Chap 2 - Information asset security Flashcards
what are assets
- people
- process / know-how
- facilities
- equipment
- retained knowledge
tangible assets
physical existence
intangible assets
exist in mind (e.g., brand)
IT asset mgmt lifecycle
- plan
- assign security needs
- acquire
- deploy
- manage
- retire
how to assign security needs to asset
either qualitative or quantitative.
assigning security needs first involves classifying & categorizing the asset based on the HARM to the organization if it is hit
what is asset classification
process of recognizing the impact on the organization if the asset is compromised, based on the CIA triad
what is asset categorization
process of grouping sets of data, information, knowledge that have comparable sensitivity -> similar security needs
what should classification/categorization policy include
- data classification/categorization -> criteria & process
- data access -> define role of subject who can access data
- data security -> generally available or restricted data by default
- data retention -> data retained for period of time (e.g., law -> telcos)
- data disposal -> printed VS digital
- data encryption -> if need to be encrypted and how
- appropriate use of data -> how to use the data
what are data sensitivity levels (classic)
- highly restricted
- moderately restricted
- low sensitivity / internal use
- unrestricted/ public
what are key issues related to classification & categorization
- responsibility
- accountability
what is the data security lifecycle
- creating
- storing
- using
- sharing
- archiving
- disposing
what are the key data roles (people)
- data subject -> individual who is described/identified by the data
- data owner -> accountable for determining the value of the data
- data controller -> in absence of controller, he is accountable
- data steward -> responsible for the data content
- data processor -> entities that process data on behalf of controller
- data custodian -> responsible for the protection of the data (security)
what are the key data states
- data at rest
- data in motion (transit)
- data in use
what is the data lifecycle considerations
- data collection
- data location
- data maintenance
- data retention
- data remanence -> use e.g., CPU
- data destruction
what are the 3 ways for data destruction
- clearing -> overwrite data with random values, also called “clobbering” or “zeroizing”
- purging -> perform a delete operation - NOTE data may be recoverable
- physical destruction -> e.g. shred/destruct physically
Main applicable type of controls for data security
- administrative controls -> policies & procedures
- technical/logical controls -> tech solutions
- physical controls -> tangible mechanisms e.g., fences/guards/locks
Security controls categories
- directive controls -> policies & rules
- deterrent controls -> reduce likelihood of unwanted activity
- preventive control -> prevent activity from happening
- compensating controls -> mitigate the effect of unwanted activity
- detective control -> recognize or discover hostile activities
- corrective controls -> react to situation to remedy/restore operations
- recovery controls -> restore operations
why establishing a data security baseline
security baseline is the minimum level of protection as a reference point -> minimum understood & acceptable level of security requirements
definition of the minimum level of protection that is required to protect valuable assets
what are the security generally accepted principles
- info system security objectives
- prevent, detect, respond & recover
- protection of info while being processed, transit and stored
- external system assumed to be unsecured
- resilience for critical info system
- auditability and accountability
what is the difference between security control scoping & tailoring
scoping: limiting the general baseline to remove inapplicable controls
tailoring: involves scoping to further match the organization, which gives the FLEXIBILITY needed to avoid COMPLEX & COSTLY assessment while meeting requirements
what is accountability
ensure account mgmt has assurance that only authorized users have access and are using it properly
what is data defensible destruction
eliminating data using a controlled, legally defensible and regulatory compliant way
Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she using to protect against it?
Sniffing, encryption
What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs?
They may not be cleared, resulting in data remanence
What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it?
Watermarks
Chris is responsible for workstations throughout his company and knows that some of the company’s workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for?
Sanitization
How should you determine what controls from the baseline a given system or software package should receive?
Select based on the data classification of the data it stores or handles
Fred’s organization allows downgrading of systems for reuse after projects have been finished and the systems have been purged. What concern should Fred raise about the reuse of the systems from his Top Secret classified project for a future project classified as Secret?
The cost of the sanitization process may exceed the cost of new equipment
Which of the following is the least effective method of removing data from media?
Erasing
what is erasing data
Erasing, which describes a typical deletion process in many operating systems, typically removes only the link to the file, and leaves the data that makes up the file itself
what is degaussing
Degaussing works only on magnetic media, but it can be quite effective on it
Chris is responsible for his organization’s security standards and has guided the selection and implementation of a security baseline for Windows PCs in his organization. How can Chris most effectively make sure that the workstations he is responsible for are being checked for compliance and that settings are being applied as necessary?
Use Microsoft Group Policy
What primary issue does personnel retention deal with?
Knowledge gained during employment
what is the difference between data clearing and data purging
Clearing: data removed, but fragments are recoverable
Purging: data removed, it is permanently gone -> degaussing is a form of purge
Which of the following is not a part of the European Union’s Data Protection principles?
A. Notice
B. Reason -> correct
C. Security
D. Access
Susan works in an organization that labels all removable media with the classification level of the data it contains, including public data. Why would Susan’s employer label all media instead of labelling only the media that contains data that could cause harm if it was exposed?
It prevents reuse of public media for sensitive data.
Charles has been asked to downgrade the media used for storage of private data for his organization. What process should Charles follow?
Follow the organization’s purging process, and then downgrade and replace labels.
Susan needs to provide a set of minimum security requirements for email. What steps should she recommend for her organization to ensure that the email remains secure?
Sensitive email should be encrypted and labelled.
What is the most important aspect of marking media?
Classification