Implement Data Protection

(Back)

Objective

Safeguard information and assets hosted in cloud, from unauthorized access, use, disclosure, modification, disposal, transmission, or destruction throughout their life cycle.

Key Considerations

• Seek guidance from privacy and access to information officials within institutions before storing personal information in cloud-based environments.
• Verify location of service, in accordance with Section 4.4.1.10 of the Directive on Service and Digital
• Ensure data in transit is encrypted by default (e.g. TLS v1.2, etc.).
• Leverage encryption mechanisms to protect the confidentiality and integrity of data hosted in the cloud service.
• Use CSE-approved cryptographic algorithms and protocols, in accordance with 40.111 and 40.062.
• Enable cloud service level Data Loss Prevention (DLP) policies to allow Exchange Online and SharePoint Online content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.
• Configure data classification policies to protect internal documents and emails
• Ensure expiration time for external sharing links is set
• Ensure that external users cannot share files, folders, and sites they do not own
• Ensure external file sharing in Teams is enabled for only approved cloud storage services

Additional Considerations

• Control document sharing by domains with allow list or deny list
• Explore Office 365 Advanced Data Governance for data governance, retention, and expiration (additional licensing required)
• Explore the use of automated DLP with Azure Information Protection for greater consistency and security beyond manual user assignment (additional licensing required)
• Investigate establishment of policies with Information Barriers (IB) to prevent individuals or groups from communicating with each other (additional licensing required)
• Investigate the use of Compliance Boundaries to create logical boundaries that control the user content locations (such as mailboxes, SharePoint sites, and OneDrive accounts) and support eDiscovery.

Validation

• TBD

References

1. Directive on Security Management - Appendix B: Mandatory Procedures for Information Technology Security Control, subsections B.2.3.4
2. SPIN 2017-01, subsection 6.2.4
3. Refer to the cryptography guidance in 40.111 and 40.062.
4. Refer to the guidance in Considerations for Cryptography in Commercial Cloud Services.
5. Refer to Section 4.4.1.10 of the Directive on Service and Digital
6. Related security controls: SC‑8, SC‑8(1), SC‑12, SC‑13, SC‑17, SC‑28, SC‑28(1)