Data Security
Every bit of information in an organization is data, be it an email
sent internally or one received from a customer. The modern-day
office generates a lot of information online, and a lot of processes
run on computers. The purpose of the data security component of the
IT security program is to reduce the risk associated with the
unauthorized access, disclosure, or destruction of the controlled
data in an organization. Rules for the access, storage, and
dissemination of data are to be clearly defined.
The IT department or Systems department shall develop, document, and
implement policies and procedures for classification of data as well
as for the application development process.
Classification of data may be based on the
organization's risk analysis. It may be classified as
sensitive/confidential or public information. It could be internal
or external. Data related to vendors and customers must be
classified separately.
Application development processes must ensure version control and
currency. Only the latest version must be the live version in use.
Ensure that system security requirements are assessed and tested
during the development life cycle.
Service Level Agreements (SLA) shall be signed if data is likely to
be shared with an external organization. The SLA and Non-Disclosure
Agreements shall cover information security in detail and address
the amount of data to be shared, the classification of the data
being shared, how it will be shared and how it will be returned, the
data protection at the external organization, etc.
Data and program backup are to be addressed in detail both at the
organization's and the partner's premises.
Secure management of information and data encryption standards must
be implemented to enhance data protection. Generally, the areas
where data has to be encrypted are identified in the risk management
study. Encryption may be implemented in the areas related to secure
file transfer, secure e-mail, and secure data storage.
Secure File Transfer
Secure exchange of information from one application or user to
another requires that, if the data is intercepted during
transmission, it cannot be read or understood. Only the intended
recipient shall be able to receive and read the content, and a
confirmation may be requested when the secure data is transferred
and received by the intended recipient.
Secure E-mail
More and more business is being done over email. Proposals are sent
through email, and purchase orders are issued through mail. Ensure
that at least the attachments are encrypted, so that they cannot be
read if and when maliciously intercepted. No one other than the
actual user shall be able to modify and send the mails. You may look
into biometric-enabled login systems to avoid any misuse of the
email systems of others.
Secure Data Storage
Secure data storage is the protection of data content, and of
changes in data state from its original storage on electronic media,
by using encryption processes.
Secure data storage requires that the data can be read only through
an authorized process which decrypts the data after retrieving it
from the database. If one tries to read the data from the database
directly, it may become unreadable. The organization shall also have
a recovery mechanism for the encrypted data, including encrypted
data that is damaged due to abuse. The organization shall also be
able to measure the extent of damage due to abuse of data.
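The following is an added example, not part of the original page. It illustrates one way to find which stored records have been damaged so that they can be recovered: each stored blob carries an HMAC tag, and an audit compares the table against a separately held inventory of record ids. The key, record ids, and byte values are constructed for illustration, and the blobs stand in for fields already encrypted by a vetted library.

```python
import hashlib
import hmac

# Constructed demo key (assumption): a real key comes from a key store.
INTEGRITY_KEY = b"constructed-demo-key"

def tag(record_id, blob, key=INTEGRITY_KEY):
    """HMAC-SHA256 over record id + stored bytes; the id is length-prefixed
    so a blob copied into another row does not verify there."""
    rid = record_id.encode()
    msg = len(rid).to_bytes(4, "big") + rid + blob
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def seal(rows):
    """Write path: attach a tag to every stored (already encrypted) blob."""
    return {rid: (blob, tag(rid, blob)) for rid, blob in rows.items()}

def audit(table, inventory):
    """Compare the table against a separately held list of record ids."""
    report = {"intact": [], "damaged": [], "missing": []}
    for rid in inventory:
        if rid not in table:
            report["missing"].append(rid)
            continue
        blob, stored_tag = table[rid]
        ok = hmac.compare_digest(stored_tag, tag(rid, blob))
        report["intact" if ok else "damaged"].append(rid)
    return report

def demo():
    # Constructed sample: opaque bytes standing in for encrypted fields.
    table = seal({
        "cust-1": b"\x8a\x01\x17", "cust-2": b"\x55\x90\x3c",
        "cust-3": b"\x02\xfe\x41", "cust-4": b"\x7c\x33\xd0",
    })
    inventory = sorted(table)
    blob, stored_tag = table["cust-2"]
    table["cust-2"] = (blob[:-1] + b"\x00", stored_tag)  # bytes edited in place
    table["cust-3"] = table["cust-1"]                    # row overwritten by another row
    del table["cust-1"]                                  # row deleted
    return audit(table, inventory)

if __name__ == "__main__":
    print(demo())
```

The "damaged" and "missing" lists are the records to restore from backup; their count against the inventory gives a measure of the damage.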
Web Server Data Security
The web server is a tricky issue. You need to give certain
permissions to users. While you are authorizing ‘read’ or ‘write’
permissions, you must take extra care. If confidential or sensitive
data is being made available for use by others, the appropriate
security, server, and database configuration shall be put in place
and documented to maintain the confidentiality and integrity of the
data on the web server. Switch off the unused ports. Ensure that
SMTP relay is either off or properly observed.