Editor’s note: this piece on data security controls was originally published in January 2021, and has been updated on June 24, 2021, with new information.
Regardless of the type of business you operate, odds are you have, or will have, some form of sensitive information in your possession. Maybe you take credit card payments online or store patient records electronically and must adhere to HIPAA Security and Privacy rules. If you work with the federal government, you’re likely handling unclassified information that the government wants to safeguard. You may also have customer lists, architecture diagrams, and other artifacts that you wouldn’t want your competition to get ahold of.
Today, sensitive data can be subject to many security and privacy regulations like the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA), plus other state or industry-specific laws. In this current security climate, just saying you can protect sensitive customer information doesn’t cut it anymore. The days of self-assessments are long gone—organizations must provide concrete evidence that they have sufficient technical and administrative controls in place to protect sensitive customer information and go through third-party attestation processes before they can conduct business with their target customers.
So, what are the critical data protection controls you need to implement within your organization today? This article will discuss the types of sensitive data requiring protection, the five critical control families for data protection, and the importance of documenting your controls for information security audits.
What is the primary objective of data security controls?
The primary objective of data security controls is to protect and safeguard the data held by your organization, reduce the risk of data breach or loss, and enforce policies and best practices. Data security controls facilitate risk management plans by minimizing, avoiding, detecting, or responding to risks in networks, hardware, software, data, and other systems. At a high level, they can usually be categorized into internal controls or incident-focused controls.
Why is knowing the primary objective of data security controls important? Because at any time, your organization might be running hundreds of security controls — each with a specific purpose or objective. Since every company has different procedures, policies, and goals, knowing how these controls align to protect and mitigate their specific risks is an important part of keeping operations running smoothly.
Different types of data requiring protection
Designing relevant controls starts with knowing your data. That’s right—you need intimate knowledge of the information you’re holding to design the proper safeguards. Think about the nature of your data, beginning with these critical questions: What’s the sensitive information you’re collecting? What regulations cover this type of data? Where is it located? Who might be looking to exploit it? What are the consequences if this information is lost, stolen, or destroyed?
Below are some types of data that require protection (all of these data types are subject to one data privacy regulation or another):
Individual identifiers such as name, address, email, and social security/driver’s license/passport numbers.
Financial and payment cardholder information including credit card number, bank account, personal ownership, transaction, and credit history.
Employment and professional information such as employment history, references, salary, job titles, and disciplinary actions.
Social network including names of friends, connections, networks, and group associations.
Medical and health information relating to healthcare and medical conditions including health records, tests, and prescriptions.
Genetic and biometric information such as DNA code, fingerprints, iris scans, and facial geometry.
Geolocation data identifying devices’ physical location that can be collected from a smartphone, tablet, watch, or other IoT device.
Personal preference data relating to sexual orientation and religious or political beliefs.
Education records including grades, evaluations, and attendance records.
Internet network activity including browsing history and website/application interaction.
Sensitive federal information including data generated, processed or stored in federal IT systems while working for a U.S. federal government agency.
Controlled unclassified information (CUI) or covered defense information (CDI), a subcategory of sensitive federal information that is now regulated under the CMMC.
If your organization collects any of these data types, you will need to implement technical and administrative controls to ensure data security, confidentiality, and integrity. However, some data is highly sensitive, requiring more protection, while other information is less sensitive, requiring far fewer safeguards.
So, how can you know which data to prioritize in terms of security?
In a word—classification. All data collected and processed by your organization should be classified. By classifying data, you create a sensitivity hierarchy, ensuring your most delicate information receives robust safeguarding. Creating a healthy data classification policy is the first step toward securing your sensitive information.
Five critical control families for safeguarding sensitive information
Access control
Who is accessing your systems? Protecting user-level access to information systems is your first line of defense, and proper account management and enforcement are paramount. The control of accounts, enforcement, and features is accomplished using authentication management and directory systems like Active Directory and Lightweight Directory Access Protocol (LDAP). These controls extend beyond user directories, including system accounts, networking equipment, and databases.
Least privilege and separation of duties provide a logical and popular approach to access control. Least privilege access allows only those required and authorized to access system data—and they may only access the information necessary for their job function. Separation of duties grants access based on individual role responsibility, with an administrator having higher-level access than, say, a receptionist or a sales rep.
Administrators may have multiple accounts, using an administrator login to perform administrative functions and a user login to perform everyday, non-administrative functions. Problems can arise when administrators use accounts for unintended purposes. For example, this occurs when administrators use their privileged account for routine activity instead of keeping that activity on their user-level account.
Another essential component of access control is ensuring your team audits the right events and provides auditors with correct information. It helps to compile a list of information you know your auditors want to see and prepare it in advance. Failed log-ons, remote log-ons, and quick access upgrades are examples of event information many auditors might request.
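The two points above (administrator accounts used for everyday activity, and the log-on and privilege-change events auditors ask for) can be checked from authentication logs. The following is an added example written for this article, not Hyperproof's or any vendor's code; the CSV event format, the `adm-` naming convention for administrator accounts, and the set of "everyday user" event names are assumptions, and the events are constructed.

```python
"""Summarise authentication events into auditor evidence and flag
administrator accounts used for ordinary user activity."""
import csv
import io
from collections import Counter

# Constructed sample events: timestamp, account, event, source.
SAMPLE_EVENTS = """ts,user,event,source
2021-06-01T08:01:00Z,alice,logon_failed,10.0.0.5
2021-06-01T08:01:30Z,alice,logon_failed,10.0.0.5
2021-06-01T08:02:00Z,alice,logon_ok,10.0.0.5
2021-06-01T09:00:00Z,adm-bob,logon_ok,vpn
2021-06-01T09:05:00Z,adm-bob,group_add:Domain Admins,10.0.0.9
2021-06-01T09:10:00Z,adm-bob,web_browse,10.0.0.9
2021-06-01T10:00:00Z,carol,logon_ok,vpn
"""

ADMIN_PREFIX = "adm-"  # assumption: privileged accounts are named adm-*
# Assumption: activity that belongs on a user-level account, never an admin one.
USER_ONLY_EVENTS = {"web_browse", "email_read"}
REMOTE_SOURCE = "vpn"  # assumption: remote log-ons arrive via the VPN source


def parse_events(text):
    """Parse the CSV event export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_summary(events):
    """Return the evidence an auditor typically requests plus misuse findings:
    failed log-ons per account, remote log-ons, privilege (group) changes,
    and administrator accounts performing everyday user activity."""
    failed = Counter()
    remote, priv_changes, admin_misuse = [], [], []
    for e in events:
        user, event, source = e["user"], e["event"], e["source"]
        if event == "logon_failed":
            failed[user] += 1
        if event == "logon_ok" and source == REMOTE_SOURCE:
            remote.append(user)
        if event.startswith("group_add:"):
            priv_changes.append((user, event.split(":", 1)[1]))
        if user.startswith(ADMIN_PREFIX) and event in USER_ONLY_EVENTS:
            admin_misuse.append((user, event))
    return {"failed_logons": dict(failed), "remote_logons": remote,
            "privilege_changes": priv_changes, "admin_misuse": admin_misuse}


if __name__ == "__main__":
    for key, value in audit_summary(parse_events(SAMPLE_EVENTS)).items():
        print(f"{key}: {value}")
```

On the constructed sample, the summary reports two failed log-ons for alice, two remote log-ons, one addition to Domain Admins, and one administrator account browsing the web from its privileged login.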
Systems integrity
Are your systems free of exploits? Safeguarding your system’s integrity with technical and operational controls should be a top priority. This starts with installing malicious code blocking and spam protection mechanisms; these controls block endpoint attacks, working best in unison with user awareness and training programs.
Information systems monitoring is the most critical control to set up and use correctly, as it’s your canary in the coal mine for detecting network security events. This essential control is driven by monitoring and detection technology working in conjunction with automation and endpoint detection software.
Integrity and failure controls provide continuity and emergency protection for your business. These controls ensure system data isn’t changed without authorization and provide a plan for business continuity and disaster recovery (BCDR).
Configuration management
Are your configuration changes authorized? Configuration management controls cover the policies and procedures for the authorized changing of system configurations. They prevent administrators’ unauthorized adjustments and require all changes to be documented. These controls ensure all configurations are designed and maintained with security in mind.
Have you taken inventory of your data lately? Configuration management controls govern the updating of inventory and monitoring of data. The importance of maintaining continuous knowledge of your data can’t be overstated. In the words of Josh Bobbitt, CISSP and CEO of Fortified Logic, “Knowing what data you have is essentially the start of any solid security program.”
Security assessment and authorization
Do you know where your vulnerabilities lie? Vulnerabilities can be defined as weaknesses in an information system, security procedure, internal control, or implementation that can be exploited by a threat source. Here is where the fun starts for many—some call it “ethical hacking” with the end goal of identifying vulnerabilities and determining the overall security of your environment.
Security assessments provide point-in-time snapshots of your environment, starting with vulnerability and risk assessments all the way to complete penetration tests. Following these point-in-time assessments, organizations should track all discovered risks with a Plan of Action and Milestones (POAM). These reports list all risks and their security impact, proposed dates to address, and suggested mitigation plans. POAMs are mandatory monthly deliverables for federal government clients and can be quite tedious and manual to prepare. A tool like Hyperproof’s compliance operations software can expedite risk tracking and evidence collection efforts and save your team countless manual hours.
However, although conducting regular security assessments is important, it represents just one step in a broader security program. Point-in-time assessments fall short in today’s constantly changing threat landscape, as they can become outdated in a matter of hours. Organizations must continually monitor systems to keep pace with these changes, maintaining an accurate view of vulnerability and risk. System vulnerability scans should be run as often as possible—preferably daily or weekly, but at least monthly.
Incident response
OK, so you have your access, integrity, and configuration controls in place, and you’re conducting security assessments and system vulnerability scans. But do you have a tested action plan for responding to a security incident when one does happen? Hopefully, you do – because other controls mean little if you lack an effective incident response plan.
The last critical data security control domain to put in place is a documented response plan detailing the handling of events based on data classification and incident criticality. Incident response plans typically fall under IT and security jurisdiction but should include contributions from other teams.
Incident response plans are critical today for many reasons. They help safeguard your business and assist in recovery after a security incident. If you lack an incident response plan, you signal a weaker security commitment to auditors, in addition to risking fines and legal action when inevitable incident management missteps occur. Keep in mind that some industry-led frameworks like ISO 27001 and regulatory laws like the CCPA now require an incident response plan.
Many organizations benefit from using security information and event management (SIEM) software to help with incident response. SIEM software should be enriched and fine-tuned with other sources, like threat intelligence feeds, to improve the detection and management of security events.
Finally, incident response plans must be routinely tested to ensure proper function during an actual response event.
Importance of documenting your controls
As we discussed earlier, the self-proclamation of your ability to keep sensitive information safe isn’t enough today. Auditors and customers want to see working evidence of your security controls to verify compliance.
These days, gathering evidence of your security controls should become a regular part of your workflow as you’re putting controls in place and as you test them to ensure their effectiveness. For many organizations, collecting and storing evidence is still an afterthought; oftentimes compliance managers rush through this task just days before a scheduled IT compliance audit. Fortunately, Hyperproof has specifically built tools to help you organize and simplify the process of documenting your entire compliance journey.
Conclusion
Quite likely, it’s only a matter of time before your business handles sensitive information—if it isn’t already. Your organization must prove the existence of technical and administrative controls to achieve compliance certifications (e.g. SOC 2, ISO 27001, CMMC, etc.) and meet regulatory and contractual obligations. And this isn’t a domain to cut corners on, as your reputation can take a significant hit when sensitive customer information within your possession is compromised.
Not to worry—with the five critical control domains in place, your team is well-positioned to protect sensitive data and prove compliance. Start by controlling network access with an authentication management system based on least privilege and separation of duties. Ensure system integrity with malicious code and spam protection, continuous system monitoring, and a BCDR plan. Manage configurations to ensure all changes are authorized and documented. Continually assess your security posture with vulnerability scans and risk tracking. Finally, create and maintain a tested incident response action plan in the event of an emergency.
There you have it–the five critical data security control domains every organization needs in place today. By implementing these critical controls, you can be more confident in your ability to protect sensitive data while taking pride in knowing you’re doing all you can to make the world a little bit safer.