Data lifecycle management
Objective • Data lifecycle controls should ensure the confidentiality, integrity and availability of data collected, used or stored by the organization, throughout the useful “life” of that data, including secure disposal at the end of that cycle, to prevent unauthorized disclosure, modification, removal or destruction of information assets, or interruptions to business activities.
Sensitivity level • All data should be classified as to sensitivity, in order to assure appropriate security treatment throughout the data lifecycle. This could include classifications based on:
- confidentiality, integrity and availability dimensions of each data type or collection;
- intentions and capabilities of likely threats to each data type or collection; and
- legal-regulatory-certificatory authorities that condition data sensitivity determinations.
Retention period • All data should be classified as to retention period, in order to assure its integrity and availability for an appropriate period. This could reflect:
- the organization’s business requirements; and
- legal-regulatory-certificatory requirements.
Information handling • Appropriate procedures for the handling and storage of information should be established to protect data from unauthorized disclosure or misuse. This could include:
- administrative, physical and technical access restrictions appropriate to the data sensitivity level;
- handling and labeling of all media according to its indicated classification (sensitivity) level;
- where appropriate to the sensitivity, maintenance of formal records of data transfers, including logging and an audit trail; and
- review at appropriate intervals of distribution processes and authorized recipient lists.
Information back-up • Back-up copies of information and software should be made, and tested at appropriate intervals, in accordance with an agreed-upon back-up policy. This could include:
- formal definition of the level of backup required for each system – scope of data to be imaged, frequency of imaging, duration of retention – on the basis of legal-regulatory-certificatory authorities and business requirements;
- complete inventory records for the back-up copies, including content and current location;
- complete documentation of restoration procedures for each system;
- storage of the back-ups in a remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site(s);
- appropriate physical and environmental controls for the back-up copies wherever located;
- appropriate technical controls, such as encryption, for back-up copies of sensitive information in storage locations and during transport to/from the primary site(s);
- regular testing of back-up media; and
- regular testing of restoration procedures.
Management of storage media • Policies and procedures should be established for management of storage media, particularly removable media. This could include, as appropriate to the sensitivity of the data:
- logging and an audit trail of removals of media from or relocations within the organization's premises;
- a requirement for authorization prior to removal or relocation;
- redundant storage that reflects the risks to the media relative to the importance of the data;
- cascading storage, where storage retention requirements exceed the rated life of the media;
- restrictions on the types of media, and usages thereof, where necessary for adequate security;
- registration of certain types of media; and
- secure disposal of media when no longer needed.
Physical media in transit • Media containing information should be protected against unauthorized access, misuse or corruption while in transit. This could include:
- procedures and standards for authorizing couriers, and a list of currently authorized couriers;
- packaging standards, including technical protections (e.g., encryption); and
- physical protection standards (e.g., locked containers, tamper-evident tagging).
Electronic data transfers • Information transferred by electronic means should be appropriately protected. This could include:
- protecting transferred information from unauthorized access, modification or diversion by appropriate technical means (e.g., encryption);
- ensuring correct addressing and routing;
- ensuring the general reliability and availability of information transfer services;
- limiting the use of less-secure systems for transfers (e.g., public Internet); and
- requiring authentication and message content protection mechanisms when using public networks (e.g., digital signatures and content encryption).
Disposal of media • Media should be disposed of securely and safely when no longer required, using approved procedures. This could include:
- requiring use of generally-accepted secure disposal methods for media that contains (or might contain) sensitive data;
- procedures and policies to identify data that qualifies as sensitive, or a policy that all information will be considered sensitive in the absence of unequivocal evidence to the contrary; and
- where appropriate to the sensitivity of the data, logging and an audit trail of disposal operations.
Security of system documentation • Like organizational data, documentation for organizational data systems should be appropriately protected against unauthorized access. This could include:
- policies and procedures for secure storage of documentation, whether in paper or electronic form; and
- authentication and access control measures, where appropriate to the sensitivity of the documentation.
Information exchange policies and procedures • Formal exchange policies and procedures should be developed and implemented to protect the exchange of information both within and outside the organization, covering the use of all types of communications facilities and data storage media. This could include:
- physical and technical measures designed to protect exchanged information from interception, copying, modification, mis-routing or destruction;
- procedures for the detection of and protection against malicious code (see also Controls against malicious code);
- procedures for the protection of wireless communications;
- use of cryptographic methods where appropriate to achieve sufficient protections;
- policies or guidelines about acceptable and unacceptable uses of communications facilities and media;
- retention and disposal guidelines for all exchanged information;
- user awareness and training about these policies and guidelines; and
- compliance with all relevant legal-regulatory-certificatory requirements for information exchange.
Exchange agreements • Agreements should be established for the exchange of information and software between the organization and external parties and, where appropriate, within the organization. This could include:
- specification of management responsibilities for controlling/approving agreements about transmissions and receipts of information;
- procedures to ensure appropriate identification and labeling, appropriate notifications to sender and recipient, traceability and non-repudiation;
- minimum technical standards for packaging and transmission;
- specification of ownership and responsibilities for data protection, copyright, license compliance and similar considerations; and
- specification of responsibilities and liabilities in the event of an information security incident.
SOURCES: ISO-27001/27002:2005 sects. 9.2, 10.5 – 10.8.


