Data Policies – CompTIA Security+ SY0-401: 4.4

How do you manage your data? In this video, you’ll learn the importance of creating security policies around data wiping, disposing of data, and data retention.

<< Previous Video: Permissions and ACLsNext: Embedded System Security >>


One data policy we commonly see is one around data wiping. This is one where we are removing data from a device. This is something the administrator usually initiates by clicking a button or flipping a switch, and removing part or all of the data on a remote device.

Data wiping may also be a policy we apply to hardware that we are retiring. If we have a computer that we are disposing of, or we’re transferring ownership of that device, there needs to be a policy in place to find out what you would do with the data on that device. Do you erase everything on the hard drives? Do you remove the storage devices and destroy those storage devices?

In any case we want to be sure that we are not letting any of the data that’s currently on that device get into the hands of a third party. These data wiping policies may also be based around your employee onboarding and offboarding process. If someone is leaving the organization, you want to be sure that the data is retained, but you want to be sure that data does not leave with the individual. And if this data is on a mobile device, it may be part of the standard policy that when somebody leaves the organization you’re also going to remotely wipe everything on their mobile device.

Other data policies might revolve around the disposing of data. You’re gathering all of this information into databases and storing it into your storage area networks, and then how do you ultimately remove that data from the database and dispose of it? There may be legal requirements around what you can keep and what you can destroy, so you’d want to be very clear of what those data policies might be.

Sometimes you’re removing data so that you can make room for more data. If you’re archiving information on to tapes and you’re storing those tapes at a third party or storing them locally, they’re going to take up physical room somewhere. And as you archive more data, you’re going to be storing a lot more information. So you may want to have a data policy that determines how long you archive that data so that you can remove the old data to make room for some of the new archives that you’re creating.

An important part of this data disposal policy should also revolve around Personally Identifiable Information, or PII. People usually don’t take well to their private information being stored at all, and certainly not over a long time frame. But if you’re in an environment where you need that personal information to be able to perform the function of your company, you have to at least store it on these devices at least temporarily.

And that is the key with PII. That you store it as little as possible. You perform the functions that’s needed, and when you no longer need that information, that may be the time very quickly to then dispose of anything that might be personal information. You also might want to destroy information just so it doesn’t get into the hands of anyone else.

This is especially important if you’re working with very sensitive data in a financial organization, a health care organization. Once that data is no longer needed, you may want to make sure that it’s destroyed so that it never moves anywhere outside of your organization.

Just as you have data policies for what you can destroy, you also need data policies for what you plan to keep. There maybe policies that say that you’re going to keep versions of programs or data files on a system for a certain amount of time. May want to make sure for instance that all of the accounting department spreadsheets are constantly saved so that you have multiple versions of a spreadsheet available. And if the accounting department needed to go back to a version of last week or last month, you would have a policy in place that allows those particular versions to be automatically saved over that entire time frame.

These retention policies may also be in use so that you can determine how far back you can go with something like backups. If you have a virus outbreak or malware outbreak, you may need to have a number of different backups available going back over as many as 30 days. And it’s your data retention policy that’s going to determine how much data you’re going to store so that you can plan for these types of problems.

You also want to think about the legal requirements around the data that you’re keeping. Email for instance is very common to have a legal restriction that maintains that data over years of time. So you have to already have that policy in place, and your processes available to back up your email and have it available for years at a time.

In some industries, certain types of data must be retained over a long time frame. For instance, with financial organizations all of the financial details must be stored over a very long period of time by law. And the data that you’re storing usually has different requirements for the storage, for instance, something like tax information or private customer information may require encryption as you’re storing this off to these devices. That way if you’re storing it on a backup tape, and that backup tape is then lost, you would at least be assured that none of the data on that tape would be accessible to anyone else.