Skip to main content

Secure Public Sector Data

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe how to safeguard high value assets in the cloud.
  • Explain how to securely handle public sector data in the cloud.
  • Identify media protections for public sector data in the cloud.
  • List best practices for data backup and storage in the cloud.

Now that we’ve talked about access control and encryption, let’s continue by discussing data handling controls for protecting public sector data in the cloud.

High-Value Assets

High-value assets (HVAs)—that sounds important, doesn’t it? That’s because it is! An HVA is information or an information system that is so critical to an organization that the loss or corruption of this information or loss of access to the system results in a serious impact on the organization’s ability to perform its mission or conduct business. It’s no surprise then that it’s essential to have special controls in place to protect these types of assets, especially when hosted in the cloud. These controls should be outlined in your organization’s data classification standard. The last thing you want is for a cybercriminal to gain unauthorized access to high value asset data, including public sector information!

To identify and protect high-value assets, start with a business impact analysis (BIA), which predicts the consequences of disruption of a business function and gathers information needed to develop recovery strategies. During the BIA, identify potential loss scenarios and associated costs from a compromise of the confidentiality, integrity, or availability (CIA) of mission critical data. Also identify recommendations for recovery. Depending upon the data contained in the HVA, it may be necessary to conduct other reviews, such as a Privacy Impact Assessment.

Because of the importance of safeguarding HVAs, only allow as small as necessary a subset of your organization’s employees access to them. Have policies and procedures in place for managing HVAs, and cover protections while the data is stored in your systems and when it’s shared externally.

Secure Data Handling

To make sure you handle public sector data in a way that complies with your organization’s requirements, always keep sensitive data in controlled, approved, and secure cloud environments with backup capabilities. Production servers provide greater security than your laptop, for example. Here are some additional steps you can take to keep public sector data secure.

  • Avoid accessing public sector data unless it’s required for your job.
  • Only access the data from an authorized or approved device issued by your organization.
  • Avoid downloading data to your computer, unless required for your job.
  • Do not export any information from a cloud environment whose disclosure can impact the CIA of the environment.
  • Do not use an external email account to send information.
  • Use only approved third-party storage sites.
  • Limit printing of data to only what’s necessary for your job, and keep your desk clean of sensitive data when stepping away or leaving for the day.
  • Encrypt and back up data to mitigate risk if data is lost or stolen.
  • Do not store information on Universal Serial Buses (USBs) or external hard drives.

You may be wondering what type of information disclosure can impact the CIA of your environment. This can include, for example, if a medical provider at the Department of Veterans Affairs exports patient data from the cloud system hosting that data, and emails it to the wrong patient. In determining potential impact, it’s key you consider the quantity of sensitive data. For example, breaches of 25 records of personally identifiable information (PII) and 25 million records may have different impacts. 

Also evaluate the sensitivity of the data fields when combined. Aggregating different data sets can increase the potential impact to the information if disclosed improperly. For this reason, it’s best to de-identify information where possible by removing account numbers, names, and other identifiable information when aggregating information. 

A USB crossed out

Media Protection

Whether at a cloud service provider (CSP) or a public sector organization, a limited number of employees need access to media that contains public sector data. It’s imperative that your organization maintains a media protection policy that describes how to properly handle backup tapes and other digital media like portable hard drives and USBs. In the policy, address media marking, storage, transport, sanitization, disposal, and use. If you’re in a position with access to media containing public sector data, it’s critical to review your organization’s policies and familiarize yourself with these processes.

Data Backup and Storage

In addition to identifying your mission critical data, it’s crucial that your organization backs up this data to maintain accessibility to pertinent information. Per your organization’s information security standards, back up public sector data in the cloud at a frequency consistent with recovery time and recovery point objectives. Define these objectives in your BIA. Define specific guidelines pertaining to these objectives by the regulations and standards applicable to your organization’s jurisdiction.

  • The recovery time objective (RTO) documents the amount of time an organization has to restore its processes to an acceptable service level after a disruption to avoid intolerable consequences associated with the disruption.
  • The recovery point objective (RPO) documents how fresh the recovered data must be.

Protect backup information and media at all storage locations, whether in the cloud or at an off-site storage facility. Sanitize, destroy, or both, data that’s no longer required in line with your organization’s data retention policy or standard. Define specific guidelines pertaining to data sanitization by the regulations and standards applicable to your organization's jurisdiction. Consider using a combination of online and offline backups for further recovery options.

The Bottom Line

You are the strongest link in your organization’s security efforts. You now have the knowledge to protect and safeguard your organization and customers. As someone who deals with public sector data in the cloud, you’re entrusted with very sensitive data. It’s up to you to be compliant and vigilant in your efforts to stay secure. Don’t forget, if you see something, say something by contacting your organization’s security team. Interested in learning more about cybersecurity careers and technologies? Head over to the Cybersecurity Learning Hub to explore other topics and hear from real security practitioners.

Resources

Share your Trailhead feedback over on Salesforce Help.

We'd love to hear about your experience with Trailhead - you can now access the new feedback form anytime from the Salesforce Help site.

Learn More Continue to Share Feedback