Data Security

From OWASP

This article addresses data security controls implemented in software features or development processes. Data Security is the name given to a group of controls within the U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework). Subcategories within this category include:

  • Data at rest is protected
  • Data in transit is protected
  • Protections against data leaks are implemented

Other administrative, operational and architectural controls are included as well, but the above list specifies measures that would be directly reflected in the coding of software features.

NIST Special Publication 800-53 lists additional related controls within the System and Communications Protection family, which comprises 41 controls in total. Depending on their relevance to a given project, at least six of these could be implemented directly as software features and map back to the Data Security category in the Cybersecurity Framework, including:

  • Information in shared resources
  • Denial of service protection
  • Transmission confidentiality and integrity
  • Cryptographic protection
  • Transmission of security attributes
  • Protection of information at rest

These controls are implemented through means such as the proper use of cryptography, software security architecture, error handling, and processing labels applied to data.

ISO 27001:2013 includes controls related to data security within the System acquisition, development and maintenance group.

Further References

  1. Framework for Improving Critical Infrastructure Cybersecurity. U.S. National Institute of Standards and Technology. (2014). Retrieved from http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf on 24 May 2015.
  2. Joint Task Force Transformation Initiative. Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53 revision 4. U.S. National Institute of Standards and Technology. (2013) http://dx.doi.org/10.6028/NIST.SP.800-53r4
  3. ISO/IEC 27001:2013. Wikipedia. Retrieved from http://en.wikipedia.org/wiki/ISO/IEC_27001:2013 on 24 May 2015.