Chapter 2 Asset Security Flashcards
What are the procedures for data classification
- Define classification levels - WHAT
- Specify criteria for classification (age, use, etc.) - WHAT
- Identify data owners for classification - WHO
- Identify data custodian - WHO
- Indicate protection mechanisms for each level - HOW
- Document exceptions
- Identify method to transfer custody
- Review classification and ownership - REVIEW
- Procedures for declassification
- Integrate issues into security awareness program
What is the difference between Sensitive, Confidential and Private Data
Sensitive: disclosure can lead to major issues (financials, project details etc)
Confidential: Critical to company survival (IP, trade secrets, healthcare, code)
Private: relates to humans (medical records, HR data, work history)
What are the different roles related to data handling
Data Owner
Data Custodian
System Owner
Data Analyst
Data Processor
What are the responsibilities of a data owner
- Decide on classification
- Responsible for protection and use
- Has due care responsibilities
- Ensures security and backup in place
- Approve access to / disclosure of data
- Is a business role
What are the roles of Data Custodian
- Responsible for maintaining and protecting the data
- Implement and maintain security controls
- Perform regular backups
- Validate integrity of data
- Restoring data
- Retain records
- Follow company policy on information and data protection
- Is generally part of IT or security function
What are the responsibilities of a system owner
- Responsible for one or more systems which houses data
- Ensures adequate protection through technical measures such as password management, remote access, OS configuration, etc.
Data Analyst
- Responsible for the data architecture/structure across the company
- May set up a new system or be involved in the purchase of a product
Data Processors
- Users who deal with the data on a daily basis
- Should be trained for proper handling and reporting of misuse
- Should be audited regularly
What are the 3 core questions to address in a data protection policy
WHAT data to keep,
for how LONG and
WHERE to keep
(The WHERE in this case refers not only to the physical/logical storage location but also to the data structure in which the data is located, e.g. emails, DBs, phone records, etc.)
What should be considered for data to be readily accessible
- Taxonomy (HR, year, third party etc)
- Classification (same as the data classification in use)
- Normalization (tagging to make it searchable)
- Indexing (querying data)
What is the Electronic Discovery Reference Model
Finding the right balance between too little and too much retention
What is data remanence
When deleting data only marks the memory as available without wiping it
What are the means to counter data remanence
- Data overwriting
- Degaussing
- Physical destruction
- Encryption of data
What are typical challenges with Data in Use (vs Transit/Rest)
- The data in RAM can remain accessible for a long time, until the machine is powered off.
- Data in RAM can be accessed by rogue processes which sidestep the regular controls.
- Data in RAM that is not encrypted can also be subjected to side-channel attacks.
What are the considerations in writing a Privacy policy
- WHAT personal data is collected
- WHY this data is collected
- WHO has access to this data
- WHO owns the data
- RIGHTs of the subject
- WHEN do we destroy data
- WHAT laws apply
MEDIA Management life-cycle areas
- Tracking (audit logging)
- Effectively implementing access controls
- Tracking the number and location of backup versions
- Documenting the history of changes to media
- Ensuring environmental conditions do not endanger media
- Ensuring media integrity
- Inventorying the media on a scheduled basis
- Carrying out secure disposal activities
- Internal and external labeling of each media piece
What are the key points to note about DLP
- It is in the context of sensitive data
- Concerned with external parties (not internal)
- The external party gaining access must be unauthorised to do so for it to classify as a leak
What is the difference between Data loss and data leak
Data Loss – we do not know where the data is
Data Leak – we know that data and confidentiality have been compromised
What are the general approaches to implementing DLP
Data inventories: find and characterize all data in the organization
Data flows: understanding how the data flows across the network, business processes and applications
Data protection strategies:
- Backup and recovery
- Data life-cycle – protecting data while it transitions from one part of the lifecycle to the other
- Physical security
- Security culture (embedded in users/employees)
- Privacy (monitoring of users'/employees' data etc.)
- Organisational change (M&A etc.)
What are the administrative policies in reference to DLP
- Data inventories
- Data Flows
- Data protection strategies