Domain 2: Asset Security
Data Security Controls
When preparing for your CISSP exam, the primary areas to focus on include Marking, Labeling, Handling, and Classification, with Classification taking precedence.
- Security Control Baseline: This is a standard set of controls that an organization can implement as a foundational security measure. For example, a company may use a set of security control baselines for data handling that includes principles of access control, data encryption, and regular security audits.
- Data Handling: This pertains to the effective management and control of data, adopting a systematic chain of custody. Picture it like shopping: you wouldn't open boxes without understanding their contents or source.
- Data Destruction: This involves securely eliminating unclassified data using methods such as erasing, clearing, and overwriting when the data is no longer in use.
- Record Retention: Be mindful of specific policies stipulating the retention period for records. For instance, if a record has a life span of 1 year, it must be securely eliminated once it outlives this period.
- Tape Backup Security: While this may surface as a legacy topic, the concept is important. Establishing a secure facility and correctly labeling tapes ensures a universal understanding of data classification.
Data Destruction Methods
- Erasing: This is an action performed to remove a file or a group of files from media. However, this method isn't the most secure, as it leaves residual data that can potentially be recovered by data recovery tools.
- Clearing (Overwriting): This method prepares the media for reuse, making sure that data cannot be recovered with regular recovery tools.
- Purging: This is a more rigorous form of clearing, ensuring media is safe for reuse even in less secure environments.
The US government doesn't recognize purging or clearing as acceptable methods for reusing media classified as top secret.
- Degaussing: This technique uses a strong magnetic field to erase data on certain media.
- Destruction: This is the final and most secure stage of sanitizing media. Methods of destruction include incinerating, crushing, shredding, and dissolving.
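To make the difference between erasing, clearing and purging concrete, here is an added example (not part of these notes) using a simplified in-memory model of a disk: a file table plus fixed-size blocks. Erasing removes only the file-table entry, clearing overwrites the blocks once, and purging is modelled as several overwrite passes with random data. The `recover` method plays the role of a recovery tool that scans the raw blocks and ignores the file table. The file names, contents and block size are constructed sample values.

```python
"""Simulated storage device showing why erasing is not sanitization.

Added example, not from the original notes. SimDisk models a tiny device
with a file table and fixed-size blocks; the three sanitization methods
map onto erase(), clear() and purge(). All data is constructed.
"""
import os

BLOCK_SIZE = 16  # constructed: small so a short record spans two blocks


class SimDisk:
    def __init__(self, n_blocks=8):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.table = {}                      # filename -> list of block indexes
        self.free = list(range(n_blocks))    # blocks available for allocation

    def write(self, name, data: bytes):
        """Allocate blocks from the free list and store the data in them."""
        needed = -(-len(data) // BLOCK_SIZE)   # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        idx = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(idx):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[b] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.table[name] = idx

    def erase(self, name):
        """Ordinary delete: forget the mapping, leave the bytes in place."""
        self.free.extend(self.table.pop(name))

    def clear(self, name, pattern=b"\0"):
        """Overwrite the file's blocks once with a fixed pattern, then release them."""
        for b in self.table[name]:
            self.blocks[b] = pattern * BLOCK_SIZE
        self.erase(name)

    def purge(self, name, passes=3):
        """More rigorous clearing: several passes of random data before release."""
        for _ in range(passes):
            for b in self.table[name]:
                self.blocks[b] = os.urandom(BLOCK_SIZE)
        self.erase(name)

    def recover(self, marker: bytes) -> bool:
        """A recovery tool: scan every raw block, ignoring the file table."""
        return marker in b"".join(self.blocks)


def demo(method: str) -> bool:
    """Write a constructed sensitive record, sanitize it with `method`,
    write an unrelated file, then ask whether the record is still recoverable."""
    record = b"SSN=123-45-6789 salary=90000"   # constructed sample data
    disk = SimDisk()
    disk.write("payroll.txt", record)
    getattr(disk, method)("payroll.txt")
    disk.write("notes.txt", b"hello")            # reuse of freed space is not guaranteed
    return disk.recover(b"SSN=123-45-6789")


if __name__ == "__main__":
    for method in ("erase", "clear", "purge"):
        print(f"{method:6s} -> recoverable: {demo(method)}")
```

Only `erase` leaves the record recoverable; both `clear` and `purge` destroy it in this model. The point the notes make about top secret media still stands: on real hardware (wear-levelled flash, remapped sectors, magnetic remanence) an overwrite pass may not reach every physical location, which is why degaussing or physical destruction is required for the highest classifications.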
For the exam, understand the legal implications of retaining data longer than necessary.
Data Classification
When discussing data protection, it's essential to note that confidentiality is frequently maintained through encryption. For an in-depth understanding of this, please refer to Chapter 3 - Cryptography Drill-down.
Understanding the different levels of data classification is crucial. Here, I'll break down the classification system and provide examples for each category:
| Data Class | Government Label | Public Label | Example |
|---|---|---|---|
| Class 0 | Unclassified | Public | Weather forecasts, public demographic data |
| Class 1 | Confidential | Sensitive | Internal policy documents, employee data |
| Class 2 | Secret | Private | Business strategies, undisclosed financials |
| Class 3 | Top Secret | Confidential/Proprietary | Boeing's proprietary information about jets |
Each class represents an increasing level of sensitivity and potential harm if improperly disclosed. Understanding these classifications is crucial for effectively managing and protecting data.
Also consider sensitive but unclassified data, covered more in Domain 3 (link)
Asset Classifications & Defining Sensitive Data
- Asset Classifications: Assets should typically be classified in a manner that aligns with data classifications. This ensures a consistent level of protection across all types of assets within an organization.
- Defining Sensitive Data: Sensitive data is non-public data: any information that isn't readily available to the public or that doesn't fall under the unclassified category. It generally falls into two categories, which you should be familiar with:
- Personally Identifiable Information (PII): This refers to any information that can identify an individual, such as name, Social Security Number (SSN), date and place of birth, biometric records, etc.
- Protected Health Information (PHI): This type of data refers to any health-related information that can be tied to a specific person. It is protected under the Health Insurance Portability and Accountability Act (HIPAA). For more information on HIPAA, please refer to Domain 1 [provide link here].
Data Ownership Roles
- Data Owner: Typically, a member of senior management is assigned this role. While they may delegate daily operations, they can't abdicate overall responsibility. They are the decision-makers regarding the necessary controls for the data.
- Data Custodian: This role is usually assigned to a member of the IT department. Their primary responsibility is to implement the data controls defined by the data owner. While they don't decide what controls are needed, they ensure these controls are in place.
The Data Owner determines what needs to happen, and the Data Custodian is responsible for making it happen.
Additional Roles in Data Security
Besides the roles of data owner and data custodian, there are several other roles essential to data security. These include:
- Data Administrators: These individuals are responsible for granting appropriate access to personnel. This is often carried out via Role-Based Access Control (RBAC), a method of restricting network access based on the roles of individual users within an organization. This approach allows users to have access rights only to the information they need to perform their jobs.
- Users: These are individuals who access data via a computing system to accomplish work tasks. They could be employees, contractors, or even customers, depending on the context.
- Business/Mission Owners: This role can sometimes overlap with the system owner role. The business/mission owner is typically a high-level executive who has financial and operational responsibility for specific information assets that support key organizational missions or business functions. They are accountable for aligning security controls with the organization's risk tolerance level and ensuring that risks are appropriately managed.
- Asset Owners: These individuals or entities own the assets or systems that process sensitive data. They are responsible for the security plans associated with those assets. This might include physical assets like hardware, or it could refer to software and data assets.
Understanding the interplay between these roles is a critical aspect of managing and securing data within an organization.
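The data administrator's job of granting access through Role-Based Access Control can be shown in a few lines. The following is an added example, not code from these notes or from any real product: users are assigned roles, roles carry permissions on resources, and every access decision is deny-by-default and logged together with the roles that justified it. The roles, users and resources are constructed sample data.

```python
"""Minimal role-based access control (RBAC) decision and administration.

Added example, not from the original notes. Users never hold permissions
directly; a data administrator assigns roles, and the check resolves
user -> roles -> permissions. All names below are constructed.
"""

# Permissions a role carries, as (resource, action) pairs. Constructed sample data.
ROLE_PERMISSIONS = {
    "hr_analyst": {("employee_records", "read")},
    "hr_manager": {("employee_records", "read"), ("employee_records", "write")},
    "finance_analyst": {("financials", "read")},
    "auditor": {("employee_records", "read"), ("financials", "read")},
}

# Role assignments per user. Constructed sample data.
USER_ROLES = {
    "alice": {"hr_analyst"},
    "bob": {"finance_analyst", "auditor"},
    "carol": set(),            # newly onboarded: no role, therefore no access
}


def permissions_for(user: str) -> set:
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: str, resource: str, action: str) -> bool:
    """Deny by default: allow only if some assigned role grants (resource, action)."""
    return (resource, action) in permissions_for(user)


def grant_role(user: str, role: str) -> None:
    """Data-administrator operation: assign a role; only defined roles may be granted."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    USER_ROLES.setdefault(user, set()).add(role)


def revoke_role(user: str, role: str) -> None:
    """Data-administrator operation: remove a role (no error if it was not held)."""
    USER_ROLES.get(user, set()).discard(role)


def access_log_line(user: str, resource: str, action: str) -> str:
    """Audit record that ties each decision to the roles in effect at the time."""
    decision = "ALLOW" if is_allowed(user, resource, action) else "DENY"
    roles = ",".join(sorted(USER_ROLES.get(user, set()))) or "-"
    return f"{decision} user={user} roles={roles} resource={resource} action={action}"


if __name__ == "__main__":
    print(access_log_line("alice", "employee_records", "read"))
    print(access_log_line("alice", "employee_records", "write"))
    grant_role("carol", "hr_manager")
    print(access_log_line("carol", "employee_records", "write"))
    revoke_role("carol", "hr_manager")
    print(access_log_line("carol", "employee_records", "write"))
```

Because the decision is derived from roles at request time, revoking a role takes effect immediately and the log line records which roles justified an ALLOW, which is what an auditor needs when reviewing whether access matched job function.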
GDPR Terms and Requirements
When preparing for your CISSP exam, it's essential to familiarize yourself with terms and requirements associated with the General Data Protection Regulation (GDPR). Here are a few key roles and concepts:
- Data Processor: A data processor is a natural or legal person, public authority, agency, or other body that processes personal data solely on behalf of the data controller. It can be an individual, a government body, or an organization. For example, a cloud service provider storing personal data on behalf of a client could be considered a data processor.
- Data Controller: The data controller is the person or entity that determines the purposes and means of processing personal data. For example, a retail company that collects and manages customer data for its marketing campaigns would be a data controller.
- Data Transfer: GDPR restricts data transfers to countries outside of the European Union to ensure that the level of protection of individuals afforded by GDPR is not undermined. For example, if a German company has a subsidiary in a country outside the EU and wants to share customer data with it, they must ensure that the transfer complies with GDPR's data transfer rules, which may involve using specific legal mechanisms like Standard Contractual Clauses or ensuring the receiving country has an adequacy decision from the EU Commission.
Reducing GDPR Exposure
- Anonymization: This is the process of stripping all identifying information from data, making it impossible to link the data back to the original subject or person. For example, IP addresses can be logged as 150.150.150.X, removing the final octet to prevent identification. If anonymization is executed correctly, GDPR no longer applies to the anonymized data. However, remember that this method is only beneficial if you don't need the identifying information. It could complicate matters such as banning individuals who are abusing your service.
- Pseudonymization: This method involves using pseudonyms or aliases to represent the data. While this method may still require adherence to GDPR (though the requirements are lessened), there have been instances where pseudonymization has been reverse-engineered, resulting in non-compliance with GDPR. Therefore, pseudonymization should be carefully executed to ensure robust data protection.
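The two techniques above, as an added example that is not part of these notes: the `150.150.150.X` truncation from the anonymization bullet is implemented for IPv4 and extended to IPv6, and two pseudonymization schemes are contrasted. An unkeyed hash of an address looks opaque, but because the address space is small the pseudonym can be linked back to the address by trying candidates, which is the kind of reversal that leaves the data inside GDPR's scope. A keyed HMAC pseudonym is consistent per address (so abusive clients can still be tracked and banned) yet cannot be linked back without the secret key. The addresses, log lines and key are constructed sample values; `match_back` is a self-check a data protection team can run against its own scheme, not a tool from any product.

```python
"""Anonymization vs. pseudonymization of client IP addresses.

Added example, not from the original notes. All addresses, log lines and
the key are constructed. `match_back` tests whether a pseudonymization
scheme survives candidate enumeration over a small address space.
"""
import hashlib
import hmac
import ipaddress

# Constructed secret; in practice this is generated and kept in a secrets store.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"

# Constructed sample access-log lines: "<timestamp> <client ip> <request>".
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 150.150.150.37 GET /account",
    "2024-05-01T10:00:02Z 2001:db8:1234:5678::9 POST /login",
]


def anonymize_ip(addr: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Drop the host bits so the value identifies a network, not a subscriber.
    150.150.150.37 -> 150.150.150.0/24 (the notes write this as 150.150.150.X)."""
    ip = ipaddress.ip_address(addr)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def anonymize_log_line(line: str) -> str:
    """Rewrite the client address field of one log line; the rest is unchanged."""
    ts, ip, rest = line.split(" ", 2)
    return f"{ts} {anonymize_ip(ip)} {rest}"


def naive_pseudonym(addr: str) -> str:
    """Unkeyed SHA-256 of the address. Opaque-looking but enumerable."""
    return hashlib.sha256(addr.encode()).hexdigest()


def keyed_pseudonym(addr: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 under a secret key: stable per address, unlinkable without the key."""
    return hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()


def match_back(pseudonym: str, candidate_network: str, pseudonym_fn):
    """Self-check: can `pseudonym` be linked to an address in `candidate_network`
    by recomputing `pseudonym_fn` for every candidate? Returns the address or None."""
    for candidate in ipaddress.ip_network(candidate_network):
        if hmac.compare_digest(pseudonym_fn(str(candidate)), pseudonym):
            return str(candidate)
    return None


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(anonymize_log_line(line))
    target = "150.150.150.37"
    # Unkeyed hash: the whole /16 is only 65,536 candidates, so it links back.
    print("naive :", match_back(naive_pseudonym(target), "150.150.0.0/16", naive_pseudonym))
    # Keyed HMAC: without the key the enumeration finds nothing.
    print("keyed :", match_back(keyed_pseudonym(target), "150.150.0.0/16", naive_pseudonym))
```

Anonymized output keeps no per-client identifier at all, which is why it falls outside GDPR but also why it cannot support per-client blocking. The keyed pseudonym keeps that capability, so the key itself becomes the thing to protect: whoever holds it can re-identify every record, and the data therefore remains personal data under GDPR.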
GDPR requires notification of a data breach within 72 hours of becoming aware of the breach.