From the course: CISSP Cert Prep (2021): 2 Asset Security

Data security policies

- [Instructor] Policies form the foundation of any information security program, and having strong data security policies is a critical component of your efforts to protect information. Data security policies and procedures play several important roles in an organization. No matter what specific issue a policy or procedure covers, it should meet several key criteria.

First, policies provide the foundational authority for data security efforts, adding legitimacy to your work and providing a hammer, if needed, to ensure compliance. They also offer clear expectations to everyone involved in data security by explaining what data must be protected and the controls that should be used to protect that data. They provide guidance on the appropriate paths to follow when requesting access to data for business purposes, and they offer an exception process for formally requesting policy exceptions when necessary to meet business requirements.

Let's take a look at a few of the key issues that your data security policies should cover, following these principles that we just described.

Data classification policies describe the security levels of information used in an organization and the process for assigning information to particular classification levels. These classifications are assigned based upon both the sensitivity of information and the criticality of that information to the organization. Data classification policies are important because they establish the basis for deciding what information and asset handling requirements the organization should put in place. I'll discuss classification more later in this course.

Data storage is a key component of a security policy. Data storage policies should explain several important concepts to users. These include the appropriate storage locations for data of varying classification levels. For example, policy might restrict the use of cloud storage solutions for highly sensitive information. They also include access control requirements for stored information, including the process you use to gain access to data and the mechanisms used to enforce access controls. Data storage policies also contain encryption requirements for information at different classification levels and in different storage environments. For example, an organization might allow the unencrypted storage of information on hard drives located in their own data centers but require encryption for all other storage locations, such as cloud services or employee laptops.

Data transmission policies protect data in motion. Data is especially vulnerable when it's being transmitted over a network because it's susceptible to eavesdropping attacks. Therefore, data transmission policies should cover what data may be transmitted over different kinds of networks and under what authority. They should also cover the use of encryption to protect information in transit on public or private networks. And they should also cover appropriate transmission locations for sensitive information, such as the types of information that may leave corporate networks without special permission.

Finally, data lifecycle policies provide important guidance concerning the end-of-life process for information. This is important because information may retain sensitivity even after the organization no longer requires it. Data lifecycle policies should address at least two important issues.

First, data retention policies should describe how long an organization will keep different data elements. This may include a minimum retention period, such as retaining all tax-related records for seven years. It may also include a maximum retention period stating, for example, that customer credit card information should only be retained for the length of time necessary to complete a transaction. Data retention policies limit an organization's risk exposure by ensuring that data is kept for as long as it is needed but no longer. These policies affect both hardware and personnel and should apply equally to electronic and paper records.

Data disposal policies should cover proper disposal of data, including the wiping techniques used to securely erase hard drives, flash drives and other storage media before they are thrown away, recycled or otherwise discarded. This is extremely important because of data remanence issues. Simply deleting files or formatting a hard disk is not sufficient to remove all traces of data from a device. Security administrators must use specialized tools to securely wipe storage devices and prevent the future retrieval of information that's believed to have been deleted. These techniques include software applications such as Darik's Boot and Nuke, otherwise known as DBAN, and hardware tools such as magnetic degaussers and physical device shredders.

These security policies provide an important foundation for data security efforts.
