Data Classification Flashcards
What is the most important step in properly handling and controlling data?
Assigning responsibilities according to who has possession and legal ownership of it, which are usually associated with named roles.
What role collects and creates the data?
Data owner
Who is usually the data owner?
Cloud customer
Many international treaties/frameworks refer to the data owner as…
The data controller
Who is the person/entity tasked with daily maintenance and administration of the data?
Data custodian
The _____ applies the proper security controls and processes as directed by the data owner.
data custodian
Who might be the data custodian?
Database administrator
Who is tasked with ensuring the data’s context and meaning are understood and data is used properly?
Data stewards
Who manipulates, stores, or moves data on behalf of the data owner?
Data processor
Copying, printing, destroying, and utilizing data is called…
Processing
From an international perspective, who is the data processor?
The Cloud Provider
T/F Data processors can be third parties.
True
______ remain legally responsible for all data they own.
Data owners
T/F System owners are always data owners.
False - not necessarily
- Regulatory compliance
- Business function
- Functional unit
- Project
All drive _____
Data categorization
Who is in the best position to categorize the data?
Data owners
Who is responsible for data classification?
Data owner
Data classification types:
- Sensitivity
- Jurisdiction
- Criticality
Data classification is often based on…
Organizational policies
What is it called when data shared between orgs must be normalized and translated so that it’s meaningful to both parties?
Data mapping
Data classifications and labels are carried through mapping to ensure…
That data used in another context does not lose its security controls and oversight.
- Date of creation
- Date of scheduled destruction/disposal
- Confidentiality level
- Handling directions
- Dissemination/distribution instructions
- Access limitations
- Source
- Jurisdiction
- Applicable regulation
Information a label includes
Why are labels often used as part of data management tools?
For lifecycle and security controls.
What is a key technology component and capability in the data lifecycle?
Automated labeling
What helps an org track where their data is flowing, what ports/protocols are in use, how data is secured, and what controls are in place?
Data flow diagrams
What is it called when an org is creating an initial data inventory, doing electronic discovery, or using data mining tools to discover trends in data already in the inventory?
Data discovery
What is a listing of traits and characteristics about specific data elements or sets?
Metadata
Data sorted by meaningful attributes.
Structured data
Relational databases are a type of _______?
Structured data
Unsorted data, like email content, is considered ______?
Unstructured data
T/F It’s easier to perform data discovery on unstructured data.
False - easier on structured data b/c it’s already arranged.
________ uses tags or other elements to create fields and records w/in data w/out requiring rigid structure.
Semi-structured data
What are some examples of semi-structured data?
XML and JSON
What two things are key to designing and securing data discovery and usage models?
Understanding how data will be used and analyzed.
Data mining, real-time, and business intelligence.
3 types of data analytics methods
The actions that authorized users can take and how those rights are set, applied, modified, and removed.
Data rights
What rights are critical to ensuring that use of IRM does not disrupt the business while still being effective?
Provisioning
What describes what can/cannot be done with data and who can/cannot perform certain actions?
Access Models
_____ describe the rights a user has to content and _____ are used to validate the identity of the user/computer.
Licenses and certificates
- Rudimentary reference checks
- Online reference checks
- Local agent checks
- Support-based licensing
4 ways IRM can be applied
- Replication restrictions
- Jurisdictional conflicts
- Agent/enterprise conflicts
- Mapping identity and access management (IAM and IRM)
- API conflicts
Challenges faced by employing IRM in the cloud
- Persistent protection
- Dynamic policy control
- Automatic expiration
- Continuous auditing
- Replication restrictions
- Remote rights revocation
Things IRM should provide, regardless of content/format
What is an ACL?
Access control list
Retention periods are often expressed in days for _____ and years for _____.
Ephemeral data (logs) and business data
- Retention periods
- Regulation and compliance
- Data classification
- Retention
- Data deletion
- Archiving and retrieval
- Monitoring, maintenance, and performance
Things data retention policies should address.
Who will delete the data, requirements for deletion, procedure documentation to show how secure deletion occurs/is validated, and compliance/legal requirements.
Things policies for data deletion should specify
_____ involves identification/collection/production of data related to a case, and _____ ensure data required for a case is collected and preserved.
E-discovery and legal holds
A legal hold occurs when an organization is notified that:
- A law enforcement/regulatory entity is commencing an investigation
- A private entity is commencing litigation against the org
What rule dictates that a legal hold notice has primacy, even over federal laws like HIPAA?
Federal Rules of Evidence
What can be used to regularly review, inventory, and inspect the usage and condition of owned data?
Data audit
Audit periods/scope/responsibilities, processes/procedures, regulations, and monitoring/maintenance/enforcement are things to consider when conducting _____.
Data audits
- It’s not often a priority.
- It’s mundane/repetitive.
- Reviewer needs to understand the operation.
- It’s expensive.
Challenges in reading and analyzing logs
What are the 3 areas to consider for audit mechanism planning and implementation in cloud environments?
- Log collection
- Log correlation
- Packet capture
You can only perform packet capture in what environment?
IaaS
- Physical destruction
- Degaussing
- Overwriting
- Crypto-Shredding
On-premise data destruction options
What is the only data destruction option in the cloud?
Crypto-shredding
- Process for disposal
- Applicable regulations
- Clear direction on when data should be destroyed
3 things a data disposal policy should include
Encrypting data with a strong encryption engine, then encrypting those keys with a different encryption engine, and then destroying those keys is called?
Crypto-shredding
What allows data to be destroyed while leaving media intact by using multiple passes of random characters written to the location where the data resides?
Overwriting
Applying strong magnetic fields to hardware and media where data resides is called?
Degaussing
T/F Degaussing does not work with solid-state drives like SSD, flash media, and thumb drives.
True
Destroying data by burning, melting, impact, or industrial shredding is called?
Physical destruction of media and hardware
T/F Hardware/media can always be sanitized by simply deleting the data?
False - deleting doesn’t erase data, it just removes the logical pointers to the data
In SaaS and PaaS environments, data destruction can only be approached through:
Contractual requirements
What is data left over after sanitization and disposal methods have been attempted?
Data remanence