What aspects of life cycles are considered in the protection architecture?
|Business||-Formation -Funding -Operation -Initial-public-offerings-(IPOs) -Joint-ventures -Mergers-and-acquisitions -Divestiture -Bankruptcy -Dissolution|
|People||-Conception -Pregnancy -Birth -Education -Marriage -Divorce -Training -Hiring -Promotion -Demotion -Suspension -Vacation -Illness -Leaves -Job-changes -Moves -Resignation -Termination -Retirement -Death -Legacy -Disgruntled-employees-and-ex-employees|
|Systems||-Conception -Design -Engineering -Implementation -Operation -Maintenance -Disasters -Recovery -Upgrades -Transformations -Consolidation -Obsolescence -End-of-life -Reconstitution -Resale -Destruction -Recycling|
|Content||-Inception -Observation -Entry -Validation -Verification -Attribution -Fusion -Separation -Analysis -Transforms (incl. conversion) -Transmission -Storage -Use -Presentation -Modification -Loss -Recovery -Reconstruction -Backup -Restoration -Migration -Transfer -Legal hold -Destruction|
Business life cycles have many interactions with information protection programs that are ignored in the literature to a large extent, even though their effects can be dramatic. Business changes often have significant impacts on employee behaviors and there are many cases in which these produce disgruntled employees, layoffs, firings, and organizational changes. These imply significant information protection issues beyond what is listed here.
Formation of businesses and the processes involved increasingly expose a lot of information to public view. For example, in order to form a corporation and get a bank account in the California today, you may have to provide a fingerprint to the bank and personal information to the state to allow them to track you down if they should want to. When businesses are formed, there are automatic processes that notify vendors, who pay the state for information about the formation, and use the data provided under force by the state to contact the owners to sell things to them. When new businesses are formed by existing businesses, there may be effects on credit and other similar interactions.
Funding processes involve a lot of detailed financial information, often including credit checks on individuals associated with the business and containing a wide array of private information. Funding processes are also used to feed data into large databases that are widely accessible for a fee or, in some cases, for free. The funding processes often involve information that can be readily used in identity theft, or in rare cases, business identity theft in which the identity of the business is stolen and used to perpetrate frauds. Funding profiles for businesses often ignore information protection issues and, as a result, protection is often lax in start-up processes to the detriment of the shareholders.
Operation of businesses include the sorts of information protection requirements described throughout the widely published literature.
Initial public offerings (IPOs) lead to the need to run companies as public rather than private entities and this has dramatic effects on the legal and regulatory requirements in terms of information protection. The basic issue with an IPO is that the value of their investment depends on the integrity, availability, confidentiality, accountability, and use control of the enterprise's information and infrastructure. As a result, the enterprise must meet due diligence requirements, be reasonable and prudent, and produce results that the CEO and CFO can attest to.
Joint ventures and similar business arrangements require special protective measures, particularly when companies compete in other markets. This is necessary in order to prevent (1) collusions or revelation of pricing information, which might violate restraint of trade requirements, (2) competitive information from being leaked, (3) corruption of one enterprise by the other through the joint venture, and (4) other similar negative consequences. However, the participants in the venture must still effectively work together and reach back into their respective infrastructures for day-to-day operations and provide content relevant to the joint venture.
Mergers and acquisitions lead to the combination of information technology components, capabilities, and systems, mixing of staff, and exchanges of content that are typically controlled by completely different information protection programs. There is a very significant cost associated with the transition of an entity into a new security operations process. Someone ultimately has to end up in charge, firewalls between entities have to be created so they can interoperate while the protection infrastructures are reconciled, information classifications have to be reconciled in order to gain proper controls, clearances and need-to-know designations have to be reconciled, interdependencies change, risk aggregations shift, and so forth. This is an effort comparable to the start up of a new protection program in one of the entities and major infrastructure changes in the other. These changes tend to produce disgruntled and laid off employees and this must also be considered.
Divestiture typically involves the splitting of content and systems between the two resulting entities. There are many implications for information protection. For example, for every role in each resulting entity, the split has to result in appropriate membership levels. Since those in roles tend to be organizationally bound, critical roles may be moved wholesale into one entity resulting in critical unfulfilled operational roles in the other. There are many solutions to this. Some of these situations involve large business units with their own mirror of the CISO organization, which makes it a lot easier. One of the entities may have to add positions to mirror what the enterprise did for them before divestiture. In a sale to another entity, that entity may have necessary functions already. In other cases, large parts of the IT organization are retained in one entity and its services leased to the other entity for a pre-arranged period of time for the transition. Typically these arrangement are for 3 years or more. These changes also tend to produce disgruntled employees and this must be considered.
Bankruptcy can either be for reorganization or for termination of the existence of the entity. Reorganization is not very significant from a protection standpoint other than the effect of creating disgruntled and frightened employees. Termination of a business leads to termination of all employees and sale of assets. This implies a variety of information protection functions that are usually poorly fulfilled and brings possible liability to the officers. Private information protected by law includes, but it not limited to, protected health information, individual financial information, human resources information like employee records, and business financial records. All of these must be properly stored or disposed of according to the legal requirements for that sort of data. Proprietary materials from third parties, like trade secrets, must be protected. Items covered by intellectual property rights, like copyrighted materials, may have to be protected. Classified or similarly controlled information has to be properly handled regardless of the business status of the entity. In short, end-of-life processes must be properly managed during a bankruptcy process.
Dissolution for any other reason than bankruptcy, or at the end of the bankruptcy process. also has to deal with the life cycle issues associated with systems, data, and people.
People have life cycles, and every facet of their life has implications for the enterprise and its information protection program. From before conception to long after burial, there are life cycle issues in the enterprise.
Conception is typically a private matter, however, prior to conception, health care programs at the enterprise have to reflect proper status of the mother in order to assure that medical care and job assignments are proper for the status of the individual. Women of child-bearing age are restricted from certain roles for liability and health reasons. These issues are handled by information systems and must be properly protected from disclosure or corruption while still being reflected in roles available to the individuals in use control processes.
Pregnancy usually brings more use restrictions and changes behavioral patterns of individuals. This leads to differences in behavioral detection models and responses to different sorts of behavioral detection results. Work hours may change, location may change, and in the latter stages, leaves may start, with the corresponding changes in use.
Birth creates new identities within enterprise systems, for example, associated with health care programs and in similar areas. These identities have different status than others within the enterprise records and require different protections.
Education impacts qualifications of employees for different positions and benefits are often associated with education. For children of employees, school and day care records may be available at the company for emergency contact or other purposes. These have special protection requirements as well because they may involve protection of minors.
Marriage often brings about name changes that need to be reflected in identity records, but these changes require historic association in order for time to be properly accounted for. Most current identity management systems handle such changes poorly. Marriage also has impacts on benefits and other similar issues that lead to the need to protect different information in different ways. Marriage changes behaviors, and the protection system must compensate for these changes as well.
Divorce, like marriage, often brings about name changes, requires tracking processes, changes of status, benefits, and other information, and has implications for privacy of records. Divorce is also a life change that may produce erratic behaviors. It tends to remove stabilizing factors that effect suitability for certain tasks, however; these effects are not universal. As a result, divorce should trigger an evaluation relative to life stability for people in sensitive positions. Divorce may also change identity-related information, contact information, and so forth, and this leads to potential tracking issues associated with granting access, just as marriage does.
Training and the tracking of training are important to the protection program because training affects qualifications, and because training requirements associated with certain job functions must be fulfilled in a timely fashion or the individual has to be decertified for those tasks.
Hiring processes involve background checks, verification of resume facts, and checking of references. These are important to initial establishment of clearances at hiring. For sensitive positions, more in-depth checks are required. In the information protection program, such checks are typically made part of the personnel reliability program. Hiring processes also involve requirements for initial awareness and training that must be fulfilled and documented, creation of new enterprise identity information, association of roles with individuals, and other similar processes associated with granting access to enterprise systems and the initiation of behavior and life cycle tracking processes.
Promotion typically comes with new responsibilities associated with information protection. The training and awareness program needs to include new security-related duties in the promotion process, including issues associated with the evaluation of security performance in subordinates, where appropriate. Promotion may result in changes in authorized access and this has to be reflected in role changes and access to systems, facilities, and information. Behavioral changes associated with the new position have to be reflected in detection profiles. Promotion also requires a process for hand-off of content and capabilities to replacements as appropriate.
Demotion is usually not a happy moment in a career and it is a time of change that can often generate a disgruntled employee. Behavioral changes must be watched as well as recalibrated for the new roles and responsibilities. Demotion typically results in role and access changes and these are typically supposed to happen during the meeting when the employee is notified of the change. Demotion also requires a process for hand-off of content and capabilities to replacements as appropriate.
Suspension of people mandates suspension of many but not all information technology privileges for the period of the suspension, tends to generate disgruntled employees, and results in behavioral changes that need to be reflected in behavior tracking systems. This also requires a process for hand-off of content and capabilities to replacements.
Vacation should lead to temporary suspension of many, but not all employee access rights for the period of the vacation. Vacations tend to lead to short-term changes in employee behavior upon return, but these end in a day or two in most cases. Training and awareness levels should be checked on return as well. A process for hand-off of content and capabilities to replacements may be needed.
Illness severe enough to produce days away should generate changes in access for the period of the illness.
Leaves typically run for periods of days, weeks, months, or more, and should be associated with temporary suspension of many, but not all, access rights. Upon return from a leave, training and awareness typically has to be undertaken to catch the individual up to the current situation. This includes updated security awareness and recertification on systems where the training requirements may have lapsed. Extended leaves also require a process for hand-off of content and capabilities to replacements, as appropriate, and return of the hand-offs upon return.
Job changes produce changed roles in most cases, resulting in the need to terminate previous accounts, create new ones, and so forth. This also requires a process for hand-off of content and capabilities to replacements as appropriate.
Moves involving home address changes or changes in workplace or office number lead to changes in access controls associated with network connections, and other similar changes within systems and tracking. Updates to historic records to reflect these changes are needed in order to assure that mail gets redirected, and movement of content and systems from place to place requires physical protection during the move. Inventory processes should be undertaken before and after such moves to assure that lost items of value are identified and that loss is prevented where possible. Moves often result in end of life processes for stored data, and this has to be properly handled as well.
Resignation typically involves a planned departure. The circumstances may dictate special precautions, and because resignations, unlike terminations, are not surprises, there are typically concerns about theft of proprietary information between the notice and the termination of duties. As soon as resignation is notified, information protection actions need to be taken to protect against actions of the terminal employee, and sensitive access should be removed or closely surveilled for the duration of employment. Most resignations are given on a few weeks notice, which provides time for transfer of content and knowledge, however; content should be immediately secured to the extent it is in tangible form to assure against any actions by a disgruntled employee who may be resigning. A standard resignation process should be in place to manage this process properly. Many resignations correspond to competitive moves and these should be examined if potential harm could result.
Termination typically involves a formal meeting in which the employee is notified of the termination. During this meeting, access should be suspended or terminated, all equipment and access devices should be gathered, and proper forms should be signed to acknowledge termination requirements and reaffirm employee agreement issues. Information technology should preserve data associated with the individual at this time and provide means for administrative access. The employee should be escorted from the start of the termination meeting until they leave the premises. If they need to clean out their desk, this should be supervised by an adequately knowledgeable person to assure that only authorized material is removed. This process should be well defined and consistently applied at all levels. Home access should also be terminated and any equipment or other materials in the worker's home should be gathered as part of the termination process. Remote control mechanisms may be used to disable access to content on uncontrolled worker systems, and keys to buildings and systems should be disables or otherwise rekeyed to prevent exploitation. A common practice is to withhold the last paycheck until extant material, like badges and equipment, is returned in good condition.
Retirement is usually a ceremonial time with a party and memories of various sorts displayed for fellow employees. From an information protection standpoint it is very much like any other termination. The process should be similar, well defined, and strictly followed.
Death of a worker may seem like the end of the life cycle tracking but it is not. It is processed similar to a termination except that the employee is unavailable for participation in the process. If there is a death in the worker's family rather than the worker, the life change will result in some behavioral changes as well as th need to invoke processes associated with insurance and so forth.
Legacy of employees, even after termination or death, continues for a substantial period. Records have to be retained for different time periods depending on specifics, but normally 7 years of history are retained for business records unless other requirements apply. Accounts and data may be used over a long time frame and these should be reassigned to those who take over the workload. The identity information associated with an employee may remain associated with their identity and data life cycle processes must be careful not to mis-associate identity with legacy information. Retirement funds and other similar financial or health-related information may continue to be handled for a long period of time, and benefits may accrue to dependents and descendants indefinitely.
Disgruntled employees and ex-employees There are really only three choices here; (1) terminate their employment, (2) make them happier with work, or (3) let them fester and eventually cause harm. Making them happy is preferred if they are highly productive. If this fails or if they are marginal in terms of performance, termination generally is preferred. Festering is undesirable but often done. Ex-employees without access predominantly threaten leaks and harassment and must be met with court orders and similar mechanisms when they get hostile.
Systems have life cycles that can be as short as a few weeks to as long as decades. Hardware replacement cycles typically dictate that components are replaced within 10 years of installation for most computer systems, but some supporting infrastructure equipment like telephony systems and cabling, air conditioning, and heating units last for 30 or 40 years. And many systems have all of their hardware and software replaced over time in an evolutionary process. As a rule of thumb, changes in systems have costs that increase by a factor of 3 to 10 for each step in the life cycle up to maintenance. So every poor protection-related decision made early that could have been changed for a dollar in the conceptual phase of the system results in repair costs in the range of hundreds of thousands to millions of dollars in operation.
Conception of systems typically comes from a few people who think up the idea of what the system will do. This is the point where considerations about information protection should start to enter the picture. The protection concept should be an inherent component of the idea underlying the effort. This is more important for bigger ideas that will have longer life cycles because the errors made early will turn into larger and larger costs over the life cycle.
Design of systems must consider information protection issues in order to make choices that lead down more fruitful, more securable, and less costly paths in the long run. Designers should consider all of the life cycle areas as well as the need for integrity, availability, confidentiality, use control, and accountability. They also need to have adequate expertise to make reasonably good design decisions with regard to these issues, and this requires adequate background and education in these specialty areas that is largely lacking in most engineering and computer backgrounds today.
Engineering systems to work within an environment often involves a lot of systems integration. In this effort there are many sources of incompatibilities between systems that have to be resolved in order to allow interoperability. These interface issues are also security issues in most modern systems. In many cases the engineering design has faults that are carried into implementation because the problems were not thought through as deeply as they should have been. Since there is no systematic approach to engineering solutions, it is the creativity of the engineers that has to be counted on. A large part of the engineering experience is related to what the engineers have seen before, so it is important that they be exposed to many of the more common security-related design faults in order to avoid them in future designs. There are also some limited tools that help check designs for known fault types. Design processes associated with high quality are typically applicable and the CMM-SEC and NSTSSI processes are good first steps to doing reasonably secure design.
Implementation involves security issues associated with procurement of components, design and code review processes, protection testing, audits, change control processes for the larger environment, and so forth. Implementation has to integrate system audit with enterprise audit and enterprise control into system control. Integration of intrusion detection and response systems, identity management, zoning policies, and other similar protection measures into systems happens at this time and, of course, it had better have been considered in the earlier phases.
Operation of systems involves all of the enterprise protection processes and has to produce metrics, generate audit trails, take control signals, fail in a safe mode for the rest of its environment, remain within control requirements, and perform useful tasks efficiently.
Maintenance processes introduce many opportunities for attack, often including remote maintenance or similar capabilities that bypass other protective barriers and controls. These require special maintenance modes and controls, including separation from other systems while in maintenance, sound change control processes for making changes, and verification and reintegration after maintenance. Maintenance periods typically involve different people than normal operation periods. Proper control over their presence and access has to be maintained. Storage media used in maintenance has to be protected as does data associated with testing processes, special access, and passwords associated with maintenance processes. Maintenance access should be disabled during normal operating periods.
Disasters occur from a wide range of causes and with enough frequency and range of effect that they destroy or disable components of systems within significant radii. Overall business function for substantial businesses has to survive disasters that leave most of its potential business operating, but not global catastrophes that would put it out of business regardless of information technology. This can only be done by redundancy in capabilities and people, and diversity of locations. During disasters, normal physical protections in place will almost certainly fail, but the overall protection, in terms of risk management requirements, must not fail, even at this time. Planning must include the potential for disasters.
Recovery processes involve the ability to restore business operations in a timely fashion after a disaster or other less harmful event. This requires people, systems, data, and business change-overs and a well-tested and practiced plan. Recovery should have well-defined starting and ending conditions and process checks along the way. During recovery, normal protective measures are often bypassed. Risk management should either dictate that the change in risk profiles be acceptable or otherwise mitigate these increased risks as part of the recovery process.
Upgrades to systems are commonly done without significant concern about protection, however, for medium and high valued systems, change control processes should be required. These processes assure that upgrades are thoroughly tested before being put into use. Testing normally covers operation over a period of time under benign circumstances. Protection testing for malicious attacks is a far different challenge. Malicious upgrades have been used by attackers, so verifying the source and integrity of the upgrade is vital to effective change control. Control over systems changes is often not feasible at the level desired, so at some point risk has to be accepted in most cases. As the value of the system increases, acceptance of risk should be made harder and harder.
Transformations of systems from function to function tend to happen over time. Transformations are typically evolutionary and, when not properly planned, they often result in protection issues. As a general rule, planning these changes to start at the conceptual level and work through all of the other early systems phases is an effective way to deal with transformations.
Consolidation of systems to join functions is a common cost saving activity, but as systems are consolidated, the risks associated with the preconsolidation systems are aggregated into the consolidated result. The resulting risk aggregation has to be analyzed and proper safeguards taken to compensate for the change in risk and resulting change in requirement for certainty associated with the result.
Obsolescence happens as systems near the end of their useful life cycle. As systems enter this phase of operation they are generally replaced or a decision is made to terminate the functions they provide. Over time the maintenance costs go up until it is more cost effective to recreate the system than to run it any longer. During this phase of operation there is a tendency to reduce the utility of the system and its criticality, thus reducing it protection requirements. The key thing to assure here is that protection is reduced only as the risk is reduced.
End-of-life happens for all systems eventually. As systems become decommissioned, care must be taken to assure that they are no longer needed. This typically involves running at least one full business cycle of every still desired function of the system before shutting the old system down. After the system is shut down, residual data remains an issue from a confidentiality standpoint and accountability remains an issue until all value is certified as gone. Formal policy, procedures, standards, and documentation are required for system end-of-life.
Reconstitution of systems after the end of their life cycle is rare but it can and sometimes does happen. In this case, all of the protective functions associated with its creation must be followed and reviewed for changes in situation between the time the system was decommissioned and when it will be reconstituted. After reconstitution, normal processes associated with end-of-life must be redone when the system is again decommissioned.
Resale of systems after decommissioning should be straight forward. The only real requirements are verification of the decommissioning process, its resulting elimination of residual data and value, and documentation associated with the accountability aspects of the sale and retention and disposition of content.
Destruction of systems, once data has been removed is used for cases where the junk value of the components resulting from destruction exceeds the resale value of the system or where disposal is less expensive than alternatives. Destruction can also happen as a result of events. If destruction is for resale value or disposal, end of life processes should assure that residual value is appropriate and destruction may proceed following all applicable laws and regulations associated with environmental and health standards. Many computer systems include parts with hazardous chemicals, such as PCBs, and care must be taken in disposal to avoid downstream liability. For systems destroyed as a result of events, additional end-of-life processes may be required to assure that residual value such as confidential data is not present in the “destroyed” form.
Recycling of components and materials is fairly common in the computer industry and it should be considered as an alternative to destruction and disposal. One of the best programs is the use of old computer equipment in schools, where 3-5 year old personal computers may be well-used for many years. Recycling of materials within systems, such as gold, silver, and other metals can often pay for the destruction and disposal process associated with the remaining components. Many companies now put used computers up for sale on e-bay or other auction sites. They may only get 10 cents on the dollar, but this is 10 cents they didn't have before, and they avoid the expense of proper disposal. If fully depreciated, income may need to be balanced against disposal costs. Finally, computer museums are starting to arise, so old high-valued systems may be turned into museum pieces at the end of their life.
Life cycles for data are often ignored because data is thought of as passive, however, data is the representation of the content that is vital to business operations. Throughout its life cycle, data must be properly cared for to assure that the business operates as it should. The terms data, information, knowledge, and wisdom are often intertwined and misused. Generally, data as presented here is the representation (i.e., a realization in tangible form) of content (the stuff that has utility). Information is defined as symbolic representations in any form. Knowledge is something that computers don't really have, but if they were to be considered in this light, knowledge would likely be considered the combination of information and processing suited to applying it to useful purposes. Wisdom is rarely found in people and certainly never found in computers except as data representing human wisdom if properly interpreted.
Inception of data occurs when real world events take place outside of the realm of the computer system or when the computer generates some internal signals at an electromagnetic, optical, mechanical, or other physical level. All sorts of data exists that cannot be sensed by computers and this is ignored by the computers leading to limitations on their cognitive input capacity.
Observation depends on the sensor capabilities and limits of the device doing the sensing and the ability of the system reading that sensory data to interpret it and transform it into a form that it can use. For example, many programs read inputs and ignore certain characters, and systems typically strip off protocol elements in the receipt of data. The limits of observation are also limits on the ability of the system to differentiate inputs of different sorts and a resulting loss of capacity to detect many deviations that could yield useful information about source and integrity.
Entry is generally considered the time at which the data becomes something that can be stored, used, processed, output, or otherwise comes into the control and possession of the computer system at the logical level of programs being able to act on it.
Validation processes are often used to check for proper syntax, limits, and internal consistency. Syntax checks are fundamental to effective security and failure to do proper syntax checks at input is responsible for the vast majority of current technical computer attacks. Generally, no input sequence that is not legitimate and valid for the application in context should be accepted. This includes limits on length, value, symbols and symbol sequences, and all of these in the context of program state. Limits are used to prevent excesses based on policies or design. For example, input length limits should correspond to designed storage for inputs and dollar value limits on transaction amounts should be determined by user, context, and company policies. Many inputs contain redundancy, such as the entry of a postal code and state in a form. Since many postal codes map to one state, any sort of inconsistency between an entered postal code and the entered state can lead to a detection of invalid input. Addresses can often be tracked to zip codes today because of the increasing accuracy of geographic data, so these checks can be very effective at correcting input errors as soon as possible.
Verification is the use of redundancy to confirm or refute assumptions. For most cases, verification implies a separate and different method of confirmation than the original source. For example, if the weather report indicates high humidity, it can be readily verified by a sensor. The level of verification typically depends on costs associated with verification and risks associated with the use of unverified data.
Attribution associates data to its source. Generally, there are 4 levels of attribution discussed in the literature. Level 1 attribution is associated with the physical input channel, such as the remote IP address, the wire that the signal arrived on, the telephone number of the remote data entry terminal, or the terminal connector that was used for the entry. Level 2 attribution seeks the indirect version of level 1 attribution, attempting to track data to the system or hardware device that first transmitted it. Level 3 attribution, also known as source attribution, associates data with its human or other real-world source, the party or condition responsible for its entry. Level 4 attribution associates data with the organization behind its source. Level 1 is usually relatively easy. Level 2 is very complicated unless a great deal of surveillance is in place. Level 3 depends on psychological characteristics and may be easier than level 2 if differentiation of source rather then specific identity is desired. Level 4 attribution requires an intelligence operation to be effective in a malicious environment. Attribution and the ability to verify attribution leads to assessment of trust. For example, when a well known expert says a product is good it may be taken far more seriously than when an anonymous reviewer on e-bay says it is good.
Fusion of data takes place in systems that typically do normalization and correlation of some sort. The result is typified by proximity to known situations in a state space. This produces secondary, tertiary, and n-ary derivative information that is applied or stored as data for other processes. Fusion is fraught with errors and assumptions and is thus a far more complex issue from a protection standpoint than data. Fused data also has mixes of the properties associated with the sources and processing mechanisms used to derive it. For example, if highly sensitive data like the schedule of a military operation is fused with common data, like weather information, the result may be highly sensitive (i.e., the change in schedule due to a storm) or far less sensitive (i.e., the total fuel consumption estimates for the operation which may vary because of weather, time, target location or other factors). Fusion leads to data aggregation as well, and this can cause two otherwise non-sensitive pieces of information to be sensitive when combined. For example, departmental total salary may not be sensitive while individual salary might be. But if you can get departmental totals before and after each new employee is hired into the department, you can readily derive the starting salary of each individual. Similarly, because of the nature of pricing of medical procedures and tests, knowing the medical fees paid leads to the procedures and tests performed, which in turn leads to the medical conditions of the patients. Thus medical bills become sensitive protected health information because of the ability to fuse them into protected health information.
Separation requirements associated with data are generated because only separation technologies are sure to limit the flow of information. Data separation is typically at the heart of zoning policies and other related issues. Generally, data is associated with classifications and users are associated with clearances. Data is only accessible to users when the user clearance is commensurate with the data classification. Functions performed are then limited based on the needs of the user with respect to the data.
Analysis of data involves the processing of the data through state machines so that the output of the state machine has utility in a different context. This is typically the sort of thing done when so-called raw data is mixed with other data, transforms, and process models to produce meaningful content for the user that is only indirectly related to the data itself. For example, temperature gradients on a wing may be mixed with simulation models and analyzed to determine aircraft stability. Errors in analysis may produce dramatic side effects, so the integrity of the analysis process is often critical to the business function. For example, analysis of data associated with a bridge may reveal or fail to reveal structural limitations that could cause the bridge to fail under load conditions.
Transforms (including "conversion"), are commonly used to change data media, representation, form, format, or utility. For example, data associated with a simulation may be transformed into graphical format and mapped into a picture to produce a graphic depiction of an event. Transforms are commonly used to extract subsets of data, for example to differentiate intrusion-related audit data from unrelated data. Transforms are used to change data into formats used in different applications or systems, like a transform from EBCDIC to ASCII for moving content from mainframes to personal computers. Transforms are used to reformat data, like putting a presentation into columns. Transforms are used to change media, for example to place the data on a backup tape. Transforms are used to encrypt data and decrypt it, to confirm non-alteration, and for other related purposes. All of these transforms are critical to the function they support and thus transforms must be protected for business function to be protected.
Transmission is generally associated with the data in motion as described elsewhere. In transmission, data becomes susceptible to a larger set of attacks associated with the larger physical space and increased number of media and systems it passes through, or comes into contact with.
Storage is generally associated with the data at rest state which is described elsewhere. In storage, data tends to be localized and concentrated in a small physical space, and thus has the advantage of being physically securable and the disadvantage of aggregating risk in space and time.
Use of data is generally associated with the data in use state described elsewhere. When in use, data must be in usable form. There are few options for protection of the data without protection of the mechanism that uses it. Thus protection of data in use typically involves protection of the operating environment.
Presentation of data typically involves transformation into a presentation format and display on an output device. This may be presentation for human consumption or for automation such as process control systems. It is critical that the presentation accurately represent the intent of the application. For example, many presentations are intentionally deceptive, or at least misleading in that they emphasize things the presenter wants to put forth and minimize issues the presenter wants to be ignored. The presentation of statistical information is notorious enough to have its own saying: "lies, damned lies, and statistics". From an information protection standpoint, this has a range of implications.
Modification of data can be accidental, intentional and appropriate, or malicious. Accidental modification is generally undesirable and can be covered by relatively simple statistically verifiable controls such as redundancy and fault tolerance. Intentional and appropriate modification is desirable from the standpoint of being able to enter and alter values associated with the business utility of the system. For example, changing your address so you can continue to get your mail when you change offices is a business function that involves legitimate alteration of address data. Malicious modification of data is highly undesirable and protection typically involves the use of cryptographic checksums for detection and access controls for prevention. Someone else changing your address as part of an identity theft is an example of the same change used for a malicious purpose. Integrity is a function of intent, and computers are notoriously bad at dealing with issues of intent.
Loss of data can cause business consequences associated with the value of the data unless appropriate protections are in place. Value comes in the form of business utility associated with its use. That utility may be lost from the loss of data. Redundancy protects against loss of utility unless all redundant copies are also lost or unavailable in a suitable time frame for use. Preventing release depends on confidentiality protections, typically mandating the use of encryption or prevention from physical access even when in possession of the data's container.
Recovery of lost data comes in one of several forms. The data may be backed up or otherwise kept, sent, or created redundantly, it may be regeneratable at a cost, it may be recoverable from partially broken or deleted media, and it may be located and recovered by physical or electronic means. Insurance may cover the value and the legal process may aid in recovery of the value through civil and/or criminal sanctions. With the exception of risk transfer techniques, these typically involve outside specialized expertise associated with data recovery, computer forensics, private investigation, or law enforcement processes.
Reconstruction of data is sometimes a choice if the data is derived from other data that is available, if fragments exist at different places, or if the original values can be derived from other data values associated with or derived from it. A really good example was a data set that was destroyed in a fire but was reconstructed from portions of it that were previously emailed to other parties. Those parties sent back copies of partial subsets and they were combined together to reconstruct enough of the original data to meet the need.
Backup of data is a fundamental process designed to assure availability over time. Different sorts of backup are required for different circumstances. The decision about which types to apply stem from timeliness, redundancy, transportation, quantity, and duration issues. For data that has to be restored from backups in near real time, duplicate (hot standby) systems are typically used. For data that has to be very redundant, the redundancy requirement leads to the number of copies and their diversity in space and media. For data in large quantity or that has to be at distant locations in some time frame, different media and bandwidth are acceptable. For backups required to last different amounts of time, different storage media and processes are used. All of these vary with the specifics of the application, almost all combinations of these are attainable, and the costs vary with the need. More and harsher requirements increase costs. For typical data, typical backup regimes include daily incremental backups of changed data kept for one week, weekly incremental or full backups of all data kept for a month, monthly full backups kept for a year, and annual full backups kept indefinitely or retained for the legally mandated duration for business records. Backups have to be tested by restoration on a regular basis in order to assure that they work, tracking backups and selectively restoring from them is problematic for sequential media such as tapes, and large-scale backup facilities on-site and off-site are commonly used for data centers. Data retention and disposition issues also drive back processes to an increasing extent.
Restoration from backups is a process that its typically tuned to the backup process. Restoration processes depend to a large extent on timeliness requirements and media. Restoration in real-time usually requires backups on media similar to the original, and in many cases is implemented by transaction replay processes at secondary sites. Less real-time restoration can involve wider ranges of processes.
Disposition typically consists of migration, transfer, legal holds and/or destruction:
Migration of content from system to system and/or media to media, a common practice as changes happen. Many migration issues need to be addressed, including issue like accessibility in a useful form for content from systems that are obsolescent or obsolete, assuring chain of custody across the migration, changes of media and form, changes in the way content is entered and viewed, and integrity of content as it is moved and possibly transformed in the process. Issues of destruction are also problematic in migration because of the need to retain and/or dispose of various versions.
Transfer of custody is a common practice ending the lifecycle in one custodial context and starting it again in another. It is part of disposition from the perspective of the transfering custodian and the initiation of content and custody for the transferee custodian. Issues of destruction are also problematic in migration because of the need to retain and/or dispose of various versions.
Legal hold of content fulfils legal obligations for retention when no other retention requirement or utility exists with the organization. In anticipation of litigation, or under other legal process, organizations are required to retain all content that might reasonably be considered relevant to the legal proceedings as soon as they become aware of the possibility of that content being relevant. It is generally expected that a process will be in place and properly documented and operating to identify such content, set it aside, preserve it, and be able to produce it on demand subject to legal actions.
Destruction of content is problematic. Generally there are several types of destruction processes associated with digital data and different methods associated with paper, CD-ROM, DVD, and fiche data that are most commonly used.
For digital data stored on disk or tape, deletion of files is most common and least effective. It is trivial to restore this data and it should never be used to destroy data of substantial value. Secure deletion based on multiple pattern-based overwrites is used against medium-grade threats. For higher grade threats electromagnetic erasure with high Oersted field generators can be used but is limited because generators may inadequately penetrate the media. Physical mangling of disks is ineffective against high-grade threats because remaining fragments store large quantities of data per unit area. Destruction of media and contents by burning at high temperatures or boiling in acid for long enough time is most effective.
For paper media, strip shredders are the most common method of destruction. They are ineffective and easily defeated, leaving only a false sense of security. These shredders are consistently and easily defeated. Cross-cut shredders are more secure but to be reasonably safe, shreds should be sized on the order of a few square millimeters for typical printouts. Sensitive and non-sensitive data should be joined in the shred bins to increase volumes. Shredding should be done by the individual doing the disposal, not through a service that shreds elsewhere. The best common process cross-cut shreds, then burns or pulps in a recycling process physically controlled by cleared personnel.
For CD-ROMs and fiche, data density is far higher than for paper. Shredders of the sort described above are effective but leave shards large enough to extract useful content. Burning or emulsification with acid is preferred.
For more details on retention and disposition issues, the reader is refered to The Sedona Conference (https://thesedonaconference.org/).