|Option||Low Risk||Med Risk||High Risk|
|Transform sensitive content||Yes||Yes|
|Flow rate controls||Yes||Yes|
|Chain of custody mechanisms||Yes||Yes|
Transforming sensitive content, in particular by using encryption, is appropriate except in primary stores, and should follow the controls identified under data at rest, in motion, and in use identified elsewhere in Security Decisions.
Access controls should always be used at the network, system, and data record level as a basic and widely available mechanism that is a sound first line of defense against attempts at unauthorized access. The more trustworthy the system, the more effective these access controls are. As risks increase, higher surety trusted systems should be applied for these separation access controls.
Separation mechanisms include access controls, but are more commonly considered in terms of network separation via zoning and subzoning, physical separation, and other related mechanisms. Digital diodes, one-way UDP traffic, and guards may also be used to allow inward-only information flows and restricted release of sensitive information through review processes.
Flow rate controls are used to limit the amount of harm that can result from leakage. This typically applies to situations in which communication is required but particular classes of use are provided to particular individuals. The individuals who are only supposed to access small quantities of content are limited in the amount they can gain access to per unit time and therefore in the extent to which they can cause harm through leakage. Similarly, databases are managed to limit total flows so as to limit consequences of protection failures over time.
Contractual mechanisms are used when multiple parties are involved in the content lifecycle. These mechanisms should include adequate liability for all aspects of protection, defined in agreements and other legal mechanisms, and include the ability to audit and test 3rd party protections to the extent required for the enterprise. For high sensitivity information, 3rd parties should be avoided where feasible as the risks are typically too high to transfer via contract.
Chain of custody mechanisms are used when custody is vital to the utility of content. These mechanisms should include personal responsibility and accountability (typically in the form of documented custody and control) for content across its lifecycle and for all processes interacting with it.
Exfiltration/movement detection mechanisms are used to detect movement of content where it should not go. Data leakage prevention and similar low surety mechanisms are widely used while higher surety mechanisms like tagged architectures provide protection as parts of trusted systems.