5.3 Data Protection
5.3 Data Protection
-
Endpoints:
-
a. Encrypt all Windows servers equipped with a Trusted Platform Module (TPM) using BitLocker with default settings.
-
b. Encrypt all Storage Area Networks (SANs) utilizing their latest firmware's default encryption settings.
-
c. Encrypt all ZFS and CEPH volumes using their built-in default encryption methods.
-
d. Backup all encryption keys and recovery passwords to DTC's key vault, password management system, Professional Services Automation (PSA) tool, documentation system, and/or Remote Monitoring and Management (RMM) platform.
-
e. Ensure that all storage components and assets processed through DTC for recycling or repurposing are wiped in accordance with Department of Defense (DoD) minimal secure data wipe requirements. Document this process with a certificate maintained by DTC.
-
-
Backup Data:
-
f. Encrypt all backup data at the application level using robust encryption algorithms, such as AES-256, to ensure data confidentiality and integrity during storage and transmission.
-
g. Manage and store backup encryption keys securely, separate from the backup data, utilizing DTC's key vault or other secure key management solutions.
-
h. Regularly review and update backup encryption protocols and key management practices to align with evolving security standards and best practices.
-
i. Implement immutability for all backup data, ensuring that backups cannot be altered or deleted for a minimum retention period of 14 days. If immutability is not feasible, utilize an air-gapped interface for backup deletion to protect against unauthorized modifications and ransomware attacks.
-
Technical Controls:
| Control ID | Description | Tools/Methods |
|---|---|---|
| a | Encrypt Windows servers with TPM using BitLocker default settings. | NinjaRMM, Microsoft Windows Bitlocker, OEM TPM 2.0 installed. |
| b | Encrypt SANs using latest firmware's default encryption settings. | iXSystems all products, Dell SAN Products, Storage Spaces Direct |
| c | Encrypt ZFS and CEPH volumes using built-in default encryption methods. | ZFS native encryption commands; CEPH encryption configurations, iXSystems TrueNAS |
| d | Backup encryption keys and recovery passwords to designated secure locations. | 1Password, IT Glue, HaloPSA, NinjaRMM, Azure Key Vault |
| e | Wipe storage components per DoD minimal secure data wipe requirements and document with a certificate. | Microsoft Intune Wipe Method, Active@ KillDisk, DBAN |
| f | Encrypt all backup data at the application level using robust encryption algorithms. | MSP360, Veeam Backup & Replication, Restic, Rclone, Backblaze, ZFS |
| g | Manage and store backup encryption keys securely, separate from backup data. | 1Password, IT Glue, HaloPSA, NinjaRMM, Azure Key Vault |
| h | Regularly review and update backup encryption protocols and key management practices. | Yearly Penetration Test, Quarterly CTO Policy Reviews |
| i | Implement immutability for all backup data with a minimum retention period of 14 days, or utilize an air-gapped interface for backup deletion. | MSP360, Veeam Backup. and Replication, Backblaze, Rclone |