Chapter 2 Asset Security Flashcards
What are the procedures for data classification
- Define classification levels - WHAT
- Specify criteria for classification (age, use, etc.) - WHAT
- Identify data owners for classification - WHO
- Identify data custodian - WHO
- Indicate protection mechanisms for each level - HOW
- Document exceptions
- Identify method to transfer custody
- Review classification and ownership - REVIEW
- Procedures for declassification
- Integrate issues into security awareness program
What is the difference between Sensitive, Confidential and Private Data
Sensitive: disclosure can lead to major issues (financials, project details etc)
Confidential: Critical to company survival (IP, trade secrets, healthcare, code)
Private: relates to humans (medical records, HR data, work history)
What are the different roles related to data handling
Data Owner
Data Custodian
System Owner
Data Analyst
Data Processor
What are the responsibilities of a data owner
- Decide on classification
- Responsible for protection and use
- Has due care responsibilities
- Ensures security and backup in place
- Approve access to / disclosure of data
- Is a business role
What are the roles of Data Custodian
- Responsible for maintaining and protecting the data
- Implement and maintain security controls
- Perform regular backups
- Validate integrity of data
- Restoring data
- Retain records
- Follow company policy on information and data protection
- Is generally part of IT or security function
What are the responsibilities of a system owner
- Responsible for one or more systems which house data
- Ensures adequate protection through technical controls such as password management, remote access, OS configuration, etc.
Data Analyst
- Responsible for the data architecture/structure across the company
- May set up a new system or be involved in the purchase of a product
Data Processors
- Users who deal with the data on a daily basis
- Should be trained for proper handling and reporting of misuse
- Should be audited regularly
What are the 3 core questions to address in a data protection policy
WHAT data to keep,
for how LONG and
WHERE to keep
(The WHERE in this case refers not only to the physical/logical storage location but also to the data structure in which the data is located, e.g. emails, DBs, phone records, etc.)
What should be considered for data to be readily accessible
- Taxonomy (HR, year, third party etc)
- Classification (same as the data classification in use)
- Normalization (tagging to make it searchable)
- Indexing (querying data)
What is the Electronic Discovery Reference Model
Finding the right balance between too little and too much retention
What is data remanence
when deleting data only marks memory as available without wiping it
What are the means to counter data remanence
- Data overwriting
- Degaussing
- Physical destruction
- Encryption of data
What are typical challenges with Data in USE (vs transit/rest)
- The data in RAM can remain accessible for a long time, until the machine is powered off.
- Data in RAM can be accessed by rogue processes which sidestep the regular controls
- Data in RAM that is not encrypted can also be subjected to side-channel attacks.
What are the considerations in writing a Privacy policy
- WHAT personal data is collected
- WHY this data is collected
- WHO has access to this data
- WHO owns the data
- RIGHTs of the subject
- WHEN do we destroy data
- WHAT laws apply