CISSP Domain 2: Data Security Controls and Compliance Requirements Flashcards
What is Data State?
different states or phases that data can exist in throughout its lifecycle
What are the different data states?
- Data at Rest
- Data in Transit
- Data in Use
Describe Data at Rest.
What are the security considerations?
- data that is stored or saved in a fixed location, such as a hard drive, database, or any other persistent storage medium
- security considerations:
- Encryption
- Access Controls
- Secure Storage
Describe Data in Transit.
What are the security considerations?
- data that is being transmitted or transferred between systems or networks
- security considerations:
- Encryption
- Network Segmentation
- Authentication and Authorization
Describe Data in Use.
What are the security considerations?
- data that is actively being processed, accessed, or manipulated by applications, users, or system processes
- includes data being viewed on a computer screen, processed by applications, or manipulated within memory
- security considerations:
- Access Controls
- Endpoint Protection
- Secure Disposal
- secure disposal of data in use, such as clearing temporary files or wiping volatile memory, helps prevent residual data from being accessible after its intended use
What is Scoping?
- involves defining the boundaries and extent of the security controls within an organization
- essential to establish the scope of security controls to ensure that they are appropriately applied and aligned with the organization’s requirements and objectives
What are the scoping considerations?
- Organizational Boundaries
- identify the organizational units, departments, or systems that are included within the scope of the security controls
- Legal and Regulatory Requirements
- determine the specific legal, regulatory, or contractual obligations that impact the scope of security controls
- Assets and Systems
- identify the critical assets, information systems, and data that need to be protected
- Interfaces and Dependencies
- consider the external interfaces and dependencies that impact the security of the organization’s systems and assets
- Business Processes
- analyze the business processes that require protection and evaluate their impact on the scope of security controls
What is Tailoring?
- customizing the security controls to suit the specific needs, risks, and characteristics of an organization
- recognizes that a one-size-fits-all approach may not be suitable or feasible for every organization
What are the Tailoring considerations?
- Risk Assessment
- conduct a risk assessment to identify and prioritize the specific risks faced by the organization
- Risk Appetite
- consider the organization’s risk appetite and tolerance levels when selecting and implementing security controls
- Business Requirements
- take into account the unique business requirements, operational needs, and objectives of the organization
- Cost and Feasibility
- evaluate the cost and feasibility of implementing certain security controls based on available resources, budget constraints, and technical capabilities
- Compliance Obligations
- consider any specific compliance obligations or industry-specific standards that impact the customization and implementation of security controls
- Emerging Threats and Technologies
- stay updated on emerging threats, vulnerabilities, and technological advancements to ensure that security controls remain relevant and effective
What is a data protection method?
techniques and technologies employed to safeguard data and prevent unauthorized access, loss, or misuse
What’s Digital Rights Management (DRM)?
managing and enforcing access controls and usage rights for digital content
What are Digital Rights Management (DRM) technologies used for?
protect copyrighted materials, such as music, movies, e-books, and software
What’s DLP?
- Data Loss Prevention
- set of technologies and practices designed to prevent unauthorized disclosure, leakage, or loss of sensitive data
- focuses on identifying, classifying, and monitoring sensitive information within an organization to ensure its protection
What are the functions of DLP?
- Data Discovery and Classification
- Policy Enforcement
- Data Leakage Detection
- Incident Response
What does CASB stand for?
Cloud Access Security Broker
What is CASB?
- security control technology that acts as an intermediary between cloud service users and cloud service providers
- helps organizations maintain security and control over data and applications stored in cloud environments
What are the security benefits that a CASB provides?
- Visibility and Monitoring
- Data Encryption and Tokenization
- Access Control and Authentication
- Threat Detection and Prevention
- Compliance and Policy Enforcement
What’s pseudonymization?
- uses pseudonyms to represent other data
- when performed effectively, it can result in less stringent requirements than would otherwise apply under GDPR
What type of encryption allows computation on data while it remains encrypted?
homomorphic encryption
What organization tracks data breaches?
Identity Theft Resource Center (ITRC)
What are the 2 types of DLP protection?
- network based
- endpoint based
What’s the reason personnel should never work on classified data on an unclassified system?
some OSes fill slack space with data from memory; if a user worked on a top secret file moments ago and then creates a small unclassified file, the small file might contain top secret data pulled from memory
What tools can be used to hide data within slack space?
bmap on Linux and Slacker on Windows
When is pseudonymization most useful?
when releasing a data set to a third party without releasing any private data to the third party
What’s anonymization?
- replaces private data with useful but inaccurate data
- data set can be shared and used for analysis purposes, but individual identities are removed
- is permanent
What’s the difference between scoping and tailoring?
- scoping focuses on security of the system
- tailoring assures that selected controls align with the business mission
- scoping is part of tailoring
How can a data retention policy help to reduce liabilities?
by ensuring unneeded data isn’t retained
An encryption key must be secured. In which location is the key most difficult to protect when it is kept and used there?
active memory, as the data needs to be decrypted to be used
What method provides the most complete list of connected devices for identifying all the active systems and devices on the network?
using network logs to identify all connected devices and track them from there
During what phase of the electronic discovery process does an organization perform a rough cut of the information gathered to discard irrelevant information?
Processing
What does an organization need to ensure in the Preservation phase of the electronic discovery process?
the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion
What happens in the identification phase of the electronic discovery process?
the identification phase locates relevant information but does not preserve it
What happens in the collection phase of the electronic discovery process?
the collection phase occurs after preservation and gathers responsive information
Which of the data management security controls is most likely driven by a legal requirement?
record retention policies define the amount of time to keep data, and laws or regulations often drive these policies