The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.
Points of focus:
- Restricts the Ability to Perform Transmission
- Uses Encryption Technologies or Secure Communication Channels to Protect Data
- Protects Removal Media
- Protects Mobile Devices
The organisation's data can only be processed on a predefined, trusted network, or by using a VPN service defined by the organisation.
For example, a coffee shop's Wi-Fi network is often either completely unencrypted or the password is easily accessible to everyone. In this case, the information sent online is vulnerable to spyware. A VPN connection encrypts information regardless of network settings.
Laptops are protected by full-disk encryption.
Procedures have been established for the theft or loss of mobile devices.
The user may be required to e.g.:
The organizational process in the event of a device loss may include, for example, remotely wiping the device (at least the organization's data on it).
The organization has defined procedures for the safe disposal of laptops that are no longer required.
The security policies defined in the mobile device management system aim to protect the organization’s data. For example, to reduce the risk of losing devices, you can specify that the device be locked after 5 minutes of inactivity or that the device be completely wiped after 3 failed login attempts.
It may make sense to test new policies first with a small group of users. Policies also require oversight. You can initially configure a policy so that it informs the administrator of settings that violate the policy, but does not completely block access.
Mobile Device Management (MDM) helps secure and manage staff mobile devices, whether they are iPhones, iPads, Android devices, or Windows devices. For example, a Microsoft 365 subscription includes the basics of mobile device management.
A mobile device management system can be used, for example, to configure device security policies, wipe devices remotely and get accurate device usage reporting.
Information included in application services transmitted over public networks must be protected against fraudulent and non-contractual activity and against unauthorized disclosure and alteration.
We use strong encryption and security protocols (e.g. TLS, IPsec, SSH) to protect confidential information when it is transmitted over public networks in connection with the IT services we develop.
Storing confidential information on removable media should be avoided. When removable media is used to transfer confidential information, appropriate security is used (e.g., full disk encryption with pre-boot authentication).
Unnecessary media should be disposed of in a safe, industry-accepted manner (such as by incineration, shredding or wiping) in accordance with formal procedures. Media that requires safe disposal must be clearly marked.
Data destroyed in accordance with the process should not be recoverable, even by forensic means.
When removable media is an important part of an organisation's operations, more specific rules have been defined for securing removable media and the information they contain.
When information is sent, for example, by postal, courier or transport services, paper documents or data media may be exposed to unauthorized use, misuse or distortion during transport.
To ensure safe transportation, the organization has defined procedures for: