Sample Data Security Policy Template

Learn how PurpleSec’s experts can help protect your organization’s data against cyber attacks.

Author: Josh Allen / Last Updated: 5/20/22

Reviewed By: Michael Swanagan, CISSP, CISA, CISM & Rich Selvidge, CISSP

View Our: Editorial Process

Organizational security is increasingly important in today’s business environment.

We live in an increasingly digital age and businesses rely on data now more than ever.

SMEs and large enterprises are evolving towards increasingly data driven workflows, making data security both complex and critical to sustaining operations.

Recently, a sharp increase in work from home has extended the corporate network to include remote workers, presenting new cyber security challenges.

Failure to properly secure data can result in significant financial losses to an organization including operational downtime, loss of reputation, and can even include regulatory fines or class action lawsuits.

Organizations need to proactively protect their data from cyber-attacks by implementing security controls, but they also need to formalize and document those controls within a data security policy

Together, these high level data security policies and controls reduce the probability of a cybersecurity breach and ensure that business operations can be sustained indefinitely, even in the event of a security breach.

But before security policies and controls can be designed an effective data security strategy must be implemented to inventory and classify data according to sensitivity and criticality.

This process contextualizes data so that mitigating policies and controls can be designed relative to the risk that each type of data represents to operations.

Corporate data is stored and accessible across many locations and in many formats such as:

• Local file-shares and databases
• Cloud applications
• File-shares
• Databases
• Mail servers
• Mobile devices
• Web applications
• Third party applications

Each type comes with its own set of data security challenges that need to be considered when calculating relative risk.

What Is A Data Security Policy?

Data security policies are formal documents that describe an organization’s data security goals and specific data security controls an organization has decided to put in place.

Data security policies may include technical controls, administrative controls, and physical controls depending on the business model and specific threat being mitigated.

Examples of technical controls include using network security appliances to monitor for suspicious activity, installing anti-virus products on all endpoints, and using content-filtering proxies to monitor data entering and leaving the network (known as data-loss-prevention, or DLP).

Administrative controls such as acceptable-use policy define the allowed uses of corporate devices and networks and restrict uses that represent an unacceptable security risk, and physical controls can include deploying locks, surveillance cameras, and security guards to protect areas where sensitive data could be accessed.

The ultimate goal of the data security policy is to ensure that IT best practices are being used to protect all data assets, vulnerabilities can be identified and remediated in a timely manner, breaches can be quickly detected and remediated, reducing dwell time, and procedures are in place to enable fast and complete recovery from a security breach.

Data security policies need to consider the risk to data from three main perspectives, known as the CIA Triad:

• Confidentiality – Data cannot be accessed by unauthorized people or systems.
• Integrity – Data is not modified by unauthorized people or systems, system failure, or any other unwanted causes.
• Availability – Data is accessible when it is needed.

Data Policy As A Solution

An effective data security program includes policies and controls that reduce the risk of a security breach, and mitigate the negative impact that a security breach has on business operations.

The first step is to conduct a thorough security risk assessment to identify critical systems and datasets.

This risk assessment is then used to shape appropriate policy that addresses each data asset’s unique risk by combining IT security best practices with updated threat intelligence.

A data security program should include a vulnerability management program to identify and remediate vulnerabilities for identified assets, continuous monitoring for indicators of compromise (IOCs), and response plans for taking action when IOCs are detected.

Threats to data are typically considered from the perspective of the CIA Triad and a comprehensive data security policy should protect data from each of the CIA Triad perspectives.

Let’s take a look at the elements of a solid data security policy.

Why You Need A Policy For Data Security

Data plays a key role in business operations and needs to be protected with a comprehensive and organized set of security controls and procedures.

The main reason for a data security policy is to set guidelines for:

• Data Inventory Management
• Data Classification
• Data At Rest
• Data In Transit
• GDPR

The potential consequences of failing to properly protect data are high. IBM Security’s 2021 Cost of a Data Breach Report estimates an average cost of $4.24 million USD per incident.

A data breach can lead to proprietary business information being leaked to competitors, customer data being exposed in a way that results in regulatory fines or loss of brand reputation, or ransomware could outright destroy or render data temporarily inaccessible with a high cost for getting it back.

Formally documenting the security controls used to protect data, is a demanding task in itself.

Without an organized systematic approach to data security, it is impossible to make a reliable assessment of the risk landscape that an organization faces every day.

Data Inventory Management

The first process in developing data security policies is to inventory and classify all of the data your organization handles.

This is a complex task and can quickly become overwhelming for an IT team.

Software tools exist that can help reduce the burden of managing a data inventory and enhance capabilities such as helping to organize risk and keep track of security controls applied to each set of data.

Data Classification

Classification of data is a critical step towards the goal of addressing risk appropriately.

Data classification is the process of labeling data with a sensitivity level, criticality level, and according to its value.

Data classification helps an organization to identify the relative risk for each dataset in the data inventory.

These relative risk scores provide context that will guide the design of policies and controls that will effectively mitigate risk appropriately.

The point is that not all data requires the same level of security and it is better to apply resources contextually according to risk.

Data At Rest

The term “data-at-rest” refers to data that is being stored.

This could be data stored in local network file shares, workstation endpoints, and removable drives, on cloud-based systems or production servers that host web applications, databases, files, backup images, and even off-site locations where long-term physical backups are stored.

A proper data security policy helps ensure that all forms of data-at-rest are protected with appropriate controls.

These controls typically include protecting the data from unauthorized access by implementing strong access controls, ensuring that the data’s integrity is protected by keeping regular backups, and ensuring that data systems are available when it needs to be accessed.

Data In Transit

“Data-in-transit” (sometimes referred to as “data-in-motion”) refers to data that is being transferred from one system or location to another.

This usually refers to data passing over private networks or the public internet and includes data that is passing over any medium such as Ethernet, WiFi 802.11, and other wireless frequencies such as 5G, Bluetooth, NFC, and others.

Data in transit primarily represents a potential threat to confidentiality (the data could be “sniffed” by an unauthorized user during transmission) and to integrity (the data could be modified by an attacker in transit), although availability should also be considered (the network appliances could be saturated with traffic and fail to deliver data).

A proper data security policy will ensure that data is protected from unauthorized access and modification by applying strong encryption for data traveling between endpoints.

Data Protection Policy For GDPR

Implemented in 2018, GDPR enforces data handling requirements for organizations that do business in the EU.

According to GDPR organizations must apply special protections to any data that qualifies as personally identifiable information (PII).

PII refers to any data or combination of data that can be used to uniquely identify an individual.

This includes, (but is not limited to):

• Names
• Addresses
• Registration numbers such as driver’s license number or government ID
• Financial data

This data can be found in a number of forms such as databases, invoices, CRM and accounting applications, images, and email. Non-compliance could result in hefty fines and penalties.

What Should a Data Security Policy Include?

Data security policy should be customized to support each organization’s specific business operations and strategy, meaning which policies and controls to include depends on an assessment.

At a minimum a data security policy should cover:

• Network Security
• Workstation Security
• Password Security
• Acceptable Use Policy
• Encryption
• Email
• Remote Access
• Data Retention
• Data Backup
• Mobile Device Data

All data security policy programs should begin with a risk assessment that includes building an asset inventory and calculating relative risk scores for all assets.

After the risk assessment, an organization can choose from many general cyber security frameworks such as:

• NIST Cybersecurity Framework (CSF)
• ISO 27001
• COBIT-5
• CISA Cyber Resilience Review (CRR)
• CERT Resilience Management Model (CERT-RMM)

Or, cyber security advisories that apply to the specific asset type being secured such as “NIST SP 800-210 General Access Control Guidance for Cloud Systems” for cloud-based resources or “NIST SP 800-45 Guidelines on Electronic Mail Security” for securing email servers and client applications.

Although there are many templates to choose from, care should be taken to select a framework that is closely aligned to the business model that is being protected.

In addition, each region that a business operates in may have specific regulations and requirements which need to be taken into consideration when designing a data protection policy.

Network Security

Network security controls protect your network and thus the data it contains from breaches that could lead to data exfiltration, data destruction, or both.

A network needs to be designed with security in mind including consideration for physical and logical segmentation, installation of security devices such as firewalls, and monitoring and logging solutions.

A network also needs to be hardened with secure configuration of devices and monitored for changes to configuration.

For large enterprises, security products such as Security Orchestration And Response (SOAR) and Extended Detection and Response (XDR) solutions provide extended security capabilities that utilize network telemetry data to identify and alert to suspicious activity.

The ultimate goal of managing your network security is to design and implement a network that is able to prevent attackers from gaining access to sensitive data, monitor for indicators of compromise (IOC), and alert security teams with relevant information when suspicious activity is detected.

Workstation Security

Workstation endpoints are critical to security because they can both host sensitive data and potentially provide access to data hosted remotely.

A compromised workstation could have data stolen and sent back to an attacker, have ransomware executed on it, causing data to be destroyed, inaccessible, or held hostage until payment is made to the attacker, be used to pivot to a local or cloud server that hosts sensitive data, or simply have a system failure that results in a failed hard-drive.

For these reasons, it’s essential to consider workstation security by enforcing IT security best practices.

Some examples of security controls that should be applied to workstation endpoints include:

• Configuring the user accounts with least privileges
• Requiring passwords with an effective amount of entropy
• Installing and maintaining updated endpoint security products (anti-virus) to detect and prevent malicious execution of malware

Password Security

Passwords are important to many aspects of IT security. They are the front line of protection for accounts and systems that hold sensitive data.

A compromised password could result in the exploitation of an entire corporate network so it is important to follow password security best practices, and supplement password based authentication with multi-factor authentication whenever possible.

Keyspace refers to the minimum possible number of combinations that a password policy enforces.

Enforcing minimum keyspace ensures that users select strong passwords, making them more difficult to brute-force or crack.

After enforcing the use of strong passwords, passwords must be stored with a strong hashing algorithm such as bcrypt that increases the burden of password cracking by adding a salt (nonce) to each stored password.

Acceptable Use Policy

Employees are critical to an organization’s security posture. You might create a strong data security policy, but if end-users do not know about their responsibilities, the policy is of little use.

Acceptable use policy outlines how enterprise assets are to be used and also clearly outlines restrictions to their use.

Examples of those restrictions include which applications may or may not be installed on particular devices, or which websites or types of activities may be performed on devices within the corporate network.

Of course, policies are only words and monitoring should be used to ensure that policies are being followed.

Encryption

Sensitive data needs to be encrypted to protect it from unauthorized access. This includes both data-at-rest and data-in-transit.

A proper data security policy should define the methods of encryption (algorithms and bit strengths) that are recommended by industry advisors for providing an appropriately strong level of encryption.

Some examples of encryption include SSL/TLS certificates that authenticate the identity of web-servers or other cloud-based resources, full-disk encryption that can be used to secure device hard-drives, removable drives, or mobile devices, and password hashing that is used to prevent storing plaintext passwords.

Email

For most companies, email data holds critical business secrets and customer information, making it a critical form of data to protect.

There are some critical ways that email data needs to be secured. Email is only as secure as the password and authentication that protects it, so strong password, and MFA should be enforced.

In addition, SSL/TLS should be used for all connections to email servers and only secure versions of SMTP, IMAP, or POP protocols should be used.

Finally, if your company is using its own mail server instead of a managed email provider, the server should be segmented from other servers, access should be protected with best practices including strong authentication mechanisms least privilege.

Remote Access

Digital transformation has increased the use of cloud-based resources and data and applications are often accessible remotely.

For public cloud services, VPN, and remote desktop connections (RDP) this means the service’s IP address is publicly accessible to attacks.

Therefore special consideration should be made for security controls.

For example, updates should be applied regularly, especially if they include security patches, vulnerability scanning and penetration testing can be done periodically to ensure proper configuration and implementation, and if the cloud resource is managed by a 3rd party vendor, you should evaluate your level of trust for the vendor since you are trusting them with protecting your data.

Data Retention

Data retention usually refers to the obligations that an organization must meet in order to satisfy legal and business data archival requirements.

For example, publicly traded companies must retain financial data for up to X days, months, or years.

However, data retention policies may refer to operational policies that an organization implements to ensure that critical backups are stored for a sufficiently long time and disposed of properly.

Contrastingly, GDPR enforces a “right to be forgotten“, which is the right to have private personal information removed from internet searches and company databases, in which case a company must ensure that data is not retained.

Data Backup

Although strong proactive security controls can reduce the probability of a successful cyber-attack, security posture should also be reactive.

That is security controls should also be prepared to remediate the damage done by a successful cyber attack.

Backups are perhaps the most important tool for remediating a cyber attack, but may also prove critically useful in cases of system failure or user error.

The 321 backup strategy is perhaps the oldest advice for backups and dictates that 3 copies of all data should exist including the production copy in use and at least two backups, 2 different formats should be used, and 1 copy should be stored off-site.

Mobile Device Data

In order to consider data security policy for mobile devices, we should again consider data at rest and data in transit.

Since mobile devices can be easily stolen, full-drive encryption should be considered essential for any mobile device that will hold sensitive data.

It’s also worth considering a good mobile backup solution.

With respect to data in transit, it is essential that mobile users not use unencrypted connections to WiFi access points, and even encrypted public WiFi access should only be used if absolutely necessary.

Furthermore, WiFi networks used by guests should be segmented from internal network resources and configured to prevent forwarding network data that could reveal information about devices on the internal network such as network management broadcast packets.

How To Design and Implement an Effective Data Security Policy

Designing and implementing an effective data security policy requires a process that includes several general steps, although the process will be different for each organization.

Those steps can be summarized as follows:

1. Build a comprehensive asset inventory.
2. Identify all datasets and classify its relative risk for exposure sensitivity and operational criticality.
3. Use relative risk scores to design appropriate data security policies.
4. Design security controls for each dataset that are appropriate and comprehensive with respect to the underlying infrastructure.
5. Test the security controls for effectiveness.
6. Document the process including any lessons learned.
7. Maintain, monitor and update the data security controls as needed.

The process should include consulting with trusted industry standards that define IT security best practices with respect to the data sensitivity, operational criticality and the underlying infrastructure that the data resides.

It’s important to note that the controls used to implement the policies are routinely tested for effectiveness and continuously monitored.

In addition, if changes are made to business operations or infrastructure, the data security policy should be reevaluated and updated as required.

Wrapping Up

A good data security policy program should be designed with consideration for an organization’s specific assets, and configuration of infrastructure.

The ultimate goal is to implement proactive security controls so that data is well protected, and also have reactive security controls that can mitigate the damage done when a security breach happens.

After creating a comprehensive data inventory and calculating the relative risk for each type of data, industry standard security frameworks can be used to design policies and controls that apply industry best practices.

While not easy, the endeavor of designing, implementing, and maintaining a good data security policy is far more desirable than experiencing catastrophic losses that are commonly attributed to ransomware attacks, or other types of cyber attacks.