12 Steps to Understanding Data Security

Twelve steps to help you understand Data Security, how it fits together in layers, and how simple and cost effective steps along with basic awareness training for staff can have a dramatic effect on the security in the business

Data Security is not down to one person or ‘the IT department’ – it is a central and cultural element of awareness running throughout the business

A logical stepped process which should enable you to check and audit what you have in place and what you need to do to improve the security

01 – Planning

Read this entire section before going any further

Plan what you are going to have to do to check and possibly modify your data systems

Create a team of people (internal or external) with specialist skills

Explain the what, why & how

Get senior management buy-in and a proper budget

We offer on-site planning assistance to management

02 – Data Classification

All company data (and equipment that processes that data) needs to be grouped or classified into sub-sets of security so that the correct level(s) of protection can be applied

Classic example of a commercial data classification system (below)

Confidential – Data should be classified as Confidential when the unauthorized disclosure, alteration or destruction of that data could cause a critical level of risk to the business. The highest level of security controls should be applied to Confidential data.

Restricted – Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the business. The highest level of security controls should be applied to Restricted data.

Internal use (Private) – Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the business. A reasonable level of security controls should be applied to Private data

Public – Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the business. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data

Ensure you don’t waste time, effort and money protecting data that doesn’t need protection

We offer on-site assistance to management

03 – Audit & Classify What You Have

This company audit requirement extends to the entire estate of the business

Include all hardware, software, data, routers/switches, hard drives, cloud locations, backup devices and locations

Ensure you include details of data classification that traverse these pieces of equipment

Include the type of data (sensitivity / classification) and location

All to be documented in writing

Include ‘data owners’ if possible for each sub-set of data

Be aware of ‘shadow IT’ – remove all software and associated data that has not been sanctioned by management

We offer on-site assistance to management with specialist software for auditing across the entire estate – including ‘cloud’

The auditing software will find duplications where they exist

Remember that almost 52% of stored data is redundant and no-one remembers why the data was ever collected in the first instance

04 – Director’s Responsibilities

Directors need to set an example to the business by implementing security policies and procedures

Data Privacy & Access Policies

Directors need to lead by example

Directors are ultimately responsible for the company and how it protects data – large fines and possibly (in the future) custodial sentences for data breaches

We offer on-site presentations to management

05 – Vulnerabilities

A vulnerability is a weakness – something that, if exploited, could cause some unwanted effect(s)

Vulnerabilities are normally fixed with patches or updates from the manufacturer; if these are not applied, the system may be found vulnerable to exploitation / attack

Zero day (or day zero) attack is the term used to describe the threat from an unknown security vulnerability in computer software or an application for which either a patch has not been released, or of which the application developers were unaware or which they did not have sufficient time to address.

WannaCry exploited huge holes in old Operating Systems which had not been patched (although a retro-patch had been available four months previously)

06 – Risk Management

Risk is a combination of ‘threat’ and ‘vulnerability’

Four main methods of treating risk –

  • Avoid the risk
  • Accept the risk
  • Reduce the risk
  • Transfer the risk

Never, never, never ignore a risk


07 – Plan & Implement Remediation

Detail all of the updates / jobs that are required to amend the system and reduce the risks

Allocate time lines and time delays to each job

List all the Business Impact statements that each step will affect

Schedule the jobs over a period of time ensuring that each technical step has not introduced more issues or errors and the system is functioning as it should

One obvious example would be a major server awaiting re-application of software patches – it is difficult to shut the server down for a re-boot etc. without impacting the daily work of the business


08 – Test & Measure Improvement

Perform steps 03 through to step 07

If there are any glaring errors or mistakes, re-run the test

If all the remedial work has been successful, you’re almost there

09 – Data Backup Schedule

All data must be backed up on a regular basis – either as a ‘full’ backup (meaning everything classed as ‘data’) or an ‘incremental’ backup (meaning everything and anything that has been amended since the previous incremental backup)

Always remember the mobile data – that which is carried or created on mobile devices; this must also be treated properly within any back-up routine

Backup to the cloud, external tape, digital devices

Ensure that there are at least enough backups to restore data from three months previously

For each system being backed up –

  • One daily backup kept for 7 days
  • One Friday backup taken every Friday in the month (i.e. four backups)
  • One Month-end backup taken on the last day of each month and kept for three months

Always remember to back up the entire server before or after each upgrade – this will save you having to re-install an entire operating system and all the patches before loading the data restore
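The daily / Friday / month-end schedule above is a rotation policy, and the easiest way to check that an inventory of backups actually satisfies it is to encode the three retention rules. The script below is an added example, not code from the original page: it reports which jobs are due on a given day and which existing backups the schedule still requires. It assumes one backup per calendar day and reads "kept for three months" as "retained until the end of the third month after it was taken".

```python
from datetime import date, timedelta

DAILY_KEEP_DAYS = 7       # "one daily backup kept for 7 days"
WEEKLY_KEEP_DAYS = 28     # four Friday backups, one per week
MONTHLY_KEEP_MONTHS = 3   # month-end backup kept for three months (assumed interpretation)

def month_end(d: date) -> date:
    """Last calendar day of the month containing d (handles leap years)."""
    first_of_next = (d.replace(day=28) + timedelta(days=4)).replace(day=1)
    return first_of_next - timedelta(days=1)

def jobs_due(today_iso: str) -> list:
    """Which backup jobs the schedule requires on a given day (ISO date string)."""
    today = date.fromisoformat(today_iso)
    jobs = ["daily"]
    if today.weekday() == 4:            # Monday == 0, so Friday == 4
        jobs.append("friday")
    if today == month_end(today):
        jobs.append("month-end")
    return jobs

def should_keep(taken: date, today: date) -> bool:
    """A backup survives if ANY of the three retention rules still covers it."""
    age = (today - taken).days
    if age < 0:
        return True                     # never delete a backup dated in the future (clock skew)
    if age < DAILY_KEEP_DAYS:
        return True                     # rule 1: daily copies for the last 7 days
    if taken.weekday() == 4 and age < WEEKLY_KEEP_DAYS:
        return True                     # rule 2: the last four Friday copies
    months_old = (today.year - taken.year) * 12 + today.month - taken.month
    return taken == month_end(taken) and months_old <= MONTHLY_KEEP_MONTHS  # rule 3

def retention_plan(backup_dates_iso, today_iso: str) -> dict:
    """Split an inventory of backup dates into those to keep and those eligible for deletion."""
    today = date.fromisoformat(today_iso)
    keep, delete = [], []
    for iso in sorted(set(backup_dates_iso)):
        (keep if should_keep(date.fromisoformat(iso), today) else delete).append(iso)
    return {"keep": keep, "delete": delete}

if __name__ == "__main__":
    # Constructed sample inventory: one backup every day from 1 Dec 2023 to 15 Apr 2024.
    start, today = date(2023, 12, 1), date(2024, 4, 15)
    inventory = [(start + timedelta(days=i)).isoformat() for i in range((today - start).days + 1)]
    plan = retention_plan(inventory, today.isoformat())
    print("jobs due today:", jobs_due(today.isoformat()))
    print("keep:", plan["keep"])
    print("eligible for deletion:", len(plan["delete"]))
```

Running the sample keeps 13 backups (seven dailies, three extra Fridays and three month-ends) out of 137, which is the "three months back" restore capability the section asks for.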

10 – Incident Management Plan

Incident Management is a specialist area and any plan needs to be carefully checked and tested for full functionality with respect to maintaining ‘evidential trail’ of actions

Normally has five phases –

  • Reporting
  • Investigation
  • Assessment
  • Corrective Action
  • Review

Always keep an incident log of every action, every decision taken and the consequences of those actions

We can assist with internal planning

11 – Business Continuity Planning

Business Continuity Planning (BCP) is an internal task as only the business owners know how their business departments link together

BCP is business focused – NOT – IT focused although IT may feature

Another complex and specialist area which must be planned, documented, practised with ‘walk through’ actions and (possibly) a ‘fail-over’ test

Business Impact Analysis – to include –

  • Time Sensitivity
  • Data Integrity
  • Data Classification
  • Maximum Tolerable Downtime (MTD)
  • Maximum Tolerable Period of Disruption
  • Recovery Point Objective
  • Third Party Dependencies
  • Service Level Agreements

We offer on-site assistance with Business Continuity Planning and Disaster Recovery (DR) solution planning to management

12 – Cyber Insurance

Your Business reputation has been ‘hard won’ – conversely – it is very easy to lose as a direct consequence of a ‘data breach’

Cyber Insurance is now becoming an essential complement to other business insurances

Normally will cover the cost of replacing equipment and data (from backup)

It will not cover your lost Business Reputation
