Application Data Security Controls
The use of data security controls ensures only those who are permitted access to a specific piece of data are able to access it. Data security control techniques include encryption, masking, and erasure.
- See Server Data Security Controls for procedures regarding SQL column encryption.
- See Application Firewall for firewall procedures.
- See Endpoint Encryption for endpoint encryption procedures.
FISMA (The Federal Information Security Management Act) has a set of requirements to ensure your data is secure. The National Institute of Standards and Technology Special Publication 800-53 has a set of guidelines that ensure you are FISMA compliant. These include:
- Create an inventory of information systems.
- Select applicable security controls.
- Implement the security controls.
- Assess the security controls.
- Authorize the information systems.
- Monitor the security controls.
The PCI Security Standards Council is an organization that sets security standards designed to ensure that all companies maintain a secure environment for the use of and transmission of credit card information. While the scope of PCI Compliance is large, the official PCI v4 compliance lists a few best practices designed to help every day use of credit card information.
- Review logged data frequently (see the documentation on Server Intrusion Detection).
- Ensure that all failures in security controls are detected an responded to promptly.
- Review changes that could introduce security risk.
- Perform risk assessment.
- Review external connections and third-party access (see the KB article on Endpoint Credentials and Access Control).
More information can be found here.
Standards for High Risk Digital Data Protection v. 6
Virginia Tech has a list of standards used in the protection of high risk digital data. A full in-depth breakdown of these standards can be found here. Some of these standards utilize techniques explained in the KB articles listed below.