Asset Security- Domain 2
Difference Between Data Owner/Controller and Data Custodian/Processor
"Based on the definitions that we have seen above, the difference between the data owner and the data custodian is that the owner is accountable for the protection of what they own based on the value of that asset to the organization. In an environment where a controller is required as part of compliance needs, the controller will act as the owner and, therefore, becomes accountable for the protection based on expectations related to legislation and regulations and enforced through policy and the implementation of those policies as standards, procedures, baselines, and guidelines. "the custodian of data is responsible for the protection of the data while in their custody. The "processor," therefore, acts as the custodian and is required to adhere to policies, standards, procedures, baselines, and guidelines as described above.
Protection requirements for the information
"These are the steps involved to do this properly: 1. Identify and locate assets, Including information. 2. Classify based on value .3. Protect based on classification.
(NIST) FIPS Publication 199
FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems provides standards for categorizing information and information systems."
Framework Implementation Tiers
Framework Implementation Tiers ("Tiers") provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.
Asset life cycle
Identify and classify Secure Monitor Recover Disposition defensive destruction Archive (From archive going back to Identify and classify)
Share:
Information is shared with others, such as between users,to customers, and to partners, vendors, and other third parties. Not all data should be shared, and not all sharing should present a threat, but since data that is shared is no longer under the "
STRIDE
Is an acronym that stands for 6 categories of security risks: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privileges.
USGCB
Is an example: United States Government Configuration Baseline (USGCB) The purpose of the USGCB initiative is to create security configuration baselines for IT products widely deployed across the federal agencies.
The Center for Strategic & International Studies (CSIS)
The Center for Strategic & International Studies (CSIS) 20 Critical Security Controls initiative provides a unified list of 20 critical controls that have been identified through a consensus of federal and private industry security professionals as the most critical security issues seen in the industry.
The Framework
The Framework is a risk-based approach to managing cybersecurity risk and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles.
(NIST) National Checklist Program (NCP):
The NCP is the U.S.government repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications."
OECD Privacy Guidelines
The OECD has broadly classified these principles into the collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.
(NIST) Special Publications (SP) 800 Series
The SP 800 series presents documents of general interest to the computer security community and reports on research, guidelines, and outreach "efforts in computer security and its collaborative activities with industry, government, and academic organizations.
Wireless Connections
Wireless Connections When connecting to wireless networks to access a system handling sensitive data, only connect to wireless networks employing cryptographically strong wireless encryption standards such as WPA2."
Classification of assets
once assets have been located and identified, they can be classified by owners based on value and then protected based on classification. Classification of assets is essential to have proper controls be implemented to allow organizations to address compliance with relevant laws, regulations, standards, and policies. The first step in asset protection is to know what assets the organization has.
Lifecycle of data
the lifecycle of data is depicted as having six phases: create, store, use, share, archive, and destroy
As a baseline summary:
1. A baseline is a consistent reference point. 2. Baselines provide a definition of the minimum level of protection that is required to protect valuable assets." 3. Baselines can be defined as configurations for various PPT Considerations architectures, which will indicate the necessary settings and the level of protection that is required to protect that architecture.
Storage
1. Data and records are stored securely to avoid misuse or loss. 2. Any data file or record that contains personal data or personal sensitive data is considered as confidential."
U.S. Department of Defense Policies
1. Department of Defense Instruction 8510.01 (DoDI8510.01): 2. United States National Security Agency (NSA) IA Mitigation Guidance: 3. NIST Computer Security Division (CSD)
SCAP version 1.2 is comprised of 11 component specifications in five categories
1. Languages- The SCAP languages provide standard vocabularies and conventions for expressing security policy, technical check mechanisms, and assessment results. 2. Reporting Formats- The SCAP reporting formats provide the necessary constructs to express collected information in standardized formats. 3. Enumerations- Each SCAP enumeration defines a standard nomenclature (naming format) and an official dictionary or list of items expressed using that nomenclature. 4. Measurement and Scoring Systems: In SCAP, this refers to evaluating specific characteristics of a security weakness (for example, software vulnerabilities and security configuration issues)and, based on those characteristics, generating a score that reflects their relative severity. 5. Integrity- An SCAP integrity specification helps to preserve the integrity of SCAP content and results. Trust Model for Security Automation Data (TMSAD) is the SCAP integrity specification."
The five "critical tenets" of the CSIS initiative
1. Offense Informs Defense- "Use knowledge of actual attacks that have compromised systems to provide the foundation to build effective, practical defenses. " 2. Prioritization: Invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment. 3. Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly. 4. Continuous Monitoring: Carry out continuous monitoring to test and validate the effectiveness of current security measures. 5. "l Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the controls and related metrics."
A Framework Profile
A Framework Profile ("Profile") represents the outcomes based on business needs that an organization has selected from the framework categories and subcategories. "
Baselines
A baseline is a minimum level of protection that can be used as a reference point. As a reference point, baselines can therefore be used as a comparison for assessments and requirements to ensure that those minimum levels of security controls are always being achieved.
Data owner
Accountable for determining the value of the data that they own and, therefore, also accountable for the protection of the data.
Recover
Any impact to the value of the asset will require the ability to recover from those impacts. An impact could be a failure in the security control or an event that impacts the value of the asset, but regardless, it will require the ability to recover from that negative eventuality.
Archive
Archiving typically means long-term storage.Requirements may be dictated by several factors, all of which need to be carefully identified and understood to properly meet the retention requirements."
Establishing Information Governance and Retention Policies
As part of proper asset governance, the establishment of effective asset archiving and retention policies needs to be done. These are the issues and factors to consider: 1. l Understand where the data exists 2. Classify and define data 3. Archive and manage data
Asset
Asset is anything that has value to an organization.In many cases, assets are also referred to as resources.
Asset management and data management
Asset management and data management need to include accountabilities and responsibilities for protection of assets based on classification.
Baseline catalogs
Baseline catalogs may specify safeguards to be used in detail, or they may suggest a set of security requirements to be addressed with whatever safeguards appropriate to the system under consideration.
Key of focus Retention
By focusing in three distinct areas, media, hardware, and personnel, you can ensure that retention is being addressed in a formal manner, aligned with the policies of the enterprise, and meant to ensure confidentiality, integrity, and availability of data as required.
Clearing
Clearing is defined as the removal of sensitive data from storage devices, using methods that provide some assurance that the data may not be reconstructed using most known data recovery techniques.
Categorization
Categorization is the process of sorting or arranging things into classes. This can be simplified as saying classification is the system, and categorization is the act of sorting into the classification system. Categorization is the process of determining the impact of the loss of confidentiality, integrity, or availability of the information to an organization.
Baseline Considerations
Certain questions need to be considered when applying baseline security: PPT Objective of Baseline Protection PPT l Which parts of the enterprise or systems can be protected by the Baseline Catalogs same baseline? l Should the same baseline be applied throughout the whole enterprise? l At what security level should the baseline aim? l How will the controls forming the baselines be determined?
Classification and categorization
Classification and categorization is used to help standardize the protection baselines for information systems and the level of suitability and trust an employee may need to access information."
Classification
Classification is the act of forming into a class or classes. This can be rephrased as a distribution into groups, as classes, according to common attributes. The purpose of a classification system is to ensure protection of the assets based on value in such a way that only those with an appropriate level of clearance can have access to the assets.
Framework Components
Framework Components Each framework component reinforces the connection between business drivers and cybersecurity activities.
Create
Create: Creation is the generation or acquisition of new content,or the iteration or updating of existing content. The creation phase is the preferred time to classify content according to its sensitivity and value to the organization.
Data Custodians (משמורת, אַפּוֹטרוֹפּוֹס)
Custodians have the very important responsibility to protect the information while it's in their custody, according to expectations by the owners as set out in policies, standards, procedures, baselines, and guidelines. It will be up to the security function to ensure that the custodians are supported and advised and have the proper skills, tools, and architectures, etc. to be able to properly protect assets, such as information, while in their custody.
Data States
Data States It is typically agreed upon that data and information can be in three basic states: data at rest, data in motion (transit), and data in use.
Data classification
Data classification is all about analyzing the data that the organization has,in whatever form, determining its importance and value and then assigning it to a category or classification level.
Data custodian
Data custodians are responsible for the protection of the data while in their custody. That would mean safe custody, transport, storage, and processing of the data and the understanding and compliance to policies in regards to the protection of the data."
Data in Transit
Data in Transit- Data that moves, usually across networks, is said to be data in motion, or in transit. The risks associated with data in motion are the same as those associated with data at rest. This data most be encrypted.
Data in Use
Data in Use - A particularly troublesome problem to protect is data in use. It is really difficult to protect data in use.
Use
Data in use is usually most vulnerable because it is probably in clear text at that point and may be transported into unsecure locations such as servers and workstations. To be processed, data must be unencrypted."
Archive
Data leaving active use may need to be stored long-term. Archiving data for a long period of time can be challenging, especially from a security perspective. Considerations of security through the archive period may affect data access procedures. "
Data processor
Data processors are the entities that process the data on behalf of the data controller, therefore, they may be given the responsibility to protect the data, although the accountability would always remain with the controller."
Data Remanence
Data remanence is defined as the residual data remaining on some sort of object after the data has been deleted or erased. The problem related to data remanence is that there may some physical characteristics of that data remaining on the media even after we've tried to securely erase it.
Data steward (סוכן)
Data stewards are commonly responsible for data content, context, and associated business rules within the organization.
Data at rest
Databases, backup information, off-site storage, password files, and many other types of sensitive information need to be protected from disclosure or undetected alteration and availability.
classification process steps 1
Determine ownership to establish accountability.
Disposition
Disposition ( הערכות)
End-to-End Encryption
End-to-end encryption is generally performed by the end user within an organization. The data are encrypted at the start of the communications channel or before and remain encrypted until decrypted at the remote end
(NIST) FIPS Publication 200:
FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, was created in response to the need for each U.S. federal agency to develop, document, and implement an enterprise-wide program to provide information security for the information and information systems that support the operations and assets of the agency, and it outlines minimum security requirements for U.S. federal information and information systems.
NIST Publications Series: Federal Information Processing Standards (FIPS):
FIPS is the official series of publications relating to standards and guide lines adopted under the Federal Information Security Management Act(FISMA) of 2002.
Retention (שמירה.החזקה)
Is defined as the continued and long-term storage of valuable assets driven by compliance requirements or corporate requirements. Companies are required to comply with legal and regulatory legislation in retaining assets, especially information and records. Each company should have those requirements clearly addressed and expressed in a retention policy that usually is accompanied by a retention schedule. This will then provide the basis for how long to keep data and assets around and also when they should be securely destroyed.
Documentation
It is very important for data owners to establish and document certain expectations that need to be passed on to others, such as custodians, as they relate to the data that is owned by the owners.
Identify and Classify
It needs to be classified based on its value. This is done by the owner, who is always in the best position to understand the value.
Defensible destruction
Knowing when and how to destroy assets can be very problematic, and many companies will avoid this problem by keeping everything for a very long time. Defensible destruction means eliminating and destroying assets, including information, in a quality controlled, regulatory-compliant, and legally defensible way. Every organization should have policies that address not only records retention and archiving, but also verifiable ways of destroying assets at the end of their lifecycle.
Link Encryption
Link Encryption Data are encrypted on a network using either link or end-to-end encryption. In general, link encryption is performed by service providers, such as a data communications provider on a Frame Relay network. Link encryption encrypts all of the data along a communications path.
Marking
Marking Organizations should have policies in place regarding the marking and labeling of media based on its classification."
Media storing
Media storing sensitive information requires physical and logical controls. Media lacks the means for digital accountability when the data is not encrypted.
(NIST) SP 800-37, Guide for Applying Risk Management Framework to Federal Information Systems:
NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems,establishes a common framework to improve information security, strengthen risk management processes, and encourage reciprocity among federal agencies."
(NIST) SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government. "
(NIST) SP 800-60, Guide to Mapping Types of Information and Information Systems to Security Categories
NIST Special Publication 800-60, Guide for Mapping Types of information and Information Systems to Security Categories provides guidelines recommending the types of information and information systems to be included in each category of potential security impact.
NIST
NIST is the U.S. federal technology agency that works with industry to develop and apply technology, measurements, and standards.
Secure
Once information is discovered or created and classified based on its value, it needs to be secured based on that value. Each of the classification levels specified in the organization's classification system will dictate the protection requirements expressed as baselines. Baselines are minimum levels of security required for each of the classification levels used in the organization's classification scheme."
Monitor
Once information is secured based on its classification level, the security controls and the value of the asset needs to be monitored on a regular basis.
Handling
Only designated personnel should have access to sensitive media. Policies and procedures describing the proper handling of sensitive media should be promulgated (להפיץ)
Creating a Sound Record Retention
Policy Fundamentally, there are some basic steps that can be useful in guiding an organization in developing an effective asset retention policy: 1. Evaluate legal and regulatory requirements, litigation obligations, and business needs. 2. Classify assets and records. 3. Determine retention periods and defensible destruction procedures and methods. 4. Draft asset retention policy. 5. Provide training, awareness, and education to support policy. 6. Audit retention and destruction policy and procedures. 7. Periodically review policy and procedures. 8. Document policy, implementation, procedures, training. For every type of asset, the organization should determine the proper retention period through involvement with appropriate stakeholders by taking into consideration laws, regulations, and corporate requirements. As a result, certain assets may have very long retention periods.
Purging
Purging (טיהור), sometimes referred to as sanitizing, is the removal of sensitive data from media with the intent that the sensitive data cannot be reconstructed by any known technique.
Risk
Risk is something that can impact value
NIST Security Content Automation Protocol (SCAP)
SCAP is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SCAP is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. Goals for the development of SCAP include standardizing system.
Scoping
Scoping can be defined as limiting the general baseline recommendations by removing those that do not apply. We "scope" to ensure the baseline control applies to the environment as best as it can.
Solid-State Drives (SSDs)
Solid-State Drives (SSDs) use flash memory for data storage and retrieval (retrieval). Flash memory differs from magnetic memory in one key way: flash memory cannot be overwritten.
Standards (Frameworks) Selection
Standards sometimes referred to as frameworks, that are focused on security can be very helpful to organizations in not only understanding baseline security controls, but can also be used in assessing the current state of security programs for organizations. The security professionals needs to be familiar with a wide range of standards and frameworks and the organizations and entities that are responsible for each of them.
Storing
Storing is the process of committing the data to some sort of storage media and in most cases happens at the same time as creation.
Supplementation
Supplementation involves adding assessment procedures or assessment details to adequately ( כראוי ) meet the risk management needs of the organization. Supplementation decisions are left to the discretion ( שיקול דעת) of the organization to maximize flexibility in developing security assessment plans when applying the results of risk assessments in determining the extent, rigor, and level of intensity of the assessments.
Tailoring
Tailoring is defined as altering baseline control recommendations to apply more specifically. This means we "tailor" to make sure controls apply as required probably specifically to the technology or environment.
Data controller
The data controller is assigned the accountability for protecting the value of the information based on proper implementation of controls.
Data subject
The individual who is the subject of personal data.
The information owner
The information owner, therefore, is in the best position to clearly understand the value, either quantitative or qualitative, of the information. The owner is also accountable for protecting the information based on that value. To determine the correct value, the owner, therefore, has the following accountabilities.
(NIST) Risk Management Framework
The management of organizational risk is a key element in an organization's information security program and provides an effective framework for selecting the appropriate security controls for an information system. The NIST Risk Management Framework is a risk-based approach to security control selection and specification and is comprised of activities related to managing organizational risk.
Destruction (הרס)
The media is made unusable by using some sort of destruction method. This could include shredding or melting the media into liquid by using very high temperatures. Destruction is thought of as being the best option, as long as the destruction method is a good one.
classification process 2
The next step in the classification process is to protect the assets based on their classification levels. A good way to achieve this would be to establish minimum security requirements for each of the classification levels that are being used.
Objective of Baseline Protection
The objective of baseline protection is to establish a minimum set of safeguards to protect the classified assets of the organization. Using this approach, it is possible to apply baseline protection enterprise-wide.
The phases depicted in our diagram are
The phases depicted (מתואר) in our diagram are
Opt out- Opt In Information
The processing of personal data is subject to "opt out" consent from the data subject, while the "opt in" rule applies in special cases such as the processing of sensitive and valuable health information.
privacy
The ultimate goal of privacy and data protection laws is to provide protection to individuals that are referred to as data subjects for the collection, storage, usage, and destruction of their personal data with respect to their privacy.
OECD
There is an organization that has been devoted to helping governments and organizations around the world in dealing with issues that focus on improving the economic and social well-being of people around the world. That organization is the OECD. The OECD provides a forum in which governments can work together to share experiences and seek solutions to common problems.
Key principles of Record Retention Policy
These are the key principles of this policy: Data must be stored securely and appropriately having regard to the sensitivity and confidentiality of the data. 2. Appropriate measures are put in place to prevent unauthorized access and processing of the data, or accidental loss or damage to the data. 3. Data is retained for only as long as necessary. 4. Data is disposed of appropriately and securely to ensure the data does not fall into the hands of unauthorized personnel.
Degaussing (Magnetic erases)
This technique uses a degausser that basically erases the information on the magnetic media by applying a varying magnetic field to the media to erase the information that was stored using magnetic technology. (Part of 3 option destruction(הרס) Overwriting- Using zeros and ones, Deggaussing, Encryption)
Building Effective Archiving and Data Retention Policies
To build an effective overall archiving and data retention strategy, consider the following guidelines: 1. Organizations need to involve the most important stakeholders in the process of aligning the organizational goals and objectives, with the legal requirements for the asset retention policies. 2. Establish common objectives for supporting archiving and data retention best practices within the organization. Understand the best practices that exist out there, especially in the same industry or in companies having similar goals and objectives. 3. On a regular basis, monitor, review, and update the asset retention policies and archiving procedures.
Value
Value can be expressed in terms of quantitative and qualitative methodologies, and both of these valuation methods are used to determine the level of protection that the assets require. Value can be expressed in terms of quantitative (numbers/monetary) and qualitative (grades such as high/medium/low, or top secret/secret/confidential, etc.).
"Picking Encryption Algorithms
When selecting algorithms to encrypt valuable data, keep these considerations in mind: Use these Always choose the encryption algorithms that support longer key lengths as they generally provide stronger protection. Since passwords are often used to control the keys within the cryptosystem, long complex passphrases are stronger than shorter passphrases.