D2. Asset Security Flashcards
This is a critical first step toward ensuring the security of your systems and data.
Identifying and classifying information assets
These are the foundational steps in establishing an information security asset management program.
- Creating an inventory of what assets an organization has
- Where the assets are located
- Who is responsible for the assets
Is the process of organizing data into groups or categories that describe the data’s sensitivity, criticality, and value.
What is data classification?
A cornerstone of data security and risk management, this helps to determine the security controls necessary to manage and safeguard the confidentiality, integrity, and availability of data.
What is data classification?
What are the three (3) primary steps of data classification?
- Context-based
- Content-based
- User-based
Derived from metadata like ownership, location, or other values that can indirectly indicate sensitivity or criticality.
What is context-based?
Derived by inspecting the contents of files and directly identifying sensitive data, rather than inferring it from metadata.
What is content-based?
Involves manual assignment of data classification and is based on the user’s understanding of the data and your organization’s classification scheme.
What is user-based?
Generally considered the highest level of classification outside of government or military organizations. The loss of this data can cause serious risk to the organization.
What is confidential classification scheme?
Losing this data will raise the risk to the organization, even if it is just reputational damage (strategy documents or inter-organizational correspondence can be considered sensitive).
What is sensitive classification scheme?
Usually compartmental data that might not do the company damage but must be kept private for other reasons (employee renting statistics and salary ranges).
What is private classification scheme?
Data that is disclosed outside the company on a limited basis or contains information that could reduce the company’s competitive advantage, such as technical specifications of a new product.
What is proprietary classification scheme?
Data that if lost would have little or no impact to the company.
What is public classification scheme?
Other labels used to designate documents (but not considered classifications).
For Official Use Only (FOUO) and Limited Official Use
Is the process of grouping types of data with comparable sensitivity labels.
What is data categorization?
Identifying the sensitivity, criticality, and value of the information systems and assets that store, process, and transmit that data, as well as the data itself.
What is asset classification?
Involves grouping assets based on their relative level of sensitivity and the impact to the organization should the assets be compromised.
What is asset classification?
What are the major benefits of classification?
- Accurate asset inventory
- Insight into the environment
- Optimize change, vulnerability, and management programs
- Maintenance windows
- Security controls and segmentation
- Protection of sensitive data
- Identify rogue assets
- Understand potential risks posed by vulnerabilities
- Identify proprietary assets and intellectual property
- Forecast cost
- Compliance and Regulation controls
Assets should be identified and controlled based on their level of.
What is sensitivity?
While data classification is the most important element on a data label, asset labels may contain other information, such as.
- Title of the asset
- Data owner
- Data retention period (if applicable)
This helps keep asset handling efficient and cost-effective.
What is marking and labeling of public data or unclassified information?
This aids by using digital marking to identify and prevent sensitive information from leaking out of an organization.
What is Data Loss Prevention (DLP)?
These are critical to your organization’s overall asset security management.
What are handling and storage guidelines?
What are the considerations for data storage?
- Encryption
- Limiting the volume of data retained
- Backups
The process of modifying the assigned classification of an asset to a lower level of sensitivity.
What is declassification?
Methods to declassify assets include.
What is de-identification and tokenization?
The process of removing information that can be used to identify an individual (PII).
What is Data de-identification?
The data de-identification process involves taking any personally identifying data fields and converting them to.
What is masked, obfuscated, encrypted, or tokenized data fields?
Is the process of substituting a sensitive data element with a nonsensitive set of characters or numbers called a token.
What is tokenization?
This is the source to trust, if there is a conflict between what the tools are reporting, and also the source used for official reports and other data requests, such as part of an audit.
What is the system of record?
What are the components of a typical asset management lifecycle?
- Strategy
- Plan
- Design
- Procure
- Operate
- Maintain
- Modify
- Dispose
Activities critical to implementing a formal asset management program include.
- Assignment of ownership
- IT asset management
- Configuration management
- Change management
Is a set of business practices related to governing and maintaining IT assets, including hardware, software, data, and related processes.
What is Information technology asset management (ITAM)?
The International Standards Organization (ISO) has established this official set of standards related to ITAM.
What is the ISO 19770 family of standards?
The ISO 19770 family of standards consists of:
ISO/IEC 19770-1: Best practices and demonstrate compliance
ISO/IEC 19770-2: Software identification (SWID)
ISO/IEC 19770-3: Common terminology for describing software entitlement rights, limitations, and metrics
ISO/IEC 19770-4: Standardize reporting of resource utilization
ISO/IEC 19770-5: Overview of ITAM and defines vocabulary
Related to asset management and asset security, this keeps inventory current; system and software configurations must be controlled and documented.
What is configuration management?
Identifies the version and settings of all configuration items (CI) in a product, system, or subsystem; and answers the question ‘what do I need to build the system correctly?’
What is a system baseline?
Is a minimum set of safeguards required to protect a given system.
What is a security baseline?
This enables validated security products to automatically perform configuration checking using NCP checklists.
What is Security Content Automation Protocol (SCAP)?
An IT discipline focused on ensuring that organizations employ standard processes to make changes to their assets, and prevent arbitrary and unexpected modifications to their hardware and software inventory.
What is Change management?
What are the stages of the data lifecycle?
- Collect
- Store
- Use
- Share
- Retain
- Destroy
This is when data is generated or aggregated.
What is collect?
Term used when data is saved into a storage system or repository.
What is store?
Term used when data is processed and/or analyzed, by users or systems, for its intended purpose.
What is use?
Term used when data is shared with authorized external users and systems.
What is shared?
Term used when data is kept (archived) for a predefined period of time.
What is retain?
Term used when data is deleted and permanently removed from storage, making it inaccessible and unusable.
What is destroy?
A high-level process that describes how data can flow through an organization.
What is data lifecycle?
This is an individual or group of individuals responsible for dictating how and why data should be used, as well as determining how the data must be secured.
What are data owners?
Data owners (information owner/steward) have complete control over information and can/be
- Responsible and accountable for their data
- Held liable for negligence
- By the organization’s data policy, authorized to use, collect, share, and store
- Set access protection rules
- In collaboration with information system owners, determine security controls for access and use in the system
Using reasonable measures and efforts to protect assets deemed valuable or assigned sensitivity levels, is referred to as?
What is due care?
Term used to describe taking all expectable or practical steps to maintain due care, including verifying that everything is being done as intended by due care.
What is due diligence?
This is the person, agency, company, or other body that, alone or jointly with others, determines the purpose and means of data processing.
What is the data controller?
Data controllers negotiate privacy protections for personal data with data processors via secure contractual terms and assurances, called
What is a data processing agreement?
Is responsible for maintaining data on the IT infrastructure, in accordance with requirements established by the data owner and the business.
What is a data custodian?
Party responsible for transferring, transmitting, or otherwise handling data on behalf of a data owner is?
What is a data processor?
The data processor performs data manipulation on behalf of this role.
What is data controller?
This is the customer or intended recipient of data. The party who consumes that data.
What are users?
Identified or identifiable natural people from whom or about whom information is collected.
What are data subjects?
Notifying a user how the information collected will be used (consent), and that data about a nation’s citizens or residents must be deleted from foreign systems before being removed from systems in the data subject’s nation, is referred to as.
What is data location?
What are the six steps of the data lifecycle?
- (Consent) - collect
- Store
- Use
- Share
- Retain
- Destroy
This involves all manner of processing, analyzing, and sharing data.
What is use?
Process of continuously monitoring your data and applying principles like least privilege and defense in depth.
What is data maintenance?
Term used regarding considerations made for how long data will be retained before being securely destroyed.
What is data retention?
Final stage of the data lifecycle, often neglected, by regulation or for functionality, this term refers to the process to remove data.
What is data destruction?
This occurs when data destruction efforts were insufficient to prevent the reconstruction of the data.
What is data remanence?
This is when the data is no longer needed and the key is deleted, so the data is rendered unusable or unreachable.
What is cryptographic erasure?
This is the guideline for media sanitization
What is NIST SP 800-88?
To achieve a level of assurance of adequate asset sanitization, the following techniques can be used:
- Cleansing (digitally wiping data)
- Purging (degaussing)
- Destruction (shredding, burning, or pulverizing)
You would use these requirements for specific techniques to achieve the desired level of assurance in sanitization
- Zeroing (erase and overwrite with zeros)
- Overwriting (random passes of 0 and 1 combinations to overwrite previous data)
- Degaussing (magnetic media is erased)
This article is commonly referred to as the right to be forgotten
What is EU GDPR’s Article 17 - The Right to Erasure?
Security controls are based on these:
- Classification of the asset
- Data state
- Compliance requirements
- Industry standards
What are the three categories of control?
What are technical controls, administrative controls, and physical controls?
Security controls (technical, administrative, and physical) have applicable types of controls described as?
- Deterrent
- Preventative
- Detective
- Corrective
- Recovery
These are examples of data states
- At rest
- In motion
- In use
Data that is stored on a system and not actively being written to, read from, transmitted, or otherwise processed.
What is data at rest?
This is a common form of security control for data at rest, and can be employed across an entire volume of storage
What is full-disk encryption?
This is a microcontroller chip integrated into the computer hardware that provides a crypto processor
What is Trusted Platform Module (TPM)?
This is a hard disk drive or solid state drive that automatically encrypts and decrypts drive data without the need for additional encryption software
What is self-encrypting drive (SED)?
This refers to data that is actively being transmitted across a network, between multiple networks, or from one location to another. Also described as data in motion.
What is data in transit?
These technologies help secure data in transit
What are transport layer security, HTTPS, and virtual private networks (VPN)?
This is a method of data-in-transit security in which the traffic is encrypted and decrypted at each network routing point
What is link encryption?
This type of system of communication ensures that only the sender and recipient can read the data
What is end-to-end encryption?
This term refers to data that is actively being processed by an application being used by a user
What is data in use?
Establishing a baseline of security controls begins with.
What is the scoping and tailoring process?
Is the process the organization undertakes to consider which security controls apply and what assets they need to protect.
What is scoping?
Is the process of modifying the set of controls to meet the specific characteristics and requirements of the organization.
What is tailoring?
This control augments a primary control’s ability to achieve a control objective or replace the primary control to meet the given control objective
What are compensating controls?
The minimum set of security controls that are required is referred to as
What is security baseline?
These controls are based on specific threats or regulatory requirements of an organization or an industry
What are supplemental controls?
A collection of documented policies and procedures that define how to manage an enterprise’s security
What is a security framework?
Is a set of tools and processes focused on controlling the use, modification, and distribution of intellectual property (IP) throughout its life-cycle.
What is digital rights management (DRM)?
Is a related technology that more broadly protects data from unauthorized access by controlling who can view, copy, delete, or otherwise modify data.
What is information rights management (IRM)?
Sometimes referred to as data leakage prevention, is the set of technologies and practices used to ensure that sensitive data is not lost or accessed by unauthorized parties.
What is Data Loss Prevention (DLP)?
Data Loss Prevention consists of these three core stages
- Discovery (finding all instances of data) and classification (act of categorizing that data based on its sensitivity and value)
- Monitoring (inspecting data as it moves throughout the life-cycle)
- Enforcement (actions taken to prevent policy violations identified during the monitoring stage)
This is a software application that sits between cloud users and cloud services and applications; it actively monitors all cloud activity and implements centralized controls to enforce security.
What is Cloud Access Security Broker (CASB)?
CASB aims to serve these four primary functions:
- Visibility
- Data security
- Threat protection
- Compliance
What are the three primary types of CASB solutions?
- Forward proxy
- Reverse proxy
- API-based