CCSP Book Chapter 3: Data Classification Flashcards

1
Q
  • Data Owner
  • Data Custodian
  • Processing
  • Data Processor
  • Who is responsible for the data?
A
  • Data Owner - aka data controller; it is the organization or individual that has collected or created the data; From a cloud perspective, the cloud customer is the data owner
  • Data Custodian - could be a database administrator; any person that is tasked with the daily maintenance and administration of the data; they must also apply proper security controls and processes as directed by the data owner;
  • Processing - anything that can be done to the data (copying it, printing it, destroying it, using it)
  • Data Processor - any organization or person that manipulates, stores, or moves the data on behalf of the data owner; The CSP is the data processor; Data processors may not have a direct relationship with the data owner, they can be 3rd party or even further removed down the supply chain
  • Who is responsible for the data? - data owners are always responsible for their data even if the data processor is responsible for the data being compromised;
2
Q

Phases of the Data Lifecycle

A
  1. Create (data owner determined at this stage)
  2. Store
  3. Use
  4. Share
  5. Archive
  6. Destroy
3
Q
  • Data Categorization
  • Data Classification
  • Data Mapping
  • Data Labeling
A
  • Data Categorization - can categorize data any way by its use; i.e. Functional Unit, by project, regulatory compliance, business function
  • Data Classification - can classify in any way by its trait; i.e. Sensitivity, Jurisdiction, Criticality
  • Data Mapping - data between organizations (or even departments) must be normalized and translated so that it conforms in a way that is meaningful to both parties; i.e. if data is classified as sensitive in one organization and that data is transferred, the other organization should understand the protection mechanisms that should be put in place for that data
  • Data Labeling - indicate who data owner is (usually in terms of office or role, not name), date of creation, date of scheduled destruction/disposal, confidentiality level, handling directions, disseminations/distribution instructions, access limitations, source, jurisdiction, applicable regulation
4
Q
  • Data Discovery Methods
    • Label-Based Discovery
    • Metadata-Based Discovery
    • Content-Based Discovery
A
  • Data Discovery Methods - could mean several kinds of tasks are taking place; i.e. attempts to create an initial inventory, e-discovery to find electronic evidence for investigation or lawsuit, or datamining tools to discover trends and relations in data already in organization’s inventory
    • Label-Based Discovery - labels created in the create phase make it easy to discover data through the label.
    • Metadata-Based Discovery - metadata is often automatically created in the SW or HW used to create the parent data; i.e. Digital cameras create a lot of metadata
    • Content-Based Discovery - as it states - discovering data based on content
5
Q
  • Datamining
  • Real-Time Analysis
  • Agile Business Intelligence
  • Structured vs Unstructured Data
A
  • Datamining - ability to run queries on big data to detect trends and patterns
    • Real-Time Analysis - concurrently create and use data while datamining
  • Agile Business Intelligence - state of the art datamining that involves recursive and iterative tools that can detect trends in trends
    • Structured vs Unstructured Data - structured data is sorted according to meaningful attributes; unstructured data is unsorted
6
Q
  • Jurisdictional Requirements
    • The U.S.
    • Europe
    • Asia
    • South/Central America
    • Australia/New Zealand
A
  • Jurisdictional Requirements - challenge with having data in the cloud is not knowing where that data is located
    • The U.S. - there is no overarching federal statute, but there is industry-specific legislation (i.e. HIPAA, GLBA, PCI, etc)
    • Europe - EU General Data Protection Regulation (EU GDP Regulation)
    • Asia - each country follows different things. Japan and Singapore follow EU GDP Regulations whereas China has the opposite view of privacy and everything must be accessible through the Chinese government.
    • South/Central America - similar to Asia, follows different things and lacks privacy protection frameworks with exception of Argentina that follows similar regulation as EU GDP with its Personal Data Protection Act
    • Australia/New Zealand - has Australian Privacy Act which maps to EU GDP statutes
7
Q
  • IRM
    • IP
    • Copyright
    • Fair Use
A
  • Information Rights Management (IRM) aka DRM (data rights), ERM (enterprise data) E-DRM (enterprise-data rights) - managing information according to who has the rights to it
    • Intellectual Property Protections - valuable belongings that are intangible
      • Copyright - the legal protection for the expression of ideas; i.e. film, music, software, art work;
        • this does not protect the title of the works, i.e. if someone wanted to make another movie called Star Wars with a different storyline, they can;
        • it does not cover ideas, specific words, slogans, recipes, formulas;
        • protects the tangible expression of an idea, not the form of an idea i.e. copyright protects the content of a book, not the actual hard cover; copying the contents of a book is copyright infringement and stealing the book is theft;
        • copyright belongs to the author or whoever they sell those copyrights to, not the owner of the physical book; the creator is the only one who can perform the work, profit from it, make copies, broadcast, sell etc
        • duration: typically 70 years after the author’s death or 120 years after the first publication of a work for hire;
        • copyright infringement - usually dealt with via civil case. if demonstrated willful infringement, can be criminal case (i.e. piracy)
        • Fair Use - there are exceptions to copyright exclusivity
8
Q
  • Trademarks
  • Patents
  • Trade Secrets
A
  • Trademarks - applied to specific words and graphics; representations of an organization, its brand (name, logo, phrase, color, sound, etc). Must be registered within jurisdiction (USPTO); USPTO, federally owned - R symbol to signify trademark. States also offer trademark registration and that is symbolized by TM
    • Lasts forever, never expires as long as it's being used; Trademark infringement exists;
  • Patents - also done at the USPTO; protects intellectual property (inventions, processes, materials, decorations, plant life); typically lasts for 20 years; process to get patent can take many months, years; patent infringement exists; Globally, patent holders may apply to World Intellectual Property Office (WIPO) for approval under Patent Cooperation Treaty which has 152 signatory member nations;
  • Trade Secrets - intellectual property that involves many of the same aspects as patents (processes, formulas, commercial methods); This also includes aggregations of information (lists of clients, suppliers, etc); similar to copyrights where protections exist upon creation with no additional requirements for registration; must be kept a secret;
    • Trade secret protection is not exclusive, so if another person has the same or similar methods, processes they are legally free to use that to their own benefit (i.e. Pepsi and Coca Cola); Even someone who discovers someone else’s secret through legitimate means is free to patent it; Lasts forever as long as owner is using it
9
Q

IRM Tool Traits

  • Rudimentary Reference Checks
  • Online Reference Checks
  • Local Agents Checks
  • Presence of Licensed Media
  • Support-Based Licensing
  • Replication Restrictions
  • Jurisdictional Conflicts
  • Agent/Enterprise Conflicts
  • Mapping Identity and Access Management (IAM) and IRM
A

IRM Tool Traits

  • Rudimentary Reference Checks - content itself can check for proper usage or ownership (i.e. vintage computer games would pause and have player confirm information to prove ownership)
  • Online Reference Checks - i.e. Microsoft Office online checks for license
  • Local Agents Checks - i.e. Steam. tool checks protected content against user’s license to make sure games are not pirated
  • Presence of Licensed Media - some IRM tools require the presence of licensed media, such as disks; disks have cryptographic media
  • Support-Based Licensing - IRM implementation (i.e. updates) are predicated on the need of continual support; this is true for production software; i.e. a licensed user is able to update and patch whereas unlicensed user cannot
  • Replication Restrictions - no copying
  • Jurisdictional Conflicts - can only be used in certain locations; may be a problem when working in the cloud
  • Agent/Enterprise Conflicts - IRM may be required to be installed locally, may not always function on BYOD or in cloud
  • Mapping Identity and Access Management (IAM) and IRM - IRM IAM may not align with enterprise/cloud IAM
10
Q
  • API conflicts
    • Persistent Protection
    • Dynamic Policy Control
    • Automatic Expiration
    • Continuous Auditing
    • Replication Restrictions
    • Remote Rights Revocation
A
  • API conflicts - IRM tool does not work across all different applications (i.e. Windows, Apple, Linux). They should have the following minimum functions regardless of the type of content or format:
    • Persistent Protection - protection of the content should be consistent and persistent across all platforms
    • Dynamic Policy Control - the IRM tool should allow content creator and data owners to modify ACLs and permissions for the protected data
    • Automatic Expiration - IRM protections should cease when legal protections cease; for licenses, when they expire, access should end
    • Continuous Auditing - comprehensive monitoring of content’s use and access history
    • Replication Restrictions - restrict replication in every form (screenshot, printing, electronic duplication, email attachments, etc)
    • Remote Rights Revocation - owner should be able to revoke rights at any time as a result of litigation or infringement
11
Q

Include the following in Data Retention Policy

  • Retention Periods
  • Applicable Regulation
  • Retention Formats
  • Data Classification
  • Archiving and Retrieval Procedures
  • Monitoring, Maintenance, and Enforcement
  1. Considering cloud migration and data retention
  2. Legal Hold
  • At what phase of the data lifecycle is this policy applied to?
A

Data Retention Policy

  • Retention Periods - length of time organization should retain data; this is usually data that has been archived for long-term storage; this can be changed in contract or based on statute (regulatory guidance)
  • Applicable Regulation - several regulations can be conflicting, so important to list applicable regulatory guidance; if there are conflicts, important to explain senior management decision to resolve issue
  • Retention Formats - description of how data is archived (i.e. what media it is stored on, handling specifications, retrieval procedures); i.e. there are regulations that require data to be encrypted when archived;
  • Data Classification - this should be defined in policy. the higher the level, the more protection and longer retention period
  • Archiving and Retrieval Procedures - this could be addendum to policy because it may need constant updates; Storage of data can be very useful to correct production errors, BC/DR backups, and datamining for business intelligence purposes; Important to define procedures on how to send data into storage to be archived and how to recover it and use it in production
  • Monitoring, Maintenance, and Enforcement - as with all policies, the policy should detail how often the policy will be reviewed, by whom, and consequences for failure to adhere to the policy and who is responsible for enforcing policy
  1. Considering cloud migration and data retention - when migrating to cloud, ensure CSP can adhere to organization’s retention policy; it is difficult to ensure the CSP is not retaining organization’s data beyond the retention period
  2. Legal Hold - legal hold supersedes organization’s retention and destruction policies; if an organization is being sued, they must halt all data destruction of relevant data until the lawsuit has been fully resolved; Legal holds even supersede Federal Laws such as HIPAA; considered temporary paramount retention period
  • At what phase of the data lifecycle is this policy applied to? - archive phase
12
Q

Data Audit

  • What would be included in Audit Policy?
  • What should an organization ensure Auditor does not have with Organization?
  • Why is auditing logs challenging?
  • How can auditing pose a challenge for organizations using the cloud?
  • What phases of the data lifecycle does the data audit policy address?
A

Data Audit

  • What would be included in Audit Policy - Audit periods, scope, responsibilities (internal and/or external, processes and procedures, regulations, monitoring, maintenance, and enforcement)
  • What should an organization ensure Auditor does not have with Organization - The organization should ensure auditors do not have any type of relationship with data owners and auditors should not report to data owners about their audit to avoid conflict of interest
  • Why is auditing logs challenging? - it is not a priority, organizations do not have the resources to spend so much time on repetitive tasks; requires someone who is new and experienced; need someone with understanding of the operation
  • How can auditing pose a challenge for organizations using the cloud? - the cloud provider may not want to, or be able to (due to operational or contractual reasons) disclose log data to the customer for security, liability, or competitive reasons
  • What part of the data lifecycle does the data audit policy address? - all phases; it is important to know how data is being audited in each phase of the data lifecycle (creation, store, use, share, archive, destroy)
13
Q

Data Destruction / Disposal

  • Traditional Environment vs Cloud
  • What to include in policy
  • What is a concern for any of these methods?
  • What phase of the data lifecycle does this policy apply to?
A

Data Destruction / Disposal

  • Traditional Environment vs Cloud -
    • Traditional
      • Physical Destruction of Media and HW - burning, melting, impact (beating, drilling, grinding) or industrial shredding; *preferred method since data is unrecoverable*
      • Degaussing - applying strong magnetic fields to HW and media and clearing them; does NOT work on solid state drives
      • Overwriting - multiple passes of random chars are written to storage areas, with final pass of 0s and 1s; time-consuming for large storage areas, not effective for solid state drives which are resistant to overwriting
      • Crypto-shredding aka Cryptographic Erasure - encrypt data with strong encryption and take the key generated and encrypt those keys with different encryption and destroying the resulting keys of the 2nd round of encrypting;
      • HW and media cannot be sanitized by simply deleting data; deleting data just removes the logical pointers to the data for processing purposes but the data still resides;
    • Cloud - crypto-shredding is the only method that is feasible because the customer will not know where their data resides at all times and if they’re on a public cloud, they cannot destroy HW since other customers are using it;
  • What to include in policy - process, applicable regulations, when data should be destroyed
  • What is a concern for any of these methods? - Data remanence
  • What phase of the data lifecycle does this policy apply to? - Destroy phase