Digital transformation and Economy 4.0 are opening new, unintended gateways for risk, vulnerability and sabotage. A cyber-resilience strategy is quickly becoming essential for any modern organization. Implemented efficiently, it helps a company reduce not only the reputational damage but also the monetary losses associated with litigation or damages for the disclosure of confidential information. The importance of information in today's marketplace is receiving more and more attention from governments, not only through regulation but also through the creation of a new type of armed force dedicated to the security of the digital domain.
Fortunately, it is not necessary to create everything from scratch. Approaches to securing information that are effective (at least for now), business continuity practices, methods for monitoring traffic and, once an attack has occurred, ways to recover information have already been developed.
Some of these methods have been translated into Polish, while others are available only in English; much of this material, however, sits behind a so-called paywall. In my opinion, some of this knowledge should be available to the public for the common good. In this article, I will try to give at least a brief overview of effective practices whose implementation will help protect information from disclosure to unauthorized persons.
One of the better-known practices is the ISO 27001 standard. It requires management to systematically track new attack vectors and to monitor the effectiveness of the security measures already in place. In addition to tracking risks, the standard identifies their owners and the people responsible for security, and requires a comprehensive set of documentation describing how each risk will be mitigated or transferred. The effectiveness of the measures taken is assessed by periodic internal security audits, which identify areas requiring further work. If the internal audit confirms that the measures are effective, it is worth turning to external audit specialists to confirm the effectiveness of the implemented security system or to identify areas for improvement. A third-party audit may end with certification of the applicant's compliance, signalling to potential business partners that their data is in safe hands.
To implement information access control effectively, separate the problem into two groups: physical security and logical security. Physical security covers all methods of restricting access to physical copies of data, for example by designating zones closed to unauthorized persons, using locked cabinets, or enforcing a clean-desk policy.
It is also important to remember that a security system is only as strong as its weakest link. We know of cases where a company installed a fireproof, burglar-resistant door with a biometric access control system in a plasterboard wall, or where the sensitive room was on the ground floor with a window left open at night. These cases are, of course, extremes, but they show how often the approach to physical security is misunderstood.
Several general types of logical access control
One element of access control is how a user logs into the system, and whether that login grants access to files or to a database. This access can be controlled at several levels:
- Network – limiting the ability to connect to the service.
- Physical – restricting access to where the information is located.
- Functional – designating and controlling high-risk functions, such as configuration changes or access to administrative functions.
Restricting access to information applies not only to files and database functionality but also to applications and interfaces, to specific application screens and functions, and even to individual database fields, including the ability to transfer or edit that information.
Access control modes
There are four access control modes: discretionary (often rendered as "restricted" in translations), mandatory, role-based, and attribute-based.
Discretionary mode – access control is based on confirming the identity of the user and designating the scope of their access to information. A user who has been granted access may further assign it to other people or to whole entities. This mode is applied to information of the lowest importance, whose disclosure would in no way reflect negatively on the data controller.
Mandatory mode – access control is based on the sensitivity of the information processed: the groups that absolutely need the information for their work are defined, and further sharing of it with anyone else is blocked. The user has access only to selected functions and information, and every action of the user is logged. If data processed at this level is disclosed, an efficient system should be able to determine the location and cause of the leak and to limit the resulting losses.
Role-based mode – the controller defines the roles played by a user or group of users. Such roles define security groups: sets of subjects who share the same access needs. Call centres are a good example: staff turnover is high, and newly hired employees perform predetermined tasks on a narrow set of data.
Attribute-based mode – a newer approach than the role-based mode. The decision combines attributes of the user, of the requested resource and of the request itself (such as location or time), and access is refused if an anomaly is detected, such as the user connecting from the wrong location or at an unusual hour. Example: if the rule is that a user logs in from Warsaw between 8 a.m. and 5 p.m., the system will block attempts to gain access during night-time hours from the territory of another country. This only works well if the set of rules defining the users' permitted behaviour is complete and correct; a gap in the rules means either that a legitimate user is locked out or that an attacker is let through, depending on whether the system fails closed or open.
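To make the difference between the mandatory, role-based and attribute-based modes concrete, here is a small policy evaluator written as an added example for this article; it is not code from any product or standard mentioned above. All names, roles, labels and the rule "anna logs in from Poland between 08:00 and 17:00" are constructed for illustration. Each mode is a separate check, every check must allow, and a user with no behaviour profile is refused (fail closed), which is the consequence of the incomplete-rule-set caveat above.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, Set, Tuple

# Mandatory control: ordered sensitivity labels. A subject may read a resource
# only when its clearance is at least the resource's label (no read up).
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2}

# Role-based control: each role carries a fixed set of (action, resource type).
# Roles and permissions are constructed for this example.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "agent": {("read", "ticket"), ("update", "ticket")},
    "supervisor": {("read", "ticket"), ("update", "ticket"), ("export", "ticket")},
}


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    clearance: str


@dataclass(frozen=True)
class Resource:
    rtype: str
    label: str


@dataclass(frozen=True)
class Environment:
    country: str   # ISO country code; assumed to be supplied by the access gateway
    at: datetime   # local time of the request


@dataclass(frozen=True)
class AbacRule:
    countries: FrozenSet[str]
    start: time
    end: time


# Attribute-based control: per-user allowed countries and working hours.
# Constructed sample: anna may log in from Poland between 08:00 and 17:00.
ABAC_RULES: Dict[str, AbacRule] = {
    "anna": AbacRule(frozenset({"PL"}), time(8, 0), time(17, 0)),
}


def make_env(country: str, hour: int, minute: int = 0) -> Environment:
    """Build a request environment on a fixed sample date (helper for demos/tests)."""
    return Environment(country, datetime(2024, 3, 4, hour, minute))


def rbac_allows(subject: Subject, action: str, resource: Resource) -> bool:
    return any((action, resource.rtype) in ROLE_PERMISSIONS.get(role, set())
               for role in subject.roles)


def mac_allows(subject: Subject, resource: Resource) -> bool:
    return LEVELS[subject.clearance] >= LEVELS[resource.label]


def abac_allows(subject: Subject, env: Environment,
                rules: Dict[str, AbacRule]) -> Tuple[bool, str]:
    rule = rules.get(subject.user)
    if rule is None:
        # Fail closed: a user without a behaviour profile gets no access.
        return False, "abac: no rule for user"
    if env.country not in rule.countries:
        return False, f"abac: country {env.country} not allowed"
    if not (rule.start <= env.at.time() <= rule.end):
        return False, f"abac: {env.at.time():%H:%M} outside allowed window"
    return True, "abac: ok"


def decide(subject: Subject, action: str, resource: Resource, env: Environment,
           rules: Dict[str, AbacRule] = ABAC_RULES) -> Tuple[bool, str]:
    """Evaluate RBAC, then MAC, then ABAC; every layer must allow (default deny)."""
    if not rbac_allows(subject, action, resource):
        return False, f"rbac: role(s) {sorted(subject.roles)} may not {action} {resource.rtype}"
    if not mac_allows(subject, resource):
        return False, f"mac: clearance {subject.clearance} below label {resource.label}"
    ok, reason = abac_allows(subject, env, rules)
    if not ok:
        return False, reason
    return True, "allow"


if __name__ == "__main__":
    anna = Subject("anna", frozenset({"agent"}), "internal")
    ticket = Resource("ticket", "internal")
    secret = Resource("ticket", "confidential")
    for args in [
        (anna, "read", ticket, make_env("PL", 10, 30)),   # office hours, Poland
        (anna, "read", ticket, make_env("DE", 2, 15)),    # night, abroad
        (anna, "export", ticket, make_env("PL", 10, 30)), # role lacks export
        (anna, "read", secret, make_env("PL", 10, 30)),   # clearance too low
    ]:
        print(decide(*args))
```

The denial reason names the layer that refused, which is what the logging requirement of the mandatory mode and the leak-tracing requirement above depend on; in a real deployment the reason would be written to an audit log rather than printed.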
Data classification policy
At a high level, the data classification policy provides a framework for protecting information. It is the basis for the specific policies, procedures and controls needed to protect confidential data.
The scope clarifies whether the policy applies to all information systems in the organization, or whether there are certain exceptions.
Roles and responsibilities:
Identify the key actors in the organization who will be involved in developing the policy, educating stakeholders on security best practices, identifying information risks, implementing and updating controls, and ensuring compliance with the information classification policy.
Data classification categories
This is a detailed definition of the categories into which all data will be classified (e.g., Confidential vs. Public), specifying which types of data fall into each category. For example, in a government agency, confidential data includes criminal-justice information collected by police departments (e.g., criminal records), while public information includes any data that may be released, such as reports on the performance of government functions. This section should also describe how confidential information is handled, transferred or processed.
Data classification, security policy and risk analysis are interrelated functions that an organization implements to enhance security.
The data classification policy expresses the organization’s tolerance for risk.
The security policy defines how the organization wants to approach data security to detect and prevent the compromise of information through misuse of data, networks, computer systems and applications.
Risk analysis helps the organization determine how to best protect organizational assets (including valuable information) while balancing business objectives and resource constraints.
- First, evaluate what you want to protect, only then secure it.
- Base classifications on your organization’s specific criteria and privacy requirements after a thorough regulatory assessment.
- Apply the principle of least privilege: a user should have access only to the information and resources they need to do their job.
- Use automation technology to simplify classification by quickly analyzing and grouping data based on established guidelines.
- Identify and understand the profile of the data processed. Your policy should answer questions such as where and by whom the data was collected, where it is stored, who is responsible for confirming its accuracy, and who manages it within the organization.
- Set clear, measurable goals for what your policy will cover and achieve, in line with your company's purpose and values.
- Establish rules for assigning responsibilities and ensure accountability.
- Keep the policy simple, with as few classifications as possible.
- Review your policy at least once a year to stay up to date with all the internal and external changes.