Chapter 3 – Data Classification Flashcards

1
Q

Data Ownership

A

assign responsibilities according to who has possession and legal ownership of that data.

2
Q

Data Owner

A

the org that collected/created the data; usually a department head or business unit manager; the cloud customer is usually the data owner (international privacy frameworks such as the GDPR refer to this role as the data controller)

3
Q

Data Custodian

A

the person or entity tasked with the daily maintenance/administration of the data; responsible for implementing proper security controls and processes as directed by the data owner; often a database admin

4
Q

Data Processor

A

any org or person who manipulates, stores, or moves the data on behalf of the data owner; the cloud provider is a data processor (the term used by international privacy frameworks such as the GDPR)

Data processors do not necessarily all have direct relationships with data owners; processors can be third parties or further removed down the supply chain

5
Q

Data Lifecycle

A

understand it in order:
Create > Store > Use > Share > Archive > Destroy

6
Q

Create

A

the data owner is identified in this first phase, and the owner's data security and management responsibilities begin here; the data owner categorizes and classifies the data

7
Q

Data Categorization: Regulatory Compliance

A

can categorize by the specific compliance regime a dataset falls under (GLBA, PCI DSS, SOX, HIPAA, GDPR, and other international, national, and local compliance requirements)

8
Q

Data Categorization: Business Function

A

different use of data (billing, marketing, operations)

9
Q

Data Categorization: Functional Unit

A

department or office with its own category and data controls

10
Q

Data Categorization: By Project

A

define datasets by the project they are associated with, as a means of creating discrete, compartmentalized datasets

11
Q

Data Categorization: Data Classification

A

responsibility of the data owner; assigned according to the org's policy, based on characteristics of the dataset

Sensitivity: the model used by the US military; the classification is assigned to match the sensitivity of the data, based on the negative impact an unauthorized disclosure would cause

Jurisdiction: the geographic location of the source/storage point of the data may determine how the data is handled; PII gathered from data subjects in the EU is subject to EU privacy law (GDPR)

Criticality: data deemed critical to the org's survival is classified distinctly from trivial, routine operational data; the business impact analysis (BIA) helps determine this

12
Q

Data Categorization: Data Mapping

A

data exchanged between organizations (or departments) is normalized and translated so it is meaningful to both parties; for classifications, mapping is necessary so that data considered sensitive and requiring protection in one org is recognized as such by the receiving org

13
Q

Data Categorization: Data Labeling

A

when the data owner creates, categorizes, and classifies the data, it must also be labeled; the label should indicate who the data owner is (an office or role, not a person's name or identity); it can take any form as long as it is enduring, understandable, and consistent; Ex: labels on hardcopy data might be printed headers/footers, labels on electronic files might be embedded in the filename/nomenclature or in file metadata; labels should be evident and communicate the pertinent concepts without disclosing the data they describe

14
Q

Data Categorization: What may data labels include?

A

Date of creation
Date of scheduled destruction/disposal
Confidentiality level
Handling directions
Dissemination/distribution instructions
Access limitations
Source
Jurisdiction
Applicable regulation

15
Q

Data Discovery

A

refers to several kinds of tasks used to determine and accurately inventory the data under the org's control: creating an initial inventory of the data the org owns, electronic discovery (e-discovery), and using modern datamining tools to discover trends and relations in data already in the org's inventory
E-Discovery: the legal term for how electronic evidence is collected as part of an investigation/lawsuit

16
Q

Label-Based Discovery

A

labels applied at classification time aid any data discovery effort; the org can determine what data it controls and how much of each kind it holds; labels are especially useful when discovery is undertaken in response to a mandate with a specific purpose (court order/regulatory demand), since properly labeled data can be collected and disclosed easily and completely
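
The labeling cards above (which fields a label carries, and that it may live in the filename nomenclature) and this label-based discovery card describe one workflow: parse the label, then inventory, select for a demand, and flag what is past its disposal date. The following is an added example, not code from the original flashcards or any vendor tool; the `OWNER.CLASS.JURISDICTION.REGULATION.CREATED.DESTROY_name` filename convention and the sample file list are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Label carries the fields the labeling card lists. The filename nomenclature
// is a hypothetical convention invented for this example:
//
//	<OWNER>.<CLASS>.<JURISDICTION>.<REGULATION>.<CREATED>.<DESTROY>_<name>
type Label struct {
	Owner        string    // owning office/role, never a person's name
	Class        string    // PUBLIC, INTERNAL, CONF or RESTRICTED
	Jurisdiction string    // where the data was sourced/stored
	Regulation   string    // applicable regime, NONE if unregulated
	Created      time.Time // date of creation
	Destroy      time.Time // scheduled destruction/disposal date
}

var labelRe = regexp.MustCompile(
	`^([A-Z]{2,8})\.(PUBLIC|INTERNAL|CONF|RESTRICTED)\.([A-Z]{2,4})\.([A-Z0-9]{2,8})\.(\d{8})\.(\d{8})_[^/]+$`)

// Constructed sample inventory; the last entry deliberately carries no label.
var sampleFiles = []string{
	"FIN.CONF.EU.GDPR.20240115.20290115_q1-customers.xlsx",
	"HR.RESTRICTED.US.HIPAA.20210301.20260301_benefits-claims.csv",
	"MKT.PUBLIC.US.NONE.20230601.20240601_press-release.docx",
	"OPS.INTERNAL.EU.GDPR.20220110.20230110_oncall-roster.txt",
	"notes.txt",
}

// ParseLabel extracts the label from a filename. Files that do not follow the
// nomenclature, or whose dates are impossible, come back as errors so they
// surface as unlabeled instead of being silently skipped.
func ParseLabel(name string) (Label, error) {
	m := labelRe.FindStringSubmatch(name)
	if m == nil {
		return Label{}, fmt.Errorf("unlabeled or malformed: %q", name)
	}
	created, err1 := time.Parse("20060102", m[5])
	destroy, err2 := time.Parse("20060102", m[6])
	if err1 != nil || err2 != nil || !destroy.After(created) {
		return Label{}, fmt.Errorf("bad dates in label: %q", name)
	}
	return Label{m[1], m[2], m[3], m[4], created, destroy}, nil
}

// Inventory is the label-based discovery step: how much of each
// classification the org holds, plus the files nobody labeled.
func Inventory(names []string) (map[string]int, []string) {
	byClass := map[string]int{}
	var unlabeled []string
	for _, n := range names {
		l, err := ParseLabel(n)
		if err != nil {
			unlabeled = append(unlabeled, n)
			continue
		}
		byClass[l.Class]++
	}
	return byClass, unlabeled
}

// Respond selects the files in scope for a targeted demand (court order,
// regulator request) by regulation and jurisdiction.
func Respond(names []string, regulation, jurisdiction string) []string {
	var hits []string
	for _, n := range names {
		l, err := ParseLabel(n)
		if err == nil && l.Regulation == regulation && l.Jurisdiction == jurisdiction {
			hits = append(hits, n)
		}
	}
	return hits
}

// DueForDestruction returns labeled files whose scheduled disposal date has
// passed as of now; unlabeled files are never auto-destroyed.
func DueForDestruction(names []string, now time.Time) []string {
	var due []string
	for _, n := range names {
		l, err := ParseLabel(n)
		if err == nil && !l.Destroy.After(now) {
			due = append(due, n)
		}
	}
	return due
}

func main() {
	byClass, unlabeled := Inventory(sampleFiles)
	fmt.Println("inventory by classification:", byClass)
	fmt.Println("unlabeled, needs owner review:", unlabeled)
	fmt.Println("in scope for an EU/GDPR demand:", Respond(sampleFiles, "GDPR", "EU"))
	asOf := time.Date(2024, 7, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("due for destruction as of 2024-07-01:", DueForDestruction(sampleFiles, asOf))
}
```

Note that the discovery functions treat a malformed label the same as a missing one: an unlabeled file is reported for owner review rather than guessed at, and it is never selected for destruction, which is the safer failure for both a legal hold and a retention schedule.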

17
Q

Metadata-Based Discovery

A

data about data: a listing of the traits and characteristics of specific data elements/sets; useful for discovery purposes; metadata-based discovery uses metadata the same way label-based discovery uses labels, scanning the metadata fields for particular terms relevant to the purpose at hand

18
Q

Content-Based Discovery

A

discovery tools can locate and identify specific kinds of data by delving into the content of the datasets themselves (even without labels/metadata); ranges from basic term searches to sophisticated pattern-matching technologies (e.g., regular expressions combined with validation checks to cut down false positives)
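
As an added example of the content-based approach (not code from the original flashcards or any commercial discovery product), the scanner below runs over a constructed support-ticket export with no labels or metadata at all. It shows the difference between a bare term/pattern search and validated pattern matching: the 16-digit tracking number on ticket 1043 looks like a card number but fails the Luhn check, and the SSN on ticket 1045 uses an area number that is never issued, so neither is reported. The sample text, the field names and the masking format are assumptions for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one content-based hit: what kind of data, where, and a masked
// rendering so the discovery report does not itself become a sensitive file.
type Finding struct {
	Kind   string // PAN, SSN or EMAIL
	Line   int
	Masked string
}

var (
	// 13-19 digits, optionally separated by single spaces or dashes.
	panRe   = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	ssnRe   = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
	emailRe = regexp.MustCompile(`\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b`)
)

// Constructed sample export (not real tickets). Ticket 1043 carries a 16-digit
// tracking number that fails Luhn; ticket 1045 uses SSN area 000, never issued.
const sampleExport = `ticket 1042: customer paid with card 4111 1111 1111 1111, please refund
ticket 1043: tracking number 1234 5678 9012 3456 not updating
ticket 1044: contact jane.doe@example.com, ssn on file 123-45-6789
ticket 1045: test record 000-12-3456, ignore`

// LuhnValid reports whether a digit string passes the mod-10 check that
// payment card numbers carry; it separates PANs from random digit runs.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func onlyDigits(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// plausibleSSN rejects structurally impossible SSNs: area 000, 666 or 9xx,
// group 00 and serial 0000 are never issued.
func plausibleSSN(area, group, serial string) bool {
	return area != "000" && area != "666" && area[0] != '9' && group != "00" && serial != "0000"
}

// mask keeps only the last four characters, the usual report convention.
func mask(s string) string { return strings.Repeat("*", len(s)-4) + s[len(s)-4:] }

// Scan runs the three detectors over every line and returns validated hits.
func Scan(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		for _, m := range panRe.FindAllString(line, -1) {
			if d := onlyDigits(m); len(d) >= 13 && len(d) <= 19 && LuhnValid(d) {
				out = append(out, Finding{"PAN", i + 1, mask(d)})
			}
		}
		for _, m := range ssnRe.FindAllStringSubmatch(line, -1) {
			if plausibleSSN(m[1], m[2], m[3]) {
				out = append(out, Finding{"SSN", i + 1, mask(m[0])})
			}
		}
		for _, m := range emailRe.FindAllString(line, -1) {
			out = append(out, Finding{"EMAIL", i + 1, m})
		}
	}
	return out
}

func main() {
	for _, f := range Scan(sampleExport) {
		fmt.Printf("line %d: %-5s %s\n", f.Line, f.Kind, f.Masked)
	}
}
```

The validation step is what makes the output usable: a raw "16 digits" pattern over a large corpus produces far more order, tracking and account numbers than card numbers, and a discovery report full of those is both noise for the data owner and a new sensitive artifact to protect.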

19
Q

Data Analytics

A

technological options for deriving additional findings from data and assigning types to it; modern tools create new data feeds from sets of data that already exist within the environment; the modes used are real-time analytics, datamining, and agile business intelligence

20
Q

Datamining

A

an outgrowth of the possibilities offered by regular use of the cloud (big data); when an org collects data streams and runs queries across the feeds, it can detect and analyze previously unknown trends and patterns that can be useful

21
Q

Real-Time Analytics

A

tools can provide datamining functionality concurrently with data creation and use; the tools rely on automation and require efficiency to perform properly

22
Q

Agile Business Intelligence

A

state-of-the-art datamining involving recursive, iterative tools and processes that can detect trends and identify more oblique patterns in historical and recent data

23
Q

Jurisdictional Requirements: USA

A

addresses privacy with industry-specific legislation (GLBA for banking/insurance, HIPAA for medical care, etc.) or with contractual obligations (PCI DSS); granular data breach notification laws are enacted and enforced at the state and local level (e.g., New York, California); strong protections for intellectual property

24
Q

Jurisdictional Requirements: Europe

A

has massive, exhaustive, comprehensive personal privacy protections (the EU General Data Protection Regulation, GDPR); good intellectual property protection

25
Q

Jurisdictional Requirements: Asia

A

data privacy protection levels differ by country; Japan (with its Act on the Protection of Personal Information) and Singapore adhere to the EU model; China has a legal requirement that is the opposite of privacy (all IT traffic and communications in China must be accessible by the Chinese government); disparate levels of intellectual property protection

26
Q

Jurisdictional Requirements: South/Central America

A

most countries lack privacy protection frameworks; Argentina is an exception, and its Personal Data Protection Act closely mirrors the EU legislation; various intellectual property mechanisms exist

27
Q

Jurisdictional Requirements: Australia/New Zealand

A

has the Australian Privacy Act, which maps directly to the EU statutes; both countries provide strong intellectual property protections and strong privacy protections

28
Q

IRM (Information Rights Management)

A

managing information in accordance with who has rights to it; also referred to as DRM (digital rights management) or ERM (enterprise rights management); uses a variety of tools to enforce intellectual property rights, such as support-based licensing, local agent enforcement, and media-present checks

29
Q

Copyright

A

legal protection for expressions of ideas; in the US, granted to whoever first creates an expression of an idea (literary works, films, music, software, and artistic works); does not cover ideas, specific words, slogans, recipes, or formulae; lasts for 70 years after the author's death, or for a work made for hire 95 years from first publication or 120 years from creation, whichever expires first; the creator is the only entity legally allowed to do the following: perform the work publicly, profit from the work, make copies of the work, make derivative works from the original, import or export the work, broadcast the work, and sell/assign the rights

30
Q

Trademarks

A

intended to be applied to specific words and graphics; representations of an org – its brand; can be the name of an org, logo, phrase, color, sound, or combo of these

31
Q

Patents

A

legal mechanism for protecting intellectual property in the form of inventions, processes, materials, decorations, and plant life; generally lasts 20 years from the filing date of the patent application

32
Q

Trade Secrets

A

covers the same kinds of material as patents (processes, formulas, commercial methods, etc.) but is protected by keeping it secret rather than by registration; also includes aggregations of information (lists of clients/suppliers)

33
Q

IRM Tool Traits

A

material protected by IRM solutions need some form of labeling/metadata associated with the material for the IRM tool to function properly

34
Q

Rudimentary Reference Checks

A

the content itself checks for proper usage/ownership; Ex: vintage games pause until the player enters information that came with a licensed copy of the game (a word/phrase from the manual shipped with the game)

35
Q

Online Reference Checks

A

Microsoft software packages (Windows OS/Office programs) requiring product key at installation; program will check against online database when connected to the Internet

36
Q

Local Agent Checks

A

the user installs a reference tool that checks the protected content against the user's license; Ex: Steam, where on installation of purchased games the agent checks the user's system against the online license database to ensure the games are not pirated

37
Q

Presence of Licensed Media

A

the licensed media (a disk, for example) must be present while the content is being used; the IRM engine is on the media, often together with a cryptographic engine that identifies the unique disk and the licensed content and allows usage based on that relationship

38
Q

Support-Based Licensing

A

predicated on the need for continual support for the content (production software); the vendor can prevent unlicensed versions from getting support (updates/patches)

39
Q

What are replication restrictions in IRM in the cloud?

A

IRM often prevents unauthorized duplication, but cloud platforms routinely create, close, and replicate virtualized host instances, so IRM replication restrictions can interfere with the provider's automatic resource allocation processes.

40
Q

What are jurisdictional conflicts in cloud computing?

A

Cloud services extend across boundaries and borders, which can pose problems when intellectual property rights are restricted by locale.

41
Q

What are agent/enterprise conflicts in IRM?

A

IRM solutions requiring local installation of software agents for enforcement may not function properly in cloud environments, virtualization engines, or various BYOD platforms.

42
Q

How do IAM and IRM conflict?

A

The extra layer of access control (IRM ACLs) can conflict with enterprise and cloud IAM, especially when IAM is outsourced to a third party such as a CASB.

43
Q

What are API conflicts in IRM?

A

IRM tools incorporated into content may not offer the same level of performance across different applications (content readers/media players).

44
Q

What is persistent protection in IRM?

A

Persistent protection follows the content it protects regardless of location, duplication, or utilization.

45
Q

What is dynamic policy control in IRM?

A

Dynamic policy control allows content creators and data owners to modify ACLs and permissions for the protected data under their control.

46
Q

What is automatic expiration in IRM?

A

Protection should cease when the legal protections cease; many digital content licenses expire, and access and permissions for the protected content should expire with them.

47
Q

What is continuous auditing in IRM?

A

Continuous auditing allows for comprehensive monitoring of the content’s use and access history.

48
Q

What are the purposes of replication restrictions in IRM?

A

The purpose is to restrict illegal or unauthorized duplication of protected content across various forms of copying.

49
Q

What is remote rights revocation in IRM?

A

The owner of intellectual property rights should have the ability to revoke rights at any time, often due to litigation or infringement.

50
Q

What is data control in IRM?

A

Data control protects data beyond the CREATE lifecycle phase, requiring specific policies for retention, audit, and disposal.

51
Q

What are retention periods in data retention policy?

A

Retention periods specify how long an organization should keep data, often mandated by regulation or contractual agreements.

52
Q

What is applicable regulation in data retention policy?

A

Applicable regulations can be mandated by statute or contract; policies should refer to all relevant regulatory guidance.

53
Q

What are retention formats in data retention policy?

A

Retention formats describe how data is archived, including media storage types and handling specifications.

Example: Some data must be encrypted while in storage.

54
Q

What is data classification in data retention policy?

A

Organizations can use data classification levels to determine how long specific datasets or types of data need to be retained.

55
Q

What are archiving and retrieval procedures?

A

These procedures mandate detailed descriptions of processes for sending data into storage and recovery.

56
Q

What is monitoring, maintenance, and enforcement in data retention policy?

A

This includes details on how often policies will be reviewed, amended, consequences for non-compliance, and responsible entities.

57
Q

What is legal hold in data retention policy?

A

Legal hold supersedes retention/destruction policies during litigation, requiring suspension of relevant data destruction activities.

58
Q

What is data audit?

A

Organizations need to regularly review, inventory, and inspect the usage and condition of their data, with a defined audit policy.

59
Q

What is data destruction/disposal in the cloud?

A

In the cloud the customer does not control the physical media, so hardware destruction, degaussing, or verified overwriting is generally not available to the customer (multitenancy and storage abstraction mean the provider cannot guarantee which physical blocks held the data); crypto-shredding is the primary option for data disposal.

60
Q

What is crypto-shredding?

A

Crypto-shredding involves encrypting the data with a strong cipher, encrypting (wrapping) the data encryption key with a second key, and then destroying the keys; the ciphertext may remain on the provider's storage but is unrecoverable. Caveat: every copy of the key material (backups, escrow, KMS/HSM replicas) must be destroyed, and only data that was encrypted before it was stored is covered; plaintext that was ever written unencrypted is not shredded by deleting a key.
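
The following is an added example of the two-layer scheme this card describes (data under a data encryption key, the DEK wrapped under a key encryption key), not code from the original flashcards or from any cloud provider's KMS; it uses AES-256-GCM from the Go standard library, and the record layout, function names and sample plaintext are assumptions for this example. It shows the point that matters operationally: after the KEK is destroyed, the record is still sitting in storage, byte for byte, and cannot be opened.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what actually sits on the provider's storage: the data encrypted
// under a per-record data encryption key (DEK), and the DEK itself encrypted
// (wrapped) under a key encryption key (KEK) kept elsewhere (KMS/HSM), never
// beside the record. Layout is an assumption for this example.
type Record struct {
	Ciphertext []byte // nonce || AES-256-GCM(DEK, data)
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
}

func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// seal returns nonce || ciphertext || tag under AES-GCM with a fresh nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key fails the GCM tag check, nothing leaks.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Protect encrypts data for storage. The plaintext DEK is zeroed before
// returning; only the wrapped copy survives, so the KEK is the sole way back.
func Protect(data []byte) (Record, []byte, error) {
	dek, err := newKey()
	if err != nil {
		return Record{}, nil, err
	}
	kek, err := newKey()
	if err != nil {
		return Record{}, nil, err
	}
	ct, err := seal(dek, data)
	if err != nil {
		return Record{}, nil, err
	}
	wrapped, err := seal(kek, dek)
	Zero(dek)
	if err != nil {
		return Record{}, nil, err
	}
	return Record{Ciphertext: ct, WrappedDEK: wrapped}, kek, nil
}

// Reveal unwraps the DEK with the KEK and then decrypts the record.
func Reveal(r Record, kek []byte) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK: %w", err)
	}
	defer Zero(dek)
	return open(dek, r.Ciphertext)
}

// Zero overwrites key material in place. Crypto-shredding is Zero applied to
// every copy of the KEK; the ciphertext and wrapped DEK can stay in the cloud.
func Zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	rec, kek, err := Protect([]byte("cardholder export, 2024 Q1")) // constructed sample
	if err != nil {
		panic(err)
	}
	pt, _ := Reveal(rec, kek)
	fmt.Printf("before shred: %q\n", pt)
	Zero(kek) // the shred: destroy the KEK, leave the record where it is
	_, err = Reveal(rec, kek)
	fmt.Println("after shred:", err)
}
```

In a real deployment the KEK never reaches application memory like this; it lives in a KMS or HSM and the shred is that service's key deletion, which typically has a mandatory waiting period and must also cover every replica and backup of the key. The per-record DEK is what makes selective disposal possible: deleting one wrapped DEK shreds one record, deleting the KEK shreds everything under it.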