Domain 2 - Asset Security Flashcards
Sensitive Data
Sensitive data is any information that isn’t public or unclassified. It can include confidential, proprietary, protected, or any other type of data that an organization needs to protect due to its value to the organization, or to comply with existing laws and regulations.
Personally Identifiable Information (PII)
Personally identifiable information (PII) is any information that can identify an individual.
E.g., name, social security number, date and place of birth, mother’s maiden name, or biometric records.
Protected Health Information (PHI)
Protected health information (PHI) is any health-related information that can be related to a specific person. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of PHI.
E.g., health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.
Proprietary Data
Proprietary data refers to any data that helps an organization maintain a competitive edge. It could be software code it developed, technical plans for products, internal processes, intellectual property, or trade secrets.
Protected to an extent by copyright, patent, and trade secret laws.
Top Secret
Grave Damage to National Security
Secret
Serious Damage to National Security
Confidential
Damage to National Security
Unclassified
Does not meet the description for the other three.
Available to anyone with a Freedom of Information (FOI)
Classification Authority
The entity that applies the original classification to the sensitive data. Strict rules identify who can do so.
Confidential Email
- Can only be viewed, not saved
- Email content can’t be copied and pasted into other docs
- Emails can’t be printed
- Forwarded emails can’t be opened
- Only to recipients in the org
Why do we manage Sensitive Data
The key goal is to prevent data breaches.
Handling Sensitive Data
Refers to the secure transportation of media through its lifetime.
Storing Sensitive Data
AES-256. Use heating, ventilation, and air conditioning (HVAC).
Data Remanence
Data remanence is the data that remains on a hard drive as residual magnetic flux.
Removing Data Remanence
One way to remove data remanence is with a degausser. A degausser generates a heavy magnetic field, which realigns the magnetic fields in magnetic media such as traditional hard drives, magnetic tape, and floppy disk drives.
Degaussers using power will reliably rewrite these magnetic fields and remove data remanence. However, they are only effective on magnetic media.
Erasing
Erasing media is simply performing a delete operation against a file, a selection of files, or the entire media
Clearing
Clearing, or overwriting, is a process of preparing media for reuse and assuring that the cleared data cannot be recovered using traditional recovery tools. When media is cleared, unclassified data is written over all addressable locations on the media.
Purging
Purging is a more intense form of clearing that prepares media for reuse in less secure environments. It provides a level of assurance that the original data is not recoverable using any known methods.
Declassification
Declassification involves any process that purges media or a system in preparation for reuse in an unclassified environment
Sanitization
Sanitization is a combination of processes that removes data from a system or from media. It ensures that data cannot be recovered by any means
Destruction
Destruction is the final stage in the life cycle of media and is the most secure method of sanitizing media.
Methods of destruction include incineration, crushing, shredding, disintegration, and dissolving using caustic or acidic chemicals.
Record Retention
Record retention involves retaining and maintaining important information as long as it is needed and destroying it when it is no longer needed.
An organization’s security policy or data policy typically identifies retention time frames.
Data Owners
The data owner is the person who has ultimate organizational responsibility for data. The owner is typically the CEO, president, or a department head (DH). Data owners identify the classification of data and ensure that it is labeled properly.
They also ensure it has adequate security controls based on the classification and the organization’s security policy requirements.
System Owner
The system owner is the person who owns the system that processes sensitive data
Data Processor
A data processor is any system used to process data.
The EU Data Protection law defines a data processor as “a natural or legal person which processes personal data solely on behalf of the data controller.”
Administrators
A data administrator is responsible for granting appropriate access to personnel. They don’t necessarily have full administrator rights and privileges, but they do have the ability to assign permissions.
Custodians
Data owners often delegate day-to-day tasks to a custodian. A custodian helps protect the integrity and security of data by ensuring it is properly stored and protected.
For example, custodians would ensure the data is backed up in accordance with a backup policy.