12 Steps to Understanding Data Security
Twelve steps to help you understand Data Security: how it fits together in layers, and how simple, cost-effective measures combined with basic awareness training for staff can have a dramatic effect on the security of the business
Data Security is not down to one person or ‘the IT department’ – it is a central and cultural element of awareness running throughout the business
A logical stepped process which should enable you to check and audit what you have in place and what you need to do to improve the security
- 01 - Planning
- 02 - Data Classification
- 03 - Audit & Classify What You Have
- 04 - Director's Responsibilities
- 05 - Vulnerabilities
- 06 - Risk Management
- 07 - Plan & Implement Remediation
- 08 - Test & Measure Improvement
- 09 - Data Backup Schedule
- 10 - Incident Management Plan
- 11 - Business Continuity Planning
- 12 - Cyber Insurance
01 – Planning
Read this entire section before going any further
Plan what you are going to have to do to check and possibly modify your data systems
Create a team of people (internal or external) with specialist skills
Explain the what, why & how
Get senior management buy-in and a proper budget
We offer on-site planning assistance to management
02 – Data Classification
All company data (and the equipment that processes that data) needs to be grouped or classified into sensitivity levels so that the correct level of protection can be applied to each
Classic example of a commercial data classification system –
Confidential – Data should be classified as Confidential when the unauthorised disclosure, alteration or destruction of that data could cause a critical level of risk to the business. The highest level of security controls should be applied to Confidential data.
Restricted – Data should be classified as Restricted when the unauthorised disclosure, alteration or destruction of that data could cause a significant level of risk to the business. A high level of security controls should be applied to Restricted data.
Internal use – Data should be classified as Internal use when the unauthorised disclosure, alteration or destruction of that data could result in a moderate level of risk to the business. A reasonable level of security controls should be applied to Internal use data.
Public – Data should be classified as Public when the unauthorised disclosure, alteration or destruction of that data would result in little or no risk to the business. While little or no control is required to protect the confidentiality of Public data, some level of control is still required to prevent unauthorised modification or destruction of it (a defaced public website is still a breach of integrity).
Ensure you don’t waste time, effort and money protecting data that doesn’t need protection
We offer on-site assistance to management
03 – Audit & Classify What You Have
This audit requirement extends to the entire estate of the business
Include all hardware, software, data, routers/switches, hard drives, cloud locations, and backup devices and locations
Record which classifications of data traverse or are stored on each piece of equipment
Include the type of data (sensitivity / classification) and its location
All of this is to be documented in writing
Include a named ‘data owner’ for each sub-set of data wherever possible
Be aware of ‘shadow IT’ – software and services adopted without management approval; identify any business data they hold before removing the unsanctioned software and its associated data
We offer on-site assistance to management with specialist software for auditing across the entire estate – including ‘cloud’
The auditing software will find duplicated data where it exists
Remember that a large proportion of stored data (often quoted as around half) is redundant, and no-one remembers why it was ever collected in the first instance
04 – Director’s Responsibilities
Directors need to set an example to the business by implementing security policies and procedures, such as Data Privacy and Access policies
Directors need to lead by example
Directors are ultimately responsible for the company and how it protects data – data breaches can attract large fines and possibly (in the future) custodial sentences
We offer on-site presentations to management
05 – Vulnerabilities
A vulnerability is a weakness which, if exploited, could cause some unwanted effect
Vulnerabilities are normally fixed with patches or updates from the manufacturer; if these are not applied, the system remains open to exploitation / attack
A ‘zero day’ (or ‘day zero’) attack exploits a security vulnerability in software for which no patch has yet been released, either because the developers were unaware of it or because they have not had sufficient time to address it
WannaCry exploited a hole in old, unpatched versions of Windows, although the fix (MS17-010) had been available for two months before the outbreak; Microsoft then issued an emergency patch for operating systems that were already out of support
06 – Risk Management
Risk is a combination of a ‘threat’, a ‘vulnerability’ the threat can exploit, and the impact on the business if it does
Four main methods of treating risk –
- Avoid the risk
- Accept the risk
- Reduce the risk
- Transfer the risk
Never, never, never ignore a risk
07 – Plan & Implement Remediation
Detail all of the updates / jobs that are required to amend the system and reduce the risks
Allocate a timeline to each job, including any dependencies and delays between them
List the business impact of each step
Schedule the jobs over a period of time, checking after each technical step that it has not introduced more issues or errors and that the system is functioning as it should
One obvious example would be a major server awaiting re-application of software patches – it is difficult to shut the server down for the required re-boot without impacting the daily work of the business
08 – Test & Measure Improvement
Re-run steps 03 through to 07
If there are any glaring errors or mistakes, fix them and re-run the test
If all the remedial work has been successful, you’re almost there
09 – Data Backup Schedule
All data must be backed up on a regular basis – either as a ‘full’ backup (meaning everything classed as ‘data’) or an ‘incremental’ backup (meaning anything that has been amended since the previous backup, whether full or incremental)
Always remember mobile data – that which is carried or created on mobile devices; this must also be treated properly within any back-up routine
Back up to the cloud, external tape or other removable media, and keep at least one copy off-site and not permanently connected, so that it cannot be encrypted or deleted alongside the live data
Ensure that there are at least enough backups to restore data from three months previously
For each system being backed up –
- One daily backup kept for 7 days
- One Friday backup taken every Friday in the month (i.e. four backups)
- One Month-end backup taken on the last day of each month and kept for three months
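The schedule above is a simple ‘grandfather-father-son’ rotation. As an added illustration, not part of the original page, the following Python evaluates that schedule: given a set of backup dates and today's date, it returns which backups the schedule still requires (everything else can be pruned), the oldest restore point available, and, for the case that matters most with ransomware, which retained backups pre-date a suspected compromise. The retention windows in days (7, 28 and 92) and the sample backup history are assumptions made for the example.

```python
from datetime import date, timedelta

# Retention windows, assumed from the page's schedule (not taken from any real backup tool):
DAILY_KEEP_DAYS = 7       # one daily backup kept for 7 days
WEEKLY_KEEP_DAYS = 28     # Friday backups, four of them, i.e. four weeks
MONTHLY_KEEP_DAYS = 92    # month-end backups kept for three months


def is_friday(d):
    return d.weekday() == 4


def is_month_end(d):
    return (d + timedelta(days=1)).month != d.month


def retained(backups, today):
    """Return the subset of backup dates that the schedule still requires on `today`."""
    keep = set()
    for d in backups:
        if d > today:
            continue                       # ignore anything dated in the future
        age = (today - d).days
        if age < DAILY_KEEP_DAYS:
            keep.add(d)                    # 'son': every day for the last week
        elif is_friday(d) and age < WEEKLY_KEEP_DAYS:
            keep.add(d)                    # 'father': the last four Fridays
        elif is_month_end(d) and age < MONTHLY_KEEP_DAYS:
            keep.add(d)                    # 'grandfather': the last three month-ends
    return keep


def prunable(backups, today):
    """Backups the schedule no longer needs; safe to recycle the media."""
    return set(backups) - retained(backups, today)


def oldest_restore_point(backups, today):
    kept = retained(backups, today)
    return min(kept) if kept else None


def clean_restore_points(backups, today, compromised_since):
    """Retained backups taken before a suspected compromise date.

    If this set is empty, the rotation cannot recover from an intrusion that
    went unnoticed for longer than the retention window.
    """
    return {d for d in retained(backups, today) if d < compromised_since}


# Constructed sample history: one backup every day from 1 Jan to 30 Jun 2024.
SAMPLE_BACKUPS = [date(2024, 1, 1) + timedelta(days=i) for i in range(182)]
TODAY = date(2024, 6, 30)


if __name__ == "__main__":
    for d in sorted(retained(SAMPLE_BACKUPS, TODAY)):
        print("keep ", d)
    print("prune", len(prunable(SAMPLE_BACKUPS, TODAY)), "backups")
    print("oldest restore point:", oldest_restore_point(SAMPLE_BACKUPS, TODAY))
    print("clean points for a compromise on 2024-06-10:",
          sorted(clean_restore_points(SAMPLE_BACKUPS, TODAY, date(2024, 6, 10))))
```

Running it on the sample history keeps 13 backups out of 182 (seven dailies, three further Fridays, three month-ends) and shows that the oldest restore point is the 31 March month-end. The `clean_restore_points` check is the one to run during an incident: a compromise first noticed on 10 June still leaves four clean backups, but a schedule that kept only seven dailies would leave none.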
Always remember to back up the entire server before and after each upgrade – this will save you having to re-install an entire operating system and all of its patches before restoring the data
10 – Incident Management Plan
Incident Management is a specialist area and any plan needs to be carefully checked and tested for full functionality, including that it maintains an ‘evidential trail’ of actions taken
Normally has five phases –
- Reporting
- Investigation
- Assessment
- Corrective Action
- Review
Always keep an incident log of every action, every decision taken and the consequences of those actions
We can assist with internal planning
11 – Business Continuity Planning
Business Continuity Planning (BCP) is an internal task, as only the business owners know how their business departments link together
BCP is business focused – NOT – IT focused, although IT may feature
It is another complex and specialist area which must be planned, documented and practised with ‘walk through’ exercises and (possibly) a ‘fail-over’ test
Business Impact Analysis – to include –
- Time Sensitivity
- Data Integrity
- Data Classification
- Maximum Tolerable Downtime (MTD), also called the Maximum Tolerable Period of Disruption (MTPD)
- Recovery Point Objective
- Third Party Dependencies
- Service Level Agreements
We offer on-site assistance with Business Continuity Planning and Disaster Recovery (DR) solution planning to management
12 – Cyber Insurance
Your business reputation has been ‘hard won’ – conversely, it is very easy to lose as a direct consequence of a ‘data breach’
Cyber Insurance is now becoming an essential complement to a business’s other insurances
Normally will cover the cost of replacing equipment and data (from backup)
It will not cover your lost Business Reputation