Establish Handling Requirements to Secure Data

By Lawrence C. Miller, Peter H. Gregory

Sensitive information such as financial records, employee data, and information about customers must be clearly marked, properly handled and stored, and appropriately destroyed in accordance with established organizational policies, standards, and procedures:

  • Marking: How an organization identifies sensitive information, whether electronic or hard copy. For example, a marking might read PRIVILEGED AND CONFIDENTIAL. The method for marking will vary, depending on the type of data we’re talking about. For example, electronic documents can have a marking in the margin at the footer of every page. Where sensitive data is displayed by an application, it may be the application itself that informs the user of the classification of data being displayed.
  • Handling: The organization should have established procedures for handling sensitive information. These procedures detail how employees can transport, transmit, and use such information, as well as any applicable restrictions.
  • Storage and Backup: Similar to handling, the organization must have procedures and requirements specifying how sensitive information must be stored and backed up.
  • Destruction: Sooner or later, an organization must destroy a document that contains sensitive information. The organization must have procedures detailing how to destroy sensitive information that has been previously retained, regardless of whether the data is in hard copy or saved as an electronic file.

You may be wondering, how do you determine what constitutes appropriate handling requirements for each classification level? There are two main ways to figure this out:

  • Applicable laws, regulations, and standards. Oftentimes, regulations such as HIPAA and PCI contain specific requirements for handling sensitive information.
  • Risk assessment. A risk assessment is used to identify relevant threats and vulnerabilities, and to establish controls that mitigate the resulting risks. Some of these controls may take the form of data handling requirements that would become a part of an organization’s asset classification program.