Domain 2 - Asset Security Flashcards
Government Classification Levels
- Unclassified: No damage
- Sensitive but unclassified: Minimal damage
- Confidential: Damage
- Secret: Serious Damage
- Top Secret: Exceptionally Grave Damage
Commercial Classification Levels
- Public: No damage
- Sensitive: Damage
- Private: Serious Damage
- Confidential/Proprietary: Exceptionally Grave Damage
Senior management statement of policy
States importance, support and commitment to policy
GDPR Principles
- Data breach notification: 24 hours
- Creation of centralised data protection authorities in each EU member state
- Individuals have access to own data
- Data portability between service providers
- Right to be forgotten
Information security officer
- Ensure policies etc. are written by the appropriate unit
- Implement/operate CIRTs
- Provide leadership for security awareness
- Communicate risk to senior management
- Stay abreast of current threats and technology
Data Owner
- Ultimate organizational responsibility for data
- Categorize systems and data, determine level of classification
- Required controls are selected for each classification
- Select baseline security standards
- Determine impact information has on organization
- Understand replacement cost (if replaceable)
- Determine who needs the information and circumstances for release
- Determine when information should be destroyed
- Responsible for asset
- Review and change classification
- Can delegate responsibility to data custodian
- Authorize user privileges
Data Custodian
- Day-to-day tasks, grants permission to users in DAC
- Adhere to data policy and data ownership guidelines
- Ensure accessibility, maintain and monitor security
- Dataset maintenance and archiving
- Documentation, including updating
- QA, validation and audits
- Run regular backups/restores and validate them
- Ensuring data integrity and security (CIA)
- Maintaining records in accordance with classification
- Applies user authorization
- Implement security controls
System Owners
Select security controls
System Administrators
Assign permission to access and handle data
Clearing/overwriting
Renders data inaccessible by normal means. Prepares media for reuse at the same level. Removal of sensitive data from storage devices in such a way that the data may not be reconstructed using normal system functions or utilities. May be recoverable with special lab equipment. Data is just overwritten.
Purging
Overwriting data multiple times; more intensive than clearing. Media can be reused in lower-level systems. Removal of sensitive data with the intent that the data cannot be reconstructed by any known technique.
Degaussing
Only works on HDDs and Magnetic tapes, NOT on optical media.
Erasing
Simply hitting delete in the OS; marks the storage space as unallocated instead of clearing the data.
Security labelling
Use of security attributes for internal data structures within an organisation. This is intended for machines.
Security marking
Use of human-readable security attributes, such as ‘Personal’.