Security Control 17: Data Loss Prevention

Stop unauthorized transfer of sensitive data through network attacks and physical theft: Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize the exposure to attackers. Monitor people, processes, and systems, using a centralized management framework.

Key: REQ = Required, REC = Recommended, OPT = Optional

ID    Details    High  Med  Low

17.1  Restricted data should be eliminated where possible or must always be encrypted at rest using industry standard strong encryption technologies.
      High: REQ  Med: REQ  Low: REQ

17.2  Use secure, authenticated, and encrypted mechanisms to move data between networks.
      High: REQ  Med: REQ  Low: REC

17.3  Store and deliver physical copies of data, such as printed reports, in a secure manner.
      High: REQ  Med: REQ  Low: REC

17.4  Dispose of physical and digital copies of data in a secure manner.
      High: REQ  Med: REQ  Low: OPT

17.5  Deploy appropriate encryption software to mobile devices.
      High: REQ  Med: REC  Low: OPT

17.6  Data stored on removable and easily transported storage media, such as USB tokens (i.e., "thumb drives"), USB portable hard drives, and CDs/DVDs, should be encrypted.
      Additional details: When feasible, systems should be configured so that all data written to such media are automatically encrypted without user intervention.
      High: REQ  Med: REC  Low: OPT

17.7  If there is no business need for supporting such devices, configure systems so that they will not write data to USB tokens or USB hard drives.
      Additional details: If such devices are required, software should be used, where feasible, that restricts systems to accessing only specific USB devices (identified by serial number or another unique property) and that automatically encrypts all data placed on those devices. An inventory of all authorized devices must be maintained.
      High: REQ  Med: REC  Low: OPT

17.8  Network monitoring tools should analyze outbound traffic for a variety of anomalies, including large file transfers, long-lived persistent connections, connections at regular repeated intervals, and unusual protocols or ports in use.
      High: REQ  Med: REC  Low: OPT

17.9  Conduct periodic scans, at least annually, of server machines to determine whether restricted data (i.e., personal, identity, health, credit card, and classified information) is present on the system in clear text.
      High: REQ  Med: REC  Low: OPT

17.10 Use outbound proxies to control all information leaving the network.
      High: REC  Med: OPT  Low: OPT

17.11 Use network tools to monitor and control the flow of data within the network. Any anomalies that exceed normal traffic patterns should be noted and appropriate action taken to address them.
      High: REC  Med: OPT  Low: OPT
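The four outbound-traffic anomalies named in 17.8 (and the "anomalies that exceed normal traffic patterns" of 17.11) can be checked mechanically against flow records. The following is an added illustration, not part of this control document or any product it refers to: the flow tuples, byte and duration thresholds, and the baseline port list are all constructed assumptions that a site would replace with its own values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample outbound flow records (assumption, not from the page):
# (start_seconds, duration_seconds, src, dst, dst_port, proto, bytes_out)
FLOWS = [
    (0,   2, "10.0.0.5", "203.0.113.9",  443,  "tcp", 12_000),
    (60,  1, "10.0.0.5", "203.0.113.9",  443,  "tcp", 11_500),
    (120, 2, "10.0.0.5", "203.0.113.9",  443,  "tcp", 12_300),
    (181, 1, "10.0.0.5", "203.0.113.9",  443,  "tcp", 11_900),
    (240, 2, "10.0.0.5", "203.0.113.9",  443,  "tcp", 12_100),
    (10,  5, "10.0.0.7", "198.51.100.2", 443,  "tcp", 900_000_000),
    (30, 36_000, "10.0.0.8", "198.51.100.3", 22, "tcp", 40_000),
    (45,  3, "10.0.0.9", "198.51.100.4", 6667, "tcp", 3_000),
    (50,  3, "10.0.0.9", "198.51.100.4", 53,   "udp", 200),
]

# Assumed site baseline of (proto, dst_port) pairs normally seen outbound.
BASELINE_PORTS = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 22)}

def large_transfers(flows, threshold=500_000_000):
    """17.8: single outbound flows moving more than `threshold` bytes."""
    return [f for f in flows if f[6] > threshold]

def long_connections(flows, min_seconds=8 * 3600):
    """17.8: persistent connections lasting longer than `min_seconds`."""
    return [f for f in flows if f[1] > min_seconds]

def beacons(flows, min_count=4, max_jitter=0.1):
    """17.8: (src, dst, port) contacted at regular repeated intervals.
    Flags peers with >= min_count flows whose inter-arrival gaps vary by
    no more than max_jitter (relative standard deviation)."""
    by_peer = defaultdict(list)
    for f in flows:
        by_peer[(f[2], f[3], f[4])].append(f[0])
    found = []
    for peer, starts in by_peer.items():
        if len(starts) < min_count:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            found.append((peer, round(mean(gaps))))  # peer and period in s
    return found

def unusual_ports(flows, baseline=BASELINE_PORTS):
    """17.8: protocol/port pairs outside the site's observed baseline."""
    return [f for f in flows if (f[5], f[4]) not in baseline]

def analyze(flows):
    """Run all four checks; each finding should be triaged per 17.11."""
    return {"large": large_transfers(flows), "long": long_connections(flows),
            "beacons": beacons(flows), "ports": unusual_ports(flows)}
```

Tune the thresholds from a period of known-good traffic before alerting on them; the beacon check in particular needs a baseline interval distribution so that legitimate polling (software updates, monitoring agents) is allow-listed rather than paged on.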

Additional Reading