Page069
Data Controllers and Data Processors
Data controllers create and manage sensitive data within an organization. Human resources employees are often data controllers: they create and manage sensitive data, such as salary and benefits data, and reports from employee sanctions.
Data processors manage data on behalf of data controllers. An outsourced payroll company is an example of a data processor. They manage payroll data (used to determine the amount to pay individual employees) on behalf of a data controller, such as an HR department.
Data Location
As stated previously, a complete and current inventory of all assets is critical. This includes tangible assets such as computers and intangible assets such as data. Do you know where all of your sensitive data (including Personally Identifiable Information) is? It may be in unexpected places. And, just like tangible assets, you can’t protect it if you don’t know you have it, which includes knowing the location of all of your sensitive data.
Strict policies should govern where sensitive data may be stored. Systems that store sensitive data should require controls such as multi-factor authentication, enhanced monitoring, strong host-based controls like HIPS (Host-Based Intrusion Protection System), and others.
We often consider the attack surface of a system, which describes all the vectors that could allow compromise. For a service-side attack, this includes open ports, listening services, enabled protocols, and so on. Considering the attack surface of data is equally important. The attack surface of data grows with each copy that exists. Many organizations possess multiple copies of the same sensitive data, and also collect too much sensitive data, as we will discuss next.
Learn by Example
Collecting Unnecessary Sensitive Data
An author’s client had the following policy for having the help desk reset a password after a user forgot it: the user could call the help desk and provide their secret word (set when the account was created), or physically visit the help desk and provide proper identification. The problem? The organization used the employee’s mother’s maiden name as the secret word. That is sensitive data. It is also weak, given that it can often be determined using Internet searches or sites such as ancestry.com. This is a common example of organizations unnecessarily collecting sensitive data. The author recommended changing the policy to use a different (non-sensitive) secret word, including reminding users to choose something unique (not used with any other system) and not discoverable via techniques such as Internet searches.
Data Maintenance
Data maintenance describes the operational process of protecting data on a day-to-day basis. The process begins when sensitive data is created and ends when it is destroyed (we will discuss data destruction shortly). This includes backup and restoration activities performed by custodians, using encryption, and monitoring proper use of data. Once policies are implemented that control where data may be stored (discussed in the previous Data Location section), detective controls should be used to detect sensitive data that is located outside of approved systems. Email is a common offender. Simple keyword searches across all storage owned by an organization (disks, storage area networks, email, etc.) can be highly effective for finding sensitive data located in policy-violating areas. Digital Rights Management (DRM) and Data Loss Prevention (DLP), discussed next, may be used during this process.
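A detective control of the kind described above, written as an added example (not code from the original text): it scans a constructed, in-memory "storage inventory" for sensitive-data patterns and reports every hit that sits outside an approved system. The approved path prefixes, the patterns and the sample file contents are assumptions made for this example.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Assumption for the example: only HR systems under /hr/ may hold sensitive data.
APPROVED_PREFIXES: Tuple[str, ...] = ("/hr/",)

# Patterns for the data types the text mentions (PII, salary, sanctions).
# The SSN pattern is deliberately simple; tune it for your environment.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "salary": re.compile(r"\bsalary\b", re.IGNORECASE),
    "sanction": re.compile(r"\b(disciplinary|sanction)\b", re.IGNORECASE),
}

# Constructed sample storage: object path -> text contents.
SAMPLE_STORAGE: Dict[str, str] = {
    "/hr/payroll/2024-q1.txt": "Employee 1042 salary 85,000 SSN 123-45-6789",
    "/mail/jsmith/inbox/fwd-bonus.eml": "FYI, her salary is 72,000 and SSN 987-65-4321",
    "/shares/marketing/campaign.txt": "Q3 campaign draft, no personal data here",
    "/shares/finance/hr-review.txt": "Disciplinary action recorded for employee 2210",
}


class Finding(NamedTuple):
    path: str
    data_types: List[str]
    approved_location: bool


def classify(text: str) -> List[str]:
    """Return the names of the sensitive data types detected in text."""
    return [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text)]


def find_policy_violations(storage: Dict[str, str],
                           approved_prefixes: Tuple[str, ...] = APPROVED_PREFIXES) -> List[Finding]:
    """Flag every object holding sensitive data that is stored outside an approved system."""
    violations: List[Finding] = []
    for path, text in storage.items():
        types = classify(text)
        if not types:
            continue  # no sensitive data, nothing to check
        approved = path.startswith(approved_prefixes)
        if not approved:
            violations.append(Finding(path, types, approved))
    return violations


if __name__ == "__main__":
    for f in find_policy_violations(SAMPLE_STORAGE):
        print(f"VIOLATION {f.path}: {', '.join(f.data_types)}")
```

In practice the same classifier would be pointed at file shares, mailboxes and SAN volumes, with findings fed to the DLP process discussed next.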