Did you know Cybrary has FREE video training? Join more than 2,500,000 IT and cyber security professionals, students, career changers, and more, growing their careers on Cybrary.
Data Policies As we close out our final lesson for this Chapter for on Application Security Controls and Techniques, we want to thoroughly discuss Data Policies and why they are so critical to establishing and maintain a secure networking and operating environment to minimize the unauthorized exposure of data. We look at why it's important to have, review and update Data Policies for shared media, for the disposal of old or damaged or outdated media. Of equal importance is having an active data retention policy that defines data and document life cycles. You'll learn why updated and consistent document/data disposal schedules and procedures, policies, who performs what action(s), and other related factors are key to preventing unauthorized exposure of data and data stored on media devices. [toggle_content title="Transcript"] Depending on the classification of data, we need to look at the data policies that regard the wiping of data, disposing, retention and storage of data on our media. Some policies would dictate that if we are to share media, the data on the drive should be wiped out before the media is shared with other users. This is sanitization to ensure that data is not left behind...there is no data reminisce on these media that are shared because high cadre staff and low cadre staff could be sharing media. Best practice is that we need to wipe properly the data on this drive, so unauthorized disclosure will not take place. If we are disposing off media as well, we need to be sensitive to the sort of data that this media has possibly contained in the past. The policies should dictate how we dispose of these media. Should they be physically destroyed? Should they just be passed through devices that could rid them of the data that is on them? We also have to be concerned about data retention. Policies would dictate what sort of data we need to retain for a specific period of time. Offsite storage can be considered for some of this. The security at the offsite location also has to be reviewed. Because someone having access to these drives at the offsite location is as good as someone sat in front of the server. The storage at the offsite location has to be very, very robust. It has to follow the policies as to the dictates of the policy, how do we store or what sorts of media do we store, and for how long should these be at the storage location. The data retention policies will also look at how long the data has to be stored after which it possibly could be destroyed. We have to give consideration for encryption for our data whether it is data in transit or data at rest, data in use. When we have data in transit, we could be having data moving via email. We need to look into secure mechanisms like . People encrypt their data in storage. They know it is on the drive. So they do full disc encryption. While it is in use within the databases, there could also be database encryption. Many people forget about the data in transit. We need to ensure secure mechanisms so that our data in transit cannot be eavesdropped on by malicious persons. We could ensure secure protocols like ssh-->secure shell or ssl-->secure socket layer. These will ensure secure means by which our data could be moved across networks to guarantee confidentiality and integrity. Permissions and access control lists need to be built up to determine who has access to the data in transit, at rest or while it is in use. It could be database...data in your database, the permissions of your network users. These will be dictated in the access control list. The access control list is simply a list to dictate who has access to what resources and what sort of access do they have. Do they have read, write, modify...especially the network users. The permissions will dictate what sort of access our users have to data even when it is encrypted. They must have the appropriate encryption keys with which they are able to decrypt this data be it data in transit, data at rest or data in use. [/toggle_content]