Chapter 5 Protecting the Security of Assets Flashcards

1
Q

What are sample data classifications for a typical company?

A

Confidential or proprietary data is data whose disclosure would cause exceptionally grave damage to the mission of the organization.

Private information refers to data that should stay within the organization but does not meet the definition of confidential. Typically includes PII, PHI, internal employee data, and some financial data.

Sensitive information is data whose disclosure would cause damage to the mission. Might include the internal network layout.

Public data is often posted publicly. Still need to think about integrity and availability.

2
Q

What is data remanence?

A

Data that remains on media after it was supposedly erased.

Slack space is the unused space in a disk cluster. Some systems fill this space with data from memory. Can use a degausser, but this is only useful on magnetic media. For SSDs, only disintegrators will work.

3
Q

What is erasing?

A

Performing a delete operation.

4
Q

What is clearing?

A

AKA overwriting. Data is written over all addressable locations on the media. May not get everything.

5
Q

What is purging?

A

Prepares media for reuse. Could include repeating the clearing process multiple times, combined with other methods.

6
Q

What is degaussing?

A

Running a magnet over magnetic tape. However, if done to a hard drive, someone could put the platters on a different drive. Doesn’t work for optical media.

7
Q

What is cryptographic erasure?

A

Destroy the encryption keys. Should be combined with another method in case someone discovers the keys.

8
Q

What is digital rights management?

A

Attempts to provide copyright protection and prevent unauthorized use.

A DRM license grants access to a product and defines the terms of use. Typically a small file with a decryption key.

Persistent online authentication, aka always-on DRM, requires a system to be connected to the Internet to use a product. The system periodically connects with an authentication server.

Continuous Audit Trail tracks all use of the product. Combined with persistence, it can detect abuse, such as the product being used at the same time in two different locations.

Automatic expiration means that if you don’t pay to extend a subscription, access is automatically blocked.

Digital watermarks are intended to make it easier to detect the unauthorized copying of a file.

9
Q

What is a Cloud Access Security Broker?

A

Software placed between users and cloud-based resources. Can be on-premises or in the cloud. Monitors all activity accessing the cloud. For example, it could ensure that all data your employees are storing in the cloud is encrypted. Can be effective at detecting shadow IT.

10
Q

What is Pseudonymization?

A

Using pseudonyms to represent other data. Doing this can avoid more stringent requirements under GDPR. The process can be reversed to find the true name of the person.

11
Q

What is tokenization?

A

Use of a token, typically a random string of characters, to replace other data. Typically used with credit cards. The difference from pseudonymization is the use of random characters instead of a fake name.

12
Q

What is anonymization?

A

Process of removing relevant data so it is not personally identifiable. Difficult in practice. Randomized masking means swapping data between individual records so that the aggregate is still accurate, but no single record is correct. Cannot be undone.

13
Q

Who is the data owner?

A

Person with ultimate responsibility for the data. Identifies the classification of the data, ensures it is labeled correctly, and makes sure there are security controls. Under SP 800-18, they must:

–establish the rules for appropriate use and protection of the subject data/information
–provide input to system owners regarding security requirements
–decide who has access to the information system
–assist in the identification and assessment of the common security controls where the information resides

14
Q

What are the responsibilities of system owners?

A

–Developing a system security plan
–Maintaining the system security plan and ensuring the system is deployed and operated accordingly
–Ensuring that system users and support personnel receive appropriate training
–Updating the system security plan as appropriate
–Assisting in the identification, implementation, and assessment of common security controls

15
Q

What are the responsibilities of business owners?

A

Ensuring that systems provide value to the organization.

16
Q

What are the responsibilities of data processors and data controllers?

A

GDPR defines a data processor as an entity that processes personal data on behalf of the data controller. For example, a third-party payroll company would be the data processor. It must follow the direction of the data controller. The controller is the one that collected the data in the first place.

17
Q

What are the responsibilities of the data custodian?

A

Data owners often delegate day-to-day tasks to the custodian. The custodian helps protect the integrity and security of the data.

18
Q

What is the difference between tailoring and scoping?

A

Tailoring refers to modifying the list of security controls within a baseline to align with an organization’s mission.

Scoping refers to reviewing a list of baseline security controls and selecting only those that apply to the IT systems you’re trying to protect.