Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Is Data Privacy part of your Company's Culture? - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Is Data Privacy part of your Company's Culture?

I was reading a while back about the FDIC data lost who had 5 major breaches between Oct 30, 2015 (taxpayers’ personally identifiable information) and could have been prevented with a combination of host based and network controls to prevent sensitive data from leaving the network. According to the information released, the breaches occurred because individual copied data to USB drives which then left the premises. A strong and effective security policy restricting access to USB drive could have helped prevent this. All removable drives should be encrypted and limit who can write to a removable drive for accountability.

Here are three tips I think can help:

1- Have HR involved and provide awareness training [1] on a regular basis

Have the human resource (HR) department do awareness training on a regular basis with an emphasis on the organization access data policy and explain the consequences to the company and the individual when data is lost. If the data policy changes, HR must explain clearly what those changes are and why they were implemented.

2- Track, tag and audit sensitive data

It is possible to protect corporate data by tagging and classifying it properly. Employees should have access to the data they need to do their job (need to know) and nothing else. Auditing and reporting who access what help understanding if the proper controls and safeguard are working. These controls should also be applied to who print what documents. For example, if you do business in the EU, in May 2018, the EU [2] is implementing a new directive on data protection. This update means stiffer penalty of "[...] up to 4% of their global annual turnover."[3]

3- Encrypt all external devices and identify who can transfer sensitive data?

First, having all external devices used to copy sensitive data encrypted is a good idea, if it get lost, it cannot be access without the proper encryption key. Next, have a policy that identify who can copy and save data sensitive data on an external media. As per Item #2, track, audit and report when that data was access or transferred and by whom.

Is Data Privacy part of your Company's Culture? Do you feel the policy use to protect data within your organization is adequate?

[1] https://securingthehuman.sans.org/
[2] http://ec.europa.eu/justice/data-protection/reform/index_en.htm
[3] http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm
[4] https://technet.microsoft.com/en-us/magazine/2007.06.grouppolicy.aspx

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Guy

414 Posts
ISC Handler
Greetings,
I would be interested in how you can track and audit in the EU when most in the EU don't want you to track and audit?

Regards,
Bill

3 Posts Posts
> have a policy that identify who can copy and save data sensitive data on an external media.

Does your definition of "external media" include "non-media", such as usage of Microsoft/Apple-iCloud/Hotmail cloud-based services to store a copy?

Some of those interfaces synchronize automatically, i.e., store the data into one's "My Documents" folder, and that data will be silently pushed out to the cloud, without any explicit actions authorized by the user of the computer.

How would one audit (or restrict) that?
Anonymous
Posts
I would think yes external storage should mean iCloud, OneDrive, Dropbox etc.

As for preventing their use you can disable OneDive with Group Policy. Use software restrictions to prevent the installation on iCloud or Dropbox.

As for hosted email solutions DNS, blackhole the domain names or redirect your users to an internal page stating why they cannot browse to these types of sites.
PW

62 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!