CISSP Domain 2: Data Security Controls and Compliance Requirements Flashcards
What is Data State?
different states or phases that data can exist in throughout its lifecycle
What are the different data states?
- Data at Rest
- Data in Transit
- Data in Use
Describe Data at Rest.
What are the security considerations?
- data that is stored or saved in a fixed location, such as a hard drive, database, or any other persistent storage medium
- security considerations:
  - Encryption
  - Access Controls
  - Secure Storage
Describe Data in Transit.
What are the security considerations?
- data that is being transmitted or transferred between systems or networks
- security considerations:
  - Encryption
  - Network Segmentation
  - Authentication and Authorization
Describe Data in Use.
What are the security considerations?
- data that is actively being processed, accessed, or manipulated by applications, users, or system processes
- includes data being viewed on a computer screen, processed by applications, or manipulated within memory
- security considerations:
  - Access Controls
  - Endpoint Protection
  - Secure Disposal
    - secure disposal of data in use, such as clearing temporary files or wiping volatile memory, helps prevent residual data from being accessible after its intended use
What is Scoping?
- involves defining the boundaries and extent of the security controls within an organization
- essential to establish the scope of security controls to ensure that they are appropriately applied and aligned with the organization’s requirements and objectives
What are the scoping considerations?
- Organizational Boundaries
  - identify the organizational units, departments, or systems that are included within the scope of the security controls
- Legal and Regulatory Requirements
  - determine the specific legal, regulatory, or contractual obligations that impact the scope of security controls
- Assets and Systems
  - identify the critical assets, information systems, and data that need to be protected
- Interfaces and Dependencies
  - consider the external interfaces and dependencies that impact the security of the organization’s systems and assets
- Business Processes
  - analyze the business processes that require protection and evaluate their impact on the scope of security controls
What is Tailoring?
- customizing the security controls to suit the specific needs, risks, and characteristics of an organization
- recognizes that a one-size-fits-all approach may not be suitable or feasible for every organization
What are the Tailoring considerations?
- Risk Assessment
  - conduct a risk assessment to identify and prioritize the specific risks faced by the organization
- Risk Appetite
  - consider the organization’s risk appetite and tolerance levels when selecting and implementing security controls
- Business Requirements
  - take into account the unique business requirements, operational needs, and objectives of the organization
- Cost and Feasibility
  - evaluate the cost and feasibility of implementing certain security controls based on available resources, budget constraints, and technical capabilities
- Compliance Obligations
  - consider any specific compliance obligations or industry-specific standards that impact the customization and implementation of security controls
- Emerging Threats and Technologies
  - stay updated on emerging threats, vulnerabilities, and technological advancements to ensure that security controls remain relevant and effective
What is a data protection method?
techniques and technologies employed to safeguard data and prevent unauthorized access, loss, or misuse
What’s Digital Rights Management (DRM)?
managing and enforcing access controls and usage rights for digital content
What are Digital Rights Management (DRM) technologies used for?
protect copyrighted materials, such as music, movies, e-books, and software
What’s DLP?
- Data Loss Prevention
- set of technologies and practices designed to prevent unauthorized disclosure, leakage, or loss of sensitive data
- focuses on identifying, classifying, and monitoring sensitive information within an organization to ensure its protection
What are the functions of DLP?
- Data Discovery and Classification
- Policy Enforcement
- Data Leakage Detection
- Incident Response
What does CASB stand for?
Cloud Access Security Broker