Domain 2. Asset Security Flashcards
Highest Level government Data Classification Label
Top Secret
Common data classification label NOT used in government
Confidential
Data Owner
Management level; they assign sensitivity labels and backup frequency.
This could be you or a Data Owner from HR, Payroll or other departments.
Often the same as System Owner
Mission/Business Owner
Senior executives make the policies that govern our data security.
System Owner
Management level and the owner of the systems that house the data.
Often a Data Center Manager or an Infrastructure Manager.
Often the same as Data Owner
Data Custodian
Technical, hands-on employees who carry out the day-to-day work on the data.
Follow directions of Data Owner
Data Users
Data User is any employee, contractor or third-party provider who is authorized by the Data Owner to access information assets.
Data Controller
Same as Data Owner when Data Owner doesn’t exist.
Data Processor
Processors manage the data for Controllers. Often a third party, e.g. an outsourced payroll provider.
Only approved way to deal with Top Secret data when no longer needed.
Destruction
Does Asset Handling and Management include phishing training/employee education?
YES
Who is responsible for ensuring due diligence and due care is followed?
Generally the data owner
NGO data classifications
Public
Sensitive
Private
Confidential
EOL vs EOS
End of Life vs End of Support.
End of Life: Manufacturer no longer produces a product for sale.
End of Support: Manufacturer no longer supports the product or provides replacement parts, patches, or updates.
EOS or EOSL
EOS (end-of-support) and EOSL (end-of-service-life) are synonymous terms used to describe a product or solution that is no longer actively supported by its manufacturer.
Tailoring sec controls vs Scoping sec controls
Tailoring is customizing a set of existing security controls to align with an organization’s mission and objectives.
Scoping is reviewing and selecting initial security controls for a new information system.
NIST 800-53
NIST SP 800-53 is a set of standards that federal agencies are required to meet. NIST SP 800-53 was created in response to the passage of the Federal Information Security Management Act (FISMA).
Security and Privacy Controls for Information Systems and Organizations
Anonymization
Anonymization is the process of removing data to the point that it is impossible to identify the subject(s). This is most effective with large data sets with many categories. Anonymization cannot be reversed, so a secondary data set cannot be used to retrace the steps of the anonymization process. What sets it apart is that it is irreversible: the technique requires shuffling a large data set, and no database exists to link the randomized data back to the original subject(s).
Tokenization
Tokenization replaces sensitive data with a string of characters or a token. The original data is held by a third party but NOT retrievable.
Pseudonymization
Replaces data with a pseudonym or alias to protect privacy.
A separate database holds the actual identities and mappings to the pseudonym.
Military and Government data classifications
Unclassified
Sensitive but Unclassified
Confidential
Secret
Top Secret
Private/Civilian data classifications
Public
Sensitive
Private
Confidential
Kerckhoffs’s principle
Kerckhoffs’s principle is often described as “the enemy knows the system.” It assumes that everything about a cryptographic system is public knowledge except for the key.
Marking/Labeling
Marking and Labeling is when the classification level is physically added to the document or media.
Blowfish
Symmetric
Blowfish was invented by Bruce Schneier who chose not to patent it, but made it available for free, public use. Blowfish has a fixed block size of 64 bits and a variable key size anywhere from 32-448 bits. Blowfish uses 16 rounds of encryption, regardless of key length.
Poodle attack
In 2014, an attack known as the Padding Oracle On Downgraded Legacy Encryption (POODLE) demonstrated a significant flaw in the SSL 3.0 fallback mechanism. SSL is considered insecure and should be replaced by a new version of TLS.
Should PII be classified as Confidential?
Personally identifiable information (PII) generally does not help a company maintain a competitive edge over other companies. PII should be classified as Private, not Confidential.
TO DO - review: CISSP All-in-One Exam Guide, 8th Edition. Pg 198-201.
CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 182-185.
NIST SP 800-122
PII
Guide to protecting PII
NIST SP 800-124
Guidelines for Managing the Security of Mobile Devices in the Enterprise
NIST SP 800-171
Protecting controlled unclassified info in nonfederal info systems and orgs.
Used by non-government orgs when contracted by the US federal government.
Data Protection Directive (DPD)
Non-enforceable predecessor to the GDPR
The Data Protection Directive (DPD) was not directly enforceable, forcing every European state to create its own individual laws pertaining to data privacy. This ultimately led to the United States creating its Safe Harbor Privacy Principles to comply with this European directive.
GDPR
General Data Privacy Requirement. Enacted in 2018.
Tagging
Technique to attach additional information about a file, i.e. date of creation, creator, purpose, disposal timelines, etc.
e-Discovery
Electronic discovery (e-Discovery) is a term used to describe the process of identifying and producing electronically stored information (ESI) requested by a court subpoena.
Legal hold (AKA litigation hold)
Legal request that information is not destroyed.
Intangible Asset
Asset that you can’t touch. ALSO includes copyrights, trademarks, patents, and similar intellectual property.
Tangible Asset
Asset that you can touch.
Cryptoshredding
Secure data destruction process.
Delete data, overwrite with junk, encrypt the junk, throw away the encryption key.
NIST 800-37
NIST SP 800-37 introduces the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations.
Sanitization
Sanitization is a process that completely removes data or renders it impossible to recover from media. Sanitization can include the destruction of the media.
This is a parent term for all data removal methods.
Baseline
A baseline is the minimum level of acceptable security applied to a system. Baselines are used to standardize security levels across multiple systems.
Guidelines
Guidelines are recommended actions or behaviors if a standard does not apply.
Standards
Standards document, in detail, the security requirements for a subset of technology. Standards are generally referenced by and enforced in a separate security policy.
CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 24-25.
Procedure
Procedures are step-by-step instructions to accomplish a task.
Policy
Policies are high-level documents that align security objectives with business objectives.