[ISM] API logging and auditing:

Web API calls that facilitate modification of data, or access to data not authorised for release into the public domain, are centrally logged.

[OWASP] Enforce data protection throughout its lifecycle (SSS-02-18-01)

Ensure sensitive data is protected across its lifecycle by enforcing Confidentiality, Integrity, and Availability (CIA) principles. For example:

- Encrypt data at rest and in transit using industry-standard encryption (e.g., AES-256, TLS 1.2+) to prevent unauthorized access and disclosure.
- Implement integrity checks to detect and prevent unauthorized modifications or deletions of sensitive data.
- Ensure availability by securing data backups, implementing redundancy, and mitigating risks such as denial-of-service (DoS) attacks.
- Assume that user devices may be compromised, and apply additional encryption and security controls when transmitting or storing data on potentially untrusted endpoints.
- Continuously audit and monitor data protection measures to maintain compliance with security best practices and regulatory requirements.

[SAMM] Enforce data security policies (SSS-02-18-01-01)

Identify and understand the types and sensitivity of data stored and processed by applications, ensuring that basic data protection measures are in place. Protect all data associated with an application based on the requirements of the most sensitive data it stores or processes. Prohibit propagation of unsanitized sensitive production data to lower (non-production) environments, focusing data protection policies on production environments. Implement security controls like encryption, backups, and controlled data sharing to prevent unauthorized access and mitigate risks.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-18-01-01-01 | Identify and Classify Data Elements | Identify all data elements processed and stored by the application. Classify these data elements based on their type and sensitivity level to ensure appropriate handling. | Preparation | Data Governance, Security Engineers
SSS-02-18-01-01-02 | Implement Controls to Protect Sensitive Data | Implement necessary controls to protect the most sensitive data, ensuring that data is handled according to its protection requirements. | Development | Security Engineers, IT Operations
SSS-02-18-01-01-03 | Prevent Propagation of Sensitive Data to Lower Environments | Implement controls to prevent the propagation of unsanitized sensitive data from production environments to lower (non-production) environments. This reduces the risk of exposing sensitive data during testing or development. | Development | DevOps Teams, Security Engineers
SSS-02-18-01-01-04 | Monitor Data Handling and Fate | Maintain awareness of how sensitive data is processed and handled, ensuring it is not inadvertently shared with external partners or improperly stored in backups or lower environments. | Post-deployment | IT Operations, Security Engineers
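As an added illustration of the ISM logging control and the classification step above (example code written for this page, not taken from ISM, OWASP or SAMM; the resource prefixes and sensitivity labels are constructed), this Python module decides which API calls are in scope for central logging and hash-chains the stored records so that later alteration of the log is detectable:

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed classification map (resource prefix -> label); unlisted paths default to "restricted".
CLASSIFICATION = {"/api/public/": "public", "/api/orders/": "internal", "/api/patients/": "restricted"}
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def classify(path):
    """Return the sensitivity label for a resource path (unknown paths are treated as restricted)."""
    for prefix, label in CLASSIFICATION.items():
        if path.startswith(prefix):
            return label
    return "restricted"

def must_audit(method, path):
    """ISM rule: log calls that modify data or read data not approved for public release."""
    return method.upper() in MUTATING_METHODS or classify(path) != "public"

class CentralAuditLog:
    """Stand-in for a central log sink; each record is hash-chained to the previous one."""
    def __init__(self):
        self.records = []
        self._prev_hash = "0" * 64

    def record(self, actor, method, path, status, when=None):
        """Append an audit record if the call is in scope; return it, or None if not logged."""
        if not must_audit(method, path):
            return None
        entry = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor, "method": method.upper(), "resource": path,
            "classification": classify(path), "status": status, "prev": self._prev_hash,
        }
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_hash = entry["hash"]
        self.records.append(entry)
        return entry

    def verify(self):
        """Recompute the chain; False if any record was altered, removed or reordered."""
        prev = "0" * 64
        for e in self.records:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

In a real deployment the records would be shipped to the central log platform rather than held in memory, and the chain head would be anchored (e.g. signed or stored separately) so the verifier does not trust the log store for its own integrity.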

References

Industry framework | Academic work | Real-world case
Information Security Manual (ISM-1910) | |
OWASP Application Security Verification Standard | |
OWASP SAMM: Software Assurance Maturity Model (OM-1-A) | |