Critical IT Requirements Related to Data Storage

Security rules and procedures protect information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Examples of IT requirements that support secure data storage include the following (Nieles, Dempsey, and Pillitteri, 2017):

Data Protection

Encryption of data (at rest and in transit)

  • Encryption transforms intelligible data, called plaintext, into an unintelligible form, called ciphertext. This is reversed through the process of decryption.

Appropriate security technologies

  • e.g., intrusion detection and protection systems, firewalls, configuration settings

Audit Trails

Records of system activity, including information on system processes, application processes, and all user activities, should be maintained. These records could be used to find security violations or application flaws, or to understand performance problems within the system.

Separation of Data

Separation of data in this context means that individual clients may require that their data be stored in an environment that is either logically separated using software or physically separated using hardware isolation.

Separation of Duties

Separation of duties is the process by which roles specific to handling sensitive systems and data are segmented so that no single individual has total control of—or access to—a system. Separation of duties can reduce insider threats by limiting the access any one individual has to a system. Such separation can also serve as a checks-and-balances system for security. Separation of duties differentiates the individuals who design or test a system from those who conduct security testing or monitoring.
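The check below is an added example, not part of the original handout or of NIST SP 800-12. It reviews role assignments for the two conditions described above: one person holding both a design/test role and a security testing/monitoring role on the same system, and one person holding every role in use on a system. The role names, people, and system names are constructed assumptions.

```python
from collections import defaultdict

# Role groups follow the paragraph above; the role names are assumptions.
BUILD_ROLES = {"design", "test"}
ASSURANCE_ROLES = {"security_testing", "monitoring"}

# Constructed sample assignments: (person, system, role).
ASSIGNMENTS = [
    ("alice", "billing-db", "design"),
    ("alice", "billing-db", "monitoring"),
    ("bob", "billing-db", "test"),
    ("carol", "billing-db", "security_testing"),
    ("dave", "hr-store", "design"),
    ("dave", "hr-store", "test"),
    ("dave", "hr-store", "security_testing"),
    ("dave", "hr-store", "monitoring"),
    ("alice", "hr-store", "monitoring"),
]


def find_sod_violations(assignments):
    """Return (system, person, kind, roles) tuples for each violation found."""
    roles_by_holder = defaultdict(set)  # (system, person) -> roles held
    roles_by_system = defaultdict(set)  # system -> every role in use on it
    for person, system, role in assignments:
        roles_by_holder[(system, person)].add(role)
        roles_by_system[system].add(role)

    findings = []
    for (system, person), roles in sorted(roles_by_holder.items()):
        build = roles & BUILD_ROLES
        assurance = roles & ASSURANCE_ROLES
        # Same person builds the system and also checks or watches it.
        if build and assurance:
            findings.append((system, person, "conflict", sorted(build | assurance)))
        # Same person holds every role defined on the system.
        all_roles = roles_by_system[system]
        if len(all_roles) > 1 and roles == all_roles:
            findings.append((system, person, "total_control", sorted(roles)))
    return findings


if __name__ == "__main__":
    for finding in find_sod_violations(ASSIGNMENTS):
        print(finding)
```

Assignments are evaluated per system, so a person who monitors one system and designs a different one is not flagged.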

References

Nieles, M., Dempsey, K., & Pillitteri, V. Y. (2017). NIST special publication 800-12 Rev. 1: An introduction to computer security: The NIST handbook. Retrieved from https://doi.org/10.6028/NIST.SP.800-12r1. In the public domain.