
Formal Access Approval

Formal access approval is documented approval from the data owner for a subject to access certain objects, requiring the subject to understand all of the rules and requirements for accessing data, and consequences should the data become lost, destroyed, or compromised.

Note: When accessing North Atlantic Treaty Organization (NATO) information, the compartmented information is called “NATO Cosmic.” Not only would a user be required to have the clearance to view NATO classified information, they would also require formal access approval from the NATO security official (data owner) to view the Cosmic compartmented information. Note that compartments are a testable concept, but the name Cosmic compartment itself is not testable.

Need to Know

Need to know refers to answering the question: does the user “need-to-know” the specific data they may attempt to access? It is a difficult question, especially when dealing with large populations across large IT infrastructures. Most systems rely on least privilege and require the users to police themselves by following policy and only attempting to obtain access to information that they have a need-to-know. Need to know is more granular than least privilege: unlike least privilege, which typically groups objects together, need-to-know access decisions are based on each individual object.
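The two sections above describe three layered checks: clearance, formal access approval per compartment, and need to know per object. The following is an added example (not from the study guide) that puts those checks into one access-decision function. The level names, the sample subjects and objects, and the helper names `clearance_dominates`, `has_formal_access_approval`, `has_need_to_know` and `access_decision` are all constructed for illustration; the compartment name "COSMIC" is used only because the text mentions it.

```python
"""Added example: layered access decision (clearance, formal access approval,
need to know). Names, levels and sample data are constructed for illustration."""
from dataclasses import dataclass

# Ordered classification levels; a higher index dominates a lower one.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                               # one of LEVELS
    formal_approvals: frozenset = frozenset()    # compartments the data owner approved


@dataclass(frozen=True)
class Object:
    name: str
    classification: str                          # one of LEVELS
    compartments: frozenset = frozenset()        # e.g. {"COSMIC"}
    need_to_know: frozenset = frozenset()        # subjects with a documented need for THIS object


def clearance_dominates(subject: Subject, obj: Object) -> bool:
    # Level check only: being cleared for SECRET says nothing about compartments.
    return LEVELS.index(subject.clearance) >= LEVELS.index(obj.classification)


def has_formal_access_approval(subject: Subject, obj: Object) -> bool:
    # Every compartment on the object needs a documented approval from its
    # data owner; clearance for the level alone is not enough (the Cosmic case).
    return obj.compartments <= subject.formal_approvals


def has_need_to_know(subject: Subject, obj: Object) -> bool:
    # Decided per individual object, not per group of objects: this is what
    # makes need to know more granular than least privilege.
    return subject.name in obj.need_to_know


def access_decision(subject: Subject, obj: Object) -> tuple[bool, str]:
    """Return (allowed, reason). All three checks must pass, in order."""
    if not clearance_dominates(subject, obj):
        return False, "clearance does not dominate classification"
    if not has_formal_access_approval(subject, obj):
        missing = sorted(obj.compartments - subject.formal_approvals)
        return False, f"no formal access approval for compartment(s): {missing}"
    if not has_need_to_know(subject, obj):
        return False, "no need to know for this object"
    return True, "allowed"


# Constructed sample data.
ALICE = Subject("alice", "TOP SECRET", frozenset({"COSMIC"}))
BOB = Subject("bob", "TOP SECRET")            # cleared for the level, no compartment approval
CAROL = Subject("carol", "SECRET", frozenset({"COSMIC"}))

# PLAN_A and PLAN_B carry the same level and compartment (least privilege would
# group them together), but need to know is decided object by object.
PLAN_A = Object("plan-a", "SECRET", frozenset({"COSMIC"}), frozenset({"alice"}))
PLAN_B = Object("plan-b", "SECRET", frozenset({"COSMIC"}), frozenset({"bob"}))
MEMO = Object("memo", "TOP SECRET", frozenset(), frozenset({"alice", "carol"}))


if __name__ == "__main__":
    for s in (ALICE, BOB, CAROL):
        for o in (PLAN_A, PLAN_B, MEMO):
            allowed, why = access_decision(s, o)
            print(f"{s.name:6} -> {o.name:7}: {'ALLOW' if allowed else 'DENY '} ({why})")
```

Running it shows the distinctions the text draws: Bob is cleared for TOP SECRET yet is denied both plans because he lacks formal access approval for the COSMIC compartment (and is denied PLAN_B even though he is on its need-to-know list); Alice holds the approval but is still denied PLAN_B, an object at the same level and compartment as PLAN_A, because need to know is evaluated per object; Carol fails on the clearance check alone for the memo.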

Sensitive Information/Media Security

Though security and controls related to the people within an enterprise are vitally important, so is having a regimented process for handling sensitive information, including media security. This section discusses concepts that are an important component of a strong overall information security posture.

Sensitive Information

All organizations have sensitive information that requires protection, and that sensitive information physically resides on some form of media. In addition to primary storage, backup storage must also be considered. It is also likely that sensitive information is transferred, whether internally or externally, for use. Wherever the data exists, there must be processes that ensure the data is not destroyed or inaccessible (a breach of availability), disclosed (a breach of confidentiality), or altered (a breach of integrity).

Handling

People handling sensitive media should be trusted individuals who have been vetted by the organization. They must understand their role in the organization’s information security posture. Sensitive media should have strict policies regarding its handling. Policies should require the inclusion of written logs detailing the person responsible for the media. Historically, backup media has posed a significant problem for organizations.

Storage

When storing sensitive information, it is preferable to encrypt the data.

Encryption of data at rest greatly reduces the likelihood of the data being disclosed in an unauthorized fashion due to media security issues. Physical storage of the media containing sensitive information should not be performed in a haphazard fashion, whether the data is encrypted or not. Care should be taken to ensure that there are strong physical security controls wherever media containing sensitive information is accessible.

Retention

Media and information have a limited useful life. Retention of sensitive information should not persist beyond the period of usefulness or legal requirement (whichever is greater), as it needlessly exposes the data to threats of disclosure when the data is no longer needed by the organization. Keep in mind there may be regulatory or other legal reasons that may compel the organization to maintain such data beyond its time of utility.