Implementing Stricter Controls for Confidential Data
5.1 Remediate Security of Computing Resources Consider checking computers at the point of network access to verify that they are fully patched before they are allowed onto the network.
5.2 Standards for Security Configuration of Computing Resources Network resources covered by such standards include firewall, intrusion detection/prevention, and router configurations. Note: standards are not policies; standards are specific and prescriptive.
5.3 Encryption Standards and Strategies for Data If data is confidential, it is usually beneficial to encrypt it to protect it from unauthorized access, either as it transits networks, as it is stored in files or databases, or both. In some cases, such as credit card data, encryption is contractually required.
5.4 Standards Regarding Confidential Data on Mobile Devices, Home Computers, and Data Storage and Archiving
5.5 Identity Management and Resource Provisioning Process
5.6 Data Retention and Secure Disposal of Equipment and Data Computers, disk drives, tapes, and other media are all too often donated to charity, sent to a dump, or sold as surplus with confidential information still intact on them. Technical procedures should cover how to archive old documents and what specific steps must be taken to sanitize media prior to disposal.
5.7 Background Checks on Individuals Handling Confidential Data Persons with criminal records, or with credit histories indicating an inability to handle money responsibly, may not be ideal candidates to handle confidential data. Yet many institutions perform no checks at all on employees or prospective employees who handle confidential data. This is a sensitive topic at many institutions, hence the "consider" wording in the statement.
- USG/BOR Human Resources Administrative Practice Manual: Background Investigation
- UWG Background Investigation Policy and Procedure