W3C Standard for a Database Engine Within the Browser – Cool, but Will it Create More Security Holes?
The Fix for the SSL Renegotiation Flaw Has Been Finalized
Encryption Keys Will Continue to Get Bigger (Note that This Refers to RSA Asymmetric Keys – 128-bit Symmetric Keys are Still Strong)
Google Chrome Takes the Lead in Browser Sandboxing
Google Localized Search – Do You Want Google to Know Where You Are (and Have Been)?
Controls – What Kind of Armor Do We Need?
Up to this point, we have classified the types of sensitive data under our care, determined where that data lives, and documented the various channels over which it is transmitted. Now that we have found it, how do we keep it safe? The mechanisms used to protect data are controls. Controls fall into three categories:
Administrative Controls: These are policies and procedures that are designed to let everyone who comes into contact with data know what access and what actions are permissible. These have to be backed up by physical and technical controls.
Physical Controls: These are tangible protection mechanisms, such as locks, video cameras, etc. Physical security is often overlooked by IT professionals.
Technical Controls: In terms of data protection, these generally fall into two categories – access controls and encryption controls.
Access Controls are used to prevent data from being viewed, transmitted, or printed by anyone not authorized to do so.
Encryption Controls are used where we cannot control access, or as an additional control in case our access controls are not effective. If data is properly encrypted, it does not matter whether it is viewed, copied, or printed. There are two aspects to maintaining proper encryption controls – encryption strength and key management. These have been discussed in depth in other Security Corner articles.
The types of controls available will vary, depending upon the environment. The cost of controls varies greatly. Cost is sometimes measured in terms of dollars (or Rand, etc.), but more importantly, the cost of a control must be measured in terms of the effort required to implement it and the amount of inconvenience it imposes on those who use the system.
The details of these controls are beyond the scope of this article. They have been the focus of past articles and will certainly be the focus of future articles. The important point in terms of our Information Management Plan is to determine what controls are available and which ones have acceptable costs.
In Part 7 of this series, we will take the three types of information we have gathered – data classifications, data locations and transmission channels, and controls, and use them to generate a matrix. From that matrix, we will generate information protection policies.
Dennis H in West Virginia, US
January 11, 2010