My Top 70 Rules of Data Protection of Sensitive Data
In the face of the PSNI data breach, here are a few pointers on improving data protection procedures:
- The enemy is within. Beware of insiders.
- Beware of trusted partners and limit their access to your systems.
- If you can, avoid using Microsoft Office for sensitive information.
- If possible use a markup system, such as Wiki/LaTeX, for internal document handling and enable tracking.
- Lock down access to sensitive information for time, location and role.
- Separate services, and do not merge data areas across different services.
- Define special access tokens for access to given services, and revoke once timed out or complete.
- Lock down the browser to only support certain document types.
- Avoid making documents editable unless there is a clear need to edit.
- Have an audit trail for document updates, and have a proper version control system.
- Automatically remove any markup on documents that are sent outside a trusted circle.
- Properly digitally sign sensitive documents, and restrict access (such as with PDFs).
- Clearly define the mission statement for data handling, and make it clear to every employee.
- Run continual workshops on data handling.
- If you can, encrypt data at its source.
- Perform data audits on a regular basis for the handling of highly sensitive data. If possible, get external audits done.
- Put access to sensitive data behind an API, and restrict access or queries. Log all accesses.
- Apply masks onto sensitive data within the API, eg telephone numbers and date of birth.
- Carefully define the data export format, and lock it down if possible.
- Apply zero trust in highly sensitive areas of data.
- Define strict levels of authorization escalation. Have at least seven levels of authorization that someone has to go through to get access to the highest level.
- Integrate human authorization into privilege escalation.
- Log all privilege escalation requests — even ones that are rejected. Call in HR if there are too many rejections.
- Understand the risk levels related to PII (Personally Identifiable Information).
- Never rely on the operating system to protect access to the document.
- Sensitive documents should be classified as Confidential, Secret or Top Secret. This should be easily identifiable from metadata, file names, and folders.
- Documents which are classified should have the appropriate access restrictions applied to them.
- A spreadsheet is not a database.
- Use multifactor authentication to gain the rights to access sensitive documents.
- Implement a tripwire approach to the access to documents, and alert on certain levels of access.
- In an HR policy statement, make it known about the penalties for data protection breaches.
- Have an incident response plan for data breaches, and rehearse it, including getting your senior management ready to talk to the BBC. PS: See the Talk Talk data breach for how not to do it.
- Minimise the number of network connection outlets, and triage outgoing data.
- Quarantine anything that looks suspicious and report it to the user. Require authorization to overrule quarantine for highly sensitive information.
- Report back useful messages for documents placed in quarantine and with links to the policy and related training.
- Set up a smart firewall which breaks TLS tunnels and filters for content. Block anything going out which looks sensitive.
- In highly sensitive operations, implement file scanners which detect key words in metadata and within files.
- In highly sensitive operations, implement network scanners which detect keywords in metadata and within files.
- Put employees on “gardening leave” once they say they are leaving the organisation. All rights to sensitive documents should be revoked.
- When employees with access to sensitive information leave the organisation, all of the passwords for the access to sensitive information should be reset.
- Restrict the usage of cameras, phones and memory sticks in certain areas of the organisation. Use scanning equipment for this.
- Define restricted and highly restricted areas within your organisation.
- Do not let guests into restricted areas unless accompanied by a trusted person.
- Require a high level of authorization of guests into highly restricted areas.
- In restricted areas, scan for wifi access requests, and ask for wifi sharing to be turned off.
- In restricted areas, scan for Bluetooth activity, especially for sharing applications and AirDrop.
- If you can afford it, run a 24x7 SOC (Security Operations Centre).
- Run more than one data protection software on your network, and look out for sensitive documents and code leakage.
- Keep your encryption keys in a safe place, such as within an HSM (Hardware Security Module).
- Trusted executions — such as searching within encrypted data — should only be run in a secure enclave.
- Have a military mindset and employ battlefield techniques, eg Defence in Depth, the Kill Chain, and Demilitarized Zones.
- Get an ex-military person to do a risk assessment on your site.
- Scan the Internet for your sensitive documents.
- Watch out for ransom requests — they may be real.
- You can never trust an adversary to delete your data — even if you pay them.
- Consider a kill switch on data — not easy to implement, but, in some cases, you may have ways to revoke access to the data, even though an adversary has access to it.
- If you can, set up an audit within trust partners and build trust between each other.
- Use basic tools such as Google Dorks to scan your domains for spreadsheets and other documents.
- Restrict details on job postings for technical details of the methods you use.
- Do an impact risk assessment on any sensitive information, and review access rights and privacy settings.
- Have a strong version control system, and remove previous versions of documents from general access.
- Define a KPI for the team/organisation, such as for the number of sensitive documents found or put in quarantine.
- Anonymise roles and users for version control on exportable versions.
- In some cases, implement image scanners for sensitive data, such as for names and addresses.
- Use a dual-homed system to store sensitive data and with a firewall that only opens access to the data for users with the correct rights.
- Use biometric access methods or hardware tokens for access to restricted areas.
- Remove passwords wherever possible, and replace them with multifactor authentication based on soft and hard tokens.
- Use hardware tokens and/or biometrics on laptops.
- Block all encryption tunnels from being created in your network.
- Define data that could pose a risk to life and limb.
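As an added illustration (not code from the original post), the following Python sketch shows several of the points above working together in one API layer in front of sensitive records: access is locked down by role and time of day, telephone numbers and dates of birth are masked before leaving the API, every access is logged whether allowed or refused, and a tripwire raises an alert when one user makes too many requests in a short window. The record store, field names, office hours and thresholds are all assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample record store for the example (not real data).
RECORDS = {
    "p001": {"name": "A. Example", "phone": "07700900123",
             "dob": "1985-04-12", "role_required": "hr"},
}

def mask_phone(phone: str) -> str:
    """Keep only the last three digits; replace the rest with 'X'."""
    return "X" * (len(phone) - 3) + phone[-3:]

def mask_dob(dob: str) -> str:
    """Expose only the year of an ISO date (YYYY-MM-DD)."""
    return dob[:4] + "-XX-XX"

class SensitiveDataAPI:
    """Assumed gateway: role + time checks, masking, audit log, tripwire."""

    def __init__(self, tripwire_limit=5, window=timedelta(minutes=10)):
        self.audit_log = []      # every request, allowed or refused
        self.alerts = []         # tripwire alerts (user, time, count)
        self.tripwire_limit = tripwire_limit
        self.window = window
        self._recent = defaultdict(deque)  # per-user request timestamps

    def _tripwire(self, user, now):
        q = self._recent[user]
        q.append(now)
        while q and now - q[0] > self.window:   # drop requests outside window
            q.popleft()
        if len(q) > self.tripwire_limit:
            self.alerts.append((user, now, len(q)))

    def get_record(self, user, roles, record_id, now=None):
        now = now or datetime.now()
        rec = RECORDS.get(record_id)
        # Lock down by role and by time (assumed office hours 08:00-18:00).
        allowed = (rec is not None and rec["role_required"] in roles
                   and 8 <= now.hour < 18)
        self.audit_log.append({"user": user, "record": record_id,
                               "allowed": allowed, "at": now.isoformat()})
        self._tripwire(user, now)   # refused requests count too
        if not allowed:
            return None
        # Masks applied inside the API: raw phone and DOB never leave it.
        return {"name": rec["name"], "phone": mask_phone(rec["phone"]),
                "dob": mask_dob(rec["dob"])}
```

Other rules in the list (location checks, document classification, human sign-off on escalation) would slot into the same `allowed` decision.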