Abstract

A data security program allows the management of data security risks and limits the organization's vulnerability to data compromise. The data security program includes data classification, risk assessment, risk mitigation strategy, controls to protect the data, monitoring and testing of the controls to verify that they are effective, and a process to continuously gather and analyze new threats and vulnerabilities. Information security controls are the technical, physical, administrative, and policy safeguards designed to protect sensitive data. As part of a defense in depth strategy, a variety of controls are necessary for a comprehensive and robust security framework. Lost or stolen laptops represent a significant source of data compromise. If sensitive data must be stored on a laptop, full-disk encryption should be used to prevent unauthorized parties from retrieving the data. The organization should evaluate all transfers of physical media containing sensitive information to discontinue unnecessary or redundant transfers. Sensitive data in transport should be encrypted. A variety of technical safeguards should be used for data security, including firewalls, intrusion detection systems, and vulnerability scanning. Sensitive data transmission should be performed only over a trusted path or medium with cryptographic controls. The organization should implement policies and processes governing the conditions under which remote access is granted and terminated, and all communications should be through a virtual private network that can provide a secure communications channel across a public network. All servers and workstations should be configured with antivirus software that is automatically updated on a daily basis with new virus definitions.
