CISSP Chapter 5 - Protecting Security of Assets


What are all the data roles?

- Data Owners
- Asset Owners
- Business/Mission Owners
- Data Processor
- Data Controller
- Data Custodian
- Administrator
- Users and Subjects

What are common data destruction methods?

- Erasing - simply performing a delete operation against a file, a selection of files, or the entire media. In most cases, the deletion or removal process removes only the directory or catalog link to the data. Anyone can typically retrieve the data using widely available undelete tools.
- Clearing (overwriting) - a process of preparing media for reuse and ensuring that the cleared data cannot be recovered using traditional recovery tools. When media is cleared, unclassified data is written over all addressable locations on the media. It is still possible to retrieve some of the original data using sophisticated laboratory or forensic techniques.
- Purging - a more intense form of clearing that prepares media for reuse in less secure environments. It provides a level of assurance that the original data is not recoverable using any known methods. A purging process repeats the clearing process multiple times and may combine it with another method, such as degaussing, to completely remove the data. The U.S. government doesn't consider any purging method acceptable to purge top secret data.
- Degaussing - a degausser creates a strong magnetic field that erases data on some media. Degaussing a hard disk will normally destroy the electronics used to access the data. However, you won't have any assurance that all the data on the disk has actually been destroyed. Degaussing does not affect CDs, DVDs, or SSDs.
- Destruction - the final stage in the lifecycle of media and the most secure method of sanitizing media.

NIST SP 800-53B formally defines Tailoring as "part of an organization-wide risk management process that includes framing, assessing, responding to, and monitoring information security and privacy risks" and indicates it includes the following activities:

- Identifying and designating common controls
- Applying scoping considerations
- Selecting compensating controls
- Assigning control values

Sensitive data should be stored in such a way that it is protected against any type of loss. What are methods to store sensitive data?

- Encryption - encryption methods prevent unauthorized entities from accessing the data even if they obtain databases or hardware assets. Encryption of sensitive data provides an additional layer of protection and should be considered for any data at rest. If data is encrypted, it becomes much more difficult for an attacker to access it, even if it is stolen.
- High-quality media - the value of any sensitive data is much greater than the value of the media holding the sensitive data. In other words, it's cost-effective to purchase high-quality media, especially if the data will be stored for a long time, such as on backup tapes.

How does NIST-SP 800-18 outline responsibility for an asset owner?

1. Develops the system security plan and coordinates with data/information owners
2. Maintains the system security plan and ensures the system meets the system security requirements
3. Ensures that system users and support personnel receive appropriate security training
4. Updates the system security plan whenever a significant change occurs
5. Assists in the identification, implementation, and assessment of the common security controls

What are the 3 methods to add data to a classified network?

1. Manual - such as copying data from the unclassified network to a USB device and carrying it to the classified network
2. Unidirectional - a network bridge that connects the 2 networks but allows data to travel in only one direction (from the unclassified network to the classified network)
3. Technical guard solution - a combination of hardware and software placed between the 2 networks. A guard solution allows properly marked data to travel between the 2 networks.

What responsibilities does NIST SP 800-18 Rev. 1, "Guide for Developing Security Plans for Federal Information Systems," outline for the data owner?

1. Establishes rules of behavior for appropriate use and protection of data
2. Provides input to the information system owner regarding security requirements and security controls for the systems where the information resides
3. Decides who has access to the information system and what type of access privileges they have
4. Assists in the identification and assessment of the common security controls of the system

Explain CASB

A cloud access security broker (CASB) is placed logically between users and cloud resources. It can apply internal security controls to cloud resources. The CASB component can be placed on-premises or in the cloud.

What is Cloud Access security broker (CASB)?

A cloud access security broker (CASB) is software placed logically between users and cloud-based resources. It monitors all activity and enforces administrator-defined security policies. A CASB would typically include authentication and authorization controls and ensure only authorized users can access the cloud resources. The CASB can also log all access, monitor activity, and send alerts on suspicious activity. In general, any security controls that an organization has created internally can be replicated to a CASB. This includes any DLP functions implemented by an organization. A CASB can also detect shadow IT through its logs.

Example: a company has decided to use a cloud provider for data storage, but management wants all data stored in the cloud to be encrypted. The CASB can monitor all data going to the cloud and ensure that it arrives and is stored in an encrypted format.

What is a subject?

A subject is any entity that accesses an object such as a file or folder. Subjects can be users, programs, processes, services, computers, or anything else that can access a resource.

What is data loss prevention (DLP) system?

A system that monitors and prevents the unauthorized transmission of sensitive data outside of an organization's network.

What is a user?

A user is any person who accesses data via a computing system to accomplish work tasks. Users should have access only to the data they need to perform their work tasks. You can also think of users as employees or end users.

An organization is planning to use a cloud provider to store some data. Management wants to ensure that all data-based security policies implemented in the organization's internal network can also be implemented in the cloud. Which of the following will support this goal?
A. CASB
B. DLP
C. DRM
D. EOL

A. A cloud access security broker (CASB) is software placed logically between users and cloud-based resources, and it can enforce security policies used in an internal network. Data loss prevention (DLP) systems attempt to detect and block data exfiltration. CASB systems typically include DLP capabilities. Digital rights management (DRM) methods attempt to provide copyright protection for copyrighted works. End-of-life (EOL) is generally a marketing term and indicates when a company stops selling a product.

A technician is about to remove disk drives from several computers. His supervisor told him to ensure that the disk drives do not hold any sensitive data. Which of the following methods will meet the supervisor's requirements?
A. Overwriting the disks multiple times
B. Formatting the disks
C. Degaussing the disks
D. Defragmenting the disks

A. Overwriting the disks multiple times will remove all existing data. This is called purging, and purged media can then be used again. Formatting the disks isn't secure because it doesn't typically remove the previously stored data. Degaussing the disks often damages the electronics but doesn't reliably remove the data. Defragmenting a disk optimizes it, but it doesn't remove data.

Your organization's security policy mandates the use of symmetric encryption for sensitive data stored on servers. Which one of the following guidelines is the organization implementing?
A. Protecting data at rest
B. Protecting data in transit
C. Protecting data in use
D. Protecting the data lifecycle

A. Symmetric encryption methods protect data at rest, and data at rest is any data stored on media, such as a server. Data in transit is data transferred between two systems. Data in use is data in memory that is used by an application. Steps are taken to protect data from the time it is created to the time it is destroyed, but this question isn't related to the data lifecycle.

An organization is planning to deploy an e-commerce site hosted on a web farm. IT administrators have identified a list of security controls they say will provide the best protection for this project. Management is now reviewing the list and removing any security controls that do not align with the organization's mission. What is this called?
A. Tailoring
B. Sanitizing
C. Asset classification
D. Minimization

A. Tailoring refers to modifying a list of security controls to align with the organization's mission. The IT administrators identified a list of security controls to protect the web farm during the scoping steps. Sanitization methods (such as clearing, purging, and destroying) help ensure that data cannot be recovered and are unrelated to this question. Asset classification identifies the classification of assets based on the classification of data the assets hold or process. Minimization refers to data collection: organizations should collect and maintain only the data they need.

You are tasked with updating your organization's data policy, and you need to identify the responsibilities of different roles. Which data role is responsible for implementing the protections defined by the security policy?
A. Data custodian
B. Data user
C. Data processor
D. Data controller

A. The data custodian is responsible for the tasks of implementing the protections defined by the security policy and senior management. A data controller decides what data to process and how. Data users are not responsible for implementing the security policy protections. A data processor controls the processing of data and only does what the data controller tells them to do with the data.

Define anonymization

Anonymization replaces privacy data with useful but inaccurate data. The dataset can be shared and used for analysis purposes, but anonymization removes individual identities. Anonymization is permanent.

What is NIST SP 800-122 definition of PII?

Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information

What is asset classification?

Asset classifications should match the data classifications. In other words, if a computer is processing top secret data, the computer should also be classified as a top secret asset. Similarly, if media such as internal or external drives hold top secret data, the media should also be classified as top secret.

A database file includes personally identifiable information (PII) on several individuals, including Karen C. Park. Which of the following is the best identifier for the record on Karen C. Park?
A. Data controller
B. Data subject
C. Data processor
D. Data custodian

B. A data subject is a person who can be identified by an identifier such as a name, identification number, or other PII. All of these answers refer to the General Data Protection Regulation (GDPR). A data owner owns the data and has ultimate responsibility for protecting it. A data controller decides what data to process and how it should be processed. A data processor processes the data for the data controller.

Which of the following provides the best protection against the loss of confidentiality for sensitive data?
A. Data labels
B. Data classifications
C. Data handling
D. Data degaussing methods

B. Data classifications provide strong protection against the loss of confidentiality and are the best choice of the available answers. Data labels and proper data handling are based on first identifying data classifications. Data degaussing methods apply only to magnetic media.

Administrators have been using tapes to back up servers in your organization. However, the organization is converting to a different backup system, storing backups on disk drives. What is the final stage in the lifecycle of tapes used as backup media?
A. Degaussing
B. Destruction
C. Declassification
D. Retention

B. Destruction is the final stage in the lifecycle of backup media. Because the backup method is no longer using tapes, they should be destroyed. Degaussing and declassifying the tape is done if you plan to reuse it. Retention implies you plan to keep the media, but retention is not needed at the end of its lifecycle.

Administrators regularly back up all the email servers within your company, and they routinely purge on-site emails older than six months to comply with the organization's security policy. They keep a copy of the backups on site and send a copy to one of the company warehouses for long-term storage. Later, they discover that someone leaked sensitive emails sent between executives over three years ago. Of the following choices, what policy was ignored and allowed this data breach?
A. Media destruction
B. Record retention
C. Configuration management
D. Versioning

B. Personnel did not follow the record retention policy for the backups sent to the warehouse. The scenario states that administrators purge on-site emails older than six months to comply with the organization's security policy, but the leak was from emails sent over three years ago. Personnel should follow media destruction policies when the organization no longer needs the media, but the issue here is the data on the tapes. Configuration management ensures that systems are configured correctly using a baseline, but this does not apply to backup media. Versioning applies to applications, not backup tapes.

An administrator is planning to deploy a database server and wants to ensure it is secure. She reviews a list of baseline security controls and identifies the security controls that apply to this database server. What is this called?
A. Tokenization
B. Scoping
C. Standards selection
D. Imaging

B. Scoping is a part of the tailoring process and refers to reviewing a list of security controls and selecting the security controls that apply. Tokenization is the use of a token, such as a random string of characters, to replace other data and is unrelated to this question. Note that scoping focuses on the security of the system and tailoring ensures that the selected controls align with the organization's mission. If the database server needs to comply with external entities, it's appropriate to select a standard baseline provided by that entity. Imaging is done to deploy an identical configuration to multiple systems, but this is typically done after identifying security controls.

You are performing an annual review of your company's data policy, and you come across some confusing statements related to security labeling. Which of the following could you insert to describe security labeling accurately?
A. Security labeling is only required on digital media.
B. Security labeling identifies the classification of data.
C. Security labeling is only required for hardware assets.
D. Security labeling is never used for nonsensitive data.

B. Security labeling identifies the classification of data such as sensitive, secret, and so on. Media holding sensitive data should be labeled. Similarly, systems that hold or process sensitive data should also be marked. Many organizations require the labeling of all systems and media, including those that hold or process nonsensitive data.

Once an organization has identified and classified its assets, it will typically want to secure them. This is where security baselines come in. What is a security baseline?

Baselines provide a starting point and ensure a minimum security standard.

You are updating your organization's data policy, and you want to identify the responsibilities of various roles. Which one of the following data roles is responsible for classifying data?
A. Controller
B. Custodian
C. Owner
D. User

C. The data owner is the person responsible for classifying data. A data controller decides what data to process and directs the data processor to process the data. A data custodian protects the integrity and security of the data by performing day-to-day maintenance. Users simply access the data.

Private organizations may use different labels for classifying data. What are the common labels for data classification?

- Confidential or Proprietary or Class 3 (Top Secret) - typically refers to the highest level of classified data. A breach would cause exceptionally grave damage to the mission of the organization. Example: Sony was attacked and 100 TB of data, such as unreleased movies, was stolen.
- Private or Class 2 (Secret) - data that should stay private within the organization but that doesn't meet the definition of confidential or proprietary data. A breach would cause serious damage. Example: many organizations label PII and PHI data as private.
- Sensitive or Class 1 (Confidential) - a data breach would cause serious damage. Example: IT personnel within an organization might have extensive data about the internal network, including the layout, devices, operating systems, software, Internet Protocol (IP) addresses, and more. If attackers have easy access to this data, it makes it much easier for them to launch attacks.
- Public or Class 0 (Unclassified) - a breach would cause no damage; the data comes from publicly available sources. Organizations still take steps to protect the integrity of the data, such as data posted on the organization's website.

After data and asset classification, you must define security requirements and the security controls to implement those requirements. An example is security requirements for emails based on classification.

Confidential/Proprietary (highest level of protection for any data):
- Email and attachments must be encrypted with AES 256.
- Email and attachments remain encrypted except when viewed.
- Email can be sent only to recipients within the organization.
- Email can be opened and viewed only by recipients (forwarded emails cannot be opened).
- Attachments can be opened and viewed, but not saved.
- Email content cannot be copied and pasted into other documents.
- Email cannot be printed.

Private (examples include PII and PHI):
- Email and attachments must be encrypted with AES 256.
- Email and attachments remain encrypted except when viewed.
- Email can be sent only to recipients within the organization.

Sensitive (lowest level of protection for classified data):
- Email and attachments must be encrypted with AES 256.

Public:
- Email and attachments can be sent in cleartext.

Administrators regularly back up data on all the servers within your organization. They annotate an archive copy with the server it came from and the date it was created, and transfer it to an unstaffed storage warehouse. Later, they discover that someone leaked sensitive emails sent between executives on the internet. Security personnel discovered some archive tapes are missing, and these tapes probably included the leaked emails. Of the following choices, what would have prevented this loss without sacrificing security?
A. Mark the media kept off site.
B. Don't store data off site.
C. Destroy the backups off site.
D. Use a secure off-site storage facility.

D. Backup media should be protected with the same level of protection afforded the data it contains, and using a secure off-site storage facility would ensure this. The media should be marked, but that won't protect it if it is stored in an unstaffed warehouse. A copy of backups should be stored off site to ensure availability if a catastrophe affects the primary location. If copies of data are not stored off site or off-site backups are destroyed, security is sacrificed by risking availability.

Your organization is donating several computers to a local school. Some of these computers include solid-state drives (SSDs). Which of the following choices is the most reliable method of destroying data on these SSDs?
A. Erasing
B. Degaussing
C. Deleting
D. Purging

D. Purging is the most reliable method among the given choices. Purging overwrites the media with random bits multiple times and includes additional steps to ensure that data is removed. It ensures there isn't any data remanence. Erasing or deleting processes rarely remove the data from media but instead mark it for deletion. Solid-state drives (SSDs) do not have magnetic flux, so degaussing an SSD doesn't destroy data.

Developers created an application that routinely processes sensitive data. The data is encrypted and stored in a database. When the application processes the data, it retrieves it from the database, decrypts it for use, and stores it in memory. Which of the following methods can protect the data in memory after the application uses it?
A. Encrypt it with asymmetric encryption.
B. Encrypt it in the database.
C. Implement data loss prevention.
D. Purge memory buffers.

D. Purging memory buffers removes all remnants of data after a program has used it. Asymmetric encryption (along with symmetric encryption) protects data in transit. The data is already encrypted and stored in the database. The scenario doesn't indicate that the program modified the data, so there's no need to overwrite the existing data in the database. Data loss prevention methods prevent unauthorized data loss but do not protect data in use.

An executive is reviewing governance and compliance issues and ensuring the security or data policy addresses them. Which of the following security controls is most likely driven by a legal requirement?
A. Data remanence
B. Record destruction
C. Data user role
D. Data retention

D. Record retention policies define the amount of time to keep data, and laws or regulations often drive these policies. Data remanence is data remnants on media, and proper data destruction procedures remove data remnants. Laws and regulations do outline requirements for some data roles, but they don't specify requirements for the data user role.

The IT department is updating the budget for the following year, and they want to include enough money for a hardware refresh for some older systems. Unfortunately, there is a limited budget. Which of the following should be a top priority?
A. Systems with an end-of-life (EOL) date that occurs in the following year
B. Systems used for data loss prevention
C. Systems used to process sensitive data
D. Systems with an end-of-support (EOS) date that occurs in the following year

D. Systems with an EOS date that occurs in the following year should be a top priority for replacement. The EOS date is the date that the vendor will stop supporting a product. The EOL date is the date that a vendor stops offering a product for sale, but the vendor continues to support the product until the EOS date. Systems used for data loss prevention or to process sensitive data can remain in service.

A company maintains an e-commerce server used to sell digital products via the internet. When a customer makes a purchase, the server stores the following information on the buyer: name, physical address, email address, and credit card data. You're hired as an outside consultant and advise them to change their practices. Which of the following can the company implement to avoid an apparent vulnerability?
A. Anonymization
B. Pseudonymization
C. Move the company location
D. Collection limitation

D. The company can implement a data collection policy of minimization to minimize the amount of data they collect and store. If they are selling digital products, they don't need the physical address. If they are reselling products to the same customers, they can use tokenization to save tokens that match the credit card data, instead of saving and storing credit card data. Anonymization techniques remove all personal data and make the data unusable for reuse on the website. Pseudonymization replaces data with pseudonyms. Although the process can be reversed, it is not necessary.

What are some methods associated with DRM Solutions?

- DRM license - a license grants access to a product and defines the terms of use. A DRM license is typically a small file that includes the terms of use, along with a decryption key that unlocks access to the product.
- Persistent online authentication - persistent online authentication (also known as always-on DRM) requires a system to be connected to the internet to use a product. The system periodically connects with an authentication server, and if the connection or authentication fails, DRM blocks the use of the product.
- Continuous audit trail - a continuous audit trail tracks all use of a copyrighted product. When combined with persistence, it can detect abuse, such as concurrent use of a product simultaneously in two geographically different locations.
- Automatic expiration - many products are sold on a subscription basis. For example, you can often rent new streaming movies, but these are only available for a limited time, such as 30 days. When the subscription period ends, an automatic expiration function blocks any further access.

DRM methods are used to protect copyrighted data, but they aren't used to protect trademarks, patents, or trade secrets.

What is data location?

Data location refers to the location of data backups or data copies. A best practice is to keep a backup copy on site and another backup copy off site.

Define DLP

Data loss prevention (DLP) systems detect and block data exfiltration attempts by scanning unencrypted files and looking for keywords and data patterns. Network-based systems (including cloud-based systems) scan files before they leave the network. Endpoint-based systems prevent users from copying or printing some files.

What is data maintenance?

Data maintenance refers to ongoing efforts to organize and care for data throughout its lifetime. In general, if an organization stores all sensitive data on one server, it is relatively easy to apply all the appropriate controls to this one server. In contrast, if sensitive data is stored throughout an organization on multiple servers and end-user computers and mixed with nonsensitive data, it becomes much harder to protect it.

Understand the importance of data and asset classifications

Data owners are responsible for defining data and asset classifications and ensuring that data and systems are properly marked. Additionally, data owners define requirements to protect data at different classifications, such as encrypting sensitive data at rest and in transit. Data classifications are typically defined within security policies or data policies.

What is a data custodian?

Data owners often delegate day-to-day tasks to a data custodian. A custodian helps protect the integrity and security of data by ensuring that it is properly stored and protected. For example, custodians would ensure that the data is backed up by following guidelines in a backup policy. If administrators have configured auditing on the data, custodians would also maintain these logs.

Describe data remanence

Data remanence is the data that remains on media after it should have been removed. Hard disk drives sometimes retain residual magnetic flux that can be read with advanced tools. Advanced tools can read slack space on a disk, which is unused space in clusters. Erasing data on a disk leaves data remanence.

What is Data Remanence?

Data remanence is the data that remains on media after the data was supposedly erased. It typically refers to data on a hard drive as residual magnetic flux or slack space. If media includes any type of private and sensitive data, it is important to eliminate data remanence.

Some operating systems fill this slack space with data from memory. If a user was working on a top secret file a moment ago and then creates a small unclassified file, the small file might contain top secret data pulled from memory. This is one of the reasons why personnel should never process classified data on unclassified systems.

Using system tools to delete data generally leaves much of the data remaining on the media, and widely available tools can easily undelete it.

What is declassification?

Declassification involves any process that purges media or a system in preparation for reuse in an unclassified environment. Sanitization methods can be used to prepare media for declassification.

What is Digital Rights Management (DRM)?

Digital rights management (DRM) methods attempt to provide copyright protection for copyrighted works. The purpose is to prevent the unauthorized use, modification, and distribution of copyrighted works such as intellectual property. Here are some methods associated with DRM solutions

Explain DRM

Digital rights management (DRM) methods provide copyright protection for copyrighted works. The purpose is to prevent the unauthorized use, modification, and distribution of copyrighted works.

Identify the difference between EOL and EOS

End-of-life (EOL) identifies the date when a vendor plans to stop selling a product. End-of-support (EOS) identifies the date when a vendor plans to stop supporting a product. Organizations should replace products before the EOS date.

Know the difference between EOL and EOS.

End-of-life (EOL) is the date announced by a vendor when sales of a product stop. However, the vendor still supports the product after EOL. End-of-support (EOS) identifies the date when a vendor will no longer support a product.

What is EOL, EOS and EOSL?

End-of-life (EOL), end-of-support (EOS), and end-of-service-life (EOSL) can apply to either software or hardware. In the context of asset retention, they apply directly to hardware assets. Most vendors refer to EOL as the time when they stop offering a product for sale. EOS refers to the time when support ends. Most hardware is on a refresh cycle based on the EOL and EOS time frames. Organizations sometimes retain legacy hardware to access older data, such as data on tape drives.

Compare data destruction methods.

Erasing a file doesn't delete it. Clearing media overwrites it with characters or bits. Purging repeats the clearing process multiple times and removes data so that the media can be reused. Degaussing removes data from tapes and magnetic hard disk drives, but it does not affect optical media or SSDs. Destruction methods include incineration, crushing, shredding, and disintegration.

DLP systems can typically perform deep-level examination. What does this mean?

For example, if users embed the files in compressed zip files, a DLP system can still detect the keywords and patterns. However, a DLP system can't decrypt data or examine encrypted data. Most DLP systems also include a discovery capability, used to discover the location of valuable data within an internal network.

How does HIPAA define PHI?

Health information means any information, whether oral or recorded in any form or medium, that— (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

What is Anonymization?

If you don't need personal data, another option is to use anonymization. Anonymization is the process of removing all relevant data so that it is theoretically impossible to identify the original subject or person.

What is the benefit of tokenization?

In the past, credit card data has been intercepted and stolen at the POS system. However, when tokenization is used, the credit card number is never used or known to the POS system. Tokenization is similar to pseudonymization. Pseudonymization uses pseudonyms to represent other data. Tokenization uses tokens to represent other data. Neither the pseudonym nor the token has any meaning or value outside the process that creates them and links them to the other data. Pseudonymization is most useful when releasing a dataset to a third party (such as researchers aggregating data) without releasing any privacy data to the third party. Tokenization allows a third party (such as a credit card processor) to know the token and the original data. However, no one else knows both the token and the original data.

What are data states?

It's important to protect data in all data states, including while it is at rest, in motion, and in use.

- Data at rest (sometimes called data on storage) is any data stored on media such as system hard drives (HDDs), solid-state drives (SSDs), storage area networks, backups, and so on. Strong symmetric encryption protects data at rest.
- Data in transit (sometimes called data in motion or data being communicated) is any data transmitted over a network, whether an internal network or a public network. A combination of symmetric and asymmetric encryption protects data in transit.
- Data in use (also known as data being processed) refers to data in memory or temporary storage buffers while an application is using it. Applications often decrypt encrypted data before placing it in memory. This allows the application to work on it, but it's important to flush these buffers when the data is no longer needed. Applications can sometimes work directly on encrypted data using homomorphic encryption.

What is data lifecycle?

Managing data from its creation until the end of its use (when the data is destroyed).

What is a business/mission owner?

NIST SP 800-18 refers to the business/mission owner as a program manager or an information system owner. As such, the responsibilities of the business/mission owner can overlap with the responsibilities of the system owner or be the same role.

What are the 2 primary DLP systems?

- Network-based DLP scans all outgoing data for specific data. It is placed at the edge of the network to scan all data leaving the organization. Cloud-based DLP is a subset of network-based DLP.
- Endpoint-based DLP scans files stored on a system as well as files sent to external devices, such as printers. For example, an organization's endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer.

What is the easiest way to prevent loss of data?

One of the easiest ways to prevent the loss of data is to simply not collect it. As an example, consider a small ecommerce company that allows customers to make purchases with a credit card. It uses a credit card processor to process credit card payments. If the company just passes the credit card data to the processor for approval and never stores it on a company server, the company can never lose the credit card data in a breach.

What is the 1st step in the data lifecycle?

One of the first steps in the lifecycle is identifying and classifying information and assets.

How to remove data remanence?

One way to remove data remanence is with a degausser. A degausser generates a heavy magnetic field, which realigns the magnetic fields in magnetic media such as traditional hard drives, magnetic tape, and floppy disks. It only has an effect on magnetic media. SSDs use integrated circuitry instead of magnetic flux on spinning platters, so degaussing SSDs won't remove data. However, even when using other methods to remove data from SSDs, data remnants often remain. The best method of sanitizing SSDs is destruction. Another method of protecting SSDs is to ensure that all stored data is encrypted: if a sanitization method fails to remove all the data remnants, the remaining data would be unreadable.

Identify common uses of pseudonymization, tokenization, and anonymization

Organizations use pseudonymization when they want to create a dataset that they can transfer to others. The new dataset doesn't hold any privacy data. However, the organization still holds the mapping of the pseudonyms and the original data and can reverse the process. Organizations that process credit card data use tokenization. A third party holds the mapping of the token and the credit card data, but the organization doesn't need to maintain the credit card data. Organizations use anonymization to remove all privacy data from a dataset. When this is done correctly, the GDPR no longer applies, but it's often possible to discover the original data.

What is personally identifiable information (PII)?

Personally identifiable information (PII) is any information that can identify an individual.

Define PII and PHI

Personally identifiable information (PII) is any information that can identify an individual. Protected health information (PHI) is any health-related information that can be related to a specific person. Many laws and regulations mandate the protection of PII and PHI.

What is proprietary data?

Proprietary data refers to any data that helps an organization maintain a competitive edge. It could be software code it developed, technical plans for products, internal processes, intellectual property, or trade secrets. If competitors can access the proprietary data, it can seriously affect the primary mission of an organization.

What is Protected Health Information (PHI)?

Protected health information (PHI) is any health-related information that can be related to a specific person. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) mandates PHI protection.

Define pseudonymization

Pseudonymization is the process of replacing some data elements with pseudonyms or aliases. It removes privacy data so that a dataset can be shared. However, the original data remains available in a separate dataset.

What is Pseudonymization?

Pseudonymization refers to the process of using pseudonyms to represent other data. When pseudonymization is performed effectively, it can result in less stringent requirements than would otherwise apply under the European Union (EU) General Data Protection Regulation (GDPR). A pseudonym is an alias. Pseudonymization can prevent data from directly identifying an entity, such as a person. As an example, consider a medical record held by a doctor's office. Instead of including personal information such as the patient's name, address, and phone number, the record could just refer to the patient as Patient 23456. The GDPR refers to pseudonymization as replacing data with artificial identifiers. These artificial identifiers are pseudonyms.

What is randomized masking?

Randomized masking can be an effective method of anonymizing data. Masking swaps data in individual data columns so that records no longer represent the actual data. However, the data still maintains aggregate values that can be used for other purposes, such as scientific research. For example, if the original data tells us the average age of a group of people, randomly swapping the names and ages between records will still give the same average age. Unlike pseudonymization and tokenization, anonymization cannot be reversed. After the data is randomized using an anonymization process, it cannot be returned to its original state.

What is record retention?

Record retention involves retaining and maintaining important information as long as it is needed and destroying it when it is no longer needed. An organization's security policy or data policy typically identifies retention time frames. Some laws and regulations dictate the length of time that an organization should retain data, such as three years, seven years, or even indefinitely.

Understand record retention policies

Record retention policies ensure that data is kept in a usable state while it is needed and destroyed when it is no longer needed. Many laws and regulations mandate keeping data for a specific amount of time, but in the absence of formal regulations, organizations specify the retention period within a policy. Audit trail data needs to be kept long enough to reconstruct past incidents, but the organization must identify how far back it wants to investigate. A current trend in many organizations is to reduce legal liabilities by implementing short retention policies for email.

Proper destruction ensures that data cannot fall into the wrong hands and result in unauthorized disclosure. NIST SP 800-88 Rev. 1, "Guidelines for Media Sanitization," provides comprehensive details on different sanitization methods. What are they?

Sanitization methods (such as clearing, purging, and destroying) help ensure that data cannot be recovered. Proper sanitization steps remove all sensitive data before disposing of a computer.

What is scoping in the tailoring process?

Scoping is a part of the tailoring process and refers to reviewing a list of baseline security controls and selecting only those controls that apply to the IT systems you're trying to protect. Or, in the simplest terms, scoping processes eliminate controls that are recommended in a baseline but do not apply.

Know about security control baselines

Security control baselines provide a listing of controls that an organization can apply as a baseline. Not all baselines apply to all organizations. Organizations apply scoping and tailoring techniques to adapt a baseline to their needs.

Describe sensitive data.

Sensitive data is any data that isn't public or unclassified. It includes personally identifiable information (PII), protected health information (PHI), proprietary data, and any other data that an organization needs to protect. PII is any information that can identify an individual.

Define sensitive data.

Sensitive data is any information that isn't public or unclassified. It can include confidential, proprietary, protected, or any other type of data that an organization needs to protect due to its value to the organization, or to comply with existing laws and regulations.

Know how to manage sensitive information.

Sensitive information is any type of classified information, and proper management helps prevent unauthorized disclosure resulting in a loss of confidentiality. Proper management includes marking, handling, storing, and destroying sensitive information. The two areas where organizations often miss the mark are adequately protecting backup media holding sensitive information and sanitizing media or equipment when it is at the end of its lifecycle.

What is Shadow IT?

Shadow IT is the use of IT resources without the approval of or knowledge of the IT department.

Describe the difference between scoping and tailoring.

Tailoring refers to modifying a list of controls to ensure they align with the mission of the organization. Tailoring includes scoping. Scoping refers to reviewing a list of baseline security controls and selecting only those controls that apply to the IT systems you're trying to protect.

After selecting a control baseline, organizations fine-tune it with tailoring and scoping processes. A big part of the tailoring process is aligning the controls with an organization's specific security requirements. As a comparison, think of a clothes tailor who alters or repairs clothes. If a person buys a suit at a high-end retailer, a tailor modifies the suit to fit the person perfectly. Similarly, tailoring a baseline ensures it is a good fit for the organization. What is tailoring?

Tailoring refers to modifying the list of security controls within a baseline to align with the organization's mission.

What is a data processor under GDPR?

The GDPR defines a data processor as "a natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller."

What is a data subject?

The GDPR defines a data subject (not just a subject) as a person who can be identified through an identifier, such as a name, identification number, or other means. As an example, if a file includes PII on Sally Smith, Sally Smith is the data subject.

What is an asset owner?

The asset owner (or system owner) is the person who owns the asset or system that processes sensitive data.

What is a data owner?

The data owner (sometimes referred to as the organizational owner or senior manager) is the person who has ultimate organizational responsibility for data. The owner is typically the chief executive officer (CEO), president, or a department head (DH). Data owners identify the classification of data and ensure that it is labeled properly. They also ensure that it has adequate security controls based on the classification and the organization's security policy requirements.

Know the responsibilities of data roles

The data owner is the person responsible for classifying, labeling, and protecting data. System owners are responsible for the systems that process the data. Business and mission owners own the processes and ensure that the systems provide value to the organization. Data controllers decide what data to process and how to process it. Data processors are often the third-party entities that process data for an organization at the direction of the data controller. Administrators grant access to data based on guidelines provided by the data owners. A user, or subject, accesses data while performing work tasks. A custodian has day-to-day responsibilities for protecting and storing data.

What is a system owner?

The system owner is responsible for ensuring that data processed on the system remains secure. This includes identifying the highest level of data that the system processes. The system owner then ensures that the system is labeled accurately and that appropriate security controls are in place to protect the data. System owners interact with data owners to ensure that the data is protected while at rest on the system, in transit between systems, and in use by applications operating on the system.

Describe the three data states

The three data states are at rest, in transit, and in use. Data at rest is any data stored on media such as hard drives or external media. Data in transit is any data transmitted over a network. Encryption methods protect data at rest and in transit. Data in use refers to data in memory and used by an application. Applications should flush memory buffers to remove data after it is no longer needed.

What is COBIT?

COBIT stands for Control Objectives for Information and Related Technology. It helps business owners and mission owners balance security control requirements with business or mission needs. The overall goal is to provide a common language that all stakeholders can use to meet security and business needs.

What is Tokenization?

Tokenization is the use of a token, typically a random string of characters, to replace other data. It is often used with credit card transactions. As an example, Becky associates her credit card with a payment app on her smartphone:

1. Registration - When Becky registers the card in the app, the credit card processor sends the credit card number to a tokenization vault controlled by the credit card processor. The vault creates a token (a string of characters), records the token along with the encrypted credit card number, and associates it with the user's phone.
2. Usage - When Becky uses the card on her smartphone, the phone passes the token to the POS system, and the POS system sends the token to the credit card processor to authorize the charge.
3. Validation - The credit card processor sends the token to the tokenization vault. The vault answers with the unencrypted credit card data so that the credit card processor can process the charge.
4. Completing the sale - The credit card processor sends a reply to the POS system to indicate that the charge is approved.

Define tokenization

Tokenization replaces data elements with a string of characters, or a token. Credit card processors replace credit card data with a token, and a third party holds the mapping between the original data and the token.

What are the government data classifications and their definitions?

- Top Secret - unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage
- Secret - unauthorized disclosure of which reasonably could be expected to cause serious damage
- Confidential - unauthorized disclosure of which reasonably could be expected to cause damage
- Unclassified - unclassified data is available to anyone, though it often requires individuals to request the information using procedures identified in the Freedom of Information Act (FOIA)

What is an air gap?

An air gap is a physical security control and means that systems and cables from the classified network never physically touch systems and cables from the unclassified network. Additionally, the classified network can't access the internet, and internet attackers can't access it. For example, one network processes only classified data while a separate network processes unclassified data.

What is cryptographic erasure?

Organizations sometimes use cryptographic erasure or cryptoshredding to destroy data. However, these terms are misleading: they don't erase or shred the data. Instead, they destroy the encryption key, or both the encryption key and the decryption key if two are used. With the cryptographic keys erased, the data remains encrypted and can't be accessed. When using cloud storage, destroying the cryptographic keys may be the only form of secure deletion available to an organization.

Data classifications are typically included in the security policy or a data policy. What is a data classification?

Data classification identifies the value of the data to the organization and is critical to protecting data confidentiality and integrity. The policy identifies the classification labels used within the organization. It also identifies how data owners can determine the proper classification and how personnel should protect data based on its classification. Government example of data classifications: top secret, secret, confidential, and unclassified.

What is a data controller?

A data controller is the person or entity that controls the processing of the data. The data controller decides what data to process, why this data should be processed, and how it is processed. For example, a company that collects personal information on employees for payroll is a data controller. If it passes this information to a third-party company to process payroll, the payroll company is the data processor. In this example, the payroll company (the data processor) must not use the data for anything other than processing payroll at the direction of the data controller.

What is the 1st step in determining compliance requirements?

It starts by determining everywhere the organization operates and which compliance requirements apply in each location.

NIST SP 800-53B, "Control Baselines for Information Systems and Organizations," includes a comprehensive list of security controls and has identified many of them to include in various baselines. Specifically, they present four baselines based on the potential impact to an organization's mission if there is a loss of confidentiality, integrity, or availability of a system. What are they?

The four baselines are:

- Low-impact baseline - Controls in this baseline are recommended if a loss of confidentiality, integrity, or availability will have a low impact on the organization's mission.
- Moderate-impact baseline - Controls recommended when the loss would have a moderate impact on the organization's mission.
- High-impact baseline - Controls recommended when the loss would have a high impact on the organization's mission.
- Privacy control baseline - This baseline provides an initial baseline for any systems that process PII. Organizations may combine this baseline with one of the other baselines.
