Data has a lifecycle that runs from ingest or creation to archiving or destruction. During its lifetime, data moves through an organization and may be touched by many different users and organizations along the way, and at every stage there is a risk of leakage, theft, or accidental exposure of proprietary information. A data security plan addresses and documents the security controls that apply throughout the entire data lifecycle. If you are looking to create a data security plan, this example walks you through the main components you need to consider.
The Data Security Plan Overview
The data security plan is your guiding document for ensuring security every step of the way through the data lifecycle. It is a living document and may be changed as technology changes, as data changes, and as security needs change. It should be reviewed at least annually to make required updates, to remove outdated technology, and to add security features as needed. These are the components that should be in a data security plan.
Asset Inventory
An accurate, up-to-date asset inventory is an essential part of the data security plan and should be the first step your organization takes in creating the plan. An inventory is an auditable record that security professionals can turn to as needed when determining security controls and investigating security incidents.
In your plan, you must identify all assets in your organization and record details of each one. Hardware assets should be recorded separately from data assets. Each hardware asset record should include at least the following data points:
- Asset type
- Asset name
- Serial number
- Internal inventory identification/asset tag number
- Asset owner/responsible party
- Warranty information.
Hardware assets include servers, workstations, laptops, routers, bridges, firewalls, switches, uninterruptible power supplies (UPSs), external disks, MiFi devices, tablets, mobile phones, and any other device capable of storing or transmitting data on a network.
Data and software assets must also be inventoried, recorded, and kept in the data security plan. Examples of data assets include policies, procedures, knowledge bases, raw data, statistical data, patient records, contact information, plans, proprietary code, customer information, and any other data stored, processed, created, ingested, or collected that might be sensitive, confidential, or secret, or that falls under the controlled unclassified information (CUI) designation used by the US government. The data type, data owner, storage location, and classification should be identified for each data asset.
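An inventory is only auditable if every record is complete and every identifier is unique. The following script, an added example that is not part of the original article, checks a hardware inventory and a data inventory for the gaps that cause trouble during an incident: missing owners or serial numbers, duplicate serials or asset tags, and sensitive data with no owner, no location, or an unrecognised classification. The column names, the classification scheme, and the CSV rows are assumptions constructed for illustration; substitute the export from your own discovery tool or spreadsheet.

```python
"""Audit a hardware and a data asset inventory for missing fields,
duplicate identifiers, and unclassified data.

Added example, not code from the original article. The column names,
the classification set and the sample rows are constructed assumptions.
"""
import csv
import io

# Required columns, following the data points the plan asks for.
HARDWARE_FIELDS = ("asset_type", "asset_name", "serial_number",
                   "asset_tag", "owner", "warranty_expires")
DATA_FIELDS = ("data_type", "data_owner", "storage_location", "classification")
# Assumed classification scheme; adjust to your own labels.
CLASSIFICATIONS = {"public", "internal", "confidential", "secret", "cui"}

# Constructed sample inventories (not real assets). Line 4 of the hardware
# list has no owner and reuses a serial number; line 5 has no serial number.
HARDWARE_CSV = """asset_type,asset_name,serial_number,asset_tag,owner,warranty_expires
server,db01,SN-1001,TAG-0001,dba-team,2026-03-31
laptop,lt-alice,SN-2002,TAG-0002,alice,2025-11-30
laptop,lt-bob,SN-2002,TAG-0003,,2025-11-30
firewall,fw-edge,,TAG-0004,netops,2027-01-15
"""

# Line 4 has no owner; line 5 uses a label outside the classification scheme.
DATA_CSV = """data_type,data_owner,storage_location,classification
patient_records,clinical-ops,db01:/srv/ehr,confidential
source_code,eng,git.internal,internal
customer_contacts,,crm-saas,confidential
export_controlled_specs,eng,nas01:/cui,top-secret-ish
"""


def _rows(text):
    """Parse CSV text into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def check_hardware(rows):
    """Flag missing required fields and duplicate serials or asset tags."""
    findings = []
    seen_serial, seen_tag = {}, {}
    for n, row in enumerate(rows, start=2):  # line 1 is the header
        for field in HARDWARE_FIELDS:
            if not (row.get(field) or "").strip():
                findings.append(f"hardware line {n}: missing {field}")
        for field, seen in (("serial_number", seen_serial), ("asset_tag", seen_tag)):
            value = (row.get(field) or "").strip()
            if value and value in seen:
                findings.append(f"hardware line {n}: duplicate {field} {value} "
                                f"(also line {seen[value]})")
            elif value:
                seen[value] = n
    return findings


def check_data(rows):
    """Flag data assets with no owner/location/type or an unknown classification."""
    findings = []
    for n, row in enumerate(rows, start=2):
        for field in DATA_FIELDS:
            if not (row.get(field) or "").strip():
                findings.append(f"data line {n}: missing {field}")
        cls = (row.get("classification") or "").strip().lower()
        if cls and cls not in CLASSIFICATIONS:
            findings.append(f"data line {n}: unknown classification {cls!r}")
    return findings


def audit_inventory(hardware_csv=HARDWARE_CSV, data_csv=DATA_CSV):
    """Return every finding for both inventories; an empty list means clean."""
    return check_hardware(_rows(hardware_csv)) + check_data(_rows(data_csv))


if __name__ == "__main__":
    for finding in audit_inventory():
        print(finding)
```

Run it against a fresh export before each annual review, or from a scheduled job; a non-empty findings list is the work queue for the asset owners, and a duplicate serial number usually means a decommissioned device was never removed from the record.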
Disaster Recovery
Disaster recovery (DR) is a significant component of the data security plan and should be covered thoroughly for each asset described in the Asset Inventory. Disaster recovery provisions include:
- Offsite storage
- Hot sites
- Warm sites
- Backups and backup rotation
- Secure storage
- Redundant hardware
- Battery backups
- Data retention
- Redundant connectivity.
This portion of the data security plan may largely mirror the business disaster recovery plan; the two differ in that the data security plan must identify the specific security controls that protect each recovery component (for example, that offsite copies are encrypted and that access to them is logged).
Examples of data and asset protection information for a data security plan are:
- Servers are backed up daily to a secure backup server via network backup software. Each server has encrypted RAID 10 drive arrays. Each server is equipped with redundant network connections and redundant power supplies, and is connected to a UPS unit.
- Workstations all have brand X cloud-based backup software installed and all user data is backed up hourly.
Physical Security Controls
Physical security controls must be included in your data security plan. Gates, security guards, visitor policy, security cameras, monitoring/alerting, door alarms, locks, keycard access, retina scanners, fingerprint scanners, locked doors, combination locks, and access code protection must be listed for general areas such as building access, server room/data center access, and theft control and access for computing hardware (servers/workstations), where applicable.
Network Security Controls
Network protection is the basic defense against intrusion and data theft from external sources. Network controls begin with an externally facing firewall that denies inbound traffic by default and allows only the few specific protocols the organization actually needs. In this section of the data security plan, security administrators should outline controls that include firewalls, secure WiFi, virtual private network (VPN) connectivity, VLAN network segmentation, encryption of data in transit, and the disabling of unused Ethernet ports.
Data Storage and Retention
Policies, procedures, and guidelines covering data storage and retention are required for the data security plan. Storage includes storage type, encryption of data at rest, offsite storage, multiple-copy policies, retention policies, and decommissioning policies and procedures. Data destruction procedures for each storage medium should be described in detail. Paper, disks, portable drives (USB), laptops, tablets, workstations, and mobile devices all must be covered in this section.
Data Transmission Controls
Transmission controls include encrypted backups, encryption of data in transit, encrypted email, mobile device data transmission, and fax controls. Regulatory compliance for some industries includes suggested and required network controls, which should be covered in this section of the data security plan. This section also includes data loss prevention (DLP) measures and controls.
Authentication and Authorization
Authentication and authorization controls and policies require new users to request access to protected assets such as physical building access, VPN gateways, Active Directory domains, network shares, and other internal corporate assets. Administrators should adhere to the principle of least privilege and should implement role-based access control (RBAC), attribute-based access control (ABAC), or a hybrid of the two.
All asset access and activity should be traceable and auditable to a specific user, so there should be no shared accounts. All access to protected assets is granted on a need-to-know basis. Administrators should hold two accounts: one for administrative duties and one for general use, so that day-to-day email and browsing never run with administrative privileges.
All security controls for this section must be documented, which may include username/password, multi-factor authentication, keycard access, biometrics, and other solutions. Periodic access reviews should verify that each user's access is still required. Further security in this area may need to include secure onboarding, offboarding, and role-change practices.
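The rules in this section (least privilege, a hybrid of RBAC and ABAC, need-to-know, separate administrative accounts, no shared accounts, and every decision traceable to a named user) fit together in one small policy engine. The following is an added example written for this article, not code from the original page: roles grant permissions (the RBAC layer), and attributes of the user and the resource then narrow what a role may do (the ABAC layer). The role names, the attribute set, the sample principals, and the resource are assumptions constructed for illustration.

```python
"""Hybrid RBAC + ABAC authorization check with a per-user audit trail.

Added example, not code from the original article. The roles,
permissions, attributes and sample principals are constructed
assumptions chosen to illustrate the rules in the text.
"""
from dataclasses import dataclass

# RBAC layer: each role grants a fixed set of permissions (assumed names).
ROLE_PERMISSIONS = {
    "analyst":  {"db:read"},
    "dba":      {"db:read", "db:admin"},
    "helpdesk": {"ad:reset-password"},
}
# Permissions that may only be exercised from a separate admin account.
ADMIN_PERMISSIONS = {"db:admin", "ad:reset-password"}


@dataclass(frozen=True)
class Principal:
    username: str
    roles: frozenset
    department: str
    mfa: bool = False            # authenticated with a second factor
    admin_account: bool = False  # the administrator's second, admin-only account
    shared: bool = False         # generic/shared logins are never authorized


@dataclass(frozen=True)
class Resource:
    name: str
    department: str
    classification: str          # "internal" or "confidential" (assumed labels)


AUDIT_LOG = []  # every decision, allowed or denied, tied to a username


def authorize(user, action, resource):
    """Allow only if RBAC grants the action and every ABAC rule holds.

    The rules are evaluated in order and the first failing rule becomes the
    recorded reason, so an audit entry always explains a denial.
    """
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    reason = "ok"
    if user.shared:
        reason = "shared accounts are not permitted"
    elif action not in granted:
        reason = f"no role grants {action}"
    elif action in ADMIN_PERMISSIONS and not user.admin_account:
        reason = "admin permission requires the admin account"
    elif resource.classification == "confidential" and not user.mfa:
        reason = "confidential data requires MFA"
    elif resource.classification == "confidential" and user.department != resource.department:
        reason = "need-to-know: department mismatch"
    allowed = reason == "ok"
    AUDIT_LOG.append({"user": user.username, "action": action,
                      "resource": resource.name, "allowed": allowed,
                      "reason": reason})
    return allowed


def demo():
    """Exercise the rules against constructed principals; returns decisions."""
    ehr = Resource("ehr-db", "clinical", "confidential")
    alice = Principal("alice", frozenset({"analyst"}), "clinical", mfa=True)
    bob = Principal("bob", frozenset({"analyst"}), "finance", mfa=True)
    carol = Principal("carol", frozenset({"dba"}), "clinical", mfa=True)
    carol_adm = Principal("carol-adm", frozenset({"dba"}), "clinical",
                          mfa=True, admin_account=True)
    shared = Principal("dba-shared", frozenset({"dba"}), "clinical",
                       mfa=True, admin_account=True, shared=True)
    return {
        "alice reads ehr": authorize(alice, "db:read", ehr),          # True
        "bob reads ehr": authorize(bob, "db:read", ehr),              # False
        "carol admins ehr": authorize(carol, "db:admin", ehr),        # False
        "carol-adm admins ehr": authorize(carol_adm, "db:admin", ehr),  # True
        "shared account admins ehr": authorize(shared, "db:admin", ehr),  # False
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allowed' if allowed else 'denied'}")
    for entry in AUDIT_LOG:
        print(entry)
```

The ordering of the checks is deliberate: the shared-account rule comes first because nothing a shared login does can be attributed to a person, and the admin-account rule comes before the data rules because it must hold regardless of what is being touched. In a real deployment the audit entries go to the SIEM rather than a list, but the shape (who, what, on which asset, allowed or not, and why) is what an investigator needs.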
Implementing the Data Security Plan
It’s one thing to draft a data security plan, but it’s quite another to implement one. Chances are good that you already have a significant number of the prescribed security controls in place, and you only need to implement and enforce what you lack. You’ll also need to budget for new hardware, software, security controls, training, personnel, and external consultancy to help you implement and maintain your plan.
Budgeting for your Plan
Government and industry regulations require a best effort in implementing security controls. The bodies that write them are made up of people who realize that implementing new technologies, hiring new personnel, and using external assistance are expensive undertakings. Most agencies allow you to phase in your plan over several quarters or even multiple years to help spread out the costs of implementation.
Putting the Plan into Practice
You’ll probably have to purchase new hardware and software to fully protect your data assets. Training is essential to make everything work properly and to maintain your new infrastructure and software assets. Documentation, governance, and additional meetings are all additional burdens that you will have to factor into your overall cost of implementation.
For example, documenting your hardware assets requires time. Even if you have an automated discovery solution, there will be data points that you have to add to the asset records by hand. You also have to realize that the inventory is always in flux: you purchase new hardware, decommission old hardware, repurpose hardware, return user licenses to the pool, and reassign user licenses on a continuous basis. Maintaining the inventory requires effort from your staff.
Governance also requires effort from multiple people. Change management requires that all changes go through governance, which in turn requires documentation and adherence to secure practices. All of this effort must be accounted for when implementing a plan, because it’s likely that much of it is new to your organization.
As new security threats arise, you’ll have to reassess your security controls for the network, computing hardware, mobile devices, anti-malware, data storage, and more. The data security plan is always a work in progress and should never be thought of as a simple policy or guideline. It is a working, living document that governs how you secure your data on an ongoing basis.
Partner with Experts in Data Security
One way to shorten the process of creating a data security plan is to outsource some of the work. Partnering with experts for managed servers means a trusted partner is monitoring the cybersecurity of that portion of your data. Whether you store your data in-house or choose to colocate, you’ll still need a data security plan for all your assets. If you’re interested in data hosting off-site, contact ColoCrossing to learn more about our services.