Asset Security
Information Life Cycle
• Data that is combined to form meaning
• Information has worth to the organization
• Information is either created or copied (predominantly copied)
• 4 Phase life cycle
• Acquisition
• Use
• Archival
• Disposal
Information Life Cycle
Acquisition
• Copied or created
• System data and business process data are attached
• Information is indexed
• Access control on data access implemented
• Roll-back capability to be provided
Use
• Presents the most challenge in protection
• Controls to ensure internal consistencies
Archival
• Important to decide on the needs for backup and how they are protected
• Need to decide on the retention period
Disposal
• Two key aspects
• Data is indeed destroyed
• It is destroyed correctly
• How and where it is stored is critical for destruction
Data Backup
• Copy of current data set that is used as backup if loss of the original data set
• It becomes less useful over time
Data Archive
• Copy of data set that is no longer in use, but retained for use later
• Data from original location is destroyed
Understanding Sensitive Data
• The first step in asset security is to classify and label the asset
• What is Sensitive Data?
• Any information that is not public or unclassified
• Any type of data that an organization places value on and shall protect, or that is subject to laws and regulations
• Personally Identifiable Information
• Any information that can identify an individual
• Race, name, SSN, date, place of birth, biometric, medical, financial, employment
information
• Protected Health Information
• Any health-related information that can be related to an individual
• Oral or written information created or received by health care related entities
• Relates to past, present or future medical information of an individual
• Proprietary Data
• Any data that helps an organization to maintain a competitive edge
• If lost, it can seriously affect the primary mission of an organization
Information Classification
• Refers to the practice of differentiating between different types of information
assets and providing some guidance as to how they must be protected
• It is an ongoing process and not one-time effort
• An important metadata item that should be attached to all information is the classification level
• The classification level should be always attached throughout the lifecycle of
the information
Information Classification
• Classification
• Identifies the value of the data to the organization
• It also identifies how data owners can determine the proper classification,
and personnel should protect data based on classification
• Classification authority is the one who applies the original classification to
the sensitive data
• Categorization
• Process of determining the impact due to the loss of CIA of information to
an organization
• Classification and categorization help to set baselines for information systems
Information Classification
• Information is classified by Sensitivity, criticality or both
• Sensitivity:
• Loss to an organization if the information is released to unauthorized entities
• Organizations can lose trust and spend expensive response efforts in remediation
• Criticality
• Indicator of how the loss will impact the fundamental business process of the
organization
• It is that which is required for the organization to continue business
Information Classification
• Primary Purpose:
• Helps indicate the level of confidentiality, integrity and availability
protection that is needed for each type of data
• Helps ensure data is protected in a most cost effective manner
• Each classification should have separate handling requirements and
procedures
Classification Guidelines
• When classifying data, take into consideration
• Who has access to data
• How the data is secured
• How long the data is retained
• What methods are used to dispose of the data
• Whether the data needs to be encrypted
• What use of the data is appropriate
• Keep the classification small
• Classification should not be overly restrictive or detail-oriented either
• Each classification should be unique and separate from others; no overlap effects
• Should outline how information is controlled and handled through its life cycle
Classification Procedure
1. Define Classification Levels
2. Criteria of classification levels
3. Data owners who will be responsible for Classification
4. Data custodians who will be responsible for maintaining data
5. Security controls for each classification level
6. Exception documentation to previous classification issues
7. Methods to transfer data ownership
8. Procedure to periodically review the classification and ownership
9. Declassification procedures
10. Classification awareness to all employees
Data Policy
• Defines strategic long term goals for data management across all aspects of
project or enterprise
• High level principles that establish a guiding framework for data management
• It should be flexible and dynamic
• Should be readily adaptable for unforeseen circumstances, changing projects,
potentially opportunistic partnerships while still maintaining its guiding strategic
focus
Data Policy Definition considerations
• Cost: Cost of providing access to data vs cost of providing the data
• Ownership & Custodianship: Who owns the data and who maintains the data
• Privacy: What data is private, what data is made public
• Liability: How protected the organization is from legal recourse
• Sensitivity: What type of data is in question; what is the impact, type and level of threat, vulnerability for the data
• Existing Law and Policy Requirements: May have impact on enterprise data policy
• Policy & Process: Consideration should be given to legal requests for data and policies that may need to be put in place
Roles and Responsibilities
• Objectives of defining roles and responsibilities
• Clearly define roles associated with functions
• Establish data ownership throughout the life cycle of the data
• Instill data accountability
• Ensure adequate, agreed-upon data quality and metadata metrics are maintained on a continuous basis
Data Owner
• Key aspect of good data management involves identification of information
owner
• Individual or group that created, acquired or purchased information that supports
the mission of the organization
• Has legal rights over the data
• Ownership implies the right to exploit the data as well as the right to destroy it
Data Owner - Responsibilities
• Determine the impact the information has on the organization
• Understand the replacement cost of the information
• Establish the rules of appropriate use and protection of information
• Decide who has access to the information and what privilege
• Know when the information is inaccurate or no longer needed and should be
destroyed
• Provide input to system owners regarding security requirements and controls for
the information system that hold the data
• Assist in identification and assessment of common security controls
• Delegates day-to-day maintenance to the data custodian
Data Owner - Responsibilities
• Data Owner shall establish and document the following
• The ownership, IP rights and copyrights for their data
• The statutory and non-statutory requirements relevant to their business to
ensure the data is compliant
• The policies for data security, disclosure, pricing and dissemination
• Contracts with users and customers on conditions of use, before the data is
released
Data Custodian
• Data custodian ensures important data sets are developed, maintained and are
accessible within their defined specifications.
• Best handled by the entity that is most familiar with a dataset's content and its management criteria
• Responsibilities include
• Adherence to data owner guidelines
• Ensure access to appropriate users and maintaining appropriate level of security
• Dataset maintenance, including data storage and archival
• Dataset documentation, including changes to documentation
• Quality Assurance and validation to assure ongoing data integrity
System Owner
• A person who owns the system processing sensitive information
• One system may have multiple information owners
• Responsibilities
• Develop a system security plan in coordination with Information owners
• Maintain the plan and ensure it operates according to the agreed security requirements
• Ensure system users and support personnel get security training
• Update the plan whenever major change happens
• Assist in identification, implementation and assessment of common security controls
Other Roles
• Security Administrator:
• Responsible for maintaining specific security devices
• Creating new user accounts, implementing new security software, testing security patches
• Has the main focus of keeping the network secure; the network administrator has the main focus of keeping the IT running
• Supervisor
• Ultimately responsible for all actions of the users under them
• Responsible for making sure access changes are done for user accounts as and when there
is change in user role
Other Roles
• Data Analyst:
• Ensures data is stored in a way that makes more sense to the company
• Responsible for architecting a new system that will hold company information, or advising on the purchase of a product
• Works with data owners to help ensure that the structures setup support business objectives
• Change Control Analyst
• Responsible for approving or rejecting requests to make changes to the IT environment
• Makes sure changes do not introduce new vulnerabilities, have been tested, and are properly rolled out
Other roles
• Data processor is an individual or organization that processes personal data
solely on behalf of data controller
• Data Controller is an entity that controls processing of personal data
• Users are those who access data to accomplish work tasks. They should have
access to only the data they need to perform their work
Data Quality
• Data Quality determines the fitness for use or potential use of data
• 2 factors considered for setting data quality expectations are
• Frequency of Incorrect data fields or errors
• Significance of error within a data field
• Errors are more likely to be determined when expectations are clearly documented
• 2 Keys to improve data quality are
• Prevention
• Correction
• Documentation is key to good data quality
• Two types of data documentation
• Records what data checks have been done and what changes have been made and by whom
• Metadata that records information at the dataset level
Data Quality
• Data Quality is assessed by applying Verification and validation procedures
• Helps ensure data is valid and reliable
Verification
• Process of checking the completeness, correctness and compliance of a dataset to ensure the data is what it claims to be
• Checks that the digitized data matches the source data
• Can be done by personnel who are less familiar with the data
Validation
• Evaluates verified data to determine if data quality goals have been achieved and the reasons for deviation
• It follows data verification
• Checks that the data makes sense
• Requires in-depth knowledge about the data and should be conducted by experienced personnel
Data Quality
Quality Control
• Assessment of data quality based on internal standards, processes, and procedures established to control and monitor quality
• Quality control procedures monitor and evaluate the resulting products
Quality Assurance
• Assessment of quality based on standards external to the process and involves reviewing of activities and QC processes to ensure final product meets predetermined quality standard
• Maintains quality throughout all stages of data development
Quality Control and Assurance
• QA/QC are designed to prevent data contamination due to two fundamental
types of errors
• Errors of omission
• Insufficient documentation of legitimate data values
• They are harder to detect and correct
• Can be revealed by rigorous QC procedures
• Errors of commission
• Caused by data entry, transcription or malfunctioning equipment
• This is common, fairly easy to identify and effectively reduced by QA measures in data acquisition
process as well as QC procedures after the data has been acquired
Stages of Data Management Process
• Capture/Collect
• Digitization
• Storage
• Analysis
• Presentation
• Use
Data Documentation
• It is critical to ensure datasets are useable well into the future
• The first step in the data management process is to enter data into an electronic system
• Objectives of Data documentation are
• Ensure the longevity of the data and their re-use for multiple purposes
• Ensures data users understand the context and limitations of datasets
• Facilitate discovery of datasets
• Facilitate interoperability of datasets and data exchange
Dataset titles and filenames
• Titles and filenames should be descriptive
• Should reflect the contents of the file and include enough information to uniquely identify
the data file
• Filename should be provided in the first line of the header rows in the file itself
• Names should only contain numbers, letters, dashes and underscore
• Lowercase is less software- and platform-dependent, and hence is preferable
• File name should not be more than 64 characters
• Versioning and file creation date will help user know if they are using the correct file
Metadata
• Definition: Set of data that gives information about other data
• Three types of metadata:
• Descriptive metadata:
• Describes a resource for discovery and identification
• title, keyword, tag, author
• Structural metadata:
• Facilitates navigation and presentation of electronic information; provides information about
internal structure; binds related files
• TOC, index, chapters, title page
• Administrative metadata:
• Provides information to help manage a resource
• Filetype, who created, when it was created
Data Standard
• Rules by which data are described and recorded
• When adopting a standard adopt a minimally complex standard that addresses the
largest audience
• Benefits of data standard
• More efficient data management
• Increased data sharing
• Higher data quality
• Improved data consistency
• Increased data integration
• Better understanding of the data
• Improved documentation of information resources
Data Lifecycle Control
• Data management includes
• Data specification and modeling
• Database maintenance and security
• Ongoing Audit
• Archiving
Data Specification and Modelling
• Successful database planning requires thorough user requirements analysis and
followed by data modeling
• Data modelling is the methodology that identifies the path to meet user requirements
• Data modelling should be iterative and interactive
• Data model consists of written documentation of the concepts to be stored in the
database, their relationships, and diagram showing those concepts and their
relationships
• Data model is the tool to help the design and program teams understand the nature of
information to be stored
• Data model helps in communication between data content experts specifying what the
databases need to do and database developers who are building the database
Database maintenance
• Technology obsolescence is a significant cause for information loss
• Major changes to hardware/software should be noticed and data should be migrated to
newer platforms
• Data should be stored in formats that are independent of specific platform or software
• Versioning should be used in multi-user environments
• Database management requires day-to-day system administration
Data Audit
• Data audit process involves:
• Identifying the information needs of the organization and assigning a level of strategic
importance
• Identifying the resources and services currently provided to meet those needs
• Benefits of data audit are:
• Awareness of data holdings
• Promote capacity planning
• Facilitate data sharing and reuse
• Monitor data holding and avoid data leaks
• Recognition of data management practices
• Promote efficient use of resources and improved workflows
• Increase ability to manage risks
• Enable the development/refinement of data strategy
Data Retention
• Data Retention Guidelines
• Involve all stakeholders in the process of aligning the business and legal requirements for the data retention policies
• Establish common objectives for supporting archiving and data retention best practices
• Monitor, review and update documented data retention policies and archiving procedures.
• Data retention policy should
• Outline the classification of records
• Retention and destruction schedules
• Parties responsible for retention and destruction
• Procedures used for destruction
• Training
• Policy should answer the following questions
• What data is stored?
• How long is it stored?
• Where is it stored?
Data Retention
• For retained data to be useful, it should be accessible. Consider following issues for data
accessibility
• Taxonomy:
• Scheme for classifying the data; could be functional, chronological, or combination of categories
• Classification:
• Sensitivity determines the controls we put in place during the lifecycle of the data
• Normalization:
• Data comes in many formats; storing the data in original format may render it inaccessible later in time; it is prudent to tag data sets to ensure searchability and accessibility
• Indexing:
• Indexing archived data for future searches
e-Discovery
• Process of producing for a court or external attorney all ESI (Electronically Stored
Information) pertinent to a legal proceeding
• 8 Step Electronic Discovery Reference Model (EDRM)
1. Identification
2. Preservation
3. Collection
4. Process
5. Review
6. Analyze
7. Production
8. Presentation
Managing Sensitive Data
• Marking (Labeling)
• Ensures users can easily identify the classification of the data
• It also includes digital marks or labels
• An asset handling data of different classifications should be marked with the topmost classification it handles
• When media is found without label, it should be labeled with the highest level of sensitivity until
appropriate analysis is done.
• Handling
• Refers to secure transport of media through its lifetime
• Policies and procedures should be in place to ensure people understand how to handle sensitive
data
• Encryption is the obvious choice for protecting sensitive data at rest.
Data at rest
• Three broad categories of encrypting tools for the data at rest
• Self-encrypting USB Drives:
• USB drives embed encryption algorithms within the Hard-drive
• Everything in the drive is automatically encrypted
• Files moving out of the drive are in decrypted state
• Media Encryption Software:
• Software used to encrypt the media
• Flexibility of software allows encrypting various storage media types
• Has the same problem as above, files outside the drive remain un-encrypted
• File Encryption Software
• Allows greater flexibility in encrypting specific files
• Since encryption is applied at file level, it stays encrypted irrespective of the media it is stored.
Data in Transit
• Mechanism to ensure the content of the message is protected even if the message itself is intercepted.
• Link encryption
• Performed by service providers
• Encrypts all data, including routing data, along a communications path
• Communications nodes need to decrypt data in order to continue routing
• It provides traffic confidentiality better than end-to-end encryption
• Prevents inference attack
• End to End Encryption
• Generally performed by end user
• Encrypted at the start of the communication channel
• Routing information remains visible
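What an on-path observer and an intermediate node can read under each scheme, as an added example that is not part of the original slides. The two-hop path (A, node N1, B), the keys, the header and payload values and the `toy_cipher` helper are all assumptions; the helper is a stand-in for a real authenticated cipher and is for illustration only.

```python
import hashlib
import hmac


def toy_cipher(key, nonce, data):
    """Toy XOR stream cipher (HMAC-SHA256 in counter mode). Illustration only:
    no integrity protection; the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256)
        stream += block.digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed sample traffic and keys.
HEADER = b"to=hostB;"                      # routing data
PAYLOAD = b"wire 500 to acct 0042"         # message content
LINK_KEYS = [hashlib.sha256(b"link A-N1 (constructed)").digest(),
             hashlib.sha256(b"link N1-B (constructed)").digest()]
E2E_KEY = hashlib.sha256(b"shared by A and B only (constructed)").digest()


def send_link_encrypted(link_keys=LINK_KEYS):
    """Each link encrypts the whole packet, routing data included."""
    packet = HEADER + PAYLOAD
    wire1 = toy_cipher(link_keys[0], b"hop1", packet)
    # N1 holds both link keys and must decrypt to read the routing data.
    at_node = toy_cipher(link_keys[0], b"hop1", wire1)
    wire2 = toy_cipher(link_keys[1], b"hop2", at_node)
    delivered = toy_cipher(link_keys[1], b"hop2", wire2)[len(HEADER):]
    return {"on_wire": [wire1, wire2], "node_view": at_node,
            "delivered": delivered}


def send_end_to_end(e2e_key=E2E_KEY):
    """Only the payload is encrypted, at the start of the channel."""
    packet = HEADER + toy_cipher(e2e_key, b"msg1", PAYLOAD)
    # N1 routes on the clear header and never holds the end-to-end key.
    delivered = toy_cipher(e2e_key, b"msg1", packet[len(HEADER):])
    return {"on_wire": [packet, packet], "node_view": packet,
            "delivered": delivered}


def exposure(result):
    """Summarise who can read what for one delivery."""
    return {
        "wire_shows_routing": any(HEADER in w for w in result["on_wire"]),
        "wire_shows_payload": any(PAYLOAD in w for w in result["on_wire"]),
        "node_shows_payload": PAYLOAD in result["node_view"],
        "delivered_ok": result["delivered"] == PAYLOAD,
    }


if __name__ == "__main__":
    print("link encryption :", exposure(send_link_encrypted()))
    print("end-to-end      :", exposure(send_end_to_end()))
```

Link encryption hides the routing data from the wire but exposes the payload at every node; end-to-end encryption does the reverse.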
Data in Use
• Data residing in primary storage devices ~ Volatile memory (registers, memory
cache, RAM)
• Data in use generally cannot be protected by encryption
• Attacks
• Side Channel Attack: exploits information flow that is the electronic byproduct of a process (like
encryption)
• Data in use can be protected by
• Ensuring software is tested against these attacks
• Secure development process
Data Remanence
• Data remanence is the data that remains in the hard drive as residual magnetic flux or after
erasing
• Data remanence in HDD is caused by the failure of the method used to clean the HDD
• Commonly used methods to address data remanence are
• Erasing
• Simple deletion process; does not remove the files, but only removes the catalog
reference
• Anyone can typically retrieve the data using widely available tools
Data Remanence
• Clearing (overwriting/wiping/shredding)
• Process of preparing media for reuse with assurance that cleared data cannot be
retrieved using traditional recovery means
• Unclassified data is written over all addressable locations on the media
• Data recovery requires special laboratory techniques
• Some media types don’t respond well to clearing
• Purging
• More intense form of clearing – repeats the clearing process multiple times
• Provides assurance that data cannot be recovered using any known means
• It can be combined with other means like degaussing to completely remove data
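The difference between erasing, clearing and purging, as an added example that is not part of the original slides. It uses a constructed in-memory model of a medium; the `ToyMedia` class, the file names and the file contents are assumptions, and a residue check is run after each step.

```python
BLOCK = 16  # bytes per block; tiny on purpose (constructed value)


class ToyMedia:
    """Constructed model of a storage medium: raw blocks plus a file catalog."""

    def __init__(self, blocks=8):
        self.raw = bytearray(blocks * BLOCK)  # every addressable location
        self.catalog = {}                     # name -> (first_block, length)
        self.next_free = 0

    def write_file(self, name, data):
        nblocks = -(-len(data) // BLOCK)      # ceiling division
        if (self.next_free + nblocks) * BLOCK > len(self.raw):
            raise ValueError("media full")
        start = self.next_free * BLOCK
        self.raw[start:start + len(data)] = data
        self.catalog[name] = (self.next_free, len(data))
        self.next_free += nblocks

    def read_file(self, name):
        first, length = self.catalog[name]    # KeyError once the entry is gone
        return bytes(self.raw[first * BLOCK:first * BLOCK + length])

    def erase(self, name):
        """Erasing: drop the catalog reference only; the blocks are untouched."""
        del self.catalog[name]

    def clear(self, pattern=0x00):
        """Clearing: write unclassified data over all addressable locations."""
        self.raw[:] = bytes([pattern]) * len(self.raw)
        self.catalog.clear()
        self.next_free = 0

    def purge(self, patterns=(0xFF, 0x00)):
        """Purging as the slide describes it: the clearing pass, repeated."""
        for pattern in patterns:
            self.clear(pattern)
        return patterns[-1]                   # pattern left on the media


def residual_blocks(media, pattern=0x00):
    """Sanitization check: indexes of blocks still holding non-pattern bytes."""
    expected = bytes([pattern]) * BLOCK
    return [i for i in range(len(media.raw) // BLOCK)
            if bytes(media.raw[i * BLOCK:(i + 1) * BLOCK]) != expected]


def sanitization_report(secret=b"PAYROLL 2023: acct 0042 (constructed)"):
    """Erase one file, inspect the residue, then purge and inspect again."""
    media = ToyMedia()
    media.write_file("payroll.csv", secret)
    media.write_file("notes.txt", b"public notes")

    media.erase("payroll.csv")
    report = {
        "listed_after_erase": "payroll.csv" in media.catalog,
        "bytes_after_erase": secret in bytes(media.raw),
        "dirty_after_erase": residual_blocks(media),
    }
    final_pattern = media.purge()
    report["bytes_after_purge"] = secret in bytes(media.raw)
    report["dirty_after_purge"] = residual_blocks(media, final_pattern)
    return report


if __name__ == "__main__":
    for key, value in sanitization_report().items():
        print(f"{key}: {value}")
```

The model only covers locations the host can address, which is why a residue check of this kind says nothing about media that keep data in areas an overwrite cannot reach.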
Data Remanence
• Declassification
• Any process that purges media or system in order for reuse in unclassified environment
• Sanitization
• Combination of process that ensures data is removed from the system
• It ensures data cannot be recovered by any means
• Includes ensuring non-volatile memory is erased, external drives removed and
sanitized
• Degaussing
• Generates heavy magnetic fields which realign the magnetic fields in magnetic media; only effective on magnetic media (does not affect CD/DVD/SSD)
• AC erasure – medium is degaussed by applying alternating field that is reduced in amplitude over time
• DC erasure – medium is saturated by applying a unidirectional field
Asset Management
• Asset management is the foundation for Information Security
• Inventory management deals with what assets are there, where they reside and who
owns them
• Configuration management adds a relationship dynamic relating the other items in the
inventory
• IT Asset Management (ITAM) introduces financial aspects of the asset – cost, value and
contractual status
• ITAM also refers to full lifecycle management of the asset
• ITAM is designed to manage the physical, contractual and financial aspects of the asset
Asset Management Enablers
• A single, centralized, relational repository
• Organizational alignment and defined process
• Scalable technologies and infrastructure
Equipment Lifecycle
• All equipment has a useful life; it depreciates over time or is retired when it is no longer capable of performing its tasks
• Common Lifecycle tasks
• Defining Requirements
• Ensure relevant security requirements are included
• Ensure appropriate costs have been allocated for security
• Ensure new equipment requirements fit into the organizational security architecture
• Acquiring and Implementing
• Validate security features are included as specified
• Ensure additional security configurations are applied
• Ensure security certification or accreditation process is followed
• Ensure equipment is inventoried
Equipment Lifecycle
• Operations and Maintenance
• Ensure security features remain operational
• Ensure appropriate support is available for security related concerns
• Validate and verify inventories
• Ensure changes to configuration of system are reviewed
• Review equipment for vulnerability
• Disposal and Decommission
• Ensure secure erasure/ destruction or recycle
• Ensure inventories are accurately updated to reflect the status of decommissioned equipment
• Guiding principle for media erasure is to ensure that the enemy's cost of recovering the data is higher than the value of the data
Media Destruction
• Specific destruction techniques include
• Physically breaking the media apart
• Chemically altering the media into non readable state
• Phase transition
• For magnetic media, raising its temperature above the Curie temperature
• Crypto-erasure can be used in SSDs to sanitize the data
Safes
• Wall safe: Embedded into wall and easily hidden
• Floor safe: Embedded into floor and easily hidden
• Chests: Stand-alone safes
• Depositories: Safes with slots that allow valuables to be easily slipped in
• Vaults: Large enough to provide walk-in access
Data Leakage Prevention
• Comprises actions that organizations take to prevent unauthorized external parties from
gaining access to sensitive data
• DLP is concerned with external parties
• DLP should be integrated as part of Risk Management Approach
• DLP technology determination aspects
• Sensitive data awareness
• Policy engine
• Interoperability
• Accuracy (most critical)
DLP Approach
Data Inventory
• Identify the data
• Classify the data
Data Flows
• Plot the data flow over the lifecycle
Data Protection Strategy
• Perform Risk Assessment
• Determine the DLP Solution
Implementation, Testing and Tuning
• Test for false positive, false negative
• Misuse cases prioritization and testing
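The testing and tuning step, as an added example that is not part of the original slides: a naive and a tuned content rule for US Social Security numbers are scored against a small labelled corpus. The rule names, the corpus and its labels are constructed assumptions; the tuned rule relies on the fact that area 000, 666 and 900-999, group 00 and serial 0000 are never issued.

```python
import re

# Constructed, labelled test corpus: (text, contains_a_real_ssn)
SAMPLES = [
    ("Employee SSN: 123-45-6789", True),
    ("SSN 451 27 8830 on file", True),             # space-separated form
    ("Applicant id 536227419 verified", True),     # unformatted form
    ("Order ref 000-12-3456 shipped", False),      # area 000 is never issued
    ("Tracking number 9400111899223", False),      # longer digit run
    ("Call 555-01-0000 ext 12", False),            # serial 0000 is never issued
    ("Invoice 987-65-4321 total due", False),      # area 9xx is never issued
    ("Meeting at 10:30 in room 204", False),
    ("Part no. 416-30-5582 in bin 7", False),      # SSN-shaped, but a part number
]

# First-draft rule: any nine digits, or the dashed layout.
NAIVE_RULE = re.compile(r"\d{9}|\d{3}-\d{2}-\d{4}")

# Tuned rule: consistent separator, no digits or dashes touching the match,
# and the never-issued area, group and serial values excluded.
TUNED_RULE = re.compile(
    r"(?<![\d-])(?!000|666|9\d\d)\d{3}([- ]?)(?!00)\d{2}\1(?!0000)\d{4}(?![\d-])"
)


def evaluate(rule, samples=SAMPLES):
    """Return the confusion-matrix counts for one rule over the corpus."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for text, sensitive in samples:
        hit = rule.search(text) is not None
        if hit:
            counts["tp" if sensitive else "fp"] += 1
        else:
            counts["fn" if sensitive else "tn"] += 1
    return counts


def precision_recall(counts):
    """Precision: share of alerts that were right. Recall: share of leaks caught."""
    flagged = counts["tp"] + counts["fp"]
    actual = counts["tp"] + counts["fn"]
    precision = counts["tp"] / flagged if flagged else 0.0
    recall = counts["tp"] / actual if actual else 0.0
    return precision, recall


def misclassified(rule, samples=SAMPLES):
    """List the texts a rule got wrong, for the next tuning round."""
    return [text for text, sensitive in samples
            if (rule.search(text) is not None) != sensitive]


if __name__ == "__main__":
    for name, rule in (("naive", NAIVE_RULE), ("tuned", TUNED_RULE)):
        counts = evaluate(rule)
        print(name, counts, precision_recall(counts), misclassified(rule))
```

The tuned rule still flags the part number: a content pattern alone cannot tell the two apart, so the remaining false positive has to be handled by context in the policy engine.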
Data Protection Strategy Considerations
• Backup and recovery
• Data life cycle
• Physical security
• Security culture
• Privacy
• Organizational change
Network DLP
• Applies DLP to data in motion
• Normally implemented as dedicated appliances at perimeter
• Drawback:
• It will not protect data on devices that are not on the organization network
• Does not have capability to decrypt encrypted tunnels
• High cost forces organizations to deploy only at network choke points instead of
throughout the network
Endpoint DLP
• Applies DLP to data in use and data at rest
• An agent is installed on end-systems
• Allows more degree of protection than NDLP
• Drawback:
• Complexity
• Agent management
• Cost could be much higher than the NDLP
• Unaware of data-in-motion protection violations
Hybrid DLP
• Deploy both EDLP and NDLP
• Costliest and most complex approach
• Offers the best coverage and protection
Mobile Device Protection
• Mechanisms to protect mobile devices are
• Inventory all mobile devices ~ identification
• Harden the mobile OS
• Password protect the BIOS
• Register the device with vendor and get notified if the device is submitted for repair
• Do not check-in as luggage in airport
• Do not leave the device unattended
• Engrave identification mark
• Use slot lock
• Backup data at regular intervals
• Encrypt
• Enable remote wiping
Baselining / Scoping / Tailoring
• Baseline provides a starting point and ensures a minimum security standard
• Scoping refers to reviewing baseline security controls and choosing only
those controls that apply to the IT system to be protected
• Tailoring refers to modifying the list of security controls within a baseline so
that they align with the business mission
• Supplementation involves adding assessment procedures to adequately meet
the risk management needs of the organization
Karthikeyan Dhayalan
MD & Chief Security Partner
www.cyintegriti.com

chapter2-220725121543-2788abac.pdfMahmoudSOLIMAN380726
 
Chapter 2: Data Management Overviews
Chapter 2: Data Management OverviewsChapter 2: Data Management Overviews
Chapter 2: Data Management OverviewsAhmed Alorage
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...Hernan Huwyler, MBA CPA
 
Ray Scott - Agile Solutions – Leading with Test Data Management - EuroSTAR 2012
Ray Scott - Agile Solutions – Leading with Test Data Management - EuroSTAR 2012Ray Scott - Agile Solutions – Leading with Test Data Management - EuroSTAR 2012
Ray Scott - Agile Solutions – Leading with Test Data Management - EuroSTAR 2012TEST Huddle
 
LOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODINGLOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODINGSri Latha
 
7 principles of data quality management
7 principles of data quality management7 principles of data quality management
7 principles of data quality managementMileyJames
 
Data integrity 03.pptx
Data integrity 03.pptxData integrity 03.pptx
Data integrity 03.pptxAyeCS11
 

Similar a CISSP - Chapter 2 - Asset Security (20)

Data Governance Overview - Doreen Christian
Data Governance Overview - Doreen ChristianData Governance Overview - Doreen Christian
Data Governance Overview - Doreen Christian
 
Data governance guide
Data governance guideData governance guide
Data governance guide
 
Lecture 2 - Security Requirments.ppt
Lecture 2 - Security Requirments.pptLecture 2 - Security Requirments.ppt
Lecture 2 - Security Requirments.ppt
 
Data governance guide
Data governance guideData governance guide
Data governance guide
 
chapter7-220725121544-6a1c05a5.pdf
chapter7-220725121544-6a1c05a5.pdfchapter7-220725121544-6a1c05a5.pdf
chapter7-220725121544-6a1c05a5.pdf
 
Chapter 7: Data Security Management
Chapter 7: Data Security ManagementChapter 7: Data Security Management
Chapter 7: Data Security Management
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
 
BI: How Can Your High-Performance BI System Meet Expectations When You Feed I...
BI: How Can Your High-Performance BI System Meet Expectations When You Feed I...BI: How Can Your High-Performance BI System Meet Expectations When You Feed I...
BI: How Can Your High-Performance BI System Meet Expectations When You Feed I...
 
Secuntialesse
SecuntialesseSecuntialesse
Secuntialesse
 
Information security
Information securityInformation security
Information security
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
Data Governance Maturity Levels
Data Governance Maturity LevelsData Governance Maturity Levels
Data Governance Maturity Levels
 
IoT and Data Governance
IoT and Data GovernanceIoT and Data Governance
IoT and Data Governance
 
chapter2-220725121543-2788abac.pdf
chapter2-220725121543-2788abac.pdfchapter2-220725121543-2788abac.pdf
chapter2-220725121543-2788abac.pdf
 
Chapter 2: Data Management Overviews
Chapter 2: Data Management OverviewsChapter 2: Data Management Overviews
Chapter 2: Data Management Overviews
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...
 
Ray Scott - Agile Solutions – Leading with Test Data Management - EuroSTAR 2012
Ray Scott - Agile Solutions – Leading with Test Data Management - EuroSTAR 2012Ray Scott - Agile Solutions – Leading with Test Data Management - EuroSTAR 2012
Ray Scott - Agile Solutions – Leading with Test Data Management - EuroSTAR 2012
 
LOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODINGLOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODING
 
7 principles of data quality management
7 principles of data quality management7 principles of data quality management
7 principles of data quality management
 
Data integrity 03.pptx
Data integrity 03.pptxData integrity 03.pptx
Data integrity 03.pptx
 

Último

Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 

Último (20)

Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 

CISSP - Chapter 2 - Asset Security

  • 2. Information Life Cycle • Data that is combined to form meaning • Information has worth to the organization • Information is either created or copied (predominantly copied) • 4 Phase life cycle • Acquisition • Use • Archival • Disposal
  • 3. Information Life Cycle • Acquisition: • Copied or created • System data and business process data are attached • Information is indexed • Access control on data access implemented • Roll-back capability to be provided • Use: • Presents the most challenge in protection • Controls to ensure internal consistencies • Archival: • Important to decide on the needs for backup and how they are protected • Need to decide on the retention period • Disposal: • Two key aspects • Data is indeed destroyed • It is destroyed correctly • How and where the data is stored is critical for destruction • Data Backup: • Copy of current data set that is used as backup if the original data set is lost • It becomes less useful over time • Data Archive: • Copy of data set that is no longer in use, but retained for use later • Data from original location is destroyed
  • 4. Understanding Sensitive Data • The first step in asset security is to classify and label the asset • What is Sensitive Data? • Any information that is not public or unclassified • Any type of data that an organization places value upon and shall protect or comply with law and regulations • Personally Identifiable Information • Any information that can identify an individual • Race, name, SSN, date, place of birth, biometric, medical, financial, employment information • Protected Health Information • Any health-related information that can be related to an individual • Oral or written information created or received by health care related entities • Relates to past, present or future medical information of an individual • Proprietary Data • Any data that helps an organization to maintain a competitive edge • If lost, it can seriously affect the primary mission of an organization
  • 5. Information Classification • Refers to the practice of differentiating between different types of information assets and providing some guidance as to how they must be protected • It is an ongoing process and not a one-time effort • An important metadata item that should be attached to all information is the classification level • The classification level should always be attached throughout the lifecycle of the information
  • 6. Information Classification • Classification • Identifies the value of the data to the organization • It also identifies how data owners can determine the proper classification, and personnel should protect data based on classification • Classification authority is the one who applies the original classification to the sensitive data • Categorization • Process of determining the impact due to the loss of CIA of information to an organization • Classification and categorization help to set baselines for information systems
  • 7. Information Classification • Information is classified by sensitivity, criticality or both • Sensitivity: • Loss to an organization if the information is released to unauthorized entities • Organizations can lose trust and spend expensive response efforts in remediation • Criticality: • Indicator of how the loss will impact the fundamental business process of the organization • It is that which is required for the organization to continue business
  • 8. Information Classification • Primary Purpose: • Helps indicate the level of confidentiality, integrity and availability protection that is needed for each type of data • Helps ensure data is protected in a most cost effective manner • Each classification should have separate handling requirements and procedures
  • 9. Classification Guidelines • When classifying data, take into consideration • Who has access to data • How the data is secured • How long the data is retained • What methods are used to dispose of the data • Whether the data needs to be encrypted • What use of the data is appropriate • Keep the classification small • Classification should not be restrictive and detail oriented (either) • Each classification should be unique and separate from others; no overlap effects • Should outline how information is controlled and handled through its life cycle
  • 10. Classification Procedure 1. Define Classification Levels 2. Criteria of classification levels 3. Data owners who will be responsible for Classification 4. Data custodians who will be responsible for maintaining data 5. Security controls for each classification level 6. Exception documentation to previous classification issues 7. Methods to transfer data ownership 8. Procedure to periodically review the classification and ownership 9. Declassification procedures 10. Classification awareness to all employees
  • 11. Data Policy • Defines strategic long term goals for data management across all aspects of project or enterprise • High level principles that establish a guiding framework for data management • It should be flexible and dynamic • Should be readily adaptable for unforeseen circumstances, changing projects, potentially opportunistic partnerships while still maintaining its guiding strategic focus
  • 12. Data Policy Definition considerations • Cost: cost of providing access to data vs cost of providing the data • Ownership & Custodianship: who owns the data and who maintains the data • Privacy: what data is private, what data is made public • Liability: how protected the organization is from legal recourse • Sensitivity: what type of data is in question; what is the impact, type and level of threat, vulnerability for the data • Existing Law and Policy Requirements: may have impact on enterprise data policy • Policy & Process: consideration should be given to legal requests for data and policies that may need to be put in place
  • 13. Roles and Responsibilities • Objectives of defining roles and responsibilities • Clearly define roles associated with functions • Establish data ownership throughout the life cycle of the data • Instill data accountability • Ensure adequate, agreed-upon data quality and metadata metrics are maintained on a continuous basis
  • 14. Data Owner • Key aspect of good data management involves identification of information owner • Individual or group that created, acquired or purchased information that supports the mission of the organization • Has legal rights over the data • Ownership implies the right to exploit the data as well as the right to destroy it
  • 15. Data Owner - Responsibilities • Determine the impact the information has on the organization • Understand the replacement cost of the information • Establish the rules of appropriate use and protection of information • Decide who has access to the information and what privilege • Know when the information is inaccurate or no longer needed and should be destroyed • Provide input to system owners regarding security requirements and controls for the information system that hold the data • Assist in identification and assessment of common security controls • Delegates day-to-day maintenance to the data custodian
  • 16. Data Owner - Responsibilities • Data Owner shall establish and document the following • The ownership, IP rights and copyrights for their data • The statutory and non-statutory requirements relevant to their business to ensure the data is compliant • The policies for data security, disclosure, pricing and dissemination • Contracts with users and customers on conditions of use, before the data is released
  • 17. Data Custodian • Data custodian ensures important data sets are developed, maintained and are accessible within their defined specifications. • Best handled by the entity that is most familiar with a dataset's content and its management criteria • Responsibilities include • Adherence to data owner guidelines • Ensure access to appropriate users and maintaining appropriate level of security • Dataset maintenance, including data storage and archival • Dataset documentation, including changes to documentation • Quality Assurance and validation to assure ongoing data integrity
  • 18. System Owner • A person who owns the system processing sensitive information • One system may have multiple information owners • Responsibilities • Develop a system security plan in coordination with information owners • Maintain the plan and ensure it operates according to the agreed security requirements • Ensure system users and support personnel get security training • Update the plan whenever a major change happens • Assist in identification, implementation and assessment of common security controls
  • 19. Other Roles • Security Administrator: • Responsible for maintaining specific security devices • Creating new user accounts, implementing new security software, testing security patches • Has the main focus of keeping the network secure; the network administrator has the main focus of keeping the IT running • Supervisor: • Ultimately responsible for all actions of the users under them • Responsible for making sure access changes are done for user accounts as and when there is a change in user role
  • 20. Other Roles • Data Analyst: • Ensures data is stored in a way that makes more sense to the company • Responsible for architecting a new system that will hold company information or advising on the purchase of a product • Works with data owners to help ensure that the structures set up support business objectives • Change Control Analyst: • Responsible for approving or rejecting requests to make changes to the IT environment • Makes sure certain changes do not introduce new vulnerabilities, have been tested, and are properly rolled out
  • 21. Other roles • Data processor is an individual or organization that processes personal data solely on behalf of data controller • Data Controller is an entity that controls processing of personal data • Users are those who access data to accomplish work tasks. They should have access to only the data they need to perform their work
  • 22. Data Quality • Data Quality determines the fitness for use or potential use of data • 2 factors considered for setting data quality expectations are • Frequency of incorrect data fields or errors • Significance of error within a data field • Errors are more likely to be determined when expectations are clearly documented • 2 keys to improve data quality are • Prevention • Correction • Documentation is key to good data quality • Two types of data documentation • Records what data checks have been done and what changes have been made and by whom • Metadata that records information at the dataset level
  • 23. Data Quality • Data Quality is assessed by applying verification and validation procedures • Helps ensure data is valid and reliable • Verification: • Process of checking the completeness, correctness and compliance of a dataset to ensure the data is what it claims to be • Checks that the digitized data matches the source data • Can be done by personnel who are less familiar with the data • Validation: • Evaluates verified data to determine if data quality goals have been achieved and the reasons for deviation • It follows data verification • Checks that the data makes sense • Requires in-depth knowledge about the data and should be conducted by experienced personnel
  • 24. Data Quality • Quality Control: • Assessment of data quality based on internal standards, processes, and procedures established to control and monitor quality • Quality control procedures monitor and evaluate the resulting products • Quality Assurance: • Assessment of quality based on standards external to the process and involves reviewing of activities and QC processes to ensure final product meets predetermined quality standard • Maintains quality throughout all stages of data development
  • 25. Quality Control and Assurance • QA/QC are designed to prevent data contamination due to two fundamental types of errors • Errors of omission • Insufficient documentation of legitimate data values • They are harder to detect and correct • Can be revealed by rigorous QC procedures • Errors of commission • Caused by data entry, transcription or malfunctioning equipment • This is common, fairly easy to identify and effectively reduced by QA measures in data acquisition process as well as QC procedures after the data has been acquired
  • 26. Stage of Data Management Process • Capture/Collect • Digitization • Storage • Analysis • Presentation • Use
  • 27. Data Documentation • It is critical to ensure datasets are usable well into the future • The first step in the data management process is to enter data into an electronic system • Objectives of data documentation are • Ensure the longevity of the data and their re-use for multiple purposes • Ensures data users understand the context and limitations of datasets • Facilitate discovery of datasets • Facilitate interoperability of datasets and data exchange
  • 28. Dataset titles and filenames • Titles and filenames should be descriptive • Should reflect the contents of the file and include enough information to uniquely identify the data file • Filename should be provided in the first line of the header rows in the file itself • Names should only contain numbers, letters, dashes and underscores • Lowercase is less software and platform dependent, and hence is preferable • File name should not be more than 64 characters • Versioning and file creation date will help the user know if they are using the correct file
  • 29. Metadata • Definition: Set of data that gives information about other data • Three types of metadata: • Descriptive metadata: • Describes a resource for discovery and identification • title, keyword, tag, author • Structural metadata: • Facilitates navigation and presentation of electronic information; provides information about internal structure; binds related files • TOC, index, chapters, title page • Administrative metadata: • Provides information to help manage a resource • Filetype, who created, when it was created
  • 30. Data Standard • Rules by which data are described and recorded • When adopting a standard, adopt a minimally complex standard that addresses the largest audience • Benefits of data standard • More efficient data management • Increased data sharing • Higher data quality • Improved data consistency • Increased data integration • Better understanding of the data • Improved documentation of information resources
  • 31. Data Lifecycle Control • Data management includes • Data specification and modeling • Database maintenance and security • Ongoing Audit • Archiving
  • 32. Data Specification and Modelling • Successful database planning requires thorough user requirements analysis followed by data modelling • Data modelling is the methodology that identifies the path to meet user requirements • Data modelling should be iterative and interactive • Data model consists of written documentation of the concepts to be stored in the database, their relationships, and a diagram showing those concepts and their relationships • Data model is the tool to help the design and program teams understand the nature of information to be stored • Data model helps in communication between data content experts specifying what the databases need to do and database developers who are building the database
  • 33. Database maintenance • Technology obsolescence is a significant cause for information loss • Major changes to hardware/software should be noticed and data should be migrated to newer platforms • Data should be stored in formats that are independent of specific platform or software • Versioning should be used in multi-user environments • Database management requires day-to-day system administration
  • 34. Data Audit • Data audit process involves: • Identifying the information needs of the organization and assigning a level of strategic importance • Identifying the resources and services currently provided to meet those needs • Benefits of data audit are: • Awareness of data holdings • Promote capacity planning • Facilitate data sharing and reuse • Monitor data holding and avoid data leaks • Recognition of data management practices • Promote efficient use of resources and improved workflows • Increase ability to manage risks • Enable the development/refinement of data strategy
  • 35. Data Retention • Data Retention Guidelines • Involve all stakeholders in the process of aligning the business and legal requirements for the data retention policies • Establish common objectives for supporting archiving and data retention best practices • Monitor, review and update documented data retention policies and archiving procedures • Data retention policy should outline • The classification of records • Retention and destruction schedules • Parties responsible for retention and destruction • Procedures used for destruction • Training • Policy should answer the following questions • What data is stored? • How long is it stored? • Where is it stored?
  • 36. Data Retention • For retained data to be useful, it should be accessible. Consider the following issues for data accessibility • Taxonomy: • Scheme for classifying the data; could be functional, chronological, or a combination of categories • Classification: • Sensitivity determines the controls we put in place during the lifecycle of the data • Normalization: • Data comes in many formats; storing the data in its original format may render it inaccessible later in time; it's prudent to tag data sets to ensure searchability and accessibility • Indexing: • Indexing archived data for future searches
  • 37. e-Discovery • Process of producing for a court or external attorney all ESI (Electronically Stored Information) pertinent to a legal proceeding • 8 Step Electronic Discovery Reference Model (EDRM) • Identification • Preservation • Collection • Process • Review • Analyze • Production • Presentation
  • 38. Managing Sensitive Data • Marking (Labeling) • Ensures users can easily identify the classification of the data • It also includes digital marks or labels • An asset handling data of different classifications should be marked with the highest classification it handles • When media is found without a label, it should be labeled with the highest level of sensitivity until appropriate analysis is done • Handling • Refers to secure transport of media through its lifetime • Policies and procedures should be in place to ensure people understand how to handle sensitive data • Encryption is the obvious choice for protecting sensitive data at rest
  • 39. Data at rest • Three broad categories of encryption tools for data at rest • Self-encrypting USB Drives: • USB drives embed encryption algorithms within the hard drive • Everything in the drive is automatically encrypted • Files moving out of the drive are in decrypted state • Media Encryption Software: • Software used to encrypt the media • Flexibility of software allows encrypting various storage media types • Has the same problem as above: files outside the drive remain unencrypted • File Encryption Software: • Allows greater flexibility in encrypting specific files • Since encryption is applied at file level, the file stays encrypted irrespective of the media it is stored on
  • 40. Data in Transit • Mechanisms to ensure the content of a message is protected even if the message itself is intercepted • Link encryption • Performed by service providers • Encrypts all data, including routing data, along a communications path • Communications nodes need to decrypt data in order to continue routing • It provides traffic confidentiality better than end-to-end encryption • Prevents inference attack • End to End Encryption • Generally performed by end user • Encrypted at the start of the communication channel • Routing information remains visible
  • 41. Data in Use • Data residing in primary storage devices ~ Volatile memory (registers, memory cache, RAM) • Data in use generally cannot be protected by encryption • Attacks • Side Channel Attack: exploits information flow that is the electronic byproduct of a process (like encryption) • Data in use can be protected by • Ensuring software is tested against these attacks • Secure development process
  • 42. Data Remanence • Data remanence is the data that remains on the hard drive as residual magnetic flux or after erasing • Data remanence in HDD is caused by the failure of the method used to clean the HDD • Commonly used methods to address data remanence are • Erasing • Simple deletion process; does not remove the files, but only removes the catalog reference • Anyone can typically retrieve the data using widely available tools
  • 43. Data Remanence • Clearing (overwriting/wiping/shredding) • Process of preparing media for reuse with assurance that cleared data cannot be retrieved using traditional recovery means • Unclassified data is written over all addressable locations on the media • Data recovery requires special laboratory techniques • Some media types don’t respond well to clearing • Purging • More intense form of clearing – repeats the clearing process multiple times • Provides assurance that data cannot be recovered using any known means • It can be combined with other means like degaussing to completely remove data
  • 44. Data Remanence • Declassification • Any process that purges media or system in order for reuse in unclassified environment • Sanitization • Combination of processes that ensures data is removed from the system • It ensures data cannot be recovered by any means • Includes ensuring non-volatile memory is erased, external drives removed and sanitized • Degaussing • Generates heavy magnetic fields which realign the magnetic fields in magnetic media; only effective on magnetic media (does not affect CD/DVD/SSD) • AC erasure – medium is degaussed by applying an alternating field that is reduced in amplitude over time • DC erasure – medium is saturated by applying a unidirectional field
  • 45. Asset Management • Asset management is the foundation for Information Security • Inventory management deals with what assets are there, where they reside and who owns them • Configuration management adds a relationship dynamic relating the other items in the inventory • IT Asset Management (ITAM) introduces financial aspects of the asset – cost, value and contractual status • ITAM also refers to full lifecycle management of the asset • ITAM is designed to manage the physical, contractual and financial aspects of the asset
  • 46. Asset Management Enablers • A single, centralized, relational repository • Organizational alignment and defined process • Scalable technologies and infrastructure
  • 47. Equipment Lifecycle • All equipment has a useful life; it is depreciated over time or when it is no longer capable of performing its tasks • Common Lifecycle tasks • Defining Requirements • Ensure relevant security requirements are included • Ensure appropriate costs have been allocated for security • Ensure new equipment requirements fit into the organizational security architecture • Acquiring and Implementing • Validate security features are included as specified • Ensure additional security configurations are applied • Ensure security certification or accreditation process is followed • Ensure equipment is inventoried
  • 48. Equipment Lifecycle • Operations and Maintenance • Ensure security features remain operational • Ensure appropriate support is available for security related concerns • Validate and verify inventories • Ensure changes to configuration of system are reviewed • Review equipment for vulnerability • Disposal and Decommission • Ensure secure erasure/destruction or recycling • Ensure inventories are accurately updated to reflect the status of decommissioned equipment • Guiding principle for media erasure is to ensure that the enemy's cost of recovering the data is higher than the value of the data
  • 49. Media Destruction • Specific destruction techniques include • Physically breaking the media apart • Chemically altering the media into a non-readable state • Phase transition • For magnetic media, raising its temperature above the Curie temperature • Crypto-erasure can be used in SSDs to sanitize the data
  • 50. Safes • Wall safe: Embedded into wall and easily hidden • Floor safe: Embedded into floor and easily hidden • Chests: Stand-alone safes • Depositories: Safes with slots that allow valuables to be easily slipped in • Vaults: Large enough to provide walk-in access
  • 51. Data Leakage Prevention • Comprises actions that organizations take to prevent unauthorized external parties from gaining access to sensitive data • DLP is concerned with external parties • DLP should be integrated as part of Risk Management Approach • DLP technology determination aspects • Sensitive data awareness • Policy engine • Interoperability • Accuracy (most critical)
  • 52. DLP Approach • Data Inventory • Identify the data • Classify the data • Data Flows • Plot the data flow over the lifecycle • Data Protection Strategy • Perform Risk Assessment • Determine the DLP Solution • Implementation, Testing and Tuning • Test for false positive, false negative • Misuse cases prioritization and testing
  • 53. Data Protection Strategy Considerations • Backup and recovery • Data life cycle • Physical security • Security culture • Privacy • Organizational change
  • 54. Network DLP • Applies DLP to data in motion • Normally implemented as dedicated appliances at perimeter • Drawback: • It will not protect data on devices that are not on the organization network • Does not have capability to decrypt encrypted tunnels • High cost forces organizations to deploy only at network choke points instead of throughout the network
  • 55. Endpoint DLP • Applies DLP to data in use and data at rest • An agent is installed on end-systems • Allows a greater degree of protection than NDLP • Drawback: • Complexity • Agent management • Cost could be much higher than the NDLP • Unaware of data-in-motion protection violations
  • 56. Hybrid DLP • Deploy both EDLP and NDLP • Costliest and most complex approach • Offers the best coverage and protection
  • 57. Mobile Device Protection • Mechanisms to protect mobile devices are • Inventory all mobile devices ~ identification • Harden the mobile OS • Password protect the BIOS • Register the device with the vendor and get notified if the device is submitted for repair • Do not check in as luggage at the airport • Do not leave the device unattended • Engrave identification mark • Use slot lock • Backup data at regular intervals • Encrypt • Enable remote wiping
  • 58. Baselining / Scoping / Tailoring • Baseline provides a starting point and ensures a minimum security standard • Scoping refers to reviewing baseline security controls and choosing only those controls that apply to the IT system to be protected • Tailoring refers to modifying the list of security controls within a baseline so that they align with the business mission • Supplementation involves adding assessment procedures to adequately meet the risk management needs of the organization
  • 59. Karthikeyan Dhayalan MD & Chief Security Partner www.cyintegriti.com
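
The tuning step from slides 51 and 52 (accuracy as the most critical DLP criterion, tested through false positives and false negatives), as an added example that is not part of the original deck. The corpus is constructed, the two card numbers are publicly documented test numbers, and the rule names `naive_rule` and `tuned_rule` are hypothetical.

```python
import re

# Constructed, labelled test corpus: (message, contains_card_number).
# The card numbers are publicly documented test numbers, not real accounts.
CORPUS = [
    ("Invoice paid with card 4111111111111111, thanks", True),
    ("Card on file: 5555-5555-5555-4444", True),
    ("Customer read out 4111 1111 1111 1111 by phone", True),
    ("Tracking id 1234567890123456 shipped today", False),
    ("Build 2024010112345678 passed all checks", False),
    ("Quarterly report attached, no account data", False),
]

NAIVE = re.compile(r"\b\d{16}\b")                  # contiguous digits only
TUNED = re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b")  # also space/dash groups


def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def naive_rule(text: str) -> bool:
    """Hypothetical first-draft policy: any 16-digit run is a card number."""
    return NAIVE.search(text) is not None


def tuned_rule(text: str) -> bool:
    """Hypothetical tuned policy: grouped digits that also pass Luhn."""
    return any(luhn_ok(re.sub(r"[ -]", "", m.group()))
               for m in TUNED.finditer(text))


def evaluate(rule, corpus=CORPUS) -> dict:
    """Count true/false positives and negatives for one rule."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for text, sensitive in corpus:
        flagged = rule(text)
        counts[("t" if flagged == sensitive else "f") + ("p" if flagged else "n")] += 1
    return counts


if __name__ == "__main__":
    for rule in (naive_rule, tuned_rule):
        print(rule.__name__, evaluate(rule))
```

The naive rule both over-blocks (order and build identifiers) and misses formatted numbers; widening the pattern while adding checksum validation removes both error types on this corpus.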

Editor's notes

  1. How presentation will benefit audience: Adult learners are more interested in a subject if they know how or why it is important to them. Presenter’s level of expertise in the subject: Briefly state your credentials in this area, or explain why participants should listen to you.