Determine Data Security Controls
Data security controls employed by the states of data, standards, scoping, tailoring, and data protection methods. Data exists in one of three states:
- Data at rest: Data that lives in external or auxiliary storage devices, such as hard disk drives (HDDs), solid-state drives (SSDs), optical discs (CD/DVD), or even on magnetic tape.
- Data in motion: Data that is moving between computing nodes over a data network such like the Internet and by e-mail, FTP, and messaging.
- Data in use: The information that is currently in use. This is the data available in endpoints.
These states are interrelated with each other.
A number of standards are available to determine security controls:
- PCI-DSS (Payment Card Industry Data Security Standard) : PCI-DSS is a security standard created by the Payment Card Industry Security Standards Council (PCI-SSC). The council is comprised of American Express, Discover, Master Card, Visa, and others. PCI-DSS pursues to protect credit cards by requiring vendors using them to take specific security precautions.
- OCTAVE® : This Standard describes a three-phase process for managing risk. Phase 1 identifies staff knowledge, assets, and threats. Phase 2 identifies vulnerabilities and evaluates precautions. Phase 3 conducts the Risk Analysis.
- ISO 17799/27002: ISO 17799 was a broad approach for information security code of practice by the IOS. ISO 17799 was renumbered to ISO 27002 in 2005, to make it consistent with the 27000 series of ISO security standards.
- COBIT: It stands for Control Objectives for Information and related Technology. COBIT was developed by ISACA (Information Systems Audit and Control. COBIT has four domains: 1- Plan and Organize 2- Acquire and Implement 3- Deliver and Support 4- Monitor and Evaluate.
- ITIL® (Information Technology Infrastructure Library): ITIL® contains five Service Management Practices:1- Service Strategy: helps to provide IT services 2- Service Design: details the infrastructure and architecture required to IT services 3- Service Transition: describes taking new projects 4- service Operation: covers IT operations controls 5- Continual Service Improvement: describes ways to improve IT services.
Scoping and Tailoring
Scoping: The process of determining which portions of a standard will be employed by an organization.
Tailoring: The process of customizing a standard for an organization.
Scoping and Tailoring include the following:
- Identifying and designating common controls in initial security control baselines.
- Application of scoping considerations to the remaining baseline security controls.
- Selecting compensating security controls, if needed.
- Assigning specific values to organization-defined security control parameters.
- Adding baselines with additional security controls and control enhancements, if needed.
- Providing additional specification information for control implementation, if needed.
Data Protection Methods
By using cryptographic methods, confidentiality and integrity requirements can be achieved more effectively. The following are some of the common cryptographic methods used in data security controls:
- Encryption: Converting data to a meaningless form. This is done by the encryption key. There are different types of keys with different lengths. The person holding the encryption key can restore the data in an understandable way. The Crypto-Variable is method of data protection will ensure confidentiality.
- Hashing: This method of data protection will ensure integrity. Data may be altered or modified by an unauthorized entity to commit fraud. Hashing or message digest methods are used to detect and prevent unauthorized modifications. In hashing, based on the contents of the document, a cryptographic value is computed that is called a Checksum.
- Digital signatures: In digital communications, establishing the identity of the receiver or the sender can be accomplished through digital signatures. Read more.