- Foundation Topics
- Asset Security Concepts
- Identify and Classify Information and Assets
- Information and Asset Handling Requirements
- Provision Resources Securely
- Data Life Cycle
Information and Asset Handling Requirements
Organizations should establish the appropriate information and asset handling requirements to protect their assets. As part of these handling requirements, personnel should be instructed on how to mark, label, store, and destroy or dispose of media.
Handling requirements are spelled out in organizational standards and other documentation. Organizational standards and documentations must be enforced to ensure proper asset handling. Handling requirements inform custodians and users how to protect the information they use and systems with which they interact. Handling requirements dictate by classification level how information must be stored, transmitted, communicated, accessed, retained, and destroyed. Handling requirements can extend to incident management and breach notification. Handling requirements extend to automated tools, such as data loss prevention (DLP) solutions. Handling requirements should be succinctly documented in a usable format. Handling requirements compliance should be referenced in the acceptable use policy (AUP). Users should be introduced to handling requirements during the onboarding process. Handling requirements should be reinforced throughout the user life cycle.
Marking, Labeling, and Storing
Plainly label all forms of storage media (tapes, optical drives, and so on) and store them safely. Some guidelines in the area of media control are to
Accurately and promptly mark all data storage media.
Ensure proper environmental storage of the media.
Ensure the safe and clean handling of the media.
Log data media to provide a physical inventory control.
The environment where the media will be stored is also important. For example, damage could occur to magnetic media above 100 degrees Fahrenheit (38 degrees Celsius).
Media marking refers to the use of human-readable information about the media, while media labeling refers to the use of security attributes in internal data structures. Marking is usually written on the media itself so the correct media can be easily identified. Labeling is internal to the media itself. A backup tape may be marked with a server name or other identifier of the asset to which the backup belongs. If an administrator accesses the backups on the backup tape, each backup will be labeled with a descriptive name that usually includes the date, time, and type of backup. In addition, ACLs may be configured on the different backup files to limit the users who can access the backup files.
Labeling is the vehicle for communicating the assigned classification to custodians, users, and applications (for example, access control and DLP). Labels make it easy to identify the data classification. Labels can take many forms: electronic, print, audio, or visual. Labeling recommendations are tied to media type. In electronic form, the classification label should be a part of the document name (for example, Customer Transaction History_Protected). On written or printed documents, the classification label should be clearly watermarked, as well as in either the document header or footer. For physical media, the classification label should be clearly marked on the case using words or symbols.
Destruction
During media disposal, you must ensure no data remains on the media. The most reliable, secure means of removing data from magnetic storage media, such as a magnetic tape cassette, is through degaussing, which exposes the media to a powerful, alternating magnetic field. It removes any previously written data, leaving the media in a magnetically randomized (blank) state. More information on the destruction of media is given earlier in this chapter, later in the “Data Remanence and Destruction” section, and in Chapter 7, “Security Operations.”