QW: Develop and implement a "Data Protection Strategy" that defines procedural and technical mechanisms for protecting data at rest, data in use, and data in transit. Specific computer systems and networks housing sensitive data should be inventoried. To the extent possible, applications and systems should be designed to store data on protected servers rather than on workstation or laptop machines.
Vis/Attrib: Network monitoring tools should analyze outbound traffic looking for a variety of anomalies, including large file transfers, long-time persistent connections, unusual protocols and ports in use, and possibly the presence of certain keywords in the data traversing the network perimeter. More sophisticated analyses of network traffic, such as transfer ratios at the workstation level, should be used once government-wide analysis uncovers effective parameters for such analyses. Furthermore, network monitoring tools must have the ability to do immediate network forensics to confirm the nature of the anomalies and to serve as a tuning mechanism to refine anomaly tools.
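As an added example (not part of the control text, and not any vendor's monitoring product), the following Python applies the four outbound-traffic checks this item names to a handful of constructed flow records: large transfers, long-lived connections, unusual protocol/port pairs, and a per-workstation out/in transfer ratio. The thresholds and the "expected services" list are assumptions a site would tune from its own baseline, and the IP addresses are documentation-range placeholders.

```python
"""Flag anomalous outbound flows (added example; thresholds are assumptions)."""
from collections import defaultdict

# Constructed sample flow records, as a perimeter flow collector might export:
# (src_workstation, dst, dst_port, proto, bytes_out, bytes_in, duration_seconds)
SAMPLE_FLOWS = [
    ("10.0.1.10", "203.0.113.5", 443, "tcp", 180_000, 900_000, 12),       # normal browsing
    ("10.0.1.10", "203.0.113.7", 443, "tcp", 3_500_000_000, 40_000, 600), # 3.5 GB uploaded
    ("10.0.1.11", "198.51.100.9", 6667, "tcp", 12_000, 9_000, 30_000),    # ~8 h on an odd port
    ("10.0.1.12", "198.51.100.20", 53, "udp", 2_000, 4_000, 1),           # ordinary DNS
    ("10.0.1.13", "192.0.2.44", 5555, "tcp", 20_000_000, 1_000, 90),      # one-way push, odd port
]

# Illustrative thresholds (assumptions): tune these from a site-specific baseline.
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024      # a single flow sending >= 500 MiB
LONG_CONNECTION_SECONDS = 8 * 3600            # a connection persisting >= 8 hours
EXPECTED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25), ("tcp", 22)}
MIN_RATIO_VOLUME = 10 * 1024 * 1024           # only judge the ratio once a host has sent 10 MiB
OUT_IN_RATIO_THRESHOLD = 10.0                 # sending 10x what it receives is suspicious


def flow_anomalies(flow):
    """Return the per-flow anomaly labels that apply to one flow record."""
    _src, _dst, port, proto, bytes_out, _bytes_in, duration = flow
    reasons = []
    if bytes_out >= LARGE_TRANSFER_BYTES:
        reasons.append("large_transfer")
    if duration >= LONG_CONNECTION_SECONDS:
        reasons.append("long_connection")
    if (proto, port) not in EXPECTED_SERVICES:
        reasons.append("unusual_service")
    return reasons


def workstation_ratios(flows):
    """Aggregate bytes per source workstation and return out/in ratios for
    hosts that have sent enough data for the ratio to be meaningful."""
    totals = defaultdict(lambda: [0, 0])
    for src, _dst, _port, _proto, bytes_out, bytes_in, _dur in flows:
        totals[src][0] += bytes_out
        totals[src][1] += bytes_in
    return {
        src: out_b / max(in_b, 1)
        for src, (out_b, in_b) in totals.items()
        if out_b >= MIN_RATIO_VOLUME
    }


def analyze(flows):
    """Map each source workstation to the sorted set of anomaly labels found;
    hosts with no findings are omitted so the result is directly alertable."""
    findings = defaultdict(set)
    for flow in flows:
        for reason in flow_anomalies(flow):
            findings[flow[0]].add(reason)
    for src, ratio in workstation_ratios(flows).items():
        if ratio >= OUT_IN_RATIO_THRESHOLD:
            findings[src].add("high_out_in_ratio")
    return {src: sorted(reasons) for src, reasons in findings.items()}


if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_FLOWS).items():
        print(f"{host}: {', '.join(reasons)}")
```

Each finding keeps the reason that produced it, so the analyst doing the immediate follow-up forensics the control asks for can see which rule fired and feed false positives back into the thresholds.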
Config/Hygiene: Data should be moved between networks using secure, authenticated, encrypted mechanisms.
Config/Hygiene: Data stored on removable, easily transported storage media, such as USB tokens (i.e., “thumb drives”), USB portable hard drives, and CDs/DVDs, should be encrypted. Systems should be configured so that all data written to such media is automatically encrypted without user intervention.
Advanced: Deploy an automated tool on network perimeters that monitors for certain keywords and other document characteristics in an automated fashion to determine attempts to exfiltrate data in an unauthorized fashion across network boundaries and block such transfers while alerting information security personnel.
Advanced: Configure systems so that they will not write data to USB tokens or USB hard drives.
Advanced: Do not use account login names in users' email addresses.
Procedures and tools for implementing this control:
Periodically, such as once per quarter, information security personnel should run a script that purposely tries to trigger the data leak protection functionality deployed at network perimeters by sending innocuous data with characteristics (such as certain key words, file size, or source address) to a test system located just outside the data leakage protection device and the firewall. These personnel should ensure that the attempted transfer was detected and an alert was generated, and should also
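The "Advanced" keyword-monitoring item and the periodic self-test procedure above describe two halves of one mechanism, so a single added example (not from the guidelines and not any DLP vendor's code) shows both in Python: a minimal perimeter content inspector that blocks and alerts on marker phrases, document size, or a watched source subnet, and a quarterly self-test that sends innocuous data carrying each trigger characteristic to a test host and confirms that an alert was generated. The marker patterns, size threshold, watched subnet and test-host address are hypothetical placeholders.

```python
"""Minimal perimeter DLP inspector plus the periodic self-test that exercises it
(added example; all patterns, thresholds and addresses are assumptions)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical document characteristics the perimeter device watches for.
MARKER_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"\bTOP SECRET\b", r"\bFOR OFFICIAL USE ONLY\b", r"\bSSN:\s*\d{3}-\d{2}-\d{4}\b")
]
LARGE_DOCUMENT_BYTES = 1024 * 1024               # assumption: >= 1 MiB outbound document
WATCHED_SOURCES = [ip_network("10.0.5.0/24")]    # assumption: subnet holding sensitive servers


@dataclass
class Transfer:
    src: str
    dst: str
    payload: bytes


@dataclass
class Verdict:
    blocked: bool
    reasons: list


class Inspector:
    """Stand-in for the inspection logic of a perimeter data-leak-protection device."""

    def __init__(self):
        self.alerts = []   # (src, dst, reasons) records handed to security personnel

    def inspect(self, transfer):
        reasons = []
        text = transfer.payload.decode("utf-8", errors="replace")
        for pattern in MARKER_PATTERNS:
            if pattern.search(text):
                reasons.append(f"marker:{pattern.pattern}")
        if len(transfer.payload) >= LARGE_DOCUMENT_BYTES:
            reasons.append("large_document")
        if any(ip_address(transfer.src) in net for net in WATCHED_SOURCES):
            reasons.append("watched_source")
        blocked = bool(reasons)
        if blocked:
            self.alerts.append((transfer.src, transfer.dst, reasons))
        return Verdict(blocked, reasons)


def quarterly_self_test(inspector, test_host="192.0.2.200"):
    """Send innocuous data carrying each trigger characteristic (keyword, size,
    source address) toward the test host just outside the perimeter and report,
    per case, whether the transfer was blocked AND exactly one alert was raised."""
    cases = {
        "keyword": Transfer("10.0.1.50", test_host,
                            b"DLP self-test: this text is marked TOP SECRET for testing only."),
        "size": Transfer("10.0.1.50", test_host, b"A" * LARGE_DOCUMENT_BYTES),
        "source": Transfer("10.0.5.17", test_host, b"DLP self-test sent from the watched subnet."),
    }
    results = {}
    for name, transfer in cases.items():
        alerts_before = len(inspector.alerts)
        verdict = inspector.inspect(transfer)
        results[name] = verdict.blocked and len(inspector.alerts) == alerts_before + 1
    return results


if __name__ == "__main__":
    dlp = Inspector()
    for case, passed in quarterly_self_test(dlp).items():
        print(f"{case}: {'detected and alerted' if passed else 'MISSED'}")
```

Running the self-test against the real device rather than this stand-in is the point of the procedure: a case that comes back `MISSED` means either the detection rule or the alerting path has silently broken since the last quarter.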