Show
The primary goal of information security is to protect the fundamental data that powers our systems and applications. As companies transition to cloud computing, the traditional methods of securing data are challenged by cloud-based architectures. You don’t have to lift and shift existing problems. Moving to the cloud creates a field of opportunity to reexamine how you manage information and find ways to improve things. In this blog, we’ll discuss information governance and the Data Security Lifecycle as they relate to cloud computing, and provide recommendations that you can take with you on your cloud migration journey. What is Data/Information Governance?Data/information governance means ensuring that the use of data and information complies with organizational policies, standards, and strategy. This includes regulatory, contractual, and business requirements and objectives. Note that data is different from information, but the terms can be used interchangeably. Information is data with value. Data Security Lifecycle vs Information Lifecycle ManagementInformation Lifecycle Management is a tool to help understand the security boundaries and controls around data from its creation through retirement. Although Information Lifecycle Management is a fairly mature field, it doesn’t map well to the needs of security professionals. The Data Security Lifecycle is different from Information Lifecycle Management in that it reflects the different needs of the security audience. It includes six phases from creation to destruction. Once created, data can bounce in between phases without restriction, and may not pass through all stages (not all data is eventually destroyed).
Locating Data in the LifecycleDue to regulatory, contractual, and jurisdictional issues, it’s important to understand the logical and physical locations of data. The lifecycle represents the phases information passes through but doesn’t address its location or how it’s accessed. Data is accessed and stored in multiple locations, each with its own lifecycle. The data security lifecycle is not a single, linear operation, but a series of smaller lifecycles running in different operating environments. At nearly any phase, data can move into, out of, and between these environments. Users know where data lives and how it moves, but how is it accessed? Data is accessed using a variety of different devices that have different security characteristics and may use different applications or clients. The Functions Performed With DataThere are three functions that can be performed with data, by a given actor and a particular situation:
RecommendationsHere are some of our key recommendations for information governance:
To learn more about information governance, check out Domain 5 of the Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. This document also covers best practices in 13 other cloud security domains. You can learn more about the Data Security Lifecycle in this free sample of the CCSK online course.
AboutThe Technical Data Management process provides a framework to acquire, manage, maintain and ensure access to the technical data and computer software required to manage and support a system throughout the acquisition life cycle (see Systems Engineering (SE) Guide, Section 5.24 System Security Engineering for information regarding protection of critical program information). Key Technical Data Management considerations include understanding and protecting Government intellectual property and data rights, achieving competition goals, maximizing options for product support and enabling performance of downstream life-cycle functions. DoDI 5000.85, 3D.2.b.(5)(k) IP and 3D.3.c.(5) IP Strategy contains IP and IP Strategy policy for Major Capability Acquisition programs. Acquiring the necessary data and data rights, in accordance with Military Standard (MIL-STD)-31000, for acquisition, upgrades, and management of technical data provide:
Technical Data Management Activities and ProductsThe Program Manager (PM), Systems Engineer, and Lead Software Engineer, in conjunction with the Product Support Manager, should ensure that life-cycle requirements for weapon system-related data products and data rights are identified early and appropriate contract provisions are put in place to enable deliveries of these products. SE Guidebook Figure 4-12 below shows the activities associated with Technical Data Management. SE Guidebook Figure 4-12: Data Management Activities Identify Data Requirements
Acquire Data
Receive, Verify and Accept Data
Caution: Acceptance of delivered data not marked consistent with the contract can result in the Government "losing" legitimate rights to technical data and can incur significant legal liability on the Government and the individual Government employees. Regaining those rights generally requires costly and time-consuming legal actions. Store, Maintain and Control Data
Use and Exchange DataPlan for and establish methods for access and reuse of product data by all personnel and organizations that perform life-cycle support activities. In support of the Government’s requirement for a Technical Data Package (TDP), the PM should also consider all product-related data (e.g., technical manuals, repair instructions and design/analysis data) to:
Contractually deliverable data should be identified and ordered at the specific "data product" level, (e.g., two-dimensional drawings, three-dimensional Computer-Aided Design (CAD) models, technical manuals, etc.). SE Guidebook, Figure 4-13 below provides a notional representation of different types of product-related data. Caution: PMs, Systems Engineers and Lead Systems Engineers should be aware that terms such as "technical data," "product data," and "TDP" are imprecise, not equivalent, and often incorrectly used interchangeably. Resources for establishing and conducting Technical Data Management activities include but are not limited to:
Data ProtectionThe Program Manager is responsible for protecting system data, whether the data is stored and managed by the Government or by contractors. The DoD policy with regard to data protection, marking, and release can be found in:
Data containing information subject to restrictions are protected in accordance with the appropriate guidance, contract, or agreement. Guidance on distribution statements, restrictive markings and restrictions on use, release or disclosure of data can be found in the DFARS (Subpart 252.227-7013 and 7014), and DoDI 5230.24. When digital data are used, the data should display applicable restriction markings, legends and distribution statements clearly and visibly when the data are first opened or accessed. These safeguards not only ensure Government compliance regarding the use of data but also guarantee and safeguard contractor data delivered to the Government and extend responsibilities of data handling and use to parties who subsequently use the data. P.L. 107-347 (SEC 208 para (b)) and DoDI 5400.16, "DoD Privacy Impact Assessment (PIA) Guidance" requires that PIA be conducted before developing or purchasing any DoD information system that collects, maintains, uses or disseminates personally identifiable information about members of the public, federal personnel, DoD contractors and, in some cases, foreign nationals. Available PIA guidance provides procedures for completing and approving PIAs. All data deliverables should include distribution statements. Processes should be established to protect all data that contain critical technology information, as well as ensure that limited distribution data, intellectual property data or proprietary data are properly handled throughout the life cycle, whether the data are in hard-copy or digital format. Products and Tasks
Source: AWQI eWorkbook ResourcesKey termsIntellectual Property (IP) Statutes, Regulations, Guidance
DD, Engineering Digital Engineering pageDigital Engineering DAU Training Courses
ACQuipedia ArticlesMedia
Communities of Practice
What is the correct order of change control procedures regarding changes to systems and networks?What is the correct order of steps in the change control process? The sequence of events during the change control process is request, impact assessment, approval, build/test, implement, and monitor.
What is not one of the three tenets of information security?Explanation: While safety is a critical concern, it is not one of the three tenets of information security, which are confidentiality, integrity and availability.
When should an organization's managers have an opportunity to respond to the findings in an audit?When should an organization's managers have an opportunity to respond to the findings in an audit? Managers should include their responses to the draft audit report in the final audit report.
What is the first step in information security quizlet?the initial step in establishing an information security program is the: development and implementation of an information security standards manual.
|