
B3. Data security

Created:  28 Jan 2018
Updated:  30 Apr 2018

Principle

Data stored or transmitted electronically is protected from actions such as unauthorised access, modification, or deletion that may cause disruption to essential services. Such protection extends to the means by which authorised users, devices and systems access critical data necessary for the delivery of essential services. It also covers information that would assist an attacker, such as design details of networks and information systems.

Description

The protection in place for data that supports the delivery of essential services must be matched to the risks associated with that data.

As a minimum, unauthorised access to sensitive information should be prevented (protecting data confidentiality). This may mean, for example, protecting data stored on mobile devices which could be lost or stolen.

Data protection may also need to include measures such as the sanitisation of data storage devices and/or media before sending for maintenance or disposal.

Protect data in accordance with the risks to essential services posed by compromises of data integrity and/or availability. In addition to effective data access control measures, other relevant security measures might include maintaining up-to-date, isolated (e.g. offline) back-up copies of data, combined with the ability to detect data integrity failures where necessary. Software and/or hardware used to access critical data may also require protection.  

It is important to ensure that data supporting the delivery of essential services is protected in transit. This could be by physically protecting the network infrastructure, or using cryptographic means to ensure data is not inappropriately viewed or interfered with. Duplicating network infrastructure to prevent data flows being easily blocked provides data availability.

Some types of information managed by an OES would, if acquired by an attacker, significantly assist in the planning and execution of a disruptive attack. Such information could be, for example, detailed network and system designs, security measures, or certain staff details. These should be identified and appropriately protected.  

(Note: data supporting the delivery of essential services must be identified in accordance with Principle A3 Asset Management. Important data to protect may include operational data, network traffic and configurations, as well as data that could provide an insight or advantage to an attacker, such as network and information system designs.)

Guidance

Design to protect data

Networks and information systems should be designed to protect important data, for example:

  • protecting the confidentiality of sensitive data by minimising the number of copies of data and the detail they include, and by retaining operationally sensitive data (including design documentation) on segregated systems
  • removing functionality that could allow greater access than has been authorised
  • protecting the integrity of data essential to the operation of the service by providing a read-only copy (e.g. through a DMZ) for non-essential business system consumption
  • only deploying well-tested cryptographic suites in common use by your chosen software stack
  • protecting availability through resilience measures such as multiple network paths and tested automatic backup systems
  • considering suitable means to retain access to essential information in the event of an incident, for example network diagrams needed for restoration, safety-critical information or essential forecasting data

Consider applying the NCSC principles of protecting bulk personal data to data supporting the delivery of essential services.

Protecting data in transit

Data in transit may be at risk of attacks such as interception, traffic replay, manipulation or jamming. VPNs are one of the most common and effective cryptographic methods used to assure the confidentiality and integrity of data transmitted over an untrusted network, for example for remote access or between two sites.

TLS is often used to protect external data connections such as web browser traffic, and IPsec is a well-known encryption technology for individual communication links. Where cryptography is deployed to protect communication links, you should protect cryptographic material such as certificates and keys from external or unauthorised access.

Alternative communications links or network paths are recommended for critical data paths.

For cloud services, see our guidance on protecting data in transit.

Protecting data at rest

Wherever data is stored, even temporarily, it may be vulnerable to unauthorised access, tampering or deletion.

You should identify where data supporting the delivery of essential services is stored, including:

  • in exports from core operational systems to other business systems
  • on mobile devices
  • on removable media
  • in temporary caches
  • in systems used for remote access.

You should reduce these unauthorised access, tampering and deletion risks to stored data by limiting the quantity and detail of data held to the minimum necessary for business purposes, especially on devices and media that are more vulnerable to unauthorised access or that could be stolen. 

Where dedicated systems and removable media are used, the storage devices can be hardware or software encrypted. You should take suitable measures to physically protect devices and media containing data supporting the delivery of essential services.

Backups remain an essential part of resilience measures and should be appropriately secured.

For cloud services, refer to NCSC cloud security principle 2 on asset protection and resilience.

Protecting data on mobile devices 

Mobile devices may be used by the operator of essential services, a partner or third-party supplier. Whether owned and managed by the operator or not, these devices are likely to contain business data. Potentially, data important to the delivery of the essential service could be on these devices.

Well-configured and managed business-owned devices are preferred to personal or external-organisation equipment; refer to the NCSC End User Device Security Collection for security principles and platform-specific guidance.

It may be possible to gain sufficient assurance that a partner or supplier applies security controls to the same rigour (or better).

In addition to good mobile device management, ensure that mobile devices accessing data supporting service delivery are well monitored.

Secure disposal

Data important to the delivery of the essential service is likely to be found on network and information system media and operational equipment, including IT and operational technology (OT) assets. Service management systems, along with network and mobile devices, are familiar candidates for secure sanitisation. Some essential services may also need to consider the data stored on defunct OT and safety systems.

References

NCSC 10 Steps: Home and Mobile Working

NCSC End User Device Security Collection

ISO/IEC 27002

IEC 62443-2-1

ENISA Big Data Security (2016)
