Protect data from loss

Summary

Personal and government information is highly sought after by fraudsters and organised criminals. The way data is collected and stored can also change the scale and impact of a potential breach.

To better protect personal information, the minimal data required for a transaction should be collected, used and retained.

Make sure sensitive or official information cannot leave your entity's network without authority or detection.

The Protective Security Policy Framework articulates mandatory information security requirements to maintain the confidentiality, integrity and availability of all official information.

Why this countermeasure matters

Allowing data to leave your entity's network without authority or detection can lead to staff or contractors:

• publicly releasing official, sensitive or classified information
• providing sensitive or classified information to others for dishonest gain, such as helping a company win a government contract
• selling sensitive or classified information to criminals and scammers
• using sensitive or classified information to commit fraud themselves.

How you might apply this countermeasure

Some ways to implement this countermeasure include:

• scanning emails sent to or from external email addresses and setting aside any that contain sensitive information for further checks
• limiting access to collaboration websites that enable documents to be uploaded
• controlling access to supporting ICT systems, networks (including remote access), infrastructure and applications
• controlling the use of removable storage media and unapproved connected devices
• network management practices and procedures to identify and address network structure or configuration vulnerabilities
• using encryption particularly when transferring information
• adhering to the requirements under the Protective Security Policy Framework
• referring to guidelines in the Australian Government Information Security Manual and the Australian Cyber Security Centre’s Strategies to Mitigate Cyber Security Incidents.

How to check if your countermeasures are effective

Here are some ways to measure the effectiveness of this type of countermeasure:

• conduct pressure testing to test if fraudulent activity would be prevented or detected
• consult subject matter experts about data loss protection controls
• confirm that information security requirements comply with requirements of the Protective Security Policy Framework and other national frameworks and guidelines, including the  Australian Government Information Security Manual and Strategies to Mitigate Cyber Security Incidents
• conduct a process walk through by sitting with a staff member while they show you how the controls work
• review the controls to determine if it would prevent or detect different methods of information disclosure
• confirm controls are always on and automatically applied
• confirm that detection tolerances or parameters are appropriate
• confirm that detection parameters or thresholds are not widely known
• arrange or review results of technical testing to conform controls are working to specifications
• confirm that the systems/processes underlying the data loss protection controls are adequate and reliable
• confirm that data/information breaches go to the most appropriate staff/team for review
• review a sample of detected incidents
• analyse reports related to the data loss protection controls such as how many breaches are reported and how often
• review who has access to change the controls
• confirm that someone cannot manipulate the data loss protection controls and test this if required
• check what other reporting occurs such as if executives review data/information disclosure reports during committee meetings.