Domain 2 - Asset Security Flashcards
Assigning labels to data within an organization. It also identifies the value of data and is critical to protect confidentiality and integrity. This ultimately drives what controls we put in place.
Data Classification
Government Data Classification Levels
Top Secret, Secret, Confidential, Unclassified
Commercial Data Classification Levels
Confidential, Private, Sensitive and Public
Responsible for defining data classifications and ensuring systems and data are properly marked.
Data Owner
Person who owns the system that processes sensitive data. Typically the same person as the data owner.
System Owner
Person who assigns permissions based on the principle of least privilege and the need to know.
Data Administrator
They help protect the integrity and security of data by ensuring it is properly stored and protected.
Data Custodian
Any person who accesses data via a computing system to accomplish work tasks.
Users
Any information that can identify an individual.
Personally Identifiable Information (PII)
Any health-related information that can be related to a specific person.
Protected Health Information (PHI)
Data that remains on a hard drive as residual magnetic flux.
Data remanence
Simply performing a delete operation against a file, a selection of files, or the entire media.
Erasing
A process of preparing media for reuse and assuring that the cleared data cannot be recovered using traditional recovery tools.
Clearing, or overwriting
An intense form of clearing that prepares media for reuse in less secure environments.
Purging
Involves any process that purges media or a system in preparation for reuse in an unclassified environment.
Declassification
A combination of processes that removes data from a system or from media.
Sanitization
Process to create a strong magnetic field that erases data on some media.
Degaussing
The final stage in the life cycle of media and the most secure method of sanitizing media.
Destruction
Process includes marking, handling, storing and destroying sensitive information.
Managing sensitive information
They provide a listing of controls that an organization can apply as a baseline for security.
Security Control Baselines
Run by the US Department of Commerce. The goal is to prevent unauthorized disclosure of information handled by data processors and transmitted between data processors and the data controller.
Safe Harbor principles
Safe Harbor principles
- Notice: An organization must inform individuals about the purposes for which it collects and uses information about them.
- Choice: An organization must offer individuals the opportunity to opt out.
- Onward transfer: Organizations can only transfer data to other organizations that comply with the Notice and Choice principles.
- Security: Organizations must take reasonable precautions to protect data.
- Data integrity: Organizations may not use information for purposes other than what they stated in the Notice principle and users selected in the Choice principle. Additionally, organizations should take steps to ensure the data is reliable.
- Access: Individuals must have access to personal information an organization holds about them. Individuals also have the ability to correct, amend, or delete information, when it is inaccurate.
- Enforcement: Organizations must implement mechanisms to assure compliance with the principles.
A process of identifying and documenting hardware components, software and the associated settings. The goal is to move beyond the original design to a hardened, operationally sound system.
Configuration Management. Config management also includes Change management and Patch management.