Chapter 2 Asset Security

Question 1

What are the procedures for data classification

Answer 1

1. Define classification levels - WHAT
2. specify criteria for classification (age, use, etc) - WHAT
3. Identify data owners for classification - WHO
4. Identify data custodian - WHO
5. Indicate protection mechanisms for each level - HOW
6. Document exceptions
7. Identify method to transfer custody
8. Review classification and ownership - REVIEW
9. Procedures for declassification
10. Integrate issues into security awareness program

Question 2

What is the difference between Sensitive, Confidential and Private Data

Answer 2

Sensitive: disclosure can lead to major issues (financials, project details etc)

Confidential: Critical to company survival (IP, trade secrets, healthcare, code)

Private : relates to humans (medical records, HR data, work history)

Question 3

What are the different roles related to data handling

Answer 3

Data Owner

Data Custodian

System Owner

Data Analyst

Data Processor

Question 4

What are the responsibilities of a data owner

Answer 4

1. Decide on classification
2. Responsible for protection and use
3. Has due care responsibilities
4. Ensures security and backup in place
5. Approve access to / disclosure of data
6. Is a business role

Question 5

What are the roles of Data Custodian

Answer 5

1. Responsible for maintaining and protecting the data
2. Implement and maintain security controls
3. Perform regular backups
4. Validate integrity of data
5. Restoring data
6. retain records
7. Follow company policy on information and data protection
8. Is generally part of IT or security function

Question 6

what are the responsibilities of system owner

Answer 6

• Responsible for one or more systems which houses data
• Ensures Adequate protection through technical stuff such as pwd mgmt, remote access, OS config etc

Question 7

Data Analyst

Answer 7

• Responsible for the data architiect/ structure across company
• May setup new system or be involved in purchase of a product

Question 8

Data Processors

Answer 8

• Users who deal with the data on a daily basis
• Should be trained for proper handling and reporting of misuse
• Should be audited regularly

Question 9

what are the 3 core questions to address in a data protection policy

Answer 9

WHAT data to keep,

for how LONG and

WHERE to keep

(the where in this case refers not only to the physical/logical storage location but also to the data strcuture in which the data is located e.g emails, DBs, phone records, etc.)

Question 10

What should be considered for data to be readily accessible

Answer 10

• Taxonomy (HR, year, third party etc)
• Classification (same as the data classification in use)
• Normalization (tagging to make it searchable)
• Indexing (querying data)

Question 11

What is the Electronic Discovery Reference Model

Answer 11

finding the right balance between too less and too much retention

Question 12

What is data remanence

Answer 12

when deleting data only marks memory as available without wiping it

Question 13

What are the means to counter data remanence

Answer 13

• Data overwriting
• Degaussing
• Physical destruction
• Encryption of data

Question 14

What are typcial challenges with Data in USE (vs transit/Rest)

Answer 14

• The data in RAM can remain accessible for a long time till machine is powered off.
• data in RAM can be accessed by rouge processes which sidestep the regular control
• Data in RAM that is not encrypted can also be subjected to side-channel attacks.

Question 15

What are the considerations in writing a Privacy policy

Answer 15

• WHAT personal data is collected
• WHY this data is collected
• WHO has access to this data
• WHO owns the data
• RIGHTs of the subject
• WHEN do we destroy data
• WHAT laws apply

Question 16

MEDIA Management life-cycle areas

Answer 16

• Tracking (audit logging)
• Effectively implementing access controls
• Tracking the number and locatioin of backup versions
• Documenting the history of changes to media
• Ensuring environmental conditions do not endanger media
• Ensuring media integrity
• Inventoring the media on a scheduled basis
• Carrying out secure disposal activities
• Internal and external labeling of each media piece

Question 17

What are the key points to note about DLP

Answer 17

• it is in context of sensitive data
• concerned with external parties (not internal)
• External party gaining access should be unathourised to do so in order to classify as a leak

Question 18

What is the difference between Data loss and data leak

Answer 18

Data Loss – we do not know where the data is

Data Leak – we know that data and confidentiality has been compromised

Question 19

What are the general approaches to implementing DLP

Answer 19

Data inventories : find and characterize all data in the organization

Data flows : Understanding how the data flows across the network , business processes and applications

Data Protection Strategies:

o Backup and recovery

o Data life-cycle – protecting data while it transitions from one part of the lifecycle to the other

o Physical security

o Security culture (embedded in users/ employees

o Privacy (monitoring of users/ employees data etc)

o Oragnisational change (M&A etc)

Question 20

What are the administrative policies in reference to DLP

Answer 20

• Data inventories
• Data Flows
• Data protection strategies