Data Spill Management Guide

Download CSOC Protect Notice, Data Spill Management Guide (PDF), August 2012

Introduction

  1. A data spill is the accidental or deliberate exposure of classified, sensitive or official information into an uncontrolled or unauthorised environment or to persons without a need-to-know. A data spill is sometimes referred to as unintentional information disclosure or a data leak.
  2. Data spills usually fall into one of two categories:
    1. The transfer of sensitive information to a system which is not accredited to handle the information. Such a transfer may be performed via email or digital media.
    2. The disclosure of sensitive information on the Internet, including web forums, social networking websites, Internet search engine caches and other types of cloud-based storage.
  3. This document provides guidance to agencies on managing data spills in their environment.
  4. Data spills are considered cyber security incidents and are reportable under the DSD Cyber Security Incident Reporting scheme.
  5. Agencies should refer to the latest version of the Australian Government Information Security Manual (ISM) for sanitisation guidance for specific media. Further advice is provided in DSD’s Data Spill Sanitisation Guide and the Cyber Security Incidents chapter of the ISM.

Data spill management overview

  1. Educating users on agency system and web usage policies, as well as how to appropriately identify and handle information with protective markings, can greatly assist in preventing data spills (ISM controls: 0251, 0252, 0255, 0818, 0820, 0922, 1339).
  2. However, in the event of a data spill, agencies should use the following five step process:
    1. Identify. Recognise that a data spill has taken place and commence this process.
    2. Contain. Determine the breadth of the data spill to prevent further dissemination of sensitive data.
    3. Assess. Decide on the most appropriate method to sanitise the data spill for your situation and desired level of residual risk.
    4. Remediate. Remediate the data spill based on your assessment.
    5. Prevent. Implement prevention measures to stop similar incidents from occurring in the future.
  3. This process should be followed for every data spill which occurs, as each instance is different and may require a distinct response.

Step 1: Identify

  1. Data spills are usually identified by system users. In accordance with the ISM, agencies must include in the standard procedures for all personnel with system access a requirement to notify an IT Security Manager of any suspected data spill, or of access to data they are not authorised to see (ISM control 0130).
  2. Data spills can also be identified through monitoring, auditing and logging. For example:
    1. Blocking, and logging, e-mails that carry no protective marking at the agency’s e-mail server or e-mail client (ISM controls 0562, 0875 and 1022).
    2. Using data loss prevention tools such as SpillGuard that warn system users and alert administrators of possible security classification violations.
  3. When a data spill is identified, agencies must assume that the spilled data is compromised and base remediation procedures or risk management on a worst-case scenario (ISM control 0129).
  4. An immediate assessment should be performed to:
    1. Track data flow, movement and storage locations of the spilled data to assist in determining what devices and systems are affected.
    2. Identify affected system users, including any external to the agency.
    3. Determine the length of time between the data spill and the identification of the data spill.
  5. Personnel required to assist in the management of the data spill should also be identified. This can include:
    1. information owners
    2. subject matter experts
    3. the Agency Security Advisor (ASA)
    4. the IT Security Advisor (ITSA)
    5. IT Security Managers (ITSM) or IT Security Officers (ITSO)
    6. communications security officers (COMSO).
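As an added example, not part of the DSD guide, the Python script below shows the kind of check a mail-gateway data loss prevention filter (item 2 above) would apply, and at the same time produces the list of affected users, including those external to the agency, that item 4 asks for. It flags messages that carry no protective marking and messages whose marking exceeds the level the system is accredited to handle. The subject-line marking form `[SEC=PROTECTED]`, the `SEC=` field of an `X-Protective-Marking` header, the ordering of classification levels, the agency domain and the three sample messages are all assumptions constructed for the example; agencies should take the marking syntax and level ordering from the ISM and the Email Protective Marking Standard.

```python
"""Flag e-mails that are unmarked or marked above a system's accreditation,
and list the recipients (internal and external) who were exposed.

Added example for the guide's Identify step; not DSD/ASD code. The marking
syntax, level ordering, agency domain and messages below are assumptions
constructed for the example."""
import email
import re
from email.utils import getaddresses

# Classification levels, lowest to highest (2012-era scheme; assumption).
LEVELS = ["UNCLASSIFIED", "PROTECTED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Domains considered internal to the agency (assumption for the example).
AGENCY_DOMAINS = {"agency.gov.au"}

# 'SEC=<LEVEL>' terminated by a comma, a closing bracket or end of text, as
# found in '[SEC=PROTECTED]' subject markings and X-Protective-Marking headers.
MARKING_RE = re.compile(r"SEC=([A-Z][A-Z ]*?)(?:[,\]]|$)")


def marking_of(msg):
    """Classification from the X-Protective-Marking header or, failing that,
    the subject line; None when no recognised marking is present."""
    for text in (msg.get("X-Protective-Marking", ""), msg.get("Subject", "")):
        found = MARKING_RE.search(text)
        if found and found.group(1).strip() in RANK:
            return found.group(1).strip()
    return None


def recipients_of(msg):
    """All To/Cc/Bcc addresses, lower-cased and de-duplicated."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sorted({addr.lower() for _, addr in getaddresses(headers) if addr})


def check_message(raw, accredited, agency_domains=AGENCY_DOMAINS):
    """Return a finding for one raw RFC 822 message, or None if it is within
    the accredited level. Unmarked messages are findings too: the ISM expects
    mail without a protective marking to be blocked."""
    msg = email.message_from_string(raw)
    marking = marking_of(msg)
    if marking is None:
        reason = "no protective marking"
    elif RANK[marking] > RANK[accredited]:
        reason = f"{marking} exceeds system accreditation ({accredited})"
    else:
        return None
    recipients = recipients_of(msg)
    return {
        "message_id": msg.get("Message-ID"),
        "sender": msg.get("From"),
        "marking": marking,
        "reason": reason,
        # Everyone who must be contacted and told not to forward the mail.
        "recipients": recipients,
        # Recipients outside the agency: the data has left the accredited boundary.
        "external": [r for r in recipients
                     if r.rpartition("@")[2] not in agency_domains],
    }


def scan(messages, accredited, agency_domains=AGENCY_DOMAINS):
    """Run check_message over a batch (e.g. a mail-gateway journal) and keep
    only the findings."""
    findings = (check_message(raw, accredited, agency_domains) for raw in messages)
    return [f for f in findings if f is not None]


# Constructed sample traffic: correctly marked, over-classified with an
# external recipient, and unmarked.
SAMPLE_MESSAGES = [
    "From: alice@agency.gov.au\n"
    "To: bob@agency.gov.au\n"
    "Subject: [SEC=UNCLASSIFIED] Team meeting\n"
    "Message-ID: <msg1@agency.gov.au>\n"
    "X-Protective-Marking: VER=2012.3, NS=gov.au, SEC=UNCLASSIFIED, "
    "ORIGIN=alice@agency.gov.au\n"
    "\nSee you at 10.\n",
    "From: alice@agency.gov.au\n"
    "To: Bob <bob@agency.gov.au>, contractor@example.com\n"
    "Cc: carol@agency.gov.au\n"
    "Subject: [SEC=PROTECTED] Draft briefing\n"
    "Message-ID: <msg2@agency.gov.au>\n"
    "X-Protective-Marking: VER=2012.3, NS=gov.au, SEC=PROTECTED, "
    "ORIGIN=alice@agency.gov.au\n"
    "\nDraft attached.\n",
    "From: dave@agency.gov.au\n"
    "To: erin@agency.gov.au\n"
    "Subject: Re: lunch\n"
    "Message-ID: <msg3@agency.gov.au>\n"
    "\nYes.\n",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_MESSAGES, accredited="UNCLASSIFIED"):
        print(finding["message_id"], finding["reason"], "external:", finding["external"])
```

Run against the sample traffic on a system accredited for UNCLASSIFIED, the script reports the PROTECTED briefing (with contractor@example.com as an external recipient) and the unmarked reply, and passes the correctly marked message. The recipient list from each finding is exactly the set of people the containment step needs to contact, and a non-empty `external` list signals that the data has already left the agency boundary and that the assessment must cover external systems.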

Step 2: Contain

  1. Containment may involve physically isolating or logically separating affected systems from the network (ISM control 0136). Logical separation can be achieved by temporarily removing software functionality or applying access controls to systems to prevent further exposure.
  2. For example, the containment process taken by the ITSM for a data spill involving an internal email may include:
    1. Identify and contact the sender and recipients of the email, and instruct them not to forward or access it.
    2. Determine whether a copy of the email must be retained so that the information owner can verify the classification of the material for the damage assessment.
    3. Determine whether the email should be deleted from affected users’ inboxes as quickly as possible to prevent further dissemination.
    4. Proceed to the assessment phase to determine what further actions are required, including potential sanitisation of the email server and workstations.
  3. Selection of containment actions should be made in consideration of an agency’s environment.

Step 3: Assess

  1. Once containment has prevented further access to and exposure of the data, a thorough assessment should be performed. This includes:
    1. Identifying affected system users, systems and devices. While the identification process highlights the systems and users that are initially affected, a more thorough assessment should be performed after the containment process. This should include devices such as workstations, backup storage, printers, print servers, network shares, email mailboxes and servers, content filtering appliances, web mail and external systems. Agencies should involve their system and network administrators in this process.
    2. Contacting the information owner. The information owner must be contacted and notified of the data spill (ISM control 0133). The information owner will be able to advise whether the data is correctly classified and indicate the approach to minimise exposure. Codeword-related data spills must be reported to the compartment holder.
    3. Contacting relevant authorities. Data spills must be reported to the DSD Cyber Security Operations Centre (CSOC) under the Cyber Security Incident Reporting scheme (ISM controls 0132 and 0140).
    4. Performing a damage assessment. Agencies should perform a damage assessment to determine what harm was caused by the inadvertent disclosure of data. Agencies must assume that the spilled data was accessed by unauthorised individuals and determine actions to manage and mitigate the extent of the data spill (ISM control 0129).

Step 4: Remediate

  1. Agencies should work in collaboration with the information owner to determine a satisfactory remediation of the data spill. DSD is available for consultation in the event that an agreed clean-up solution cannot be reached.
  2. Remediation is usually achieved through a balance of technical sanitisation controls and risk management. For data spills involving classified data, agencies should review specific sanitisation requirements from the latest version of the ISM.
  3. For each of the systems identified during the assessment stage, a remediation strategy should be developed that takes into account:
    1. access controls to the data and the systems that hold the data
    2. utilisation rate of the storage media (i.e. how quickly the system will naturally overwrite free space through normal data churn and growth)
    3. criticality of the system to the business (e.g. mission critical SAN or a user workstation)
    4. the duration of exposure of the data (i.e. is it a recent exposure or has the data been exposed for a long period of time)
    5. sanitisation options available for the media (e.g. raw disk overwrite, file overwrite or physical destruction)
    6. disposal consideration of the asset at end of life (i.e. will the asset be resold or physically destroyed)
    7. balancing the risk of drawing attention to the data versus accepting the damage
    8. resources, impacts and financial costs to business to replace or sanitise affected systems.
  4. All remediation actions should be documented and appropriately stored based on the classification of the remediation plan.

Step 5: Prevent

  1. The action causing the data spill must be reviewed to determine why it occurred (e.g. non-adherence to policy, gaps in existing procedures or the absence of a technical control).
  2. The review should result in implementing preventative measures to reduce the likelihood of future data spills occurring. This may include additional user training or improved technical controls between data of different sensitivities.
  3. ASAs should perform a protective briefing for users who may have been inadvertently exposed to the data spill.

Further information

  1. For further information on technical controls and sanitisation advice, see our Data Spill Sanitisation Guide.
  2. Further advice on managing data spills can be found in the Australian Government Information Security Manual (ISM). This document assists in the protection of official government information that is processed, stored or communicated by Australian government systems.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.