Domain 2 Flashcards
Asset
An asset is any data, device, or other component of the environment that supports information or information system related activities.
The value of an Asset
The value of an asset is the worth of the asset to the owners, authorized users, and unauthorized users.
- Asset value can include the cost of liability or compromise.
The cost of an asset
The cost of an asset is the monetary value it takes to acquire, develop, maintain, or replace it.
Asset Classification purpose
The purpose of asset classification is to ensure that assets are properly identified and protected throughout their life-cycles.
Asset classifications inform handling instructions, control decisions, audit score, and regulatory compliance activity.
- Information assets are generally classified by content.
- Infrastructure and physical assets are generally classified by operational criticality.
Data Classification Schemas
- Government and Military
- Classifications for the private sector.
FIPS 199
Federal Information Processing Standard 199 (FIPS 199) requires that information and information systems be categorized as low, medium, or high security based upon confidentiality, integrity, and availability.
Government / Military Data Classifications.
- Top Secret (TS): Expected to cause exceptionally grave danger to national security.
- Secret (S): Expected to cause serious damage to national security.
- Confidential: Expected to cause damage to national security.
- Unclassified: No threat to national interest.
Sensitive but Unclassified (SBU)
US federal agencies use the Sensitive but Unclassified (SBU) designation when information is not classified but still needs to be protected and requires strict controls over its distribution.
Information System Asset
An information system asset is any data, device, or other component of the environment that supports information or information systems related activities.
- Information and information system assets should be assigned an owner and a custodian.
Asset Ownership Responsibilities
- Defining the asset.
- Assigning Value (AV).
- Classifying the asset.
- Confirming the level of protection required.
- Authorizing access rights and permissions.
- Authorizing disclosure.
- Ongoing governance.
Asset Custodian Responsibilities.
- Implementing protection mechanisms.
- Monitoring for problems or violations.
- Reporting suspected incidents.
Asset Management
Asset Management is a set of activities that focus on the protection, accounting, and integrity of infrastructure and physical assets:
Asset Management = Classification + Inventory + Configuration Management.
Inventory Management
Inventory Management is a set of policies, standards, and procedures used to maintain optimum inventory levels, track assets, and schedule replacements. Benefits:
- Tracking.
- Providing context for vulnerability and patch management.
Software Asset Management (SAM)
Software Asset Management (SAM) is the practice of managing the life-cycle of software assets within an organization. The two significant benefits of the SAM program are control and risk reduction.
Configuration Management (CM)
Configuration Management (CM) is a set of activities focused on establishing and maintaining the integrity of systems through control of the processes of initializing, changing, and monitoring the configurations.
Baseline Configuration.
A Baseline Configuration (BC) is a set of specifications for a configuration item (CI) that has been reviewed and agreed on (authorized) and that can be changed only through change control procedures.
Configuration Management
- Research | Plan.
- Approve Baseline Configuration.
- Assign CM version and update library.
- Implement.
- Configuration Changes.
- Monitor.
- Report.
- Repeat.
Commonly used privacy framework
OECD Privacy Principles.
Privacy Threshold Assessment
Used by organizations to identify PI and determine how to treat the data.
Information Life-Cycle.
- Collection.
- Use
- Retention / Archiving
- Deletion / Destruction
Information Retention
Retention is a protocol (set of rules) within an organization that dictates types of unaltered data that must be kept and for how long.
- Data retention strategies must be aligned with business and legal requirements
Data Archiving
Data Archiving is the process of securely storing unaltered data for later potential retrieval.
Legal Hold
A legal hold is the requirement for an organization to preserve all forms of relevant information when litigation, audit, or government investigation is reasonably anticipated. The objective is to avoid evidence spoliation.
eDiscovery
eDiscovery (also called electronic discovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.
Data Deletion
When a file is deleted, the corresponding entry in the Master File Table (MFT) is removed and the MFT entry is marked as ready to be re-used. The data for the file is separate from the MFT entry.
Data Remanence
Data Remanence is the residual representation of digital data that remains even after attempts have been made to delete or erase the data.
Secure Deletion
Secure Deletion ensures that the deleted file or file fragments cannot be retrieved and/or reconstructed.
Clearing
Clearing removes the data in such a way that it cannot be recovered using normal system functions or recovery utilities.
Purging
Purging is the removal of data in such a way that it cannot be reconstructed by any known technique.
Destruction
Destruction is the physical act of destroying media in such a way that it cannot be reconstructed.
Disk Wiping
Disk Wiping is a clearing technique that overwrites all addressable storage and indexing locations multiple times.
Degaussing
Degaussing is a purging technique that requires a machine or wand that produces a strong electromagnetic field which destroys all magnetically recorded data.
Destruction
Destruction is the physical act of destroying media in such a way that it cannot be reconstructed.
- Shredding: physically breaking media to pieces.
- Pulverizing: reducing media to dust.
- Pulp: Chemically altering media.
- Burning: Incinerating media.
Certificate of Destruction
Certificate of Destruction is issued by commercial services upon destruction of media (for example paper, CD/DVD, tape, and drives). The certificate should at a minimum include:
- Date of destruction.
- Description of media (including serial number, if appropriate)
- Method of destruction.
- Witnesses.
- Company name.
Data Management
Data Management is defined as the planning and execution of policies and practices that protect and, when possible, enhance the value of data throughout its life-cycle.
Data Ownership
Data Ownership refers to the responsibility for information, which includes decisions pertaining to, and oversight of, classification, controls, access, and authorization throughout the data life-cycle.
Scoping
Scoping instructs an organization how to apply and implement security controls (baselines).
Tailoring
Tailoring allows an organization to align common security controls within specific objectives.
Data Obfuscation
Data obfuscation is the act of making a data set difficult to find or understand.
Data Loss Prevention (DLP)
Data Loss Prevention (DLP) automated tools are designed to detect and prevent data exfiltration (unauthorized release or removal of data).
How does DLP technology work?
- DLP technologies locate and catalogue data based on a predetermined set of handling standards.
- DLP tools monitor target data while in use, in motion, and at rest.
Possible DLP Implementations
- Network-Based (on premise)
- Storage Based
- Endpoint based.
- Cloud-based (off-premise)
Labeling
Labeling is the vehicle for communicating the assigned classification to custodians, users, and applications.
- Labels make it easy to identify the data classification.
- Labels can take many forms: electronic, print, audio, or visual.
- Labels should be appropriate for the intended audience.
- Labels transcend institutional knowledge and provide stability in environments that experience personnel turnover.
Term given to the unauthorized release or removal of data.
Exfiltration
Handling standards are generally organized by?
Classification Level
These asset inventory applications are used to discover and document devices and characteristics such as services, users, and groups.
Enumeration Tools.
This type of assessment is used to identify personal information that has been acquired by the organization and to determine how to treat the data.
Privacy threshold assessment