Information Handling - Data Leak Prevention in the Corporate World
Published on 26 Jan 2018
by GOsafeonline
Data classification, in the context of information security, is the classification of data based on its level of impact to the organisation if disclosed, altered or destroyed without authorisation. To protect the company’s valuable data and to enable the employees to recognise them, a data classification plan should be included in the corporate policy of a company. There are various classifications that an organisation may adopt, depending on the company’s needs. Some common classification levels are “Secret”, “Confidential”, “Restricted”, “Public”, etc. By classifying data according to these levels, it helps to determine the type of security controls that are required for safeguarding that data.
Answer the 10-question checklist below to determine if your company has implemented measures to prevent the leakage of data:
Checklist
Personnel
1. Does your company require employees to sign a non-disclosure or confidentiality agreement?
(a) Yes (b) No
2. Are your company’s employees aware of the information security threats and concerns, their responsibilities and liabilities in safeguarding the company’s data?
(a) Yes (b) No
3. Is there a process in place to ensure that all system accounts owned by former employees are terminated within a defined period?
(a) Yes (b) No
Policy
4. Does your company have a policy that defines the classification of data?
(a) Yes (b) No
If your answer to question 4 is “Yes”, please answer questions 5 and 6.
5. Does the classification policy define the protection measures for various data classification levels and storage media types (e.g. paper, CDs, hard disks, etc.)?
(a) Yes (b) No
6. Does your company have guidelines that defines the methods to destroy sensitive/classified data?
(a) Yes (b) No
Enforcement
7. Does your company enforce the labelling of all information with their respective data classification levels?
(a) Yes (b) No
8. Is the transmission of classified data restricted to official communication channels (e.g. internal corporate email) and storage media only?
(a) Yes (b) No
9. Does your company provides employees with the necessary tools to destroy sensitive/classified data (e.g. paper shredder, secure erasure software, etc.)?
(a) Yes (b) No
10. Does your company implement measures (e.g. Data Loss Prevention software, restrict transfer of company’s data to Internet or non-official storage media, etc.) to prevent the leakage of data through endpoint devices (e.g. employee’s laptop)?
(a) Yes (b) No
If your answer to all the questions is “Yes”, WELL DONE! You have some security measures in place to prevent data leakage in your company. However, these are not the only measures that you can put in place to prevent data leakage in your company. For more measures to prevent data leakage, you can refer to the list below. Companies can also refer to other international guidelines such as the ISO/IEC 27001 for the controls that can be put in place to manage information security.
Some Measures to Prevent Data Leakage
Never leave your devices unattended | Do not leave your devices unattended. For portable devices, store them securely in locked drawers to decrease the risk of hackers physically accessing your sensitive data. |
Print sensitive documents in a secure manner | Always use the secure printing option when printing documents that contain sensitive data. This adds a layer of security by prompting for a password before the document is printed. Once printed, the document is automatically deleted from the printer’s memory to eliminate the risk of sensitive information being accessed by someone else. Sensitive printouts should also be collected from the printer immediately and not left unattended. |
Non-disclosure / confidentiality agreement | A non-disclosure / confidentiality agreement serves as a contract between the organisation and employee to restrict the sharing of classified information, knowledge and materials to third parties. |
Classification of Data | Classifying and labeling data ensures that it is given the right protection. Organisation should provide a clear guideline on how employees should handle the various classified data. |
Use official communication channel and storage media | Communication of classified data should only be done using official email account instead of personal email accounts to reduce unauthorized or accidental disclosure of information. Ensure that classified data are only stored and transferred through official storage media, with regular audit check to ensure these media are accountable. |
Encrypt the data | Protect classified data stored on electronic storage media (such as hard disks, flash storage, optical discs, etc) by encrypting them with strong encryption algorithms (e.g. AES 256-bit, Twofish 256-bits). This prevents others from obtaining the content stored in the media or decrypting them easily even if the media is lost. |
Proper Disposalof Used Media | When the media (e.g. hard disk) on which classified data were stored are no longer need, exercise caution in dealing with their disposal. Improper disposal methods could result in the classified data being recovered and misused. For paper documents, shredding should be done. For optical storage media (e.g. CD/DVDs), physical destruction (i.e. destroying the optical layer of the disc) should be performed. For electronic storage medium (e.g. hard disk, thumbdrive, etc), secure erasure (i.e. repetitively overwriting the memory space with 1s or 0s); degaussing – only applicable to hard disk (i.e. process of eliminating magnetic field); or even crushing the medium to bits should be performed. |
