Domain 2: Asset Security Flashcards
Information lifecycle
Acquisition, Use, Archival and Disposal
Define the Acquisition information lifecycle stage?
This includes creation or copying of data and applying policy controls, such as encryption
Define the Use information lifecycle stage?
Where data is read or modified by users. Confidentiality, integrity and availability need to be ensured at this stage.
Define the Archival information lifecycle stage?
Process of archiving or backing-up data for business or regulatory purposes
Define the Disposal information lifecycle stage?
Process of destruction of data that is no longer needed. Data must be rendered sufficiently difficult for an adversary to recover so that the risk of such recovery is acceptable to our organisation.
Define Data Classification
Development of sensitivity labels based on value of data
Define PII
Personally Identifiable Information. This is any information about an individual. This can include name, social security number, DOB, biometric records.
Define PHI
Protected Health Information. This is any health related information that can be related to a specific person. The Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of PHI.
Types of data that classification levels apply to?
ALL data, regardless of format, including digital, paper, video, fax, audio, etc.
Define common levels of classifications for Government/Military use
Top Secret, Secret, Confidential, Sensitive but unclassified, and Unclassified
Define common levels of classifications for private/commercial use
Confidential, Private, Sensitive, Public
Define information classification
Process of understanding the value of, and assigning classification labels to, both physical and digital assets
Define asset classification
Ensure that physical assets are also adequately protected, through use of sensitivity classification
Data protection key considerations
Who has access to the data, what controls are in place, and what devices can be used to access data.
Three states of data
Data at Rest, Data in Transit, Data in Use
Define Data at Rest
Involves data stored on media such as system hard drives, external USB drives, and backup tapes. Use of encryption is popular here.
Define Data in Transit
Involves data transmitted over a network. Use of TLS is applied here
Define Data in Use
Refers to data in memory or temporary storage buffers, while an application is using it. Application buffers are typically cleared after use
Define data breach
Any event in which an unauthorised entity can view or access sensitive data
Define data leak
Where the confidentiality of data has been compromised
Role of Executives
Hold ultimate responsibility for everything that happens in their organisation
CSO vs CISO
CSO is focused on broader security risks (including physical security), while CISO is typically much more technology focused
Define role of Data Owners
Responsible for ensuring the necessary security controls are in place, defining the security classifications and requirements. Owners can be held liable for negligence if they fail to perform due diligence in establishing and enforcing security policies to protect and sustain sensitive data.
Rules of Behaviour
Clearly delineate responsibilities and expected behavior of all individuals with access to the system.
Data custodians
Help protect data on a day-to-day basis. This includes implementing and maintaining security controls, performing regular backups, validating integrity of data, restoring from backup media, and retaining audit logs.
Asset/System Owner
Person who owns the asset. Ensures system is labelled accurately and that appropriate security controls are in place.
Business/Mission Owners
Responsible for ensuring systems provide value to business
Data processors
Any system/person that processes personal data on behalf of the data controller
Data controllers
Person or entity that controls processing of data
Data Administrator
Responsible for granting appropriate access to personnel
Users
Any person who has access to data to accomplish work tasks
Security Administrator
Responsible for implementing and maintaining specific security network devices and software in the enterprise
Supervisor
Responsible for all user activity and any assets created and owned by these users
Change control analyst
Responsible for approving or rejecting requests to make changes to the network, systems, or software
Data analyst
Ensures company data is stored properly and follows a standardised naming scheme
Auditor
Auditors check that the organisation complies with its own policies, and applicable laws and regulations.
Four principles of retention
Taxonomy: scheme for classifying data, such as HR-1
Classification: use of sensitivity labels
Normalisation: retained data can come in a variety of formats, but can be read universally
Indexing: data can be accessed quickly
E-Discovery
Process of collecting and processing electronic material for use in litigation.
- Identification
- Preservation
- Collection
- Processing
- Review
- Analysis
- Production
- Presentation
Pseudonymisation
Use of an alias to represent other data, such as using a patient number instead of a name.
Anonymisation
Process of removing all relevant data so that it is impossible to identify the original
Data Masking
Masks data in individual columns, so it cannot be identified
Erasing
Simply deleting a file from the device
Clearing (overwriting)
Overwriting a file with other junk
Purging
More intensive version of clearing. This overwrites data multiple times; however, it is not suitable for top secret data.
Degaussing
Use of magnetic fields to destroy HDDs and magnetic tapes
Scoping
Process of taking a broader standard and trimming out the irrelevant or otherwise unwanted parts
Tailoring
Customising specific provisions so they better address your requirements.
Define DLP
Data Loss Prevention, focused on preventing unauthorised external parties from gaining access to sensitive data. NOT for internal parties.
Four Step DLP Process
- Data Inventory: identify the most important data
- Data Flows: ensure that DLP tools are used strategically through specific network pathways.
- Data Protection Strategy: Through a risk assessment
- Implementation, Testing, and Tuning: Focus on ensuring the accuracy, interoperability, and policy engine are adequate for organisation’s needs.
Types of DLP
- Network DLP: Usually implemented at network perimeter, for the protection of data in motion.
- Endpoint DLP: Applies protection policies to data at rest and in use on endpoint devices.
- Hybrid DLP: Combination of both NDLP and EDLP
EU-US Privacy Shield
It is a framework for regulating the exchange of information between the EU and the USA. One of its purposes is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens.
7 Principles of EU-US Privacy Shield
- Notice: an organisation must inform individuals about the purposes for which it collects and uses information about them
- Choice: an organisation must offer individuals the opportunity to opt out
- Accountability for onward transfer: organisations can only transfer data to other organisations that comply with the Notice and Choice principles.
- Security: must take reasonable precautions to protect personal data.
- Data integrity and purpose limitation: organisations should only collect data that is needed for processing purposes identified in the Notice principle.
- Access: individuals must have access to the personal information an organisation holds about them.
- Recourse, enforcement, and liability: organisations must implement mechanisms to ensure compliance with the principles and provide mechanisms to handle individual complaints.
System hardening
Removing unnecessary services, and changing default settings
Obfuscation
Process of hiding, replacing or omitting sensitive information
Tokenisation
Process of using tokens to represent other data; this is similar to pseudonymisation.