After identifying our informational assets and classifying them based on sensitivity, it is time to understand how they can be properly handled. Classification wouldn't make sense on its own if it's not manifested in the way the information is handled.


Human measures

Technology cannot do all the magic and prevent bad things from happening on its own. As the users of technology, we must first start securing ourselves by changing our behavior.

Limited and separate usage

The less you use your information with 3rd parties or the more controlled fashion you choose to do it through, will make data handling safer.

Example - while travelling, there might be a bigger need to use cash in certain countries than in others. Instead of withdrawing the necesarry cash from local ATMs whenever required, it is safer to withdraw an amount that will suffice from a known safe ATM (your own banks ATM in your country). This opens another risk, that of carrying a bigger amount of cash with you but that would be another topic.

Separating your information assets based on usage makes it easier to access them in a limited fashion.

Example - let's say you always carry your wallet around with you, containing cash, credit cards and some form of identification. For day-to-day things like going to the shop, it wouldn't make sense to carry your passport around with you if you already have a good enough form of identification. Same goes with virtual things - one would prefer to have a backup-only external HDD that will never be shared with anybody and another external HDD storing ok-to-share items like a non-sensitive photograph collection.

Personal policy for no or limited disclosure

Knowing your data and how you decided to treat it are the first two steps. The third step is to create secure habits and a mindset that follows what you decided.

Simply put, there is some data that :

  • you will always share
  • you will never share
  • you will have to share based on certain conditions - this is where disclosure is based on the need to know and context

Validating the need to know

Somebody or something just asking for your data is not enough. It is good to understand what causes the need to know that specific bit of information and how will it be used. This in turn will enable the data subject to assess whether that information should be really shared or not.

  • Why do you need this information ?
  • How will you use this information ?
  • If that information is not supplied, will this affect the way the service/product is delivered ?

Example - if a certain service like web hosting requires your national identification number to create an account, it is very normal to question their need to know. Is it really necessary that they process this information in order for them to create my account ? Providers may have their own policies that require this, but as a user, there is always the freedom to choose another provider.

Requesting information on how your data will be handled

After it has been understood and accepted that certain information must be shared for a certain service with a 3rd party, it must be decided if the 3rd party can properly handle our data.

This can be very difficult as explanations can be (and are normally) very technical and it cannot provide a clear understanding to non-technical users. One way to ease the process is to request for 3rd party assessments of the vendor, where the security posture is objectively attested.

Example - you want to purchase a subscription to a CRM (customer relation management) software where you want to add details about your customers and business. You have understood that you need to provide certain information to purchase this, like your credit card details, email address and phone number. You ask the following questions :

  • How will my data be handled ?
  • Who will have access to my data ?
  • In the eventuality of a data breach, how will I be informed that my data is compromised ?

The answers to the questions are not clear as they are formulated in a technical manner. The vendor then shows that it is ISO27001 certified (industry renowned security certification for companies). This ultimately proves that they are capable of securely handling your data.

Technical measures

Since most information handling is done digitally, technical measures are needed to securely store, process and transfer it.

Backup (preferably encrypted)

There are various ways data can be lost, regardless of the storage medium used. You can end up losing your USB stick with work documents or have your laptop stolen in a public area. Or you can even get your computer infected and your files become inaccessible.

Ideally all data (that you care about) should be backed up. Simply put, that means maintaining a copy of your data in a separate location, that would not be affected by the threat on your original data.

Backup should be preferably encrypted, to prevent others that can gain access to your data location from accessing, reading or changing it. Same goes for physical information assets (documents) - placing them in a document cover in a locked drawer would be the equivalent of encryption.

Encrypted storage

Data usually resides on one of your devices, 'waiting' to be used. If anybody else gains access to that device, the risk of having your files modified, destroyed or read by an unauthorized party is very big.

Example - if your laptop is stolen, the attacker can be prevented from actually accessing your files if full disk encryption has been implemented.

Encrypted transit

Information needs to be regularly transmitted over the internet. Whenever we log in to one of the online services that we use or whenever we type in our credit card details to shop online, that information passes the internet and can be intercepted by others.

Example - confidential information, such as credit card details should pass through an encrypted line over the internet, like VPN or over an HTTPS connection.

Access control

Access to information must be controlled based on how sensitive it is. Increasing the number of steps required to access the information makes it harder for it to be compromised. This is also known as increasing the 'authentication factor'.

  • 1 factor authentication - something you know is used to give you access to the information - e.g. a username and password are commonly used to access services like email
  • 2 factor authentication - 1 factor authentication in combination with something you have - e.g. after using your username and password, you are also required to use a one time code that you get from your bank token.
  • 3 factor authentication - 2 factor authentication combined with something you are - e.g. after using a username and password, a one time code you must know use something part of you to authenticate like the fingerprint.

Example - many banks provide its customers with internet access to their account details. To securely grant the access, the users are usually provided with a username and password and a device that will generate a one-time code, thus enforcing 2 factor authentication. An attacker can find out the username and password but it becomes more difficult to access the account as the device generating the code is also required.

Change log and notification

Even with strong access control and other measures in place, there still is a certain probability that your data will be compromised. If it could not have been prevented so far, it is useful to at least :

  • be notified when the data is compromised, changes have happened or
  • have a way of finding out what happened

Example - a typical notification mechanism is in place when transferring bigger amounts of money from your online bank account. Depending on the bank, you will either be asked to confirm the action by writing your password again, responding to an SMS or using a one-time code generated by a device.

Masking

There will always be situations where certain information is required to benefit from a service or to gain access to information where you don't necessary want to expose your information. If there is no clear need to know, then why should you ?

Example - the idea of 'masking' isn't new and

  • disposable (burner) phone - typically employed by the 'bad guys' in movies. One time use SIM card and phone are preferred when you do not want an action to trace back to you. This is not always ill intended, as it can be used for things like whistle-blowing.
  • spam email address - creating an email address used only subscription to various services or accounts that you don't really care too much
  • credit card masking - there are services offering fake credit card details that can point bank to your details. If your fake credit card details happen to be compromised, you can simply unlink them from your real details through a click.
  • IP address 'masking' through VPN/proxy - there are services that allow you to point your traffic through them, thus giving the internet the 'impression' of you connecting to other services from another location (virtual for IP address and physical based on the geolocation of the IP address)