Information security and data privacy

Data privacy law in Brazil is shaking up companies when it comes to information security technologies and processes. It’s important to always bear in mind that the LGPD (Lei Geral de Proteção de Dados) was implemented to bring benefits to Brazilian citizens.

However, this is a process directly affecting companies as they need to organize their data, adapt their processes, train their employees, and implement information security technologies.

According to DNASec®, there are 10 pillars of technology that should be used as implementation guides, remembering that there is a minimum deployment according to each company’s size and type of business.

Therefore, considering the needs of companies based on size and business criticality regarding technology deployment, we can enumerate some of them. Follow the article to find information about the following technologies:

  • Data access security and workspace access
  • Data encryption at rest
  • Data and document classification
  • Endpoint protection against data theft, hijacking, and destruction
  • Backup and data protection technologies
  • Privileged access control to data environments
  • Vulnerability management
  • User education tools, compliance, and phishing
  • Event correlation and incident response tools
  • Audit, protection, and control of personal data traffic and usage

Information security in work environments

Currently, information security in work environments has become a critical point of attention, as they are the primary means for hackers to gain access to privileged environments and steal data.

To address these risk points, we should explore the following actions:

  • Implementation of VPN access with multi-factor authentication;
  • Removal of Terminal Services access open to any type of origin on the internet;
  • Segmentation of internal networks, separating database servers from desktop and application networks;
  • RBAC access controls on systems;
  • Strong password policies for users on all systems;
  • Centralization of passwords with SSO (Single Sign-On);
  • User behavioral analysis tools.

Data encryption at rest

Encrypting data at rest, on disks and in databases, prevents the theft of an asset or unauthorized access to a database from exposing the personal information it holds.

In this case, when a device – whether a laptop, a mobile phone, or even a server and its storage components – is stolen or lost, the personal data on it remains inaccessible to unauthorized individuals.

To achieve this objective, it’s necessary to implement security processes and technologies as listed below:

  • Disk encryption software;
  • MDM (Mobile Device Management) solution for mobile device control.

Data and document classification

From the perspective of data classification, it’s important to consider that documents and information should be classified according to an information security policy.

This happens after the correct implementation of the information classification process, along with appropriate training and involvement of the right people for using document classification labeling tools.

The necessary software, services, and solutions for this objective are:

  • Information classification policies and data usage;
  • Information classification software.

Endpoint protection against theft, hijacking, and data destruction

When we talk about endpoints, it no longer makes sense to think only of traditional antivirus; instead, we should consider a next-generation endpoint, the so-called Next Generation Endpoint (NG Endpoint).

It replaces traditional antivirus and incorporates several layers of defense for computers and laptops. In addition, it adds telemetry and data collection for investigation, as well as protection against the execution of malicious scripts.

In addition to NG Endpoints, we cannot overlook DLP Endpoints, which should be deployed after a rigorous definition of business rules and clear documentation of what constitutes an incident, even if it involves personal data.

With this in mind, we should consider the following in this process:

  • Documentation policy for incidents and their responses;
  • NG Endpoint software with EPP, EDR, or xDR;
  • DLP software.

Backup Technologies and Information Security

Backups and data copies must be meticulously planned as they represent the last line of defense in a data hijacking or even complete destruction scenario.

Backups should be stored outside the production environment and isolated from any risk of contamination or compromise.

In this regard, we should anticipate the following in the environment:

  • Backup solution with the ability to cross-identify personal data;
  • Backup solution with data protection against ransomware attacks;
  • Network segmentation service for the backup environment to safeguard backup catalogs.

Privileged Access Control to Data Environments

Privileged access control and password management are currently among the most critical and frequent points for attackers to gain entry into the network environment through credential leaks.

This access must be controlled, audited, logged, and restricted in such a way that passwords are never in the hands of users, which is precisely what current Privileged Access Management (PAM) solutions provide.

These solutions can monitor the creation of new administrative users in the environment and even detect if someone has changed an administrator password. Moreover, they can change passwords without human intervention.

To achieve these objectives, it is necessary to implement:

  • Policy for privileged access management
  • PAM solution

Vulnerability Management in Information Security

The vulnerability management process enables the identification of risks in utilized applications by defining classifications, treatment methods, responsibilities, and timeframes for remediation.

A malicious user can compromise personal data and sell it on web forums, or engage in blackmail by demanding a sum of money as a condition for the “ransom” of the data.

An effective vulnerability management process comprises the following stages:

  • Identification: Using a scanning tool or security agents such as antimalware to locate vulnerabilities.
  • Asset prioritization: Establishing a list of business-critical assets where vulnerabilities carry greater weight and are addressed first.
  • Assessment: Upon identifying vulnerabilities, it’s possible to enumerate them and correlate them with CVEs (Common Vulnerabilities and Exposures – a public list of security flaws), assigning a score according to CVSS (Common Vulnerability Scoring System – a methodology for defining scores for vulnerabilities), as well as using business criticality factors to prioritize the execution of more critical fixes.
  • Reporting: Documenting vulnerabilities allows understanding their evolution and the effectiveness of the management program, tracking how many emerged since the last scan, how many were closed or mitigated, and controlling the risk level.
  • Remediation: In the remediation stage, it should first be verified if patches are available or if remediation doesn’t impact the functionality of any system. If possible, the fix should be applied and validated. Otherwise, it should be determined if there’s a possibility to mitigate its risk, whether by isolating the asset in question or applying other compensatory controls.

Nevertheless, if remediation of the vulnerability isn’t possible, the risk can be accepted by documenting the approval of this exception and setting a deadline to revisit the vulnerability.

User Education, Compliance, and Phishing Tools

Typically, network users and employees are considered the “weakest link in the chain.” To reverse this scenario, we must keep in mind the maxim of Eliyahu M. Goldratt, physicist and administrator: “A chain is only as strong as its weakest link.”

Therefore, actions of awareness, cultural assimilation, and training programs should be implemented, utilizing compliance and phishing programs, which are highly beneficial in the cultural assimilation process for information security.

Moreover, from a corporate perspective, compliance and data privacy are also used for user training and obtaining consent regarding security rules, taking into account the demands of remote work models.

With this in mind, we can consider the implementation of the following policies and solutions:

  • Compliance and anti-corruption policy;
  • Code of ethics and conduct;
  • Privacy policy and personal data handling policy;
  • Phishing solutions and user training.

Event Correlation and Incident Response Tools

Corporate incident response processes, whether related to security, availability, or data privacy, require trained professionals ready to react to any type of incident in the work environment.

However, for incident response processes to function correctly, the monitoring of security and data privacy events must be appropriate, with prior and intelligent screening.

To achieve this, the following steps need to be implemented:

  • Implementation of Business Continuity Plan;
  • Risk analysis of the environment;
  • Monitoring plan;
  • Incident response plan;
  • SIEM (Security Information and Event Management) solution and monitoring

Auditing, information security, and control of personal data traffic and usage

Software and auditing processes, as well as protection and control in the handling and usage of personal data, are highly necessary to comply with the directives of the General Data Protection Law.

After all, it stipulates that companies handling data must prove the integrity of data processing and the application of necessary security tools to protect the personal data being processed.

Therefore, the implementation of the following solutions is necessary:

  • DLP (Data Loss Prevention) software;
  • Endpoint auditing system;
  • Database and active directory auditing software.

Conclusion

In conclusion, we can affirm that, in addition to all technological support, it is extremely important that the human factor also walks hand in hand with the guidelines governing the LGPD (General Data Protection Law).

Therefore, it is essential to remember that conducting an information security assessment before even implementing technologies, understanding the minimum requirements of each, is truly necessary.

Considering cultural value as well, companies with a more traditional work dynamic that have not yet entered more consistently into the universe of innovation and technology have extra work with their teams.

An effective effort must be made with all employees so that they understand the importance of the results obtained through the implemented methods, and so that everyone sees the process from the same perspective.

This text was written by George Silverio da Silva, Chairman at BoxGroup.
