Domain 2: Asset Security Flashcards
Considerations for an asset's value
Value to the organization, loss if compromised, legislative drivers, liabilities, value to competitors, acquisition costs, etc.
Data Classification
Development of sensitivity labels for data and the assignment of those labels, for the purpose of configuring a baseline security configuration based on the value of the data
3 C’s for Classification
Cost (Value)
Classify (Criteria for classification)
Controls (Determining the baseline security config for each)
Who determines data classification
Data owner
Who maintains the data
Data Custodian
Sensitivity
Amount of damage that would be done should the information be disclosed
Criticality
Time sensitivity of the data. Usually driven by an understanding of how much revenue a specific asset generates; without that asset, revenue is lost
States of Data
Data at rest, in process, in transit
Data at rest
Data that is being stored, often encrypted
How it is secured: file system encryption, EFS, TPM
Data in Process
Data that is being used
How it is secured: no easy way; could be encrypted in RAM
Data In Transit
Data moving across the network
How it is secured: SSL/TLS, IPSec, SSH
Unauthorized usage/access
Prevention: strong authentication, encryption, obfuscation, anonymization, tokenization, masking, organizational policies and layered defense
Liability due to noncompliance
Prevention: Due care and due diligence, Service Level Agreements (SLAs)
DoS and DDoS
Prevention: Redundancy and data dispersion
Corruption, modification, destruction of data
Prevention: hashes/digitally signed files