Time: 56 minutes
Difficulty: Beginner
CEU/CPE: 3

Video Description

Data Policies

As we close out the final lesson of this chapter on Application Security Controls and Techniques, we discuss Data Policies and why they are critical to establishing and maintaining a secure networking and operating environment that minimizes the unauthorized exposure of data. We look at why it's important to have, review and update Data Policies for shared media and for the disposal of old, damaged or outdated media. Of equal importance is having an active data retention policy that defines data and document life cycles. You'll learn why updated and consistent document/data disposal schedules, procedures and policies, who performs what action(s), and other related factors are key to preventing unauthorized exposure of data and data stored on media devices.

Transcript

Depending on the classification of data, we need to look at the data policies that regard the wiping of data, disposing, retention and storage of data on our media. Some policies would dictate that if we are to share media, the data on the drive should be wiped out before the media is shared with other users. This is sanitization to ensure that data is not left behind... there is no data remanence on these media that are shared, because high cadre staff and low cadre staff could be sharing media. Best practice is that we need to wipe properly the data on this drive, so unauthorized disclosure will not take place.

If we are disposing of media as well, we need to be sensitive to the sort of data that this media has possibly contained in the past. The policies should dictate how we dispose of these media. Should they be physically destroyed? Should they just be passed through devices that could rid them of the data that is on them?

We also have to be concerned about data retention. Policies would dictate what sort of data we need to retain for a specific period of time. Offsite storage can be considered for some of this. The security at the offsite location also has to be reviewed, because someone having access to these drives at the offsite location is as good as someone sat in front of the server. The storage at the offsite location has to be very, very robust. It has to follow the policies as to the dictates of the policy: how do we store, or what sorts of media do we store, and for how long should these be at the storage location. The data retention policies will also look at how long the data has to be stored, after which it possibly could be destroyed.

We have to give consideration for encryption for our data, whether it is data in transit or data at rest, data in use. When we have data in transit, we could be having data moving via email. We need to look into secure mechanisms like []. People encrypt their data in storage. They know it is on the drive, so they do full disk encryption. While it is in use within the databases, there could also be database encryption. Many people forget about the data in transit. We need to ensure secure mechanisms so that our data in transit cannot be eavesdropped on by malicious persons. We could ensure secure protocols like SSH (secure shell) or SSL (secure socket layer). These will ensure secure means by which our data could be moved across networks to guarantee confidentiality and integrity.

Permissions and access control lists need to be built up to determine who has access to the data in transit, at rest or while it is in use. It could be database... data in your database, the permissions of your network users. These will be dictated in the access control list. The access control list is simply a list to dictate who has access to what resources and what sort of access do they have. Do they have read, write, modify... especially the network users. The permissions will dictate what sort of access our users have to data even when it is encrypted. They must have the appropriate encryption keys with which they are able to decrypt this data, be it data in transit, data at rest or data in use.

Video Transcription

00:04
Depending on the classification of data,
00:06
we need to look at the data policies that regard the wiping of data, disposing, retention and storage of data on our media.
00:16
Some data should... some policies will dictate that if we are to share media, the data on the drive should be wiped out before the media is shared with other users. This is sanitization to ensure that data is not left behind.
00:35
There's no data remanence
00:37
on these media that are shared, because high cadre staff and low cadre staff will be sharing media.
00:43
Best practice is that we need to wipe properly the data on these drives, so
00:49
unauthorized disclosure will not take place. If we're disposing of media as well, we need to be sensitive to the sort of data that this media has possibly contained in the past. So the policies should dictate how we dispose of these media.
01:07
Should they be physically destroyed?
01:11
Should they just be passed through devices that could rid them of the data that is on them?
01:18
We also have to be concerned about data retention.
01:23
Policies will dictate what sort of data we need to retain for a specific period of time.
01:27
Offsite storage can be considered for some of these, and the security at the offsite location also has to be reviewed, because someone having access to these drives at the offsite location is as good as someone sat in front of the server.
01:42
The storage at the offsite location has to be very, very robust.
01:48
It has to follow the policies as to the dictates of the policy.
01:53
How do we store, and what sort of media do we store on, and for how long should these be at the storage locations? The data retention policies will also look at how long the data has to be stored, after which it possibly could be destroyed. We
02:12
have to give consideration for encryption for our data, whether it is data in transit
02:17
or data at rest, data in use.
02:21
When we have data in transit, you could be having data moving via email.
02:24
We need to look into secure mechanisms like IPsec.
02:30
People encrypt their data in storage. Yes, they know it's on the drive, so they do full disk encryption.
02:38
While it's in use within the databases, they could even do database encryption, but many people forget about the data in transit. We need to ensure secure mechanisms so that our data in transit cannot be eavesdropped on by malicious persons. We could employ secure protocols like SSH, the secure shell,
02:57
or
02:58
SSL, secure socket layer. These will ensure
03:02
secure means by which our data will be moved across networks to guarantee confidentiality and integrity.
03:12
Permissions
03:14
and access control lists need to be built up to determine who has access to the data in transit or at rest or while it's in use. It will be database... data in your database, the permissions of your network users.
03:27
These will be dictated in the access control list. The access control list is simply a list to dictate who has access to what resources and what sort of access do they have. Do they have read, write, modify? Especially the network users.
03:42
So the permissions will dictate what sort of access our users have to data even while it's encrypted. They must have the appropriate encryption keys with which they're able to decrypt this data, be it data in transit, data at rest or data in use.


Instructed By

John Oyeleke
Lead IT Security Instructor