D2_Sensitive Information and Media Security Flashcards
Data has 3 States:
- Data at Rest (stored data):
This is data on disks, tapes, CDs/DVDs, USB sticks.
We use disk encryption (full/partial), USB encryption, tape encryption (avoid CDs/DVDs).
Encryption can be hardware or software encryption.
- Data in Motion (data being transferred on a network):
We encrypt our network traffic, end to end encryption, on both internal and external networks.
- Data in Use (we are actively using the files/data; it can't be encrypted):
Use good practices: clean desk policy, print policy, allow no 'shoulder surfing', possibly view-angle privacy screens for monitors, locking the computer screen when leaving the workstation.
Mission/business owners:
Senior executives make the policies that govern our data security.
Data/information owners:
Management level, they assign sensitivity labels and backup frequency.
This could be you or a data owner from HR, payroll, or other departments.
Data custodians:
These are the technical hands-on employees who do the backups, restores, patches, and system configuration. They follow the directions of the data owner.
System owners:
Management level and the owner of the systems that house the data.
Often a data center manager or an infrastructure manager.
Data controllers and data processors:
- Controllers create and manage sensitive data in the organization (HR/Payroll)
- Processors manage the data for controllers (Outsourced payroll).
Security administrators:
Responsible for firewalls, IPSs (Intrusion Prevention Systems), IDSs (Intrusion Detection Systems), security patches, creating accounts, and granting access to the data following the data owners' directions.
Supervisors:
Responsible for user behavior and assets created by the users. Directly responsible for user awareness; they need to inform the security administrator of any changes to user employment status, user access rights, or any other pertinent changes to an employee's status.
Users:
These are the users of the data. Users must receive awareness training; they need to know what is acceptable and what is not, and the consequences of not following the policies, procedures, and standards.
Auditors:
Responsible for reviewing and confirming that our security policies are implemented correctly, that we adhere to them, and that they provide the protection they should.