Recent high-profile data breaches at the national level have increased concerns about sensitive data and what can and should be done to provide appropriate protections.
State agencies must "Require that sensitive data not be stored on mobile data storage media [including laptops] unless there is a documented agency business necessity approved in writing by the Agency Head and that all data storage media containing sensitive data are physically and logically secured" (such as using locks and authentication and encryption). This is a requirement of Commonwealth Information Technology Security Standard (ITRM Std SEC501-01), which has a compliance date of July 2007; however, earlier compliance with this particular section is strongly encouraged!
Sensitive data is defined as "any data of which the compromise with respect to confidentiality, integrity, and/or availability could adversely affect COV interests, the conduct of Agency programs, or the privacy to which individuals are entitled."
Types of Sensitive Data
Examples of types of sensitive data include:
- Personally Identifiable Information, including information that describes, locates or indexes anything about an individual including financial transactions, Social Security numbers, medical history, ancestry, religion, political ideology, criminal or employment record and photographs
- Proprietary research data
- Certain confidential proprietary data
- Network diagrams and IP addresses
- Server names and configurations
- Contract cost estimates
The best line of defense is not collecting sensitive data unless there is an absolute business necessity. Secondly, if sensitive data must be collected, consider whether collecting only a portion of the sensitive data is a viable option, such as the last four digits of a credit card number or Social Security number.
When sensitive data must be collected and stored, appropriate safeguards must be implemented commensurate with the level of sensitivity and risk. Consideration must be given both to the controls over sensitive data in motion (being transmitted) and sensitive data at rest (stored).
Sensitive Data in Motion
Sensitive data should not be transmitted electronically unless encryption is utilized. For Web entry of sensitive data, always look for the yellow lock at the bottom right as well as the https in the address, which indicates Secure Sockets Layer (SSL). With the use of e-mail now routine, it is extremely important to step back and reconsider the data that will be transmitted before hitting the send button. Sensitive data should NOT be transmitted via e-mail, which is not secure unless encrypted.
Sensitive Data at Rest
Storage of sensitive data should be in the least mobile location possible and adequate technical controls should be deployed. Some available controls:
- Two-factor authentication via hardware or software token
- Complex passwords that require a combination of upper case, lower case letters, numbers and/or special characters
- Mandatory screen saver passwords
- Physical protection of mobile devices that can be easily moved, such as a PDA, BlackBerry or laptop
Your Sensitive Data
Finally, for your own protection, do not provide your personal data electronically including via the Web or e-mail unless you are absolutely positive it is encrypted and the recipient is valid. Do not respond to unusual e-mails or click on unrecognized URLs. Keep your personal computer updated with the latest patches and anti-virus definitions. Trust but verify.
For additional information:
U.S. Department of Homeland Security's US-CERT: http://www.uscert.gov