This section covers how people and systems work with data. This includes any action you can take with the data, such as read, copy, edit or delete. The following key subtopics are important to know:
- Markings and labels. You should mark data to ensure that users are following the proper handling requirements. The data could be printouts or media like disks or backup tapes. For example, if your employee review process is on paper, the documents should be labeled as sensitive, so that anyone who stumbles across them accidentally will know not to read them and instead to turn them over to the data owner or a member of the management or security team. You also might restrict the movement of confidential data, such as backup tapes, to certain personnel or to certain areas of your facility. Without labels, the backup tapes might not be handled in accordance with company requirements.
- Storage. You can store data in many ways, including on paper, disk or tape. For each scenario, you must define the acceptable storage locations and inform users about those locations. It is common to provide a vault or safe for backup tapes stored on premises, for example. Personnel who deal with sensitive papers should have a locked cabinet or similar secure storage for those documents. Users should have a place to securely store files, such as an encrypted volume or an encrypted shared folder.
- Destruction. Your organization should have a policy for destruction of sensitive data. The policy should cover all the media that your organization uses for storing data: paper, disk, tape, etc. Some data classifications, such as those that deal with sensitive or confidential information, should require the most secure form of data destruction, such as physical destruction or secure data deletion with multiple overwrite passes. Other classifications might require only a single overwrite pass. The most important thing is to document the requirements for the various forms of media and the classification levels. When in doubt, destroy data as though it were classified as the most sensitive data at your organization.