Domain 2 Flashcards
Data Lifecycle
Create > Store > Use > Share > Archive > Destroy
No classifying
Information Lifecycle
Create > Classify > Store > Use > Archive > Destroy
No sharing
Data Security Controls
(5 types)
- Marking, label, handle, Classify
- Handling
- Destruction
- Retention
- Tape Backup Security
Data Destruction Methods
(5 types)
- Erasing: performing the Delete operation (typically recoverable)
- Clearing (Overwrite): Preparing media for reuse and ensuring data can't be recovered
- Purging: More intense clearing, for reuse in less secure envs
- Degaussing: erasing via strong magnetic field
- Destruction: physically destroying media (Most secure)
Security Controls Baseline
Listing of controls that an org can apply as a baseline
Data Protection
Confidentiality is often protected through encryption at rest and in transport
Data Classification
Non-Government (public)
Class 3: Confidential / Proprietary
- Exceptionally severe damage
Class 2: Private
- Serious Damage
Class 1: Sensitive
- Damage
Class 0: Public
- No Damage
Data Classification
Government
Class 3: Top Secret
- Exceptionally severe damage
Class 2: Secret
- Serious Damage
Class 1: Confidential
- Damage
Class 0: Unclassified
- No Damage
Sensitive Data
Any info that is NOT public or unclassified
Personally Identifiable Info (PII)
any info that can ID an individual
Protected Health Info (PHI)
Health info related to a specific person
- Covered by HIPAA
Data Roles
Data Owner
Usually in Senior Mgmt. Can delegate some day-to-day duties. Cannot delegate total responsibility
Data Roles
Data Custodian
Usually in IT Dept. Does NOT decide which controls are needed, but implements them
TIP
If questions mention “day to day” duties, it means the custodian
Data Roles
Data Administrator
Grants access to personnel via RBAC
Data Roles
User
Anyone who accesses the data
Data Roles
Business / Mission Owner
Overlaps or is same as system owner
Data Roles
Asset Owner
Owns the asset that processes sensitive data and related security plans
GDPR Terms
Data Processor
Natural / legal person, public authority, agency, or body which processes personal data solely on behalf of the data controller
GDPR Terms
Data Controller
Person / entity that controls processing of the data
GDPR Terms
Data Transfer
GDPR restricts transfers to countries outside of EU
GDPR Terms
Anonymization
Removing all relevant data so it is impossible to ID original person
If done correctly, GDPR is no longer relevant
GDPR Terms
Pseudonymization
Using aliases to represent the data
- Can make less stringent regulations
- Use if you need the data, but reduce exposure
- Make sure the alias mapping is secured