Security+: Carrying Out Data Security and Privacy Practices In Response to Specific Scenarios
Any organization worth its information security salt will be carrying out data security and privacy practices. An organization’s data security and privacy practice habits are part of what separates a data-secure environment from an at-risk data environment. This article will detail what a successful candidate will need to know regarding carrying out data security and privacy practices in response to specific scenarios for the CompTIA Security+ certification exam.
Remember: this article should not serve as your main means of exam preparation, but rather as a brief review.
Data Destruction and Media Sanitization
In the course of business, organizations usually have to destroy media on a regular basis. Below are the different data destruction and media sanitization methods covered on the Security+ exam.
Burning or incineration is a good method for destroying data on paper. However, disposing of data on USB drives, DVDs, CDs, or other storage media via burning can give off toxic fumes, making it an environmental issue. This method should be used mainly for data on paper.
Shredding is preferable to burning in many cases. Equipment for shredding is inexpensive, portable and readily available.
Shredding works by reducing the size of objects to render them useless. These objects can be sheets of paper, CDs and DVDs. Cross-cut and micro-shredders are preferable to strip shredding, as they make the shredded pieces smaller and therefore even harder to use.
Pulping is a method that turns paper into a liquid slurry. This is only for data on paper and the disadvantages outweigh advantages, including having to haul the paper to a pulping facility and ensuring that the paper will be secure until pulping occurs.
Pulverizing means to feed documents into a pulverizer (normally hydraulic in nature) to reduce the documents into loose fibers. Few commercial disposal facilities use this method.
Degaussing is the preferred method for disposal of data stored in magnetic media. When degaussing such a device, a large magnet is used to eradicate the device’s memory. The data is irretrievable and, in cases of storage media such as hard drives, the device itself will be completely unusable.
Purging, for Security+ purposes, refers to the quality or level of data destruction. Completely destroyed data is said to be purged.
Data wiping refers to removing data from a data storage device. Wiping is a synonym for sanitization or purging. The techniques discussed above all lead to a form of data wiping, depending on the thoroughness/quality of the wiping.
Data Sensitivity Labeling and Handling
Data sensitivity labeling refers to the classification of data based upon its sensitivity. There are different levels of data sensitivity which are explored below
- Confidential: This is the most sensitive classification level. Generally, this data is for internal use only. If disclosed, it will have a significant negative impact for the organization
- Private: Data of a personal nature and intended only for internal use. Significant negative impact to the organization if disclosed
- Public: Public is the lowest data classification level. Public data disclosure will not have a significant negative impact on an organization
- Proprietary: Proprietary data is a form of the confidential classification. Disclosure of proprietary data could have a significant negative effect on an organization.
- Personally Identifiable Information (PII): PII is any data that is linked back to the human it refers to. If this data is medical, it falls under HIPAA regulations. Most other PII is not generally protected. Organizations should have an acceptable use policy (AUP) that clearly discloses how PII is collected and how it will be used
- Protected Health Information (PHI): PHI is any data that relates to health status, use of health care, payment for healthcare and other information collected about an individual and their health. This data falls under HIPAA regulation, which defines 18 elements of information that qualify as PHI. These elements include:
- Geographic identifiers smaller than a state
- Dates directly related to an individual (other than year)
- Phone numbers
- Fax numbers
- Email addresses
- Social Security number
- Medical record number
- Health plan beneficiary number
- Certificate or license number
- Vehicle or other device serial number
- Web URL
- IP address
- Voice print
- Photographic image (not limited to face)
- Any other characteristic that could uniquely identify the individual
An information owner is the person who has final organizational responsibility for classifying, labeling, protecting and storing the information. An owner may be held liable for negligence if they fail to perform due diligence in establishing and enforcing information security policies to protect sensitive organizational information. Owners have the responsibility of ensuring that everyone in the organization follows all appropriate laws and regulations related to the information.
A steward or custodian is an individual who has been assigned or is responsible for the day-to-day proper storage, maintenance and protection of information. Normally this role falls on the IT department and can be a network administrator, backup operator and the like. The responsibilities of the information custodian should be laid out in the organization’s security policies, standards and guidelines.
The user is the individual who uses the data. Data users may perform input, output, editing and other functions related to the data based upon their role in the organization.
An organization’s data retention policy lays out what data is to be maintained and for how long. This policy is what defines all operations and parameters of said data retention. Retention policies may need to define the purpose of the data, the means to protect the data, and who is authorized to access the data. Organizations subject to specific laws and regulations may have to meet minimum storage mandates set out in the law or regulation.
Legality and Compliance
Many organizations will find that they are subject to certain laws and regulations and they will have to ensure that they are in compliance with their stated security policies and regulations. This is done via a process called compliance testing. Compliance testing verifies that all necessary and required components of a security solution are properly deployed and functioning. The methods of which to compliance test include log analysis, penetration testing, and vulnerability scans.
Depending on the nature of the organization, data security and privacy practices will differ based upon the circumstances in which they operate. Some organizations will need to enforce only the bare minimum of data security and privacy practices and some, such as those that have to comply with HIPAA, will face far more restrictions. Regardless, it is up to the information security professional to assess the scenario in which the organization operates in and then use appropriate data security and privacy safeguards.
18 HIPAA Identifiers, Loyola