Security Control 17: Data Loss Prevention
Stop unauthorized transfer of sensitive data through network attacks and physical theft: Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize the exposure to attackers. Monitor people, processes, and systems, using a centralized management framework.
Key: REQ = Required, REC = Recommended, OPT = Optional
ID | Details | High | Med | Low |
---|---|---|---|---|
17.1 | Restricted data should be eliminated where possible or must always be encrypted at rest using industry standard strong encryption technologies. | REQ | REQ | REQ |
17.2 | Use secure, authenticated, and encrypted mechanisms to move data between networks. | REQ | REQ | REC |
17.3 | Store and deliver physical copies of data, such as printed reports, in a secure manner. | REQ | REQ | REC |
17.4 | Dispose of physical and digital copies of data in a secure manner. | REQ | REQ | OPT |
17.5 | Deploy appropriate encryption software to mobile devices. | REQ | REC | OPT |
17.6 | Data stored on removable and easily transported storage media such as USB tokens (i.e., "thumb drives"), USB portable hard drives, and CDs/DVDs should be encrypted. When feasible, systems should be configured so that all data written to such media are automatically encrypted without user intervention. | REQ | REC | OPT |
17.7 | If there is no business need for supporting such devices, configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, use software, where feasible, that restricts systems to specific authorized USB devices (identified by serial number or another unique property) and that automatically encrypts all data placed on those devices. An inventory of all authorized devices must be maintained. | REQ | REC | OPT |
17.8 | Network monitoring tools should analyze outbound traffic for anomalies, including large file transfers, long-lived persistent connections, connections repeated at regular intervals, and unusual protocols or ports in use. | REQ | REC | OPT |
17.9 | Conduct periodic scans, at least annually, of server machines to determine whether restricted data (i.e., personal, identity, health, credit card, and classified information) is present on the system in clear text. | REQ | REC | OPT |
17.10 | Use outbound proxies to control all information leaving the network. | REC | OPT | OPT |
17.11 | Use network tools to monitor and control the flow of data within the network. Any anomalies that exceed normal traffic patterns should be noted and appropriate action taken to address them. | REC | OPT | OPT |
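Control 17.8 names four anomaly classes that outbound monitoring should surface. The following is an added example, not part of the control document or any particular monitoring product, showing one way to screen flow records for exactly those classes: single large transfers, long-lived connections, connections that recur at near-constant intervals (beacon-like), and destination ports outside the egress profile. The thresholds, the set of expected ports, the IP addresses and the sample flow records are all constructed assumptions; a real deployment would tune them from its own traffic baseline.

```python
"""Added example (not from the control document): screens outbound flow
records for the anomaly classes listed in control 17.8. Thresholds,
expected ports and the sample flows below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    start: int        # epoch seconds when the flow began
    duration: int     # seconds the connection stayed open
    src: str          # internal host
    dst: str          # external destination
    dport: int        # destination port
    bytes_out: int    # bytes sent from the internal host


# Tunable thresholds (assumed values, not taken from the control text)
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024   # 500 MiB in a single flow
LONG_CONNECTION_SECS = 6 * 3600            # open for 6 hours or more
EXPECTED_PORTS = {53, 80, 443}             # what this egress normally carries
BEACON_MIN_FLOWS = 5                       # series shorter than this is ignored
BEACON_MAX_JITTER = 0.10                   # std-dev / mean of inter-arrival gaps


def flag_large_transfers(flows):
    return [f for f in flows if f.bytes_out >= LARGE_TRANSFER_BYTES]


def flag_long_connections(flows):
    return [f for f in flows if f.duration >= LONG_CONNECTION_SECS]


def flag_unusual_ports(flows):
    return [f for f in flows if f.dport not in EXPECTED_PORTS]


def flag_beacons(flows):
    """Group flows by (src, dst, dport); a series whose start-time gaps are
    nearly constant looks like a scheduled check-in rather than a person."""
    series = defaultdict(list)
    for f in flows:
        series[(f.src, f.dst, f.dport)].append(f.start)
    hits = []
    for key, starts in series.items():
        if len(starts) < BEACON_MIN_FLOWS:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= BEACON_MAX_JITTER:
            hits.append((key, round(m)))   # (series key, interval in seconds)
    return hits


def analyze(flows):
    """Run every detector and return the findings keyed by anomaly class."""
    return {
        "large_transfers": flag_large_transfers(flows),
        "long_connections": flag_long_connections(flows),
        "unusual_ports": flag_unusual_ports(flows),
        "beacons": flag_beacons(flows),
    }


# Constructed sample flows; T0 is an arbitrary epoch origin.
T0 = 1_700_000_000
SAMPLE_FLOWS = [
    Flow(T0 + 100, 2, "10.0.0.5", "203.0.113.10", 443, 20_000),
    Flow(T0 + 200, 1, "10.0.0.5", "203.0.113.10", 443, 15_000),
    Flow(T0 + 300, 900, "10.0.0.7", "198.51.100.20", 443, 800 * 1024 * 1024),  # large transfer
    Flow(T0 + 400, 7 * 3600, "10.0.0.9", "198.51.100.30", 443, 50_000),       # long-lived
    Flow(T0 + 500, 3, "10.0.0.11", "198.51.100.40", 6667, 1_200),              # unusual port
] + [
    # every 600 s, tiny payload, same destination: beacon-like series
    Flow(T0 + 1000 + i * 600, 1, "10.0.0.13", "198.51.100.50", 443, 300)
    for i in range(8)
]

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_FLOWS).items():
        print(f"{kind}: {hits}")
```

Each detector is independent so a finding can be routed to its own alert rule; the beacon check is the one that needs history, which is why it keys on the (source, destination, port) triple rather than inspecting flows one at a time.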
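Control 17.9 calls for periodic scans of servers for restricted data stored in clear text. The following is an added example, not part of the control document or any DLP product, of a minimal scanner for one category on that list, credit card numbers: it walks a directory tree, matches 13 to 19 digit runs, and keeps only those that pass the Luhn checksum so that order numbers and timestamps are not reported. The sample files, their contents and the size cap are constructed; the well-known test card numbers used are not real accounts. The scanner records only counts and offsets, never the matched values, so its report can be sent to a central console without itself becoming restricted data.

```python
"""Added example (not from the control document): a minimal clear-text
credit card number scan in the spirit of control 17.9. The pattern, size
cap, sample files and test card numbers are constructed for this example."""
import os
import re
import tempfile
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_offsets(text: str) -> List[int]:
    """Offsets of card-shaped numbers that pass Luhn; random digit runs
    (order ids, timestamps) almost always fail the checksum and are dropped."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.start())
    return hits


def scan_tree(root: str, max_bytes: int = 10 * 1024 * 1024) -> Dict[str, int]:
    """Map relative path -> count of Luhn-valid card numbers in clear text.
    Files larger than max_bytes are skipped; undecodable bytes are ignored."""
    findings: Dict[str, int] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                count = len(find_card_offsets(fh.read()))
            if count:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = count
    return findings


# Constructed sample content. 4111 1111 1111 1111 and 5555 5555 5555 4444
# are widely published test numbers that pass Luhn; the digit runs in the
# log line do not, so they must not be reported.
SAMPLE_FILES = {
    "reports/q3.txt": "Refund issued to card 4111 1111 1111 1111 on 2024-09-01\n",
    "logs/app.log": "order=1234567890123 ts=20240901123456 ok\n",
    "exports/bulk.csv": "name,card\nA,4111-1111-1111-1111\nB,5555 5555 5555 4444\n",
}


def scan_sample() -> Dict[str, int]:
    """Write SAMPLE_FILES into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_tree(root)


if __name__ == "__main__":
    for path, count in sorted(scan_sample().items()):
        print(f"{path}: {count} clear-text card number(s)")
```

The Luhn filter is what keeps the scan usable: on a server full of logs, a bare digit pattern reports thousands of false positives, while the checksum rejects roughly nine in ten random digit runs. Extending the same structure to the other categories in 17.9 means adding a pattern plus a validator for each, rather than a pattern alone.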