Security controls have evolved over time, becoming easier to use and more effective at stopping a wide variety of threats. Of course, threats continue to evolve and strengthen as well, with an ever-sharpening focus on stealing valuable data.
Despite the precautions and products available to help IT departments curb data security risks, there are frequent accounts in the news of major data breaches involving governments. How can agencies better manage risk?
The answer lies in focusing on managing data risk, not IT risk. Agencies have long known the basics of IT risk mitigation — installing patches, configuring operating systems and applications securely, implementing access control. Those fundamental principles have not changed. What has changed is the attackers' focus on gaining unauthorized access to sensitive data. That is not meant to imply that general IT risk mitigation is not important — by all means, agencies still need to apply patches and do all those other fundamental security activities — but they must also carefully consider the threats against sensitive data and perform risk management activities specific to protecting that data from unauthorized access.
A number of risk management methodologies are out there, and all include the same basic steps: Identify security requirements, perform a risk assessment, implement security controls, identify (and correct) any deficiencies within those controls and monitor them.
I don't intend to rehash the finer details of risk management methodologies; rather, I've highlighted here some of the critical planning actions necessary for any data risk management methodology to reduce the potential for exposure of sensitive data and the likely impact of any such exposure.
Establish and maintain a comprehensive, up-to-date inventory of the agency's sensitive data assets, which may be much easier said than done. The challenge is greater today, thanks to the advent of cloud technologies, causing sensitive data to be stored increasingly in third-party servers outside of an agency's direct control. Within the agency's boundaries, it may be possible to use data loss prevention (DLP) technologies to scan servers and other agency-controlled hosts to identify sensitive data stored on those hosts or being transferred to or from them.
For identifying sensitive data stored in cloud environments, it may be possible to get a partial picture automatically through cloud use analysis services or products, which monitor and report all cloud activity involving an agency's users and systems. While that will not produce an inventory of sensitive data in cloud environments, at minimum it will indicate which cloud services are in use and by whom so that further investigation can be conducted.
Most agencies already have an information security plan, but it may not adequately take the security of sensitive data into account. At a minimum, any plan should define a scheme for information classification based on the sensitivity of the data — for instance, labeling it confidential, internal or public — so that the agency can define security policies and procedures corresponding to those classifications. The plan also should list any laws or any other regulations — such as the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standards (PCI DSS) — to which some or much of an agency's data are subject.
It is important to update the agency's incident response plan to address proper response in the case of a sensitive data breach. Government records, financial information and health records are all considered highly sensitive. Of course, it is also important to be technically prepared to handle such breaches: Conduct forensic analysis to determine the scope of the breach and correct exploited vulnerabilities to ensure that they are not taken advantage of again. It is just as important for the agency as a whole to be prepared from an organizational perspective. Be ready to compose notification messages and distribute them to the affected parties (faculty and staff, students, alumni, patients, etc.) in a timely manner, and offer protective compensation, such as credit monitoring services for financial information breaches. Far too often, agencies that suffer sensitive data breaches are criticized for a slow response; adequate incident response planning can speed response time.
It's been widely reported the past few years that internal users themselves are the largest cause of sensitive data breaches. Although many of these breaches are intentional (such as an employee stealing financial information in order to commit identity theft), the majority are inadvertent (such as an employee accidentally emailing sensitive information to unintended recipients or saving a copy of a sensitive file in an unsecured location). Many of those incidents could be avoided if users receive security awareness training. Tools such as DLP may also be helpful in blocking both accidental and intentional breaches or, at a minimum, warning users of the sensitivity of what they are doing and asking them to confirm their action before executing it.
The benefits of planning for data security cannot be overemphasized, but technical controls are also critically important.
Alongside DLP technologies, another fundamental technical control is storage encryption.
Desktops, notebooks, smartphones, tablets and other end-user devices should use full-disk encryption or its equivalent, and should require authentication — at minimum, a four-digit PIN — for users to gain access to the devices. This step can significantly reduce the likelihood that a lost or stolen device will lead to a sensitive data breach.
Agencies should also consider storing all sensitive data centrally (on servers), not locally, making the data much easier to safeguard by keeping it off end-user devices, where most government risk lies. Finally, strong access control and authentication (preferably multifactor) are needed to ensure that only authorized personnel are granted access to sensitive data in the first place.