DAN CISSP NOTES - 2018

Paper Records
Here are some principles to consider when protecting paper
records:
• Educate your staff on proper handling of paper records.
• Minimize the use of paper records.
• Ensure workspaces are kept tidy.
• Lock away all sensitive paperwork as soon as you are done
with it.
• Prohibit taking sensitive paperwork home.
• Label all paperwork with its classification level.
• Conduct random searches of employees’ bags as they leave
the office to ensure sensitive materials are not being taken
home.
If a safe has a thermal relocking function, when a certain
temperature is met (possibly from drilling), an extra lock is
implemented to ensure the valuables are properly protected.
Data Leakage
Data Leak Prevention (DLP)
Data leak prevention (DLP) comprises the actions that
organizations take to prevent unauthorized external parties
from gaining access to sensitive data.
That definition has some key terms. First, the data has to be
considered sensitive (not all data will be protected). Second,
DLP is concerned with external parties. If somebody in the
accounting department gains access to internal R&D data, that
is a problem, but technically it is not considered a data leak.
DLP policy server to update policies and report events.
that is difficult for attackers to exploit.)
Hybrid DLP deploys both NDLP and EDLP.
15
Obviously, this approach is the costliest and most complex.
Watermarking
Watermarking is the practice of embedding an image or pattern
in paper that isn’t readily perceivable. It is often used with
currency to thwart counterfeiting attempts.

• Destroy unneeded sensitive papers using a crosscut
shredder. For very sensitive papers, consider burning them
instead.
Safes
The types of safes an organization can choose from are:
• Wall safe Embedded into the wall and easily hidden.
• Floor safe Embedded into the floor and easily hidden
• Chests Stand-alone safes.
• Depositories Safes with slots, which allow the valuables to be
easily slipped in.
• Vaults Safes that are large enough to provide walk-in access
If a safe has a combination lock, it should be changed
periodically, and only a small subset of people should have
access to the combination or key.
The safe should be in a visible location, so anyone who is
interacting with the safe can be seen.
If the safe has a passive relocking function, it can detect when
someone attempts to tamper with it.
Way to Domain#3
Finally, the external party gaining access to our sensitive data
must be unauthorized to do so. If former business partners
have some of our sensitive data that they were authorized to
get at the time they were employed, then that is not considered
a leak either.
General Approaches to DLP
There is no one-size-fits-all approach to DLP, but there are
tried-and-true principles that can be helpful.
One important principle is the integration of DLP with our risk
management processes.
DLP products has two main approaches:
Network DLP applies data protection policies to data in motion.
NDLP products are normally implemented as appliances that
are deployed at the perimeter of an organization’s networks.
Endpoint DLP applies protection policies to data at rest and
data in use.
EDLP is implemented in software running on each protected
endpoint (usually called a DLP agent, communicates with the
Advance and Protect The Profession