Data is valuable and can be worth a lot to both organizations and individuals. From sensitive information to original or irreplaceable files, it is of utmost importance that you keep it secure and safe.
Securing data
Data security refers to making sure that only the people who should be able to read the data can read it.
Measures such as organizational password policies, proper user authentication and permission handling secure data.
Characteristics of secure information
| Characteristic | Description |
|---|---|
| Protected | Proper authentication methods such as passwords are used to protect information. Firewalls, anti-malware, antivirus software and other software should also be correctly updated and set to protect data. |
| Confidential | Only authorized users can read, write, delete, etc. People only have access to the things that they need to have access to. This is a requirement of the Privacy and Data Protection Act 2014. |
| Risk managed | Regular backups are made, data is handled appropriately (both digitally and physically), fire extinguishers and alarms are fitted in data centers, etc. |
Backing up data
Backups are a key component of recovery in case of an unplanned event.
For best results, backups should be consistent, made on a regular basis, and spaced a short time apart to minimize the amount of data lost if something were to happen. A good system should include:
- daily incremental backups
- end-of-week backups
- quarterly server backups
- yearly server backups
Backup strategies
The Australian Signals Directorate's Australian Cyber Security Centre, in its Essential Eight Maturity Model, states that daily backups are a necessary strategy against malware. The model defines 3 maturity levels:
| Maturity level 1 | Maturity level 2 | Maturity level 3 |
|---|---|---|
| Backups of important information, software and configuration settings are performed monthly. | Backups of important information, software and configuration settings are performed weekly. | Backups of important information, software and configuration settings are performed daily. |
| | Backups are stored offline, or online but in a non-rewritable and non-erasable manner. | Backups are stored offline, or online but in a non-rewritable and non-erasable manner. |
| Backups are stored for between one to three months. | Backups are stored for between one to three months. | Backups are stored for three months or greater. |
| | Full restoration of backups is tested at least once. | Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur. |
| Partial restoration of backups is tested on an annual or more frequent basis. | Partial restoration of backups is tested on a bi-annual or more frequent basis. | Partial restoration of backups is tested on a quarterly or more frequent basis. |
3-2-1 rule and variations
The 3-2-1 rule is a well-known backup strategy:
- 3 - Keep at least 3 copies of any important files or data, the original and two backups.
- 2 - Keep the files or data on two different media types.
- 1 - Keep one copy offsite.
Other variants include:
- 3-2-2 - keep 2 offsite copies instead of one
- 3-2-2-1 - keep one copy offsite and offline, another copy offsite and in the cloud.
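The rule and its variants can be checked mechanically against a backup inventory. The following is an added example, not part of the original notes; the `Copy` fields, the `check_backup_plan` name and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    media: str      # "disk", "tape", "cloud", ...
    offsite: bool   # held away from the primary site
    offline: bool   # not reachable over the network

def check_backup_plan(copies):
    """Return {rule: [gaps]}; an empty list means the rule is met."""
    media = {c.media for c in copies}
    offsite = [c for c in copies if c.offsite]
    base = []
    if len(copies) < 3:
        base.append(f"{len(copies)} copies, need 3")
    if len(media) < 2:
        base.append(f"{len(media)} media type(s), need 2")
    r321 = base + ([] if offsite else ["no offsite copy"])
    r322 = base + ([] if len(offsite) >= 2
                   else [f"{len(offsite)} offsite copies, need 2"])
    # 3-2-2-1 as worded on the page: one offsite copy that is offline,
    # and another, different offsite copy in the cloud.
    vaulted = {c for c in offsite if c.offline}
    cloud = {c for c in offsite if c.media == "cloud"}
    r3221 = list(r322)
    if not vaulted:
        r3221.append("no offsite copy that is also offline")
    if not cloud:
        r3221.append("no offsite cloud copy")
    if vaulted and cloud and len(vaulted | cloud) < 2:
        r3221.append("offline and cloud copies must be different copies")
    return {"3-2-1": r321, "3-2-2": r322, "3-2-2-1": r3221}

# Constructed sample inventory (hypothetical, not from the page).
PLAN = [
    Copy("file server (original)", "disk", offsite=False, offline=False),
    Copy("on-site NAS", "disk", offsite=False, offline=False),
    Copy("cloud bucket", "cloud", offsite=True, offline=False),
]
TAPE = Copy("vaulted tape", "tape", offsite=True, offline=True)

if __name__ == "__main__":
    for rule, gaps in check_backup_plan(PLAN).items():
        print(rule, "OK" if not gaps else gaps)
```

The sample plan meets 3-2-1 but not the stricter variants; adding the vaulted tape closes both gaps.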
Data disposal
Data disposal is another key part of securing data and is often enforced by law.
According to the Victorian Information Privacy Principles (IPP 4.2), organizations are required to destroy or permanently de-identify personal information if it is no longer used.
Public records
Under the Public Records Act 1973, public records cannot be destroyed unless authorized, using one of the following authorizations:
- Normal Administrative Practice (NAP)
- Retention and Disposal Authority (RDA)
- Single Instance Disposal Authority (SIDA)

Once an authorization has been issued, the information must be destroyed or de-identified, unless there is another legitimate purpose for retaining the information.
Organizations’ authority to destroy
Organizations are authorized to destroy certain records using the normal administrative practice authorization (NAP). This covers information such as:
- transitory messages - for example, calendars, personal emails
- rough working papers - for example, rough meeting notes or notes preparing correspondence
- drafts not intended for further reference
- copies retained for reference purposes only
- published material not included in the organization’s records
Destruction methods
Physical information
- Shredding
- Pulping
- Burning
Digital information
The process of deleting/overwriting digital information is called sanitization. The extent of sanitization used depends on the classification of the data.
Sanitization methods include:
- Clearing - the information is cleared from the media or overwritten and is hidden under layers of nonsensical data so it cannot be retrieved through disk or file recovery utilities.
- Purging - the information is randomized so that it is no longer readable and cannot be reconstructed.
- Degaussing - recorded data is erased through demagnetizing magnetic media.
- Destruction - the most extreme form of sanitization, which ensures that the media is drastically altered by physically destroying carriers of digital information:
  - Shredding
  - Disintegration
  - Incineration
  - Pulverization
  - Melting
Deleting data
Merely deleting data is not enough to get rid of it. Deleting data from your device doesn’t remove it completely, which is why recovery tools are still able to recover ‘lost’ or ‘damaged’ data. Hard drives that are thrown away and not properly destroyed are still sought after by scammers.
Potential strategies and recommendations are offered here.