I came across this data breach where developers of an organization stored some customer PII data on their GitHub account. Common sense tells me that this is an obviously stupid and careless thing to do.
My question is: are there any security standards that specifically regulate where and how an organization should store the customer data they collect? I have checked NIST 800-53 and googled a bit but could not find any clear guidelines. For example, whether the database server should be in a controlled internal network environment behind firewalls, the data encrypted, etc.
In the data breach example the data was put on a public-facing GitHub server with only a password protecting the data, and the account was probably a shared one.
Any references to specific standards (and paragraphs) would be most helpful.
2 Answers
This White Paper from SANS discusses network architecture and the use of a DMZ: https://www.sans.org/reading-room/whitepapers/bestprac/infrastructure-security-architectureeffective-security-monitoring-36512
The PCI DSS is related to cardholder data but, if you substitute 'sensitive' for cardholder, the guidance is pretty good - see requirement 1.3.6: "Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks."
Similarly, the PCI DSS discusses the use of encryption:
3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
- One-way hashes based on strong cryptography (hash must be of the entire PAN).
- Truncation (hashing cannot be used to replace the truncated segment of PAN).
- Index tokens and pads (pads must be securely stored).
- Strong cryptography with associated key-management processes and procedures.
In relation to storage of production data the following is also required within PCI DSS:
- Development/test environments are separate from production environments with access control in place to enforce separation.
- A separation of duties between personnel assigned to the development/test environments and those assigned to the production environment.
- Production data (live PANs) are not used for testing or development.
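As an added example that is not part of either answer, the four PCI DSS 3.4 approaches quoted above (entire-PAN one-way hash, truncation, index tokens with a protected pad, strong cryptography with managed keys) look like this in code. The key and the sample PAN are constructed for the demo; the final check is a defender-side test that a stored value is no longer a raw PAN.

```python
import hmac
import hashlib
import secrets

# Constructed sample PAN (a well-known test card number, not real cardholder data).
SAMPLE_PAN = "4111111111111111"
# Constructed demo key; under PCI DSS the real key lives in a KMS/HSM with
# documented key-management procedures (3.4, last bullet).
HASH_KEY = b"constructed-demo-key-not-for-production"


def _digits(pan: str) -> str:
    return "".join(ch for ch in pan if ch.isdigit())


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits."""
    d = _digits(pan)
    if len(d) < 13:
        raise ValueError("not a PAN-length digit string")
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """One-way keyed hash of the ENTIRE PAN. A key is used because the PAN
    space is small enough that an unkeyed hash can be brute-forced from the
    BIN and Luhn structure; never store this alongside the truncated form of
    the same PAN where the two can be correlated."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: a random token stands in for the PAN; the mapping (the
    'pad') stays only inside the vault, which must itself be protected."""
    def __init__(self):
        self._pad = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(16)
        self._pad[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pad[token]


def is_rendered_unreadable(value: str) -> bool:
    """True unless value is a raw PAN: 13-19 digits only, passing Luhn."""
    d = _digits(value)
    if len(d) != len(value) or not 13 <= len(d) <= 19:
        return True
    total = sum(int(c) if i % 2 == 0 else (2 * int(c) - 9 if int(c) > 4 else 2 * int(c))
                for i, c in enumerate(reversed(d)))
    return total % 10 != 0
```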
AndyMac has provided an excellent answer if you work with customer credit card data. If you handle customer data, but not credit card data, you can research the Service Organization Control (SOC 1, SOC 2) standards published by the AICPA for additional authoritative guidance. From the language of your post, you seem to be working in a service organization capacity so this guidance should be valuable to you.
One of the SOC 2 Trust Principles is Confidentiality defined as
Protecting data agreed upon with the customer as confidential from unauthorized access and disclosure.
Depending on the service offered by your company to customers, your company management would decide on which of the SOC 2 Trust Principles apply in a formal management representation letter. If confidentiality is one of the selected, your company management would have to implement controls that fulfill the criteria given with CC as presented in this document. As an example, the secure storage of customer data would be addressed by this confidentiality standard in CC 6.1:
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.
Therefore, while there may not be exact controls (and rightly so in my opinion) on how to protect customer data, there do exist standards on what needs to be met for data protection to be considered confidential. These SOC 2 standards have weight because the SOC 2 report issued to customers is required to be audited by independent auditors such as myself.