2.2 Establish information and asset handling requirements
We must also establish policies for:
- How data is handled
  - How do we determine when somebody is permitted to access a piece of data?
  - Where can they access the data from?
  - What are the requirements for the computer that can access the data?
  - What software can they use?
  - Can they access the data from home?
  - Do we require users to use MFA?
  - How do we log access to the data?
- How data is stored
  - Is the data encrypted at rest?
  - What kind of algorithm is used to encrypt the data?
  - How is the system secured physically?
  - How is the system labelled?
- Declassification
  - How do we declassify data when it is no longer required?
  - How do we know when the data is ready to be declassified?
  - Who decides when the data should be declassified?
- Deidentification
  - How do we remove personal information from the data?
  - How can we remove or mask personal information, but keep the data useful?
- Tokenization
  - Tokenization replaces the original data with substitute (pseudo) data that looks like the original, while the real values are kept separately.
  - We tokenize data when we want to hide the original values but keep their original form (length, character set, layout) so that existing systems can still process them.
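Added example, not part of these notes: a small Python tokenization vault that swaps a card number for a format-preserving random token (same length, all digits) and keeps the real value only in a separate mapping, next to an irreversible masking function for comparison with deidentification. The class name, the in-memory vault, and the choice to keep the last four digits are assumptions.

```python
import re
import secrets

# Constructed example of vault-based tokenization. The token keeps the format
# of the original (same length, digits only, last four digits preserved) so
# downstream systems still process it, while the real value lives only in the vault.
_PAN_RE = re.compile(r"^\d{12,19}$")


class TokenVault:
    """In-memory token vault; a real one is a hardened, access-controlled store."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not _PAN_RE.match(pan):
            raise ValueError("expected a 12-19 digit primary account number")
        # The same input always maps to the same token, so lookups and joins on
        # the tokenized column keep working.
        if pan in self._value_to_token:
            return self._value_to_token[pan]
        while True:
            # Random digits for everything except the last four, which are kept
            # for receipts and support; nothing in the token is derived from the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_value:
                break
        self._token_to_value[token] = pan
        self._value_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only callers authorized to see the original value should reach this path.
        return self._token_to_value[token]


def mask(pan: str, keep: int = 4) -> str:
    """Deidentification by masking: irreversible, unlike tokenization."""
    return "*" * (len(pan) - keep) + pan[-keep:]
```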