Identify and Classify Assets
171
make mistakes. Many times, people get accustomed to handling sensitive information and become lackadaisical with protecting it.

For example, it was reported in 2011 that the United Kingdom’s Ministry of Defense mistakenly published classified information on nuclear submarines, in addition to other sensitive information, in response to Freedom of Information requests. They redacted the classified data by using image-editing software to black it out. However, anyone who tried to copy the data could copy all the text, including the blacked-out data.
Another common occurrence is the loss of control of backup tapes. Backup tapes should be protected with the same level of protection as the data that is backed up. In other words, if confidential information is on a backup tape, the backup tape should be protected as confidential information. However, there are many cases where this just isn’t followed. As an example, TD Bank lost two backup tapes in 2012 with more than 260,000 customer data records. As with many data breaches, the details take a lot of time to come out. TD Bank reported the data breach to customers about six months after the tapes were lost. More than two years later, in October 2014, TD Bank eventually agreed to pay $850,000 and reform its practices.
More recently, improper permissions for data stored in Amazon Web Services (AWS) Simple Storage Service (S3) exposed dozens of terabytes of data. AWS S3 is a cloud-based service, and the U.S. government’s Outpost program openly collected the data from social media and other internet pages. Scraping the web for data and monitoring social media isn’t new. However, this data was stored in an openly accessible archive named CENTCOM. The archive wasn’t protected with either encryption or permissions.
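The two controls the CENTCOM archive lacked, permissions and encryption, can be checked mechanically. The following is an added example, not part of the original text or of any AWS tooling: it audits two constructed bucket descriptions (an open archive beside a hardened one) whose field shapes are assumed to mirror what the S3 GetPublicAccessBlock, GetBucketPolicy and GetBucketEncryption APIs return; the bucket names and the account ID are placeholders, and nothing here contacts AWS.

```python
import json

# Constructed sample: an archive left open, as the passage describes.
# Bucket name and account ID are placeholders, not real resources.
OPEN_ARCHIVE = {
    "name": "example-open-archive",
    "public_access_block": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-open-archive/*"}]}),
    "default_encryption": None,
}

# Constructed sample: the same archive with permissions and encryption in place.
HARDENED_ARCHIVE = {
    "name": "example-hardened-archive",
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/archive-reader"},
         "Resource": "arn:aws:s3:::example-hardened-archive/*"}]}),
    "default_encryption": "aws:kms",
}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_public_principal(principal):
    """True when a policy statement's Principal means 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def audit_bucket(bucket):
    """Return the findings that would make this bucket an open archive."""
    findings = []
    pab = bucket.get("public_access_block") or {}
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("public access block not fully enabled")
    policy = json.loads(bucket["policy"]) if bucket.get("policy") else {}
    for stmt in policy.get("Statement", []):
        # An unconditional Allow to "*" is an anonymous grant.
        if (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                and _is_public_principal(stmt.get("Principal"))):
            findings.append("policy grants %s to anyone" % stmt.get("Action"))
    if not bucket.get("default_encryption"):
        findings.append("no default encryption at rest")
    return findings
```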
Policies and procedures need to be in place to ensure that people understand how to handle sensitive data. This starts by ensuring that systems and media are labeled appropriately.
Additionally, as President Reagan famously said when discussing relations with the Soviet Union, “Trust, but verify.” Chapter 17, “Preventing and Responding to Incidents,” discusses the importance of logging, monitoring, and auditing. These controls verify that sensitive information is handled appropriately before a significant loss occurs. If a loss does occur, investigators use audit trails to help discover what went wrong. Any incidents that occur because personnel didn’t handle data appropriately should be quickly investigated and actions taken to prevent a reoccurrence.