Domain 2 - Asset Security Flashcards
Government Classification Levels
- Unclassified: No damage
- Sensitive but unclassified: Minimal damage
- Confidential: Damage
- Secret: Serious Damage
- Top Secret: Exceptionally Grave Damage
Commercial Classification Levels
- Public: No damage
- Sensitive: Damage
- Private: Serious Damage
- Confidential/Proprietary: Exceptionally Grave Damage
Senior management statement of policy
States importance, support and commitment to policy
GDPR Principles
- Data breach notification: 24 hours
- Creation of centralised data prevention authorities in each EU member state
- Individuals have access to own data
- Data portability between service providers
- Right to be forgotten
Information security officer
- Ensure policies etc. are written by app. Unit
- Implement/operate CIRTs
- Provide leadership for security awareness
- Communicate risk to senior management
- Stay abreast of current threats and technology
Data Owner
- Ultimate organizational responsibility for data
- Categorize systems and data, determine level of
classification - Required controls are selected for each classification
- Select baseline security standards
- Determine impact information has on organization
- Understand replacement cost (if replaceable)
- Determine who needs the information and
circumstances for release - Determine when information should be destroyed
- Responsible for asset
- Review and change classification
- Can delegate responsibility to data custodian
- Authorize user privileges
Data Custodian
- Day-to-day tasks, grants permission to users in DAC
- Adhere to data policy and data ownership guidelines
- Ensure accessibility, maintain and monitor security
- Dataset maintenance, , archiving
- Documentation, including updating
- QA, validation and audits
- Run regular backups/restores and validity of them
- Insuring data integrity and security (CIA)
- Maintaining records in accordance to classification
- Applies user authorization
- Implement security controls
System Owners
Select security controls
System Administrators
Assign permission to access and handle data
Clearing/overwritting
Renders data inaccessible by normal means. – Prepping media for reuse at same level. Removal of
sensitive data from storage devices in such a way that the data may not be reconstructed using normal system functions or utilities. May be recoverable with special lab equipment. Data just overwritten.
Purging
Overwriting data multiple times. More intensive than clearing. More intense than clearing. Media can be reused in lower systems. Removal of sensitive data with the intent that the data cannot be reconstructed by any known technique.
Degaussing
Only works on HDDs and Magnetic tapes, NOT on optical media.
Erasing
Simply hitting delete on OS, marks storage space as unavailable instead of clearing the data
Security labelling
Use of security attributes for internal data structures within an organisation. This is for machines
Security marking
Use of human readable security attributes, such as ‘Personal’
Santising
Series of processes that removes data, ensures data
is unrecoverable by any means. Removing a computer from service and disposed of. All storage media removed or destroyed.
Scoping
reviewing baseline security controls and selecting only
those controls that apply to the IT system you’re trying to protect.
Tailoring
modifying the list of security controls within a baseline
so that they align with the mission of the organization.
Supplementation
adding assessment procedures or assessment details to adequately meet the risk management needs of the organization.
Link Encryption
is usually point to point EVERYTHING ENCRYPTED
“Black pipe, black oil, black ping pong balls” all data is encrypted, normally did by service providers
End to End Encryption
You can see ALL BUT PAYLOAD, normally done by
users
