During major organisational change, data is often moved to align with a new operating model. Examples include:
- File system migration – Relocation of typical electronic folders containing documents, spreadsheets, reports, pictures etc.
- Data Extract, Transformation and Load – Strongly typed data, such as that stored in a database is extracted and then loaded into a new system. This can include data from line of business applications, email systems, personnel, payroll, etc.
Managing security risks during data migration
Where data is being migrated using online transfer, organisations should:
- Ensure the destination environment and the communications infrastructure used to conduct data transfers are appropriately secure (e.g. via the use of encryption) for the sensitivities and classifications of data being transferred.
- Use two trusted staff to oversee the transfer and verify that data is being sent to the intended destination. On significant data transfers the investment in an extra set of eyes to double check details is worthwhile.
- Use an Australian Signals Directorate (ASD) Approved Cryptographic Algorithm listed within the Australian Government Information Security Manual (ISM) to generate a checksum prior to and after the transfer to ensure that data has not been corrupted or modified in transit.
- Ensure data is appropriately secured in its destination environment, including any storage where it is being temporarily staged.
Organisations should also consider that activities associated with legitimate data transfers may present a cover opportunity for data exfiltration by advanced adversaries and as such should put in place any additional security controls considered appropriate.
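The checksum step above, as an added example that is not part of this guidance and not ASD tooling: a Go program that streams every file under a directory through SHA-256 (assumed here to be an acceptable hash for the reader's ISM edition; confirm against the current approved list), builds a manifest at the source before the transfer, rebuilds it at the destination afterwards and reports every file that was modified, never delivered, or turned up at the destination without being sent. The directory layout, file names and file contents in main are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Manifest maps a slash-separated path relative to the root to the hex SHA-256 digest of that file.
type Manifest map[string]string

// HashFile streams one file through SHA-256 so large extracts need not fit in memory.
func HashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// BuildManifest hashes every regular file beneath root: once at the source, once at the destination.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.Walk(root, func(p string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if !info.Mode().IsRegular() {
			return nil // directories, symlinks and devices are not hashed
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		sum, err := HashFile(p)
		if err != nil {
			return err
		}
		m[filepath.ToSlash(rel)] = sum
		return nil
	})
	return m, err
}

// Report lists every discrepancy between the source and destination manifests.
type Report struct {
	Modified []string // at both ends, but the digest differs
	Missing  []string // at the source, absent at the destination
	Extra    []string // at the destination, never sent from the source
}

// OK is true only when the destination matches the source exactly.
func (r Report) OK() bool { return len(r.Modified)+len(r.Missing)+len(r.Extra) == 0 }

// Compare checks the destination manifest against the one taken at the source.
func Compare(src, dst Manifest) Report {
	var r Report
	for p, want := range src {
		got, ok := dst[p]
		switch {
		case !ok:
			r.Missing = append(r.Missing, p)
		case got != want:
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range dst {
		if _, ok := src[p]; !ok {
			r.Extra = append(r.Extra, p)
		}
	}
	return r
}

func main() {
	// Constructed demonstration: a destination copy in which one file was altered and one never arrived.
	root, _ := os.MkdirTemp("", "transfer-check")
	defer os.RemoveAll(root)
	src, dst := filepath.Join(root, "source"), filepath.Join(root, "destination")
	for _, base := range []string{src, dst} {
		os.MkdirAll(filepath.Join(base, "hr"), 0o755)
		os.WriteFile(filepath.Join(base, "hr", "staff.csv"), []byte("id,name\n1,A\n"), 0o644)
		os.WriteFile(filepath.Join(base, "ledger.csv"), []byte("acct,bal\n10,5\n"), 0o644)
	}
	os.WriteFile(filepath.Join(dst, "hr", "staff.csv"), []byte("id,name\n1,B\n"), 0o644) // altered
	os.Remove(filepath.Join(dst, "ledger.csv"))                                          // not delivered
	before, _ := BuildManifest(src)
	after, _ := BuildManifest(dst)
	fmt.Printf("%+v\n", Compare(before, after)) // {Modified:[hr/staff.csv] Missing:[ledger.csv] Extra:[]}
}
```

In practice the source manifest is generated by one of the two trusted staff before the transfer starts and kept with the transfer record, so that the destination check is made against a copy the transfer itself could not have altered. An "Extra" entry deserves as much attention as a "Modified" one: a file that arrives without having been sent is the kind of discrepancy the paragraph above on exfiltration cover is warning about.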
Using public cloud as an intermediary
Organisations may also wish to use public cloud storage as an intermediary in transferring data. In such cases, organisations should:
- use cloud storage from a vendor on the Government’s Certified Cloud Services List
- for private, sensitive or classified data, use an ASD Approved Cryptographic Algorithm to encrypt the data before it is transferred
- ensure the cloud storage has appropriate access controls and limits access to only those staff and systems involved in the data transfer.
For Commonwealth entities, the ISM specifies security controls relating to encryption (security control 1162) and use of public cloud for official and classified data (security control 1395). These security controls should be reviewed and applied as appropriate.
Organisations should only consider transferring unencrypted data to public cloud storage if that would be in line with their existing operating models.
Organisations are reminded that the Privacy Act 1988 (the Privacy Act) obligates them to take reasonable steps, such as those outlined above, to protect private information in their possession.
Physical data transfers
For physical data transfers, organisations should:
- encrypt data using an ASD Approved Cryptographic Algorithm with key transferred via an alternate secure path
- transfer the media containing the data from person to person using trusted staff
- protect the media in an appropriately secure briefcase or container during transit.
For Commonwealth entities, the ISM specifies security controls relating to encryption of data at rest outside Security Zones (security controls 1161 and 0459). Furthermore, recommendations in the Attorney-General’s Department’s Protective Security Policy Framework (PSPF) for official and classified data should be reviewed and applied as appropriate.
Organisations conducting physical transfers should be mindful that media used for transfer will likely retain a recoverable copy of data stored on it. This is particularly relevant if organisations do not encrypt data for transfer. As such, media should be sanitised before being released for general use or disposal. The ISM contains guidance on media sanitisation, destruction and disposal.
Preparing for security risks after data migration
Preserving file system permissions
When transferring file systems, organisations may need to take additional steps to preserve access control lists. In many cases there is no native support to move access control lists between different systems (such as between two Microsoft Windows servers in different domains). Aftermarket tools and other processes are available to support this requirement if needed.
New business rules
If data is imported into a new system it may be subject to a different set of business rules and organisations may unintentionally provide more access than required.
Before importing data into an existing system, organisations should review the system and data architecture, business rules, and security architecture with a view to the newly imported data, and satisfy themselves that access remains in line with business rules and cyber security principles such as least privilege.
Importing bad data
An organisation importing file system data should take reasonable steps to ensure data is free from malicious software. Organisations should scan the imported data with two high-quality antivirus products with up-to-date signatures. This should include scanning imported email boxes, irrespective of whether they come in database format or not.
Microsoft Office macro security
Organisations that have implemented Microsoft Office macro security, in line with the Essential Eight, may need to consider how they will vet and approve any macro enabled files which arrive as part of a data transfer.
Organisations which only permit vetted and approved macros to run will need to ensure that incoming staff understand the process for macro vetting and approval. The staff that vet macros should be prepared for a spike in workload in the short term, with a scaled increase in workload based on the size of the new organisation in the long term. Additional staff may need to be allocated to this role.
Organisations may also need to identify any critical macros that support key business functions so that review and enablement of these macros can be tasked as part of the data transfer activity to minimise interruption to business.
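Sizing the vetting workload and finding the business-critical macros described above both start with an inventory of which incoming files actually carry macros. The following Go program is an added example, not part of this guidance or of the Essential Eight material. It walks an imported file tree, opens each Office Open XML document as the zip container it is and checks for a vbaProject.bin part, so a VBA project is found even when the extension (.docx rather than .docm) does not declare it; legacy binary formats (.doc, .xls, .ppt) are queued for manual inspection rather than parsed, and an Office extension on a file that is not a valid container is queued as unreadable. The WriteZip helper and the file names in main are constructed stand-ins for real documents.

```go
package main

import (
	"archive/zip"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// Finding is one file held for macro vetting, with the reason it was queued.
type Finding struct{ Path, Status, Note string }

// Office file kinds by extension: "legacy" binary formats, "ooxml" zip containers whose
// extension does not declare macros, and "macro" containers whose extension does.
var extKind = map[string]string{
	".doc": "legacy", ".dot": "legacy", ".xls": "legacy", ".xlt": "legacy", ".ppt": "legacy", ".pot": "legacy",
	".docx": "ooxml", ".dotx": "ooxml", ".xlsx": "ooxml", ".xltx": "ooxml", ".pptx": "ooxml", ".potx": "ooxml",
	".docm": "macro", ".dotm": "macro", ".xlsm": "macro", ".xltm": "macro", ".pptm": "macro", ".potm": "macro",
}

// ContainsVBA opens an OOXML file as a zip container and reports whether it carries a vbaProject.bin part.
func ContainsVBA(p string) (bool, error) {
	r, err := zip.OpenReader(p)
	if err != nil {
		return false, err
	}
	defer r.Close()
	for _, f := range r.File {
		if strings.EqualFold(path.Base(f.Name), "vbaProject.bin") {
			return true, nil
		}
	}
	return false, nil
}

// Classify decides whether one file needs to go through macro vetting.
func Classify(p string) Finding {
	kind := extKind[strings.ToLower(filepath.Ext(p))]
	switch kind {
	case "legacy":
		return Finding{p, "legacy", "binary Office format; may embed VBA, inspect manually"}
	case "ooxml", "macro":
		has, err := ContainsVBA(p)
		if err != nil {
			return Finding{p, "unreadable", "not a valid OOXML container: " + err.Error()}
		}
		if !has {
			return Finding{p, "clean", ""}
		}
		if kind == "ooxml" {
			return Finding{p, "macro", "VBA project present but extension does not declare macros"}
		}
		return Finding{p, "macro", "VBA project present"}
	}
	return Finding{p, "clean", ""} // not an Office document
}

// Triage walks root and returns every file that should be held for vetting.
func Triage(root string) ([]Finding, error) {
	var queue []Finding
	err := filepath.Walk(root, func(p string, info os.FileInfo, walkErr error) error {
		if walkErr != nil || !info.Mode().IsRegular() {
			return walkErr
		}
		if f := Classify(p); f.Status != "clean" {
			queue = append(queue, f)
		}
		return nil
	})
	return queue, err
}

// WriteZip builds a minimal zip container with the given entry names: a constructed
// stand-in for a real Office document, used only by the demonstration below.
func WriteZip(p string, entries ...string) error {
	f, err := os.Create(p)
	if err != nil {
		return err
	}
	defer f.Close()
	w := zip.NewWriter(f)
	for _, name := range entries {
		if _, err := w.Create(name); err != nil {
			return err
		}
	}
	return w.Close()
}

func main() {
	// Constructed tree: a declared macro file, a clean file, a .docx hiding VBA, and a legacy workbook.
	root, _ := os.MkdirTemp("", "macro-triage")
	defer os.RemoveAll(root)
	WriteZip(filepath.Join(root, "budget.xlsm"), "[Content_Types].xml", "xl/workbook.xml", "xl/vbaProject.bin")
	WriteZip(filepath.Join(root, "memo.docx"), "[Content_Types].xml", "word/document.xml")
	WriteZip(filepath.Join(root, "notes.docx"), "[Content_Types].xml", "word/document.xml", "word/vbaProject.bin")
	os.WriteFile(filepath.Join(root, "old.xls"), []byte("legacy stub"), 0o644)
	queue, _ := Triage(root)
	for _, f := range queue {
		fmt.Printf("%-10s %-12s %s\n", f.Status, filepath.Base(f.Path), f.Note)
	}
}
```

Run against the staged import before it is released to users, the queue it produces is the list the vetting staff work from, and the count of "macro" findings is the short-term spike in workload the paragraph above anticipates. Files whose extension and content disagree are worth reviewing first, since a mismatch is itself a reason to look closely.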
Different security context
Data that arrives as part of a data transfer may be exposed to a greater security risk if it is placed in an environment with a lower cyber security posture. Organisations should pay particular attention to high value assets including:
- sensitive data about people
- key intellectual property
- commercially sensitive data.
Before transferring data, the current custodian or owner should ensure that the data will be protected with an equivalent or greater level of security at the destination. Alternatively, if there is an increase in security risk, then this should be communicated to the current and new owners.
Organisations are reminded that the Privacy Act obligates them to take reasonable steps to protect private information in their possession, including assessing the security context of any partner or other organisation they share private information with.
Decommissioning old data holdings
Once it has been confirmed that data has been transferred between organisations successfully, organisations may need to delete any historical copies. In such cases, organisations should be mindful of their need to retain official records in accordance with the legislation in their jurisdiction and should seek advice from their archives office.
Organisations are also reminded that the Privacy Act requires them to either destroy or de-identify private information if they no longer have a valid reason to retain it. Organisations should review the Australian Privacy Principles and the Privacy Act for further information.
For specific advice on how to sanitise media and dispose of ICT assets, organisations should review guidance in the ISM. Organisations should also consider how they address their cloud holdings. For specific advice on how to sanitise cloud storage and compute, organisations should consult their cloud service provider’s advice. Finally, for destruction of physical records, organisations should seek guidance from the PSPF.