Data Handling Controls
Data classification is governed by your organization's “Data Classification Policy”, also known as an “Information Security Policy”. The depth and breadth of this topic can seem overwhelming. BCSF recognizes how important data classification is, and also how cumbersome it can be to implement and control, which is why we developed this guide to handling data. The Data Handling Controls set out, in clear and simple terms, the requirements for storing and transmitting information in three tiers: Low, Medium, and High. Your organization can frame its policy and control system around this practical guide, taking the unusual approach of governing from the bottom up.
Data Handling Controls
| Control | Public / Low | Sensitive / Medium | Confidential / High |
|---|---|---|---|
| Non-Disclosure Agreement (NDA) | None | NDA is required prior to access by non-staff | NDA is required prior to access by staff |
| Access | Access request, review, approval and termination process | • Password(s) • Access request, review, approval and termination process • Secure storage when not in use • Situational awareness for verbal communications | • Strong password(s) • Access request, review, approval and termination process • Asset Owner-approved access • Non-Disclosure Agreement (NDA) for third parties • Immediate retrieval when printing or faxing • Secure storage when not in use • Situational awareness for verbal communications |
| Cloud-based Storage (DropBox, OneDrive, Google Drive) | None | <designated system> | <designated system> |
| E-Mail (with and without attachments) | None | • Internal: <designated system> • External: <designated system> | • Internal: <designated system> • External: <designated system> |
| Encryption | None | • Encryption during transmission • Encryption for third parties | • Encryption during creation, storage, processing and transmission • Encryption for third parties |
| Internal & External Network Transmission (wired & wireless) | None | • Encryption is required • Instant Messaging is prohibited • Non-IT-approved FTP solutions are prohibited | • Encryption is required • Instant Messaging is prohibited • Non-IT-approved FTP solutions are prohibited • Remote access should be used only when necessary and only with approved VPN and two-factor authentication solutions |
| Faxing / Printing | None | • Verify destination printer • Attend fax/printer while printing | • Verify destination printer • Attend fax/printer while printing |
| Labelling | None | None | Document watermark |
| Mobile Devices (iPhone, iPad, MP3 player, USB drive, etc.) | None | Encryption is required | Encryption is required |
| Monitoring | None | Auditing and passive monitoring | • Active/real-time monitoring • Security monitoring and alerting • Privileged identity monitoring |
| Removable Media (flash drives, jump drives, external hard drives, CDs, DVDs, etc.) | None | Only use IT-approved solutions | Only use IT-approved solutions |
| Retention | None | • Backup testing and verification • Inclusion in Business Continuity and Disaster Recovery Plans | • Backup testing and verification • Inclusion in Business Continuity and Disaster Recovery Plans • Redundancy or automatic failover • Offsite backup • Secure physical storage |
| Destruction | None | Approved secure destruction solutions, including shredding and secure wiping | Approved secure destruction solutions, including shredding and secure wiping |
| Audit | None | Biennial controls audit | Annual controls audit |
| Physical | None | • Secure courier when shipping • Media possession at all times • Mark “Open by Addressee Only” • Use “Certified Mail” and sealed, tamper-resistant envelopes for external mailings • Delivery confirmation is required | • Secure courier when shipping • Media possession at all times • Mark “Open by Addressee Only” • Use “Certified Mail” and sealed, tamper-resistant envelopes for external mailings • Delivery confirmation is required |