
Application Data Security Controls

Introduction

This procedure guide is deprecated. It was written for the 3.7 version of VT’s Minimum Security Standard.

Data security controls ensure that only those permitted to access a specific piece of data are able to access it. Data security control techniques include encryption, masking, and erasure.

Procedures

Encryption

FISMA Compliance

FISMA (the Federal Information Security Management Act) sets requirements to ensure your data is secure. National Institute of Standards and Technology (NIST) Special Publication 800-53 provides a set of guidelines that ensure you are FISMA compliant. These include:

  • Create an inventory of information systems.
  • Select applicable security controls.
  • Implement the security controls.
  • Assess the security controls.
  • Authorize the information systems.
  • Monitor the security controls.

PCI Compliance

The PCI Security Standards Council is an organization that sets security standards designed to ensure that all companies maintain a secure environment for the use and transmission of credit card information. While the scope of PCI compliance is large, the official PCI v4 compliance guidance lists a few best practices designed to help with everyday use of credit card information.

  • Review logged data frequently (see the documentation on Server Intrusion Detection).
  • Ensure that all failures in security controls are detected and responded to promptly.
  • Review changes that could introduce security risk.
  • Perform risk assessment.
  • Review external connections and third-party access (see the Endpoint Credentials and Access Control documentation).

More information can be found here.

Standards for High Risk Digital Data Protection v. 6

Virginia Tech has a list of standards used in the protection of high risk digital data. A full in-depth breakdown of these standards can be found here. Some of these standards utilize techniques explained in the relevant documentation listed below.