Security Architecture 3.3

Question 1

Data Types - Regulated

Answer 1

Credit card information
Managed by third-party
Government laws, regulations.

Question 2

Data Types - Trade secrets

Answer 2

An organisations secret formulas
Often unique to an organisation.

Question 3

Intellectual Property

Answer 3

May be publicly visible
Copyright and trademark law.

Question 4

Data types - Legal information

Answer 4

Court records and documents
PII and other sensitive details
Usually stored in many different systems

Question 5

Data types - Financial Information

Answer 5

Internal company financial details
Customer financials
Payment records
Credit card data, bank records.

Question 6

Human readable / Non-human readable

Answer 6

Non human-readable - Barcodes, Encoded Data, images, QR codes
Human readbale - Plain text or numbers that humans can read.
Hybrid

Question 7

Classifying sensitive data

Answer 7

Some data may have different levels of classification.

Different levels require different security and handling
- Additional permission
-A different process to view
- Restricted network access.

Question 8

Data classifications- Proprietary

Answer 8

Proprietary
Data that is the property of an organisation
May also include trade secrets
Often data unique to an organisation.

Question 9

Data Classifications - PII

Answer 9

Personally Identifiable information.
Data that can be used to identify an individual. Name, DOB, Biometric information.

Question 10

Data classifications - PHI

Answer 10

Health information associated with an individual
Health status, health care records, payments for health care.

Question 11

Data classifications with examples

Answer 11

Sensitive - Intellectual Property
Confidential - Very sensitive, must be approved to view
Public - No restrictions on viewing the data
Private - Restricted access, mat require an NDA
Critical - Data that should always be available.

Question 12

States of data - Data at rest.

Answer 12

Data stored on a storage device. - Hard Drive, SSD, Flash drive.

Encrypt data. whole disk, database encryptions or file and folder level encryption.

Apply Permissions
- Access control lists
- Only authorised users can access the data.

Question 13

Data in transit

Answer 13

Should always be encrypted. Firewalls or IPS

Provide transport encryption
TLS (Transport Layer Security)
IPsec (Internet Protocol Security)

Question 14

Data in Use

Answer 14

Data is actively processing in memory. The data is almost always decrypted

Question 15

Data sovereignty

Answer 15

Data that resides in a country is subject to the laws of that country
Legal Monitoring, court orders.
Laws may prohibit where data is stored.

Question 16

Geolocation

Answer 16

Can be used to manage data access, limit administrative tasks unless secure area is used.

Question 17

Method to secure data -Geographic Restrictions

Answer 17

Identify based on IP subnet, Can be difficult with mobile phones.

Geolocation works with GPS to get an accurate location description.

Geofencing - Allowing or restricting based on a particular location.

Question 18

Methods to secure data - encryption

Answer 18

Encode Information into unreadable data
Original information is plaintext encrypted to ciphertext.

Must be able to decrypt original data.

Question 19

Methods to secure data - Hashing

Answer 19

Represent data as a string of text. Impossible to recover the original message from the hash.
Can be a digital signature - Authentication, non-repudiation.

Question 20

Obfuscation - Methods to secure data

Answer 20

Make something normally understandable very difficult to understand.

Question 21

Masking -Methods to secure data

Answer 21

A type of obfuscation to hide original data. Done on receipts.

Question 22

Tokenisation

Answer 22

Replace sensitive data with a on sensitive placeholder. There is no encryption or hashing algorithm which lowers overhead.

Question 23

Segmentation

Answer 23

Many organisations use a data source. One breach puts all of the data at risk. Separate the data into smaller pieces and store it in different locations

Sensitive data should have stronger security. The most sensitive data must be most secure.

Question 24

Permission restrictions

Answer 24

Control access to an account
The authentication process, password policies, authentication factor policies, other considerations.