Application Data Security Controls

Introduction

Data security controls ensure that only those who are permitted to access a specific piece of data are able to do so. Data security control techniques include encryption, masking, and erasure.

Procedures

Encryption

FISMA Compliance

FISMA (the Federal Information Security Management Act) defines a set of requirements for keeping your data secure. The National Institute of Standards and Technology Special Publication 800-53 provides guidelines for meeting those requirements and achieving FISMA compliance. These include:

  • Create an inventory of information systems.
  • Select applicable security controls.
  • Implement the security controls.
  • Assess the security controls.
  • Authorize the information systems.
  • Monitor the security controls.

PCI Compliance

The PCI Security Standards Council is an organization that sets security standards designed to ensure that all companies maintain a secure environment for the use and transmission of credit card information. While the scope of PCI compliance is large, the official PCI v4 compliance guidance lists a few best practices intended to guide the everyday handling of credit card information.

  • Review logged data frequently (see the documentation on Server Intrusion Detection).
  • Ensure that all failures in security controls are detected and responded to promptly.
  • Review changes that could introduce security risk.
  • Perform risk assessment.
  • Review external connections and third-party access (see the Endpoint Credentials and Access Control documentation).

More information can be found here.

Standards for High Risk Digital Data Protection v. 6

Virginia Tech maintains a list of standards used in the protection of high risk digital data. A full in-depth breakdown of these standards can be found here. Some of these standards rely on techniques explained in the relevant documentation listed below.