My Top 70 Rules of Data Protection of Sensitive Data

In the face of the PSNI data breach, here are a few pointers on improving data protection procedures:

  1. The enemy is within. Beware of insiders.
  2. Beware of trusted partners and limit their access to your systems.
  3. If you can, avoid using Microsoft Office for sensitive information.
  12. If possible, use a markup system, such as a wiki or LaTeX, for internal document handling, and enable change tracking.
  13. Lock down access to sensitive information by time, location and role.
  6. Separate services, and do not merge data areas across different services.
  7. Define special access tokens for access to given services, and revoke once timed out or complete.
  8. Lock down the browser to only support certain document types.
  9. Avoid making documents editable unless there is a clear need to edit.
  10. Have an audit trail for document updates, and have a proper version control system.
  19. Automatically strip any markup (tracked changes, comments, hidden rows, columns and sheets) from documents that are sent outside a trusted circle.
  12. Properly digitally sign sensitive documents, and restrict access (such as with PDFs).
  13. Clearly define the mission statement for data handling, and make it clear to every employee.
  14. Run continual workshops on data handling.
  15. If you can, encrypt data at its source.
  16. Perform data audits on a regular basis for the handling of highly sensitive data. If possible, get external audits done.
  17. Put access to sensitive data behind an API, and restrict access or queries. Log all accesses.
  18. Apply masks onto sensitive data within the API, eg telephone numbers and date of birth.
  19. Carefully define data export format, and lock-down if possible.
  28. Apply zero trust in highly sensitive data areas: every access is authenticated and authorized on its own, with no implicit trust granted by network location or a previous login.
  21. Define strict levels of authorization escalation. Have at least seven levels of authorization that someone has to go through to get access to the highest level.
  22. Integrate human authorization into privilege escalation.
  31. Log all privilege escalation requests, even the ones that are rejected. Call in HR if there are too many rejections for one person.
  24. Understand the risk levels related to PII (Personally Identifiable Information).
  25. Never rely on the operating system to protect access to the document.
  26. Sensitive documents should be classified as Confidential, Secret or Top Secret. This should be easily identifiable from metadata, file names, and folders.
  27. Documents which are classified should have the appropriate access restrictions applied to them.
  28. A spreadsheet is not a database.
  29. Use multifactor authentication to gain the rights to access sensitive documents.
  30. Implement a tripwire approach to the access to documents, and alert on certain levels of access.
  31. In an HR policy statement, make it known about the penalties for data protection breaches.
  40. Have an incident response plan for data breaches, and rehearse it, including getting your senior management ready to talk to the BBC. PS: See the TalkTalk data breach for how not to do it.
  41. Minimise the number of network egress points, and triage outgoing data.
  42. Quarantine anything that looks suspicious, and report it to the user. Require authorization to overrule the quarantine for highly sensitive information.
  43. Report back useful messages for documents placed in quarantine, with links to the policy and related training.
  44. Set up a smart firewall which breaks open TLS tunnels and filters on content (this needs your own CA to be trusted on every managed endpoint). Block anything going out which looks sensitive.
  37. In highly sensitive operations, implement file scanners which detect key words in metadata and within files.
  38. In highly sensitive operations, implement network scanners which detect keywords in metadata and within files.
  39. Put employees on “gardening leave” once they say they are leaving the organisation. All rights to sensitive documents should be revoked.
  40. When employees with access to sensitive information leave the organisation, all of the passwords for the access to sensitive information should be reset.
  41. Restrict the usage of cameras, phones and memory sticks in certain areas of the organisation. Use scanning equipment for this.
  42. Define restricted and highly restricted areas within your organisation.
  43. Do not let guests into restricted areas unless accompanied by a trusted person.
  44. Require a high level of authorization of guests into highly restricted areas.
  53. In restricted areas, scan for Wi-Fi access requests, and ask for Wi-Fi sharing (personal hotspots) to be turned off.
  46. In restricted areas, scan for Bluetooth activity, especially for sharing applications and AirDrop.
  47. If you can afford it, run a 24x7 SOC (Security Operations Centre).
  56. Run more than one data loss prevention (DLP) product on your network, and look out for sensitive documents and code leakage.
  49. Keep your encryption keys in a safe place, such as within an HSM (Hardware Security Module).
  58. Trusted computations on sensitive data, such as searching within encrypted data, should only be run inside a secure enclave.
  51. Have a military mindset and employ battlefield techniques, eg Defence in Depth, the Kill Chain, and Demilitarized Zones.
  52. Get an ex-military person to do a risk assessment on your site.
  53. Scan the Internet for your sensitive documents.
  62. Watch out for ransom requests; they may be real.
  63. You can never trust an adversary to delete your data, even if you pay them.
  64. Consider a kill switch on data. It is not easy to implement, but in some cases (for example, where documents are encrypted and the keys are served from your own infrastructure) you may have ways to revoke access to the data even though an adversary has a copy of it.
  57. If you can, set up an audit within trust partners and build trust between each other.
  58. Use basic tools such as Google Dorks to scan your domains for spreadsheets and other documents.
  59. Restrict details on job postings for technical details of the methods you use.
  60. Do an impact risk assessment on any sensitive information, and review access rights and privacy settings.
  61. Have a strong version control system, and remove previous versions of documents from general access.
  62. Define a KPI for the team/organisation, such as for the number of sensitive documents found or put in quarantine.
  63. Anonymise roles and users for version control on exportable versions.
  64. In some cases, implement image scanners for sensitive data, such as for names and addresses.
  65. Use a dual-homed system to store sensitive data and with a firewall that only opens access to the data for users with the correct rights.
  66. Use biometric access methods or hardware tokens for access to restricted areas.
  67. Remove passwords wherever possible, and replace them with multifactor authentication based on soft and hard tokens.
  68. Use hardware tokens and/or biometrics on laptops.
  77. Block all encrypted tunnels (such as personal VPNs and SSH tunnels) from being created out of your network, since they bypass the content filtering of the firewall in rule 36.
  70. Define data that could pose a risk to life and limb.
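
Rules 17, 18 and 30 describe one control: a single API in front of the sensitive data that masks fields by role, logs every access, and alerts when one user pulls too many records. The following is an added example of that pattern, not code from the original post; the record store, the roles (clerk, hr, investigator) and the masking formats are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample record store standing in for the real back-end database.
RECORDS = {
    1: {"name": "A. Example", "phone": "07700900123", "dob": "1980-04-12", "dept": "Finance"},
    2: {"name": "B. Example", "phone": "07700900456", "dob": "1975-11-30", "dept": "Ops"},
}

# Hypothetical role model: which roles may see each sensitive field unmasked.
FULL_ACCESS_ROLES = {"phone": {"investigator"}, "dob": {"investigator", "hr"}}


def mask_phone(value: str) -> str:
    """Keep only the last three digits: 07700900123 -> ********123."""
    return "*" * (len(value) - 3) + value[-3:]


def mask_dob(value: str) -> str:
    """Keep only the year: 1980-04-12 -> 1980-**-**."""
    return value[:4] + "-**-**"


MASKERS = {"phone": mask_phone, "dob": mask_dob}


@dataclass
class SensitiveDataAPI:
    """Single choke point for record access: masks, logs, and trips an alert on bulk access."""
    window_seconds: int = 60        # sliding window for the tripwire
    tripwire_threshold: int = 5     # accesses per user per window before alerting
    audit_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    _recent: dict = field(default_factory=lambda: defaultdict(deque))
    _tripped: set = field(default_factory=set)

    def get_record(self, user: str, role: str, record_id: int,
                   now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        record = RECORDS.get(record_id)
        # Rule 17: log every access attempt, including lookups that find nothing.
        self.audit_log.append({"ts": now, "user": user, "role": role,
                               "id": record_id, "found": record is not None})
        self._check_tripwire(user, now)
        if record is None:
            return None
        # Rule 18: apply masks inside the API so clients never receive the raw value.
        out = {}
        for name, value in record.items():
            masker = MASKERS.get(name)
            if masker and role not in FULL_ACCESS_ROLES[name]:
                out[name] = masker(value)
            else:
                out[name] = value
        return out

    def _check_tripwire(self, user: str, now: float) -> None:
        """Rule 30: alert once when a user's accesses in the window reach the threshold."""
        q = self._recent[user]
        q.append(now)
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        if len(q) >= self.tripwire_threshold:
            if user not in self._tripped:
                self._tripped.add(user)
                self.alerts.append({"ts": now, "user": user, "count": len(q)})
        else:
            self._tripped.discard(user)


if __name__ == "__main__":
    api = SensitiveDataAPI()
    print(api.get_record("clerk1", "clerk", 1, now=1000.0))
    for i in range(6):            # bulk access by one user trips the alert once
        api.get_record("clerk1", "clerk", 2, now=1001.0 + i)
    print(api.alerts)
```

The point of the design is that masking and logging happen in one place that the client cannot bypass; a client that talks to the database directly (or exports a spreadsheet of it) gets neither. The tripwire alerts once per crossing rather than on every access, so a genuine bulk job produces one ticket, not hundreds.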
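
Rules 11, 19, 26, 34 and 37 all come down to a file scanner that looks inside a document before it leaves: hidden sheets that travel with a spreadsheet, classification keywords in the metadata, and sensitive field names in the cell text. Below is an added example of such a scanner for OOXML spreadsheets (.xlsx is a zip of XML parts), written for this page and not taken from the original post or any vendor product. The keyword list is a placeholder for your own classification policy, and the sample workbook is constructed in memory with only the three parts the scanner reads; a real file has the same parts at the same paths alongside worksheets, relationships and content types.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"main": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# Hypothetical keyword list; a real deployment takes this from the classification policy.
KEYWORDS = re.compile(
    r"\b(top secret|secret|confidential|restricted|date of birth|national insurance)\b", re.I)


def build_sample_xlsx(with_hidden_sheet: bool = True) -> bytes:
    """Constructed sample package containing only the parts the scanner reads."""
    state = ' state="hidden"' if with_hidden_sheet else ""
    workbook = (
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Summary" sheetId="1" r:id="rId1"/>'
        f'<sheet name="Staff" sheetId="2"{state} r:id="rId2"/></sheets></workbook>')
    strings = ["Headcount by department", "Surname"]
    if with_hidden_sheet:
        strings.append("Date of birth")
    shared = ('<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
              + "".join(f"<si><t>{s}</t></si>" for s in strings) + "</sst>")
    keywords = "CONFIDENTIAL; staff list" if with_hidden_sheet else "staff list"
    core = ('<cp:coreProperties '
            'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            f'<dc:title>FOI response</dc:title><cp:keywords>{keywords}</cp:keywords>'
            '</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/sharedStrings.xml", shared)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def scan_xlsx(data: bytes) -> dict:
    """Report hidden sheets, keyword hits in core metadata, and keyword hits in cell text."""
    findings = {"hidden_sheets": [], "metadata_hits": [], "content_hits": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "xl/workbook.xml" in names:
            root = ET.fromstring(z.read("xl/workbook.xml"))
            for sheet in root.iterfind(".//main:sheet", NS):
                # Both "hidden" and "veryHidden" sheets travel with the file unseen.
                if sheet.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append(sheet.get("name"))
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for el in root.iter():
                if el.text and KEYWORDS.search(el.text):
                    findings["metadata_hits"].append((el.tag.split("}")[-1], el.text))
        if "xl/sharedStrings.xml" in names:
            root = ET.fromstring(z.read("xl/sharedStrings.xml"))
            for t in root.iterfind(".//main:t", NS):
                if t.text and KEYWORDS.search(t.text):
                    findings["content_hits"].append(t.text)
    return findings


def should_quarantine(findings: dict) -> bool:
    """Rule 34: anything with hidden content or classification markers is held for review."""
    return any(findings.values())


if __name__ == "__main__":
    for hidden in (True, False):
        f = scan_xlsx(build_sample_xlsx(hidden))
        print(f, "QUARANTINE" if should_quarantine(f) else "release")
```

The same zip-and-XML approach works for .docx (comments, tracked changes and document properties live in their own parts). This scanner reads the shared-string table only, so cell text stored as inline strings inside the worksheet parts is not covered; a production scanner would parse those parts too, and would pair the check with an outbound step that strips the hidden sheets rather than just flagging them.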