Domain 2 - Asset Security Flashcards
what are the stages of the data lifecycle
- create/update
- store/classification
- use
- share
- archive
- destroy - data can't stay around longer than necessary. It creates risk and liability: it can be stolen, and it can be subpoenaed as evidence in legal actions
What are some data security controls
- marking, labeling, handling, classification - classification is the most important
- data handling - shipping, chain of custody, shipped media stays in sealed packaging (don't open boxes)
- data destruction - erasing, clearing (overwriting with unclassified data)
- record retention - if the retention policy is 1 year, the data should be destroyed when it ages out at 1 year
- tape backup security - secure offsite facility, tapes labeled, ensure everyone understands the classification of the data
what is a security control baseline
- provides a listing of controls that an organization can apply as a baseline
- a group of controls that can be applied as a base standard or starting point that we work from
when it comes to data protection, what can you use to guarantee confidentiality
encryption
should asset classification match data classification
yes
what is (PII) personally identifiable information
- any information that can identify an individual
- (name (non common), SSN, birthdate/place, biometric records, education, medical history, financial transactions, mothers maiden name, criminal or employment history, etc.)
what is (PHI) protected health information
health related information that can be related to a specific person (covered by HIPAA)
define Data owner/controller
- usually a member of senior management or the board
- accountable for the protection of data
- define level of classification - responsible for security decisions for DATA
- holds legal rights and defines policies
- can delegate some duties
- cannot delegate accountability
define data custodian
- usually a member of IT
- does not decide what controls are needed
- implements controls from the data owner
- grants permissions, monitors, data archive, backup and restore checks, etc.
- all of the above is done on behalf of the data owner
define data administrator
- responsible for granting appropriate access to personnel (often via RBAC - role-based access control)
define user
any person who accesses data via a computing system to accomplish work tasks
define business/mission owner
- senior executives make the policies that govern our data security
- can overlap with or be the same as the system owner
define system owner
- management level and owner of the systems that house the data
- often a data center manager or infrastructure manager
define security administrators
- responsible for firewalls, IPS, IDS, security patches, creates accounts
- grants access to data following the data owners direction
define supervisor
- responsible for user behavior and assets created by the users
- responsible for user awareness
- needs to inform the security administrator if there are any changes to user employment status, user access rights or any other pertinent changes to employees status
define asset owner
- owns assets or systems that process sensitive data and associated security plans
should each asset have an owner
yes, the owner is accountable for the protection of an asset
what do baselines define
the minimum security controls required for each classification level
define classification
a system of classes ordered according to value or sensitivity
example: public, proprietary, confidential is one possible set of three classifications an organization might use, with public being the least valuable and confidential the most valuable
what is labeling of an asset
- noting the classification of an asset on the asset itself
- the "what": what the classification is
example: putting a label on a backup tape noting that its top secret
what is marking of an asset
- the "how": how the asset should be protected based on its classification
- involves noting the handling instructions on the asset based on its classification
what is categorization
- the act of sorting assets into the defined classes
- its a process of putting assets into different classes
define data processor
- responsible for processing data on behalf of the owner
typical example: cloud service provider. they are storing and processing data on behalf of the owner
define data subject
- the individual to whom any personal data relates, its data about them
ways to protect data at rest
- encryption
- strong access controls - to make sure authenticated and authorized persons have access to data
- backups - to ensure data is not lost or destroyed
end to end encryption attributes
- a protection for data in motion
- the data is encrypted at the sender and remains encrypted through every node (switches, routers, firewalls, etc.) it passes on its way to the recipient
- it is only decrypted once it has reached the recipient; it is never in plaintext in transit
- typical example: a VPN tunnel (strictly, it is end to end only between the two tunnel endpoints; TLS between a client and a server is the cleaner example) - the downside is that the routing information (source and destination IP addresses) must stay in plaintext so the packet can be forwarded
- this does not provide anonymity
link encryption attributes
- encrypted and decrypted at every node
- the whole packet, including the header, is encrypted at the source and sent to the first node
- the first node decrypts the packet, reads the destination address, re-encrypts the packet and forwards it to the next node; this repeats at every hop
- advantage - routing information is hidden while the packet is on the link
- downside - the packet is in plaintext inside every node, so every node must be trusted; not the best choice for protecting the data itself
onion networks attributes
- provide confidentiality and anonymity
- the sender device predetermines the series of nodes (the circuit) that the packet will pass through on its way to the destination
- the sender encrypts the packet once for every node it will pass through, innermost layer for the last node
- each layer of encryption uses the key shared with one specific node; each node peels off only its own layer
- the last layer is removed only at the final node, so the data is never exposed at an intermediate node (the exit node still sees whatever the application sent, so use TLS on top if the destination must not be readable there)
- each node on the way only knows the previous hop and the next hop, never both the ultimate source and the ultimate destination
- no intermediate node has access to the inner layers
- downside is performance (every hop adds latency and a decryption)
example of an onion network: Tor (The Onion Router)
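The layering described above, as an added example that is not part of the flashcard deck or of Tor's own code. It builds a three-relay onion and lets each relay peel only its own layer: a relay learns the next hop and nothing else. The relays, keys, destination and payload are constructed for the example, and the SHA-256 counter-mode "cipher" is a stand-in for the AES-CTR keys a real circuit negotiates per relay.

```python
import hashlib
import json

# Toy stream cipher: SHA-256 in counter mode XORed with the data. Illustrative
# only (no integrity protection, not a vetted cipher); a real onion network such
# as Tor uses AES-CTR under keys negotiated with each relay during circuit setup.
def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


# Constructed circuit: three relays and a destination. Each relay shares one
# symmetric key with the sender (assumed to have been negotiated beforehand).
RELAYS = ["relay-A", "relay-B", "relay-C"]
KEYS = {name: hashlib.sha256(f"key-for-{name}".encode()).digest() for name in RELAYS}
DESTINATION = "example.test:443"


def build_onion(payload: bytes, path: list, destination: str) -> bytes:
    """Sender side: wrap the payload in one layer per relay, innermost layer for
    the last relay. Each layer carries only the *next* hop, so no single relay
    ever sees the whole path."""
    next_hop = destination
    packet = payload
    for relay in reversed(path):
        header = json.dumps({"next": next_hop}).encode() + b"\n"
        packet = _xor(KEYS[relay], header + packet)
        next_hop = relay
    return packet


def peel_layer(relay: str, packet: bytes) -> tuple:
    """Relay side: strip only this relay's layer. It learns the next hop and
    hands on the remaining (still encrypted) onion; the inner layers stay opaque."""
    inner = _xor(KEYS[relay], packet)
    header, _, rest = inner.partition(b"\n")
    return json.loads(header)["next"], rest


def route(packet: bytes, first_relay: str) -> tuple:
    """Forward the onion through the circuit. Returns (hops in order, including
    the final destination, payload as delivered)."""
    hops, hop = [], first_relay
    while hop in KEYS:
        hops.append(hop)
        hop, packet = peel_layer(hop, packet)
    return hops + [hop], packet


if __name__ == "__main__":
    onion = build_onion(b"GET / HTTP/1.1", RELAYS, DESTINATION)
    _, at_relay_b = peel_layer("relay-A", onion)
    print("relay-B learns next hop:", peel_layer("relay-B", at_relay_b)[0])
    print("circuit and delivered payload:", route(onion, "relay-A"))
```

Contrast this with link encryption: there every node would call the equivalent of a full decrypt, read the final destination and re-encrypt, so the plaintext and the whole route exist at each hop. Here relay-B's peel returns only "relay-C" plus ciphertext it cannot open.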
how to protect data in use
- good access controls
- potentially data loss prevention controls to monitor and control what users are doing with the data
- data in use cannot be encrypted in the traditional sense: it sits in plaintext in memory while it is being processed (confidential-computing enclaves and homomorphic encryption are the exceptions)
what is data archiving
- moving data that is no longer being used, to a cheaper storage solution for long term retention
- archived data is only kept as long as its useful or required by law
- protection of that data is in accordance with its classification
data destruction from best to worst
- burn it (incineration)
- shred/disintegrate, or drill a hole in the media - drilling leaves most of the platter intact, so with the right tools partial data can still be recovered
- degaussing - applying a very strong magnetic field to magnetic media like hard drives or tape (useless on SSDs and other flash) - sits between destruction and purging, since it usually renders the media permanently unusable
- crypto shredding - the data was encrypted with a strong algorithm such as AES-256 before it was written, and we then destroy every copy of the key (including escrowed and backed-up copies); this deck places it between purging and clearing, while NIST SP 800-88 counts a proper cryptographic erase as purging
- overwriting, wiping and erasure all refer to writing all zeros, all ones or some pattern to every sector of a storage device; it is classed as clearing because older research suggested data may survive overwriting, and on SSDs the overwrite never reaches remapped or over-provisioned blocks
- the worst method of destroying data is formatting the drive: a default (quick) format only rewrites the file system metadata and leaves most, if not all, of the existing data in place
3 types of defensible destruction in order from best down
- destruction
- purging
- clearing
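The destruction hierarchy above, as an added example that is not part of the flashcard deck. It models a tiny disk (constructed sector sizes and file table, not a real device) so that a quick format, an overwrite and a crypto shred can be compared against a forensic "carve" that ignores the file table and reads raw sectors. The keyed BLAKE2b per-sector keystream stands in for the AES-XTS a real full-disk encryption layer would use.

```python
import hashlib
import os

SECTOR_SIZE = 16     # toy sizes; real sectors are 512 or 4096 bytes
SECTOR_COUNT = 8


def _sector_pad(dek: bytes, sector_no: int) -> bytes:
    # Per-sector keystream: keyed BLAKE2b with the sector number as the nonce.
    # Illustrative only (no integrity protection); real full-disk encryption
    # uses AES-XTS, but the shredding logic is identical: no key, no plaintext.
    return hashlib.blake2b(sector_no.to_bytes(8, "big"), key=dek,
                           digest_size=SECTOR_SIZE).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyDisk:
    """Constructed model of a storage device: fixed-size sectors plus a file
    table. If a DEK is given, every sector is encrypted before it is written."""

    def __init__(self, dek: bytes = None):
        self.sectors = [bytes(SECTOR_SIZE)] * SECTOR_COUNT
        self.table = {}                  # name -> (length, [sector numbers])
        self.encrypted = dek is not None
        self.dek = dek

    def _free(self) -> list:
        used = {s for _, secs in self.table.values() for s in secs}
        return [s for s in range(SECTOR_COUNT) if s not in used]

    def write(self, name: str, data: bytes) -> None:
        if self.encrypted and self.dek is None:
            raise PermissionError("DEK destroyed: media can no longer be used")
        chunks = [data[i:i + SECTOR_SIZE].ljust(SECTOR_SIZE, b"\0")
                  for i in range(0, len(data), SECTOR_SIZE)]
        free = self._free()
        if len(free) < len(chunks):
            raise OSError("disk full")
        secs = free[:len(chunks)]
        for s, chunk in zip(secs, chunks):
            self.sectors[s] = _xor(chunk, _sector_pad(self.dek, s)) if self.encrypted else chunk
        self.table[name] = (len(data), secs)

    def read(self, name: str) -> bytes:
        length, secs = self.table[name]
        if self.encrypted and self.dek is None:
            raise PermissionError("DEK destroyed: ciphertext is unrecoverable")
        raw = b"".join(_xor(self.sectors[s], _sector_pad(self.dek, s)) if self.encrypted
                       else self.sectors[s] for s in secs)
        return raw[:length]

    def quick_format(self) -> None:
        """Worst option: only the file table is rewritten; sector contents stay."""
        self.table = {}

    def overwrite(self, passes: int = 1) -> None:
        """Clearing: rewrite every sector (random passes, then zeros).
        Caveat: on SSDs this never reaches remapped or over-provisioned blocks."""
        for _ in range(passes):
            self.sectors = [os.urandom(SECTOR_SIZE) for _ in range(SECTOR_COUNT)]
        self.sectors = [bytes(SECTOR_SIZE)] * SECTOR_COUNT
        self.table = {}

    def crypto_shred(self) -> None:
        """Cryptographic erase: destroy every copy of the DEK. Only meaningful
        if the data was encrypted before it was ever written to the media."""
        if not self.encrypted:
            raise RuntimeError("media was never encrypted; there is no key to destroy")
        self.dek = None


def carve(disk: ToyDisk, needle: bytes) -> bool:
    """Attacker / forensic view: ignore the file table and search raw sectors."""
    return needle in b"".join(disk.sectors)


if __name__ == "__main__":
    secret = b"SSN=123-45-6789 name=Jane Doe"     # constructed sample record
    d = ToyDisk()
    d.write("hr.txt", secret)
    d.quick_format()
    print("after quick format, SSN carved from raw sectors:", carve(d, b"123-45-6789"))
    d.overwrite()
    print("after overwrite:", carve(d, b"123-45-6789"))
    e = ToyDisk(dek=os.urandom(32))
    e.write("hr.txt", secret)
    e.crypto_shred()
    print("after crypto shred, SSN carved:", carve(e, b"123-45-6789"))
```

The point the model makes: formatting changes the table and nothing else, overwriting changes the sectors, and crypto shredding never needs to touch the sectors at all, which is why it is the only option that scales to cloud storage you cannot physically reach, provided the key was in use from the first write and no copy of it survives.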
define privacy
the state or condition of being free from being observed or disturbed by other people
what role do many regulations require the company to have
data controller - an owner for the privacy program who is accountable for the privacy controls within the organization
what is the main thing we are protecting from a privacy perspective
personal data - information that can be used on its own or in combination with other data to identify an individual
what are 4 ways different laws can refer to personal information
- PII - personally identifiable information
- SPI - sensitive personal information
- PHI - protected health information
- PI - personal information
what are direct identifiers and some examples
something that can identify an individual on its own.
examples: government IDs, social insurance numbers, social security numbers, driver's license numbers, passport numbers, bank account numbers, phone numbers, biometric data, etc.
what are indirect identifiers and examples
identifiers that on their own are not able to identify an individual but if you have enough indirect identifiers you can uniquely identify an individual
examples: age, gender, ethnicity, the state someone lives in, zip code or postal code etc.
what are online identifiers and examples
identifiers tied to a person's online accounts, devices or sessions
examples: email address, IP addresses, cookies
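The three identifier kinds above, as an added example that is not part of the flashcard deck. It scans free text for direct and online identifiers, then shows on a constructed dataset how indirect identifiers that are harmless alone (age, gender, ZIP) combine to single people out, measured as k-anonymity: the smallest group of records sharing the same combination. The regexes, the record set and the generalization rules are all assumptions made for the example.

```python
import re
from collections import Counter

# Direct identifiers point at one person on their own; online identifiers are
# tied to a person's accounts or devices. Patterns are simplified (constructed
# for this example), so treat matches as a signal, not a proof.
DIRECT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}
ONLINE_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
QUASI_FIELDS = ("age", "gender", "zip")   # indirect identifiers in the records below


def classify_text(text: str) -> dict:
    """Return which identifier kinds appear in a block of free text."""
    return {
        "direct": sorted(k for k, p in DIRECT_PATTERNS.items() if p.search(text)),
        "online": sorted(k for k, p in ONLINE_PATTERNS.items() if p.search(text)),
    }


def k_anonymity(records: list, fields: tuple) -> int:
    """Smallest number of records sharing one combination of the given
    quasi-identifier values. k == 1 means at least one person is unique."""
    groups = Counter(tuple(r[f] for f in fields) for r in records)
    return min(groups.values())


def uniquely_identified(records: list, fields: tuple) -> list:
    """Names of people whose quasi-identifier combination appears only once."""
    groups = Counter(tuple(r[f] for f in fields) for r in records)
    return [r["name"] for r in records if groups[tuple(r[f] for f in fields)] == 1]


def generalize(record: dict) -> dict:
    """Coarsen indirect identifiers (age to a decade, ZIP to its 3-digit prefix)."""
    return {**record, "age": f"{record['age'] // 10 * 10}s", "zip": record["zip"][:3] + "**"}


# Constructed dataset: 'name' is a direct identifier, the rest are indirect.
RECORDS = [
    {"name": "Ann", "age": 34, "gender": "F", "zip": "02139"},
    {"name": "Bob", "age": 34, "gender": "M", "zip": "02139"},
    {"name": "Cid", "age": 41, "gender": "M", "zip": "02139"},
    {"name": "Dee", "age": 41, "gender": "F", "zip": "02142"},
    {"name": "Eve", "age": 41, "gender": "F", "zip": "02142"},
    {"name": "Fay", "age": 34, "gender": "F", "zip": "02142"},
    {"name": "Gus", "age": 38, "gender": "M", "zip": "02142"},
    {"name": "Hal", "age": 45, "gender": "M", "zip": "02139"},
]

if __name__ == "__main__":
    print(classify_text("ticket from ann@example.test (10.0.0.7), SSN 123-45-6789"))
    print("k with zip only:", k_anonymity(RECORDS, ("zip",)))
    print("k with age+gender+zip:", k_anonymity(RECORDS, QUASI_FIELDS))
    print("unique people:", uniquely_identified(RECORDS, QUASI_FIELDS))
    print("k after generalizing:", k_anonymity([generalize(r) for r in RECORDS], QUASI_FIELDS))
```

With ZIP alone every group has four people; adding age and gender drops k to 1 and six of the eight records become unique even though the names were removed. Generalizing the indirect identifiers brings k back up to 2, which is the usual de-identification trade-off between utility and re-identification risk.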
name this data lifecycle stage:
new data is generated or existing data is altered, updated or modified in some way
data creation/update
what happens in the store stage of the data lifecycle
data is committed to some sort of storage repository, such as memory, a hard drive or a database
what is the 3rd stage of the data lifecycle and what happens in it
- use stage
- this is where people or processes are "using" the data: viewing, processing or otherwise consuming it, but not modifying it (modification belongs to the create/update stage)
explain the sharing stage of the data lifecycle
this is where we think about who the data can be shared with under what circumstances and with what controls in place
what happens in the archive stage of the data lifecycle
- this is where data is moved to cheaper long-term storage (usually tape, sometimes some form of cloud storage)
- that data should be retained only as long as necessary based on the retention policy