OWASP Core Rule Set
Often and not without reason, people realize that the adequately secure handling of purely business-related information and records is one of the more herculean core-tasks of information security. But: No business can afford to not think about it. This because the amount of data a business has to deal with keeps growing extraordinarily fast. And also because data and records are more often than not handled in a mostly unstructured way. However, business information as well as records are in critical need of protection and, also, businesses have to observe legal and regulatory prerequisites when it comes to storage and revision-proofing of said data.
A short note: Even if the following few sentences are only tangentially related to the subject at hand, they are interesting in the way that they can lead us to at least one interesting conclusion concerning the main body of this article.
A study conducted by the IDC (International Data Corporation) measures the annual data growth in numbers. The 2014 report offers a projection of the digital universe of the year 2020. At that time, the term Big Data is considered to be a fait accompli.
But, this, as mentioned, just as a side note.
The big problem for businesses is in our current context not the extreme amount of data but the fact that, according to the IDC study, up to 80 percent of all data is being stored in unstructured form.
The accumulation of information and records leads to the following starting point:
In addition to that:
In this article, I want to only look at the relevant information and records in a business, premising that they have been identified. This article is about showing, how business critical information and records can be handled in an organized manner with the concept of a life cycle management concept. This means, the focus when handling said data should be on Security and Compliance. The organizational anchoring of the subject on the governance level is a crucial point in order to lay the groundwork for protection of business information and records that is both compliant with legal and business requirements.
The following should therefore be a simple overview, which covers basic aspects from an organizational point of view in order to protect data and records and should be treated as such. It also shows the boundaries and frameworks are regularly encountered.
|Basics of Information and record protection||Information Life Cycle and Information Gathering (and their identification)|
|Basics of data, information and records protection from a legal point of view.|
|Basics and protection concepts of data and records security in both the electronic and physical world|
|Tasks and responsibilities||Data Ownership|
|Management of the records and data|
|Tasks and function of archiving|
In Switzerland there are various legal prerequisites that have more or less of an impact or relation to the organization of information and records in a business.
|Law / Article||Subject||Content|
|OR 957a||Rightful Accounting|
|OR 958||Duty of Disclosure|
|OR 717||Duty of Care and Fidelity|
|OR 957 ff.||Duty to write and keep business records|
|The complete, truthful and systematic compilation of all occurrences in a business.|
|Proof of every single booking procedure.|
|The Readability thereof|
|The practicability when taking into account the nature and size of the business|
|OR 962||Duration of archival period (10 years).||Not keeping and archiving the records is punishable under article 325 of the Swiss Penal Code, known as the Strafgesetzbuch or StGB.|
|The archiving duration of 10 years is to be understood as a minimum amount of time, due to the fact that there are special legal timeframes set (i.e. Art. 70 Abs. 3 MwStG, Art. 116 Abs. 3 UVV) that dictate a longer period of time and then there’s business interests that justify a longer period of record keeping|
|OR 963||Duty of Publication (electronic documents must be legible at all times for evidence)|
|DSG Article 7||Duty to protect personal data requiring special protection against unauthorized access and manipulation by means of technological and organizational tools|
|VDSG Article 8 – 11||The fourth paragraph, technical and organizational means, describes what is to be understood by technical and organizational means.|
|Geschäftsbücherverordnung; GeBüV (No English translation available)||Decree over the keeping and archiving of business records (Geschäftsbücherverordnung; GeBüV)|
|Verordnung des EFD über elektronische Daten und Informationen EFD-I||This decree governs the technical, organizational and procedural requirements when it comes to power of evidence and the control of electronic or similarly generated data and information according to articles 122-124 MWSTV|
|Art. 13 der Bundesverfassung||Decrees that every person has the right that his or her privacy and their family life is respected, as is their place of residence, their postal and communication traffic and they are protected against misuse of their personal data|
|Special Laws||Further laws and legal regulations in special cases: Bank law (no English translation available), money laundering law, stock market law|
Add to that various internal regulations that should be established in a business:
There are numerous Data Life Cycle Models (DLM) which all contain the basic four phases that can be expanded on when needed. The protection of business information and records has to be based on all the defined phases of the DLM. This means, for every phase there has to be a corresponding measure and mode of behaviour.
|Usage||Usage||Every acquisition and establishing of access to business information and records.|
|Input||Input||Every form of active editing of business information and records, especially analysis and editing.|
|Storage||Saving||Every form of keeping and archiving and storing of business information and records on any sort of storage device during the phase|
|Archiving||Every form of tamper-proof archiving of business information and records after the project has concluded until the data’s destruction|
|Output||Output||Forwarding and Publication: Every form of publication and transmission of business information and records to another internal or external person or office or system.|
In order to differentiate between relevant business information and records and other data, the definitions of these terms have to be clearly outlined. There are many context dependent definitions of the following terms, which differentiate between locations of looking them up. It is therefore of great importance that the characteristics of the definitions are based on the reality of the business, due to the relevance of context. Here’s a simplified attempt at a definition.
|Data||Data is being represented as binary values in electronic systems|
|As unstructured objects such as images built from singular pixels or as a set of characters with a defined syntax such as a letter or a number|
|Information||Following the definition of data, information is data with additional context||For example: A data set is structured and can be automatically analyzed. A text file is often weakly structured. A picture on the other hand is – for example – unstructured and can’t be automatically analyzed without further effort|
|This means: From data, there can be information gathered. Using the same data, people or systems can gain very different information.|
|Business Information and Records||Business information: all messages and data that contain an expression and indications that concern the business of a company||Business records or information legally document an agreement or deal|
|Business records or information contain a legally true and unaltered information|
|A business record or information is identified by the signature of its author and authenticates its content.|
|A business record or information represents a value (asset)|
|A business record or information could be: Accounting Book, receipts, correspondence as well as all data containers (paper, hard drives, USB sticks, SD cards, CD Rom, DVD, etc.) that contain writings or images, acoustic or other digital data and information, that are elicited during business, edited, forwarded and publicized, especially e-mail.|
Once the terminological definitions and the meanings are defined and documented, it quickly becomes apparent that this business relevant information can be found everywhere in a business. This means that the duties connected with the basic protection of this information should fall on all employees on every level of the company hierarchy. Each member of staff of a business should be directly responsible for the right treatment and the protection of information and records that are in their scope of influence.
This fact cannot be stressed upon enough. In fact, it should be anchored in the business guidelines and be taught and refreshed on a regular basis. During these teaching sessions, it’s of vital importance to rely heavily on situations that mirror the daily occurrences in the business and provide illustrative material from mainstream media, where there’s basically reports every day that chronicle misuse of critical business information.
|Need to know und Access Rights||Information and records should only be accessible by people, places and systems that have direct need due to their function in a business|
|Access to collections of information, files and archives should be restricted using appropriate means such as keys, passwords etc. Access should only be granted to authorized personnel|
|Necessity and Earmarking||Information and Records should only be elicited, forwarded, edited and published as is needed to fulfill the business’ needs.|
|Classification||Classification of information regarding confidentiality, integrity and availability as well as liability|
|Validity and Completeness||Special attention is to be paid to the validity and completeness of the business information and records. This means that the records and information are true and complete in regards to their purpose in the business at the moment of their editing. The validity and completeness should be verified upon repeated editing and the files and records should be kept up to date.|
|Adequate management of records||Business records should be systematically managed at all times. This includes storage, archiving, destruction and deletion according to the DLM. It is also advisable to make sure that the information is retrievable after elicitation and editing, especially if the data grows a lot. (Examples: Metadata / Flags / Tags in a document management system)|
|Binding originals|| Originals of contracts are to be kept in a secure archive. The should be especially marked to avoid confusion. |
Status 1: Active
Status 2: Inactive, time of safekeeping in archive, date of destruction etc.
|Safekeeping and Archiving||Business records that are not actively edited anymore should be separated from productive data and files. This means that they should be put into an archive or destroyed immediately. During this, the directions of the data owner are to be respected.|
|The archiving term of the business records should be reflecting the law or the binding contract. Or, when there is no legal dictate, by decision of the data owner|
|Legal texts, booking receipts and business correspondence have to be kept on file for ten years (OR 962).|
For each identified collection of information there should be a data owner who gets officially named. In addition to that, an archive owner should also be named. In this context, a collection of information is considered to be an amount of business information and records that is limited and displayed by certain criteria and is usually organized by a system (i.e. a chronology).
The data owner should be responsible for the treatment and the protection of the business information and the records that have been collected in the collection of information that was entrusted to him. This means that he is responsible for the organizational and technical management of the files that are contained in said collection.
|Data owner||Definition of classification|
|Implementation of higher security standards if needed|
|Clearance to have the files destroyed|
|Access rights based on a _need to know_-principle|
|Compilation of Handling Guide (Vademecum, or definition of the rules of management of the records for the collection of information) in accordance with the CISO|
|Handling Guide||Definition of type of records and files in the collection.|
|Viewing and access rights to the kind of data (physical or electronic)|
|Type of storage (electronic or physical)|
|Classification of confidentiality and higher requirements towards availability and integrity of the individual kinds, the duration of archival as well as the location of the archive for each individual kind of data.|
|The annual check of the Handling Guide to see if it’s still up to date.|
|Archive owner||The coordination and surveillance of the physical and electronic archival of the business records.|
|Systematic organization of the archive including its inventory|
|Guarantee that files and records can be found if requested (Duty of Edition).|
|Definition of how people’s access to the files is recorded. These logs are to be handled and kept under the same article of law (GeBüV, article 8) as business records.|
|Definition of how the files can be added or temporarily removed from the archive. These logs are to be handled and kept under the same article of law (GeBüV, article 8) as business records.|
|Destruction and deletion of archived records and information after their archival period has expired|
With this, the organizational basis of business information and records – at least in an abstract form – is covered. Of course, it would make this article way over length if we would work out all the concrete steps needed that are de facto necessary to get from this overview to an established culture of secure handling of relevant business data that is autonomously running in the business. I simply attempted to elaborate on some frameworks, aspects, subject and possible points of action and give some food for thought in order to better protect very specific business information from an organizational point of view.
Still, it remains a huge challenge, to differentiate between data and information that has business relevancy and are subject to legal and regulatory prerequisites and – let’s call it by its slightly disrespectful name – garbage data.
You could even go as far as to think about the possible need of something that could be called a Data Waste Officer in a security environment. A person who makes sure that we digital messies to add some kind of system to the disorganized compulsive hoarding of data and to come up with suggestions and measures to contain, reduce and structure the data flood in order to bring success to the attempt to identify, secure and organize information assets in need of protection.
Our experts will get in contact with you!
Our experts will get in contact with you!
Further articles available here