Chapter 2 Asset Security Flashcards

1
Q

What are the procedures for data classification

A
  1. Define classification levels - WHAT
  2. Specify criteria for classification (age, use, etc.) - WHAT
  3. Identify data owners for classification - WHO
  4. Identify data custodian - WHO
  5. Indicate protection mechanisms for each level - HOW
  6. Document exceptions
  7. Identify method to transfer custody
  8. Review classification and ownership - REVIEW
  9. Procedures for declassification
  10. Integrate issues into security awareness program
2
Q

What is the difference between Sensitive, Confidential and Private Data

A

Sensitive: disclosure can lead to major issues (financials, project details etc)

Confidential: Critical to company survival (IP, trade secrets, healthcare, code)

Private : relates to humans (medical records, HR data, work history)

3
Q

What are the different roles related to data handling

A

Data Owner

Data Custodian

System Owner

Data Analyst

Data Processor

4
Q

What are the responsibilities of a data owner

A
  1. Decide on classification
  2. Responsible for protection and use
  3. Has due care responsibilities
  4. Ensures security and backup in place
  5. Approve access to / disclosure of data
  6. Is a business role
5
Q

What are the responsibilities of a Data Custodian

A
  1. Responsible for maintaining and protecting the data
  2. Implement and maintain security controls
  3. Perform regular backups
  4. Validate integrity of data
  5. Restore data
  6. Retain records
  7. Follow company policy on information and data protection
  8. Is generally part of IT or security function
6
Q

What are the responsibilities of a system owner

A
  • Responsible for one or more systems which house data
  • Ensures adequate protection through technical measures such as password management, remote access, OS configuration, etc.
7
Q

Data Analyst

A
  • Responsible for the data architecture/structure across the company
  • May set up a new system or be involved in the purchase of a product
8
Q

Data Processors

A
  • Users who deal with the data on a daily basis
  • Should be trained for proper handling and reporting of misuse
  • Should be audited regularly
9
Q

What are the 3 core questions to address in a data protection policy

A

WHAT data to keep,

for how LONG and

WHERE to keep

(The WHERE in this case refers not only to the physical/logical storage location but also to the data structure in which the data is located, e.g. emails, DBs, phone records, etc.)

10
Q

What should be considered for data to be readily accessible

A
  • Taxonomy (HR, year, third party etc)
  • Classification (same as the data classification in use)
  • Normalization (tagging to make it searchable)
  • Indexing (querying data)
11
Q

What is the Electronic Discovery Reference Model

A

Finding the right balance between too little and too much retention

12
Q

What is data remanence

A

When deleting data only marks the storage as available without wiping it, so the data remains recoverable

13
Q

What are the means to counter data remanence

A
  • Data overwriting
  • Degaussing
  • Physical destruction
  • Encryption of data
14
Q

What are typical challenges with Data in USE (vs. in transit / at rest)

A
  • Data in RAM can remain accessible for a long time, until the machine is powered off.
  • Data in RAM can be accessed by rogue processes which sidestep the regular controls.
  • Data in RAM that is not encrypted can also be subjected to side-channel attacks.
15
Q

What are the considerations in writing a Privacy policy

A
  • WHAT personal data is collected
  • WHY this data is collected
  • WHO has access to this data
  • WHO owns the data
  • RIGHTS of the data subject
  • WHEN do we destroy data
  • WHAT laws apply
16
Q

MEDIA Management life-cycle areas

A
  • Tracking (audit logging)
  • Effectively implementing access controls
  • Tracking the number and location of backup versions
  • Documenting the history of changes to media
  • Ensuring environmental conditions do not endanger media
  • Ensuring media integrity
  • Inventorying the media on a scheduled basis
  • Carrying out secure disposal activities
  • Internal and external labeling of each media piece
17
Q

What are the key points to note about DLP

A
  • It is in the context of sensitive data
  • Concerned with external parties (not internal)
  • The external party gaining access should be unauthorised to do so in order to classify as a leak
18
Q

What is the difference between Data loss and data leak

A

Data Loss – we do not know where the data is

Data Leak – we know that the data and its confidentiality have been compromised

19
Q

What are the general approaches to implementing DLP

A

Data inventories: find and characterize all data in the organization

Data flows: understanding how the data flows across the network, business processes and applications

Data Protection Strategies:

o Backup and recovery

o Data life-cycle – protecting data while it transitions from one part of the lifecycle to the other

o Physical security

o Security culture (embedded in users/employees)

o Privacy (monitoring of users'/employees' data, etc.)

o Organisational change (M&A, etc.)

20
Q

What are the administrative policies in reference to DLP

A
  • Data inventories
  • Data Flows
  • Data protection strategies