In the context of its recurring control process, a company wished to assess the protection level of the data stored on its computer system. BlueKrypt carried out an audit on the basis of interviews and technical verifications. The analysis focused on the system, network and applications used.

Context

The assessment revealed positive points but also a few points to be improved.

Positive points
  • Some departments address data protection by limiting the nature of the data they store and by implementing certain protections (for example, encryption),
  • A data scrambling mechanism has been set up,
  • Access to the environments is subject to approval and other appropriate procedures.


Points to be improved
  • Data confidentiality is not uniformly guaranteed: information such as trigrams, and even secret passwords, is stored unencrypted,
  • Data flows are not protected: a flow carrying sensitive data can be eavesdropped on the company network,
  • Many environments still use generic accounts,
  • Production data is used by some departments for testing without being anonymised,
  • Managers are not very aware of the importance of data protection.


The overall level of data protection is assessed as "significant reservations" (scale: satisfactory, to be improved, significant reservations, unsatisfactory).

Many substantial risks were identified during the assessment. Two aspects are mainly at stake:

  • Lack of data protection in the databases of some departments,
  • No confidentiality of network flows.

To improve the level of data protection, "high priority" and "medium term" actions were identified to cover the risks.

Methodology

For this case study, we take as an example a methodology we applied to the protection of banking data.
