The following information is a part of our free cybersecurity and compliance Academy course.
How to Properly Manage Sensitive Data Overview
You likely handle and process many types of data at your business every day. Some of it—like your inventory data—may not need protection. However, information your customers give you will most likely need to be protected.
Sensitive data can include:
Credit card and banking data
Social security or other identifying numbers
Birthdate, address, or age
And physical or mental health records
Depending on what kinds of sensitive data you handle, certain security mandates—like HIPAA, PCI, or GDPR—may apply to you. Each mandate has its own requirements for how you need to handle and process that data. Requirements could include things like data-flow diagrams or risk analyses.
But, regardless of whether any of these mandates apply to your business, it’s crucial that you take seriously the responsibility to protect sensitive data.
This section will outline what you need to know and the steps you need to take.
Risk Assessment and Risk Management Plan
CONDUCT A RISK ASSESSMENT
Organizations should annually perform a formal risk assessment. The purpose of the risk assessment is to help organizations document potential security vulnerabilities, threats, and risks.
A vulnerability is a flaw in system security controls that could lead to sensitive data being improperly accessed. For example, let’s say you have a system that requires your employees to log in using a username and password. That would be a system security control. Let’s imagine that you don’t have a good process in place for removing account access when an employee leaves the company. That lack of process is a vulnerability.
A threat is a person, group, or thing that could take advantage of a vulnerability. For example, what would happen if you have a disgruntled employee who leaves the company? They might want to get back into the system and obtain sensitive data after they were terminated. That disgruntled employee is a threat.
Risk is determined by understanding the probability of a threat exploiting a vulnerability and combining this probability with the potential impact to your organization. Thinking again about our disgruntled employee, how likely is it in your organization that someone will leave your organization and then gain improper access to sensitive data, and what would be the impact to your organization if it happened? That exploit probability combined with exploit impact is your risk.
THREAT + VULNERABILITY = EXPLOIT
EXPLOIT PROBABILITY X EXPLOIT IMPACT = RISK
Here are 5 steps to help you conduct your own risk assessment and develop a risk management strategy:
STEP 1: MAP OUT YOUR DATA FLOW
To protect data, you have to know where it is created, received, transmitted, and maintained in your organization. This is called your scope. To identify your scope, you have to understand how sensitive data flows within your organization.
Start with the assumption that everything is in scope until you’ve verified otherwise. Verifying that a system is out of scope requires that you confirm proper network segmentation and make sure necessary controls are in place.
There are four main parts to consider when defining your scope:
Where sensitive data is created or enters your organization
What happens to it in your systems (such as processing, storage, etc.)
Where it leaves your environment
Where potential or existing leaks may be
Afterwards, you need to follow all possible leaks, which can be best done by creating a data flow diagram. A data flow diagram documents all the information you found in your environment, and lays it out in a graphical format.
Create a diagram that shows how data enters your network, the systems it touches as it flows through your network, and any point at which it may leave your network.
STEP 2: IDENTIFY VULNERABILITIES, THREATS, AND RISKS
Once you understand the scope of your environment, you can start listing the vulnerabilities and threats related to that environment. Consider the following:
What vulnerabilities exist in your systems, applications, processes, or people?
What threats exist that could exploit each of those vulnerabilities?
What probability does each potential exploit carry?
STEP 3: ANALYZE YOUR RISK LEVEL
You need to decide what risks could and/or will impact your organization, your data, and ultimately, your customers. Risk ranking is a crucial part of your risk analysis that will eventually translate to your risk management plan.
STEP 4: CREATE YOUR RISK MANAGEMENT PLAN
The risk analysis outcome, with its risk rankings, provides the basis for your risk management plan. The risk management plan is the step that works through issues discovered in the risk analysis and provides a documented instance proving your active acknowledgment (and correction) of data risks.
STEP 5: TEST YOUR ENVIRONMENT
It’s difficult—if not impossible—to find every weakness in your organization on your own. To take your security to the next level and to avoid weaknesses in your system, consider implementing additional security services such as:
Internal and external vulnerability scans: Automated testing for weaknesses inside and outside your network
Penetration tests: Live, hands-on testing of your system’s weaknesses and vulnerabilities
Gap analysis: Consultation on where your gaps in security and compliance exist and what steps need to occur next
A complete and thorough risk analysis is critical as the launching pad for securing your sensitive information.
The purpose of the risk analysis is to help organizations document potential security vulnerabilities, threats, and risks.
- White Paper: Your PCI Risk Assessment in Five Steps
- White Paper: Your HIPAA Risk Analysis in Five Steps
- Article: What is a Risk Assessment, and Why Does Your Business Need One?
- Article: How to Start a HIPAA Risk Analysis
- SecurityMetrics Solution: SecurityMetrics PANscan®
- SecurityMetrics Solution: SecurityMetrics PIIscan
- SecurityMetrics Solution: Consulting
If you need to keep data on your systems for any period of time, you should encrypt it. Encryption renders stored data useless to attackers by turning it into unusable strings of indecipherable characters. Because encryption technology is very specialized and very complex, it is not a good idea to come up with your own encryption algorithms, always use an industry accepted and proven encryption method.
Industry best practice would be to use these encryption types: AES-128, AES-256, or better.
If you get into encryption of card data (or other sensitive data), the most common mistake is poor encryption key management. The keys used to encrypt data must be protected very carefully and not shared openly or easily. Key management process is typically a pretty involved process be sure to get some help as you develop your process for protecting, using and changing encryption keys.
Due to the complexity of encryption rules, some SMB organizations choose not to store sensitive information at all but pass it on to service providers to look after. You can use technologies such as 3rd party tokenization or data vaults to store your sensitive data.
FULL DISK ENCRYPTION
Historically, one of the largest reported threats to electronic data has been loss or theft of a physical device. While employing adequate physical security and mobile device procedures is the first line of defense to prevent these types of incidents, they still sometimes occur despite an organization’s best efforts.
Which is why full disk encryption is the best way to protect you from penalties associated with a breach when a device is lost or stolen. For example, the HITECH act of 2009 modified the HIPAA Breach Notification Rule, stating that if a device is lost or stolen and it can be proven that the data is unreadable by either secure destruction or encryption, the loss may not need to be reported as a breach.
Full disk encryption for laptops and desktops is very easy to put into use and usually comes with no additional cost as most current operating systems come equipped with the capability. But most of these solutions rely on your login password as a key for the decryption; this means that your full disk encryption is only as secure as your login password. There is full disk encryption software that can be installed that do not rely on your login password but implement a second decryption passphrase. This is more secure but less user-friendly.
IMPLEMENT MOBILE ENCRYPTION
If you can, avoid storing sensitive information on any type of mobile computing platform (such as laptops, smartphones, tablets) to limit the threat of a data breach altogether.
If you need to store data on smartphones or tablets, you need to be mindful because encryption software may not be as readily-available and easy to maintain from a corporate perspective. Don’t forget about these mobile devices when conducting your risk assessment; be sure to consider the access to and presence of sensitive data on these platforms.
Additionally, if you backup your mobile device on your hard drive, ensure the backups are encrypted.
Article: Securing Mobile Devices with Mobile Encryption
SecurityMetrics Solution: SecurityMetrics PANscan®
SecurityMetrics Solution: SecurityMetrics PIIscan
PROPERLY DESTROYING SENSITIVE DATA
As you work on your risk management plan, place high priority on removing any unnecessary sensitive data.
The first step to managing/deleting old data is deciding how long you need to keep data. For example, many states have requirements on the amount of time that healthcare organizations must keep patient data. This can be for uses and disclosures and even the patient record. Hence, organizations commonly maintain data for a minimum of a decade. Also, if a patient has passed away, there will be additional requirements for data retention that healthcare organizations need to consider.
If you delete sensitive information such as patient records, Social Security Numbers, credit card numbers, it’s probably still on your computer and accessible to attackers. When you empty the Recycle Bin or Trash, it doesn’t actually wipe the files off your computer. It simply marks the files as acceptable to overwrite and are generally no longer visible to the user.
For the average user, those files are nearly impossible to retrieve because the operating system deletes the references to those files. Yes, your computer can’t find those files for you anymore, but they still exist. For those with more advanced computer skills (aka hackers), that data is still accessible by looking at the unallocated disk space.
Think of the Recycle Bin or Empty Trash like putting sensitive documents in the trash can next to your desk. You can easily retrieve these documents if you need to. All you do is pull them out of the trashcan.
Overwriting is the process where software or hardware products are used to overwrite media with non-sensitive data. It can be a great way to securely delete sensitive data on systems still in use. However, make sure that you use an iterative overwrite on all the data referenced, not just part of it.
Degaussing on the other hand is useful if you have magnetic tapes and hard drives. Degaussing uses a special device that uses an electro-magnet with massive field strength to erase data on magnetic media. This method is particularly helpful if you want to reuse the hardware.
One of the most secure methods to permanently delete data is to physically destroy it. Prior to destruction, keep the media in a locked container labeled something like “To Be Shredded”.
You can then go to an organization that has industrial-sized shredders to dispose of larger hardware. Some types of media require physical destruction for secure data deletion. Solid state drives (SSD) and optical media like DVDs and CDs generally must be destroyed physically.
When thinking about how to permanently delete files off your network, don’t forget about any archived data, including:
External hard drive backups
CD or DVD backups
Article: Secure Data Deletion: Permanently Deleting PHI in Healthcare
Wireless Networks (Wi-Fi)
Many organizations nowadays have wireless networks (i.e., Wi-Fi), with guest Wi-Fi access becoming a norm. The problem is many offices don’t have their Wi-Fi set up correctly with adequate encryption, turning this free amenity into a liability.
This is also the case if you do not segment guest and non-guest wireless networks with a firewall. If you haven’t segmented your networks, you probably have allowed access to your system and data, and you don’t even know it. Guest wireless networks should always be segmented from your non-guest wireless network by a firewall.
In addition, make sure that only staff can connect to your non-guest network(s) with approved devices, and these devices follow your BYOD policies.
WIRELESS SECURITY BEST PRACTICES STOP USING SSL/EARLY TLS WHERE POSSIBLE
Based on vulnerabilities in web encryption, if your organization has existing implementations of SSL and early TLS not necessary for regular business operations, immediately remove or discontinue all instances. New implementations should not use SSL or early TLS.
If you need to continue using SSL/early TLS, consider implementing the following:
Upgrade to a current, secure version of TLS configured not to accept fallback to SSL or early TLS.
Encrypt data with strong cryptography before sending over SSL/early TLS (i.e., use field-level or application-level encryption to encrypt data prior to transmission).
Set up a strongly-encrypted session first (e.g., IPsec tunnel), then send data over SSL within the secure tunnel.
Check firewall configurations to see if SSL can be blocked.
Check that all application and system patches are up to date.
Check and monitor systems to ID suspicious activity that may indicate a security issue.
Security best practice is to set up your Wi-Fi with Wi-Fi Protected Access II also known as WPA2. Since 2006, WPA2 has been the most secure wireless encryption standard. For additional protection, use a virtual private network or VPN to encrypt your Internet traffic.
Avoid using outdated wired equivalent privacy (WEP) encryption, as it is easy to compromise.
Another important safety aspect is to make sure the Wi-Fi password is secure. Don’t use the default password or username that comes with the wireless router.
SCAN ROGUE WIRELESS ACCESS POINTS
Rogue wireless access points can allow attackers unauthorized access to secure networks, granting them the access to attack your network remotely.
Which is why it’s vital to scan for rogue wireless access points, particularly if they are attached to your non-guest network. This helps you identify which access points need to be changed.
- Article: Wireless Access Point Protection: Finding Rogue Wi-Fi Networks
- Article: Could Your Waiting Room Wi-Fi Be Sabotaged?
- Article: WPA2 Security Flaw “KRACK” Puts Wi-Fi Devices at Risk
Secure Remote Access
REMOTE ACCESS BASICS
Remote access applications, such as GoToMyPC, LogMeIn, pcAnywhere, or RemotePC allow employees to work from home. For example, doctors often prefer to access patient data outside of the office, and some IT and support teams use remote access to manage the network offsite.
Remote access is great for workforce convenience, but can cause issues for security. Often, remote access is not properly implemented with adequate security, such as implementing multi-factor authentication.
Attackers commonly target organizations that use remote access applications. If a remote access application is vulnerable, it allows an attacker to completely bypass firewalls and gain direct access to sensitive networks and data.
ENABLE MULTI-FACTOR AUTHENTICATION (MFA)
Remote access can be secure as long as it uses strong encryption and requires at least two independent methods of authentication. Be sure to enable strong/high encryption levels in your remote access configuration.
Configuring multi-factor authentication requires at least two of the following three factors:
Something only the user knows (e.g., a password)
Something only the user has (e.g., a cell phone, an RSA SecureID token)
Something the user is (e.g., a fingerprint, ocular scan, voiceprint)
A few examples of effective multi-factor authentication include:
The remote user enters their username and password, and then must enter an authentication code that is available to them through an RSA token in their possession.
The remote user enters a password and biometric to log in to a smartphone or laptop. The individual then provides a single authentication factor (e.g., another password, digital certificate, signed challenge response) to connect to the corporate network.
Multi-factor authentication makes things difficult for attackers. For example, if you implement google authenticator on your phone, an attacker would have to learn your password and have your cell phone before being able to gain remote access to your systems.
Ideally, your authentication mechanisms should be independent of each other; or in other terms, there’s a physical separation between mechanisms, so that access to one factor does not grant access to another, and if one factor is compromised, it does not affect the integrity or confidentiality of any other factor.
If a remote access application configuration only requires a username and password, the application has been configured insecurely.
- White Paper: Securing Your Remote Desktop Connection
- Webinar: Understanding the New Multi-Factor Authentication Supplement
- Article: Configuring Your Remote Desktop Connection: What You’re Doing Wrong
How to Properly Manage Sensitive Data Quiz
You dispose of sensitive documents by… (Choose only ONE best answer.)
Throwing them in the trash
You should conduct risk assessments… (Choose only ONE best answer.)
Every five years
Every other year
Which of the following can be used as multi-factor authentication factors: (Choose only ONE best answer.)
Something only the user “knows” such as a password
Something only the user “has” such as a cell phone or an RSA SecureID token
Something the user “is” such as a fingerprint, ocular scan, or voiceprint
All of the above
If you need to store sensitive data, you should… (Choose only ONE best answer.)
Not encrypt it
Answer Code: Q1: C, Q2: C, Q3: D, Q4: B