- Cost and Classification:
- Cost Not a Factor in Classification: When classifying data, the primary considerations are the sensitivity, confidentiality, integrity, and availability requirements, rather than the cost of managing or protecting the data.
- Cost in Controls: Costs are more relevant when implementing and managing controls to protect data. This includes evaluating the expense of encryption solutions, access controls, and other security measures.
- Unencrypted vs. Encrypted Protocols:
- Unencrypted Protocols: FTP (File Transfer Protocol) and Telnet do not provide encryption. They transmit data and credentials in plain text, which can be intercepted and read by unauthorized parties.
- Encrypted Protocols:
- SFTP (Secure File Transfer Protocol): Provides secure file transfer by using encryption to protect data during transit.
- SSH (Secure Shell): Secures remote login and command execution by encrypting the data exchanged between the client and server.
- Record Retention Policies:
- Retention and Maintenance: Define how long records and data should be retained and maintained based on regulatory, legal, and business requirements. Ensure compliance with data retention regulations and organizational policies.
- Removable Media:
- Strong Encryption: Use strong encryption methods, such as AES-256, to protect data on removable media (e.g., USB drives). This ensures that if the media is lost or stolen, the data remains protected and inaccessible without proper decryption keys.
- Personnel Retention:
- Knowledge Retention: Address the knowledge and skills that employees acquire while employed. Implement measures to protect organizational knowledge, such as non-disclosure agreements, training, and secure handling of sensitive information.
- Label Data:
- Data Identification: Label data to clearly indicate its classification level (e.g., Confidential, Restricted, Public). This helps in managing and securing data appropriately and preventing its misuse. Labeling media that contains sensitive data also helps avoid the accidental reuse of public media for sensitive information.
- Data in RAM:
- Data in Use: Data stored in RAM (Random Access Memory) is considered to be “data in use.” It is actively being processed or accessed by applications and is often more vulnerable to exposure if not properly secured.
- CIS (Center for Internet Security):
- Security Controls: CIS provides a list of security controls and best practices for various systems, including operating systems, mobile devices, servers, and network devices. These controls help organizations improve their security posture by providing actionable recommendations.
- Cost Considerations: While cost is not a factor in data classification, it plays a role in implementing and managing security controls.
- Encryption Protocols: Use encrypted protocols (e.g., SFTP, SSH) for secure data transfer and remote access.
- Record Retention: Establish policies for how long data should be retained and maintained.
- Removable Media: Protect data on removable media with strong encryption.
- Personnel Retention: Manage knowledge retention and protect organizational knowledge.
- Labeling Data: Clearly label data to indicate its classification level and prevent misuse.
- Data in RAM: Recognize the importance of securing data in use.
- CIS Controls: Utilize CIS controls to guide security practices for various systems.
By addressing these considerations, organizations can enhance their data protection strategies and ensure compliance with security and privacy requirements.