Data security checklist template
Step 1: Inventory critical data assets
What to do | How to do it |
---|---|
Define data discovery rules | Know what types of sensitive data you collect and store. Create a combination of regular expression and keyword-match data discovery rules specific to your organization. |
Scan data stores for sensitive data | Scan data stores (including images and audio files) for sensitive data instances that match the configured rules. |
Employ data validation methods | Combine validation checks, proximity scanning, and compound-term processing to verify the data discovery results. |
Create compliance-specific discovery policies | Create policies for the regulations you are obliged to adhere to. This helps prevent non-compliance and also speeds up reporting. |
Map out the discovered sensitive data | Know where your most critical data is stored. Maintain an inventory of sensitive data instances and keep it up to date by scanning files as soon as they are created or modified. |
Categorize and classify sensitive data | Use both automated and manual classification methods to tag files based on their sensitivity. This lets you define data protection policies based on these tags. |
Build file-based and user-based risk profiles | Find out which storage locations hold the highest concentration of sensitive data and which employees store the most personal information. Analyze the data discovery results and create detailed risk profiles for your storage repositories and users. |
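The first three rows of this step (discovery rules, scanning, validation) fit together as one small pipeline. The following is an added example, not code from the checklist or from DataSecurity Plus: a scanner that applies regular-expression rules, requires a nearby keyword for ambiguous patterns (proximity scanning), and runs a validator before reporting a hit. The rule set, the Luhn and SSN range checks, the 40-character proximity window, and the sample document are all assumptions made for the example; a real deployment would tailor patterns and keywords to the organization.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample document (not real data). The card number passes the
# Luhn check, the "order ID" does not; the ticket reference is SSN-shaped but
# has no SSN keyword nearby; the legacy SSN has an area number that is never issued.
SAMPLE_TEXT = """Customer file - internal
Card number: 4111 1111 1111 1111 (exp 09/27)
Order ID: 4111 1111 1111 1112
Contact: jane.doe@example.com
SSN on file: 123-45-6789
SSN (legacy): 000-12-3456
Ticket ref: 321-65-4321 (support queue)
"""


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    keywords: tuple = ()       # proximity rule: one of these must precede the match ...
    window: int = 40           # ... within this many characters, on the same line
    validator: Optional[Callable[[str], bool]] = None


@dataclass(frozen=True)
class Finding:
    rule: str
    value: str
    line: int


def luhn_ok(value: str) -> bool:
    """Luhn checksum for payment-card-shaped numbers (assumed validator)."""
    digits = [int(c) for c in value if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


def ssn_ok(value: str) -> bool:
    """Reject SSN-shaped strings whose area, group, or serial is never issued."""
    area, group, serial = value.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


# Assumed rule set for the example; tailor patterns and keywords per organization.
RULES = (
    Rule("payment_card", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), validator=luhn_ok),
    Rule("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
         keywords=("ssn", "social security"), validator=ssn_ok),
    Rule("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
)


def scan(text: str, rules=RULES) -> list:
    """Run every rule over the text; a hit must also satisfy the rule's
    proximity keywords and validator before it is reported as a finding."""
    findings = []
    for rule in rules:
        for m in rule.pattern.finditer(text):
            if rule.keywords:
                line_start = text.rfind("\n", 0, m.start()) + 1
                context = text[max(line_start, m.start() - rule.window):m.start()].lower()
                if not any(k in context for k in rule.keywords):
                    continue
            if rule.validator is not None and not rule.validator(m.group()):
                continue
            findings.append(Finding(rule.name, m.group(), text.count("\n", 0, m.start()) + 1))
    return findings


def summarize(findings) -> dict:
    """Per-rule counts, the starting point for a risk profile of a data store."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f"line {f.line}: {f.rule} -> {f.value}")
    print(summarize(scan(SAMPLE_TEXT)))
```

Running it on the sample reports one card number, one SSN, and one e-mail address: the Luhn and area-number checks drop the two look-alikes, and the ticket reference is ignored because no SSN keyword precedes it on the same line. The per-rule counts returned by `summarize` are what the last row of the step (risk profiles per repository and user) would aggregate across many files.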
Step 2: Evaluate data security risks
What to do | How to do it |
---|---|
Locate sensitive data stored outside designated repositories | Ensure that critical data is stored only where it should be. Establish workflows to move it from open shares and other unsecure folders to more protected locations. |
Remove sensitive files stored beyond their retention periods | Avoid non-compliance penalties by listing old, stale, unmodified files and removing or archiving them if they are obsolete. |
Detect and discard duplicate copies of critical files to maintain the integrity of master files | Improve data storage practices by listing and removing duplicate copies of files. |
Verify role-based access control and least privilege | Scrutinize NTFS and share permissions to verify that critical data is accessible only to those who require it for their work. |
Perform periodic access rights reviews | Prevent privilege creep and excessive access rights by periodically reviewing permissions. |
Spot and fix instances of broken inheritance | Fix security weaknesses such as broken permission inheritance and openly accessible folders. |
Limit the visibility of sensitive data | Redact or anonymize instances of personal information in documents to prevent unnecessary disclosure. |
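The three permission-related rows above (least privilege, periodic access reviews, broken inheritance) can be checked mechanically from an ACL export. The following is an added example, not code from the checklist or from DataSecurity Plus: it parses a simplified, constructed rendering of `icacls <share> /T` output and flags folders whose parent is in scope but which carry no inherited ACE, plus any broad principal (Everyone, Authenticated Users, Users, Domain Users) holding write rights anywhere or read rights on a location tagged sensitive. The export format, the set of sensitive paths (taken to come from the Step 1 inventory), and the list of broad principals are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample (not real data): a simplified rendering of `icacls <share> /T`
# output, with each folder on an unindented line followed by its indented ACEs.
# (I) marks an inherited ACE; the Payroll folder has none, so inheritance was disabled.
ICACLS_EXPORT = r"""
C:\Shares\Finance
  BUILTIN\Administrators:(I)(OI)(CI)(F)
  FINCORP\Finance-Team:(I)(OI)(CI)(M)
C:\Shares\Finance\Payroll
  BUILTIN\Administrators:(OI)(CI)(F)
  FINCORP\Payroll-Admins:(OI)(CI)(M)
  Everyone:(OI)(CI)(RX)
C:\Shares\Public
  BUILTIN\Administrators:(I)(OI)(CI)(F)
  Everyone:(I)(OI)(CI)(F)
"""

# Sensitive locations from the Step 1 inventory (assumed for this example).
SENSITIVE_PATHS = {r"C:\Shares\Finance\Payroll"}

# Principals that effectively mean "anyone on the network" (compared without domain prefix).
BROAD_PRINCIPALS = {"everyone", "authenticated users", "users", "domain users"}
WRITE_RIGHTS = {"F", "M", "W", "D"}            # icacls simple rights that allow changes
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^\s+(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)\s*$")


@dataclass(frozen=True)
class Ace:
    path: str
    principal: str
    inherited: bool
    rights: frozenset


def parse_icacls(export: str) -> list:
    """Turn the export into one Ace per (folder, principal) line."""
    aces, path = [], None
    for line in export.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            path = line.strip()
            continue
        m = ACE_RE.match(line)
        if m is None or path is None:
            raise ValueError(f"unparseable line: {line!r}")
        flags = re.findall(r"\(([^)]*)\)", m["flags"])
        rights = frozenset(r for f in flags if f not in INHERITANCE_FLAGS for r in f.split(","))
        aces.append(Ace(path, m["principal"], "I" in flags, rights))
    return aces


def is_broad(principal: str) -> bool:
    return principal.split("\\")[-1].lower() in BROAD_PRINCIPALS


def review(aces, sensitive_paths=SENSITIVE_PATHS) -> list:
    """Return (path, issue, detail) triples for broken inheritance and
    broad-principal access within the scanned tree."""
    by_path = {}
    for a in aces:
        by_path.setdefault(a.path, []).append(a)
    issues = []
    for path, entries in by_path.items():
        parent = path.rsplit("\\", 1)[0]
        # A folder whose parent was scanned but which inherits nothing had inheritance disabled.
        if parent in by_path and not any(a.inherited for a in entries):
            issues.append((path, "broken_inheritance", f"no ACE inherited from {parent}"))
        for a in entries:
            if not is_broad(a.principal):
                continue
            detail = f"{a.principal}: {','.join(sorted(a.rights))}"
            if a.rights & WRITE_RIGHTS:
                issues.append((path, "broad_write_access", detail))
            elif path in sensitive_paths:
                issues.append((path, "broad_read_on_sensitive", detail))
    return issues


if __name__ == "__main__":
    for path, issue, detail in review(parse_icacls(ICACLS_EXPORT)):
        print(f"{issue:24} {path}  ({detail})")
```

On the sample, the Payroll folder is reported twice (inheritance disabled, and Everyone able to read a sensitive location) and the Public share once (Everyone with full control). Re-running the same review on a fresh export each quarter is the "periodic access rights review" row of the table; diffing the output against the previous run shows privilege creep directly.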
Step 3: Monitor access to critical data
What to do | How to do it |
---|---|
Track changes made to critical files | Track file read, create, modify, overwrite, move, rename, delete, and permission change events in real time. |
Monitor file integrity | Monitor risky activity such as failed attempts to read, write, or delete files, and critical changes made outside business hours. |
Set alerts for high-risk file modification, move, delete, and permission change actions | Set up triggers to receive instant notifications about potential data security threats and anomalous file activity. |
Implement comprehensive antivirus and anti-malware systems | Watch for infected files, indicators of ongoing malware attacks, and other critical signs of an impending data breach with up-to-date malware detection tools. |
Deploy automated security incident response systems | Configure responses that halt the spread of ransomware infections, shut down infected devices, disconnect rogue user sessions, and more, based on the security alert triggered. |
Automate access reporting for compliance regulations | Generate audit-ready reports to comply with the GDPR, PCI DSS, HIPAA, and other regulations. Store historical audit data for legal and forensic requirements. |
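The first three rows of this step describe the same thing from three angles: a stream of file events, a set of risky conditions, and alerts when a condition is met. The following is an added example, not code from the checklist or from DataSecurity Plus: a small detector that reads constructed JSON-lines audit events and raises an alert for permission changes, deletions under a sensitive path, repeated failed accesses by one user, changes outside business hours, and bursts of modifications by one user (a common ransomware indicator). The event format, the 08:00 to 18:00 weekday business window, the thresholds, and the sensitive path prefix are assumptions made for the example; timestamps are taken to be in the file server's local time zone.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, time

CHANGE_ACTIONS = {"create", "modify", "overwrite", "move", "rename", "delete", "permission_change"}
SENSITIVE_PREFIXES = (r"\\fs01\Shares\Finance\Payroll",)   # assumed, from the Step 1 inventory
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)      # assumed business hours, Mon-Fri
FAILED_THRESHOLD, FAILED_WINDOW = 3, 300     # 3 failed accesses by one user within 5 minutes
BURST_THRESHOLD, BURST_WINDOW = 5, 60        # 5 changes by one user within 60 seconds

# Constructed sample audit events (not real data), one JSON object per line.
# 2024-03-12 is a Tuesday; the 23:41 modification falls outside business hours.
EVENTS = r"""
{"ts": "2024-03-12T10:02:11", "user": "alice", "action": "read", "path": "\\\\fs01\\Shares\\Finance\\budget.xlsx", "status": "success"}
{"ts": "2024-03-12T10:05:40", "user": "bob", "action": "permission_change", "path": "\\\\fs01\\Shares\\Finance", "status": "success"}
{"ts": "2024-03-12T10:06:01", "user": "bob", "action": "delete", "path": "\\\\fs01\\Shares\\Finance\\Payroll\\q1.csv", "status": "success"}
{"ts": "2024-03-12T10:10:00", "user": "carol", "action": "read", "path": "\\\\fs01\\Shares\\Finance\\Payroll\\q1.csv", "status": "failed"}
{"ts": "2024-03-12T10:10:05", "user": "carol", "action": "read", "path": "\\\\fs01\\Shares\\Finance\\Payroll\\q1.csv", "status": "failed"}
{"ts": "2024-03-12T10:10:09", "user": "carol", "action": "read", "path": "\\\\fs01\\Shares\\Finance\\Payroll\\q1.csv", "status": "failed"}
{"ts": "2024-03-12T23:41:00", "user": "alice", "action": "modify", "path": "\\\\fs01\\Shares\\Public\\notes.txt", "status": "success"}
{"ts": "2024-03-13T09:00:00", "user": "dave", "action": "rename", "path": "\\\\fs01\\Shares\\Public\\doc1.docx.locked", "status": "success"}
{"ts": "2024-03-13T09:00:01", "user": "dave", "action": "rename", "path": "\\\\fs01\\Shares\\Public\\doc2.docx.locked", "status": "success"}
{"ts": "2024-03-13T09:00:02", "user": "dave", "action": "rename", "path": "\\\\fs01\\Shares\\Public\\doc3.docx.locked", "status": "success"}
{"ts": "2024-03-13T09:00:03", "user": "dave", "action": "rename", "path": "\\\\fs01\\Shares\\Public\\doc4.docx.locked", "status": "success"}
{"ts": "2024-03-13T09:00:04", "user": "dave", "action": "rename", "path": "\\\\fs01\\Shares\\Public\\doc5.docx.locked", "status": "success"}
"""


def _in_business_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END


def _window_count(history: deque, ts: datetime, window: int) -> int:
    """Record ts, drop entries older than the window, and return how many remain."""
    history.append(ts)
    while (ts - history[0]).total_seconds() > window:
        history.popleft()
    return len(history)


def detect(lines) -> list:
    """Return (alert, user, timestamp) triples, one per rule trigger, in event order."""
    alerts = []
    failures = defaultdict(deque)   # per-user timestamps of failed accesses
    changes = defaultdict(deque)    # per-user timestamps of successful changes
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        user, action, path, stamp = ev["user"], ev["action"], ev["path"], ev["ts"]
        if ev["status"] == "failed":
            if _window_count(failures[user], ts, FAILED_WINDOW) == FAILED_THRESHOLD:
                alerts.append(("repeated_failures", user, stamp))
                failures[user].clear()       # alert once per streak
            continue
        if action not in CHANGE_ACTIONS:
            continue                         # successful reads are logged, not alerted
        if action == "permission_change":
            alerts.append(("permission_change", user, stamp))
        if action == "delete" and path.startswith(SENSITIVE_PREFIXES):
            alerts.append(("sensitive_delete", user, stamp))
        if not _in_business_hours(ts):
            alerts.append(("after_hours_change", user, stamp))
        if _window_count(changes[user], ts, BURST_WINDOW) == BURST_THRESHOLD:
            alerts.append(("burst_changes", user, stamp))
            changes[user].clear()
    return alerts


def run_sample() -> list:
    return detect(EVENTS.splitlines())


if __name__ == "__main__":
    for alert, user, stamp in run_sample():
        print(f"{stamp}  {alert:20} {user}")
```

The sample produces five alerts: the permission change and the Payroll deletion by bob, carol's third failed read, alice's late-night modification, and the fifth rename by dave within one minute. The `burst_changes` alert is the natural hook for the automated response row further down the table (for example, disconnecting that user's session), while the others feed the notification and audit-report rows.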
Step 4: Regulate endpoint activity
What to do | How to do it |
---|---|
Monitor the use of removable storage media | Track and analyze the use of removable devices, such as USB drives and mobile phones, in your network. |
Control the use of USB drives with allow lists and block lists | Restrict the use of USB devices by selectively blocking read, write, or execute actions on them, and prevent unauthorized use with allow lists and block lists. |
Manage the use of endpoints | Block employees from using Wi-Fi, Bluetooth devices, CD or DVD drives, and other endpoints to limit the potential attack surface for data security threats. |
Prevent data leaks with policies for data exfiltration attempts via endpoints | Customize data leak prevention (DLP) policies for organization-specific use cases. |
Prevent classified files from being removed from the network | Map DLP policies to file classification tags to granularly prevent restricted-use files from leaving the organizational network via email, USB drives, etc. |
Scan for vulnerabilities periodically | Assess applications and endpoint devices for vulnerabilities and remediate issues before they can be used to carry out data theft. |
Improve user awareness | Train your end users to recognize social engineering attacks to prevent accidental data leaks from endpoints. |
Review and improve DLP processes | Leak prevention is a process that should be kept in line with changing business conditions and needs. Continuously monitor the DLP strategy you have implemented and improve it wherever necessary. |
Step 5: Deploy cloud protection
What to do | How to do it |
---|---|
Audit cloud application usage | Use deep packet inspection to audit how actors access cloud applications. Analyze upload, download, and other activity details across cloud storage and platforms such as Box, Dropbox, and Microsoft 365. |
Evaluate the risk associated with accessing web applications | Score websites based on their reputation, and take measures to limit the use of low-reputation websites. |
Track accesses to shadow IT applications | Monitor users who access shadow IT applications and gather details on how often they access them. |
Filter unsecure webpages | Enforce access control measures across cloud applications to ensure that employees do not interact with sites that incite violence, host inappropriate content, spread malware, initiate spam campaigns, promote gambling, etc. |
Control file uploads and downloads | Prevent users from uploading sensitive files to cloud repositories and from downloading potentially malicious files. |
Disclaimer: Data security requires a variety of solutions, processes, people, and technologies. This checklist is provided for informational purposes only and should not be considered as legal advice. ManageEngine makes no warranties, express, implied, or statutory, as to the efficacy of the information in this material.
How ManageEngine can help you streamline data security processes
Reinforce your measures to secure organizational data in all its states (at rest, in use, and in motion) with ManageEngine DataSecurity Plus. DataSecurity Plus is a unified data visibility and security platform that:
- Audits file changes in real time, triggers instant responses to critical events, shuts down ransomware intrusions, and helps organizations comply with numerous IT regulations.
- Analyzes file storage and security permissions, deletes junk files, and detects file security vulnerabilities.
- Helps users assess the risks associated with sensitive data storage by locating and classifying files containing PII, PCI, and ePHI.
- Prevents data leaks via USBs, email, printers, and web applications; monitors file integrity; and audits cloud application usage.