Implement Incydr: Resources
Overview
This article contains resources you can use when implementing Incydr at your company.
Considerations
Code42 Insider Risk Advisors can provide you with additional resources for Incydr. Contact your Customer Success Manager (CSM) to engage Advisory Services.
Critical assets questionnaire for data owners
Every owner of critical data assets at your company should answer the following questions. Use them to develop other questions specific to your organization. Note that each question may have several answers.
| Question | Example |
|---|---|
| What is the critical file or intellectual property? | Software code for new product X |
| What is the file format? | .js |
| Where is it located? | Developer local repositories under X directory structure, or, in a more restrictive environment, GitHub and only on the segmented development jump box host or virtual desktop infrastructure (VDI) platform. |
| What are our guidelines for handling this kind of asset? | All source code is expected to reside only in GitHub. Transmission of source code to USB devices or other locations is not allowed. |
| What will be the financial impact resulting from loss? | $5,000,000 to develop |
| What will be the compliance impact resulting from loss? | None |
| What will be the contractual impact resulting from loss? | We have a contract with customer X, who takes protection of its data very seriously. |
Data classification matrix
Create a matrix for classifying data at your company. Following is an example.
|  | Public | Internal | Confidential | Restricted |
|---|---|---|---|---|
| Description | Information freely available and communicated to the general public, with a low likelihood of exposing the company to unnecessary risk. | Information generally available to employees and approved non-employees. Confidentiality of the information is preferred, but it may be subject to open records disclosure. | Information received from third parties pursuant to non-disclosure agreements or equivalent confidentiality provisions, and information whose disclosure has the potential to negatively influence operations, cause financial losses, provide advantages to competitors, cause a drop in consumer confidence, expose employee privacy, or expose the company to legal action. Also includes information whose integrity and availability must be preserved to maintain operational effectiveness. | Information critical to company operations, assets entrusted to the company by others, or information subject to industry, contractual, or legal regulation, or generally under the purview of the legal department. Disclosure, alteration, or destruction of this data represents a significant risk. |
| Examples |  |  |  | Business or insider information; regulated data |
Data handling matrix
Create a matrix of acceptable data handling at your company. Following is an example.
|  | Public | Internal | Confidential | Restricted |
|---|---|---|---|---|
| Portable device (USB) | No | No | No | No |
| Collaboration platforms | Yes | Yes | Yes | Yes, but none to public channels |
| Internal corporate email to internal corporate email | Yes | Yes | Yes | Yes, but none to distribution lists |
| Internal corporate email to external email | Yes | Yes | Yes | Yes, if encrypted |
| Corporate sanctioned cloud storage (e.g. GDrive) | Yes | Yes | Yes, but no public links | Yes, but no public links |
| Corporate sanctioned apps or SaaS | Yes | Yes | Yes, but no public links | Yes, but no public links |
| Customer required cloud storage | Yes | Yes | Yes, but no public links | Yes, but no public links |
| Contractor, third party, or service provider required cloud storage | Yes | Yes | Yes, but no public links | Yes, but no public links |
| File transfer services | Yes | Yes | No | No |
| Printers | Yes | Yes | Yes | Yes |
Unauthorized data transfer and deletion attestation template
Following is an example template you can modify to give your employees in the event they are implicated in a data incident.
Code42 is not providing legal advice. Instead, this template is provided as an example for general informational purposes only. Consult with your legal counsel before using this template.
You signed an Employee Agreement with X Software, Inc. (“X”) and agreed to abide by the Corporate Security Policy. Both your Employee Agreement and Corporate Security Policy require you to protect the confidentiality of data belonging to X (“X Data”). You may only use X Data as required to perform your job duties and only on X approved devices and systems.
We observed a transfer of X Data in violation of your Employee Agreement and the Corporate Security Policy, as described on Exhibit A (“Transfer”).
Due to the seriousness of this matter, we require that you agree and acknowledge that:
- You have permanently deleted all X Data involved in the Transfer (including any copies, duplicates, subsets, extracts, derivatives, and related materials) from all unauthorized devices and systems.
- You have not transferred any other X Data to unauthorized devices or systems.
- You have not provided access to X Data to an unauthorized third party.
- You have reviewed and acknowledged X’s Corporate Security Policy and understand your responsibilities with regard to X Data.
(Any other transfers of X Data, or attempts to transfer X Data, to an unauthorized device or system may result in disciplinary action, including termination.)
If you have any questions regarding this matter or whether a device or system is approved for X Data, please contact security@X.com.
By signing below, I confirm that I understand and agree to the above statements.
By: ________________________________________
Name: ______________________________________
Date: _______________________________________
EXHIBIT A
[Attach documentation of unauthorized transfer]
Additional resources
Following are additional resources to help you determine how to handle data assets:
- Regulations:
- Standards:
- Government agencies:
Related topics
Other articles in this series: