Cybersecurity Risk Management: NIST CIS
Data Management Policy
Purpose
Managing data within an enterprise includes data classification, inventory, handling, retention, and disposal. The Data Management Policy provides the processes and procedures for governing data within Murdock’s Services. This includes creating a data inventory and classifying data based on sensitivity. It also sets out procedures for protecting data from unauthorized access or modification, along with appropriate methods for how users should handle their data during their day-to-day work activities. Finally, authorized methods to destroy and remove data from the enterprise are discussed.
Responsibility
Murdock’s Services is responsible for managing the client’s data as this information is housed on business computers primarily maintained by Murdock’s Services. Information owners are responsible for coordinating data maintenance activities with Murdock’s Services.
Murdock’s Services has the responsibility to protect the data associated with its role from unauthorized access and disclosure. Murdock’s Services is also responsible for informing all users of their responsibilities for protecting the data entrusted to them.
Exceptions
Exceptions to this policy are likely to occur. Requests for exception must be made in writing and must contain:
The reason for the request,
Risk to the enterprise of not following the written policy,
Specific mitigations that will not be implemented,
Technical and other difficulties, and
Date of review.
Policy
Data Acquisition
The Data Acquisition Policy focuses on acquisition security by implementing rigorous safeguards to protect data integrity and confidentiality throughout the acquisition process.
Key elements include ensuring that all data is obtained from authenticated and approved sources, thereby minimizing risks of data tampering or unauthorized access.
The policy mandates the use of secure protocols, such as SSL/TLS, for data transmission, coupled with encryption for sensitive data, both in transit and at rest.
Access controls are strictly enforced, requiring that only authorized personnel can initiate data acquisition, complementing this with multi-factor authentication where feasible.
Logging and monitoring mechanisms are established to track all acquisition activities, enabling real-time detection of anomalies and facilitating comprehensive audits.
Regular risk assessments and security training for employees are mandated to ensure awareness of potential vulnerabilities and best practices in data handling.
This proactive approach to acquisition security not only fortifies Murdock’s Services’ data assets but also aligns with recognized frameworks such as NIST and CIS, ensuring compliance with regulatory requirements and strengthening the overall organizational cybersecurity posture.
Data Inventory
IT must conduct an inventory of data on an annual basis.
All sensitive data must be marked accordingly in the data inventory.
A data owner must be associated with all data tracked within the inventory.
Data with specific data retention needs must be labeled accordingly.
All data owners are required to contact Murdock’s Services upon the creation of, or obtaining, sensitive data to ensure the data is tracked within the data inventory.
Data Classification
Murdock’s Services must establish and enforce labels for sensitive data.
Murdock’s Services must review data classification labels and their usage on an annual basis.
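The inventory and classification rules above can be checked mechanically. The following is an added example, not Murdock’s Services’ own tooling: a small validator that audits inventory records for a missing owner, an unknown classification label, sensitive data without a sensitive label, retention needs without a retention label, and entries not reviewed within the last year. The record field names, the label set, and the sample records are assumptions constructed for the example.

```python
# Added example, not part of the Murdock's Services policy: a validator that
# audits data inventory records against the inventory and classification rules.
# Field names, label names and the sample records are assumptions.
from datetime import date, timedelta

# Assumed label set; the policy only requires that labels exist and be enforced.
CLASSIFICATION_LABELS = {"Public", "Internal", "Confidential", "Restricted"}
SENSITIVE_LABELS = {"Confidential", "Restricted"}
REVIEW_INTERVAL = timedelta(days=365)  # annual inventory and label review

# Constructed sample records (hypothetical asset names, owners and dates).
SAMPLE_INVENTORY = [
    {"asset": "crm-db", "owner": "j.doe", "classification": "Confidential",
     "sensitive": True, "retention_required": True, "retention": "7y",
     "last_reviewed": date(2024, 3, 1)},
    {"asset": "marketing-site", "owner": "a.lee", "classification": "Public",
     "sensitive": False, "retention_required": False, "retention": None,
     "last_reviewed": date(2024, 3, 1)},
    {"asset": "hr-exports", "owner": None, "classification": "Secret",
     "sensitive": True, "retention_required": True, "retention": None,
     "last_reviewed": date(2022, 1, 1)},
]


def validate_record(rec, today):
    """Return the list of policy findings for one inventory record."""
    findings = []
    if not rec.get("owner"):
        findings.append("no data owner associated with the record")
    label = rec.get("classification")
    if label not in CLASSIFICATION_LABELS:
        findings.append(f"unknown classification label {label!r}")
    if rec.get("sensitive") and label not in SENSITIVE_LABELS:
        findings.append("sensitive data is not marked with a sensitive label")
    if rec.get("retention_required") and not rec.get("retention"):
        findings.append("data with retention needs has no retention label")
    if today - rec["last_reviewed"] > REVIEW_INTERVAL:
        findings.append("record not reviewed within the last year")
    return findings


def audit_inventory(records, today=None):
    """Map each non-compliant asset to its findings; compliant assets are omitted."""
    today = today or date.today()
    report = {}
    for rec in records:
        findings = validate_record(rec, today)
        if findings:
            report[rec["asset"]] = findings
    return report


if __name__ == "__main__":
    for asset, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(asset)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed records, only hr-exports is reported, with five findings; the two compliant records produce none. Running such a check before the annual review gives the reviewer a worklist rather than a spreadsheet to read line by line.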
Data Protection
Murdock’s Services must configure access control lists on enterprise assets in accordance with each user’s need to know. This includes laptops, smartphones, tablets, centralized file systems, remote file systems, databases, and all applications.
Sensitive data must be encrypted on all user devices.
Data Handling
Murdock’s Services has developed and maintains a written data retention plan.
All data and documents must be preserved for the appropriate amount of time as dictated by regulatory, legal, and business requirements.
Data Disposal
Murdock’s Services, or other authorized parties, must destroy data that have outlasted their specified retention timeframes.
All users are required to contact Murdock’s Services before disposing of sensitive data.
Non-sensitive data may be disposed of without speaking to Murdock’s Services via common destruction methods (e.g., trash, commonplace deletion from a computer system).
Sensitive data destruction must be performed in a manner that preserves confidentiality.
Reports, correspondence, and other printed media:
Shredding – Documents must be shredded using NIST-approved cross-cut shredders,
Shredding Bins – Disposal must be performed using locked bins located on-site and a NIST-approved shredding service, or
Incineration – Materials are physically destroyed using a NIST-approved incineration service.
Portable Media (e.g., Solid State Drives (SSDs), digital video discs (DVDs), universal serial bus (USB) data storage devices):
Physical Destruction – Complete destruction of media by means of shredding, crushing, or disassembling the asset and ensuring no data can be recovered.
Hard Disk Drives (HDDs) and other magnetic media, including printer and copier hard drives:
Overwriting – Using a program to write binary data sector by sector onto the media, or
Physical Destruction – Crushing, disassembling, or degaussing the asset to ensure no data can be extracted or recreated.
Tape Cartridges
Degaussing – Using strong magnets or electric degaussing equipment to magnetically scramble the data on the tape into an unrecoverable state, or
Physical Destruction – Complete destruction of the tapes.
Third-party service provider systems (e.g., cloud services) must be disposed of by first requesting the appropriate methods to permanently delete data stored in their systems, and then performing those actions according to the received instructions.
All destruction of data must be logged in the data inventory, when applicable.
Murdock’s Services must obtain proof of destruction if using a third-party disposal contractor.
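The overwriting method listed for magnetic media and the requirement to log every destruction in the data inventory can be combined into one procedure. The following is an added example, not the policy’s own procedure: it overwrites a media image sector by sector, reads the media back to verify that no sector still holds original data, and appends a destruction record that the inventory can reference. The sector size, the log format, the file paths, and the asset identifier are assumptions; the example runs on a temporary file of random bytes constructed inline, whereas a real drive would be opened by its device path and requires elevated privileges.

```python
# Added example, not the policy's own procedure: sanitize a disk image by
# overwriting it sector by sector, verify the result, and record the
# destruction in a log that the data inventory can reference. Sector size,
# log format, paths and the asset id are assumptions.
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR_SIZE = 512  # assumed logical sector size


def overwrite_sectors(path, pattern=b"\x00", passes=1):
    """Write `pattern` over every sector of the media, `passes` times.
    The final partial sector is handled so the file size does not change.
    Returns the number of sectors written per pass."""
    size = os.path.getsize(path)
    sectors = (size + SECTOR_SIZE - 1) // SECTOR_SIZE
    block = (pattern * SECTOR_SIZE)[:SECTOR_SIZE]
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            for i in range(sectors):
                remaining = size - i * SECTOR_SIZE
                f.write(block[:min(SECTOR_SIZE, remaining)])
            f.flush()
            os.fsync(f.fileno())  # push the write through the OS cache
    return sectors


def verify_overwritten(path, pattern=b"\x00"):
    """Read the media back and confirm every byte matches the pattern."""
    with open(path, "rb") as f:
        while chunk := f.read(SECTOR_SIZE):
            if chunk != (pattern * SECTOR_SIZE)[:len(chunk)]:
                return False
    return True


def log_destruction(log_path, asset_id, method, sectors, verified):
    """Append one JSON line per destruction event and return the entry."""
    entry = {
        "asset": asset_id,
        "method": method,
        "sectors": sectors,
        "verified": verified,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def sanitize_and_log(media_path, asset_id, log_path):
    """Overwrite, verify, then log; the entry records whether verification passed."""
    sectors = overwrite_sectors(media_path)
    verified = verify_overwritten(media_path)
    return log_destruction(log_path, asset_id, "overwrite", sectors, verified)


def demo():
    """Run the procedure on a constructed image: 16 full sectors plus 100 bytes."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "media.img")
        with open(img, "wb") as f:
            f.write(os.urandom(SECTOR_SIZE * 16 + 100))  # partial last sector
        before = verify_overwritten(img)  # random content: expected False
        log = os.path.join(d, "destruction.log")
        entry = sanitize_and_log(img, "asset-0001", log)  # hypothetical asset id
        return before, entry
```

The verification read-back is the part worth keeping: a log entry that says "overwritten" without a read-back proves nothing to an auditor. Note that the policy lists overwriting only for HDDs and other magnetic media; for SSDs it requires physical destruction, because wear levelling can leave cells an overwrite never reaches.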