Isc2 Cissp 2 6 1 Data Security Controls & Compliance Requirements
Objectives:
Understand and apply the recommended guidance on aligning data security
controls with compliance requirements in your daily practice as an
information security professional.
External Resources:
=====================================================
3 states of data:
a. at rest (storage)
b. in motion (transit / on the wire)
c. in use (application)
Link encryption encrypts all of the data along a specific communication path,
such as a satellite link, T3 line, or telephone circuit. Not only is the user
information encrypted, but the headers, trailers, addresses, and routing data
that are part of the packets are encrypted as well. The only traffic left
unencrypted is the data link control messaging information, which includes the
instructions and parameters the link devices use to synchronize their
communication methods. Link encryption protects against packet sniffers and
eavesdroppers on the link itself. The caveat: every intermediate device on the
path must decrypt the whole packet to read the routing information, so the data
is in plaintext inside each hop and every hop must be trusted and keyed. End-to-
end encryption, by contrast, leaves the headers readable and encrypts only the
user data, so intermediate nodes never see the payload.
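The hop-by-hop behaviour described above is easiest to see in code. The following is an added example, not part of these notes: it simulates a three-node path A -> B -> C and records what each node and each link can read under link encryption versus end-to-end encryption. The node names, keys and payload are made up, and the cipher is a toy SHA-256 keystream XOR used only so the script runs on the Python standard library; it is not a real cipher and provides no security argument.

```python
"""Link encryption vs. end-to-end encryption over a three-node path A -> B -> C.

Added example, not part of the original notes. To stay standard-library
only, the cipher is a toy SHA-256 keystream XOR: it shows WHICH bytes are
readable where, and is not a real cipher (no authentication, no security
argument). Node names, keys and the packet payload are made up.
"""
import hashlib
import os

HEADER_LEN = 16   # fixed-width routing header, e.g. b"SRC=A;DST=C;    "
NONCE_LEN = 8


def toy_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256-derived keystream; encrypt == decrypt.
    Toy construction for illustration only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt with a fresh random nonce prepended to the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + toy_xor(key, nonce, data)


def unseal(key: bytes, blob: bytes) -> bytes:
    return toy_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def make_packet(src: str, dst: str, payload: bytes) -> bytes:
    header = f"SRC={src};DST={dst};".encode()
    assert len(header) <= HEADER_LEN, "header too long for the fixed field"
    return header.ljust(HEADER_LEN, b" ") + payload


def route_link_encrypted(packet: bytes, path: list, link_keys: dict) -> dict:
    """Link encryption: every link encrypts the WHOLE packet, header
    included, under the key shared by its two endpoints. Each intermediate
    node must decrypt everything to read the header, so the payload is in
    plaintext inside every hop."""
    seen, wire = {}, {}   # plaintext readable at each node / bytes on each link
    current = packet
    for hop_from, hop_to in zip(path, path[1:]):
        key = link_keys[(hop_from, hop_to)]
        blob = seal(key, current)
        wire[(hop_from, hop_to)] = blob
        current = unseal(key, blob)   # hop_to recovers header AND payload
        seen[hop_to] = current
    return {"seen": seen, "wire": wire, "delivered": current}


def route_end_to_end(packet: bytes, path: list, session_key: bytes) -> dict:
    """End-to-end encryption: only the payload is encrypted, under a key
    known to the two endpoints. The header stays readable so every node
    can forward, and no intermediate node ever sees the payload."""
    header, payload = packet[:HEADER_LEN], packet[HEADER_LEN:]
    sealed = header + seal(session_key, payload)
    seen, wire = {}, {}
    for hop_from, hop_to in zip(path, path[1:]):
        wire[(hop_from, hop_to)] = sealed
        seen[hop_to] = sealed         # readable without the session key
    delivered = header + unseal(session_key, sealed[HEADER_LEN:])
    return {"seen": seen, "wire": wire, "delivered": delivered}


if __name__ == "__main__":
    path = ["A", "B", "C"]
    link_keys = {("A", "B"): b"link-key-AB", ("B", "C"): b"link-key-BC"}
    pkt = make_packet("A", "C", b"card=4111111111111111")  # constructed payload

    link = route_link_encrypted(pkt, path, link_keys)
    e2e = route_end_to_end(pkt, path, b"session-key-AC")
    print("link encryption, node B reads :", link["seen"]["B"])
    print("link encryption, wire A->B    :", link["wire"][("A", "B")].hex()[:32], "...")
    print("end-to-end, node B reads      :", e2e["seen"]["B"])
```

Run it and compare: under link encryption the A->B wire shows neither header nor payload, but node B reads the full plaintext after decrypting; under end-to-end encryption the header is visible on every link while B never recovers the payload. In practice the two are layered (for example TLS carried inside an encrypted WAN link) so that both the routing metadata on the wire and the payload at intermediate hops are protected.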
NIST - http://csrc.nist.gov/index.html
National Checklist Program (NCP) Repository - defined in NIST SP 800-70, the
U.S. government repository of publicly available security checklists (or
benchmarks) that give detailed, low-level guidance on the security
configuration of operating systems and applications.
https://nvd.nist.gov/ncp/repository
https://ec.europa.eu/digital-single-market/en/policies/cybersecurity
http://www.enisa.europa.eu
https://www.iso.org/home.html
http://www.itu.int/rec/T-REC-X/e
www.itu.int/rec/T-REC-X.1205-200804-I/en
CIS Critical Security Controls (version 7) - the 20 controls fall into 3
categories:
a. Basic (1-6)
b. Foundational (7-16)
c. Organizational (17-20)
4. Data protection methods (e.g., Digital Rights Management (DRM), Data Loss
Prevention (DLP), Cloud Access Security Broker (CASB))
DRM represents the controls by which you can prevent someone from copying,
printing, editing, or otherwise passing your privileged information on to other
people.
Data Loss Prevention (DLP) - enables businesses to detect data loss, as well as
prevent the illicit transfer of data outside the organization and the unwanted
destruction of sensitive data or personally identifiable information (PII).
It is also used to help organizations with data security and to demonstrate
compliance with regulations such as the California Consumer Privacy Act (CCPA),
the EU General Data Protection Regulation (GDPR), and the Health Insurance
Portability and Accountability Act (HIPAA).
NOTE: The terms "data loss prevention" and "data leakage prevention" are often
used interchangeably; DLP tooling defends against both the accidental loss and
the deliberate leakage of data.
b. in motion (transit) -
encryption
perimeter security
web content filtering
network traffic monitoring
VPNs
c. in use (application) -
encryption
user monitoring
workstation restrictions
application controls (allow list / deny list, a.k.a. whitelist / blacklist)
data labeling
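As an added example (not the notes' own content and not any vendor's product code), here is the core of a DLP content-inspection rule of the kind that "network traffic monitoring" or "web content filtering" would apply to outbound messages: regex detection of payment card numbers and US Social Security numbers, a Luhn check and SSN-range checks to suppress false positives, and an allow/block verdict per message. The patterns, rules and sample messages are illustrative assumptions, not a complete policy.

```python
"""Minimal DLP content inspector for outbound text.

Added example, not the notes' or any vendor's code. It shows the core of a
DLP detection rule: pattern matching for sensitive data (payment card
numbers, US Social Security numbers) plus validity checks that cut false
positives, and a verdict per message. Regexes, rules and sample messages
are illustrative assumptions, not a complete policy.
"""
import re

# 13-19 digits, optionally separated by spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Card-shaped digit runs that also pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    """Keep only SSNs that could be issued: area not 000/666/9xx,
    group not 00, serial not 0000."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000":
            continue
        hits.append(m.group())
    return hits


def inspect_message(message: str) -> dict:
    """Return the DLP verdict and findings for one outbound message."""
    findings = {"card": find_cards(message), "ssn": find_ssns(message)}
    action = "block" if any(findings.values()) else "allow"
    return {"action": action, "findings": findings}


SAMPLE_OUTBOUND = [  # constructed sample messages, not real traffic
    "Hi, please charge card 4111 1111 1111 1111 exp 12/27 for the invoice.",
    "Ticket 4111 1111 1111 1112 reopened; customer waiting since 2024-01-15 10:30.",
    "Payroll update for employee SSN 123-45-6789, effective next period.",
    "Test fixture uses placeholder SSN 000-12-3456, nothing real here.",
]

if __name__ == "__main__":
    for msg in SAMPLE_OUTBOUND:
        verdict = inspect_message(msg)
        print(f"{verdict['action']:5} {verdict['findings']}  <- {msg[:40]}...")
```

The validity checks are the point: the second sample message contains a 16-digit number that looks like a card but fails Luhn, and the fourth contains an SSN-shaped placeholder with an impossible area number; without those checks both would be blocked, and that kind of false positive is what gets DLP rules tuned down until they catch nothing. A real rule set also uses context (data labels, sender, destination) and inspects files and archives, not just plain text.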