|Option||Low Risk||Med Risk||High Risk|
|Transform sensitive content||Yes||Yes|
|Flow rate controls||Yes||Yes|
Transforming sensitive content, in particular by using encryption, is appropriate except in primary stores, and should follow the controls identified under data at rest, in motion, and in use identified elsewhere in Security Decisions.
Access controls should always be used at the network, system, and data record level as a basic and widely available mechanism that is a sound first line of defense against attempts at unauthorized access. The more trustworthy the system, the more effective these access controls are. As risks increase, higher surety trusted systems should be applied for these separation access controls.
Separation mechanisms include access controls, but are more commonly considered in terms of network separation via zoning and subzoning, physical separation, and other related mechanisms. Digital diodes, one-way UDP traffic, and guards may also be used to allow inward-only information flows and restricted release of sensitive information through review processes.
Flow rate controls are used to limit the amount of harm that can result from leakage. This typically applies to situations in which communication is required but particular classes of use are provided to particular individuals. The individuals who are only supposed to access small quantities of content are limited in the amount they can gain access to per unit time and therefore in the extent to which they can cause harm through leakage.
Contractual mechanisms are used when outsourcing is required for business benefits. These mechanisms should include adequate liability for release of information, defined protections by the outsourcer, and the ability to audit and test their security. For high sensitivity information, outsourcing should not be used as the risks are typically too high to transfer via contract.