Non-Technical Controls for Securing Data

Governance – Protecting data with policies and procedures

• Classification of data

  • Applies to existing and new data

  • Intellectual property:

    • Public

    • Private

    • Restricted

    • Confidential

  • Military version:

    • Unclassified

    • Classified

    • Confidential

    • Secret

    • Top Secret

  • Review classification periodically:

    • Changing jurisdictions

    • Data “ages” over time

  • Data Types

    • Requirements stem from regulations: PII, PHI, financial data

    • Types are usually built into DLP solutions

    • Types include non digital media as well

  • Data Ownership

    • Data Owner

      • CIA of data

      • Labels of data

      • Org can be owner

    • Data steward

      • Handles data quality

      • Labelling and classification

      • Proper collection and storage

    • Data custodian

      • Handles the system that stores the data

      • Access control, encryption, backups

    • Privacy Officer

      • Handles privacy

      • PII, PHI handled correctly

    • Legal requirements

      • GDPR

      • SOX

      • PCI-DSS

      • GLBA

      • FISMA

      • COSO

      • HIPAA

    • Purpose Limitation

    • Data minimization

    • Data sovereignty

    • Retention: e-discovery

    • Policies and Procedures: short term and long term

    • Data sharing

      • Service Level Agreement

      • NDA

      • MOU – Gentleman’s agreement. Non legally binding.

      • ISA – interconnection security agreement – for federal agencies

      • Data sharing and use agreements

    • Security, privacy, and governance. Know the difference.

• Access Control

• Data dissemination

• Retention or destruction