ISC2 Accelerated CISSP 2018 2 1 2 Asset Security
Asset Security
1. Data Classification
Who should decide on data classification? The individual who owns the data
should decide on the classification, and it should be reviewed at a minimum
annually.
2. Asset Classification
Equipment Lifecycle:
1. Define Requirements
2. Acquire & Implement
3. Operations & Maintenance
4. Disposal & Decommission
===============================================================================
A data policy defines the goals for data management. A data policy:
The policy and process for releasing data in response to a legal request must
be designed and implemented so that they do not bypass access controls or any
existing policies: only the data that is subject to the request is made
available, and no unrelated data is exposed.
===============================================================================
Determine who has a need for the data and under what circumstances the data
should be released
Adherence to appropriate and relevant data policy and data ownership guidelines
Purging - The removal of sensitive data from a system or storage device with the
intent that the data cannot be reconstructed by any known technique
Techniques:
Overwriting - one or more passes of 1's & 0's in a "random" pattern, one or
more times; reliable for magnetic disks only
Encryption (crypto-erase) - keep the data encrypted at all times and destroy the
key; without the key the ciphertext is as good as purged
SSD vs HDD - on an SSD, wear levelling and over-provisioning mean an overwrite
may never touch the cells that hold the old data, so use the drive's built-in
secure-erase / sanitize command or crypto-erase instead of overwriting
Cloud data - you cannot sanitize the provider's media yourself, so encrypt data
while in storage and in use, and upon exit destroy the keys
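The two purge techniques above, side by side, as an added example (not from the course notes): a record store that only ever writes ciphertext and is "purged" by destroying its key, next to a multi-pass overwrite of a file. The SHA-256 counter-mode keystream is a stand-in so the example runs on the Python standard library alone; the sample record and file contents are constructed.

```python
"""Purging by crypto-erase vs. by overwriting (added example, toy cipher)."""
import hashlib
import os
import secrets
import tempfile


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, used here only so the example has no
    third-party dependency. In production use AES-GCM or XChaCha20-Poly1305
    from a vetted library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher encrypt/decrypt: XOR with the keystream (symmetric)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


class EncryptedRecordStore:
    """Records exist on the medium only as ciphertext; the key lives elsewhere.
    Crypto-erase = destroy the key, which makes every record unreadable at once."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self.records = {}  # record id -> (nonce, ciphertext)

    def put(self, rid: str, plaintext: bytes) -> None:
        if self._key is None:
            raise RuntimeError("store has been crypto-erased: key destroyed")
        nonce = secrets.token_bytes(16)
        self.records[rid] = (nonce, xor_crypt(self._key, nonce, plaintext))

    def get(self, rid: str) -> bytes:
        if self._key is None:
            raise RuntimeError("store has been crypto-erased: key destroyed")
        nonce, ciphertext = self.records[rid]
        return xor_crypt(self._key, nonce, ciphertext)

    def crypto_erase(self) -> None:
        # In a real deployment this is the KMS/HSM "destroy key" operation, and
        # it only counts as a purge if no copy of the key survives (backups too).
        self._key = None


def overwrite_and_unlink(path: str, passes: int = 3) -> bool:
    """Overwrite a file in place with random data, fsync each pass, then unlink.
    Adequate for magnetic disks. On SSDs wear levelling may leave the old cells
    untouched, so use ATA Secure Erase / NVMe sanitize or crypto-erase there."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            f.write(os.urandom(size))
            f.flush()
            os.fsync(f.fileno())
    os.unlink(path)
    return not os.path.exists(path)


def demo() -> dict:
    """Run both techniques on constructed sample data and report the outcome."""
    store = EncryptedRecordStore()
    store.put("cust-1", b"Alice, SSN 000-00-0000 (constructed sample record)")
    before = store.get("cust-1")
    store.crypto_erase()
    try:
        store.get("cust-1")
        readable_after = True
    except RuntimeError:
        readable_after = False

    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed sensitive file contents " * 64)
    removed = overwrite_and_unlink(path)
    return {
        "roundtrip_ok": before.startswith(b"Alice"),
        "readable_after_crypto_erase": readable_after,
        "file_removed": removed,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the store is that a purge of a cloud tenant, a backup set or a whole SSD reduces to one key-destroy operation, provided the key was never stored next to the data; the overwrite function is the classic HDD approach and its docstring carries the SSD caveat.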
http://www.oecdprivacy.org/
===============================================================================
a. at rest (storage)
b. in motion (transit / on the wire)
c. in use (application)
Link encryption encrypts all the data along a specific communication path, as in
a satellite link, T3 line, or telephone circuit. Not only is the user
information encrypted, but the headers, trailers, addresses, and routing data
that are part of the packets are also encrypted. The only traffic not encrypted
is the data link control messaging information, which includes the instructions
and parameters that the different link devices use to synchronize communication
methods. Link encryption provides protection against packet sniffers and
eavesdroppers on the wire. Because the addressing is encrypted too, every link
device along the path (router, switch, repeater) must decrypt the whole packet
to route it and re-encrypt it for the next link, so the data is in plaintext
inside each intermediate node. End-to-end encryption, by contrast, encrypts only
the payload, once, at the sender, and leaves the routing data in clear so that
intermediate nodes need no key.
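The difference described above, modelled hop by hop as an added example (not from the course notes): under link encryption each link device decrypts the whole frame, so every intermediate node sees both routing data and user data in clear; under end-to-end encryption the intermediate nodes see only the header. The XOR-with-a-hash pad, the node names, the link keys and the frame contents are all illustrative constructions.

```python
"""Link encryption vs. end-to-end encryption: what each node on the path sees."""
import hashlib
from dataclasses import dataclass

# Illustrative only: XOR with a SHA-256-derived pad that repeats every 32 bytes.
# Real link encryption is MACsec/IPsec/hardware link encryptors; real
# end-to-end encryption is TLS or an application-layer AEAD.
def toy_xor(key: bytes, data: bytes) -> bytes:
    pad = hashlib.sha256(key).digest()
    return bytes(b ^ pad[i % len(pad)] for i, b in enumerate(data))


@dataclass
class Frame:
    header: bytes   # addresses / routing data
    payload: bytes  # user information


# Assumed topology: sender A, two link devices R1 and R2, receiver B.
PATH = ["A", "R1", "R2", "B"]
LINK_KEYS = {               # one key per physical link, held by both ends of it
    ("A", "R1"): b"link-key-A-R1",
    ("R1", "R2"): b"link-key-R1-R2",
    ("R2", "B"): b"link-key-R2-B",
}


def link_encrypted_transit(frame: Frame, path: list, link_keys: dict) -> dict:
    """Header and payload are encrypted together under each link's key, so every
    link device must decrypt the whole frame to read the address and then
    re-encrypt it for the next link. Returns the bytes visible at each node
    plus what a wire tap on the first link would capture."""
    observed = {}
    wire = toy_xor(link_keys[(path[0], path[1])], frame.header + b"|" + frame.payload)
    observed["wire A->R1"] = wire                       # eavesdropper: nothing readable
    for i in range(1, len(path)):
        prev, node = path[i - 1], path[i]
        clear = toy_xor(link_keys[(prev, node)], wire)  # decrypt on arrival
        observed[node] = clear                          # node holds header AND payload in clear
        if i < len(path) - 1:
            wire = toy_xor(link_keys[(node, path[i + 1])], clear)  # re-encrypt for next link
    return observed


def end_to_end_transit(frame: Frame, path: list, session_key: bytes) -> dict:
    """Only the payload is encrypted, once, by the sender; routing data stays in
    clear so the link devices can forward without any key. Returns
    (header, payload-as-seen) per node and for a wire tap."""
    observed = {}
    payload_ct = toy_xor(session_key, frame.payload)
    observed["wire A->R1"] = (frame.header, payload_ct)  # eavesdropper sees the header
    for node in path[1:-1]:
        observed[node] = (frame.header, payload_ct)      # relay sees header, not payload
    observed[path[-1]] = (frame.header, toy_xor(session_key, payload_ct))
    return observed


if __name__ == "__main__":
    f = Frame(header=b"dst=B src=A", payload=b"secret report")
    for node, seen in link_encrypted_transit(f, PATH, LINK_KEYS).items():
        print("link  ", node, seen)
    for node, seen in end_to_end_transit(f, PATH, b"session-key-AB").items():
        print("e2e   ", node, seen)
```

Run it and compare the R1 line in each block: link encryption hides everything from a wire tap but hands the full plaintext to every device along the path, which is why a compromised router defeats it; end-to-end encryption leaks the addressing to the wire but keeps the payload from the relays. Many designs use both.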
NIST - http://csrc.nist.gov/index.html
https://nvd.nist.gov/ncp/repository
https://ec.europa.eu/digital-single-market/en/policies/cybersecurity
http://www.enisa.europa.eu
https://www.iso.org/home.html
International Telecommunication Union-Telecommunication (ITU-T)
Standardization - https://www.itu.int/en/ITU-T/Pages/default.aspx
defines a security baseline against which network operators can assess their
network and information security status in terms of readiness and ability to
collaborate with other entities to counteract information security threats.
http://www.itu.int/rec/T-REC-X/e
www.itu.int/rec/T-REC-X.1205-200804-I/en
3 categories (CIS Controls v7):
a. Basic (1-6)
b. Foundational (7-16)
c. Organizational (17-20)
a. at rest (storage) -
encryption
obfuscation / tokenization
archive / dispose / destruct
mobile device protection
physical media control
b. in motion (transit) -
encryption
perimeter security
web content filtering
network traffic monitoring
VPNs
c. in use (application) -
encryption
user monitoring
workstation restrictions
application controls (whitelist / blacklist)
data labeling
===============================================================================
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mls-ov.html
Storing - Encrypt
Retention Periods - Clearly defined & documented | ONLY keep data for as long
as retention period | Different data = different retention periods
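Putting the retention rules here together with the annual classification review from the Data Classification section above, as an added example (not from the course notes): a check that runs over a data inventory and separates what is due for disposal, what must go back to its owner for review, and what cannot be decided because it has no recognised classification. The retention schedule, the record layout and the sample inventory are assumptions made for the example.

```python
"""Inventory checks against the data policy: retention expiry and overdue
classification review (added example; schedule values are assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed retention schedule in days. Real periods come from the data policy and
# from legal/regulatory requirements, not from this example.
RETENTION_DAYS: Dict[str, int] = {
    "public": 365,
    "internal": 3 * 365,
    "confidential": 7 * 365,
}
# The data owner must review the classification at least annually.
REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class Record:
    rid: str
    owner: str
    classification: str
    created: date
    classification_reviewed: date
    legal_hold: bool = False   # a hold suspends disposal regardless of age


def due_for_disposal(rec: Record, today: date) -> bool:
    """True when the retention period has run out and no legal hold applies.
    Records with an unknown classification are never auto-disposed."""
    days: Optional[int] = RETENTION_DAYS.get(rec.classification)
    if days is None or rec.legal_hold:
        return False
    return rec.created + timedelta(days=days) <= today


def review_overdue(rec: Record, today: date) -> bool:
    """True when the owner has not reviewed the classification within a year."""
    return today - rec.classification_reviewed > REVIEW_INTERVAL


def inventory_report(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Sort the inventory into: dispose now; send back to the owner for review;
    unclassified (neither retained nor disposed until an owner classifies it)."""
    report: Dict[str, List[str]] = {"dispose": [], "review": [], "unclassified": []}
    for rec in records:
        if rec.classification not in RETENTION_DAYS:
            report["unclassified"].append(rec.rid)
        elif due_for_disposal(rec, today):
            report["dispose"].append(rec.rid)
        if review_overdue(rec, today):
            report["review"].append(rec.rid)
    return report


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Record("hr-001", "hr-director", "confidential", date(2010, 1, 15), date(2017, 12, 1)),
    Record("hr-002", "hr-director", "confidential", date(2010, 1, 15), date(2018, 1, 1),
           legal_hold=True),
    Record("web-003", "marketing", "public", date(2018, 3, 1), date(2016, 5, 1)),
    Record("x-004", "unknown", "secret-ish", date(2000, 1, 1), date(2018, 1, 1)),
    Record("fin-005", "cfo", "internal", date(2015, 6, 1), date(2018, 5, 30)),
]

if __name__ == "__main__":
    print(inventory_report(SAMPLE_INVENTORY, date(2018, 6, 1)))
```

Two design points worth keeping in a real job: a legal hold must win over the retention clock, and anything the schedule does not recognise is routed to a person rather than silently kept or silently deleted.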
1. Data Inventory -
2. Securing Data -
3. Audit -