Non-Technical Controls for Securing Data

  • Governance – Protecting data with policies and procedures

    • Classification of data

      • Applies to existing and new data

• Commercial (intellectual property / business data) version:

        • Public

        • Private

        • Restricted

        • Confidential

• Military (US government) version:

        • Unclassified

        • Sensitive But Unclassified / Controlled Unclassified Information (CUI)

        • Confidential

        • Secret

        • Top Secret

        • Confidential, Secret and Top Secret are collectively the “classified” levels; “classified” is not itself a level

      • Review classification periodically:

        • Changing jurisdictions

        • Data “ages” over time

      • Data Types

        • Requirements stem from regulations: PII, PHI, financial data

• DLP solutions usually ship with predefined detectors for these types

        • Types cover non-digital media as well (e.g. printed documents)

      • Data Ownership

        • Data Owner

• Accountable for the confidentiality, integrity and availability (CIA) of the data

          • Decides the classification labels applied to the data

          • An organization, not only an individual, can be the owner

        • Data steward

          • Handles data quality

          • Labelling and classification

          • Proper collection and storage

        • Data custodian

          • Handles the system that stores the data

          • Access control, encryption, backups

        • Privacy Officer

          • Handles privacy

          • PII, PHI handled correctly

• Legal and regulatory requirements (note that PCI-DSS is a contractual industry standard and COSO an internal-control framework rather than statutes)

          • GDPR

          • SOX

          • PCI-DSS

          • GLBA

          • FISMA

          • COSO

          • HIPAA

• Purpose limitation: collect data for a stated purpose and use it only for that purpose

        • Data minimization: collect and retain only the data that purpose requires

        • Data sovereignty: data is subject to the laws of the jurisdiction where it is stored and processed

        • Retention: keep records for the required period so they remain available for legal holds and e-discovery

        • Policies and procedures: address both short-term and long-term handling of data

        • Data sharing

• Service Level Agreement (SLA) – defines measurable service commitments such as availability and response times

          • NDA – non-disclosure agreement – binds the receiving party to keep shared data confidential

          • MOU – memorandum of understanding – a “gentleman’s agreement” stating intent; not legally binding

          • ISA – interconnection security agreement – documents the security requirements for a connection between two systems; used by US federal agencies (NIST SP 800-47)

          • Data sharing and use agreements

• Security, privacy and governance are distinct: security protects data against unauthorized access and tampering, privacy governs the appropriate collection and use of personal data, and governance is the set of policies and accountability that directs both. Know the difference.

    • Access Control

    • Data dissemination

    • Retention or destruction
