Domain 2 – Asset Security Information and asset classification – know all layers of public and government data classification (confidential, private, etc.) Ownership (data owners, system owners) Protect privacy Appropriate retention – a few questions on data destruction Data security controls – You will see questions regarding shipping and Chain of Custody Handling requirements (markings, labels, storage)
Information Classification - Public Private – data that is defined as private (SSN, bank accounts, credit cards) Company restricted – Data that is restricted to a subset of employees. Company confidential – Data that can be viewed by all employees but is not for general use. Public – Data that can be viewed or used by employees or the general public.
Information Classification - Government Top Secret – Disclosure of top secret data would cause severe damage to national security Secret – Disclosure of secret data would cause serious damage to national security. This data is considered less sensitive than data classified as top secret. Confidential – Confidential data is usually data that is exempt from disclosure under laws such as the Freedom of information act but is not classified as national security data. Sensitive but unclassified – SBU data is data that is not considered vital to national security, but its disclosure would do some harm. Many agencies classify data they collect from citizens as SBU. Unclassified – Data that has no classification or is not sensitive.
Data Ownership Data Owner – Usually a member of Senior Management. After all, senior management is responsible for the asset and, if it is compromised, can be held responsible. The data owner can delegate some data-to-day duties but cannot delegate total responsibility; Senior Management is ultimately responsible. Data Custodian – This is usually someone in IT. The data custodian does not decide what controls are needed, but he or she does implement controls on behalf of the data owner. Other responsibilities include the day-to-day management of the asset. Controlling access, adding and removing privileges for individual users, and ensuring that the proper controls have been implemented are all part of the data custodian’s duties.
Data Security Controls - Marking Storage media should have a physical label identifying the sensitivity of the information contained. Labels should indicate whether the data is encrypted. Media found unlabeled should immediately be labeled with the highest level of sensitivity until appropriate analysis is done.
Data Security Controls - Handling Only designated personnel should have access to sensitive media. Individuals responsible for managing sensitive media should be promulgated. Important that logs and other records are used to track the activities of individuals handling backup data. Manual processes, such as access logs, are necessary to compensate for the lack of automated controls regarding access to sensitive media.
Data Security Controls - Storing Sensitive media should not be left lying about where a passerby could access it. Backup media should be encrypted whenever possible and stored in a security container, such as a safe or strong box. Storing encrypted backup media at an off-site location should be considered for disaster recovery purposes.
Data Security Controls - Destruction Media that is no longer needed or is defective should be destroyed rather than simply disposed of. A record of destruction should be used that corresponds to any logs used for handling media. Security practitioners should implement object reuse controls for any media in question is unknown rather than simply recycling it. Record Retention – Data and information should only be kept only as long as it is required. Data Remanence – residual physical representation of data Purge – ensure total removal – data cannot be recovered Clearing – Removes data but not 100%, lab techniques required for recovery