“It’s the Data, Stupid!” is a re-wording of former President Clinton’s famous campaign slogan, “It’s the economy, stupid,” used during his run for president in an attempt to resonate with voters about the obvious systemic issues of that time. Fast forward to 2020, and the same can be said for securing your data. Keep “the main thing, the main thing.”
By Zachery S. Mitcham, MSA, CCISO, CSIH, VP and Chief Information Security Officer, SURGE Professional Services-Group
The CISO is designated by the enterprise to safeguard the confidentiality, integrity, and availability of all enterprise data. The CISO is tasked with the responsibility to develop and implement a security strategy that will satisfy this charge.
In keeping with basic security principles, you should never implement a security control that costs more than the data you are trying to secure. Each situation and enterprise is different. Therefore, your approach to securing your data should be tailor-fitted to your individual industry’s needs. There is no one-size-fits-all solution when it comes to securing your data. The approach or strategy you employ will largely depend on the nature of the industry you are in: Government Organization (GO), Non-Government Organization (NGO), Industrial, Scientific, Medical (ISM), Professional, or Technical. Additionally, it helps to understand the regulatory requirements mandated for data security in that industry.
If your data is critical to you and important enough for you to secure it, you should do so with a comprehensive layered approach. The crucial components of this layered approach are:
- Enterprise Policies
- Network Segmentation
- Multi-factor Authentication (MFA)
- Data Encryption
- Digital Rights Management (DRM)
- Data Loss Prevention (DLP)
- Common Vulnerabilities and Exposures (CVE) Scanning
- Offline – Standalone Security Controls
Let’s discuss each one independently.
Enterprise Policies
The institution must develop strong and ubiquitous policies that address responsibilities, responsible use, classification, security, and handling of the data maintained within the organization. Such policies are paramount to the overall collective approach that must be taken to ensure the confidentiality, integrity, and availability of that data.
Educating your constituents on these policies is a must in order to ensure stakeholders buy into the program.
Network Segmentation
Network segmentation is necessary when you need to isolate your sensitive data from those who have no need to know what it is. It is also a means of satisfying certain industry data security requirements. The Payment Card Industry Data Security Standard (PCI DSS) v3.2, for example, states that the scope of the cardholder data environment can be reduced by compartmentalizing card data and separating/isolating it from other data stored within the enterprise, which can be achieved through network segmentation. Network segmentation is simply the division of an enterprise network into subnets, making it easier for administrators to control the flow of information via specialized policies. This type of segmentation is often done by establishing Virtual Local Area Networks (VLANs), which partition a computer network at Layer 2 of the Open Systems Interconnection (OSI) model, otherwise known as the Data Link Layer.
Multi-Factor Authentication (MFA)
Requiring multiple verification methods to gain access to a system adds complexity for an intruder and contributes to the overall hardening of the enterprise computing environment. Authentication factors consist of something that you are, something that you have, something that you know, or any combination thereof. MFA is a tool utilized as part of access control measures, serving as an essential computing gateway to ensure that access to the data is granted only to those who are authorized to have it. Employing MFA in the enterprise’s tactical plan for data security is paramount.
Data Encryption
Encrypting the data that you want to protect places a logical lock on it, making it accessible only to those who can decrypt it. Its purpose is to protect the confidentiality of digital data. It is only as good as the encryption algorithm that is used for this purpose. Case in point, a deprecated encryption algorithm that is easily cracked cannot protect data confidentiality. Therefore, strong encryption is recommended if the data’s confidentiality is worth safeguarding.
Digital Rights Management (DRM)
Sensitive data in the form of personally identifiable information (PII), intellectual property, research, trade secrets, or any combination thereof accounts for more than 99% of an enterprise’s data that needs to be safeguarded. The security of this data begins with its creation. Several document development suites containing spreadsheet, presentation, word processing, and database management applications incorporate DRM within them.
DRM allows the creator to restrict access to only those who need to know, set time limits on user access, disallow screen capture, and restrict printing, downloading, and forwarding of specific information. This is an essential fail-safe feature that protects the data if it falls into the wrong hands.
Data Loss Prevention (DLP)
DLP tools are used to inspect data that resides within a computing system in accordance with provisions outlined in predefined regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), or the Gramm-Leach-Bliley Act (GLBA), for example. These tools are implemented on computer systems to assist with preventing data egress, whether intentional or unintentional.
Common Vulnerabilities and Exposures (CVE) Scanning
The enterprise must develop a routine CVE scanning strategy to identify weaknesses/vulnerabilities within its network. Security features and systems can become deprecated over time. They must be updated to address emerging threats developed by intruders to circumvent the control measures put in place to safeguard data.
Offline – Standalone Security Controls
The enterprise often overlooks the importance of safeguarding its data that exists in paper form. Paper documents must be treated with the same level of sensitivity as logical data. Sensitive information in paper form must be kept under lock and key when not in use. Clean desk policies must be established and enforced to maintain the security of the data continually. A data breach is a data breach, whether it takes place virtually or in the form of paper.
I once asked a major data security vendor whether, if I purchased every security product he had available, he could guarantee that my data would never be breached. He answered without hesitation: no. The bottom line is that as long as your network has human interaction, it will never be 100% secure nor impenetrable. Given that this is the best case you can ever make, endeavor to make your data as inaccessible as possible to unauthorized entities. The most effective way to do this is through a layered approach to defense. Utilizing all the tools mentioned above in tandem will provide a comprehensive strategy for safeguarding your data.
It’s the Data, Stupid!
This story first appeared in the September 2020 issue of CISO MAG.
About the Author
Zachery S. Mitcham, MSA, CCISO, CSIH is the VP and Chief Information Security Officer at SURGE Professional Services-Group. He is a 20-year veteran of the United States Army, where he retired as a Major. He earned his BBA in Business Administration from Mercer University’s Eugene W. Stetson School of Business and Economics. He also earned an MSA in Administration from Central Michigan University. Zachery graduated from the United States Army School of Information Technology, where he earned a diploma with a concentration in systems automation. He completed a graduate studies professional development program, earning a Strategic Management Graduate Certificate at Harvard University Extension School. Mr. Mitcham holds several computer security certificates from various institutions of higher education, including Stanford, Villanova, Carnegie Mellon University, and the University of Central Florida. He is certified as a Chief Information Security Officer by the EC-Council and as a Certified Computer Security Incident Handler by the Software Engineering Institute at Carnegie Mellon University. Zachery received his Information Systems Security Management credentials as an Information Systems Security Officer from the Department of Defense Intelligence Information Systems Accreditation Course in Kaiserslautern, Germany.
CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views expressed in this article are personal.