Control 17.7: Train Workforce on Sensitive Data Handling
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
Category
Procedural
Purpose
The act of labeling data according to its sensitivity is a type of data classification. It often involves placing a “PROPRIETARY”, “SENSITIVE”, or “CONFIDENTIAL” mark on a document. These markings allow organizations to more easily make the appropriate security decisions to govern their own data. This often involves allocating additional resources and developing policies to protect sensitive company information. For instance, placing trade secrets on a cloud platform may not be wise if their secrecy is pivotal to the business continuing normal operation. If an organization does not perform data classification, it is more likely that unintentional data loss may occur. Therefore, clearly labeling data prevents intentional and unintentional data breaches.
Automation
This Sub-Control is generally not automatable. Third-party organizations offer platforms that can help to train users in the proper way to handle sensitive information.
Guidance and Tools
Proper sensitive data handling begins with having a sensitive data policy. This policy should detail what information is considered sensitive, how employees should identify it, and how to handle the data. Once this policy is in place, it is important that employees be trained on how to follow the policy and be reminded of the importance of seeking approval for any exceptions. Be sure to include the following in the policy and subsequent training:
- How to identify sensitive information.
- How to transmit sensitive information within the organization.
- When it is appropriate and how to transmit sensitive information outside the organization.
- How to direct outside organizations to transmit sensitive data to you.
- Where to digitally store sensitive information.
- What to do if you find sensitive information in an unauthorized location.
- When it is appropriate to print sensitive information, how to store printed copies, and how to dispose of them.
- How long to retain sensitive information and how to securely dispose of it.
- How to seek exceptions to sensitive data policy.