Asset Security

Question 1

VALUE OF ASSETS

Answer 1

Qualitative or

Quantitative

Question 2

PROTECTION OF VALUABLE ASSETS

Answer 2

SHOULD BE BASED ON VALUE

Question 3

EXAMPLES OF VALUABLE ASSETS

Answer 3

People

Information/data

Hardware

Reputation

Architectures

Software

Products

Processes

Intellectual Property/Ideas

Question 4

IDENTIFICATION AND DISCOVERY OF ASSETS

Answer 4

Inventory

Needs to be formal process

Question 5

ASSET CLASSIFICATION

Answer 5

Requires management support, commitment, and conviction

Accountability

Policies

Training/awareness/education

Question 6

CLASSIFICATION PROCESS

Answer 6

1. Asset inventory
2. Determine and assign ownership
3. Classify based on value
4. Protect and handle based on classification
5. Reassess (back to step 1)

Ensures information is market in such a way that only those with an appropriate level of clearance can have access to it.

Question 7

CATEGORIZATION

Answer 7

The process of determining the impact of the loss of confidentiality, integrity, or availability of the information to an organization.

Question 8

ASSET LIFECYCLE

Answer 8

1. Identify and classify
2. Secure and store
3. Monitor and log
4. Recover
5. Disposition
6. Archive or
7. Destruction (defensible)

Question 9

EQUIPMENT LIFECYCLE

Answer 9

1. Define requirements
2. Acquire and implement
3. Operations and maintenance
4. Disposal and decommission

Question 10

CLASSIFICATION VS. CATEGORIZATION

Answer 10

CLASSIFICATION
The act of forming into a class or group
A distribution into groups, as classes according to common attributes

CATEGORIZATION
The process of sorting or arranging things into classes

Question 11

CLASSIFICATION AND CATEGORIZATION SYSTEMS

Answer 11

Canada’s - Security of Information Act

China’s - Guarding State Secrets

UK’s - Official Secrets Act

US NIST’s - Federal Information Processing Standards (FIPS 199)

NIST’s SP800-60 - Guide for Mapping Types of Information and Information Systems to Security Categories

Question 12

DATA CLASSIFICATION POLICY

Answer 12

Who will have access to data
How the data is secured
How long the data is to be retained
What methods should be used to dispose of data
Whether the data needs to be encrypted
The appropriate use of the data

Question 13

EXAMPLES OF CLASSIFICATION LEVELS

Answer 13

Top Secret
Company Restricted
Company Confidential
Public

Question 14

CLASSIFICATION ACTIONS

Answer 14

Done by owners

Data owner should decide the classification

Owners should review the classification on a regular basis and adjust it as necessary

Classification should allow for increase or decrease

Changes need to be documented

Question 15

PURPOSE OF CLASSIFICATION

Answer 15

Ensure that data receive appropriate level of protection

Provide security classifications that will indicate the need and priorities for security protection

Minimize the risks of unauthorized information alteration

Avoid unauthorized disclosure

Maintain competitive edge

Protect legal tactics

Comply with privacy laws, regulations, and industry standards

Question 16

CLASSIFICATION BENEFITS

Answer 16

Awareness among employees and customers of in the organization’s commitment to protect the information

Identification of critical information

Identification of vulnerabilities to modification - enable focus on integrity controls

Sensitivity to the need to protect valuable information

Question 17

ASSETS MANAGEMENT TERMS

Answer 17

DATA SUBJECT
DATA OWNER
DATA CUSTODIAN
DATA STEWARD
PERSONAL DATA
PROCESSING
DATA CONTROLLER
DATA PROCESSOR

Question 18

DATA OWNERSHIP

Answer 18

Accountable for important information security activities surrounding the life-cycle of information to:

Protect it

Ensure it is available to only those who require access

Destroy it when it is no longer needed

Question 19

INFORMATION OWNER

Answer 19

Have broader responsibilities than Data Owners

Responsibilities:

Determine the impact the information has on mission

Understand the replacement cost of the information

Know when the information is no longer accurate, needed , or should be destroyed

Determine who has a need for the information and under what circumstances it should be released

Question 20

DATA CUSTODIAN

Answer 20

Deals with consequences of the use of the data and responsible for integrity

Adherence to appropriate and relevant data policies, and procedures, baselines and guidelines

Ensuring accessibility to appropriate users, maintaining appropriate levels of security

Fundamental data maintenance, including but not limited to data storage and archiving

Data documentation, including updates to documentation

Assurance of quality and validation of any additions to data, including supporting periodic audits to ensure ongoing data integrity

Question 21

DATA PROTECTION BY ROLE

Answer 21

DATA OWNER - Accountable

DATA CONTROLLER - Accountable

DATA CUSTODIAN - Responsible

DATA STEWARD - Responsible

DATA PROCESSOR - Responsible

DATA SUBJECT - Control

Question 22

SOUND RECORD RETENTION POLICY

Answer 22

Train staff

Audit retention and destruction practices

Periodically review policy

Document policy, implementation, training and audits

Question 23

RECORD RETENTION HINTS

Answer 23

Information and data should only be kept as long as it is required (preferably legally required)

Keeping data longer than needed keeps RISK longer than needed

Data is a “snapshot” of information, which si always changing.

Question 24

ASSET RETENTION BEST PRACTICES

Answer 24

Promote cross-functional ownership

Promote cross-functional ownership for archiving, retention, and disposal policies

Plan and practice data retention and orderly disposal

Key areas of focus: media, hardware and personnel

Question 25

EXAMPLES OF DATA RETENTION POLICIES

Answer 25

European Document retention Guide 2013

State of Florida Electronic Records and Records Management Practices, November 2010

The Employment Practices Code, Information Commissioner’s Office, UK, November 2011

Wesleyan University, Information Technology Services Policy Regarding Data Retention for ITS-Owned Systems, September 2013

Visteon Corporation, International Data Protection Policy, April 2013

Texas State Records Retention Schedule (Revised 4th Edition)

Question 26

ESTABLISHING INFORMATION GOVERNANCE AND RETENTION POLICIES

Answer 26

Understand where the data is

Classify and define data

Archive and manage data

Question 27

EFFECTIVE ARCHIVING AND DATA RETENTION POLICIES

Answer 27

INVOLVE ALL STAKEHOLDERS

ESTABLISH COMMON OBJECTIVES FOR SUPPORTING ARCHIVING AND DATA RETENTION BEST PRACTICES WITHIN THE ORGANIZATION

MONITOR, REVIEW, AND UPDATE DOCUMENTED DATA RETENTION POLICIES AND ARCHIVING PROCEDURES

Question 28

SOUND RECORD RETENTION POLICY

Answer 28

EVALUATE STATUTORY REQUIREMENTS, LITIGATION OBLIGATIONS AND BUSINESS NEEDS

CLASSIFY TYPES OF RECORDS

DETERMINE RETENTION PERIODS AND DESTRUCTION PRACTICES

DRAFT AND JUSTIFY RECORD RETENTION POLICY

TRAIN STAFF

AUDIT RETENTION AND DESTRUCTION PRACTICES

PERIODICALLY REVIEW POLICY

DOCUMENT POLICY, IMPLEMENTATION, TRAINING AND AUDITS

Question 29

DATA QUALITY

Answer 29

DATA CAPTURE AND RECORDING AT THE TIME OF GATHERING

DATA MANIPULATION PRIOR TO DIGITIZATION

IDENTIFICATION OF THE COLLECTION AND ITS RECORDING

DIGITIZATION OF THE DATA

DOCUMENTATION OF THE DATA

DATA STORAGE AND ARCHIVING

DATA PRESENTATION AND DISSEMINATION

USING THE DATA

Question 30

DATA QUALITY STANDARDS

Answer 30

ACCURACY

PRECISION

RESOLUTION

RELIABILITY

REPEATABILITY

REPRODUCIBILITY

CURRENCY

RELEVANCE

ABILITY TO AUDIT

COMPLETENESS

TIMELINESS

Question 31

Organization for Economic Co-Operation and Development (OECD)
PRIVACY GUIDELINES

Answer 31

Collection Limitation

Data Quality

Purpose Specification

Use Limitation

Security Safeguards

Openness

Individual Participation

Accountability

Question 32

COLLECTION LIMITATION PRINCIPLE

Answer 32

There should be limits on the collection of data

Should be obtained by lawful and fair means

With the knowledge and consent of the subject

Question 33

QUALITY CONTROL (QC)

Answer 33

An assessment of the quality based on INTERNAL standards, processes, and procedures established to control and monitor quality.

Question 34

QUALITY ASSURANCE (QA)

Answer 34

An assessment of quality based on standards EXTERNAL to the process and involves reviewing of the activities and quality control processes to ensure final products meet predetermined standards of quality.

Question 35

ASSESSING AND IMPROVING DATA QUALITY

Answer 35

DATA QUALITY

DATA VERIFICATION

PREVENTION

CORRECTION

Question 36

BASELINES

Answer 36

MINIMUM LEVEL OF PROTECTION THAT CAN BE USED AS A REFERENCE POINT.

Question 37

SCOPING

Answer 37

LIMITING THOSE GENERAL BASELINE RECOMMENDATIONS BY REMOVING THOSE THAT DON’T APPLY.

Question 38

TAILORING

Answer 38

ALTERING BASELINE RECOMMENDATIONS TO APPLY MORE SPECIFICALLY

SCOPING THE ASSESSMENT PROCEDURES TO MORE CLOSELY MATCH THE CHARACTERISTICS OF THE INFORMATION SYSTEM AND ITS ENVIRONMENT OF OPERATION.

Question 39

BASELINE CATALOGS

Answer 39

INTERNATIONAL AND NATIONAL STANDARDS ORGANIZATIONS

INDUSTRY STANDARDS OR RECOMMENDATIONS

OTHER COMPANIES IN SIMILAR SECTOR

Question 40

GENERALLY ACCEPTED PRINCIPLES

Answer 40

INFORMATION SYSTEM SECURITY OBJECTIVES

PREVENT, DETECT, RESPOND AND RECOVER

PROTECTION OF INFORMATION WHILE BEING PROCESSED, IN TRANSIT AND IN STORAGE

EXTERNAL SYSTEMS ARE ASSUMED TO BE INSECURE

RESILIENCE FOR CRITICAL INFORMATION SYSTEMS

AUDITABILITY AND ACCOUNTABILITY

Question 41

LIFE-CYCLE OF NORMAL SYSTEM OPERATION

Answer 41

PREVENT

DETECT

RESPOND

RECOVER

Question 42

WHERE TO PROTECT DATA

Answer 42

IN PROCESS

IN TRANSIT

IN STORAGE

Question 43

RESILIENCE

Answer 43

ABILITY TO RETURN TO A KNOWN SET OF NORMAL OPERATIONS - WHEN ABNORMAL OPERATIONS ARE DETECTED.

Question 44

CSIS 20 CRITICAL SECURITY CONTROLS INITIATIVE

Answer 44

OFFENSE INFORMS DEFENSE

PRIORITIZATION

METRICS

CONTINUOUS MONITORING

AUTOMATION

Question 45

NIST SECURITY CONTENT AUTOMATION PROTOCOL (SCAP)

Answer 45

SUITE OF SPECIFICATIONS

MULTI-PURPOSE FRAMEWORK OF SPECIFICATIONS

Question 46

SCAP VERSION 1.2 CATEGORIES

Answer 46

LANGUAGES

REPORTING FORMATS

ENUMERATIONS

MEASUREMENT AND SCORING SYSTEMS

INTEGRITY

Question 47

FRAMEWORK CORE COMPONENTS

Answer 47

FRAMEWORK CORE IS A SET OF CYBER-SECURITY ACTIVITIES, DESIRED OUTCOMES, AND APPLICABLE REFERENCES THAT ARE COMMON ACROSS CRITICAL INFRASTRUCTURE SECTORS.

FRAMEWORK IMPLEMENTATION TIERS

FRAMEWORK PROFILE

Question 48

DATA STATES

Answer 48

DATA AT REST

DATA IN MOTION

DATA IN USE

Question 49

DATA AT REST

Answer 49

BACKUP DATA

OFFSITE STORAGE

PASSWORD FILES

OTHER SENSITIVE INFORMATION

USUALLY PROTECTED VIA CRYPTOGRAPHIC ALGOS

Question 50

DATA AT REST RECOMMANDATIONS

Answer 50

IMPLEMENT CONTROLS SUCH AS ENCRYPTION, ACCESS CONTROL AND REDUNDANCY

DEVELOP AND TEST AN APPROPRIATE DATA RECOVERY PLAN

USE COMPLAINT ENCRYPTION ALGOS

WHENEVER POSSIBLE USE AES FOR ENCRYPTION ALGOS DUE TO SPEED AND STRENGTH

FOLLOW STRONG PASSWORD REQUIREMENTS

DO NOT USE THE SAME PASSWORD FROM OTHER SYSTEMS

USE SECURE PASSWORD MANAGEMENT TOOLS TO STORE SENSITIVE INFORMATION SUCH AS PASSWORDS AND KEYS

SEND PASSWORDS SEPARATELY FROM ENCRYPTED FILE

DO NOT WRITE DOWN PASSWORD AND DO NOT STORE AT SAME LOCATION AS STORAGE MEDIA

VERIFY THAT REMOVABLE MEDIA WORKS USING DECRYPTION

DELETE USING DELETION GUIDELINES

REMOVABLE MEDIA SHOULD BE LABELED WITH TITLE, DATA OWNER AND ENCRYPTION DATE

Question 51

DATA IN TRANSIT PROTECTIONS

Answer 51

PREVENT THE CONTENTS OF THE MESSAGE FROM BEING REVEALED EVEN IF THE MESSAGE WAS

INTERCEPTED OR IN TRANSIT (EMAIL)

Question 52

DATA IN TRANSIT

Answer 52

DATA THAT MOVES - USUALLY ACROSS NETWORKS IS IN MOTION OR IN TRANSIT

Question 53

LINK ENCRYPTION

Answer 53

ENCRYPTS ALL DATA ALONG A COMMUNICATIONS PATH - USUALLY DONE BY SERVICE PROVIDERS

Question 54

END-TO-END ENCRYPTION

Answer 54

DATA IS ENCRYPTED AT START OF TRANSMISSION AND ONLY DECRYPTED AT THE REMOTE END

ROUTING INFORMATION REMAINS VISIBLE

Question 55

DATA IN USE

Answer 55

DATA BEING PROCESSED

NEEDS TO BE PROTECTED BY SECURE ENCLAVES (LAYERS OR VIRTUAL MACHINES)

Question 56

ENCLAVE

Answer 56

TERRITORY THAT IS ISOLATED OR DISTINCT FROM ANOTHER TERRITORY.

Question 57

INSECURE AND SECURE PROTOCOLS

Answer 57

TYPE INSECURE SECURE

Web Access HTTP HTTPS
File Transfer FTP, RCP FTPS, SFTP, SCP
Remote Shell telnet SSH v3
Remote Desktop VNC radmin, RDP

Question 58

PICKING ENCRYPTION ALGOS

Answer 58

The longer the key the better with complex passwords

Question 59

PICKING WIRELESS ENCRYPTION PROTOCOLS

Answer 59

ONLY STRONG ALGOS LIKE WPA2

Question 60

MEDIA

Answer 60

Media with sensitive information requires physical and logical controls

Media lacks means for digital accountability when the data is not encrypted

Extensive care must be taken when handling sensitive media

ENCRYPTION DOESN’T ENSURE ACCOUNTABILITY

Question 61

MARKING

Answer 61

Storage media must have:

Physical Label with sensitivity contained

Label should reflect if data is encrypted

Label may contain point of contact and retention period

When media is found without label it should be labeled at the highest sensitivity until identified

Question 62

HANDLING

Answer 62

Only designated personnel with sensitive media

Policies and procedures regarding proper handling of sensitive media should be communicated

Individuals handling the media should be trained on policies and procedures

Question 63

STORING

Answer 63

Sensitive media should not be left lying around where a passerby could access it

Wherever possible backup media should be encrypted and stored in a container

Question 64

DESTRUCTION

Answer 64

Media that is no longer needed or is defective should be defensively destroyed rather than simply disposed of.

Question 65

RECORD OF RETENTION

Answer 65

Information and data should only be kept as long as it’s required

Ensure that:

The organization understands the retention requirements for different types of data in the organization

The organization documents in a record’s schedule the retention requirements for each type of information

The systems, processes and individuals of the organization retain information in accordance with the schedule but no longer

Question 66

DATA REMANENCE

Answer 66

The residual physical representation of the data that has been in some way erased

After media is erased there may be some physical characteristics that allow data to be reconstructed

Question 67

DATA REMANENCE COUNTERMEASURES

Answer 67

Clearing

Purging

Destruction

Question 68

CLEARING

Answer 68

The removal of sensitive data from storage devices so there is assurance that the data may not be reconstructed using normal system function or software file/data recovery utilities

The data may still be recoverable - but not without special laboratory techniques

Question 69

PURGING

Answer 69

The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique

Question 70

DESTRUCTION

Answer 70

The storage media is made unusable for conventional equipment

Effectiveness of destroying the media varies

Destruction using appropriate techniques is the most secure method of preventing retrieval and referred to as “defensible destruction”

Question 71

DATA DESTRUCTION METHODS

Answer 71

OVERWRITING

DEGAUSSING

ENCRYPTION

Question 72

DEFENSIBLE DESTRUCTION

Answer 72

Physically breaking the media apart

Chemically altering the media into non-readable, non-reverse-constructible state

Phase transition

For magnetic media, raising its temperature above the Curie Temperature

Question 73

SOLID-STATE DRIVE (SSD) DESTRUCTION

Answer 73

SSD’s use flash memory for data storage and retrieval

Flash memory differs from magnetic memory in one key way: flash memory cannot be overwritten

Unlike HDD’s - overwriting is not effective for SSD’s

Cryptographic erasure, or crypto-erase, takes advantage of the SSD’s built-in data encryption

The best type of data destruction method is a combination of crypto-erase, sanitization, and targeted overwrite passes

Question 74

CLOUD-BASED DATA REMANENCE

Answer 74

Little to no visibility in to the management and security of the data in many cases

PaaS-based architecture can actually provide a solution for the issues raised by the data remanence in the cloud

Crypto-Erase/Crypto Shredding can work