Presentation is loading. Please wait.

Presentation is loading. Please wait.

Domain 2 – Asset Security

Published byEsther Hodges Modified over 6 years ago

Similar presentations

Presentation on theme: "Domain 2 – Asset Security"— Presentation transcript:

1 Domain 2 – Asset Security
Information and asset classification – know all layers of public and government data classification (confidential, private, etc.) Ownership (data owners, system owners) Protect privacy Appropriate retention – a few questions on data destruction Data security controls – You will see questions regarding shipping and Chain of Custody Handling requirements (markings, labels, storage)

2 Information Classification - Public
Private – data that is defined as private (SSN, bank accounts, credit cards) Company restricted – Data that is restricted to a subset of employees. Company confidential – Data that can be viewed by all employees but is not for general use. Public – Data that can be viewed or used by employees or the general public.

3 Information Classification - Government
Top Secret – Disclosure of top secret data would cause severe damage to national security Secret – Disclosure of secret data would cause serious damage to national security. This data is considered less sensitive than data classified as top secret. Confidential – Confidential data is usually data that is exempt from disclosure under laws such as the Freedom of information act but is not classified as national security data. Sensitive but unclassified – SBU data is data that is not considered vital to national security, but its disclosure would do some harm. Many agencies classify data they collect from citizens as SBU. Unclassified – Data that has no classification or is not sensitive.

4 Data Ownership Data Owner – Usually a member of Senior Management. After all, senior management is responsible for the asset and, if it is compromised, can be held responsible. The data owner can delegate some data-to-day duties but cannot delegate total responsibility; Senior Management is ultimately responsible. Data Custodian – This is usually someone in IT. The data custodian does not decide what controls are needed, but he or she does implement controls on behalf of the data owner. Other responsibilities include the day-to-day management of the asset. Controlling access, adding and removing privileges for individual users, and ensuring that the proper controls have been implemented are all part of the data custodian’s duties.

5 Data Security Controls - Marking
Storage media should have a physical label identifying the sensitivity of the information contained. Labels should indicate whether the data is encrypted. Media found unlabeled should immediately be labeled with the highest level of sensitivity until appropriate analysis is done.

6 Data Security Controls - Handling
Only designated personnel should have access to sensitive media. Individuals responsible for managing sensitive media should be promulgated. Important that logs and other records are used to track the activities of individuals handling backup data. Manual processes, such as access logs, are necessary to compensate for the lack of automated controls regarding access to sensitive media.

7 Data Security Controls - Storing
Sensitive media should not be left lying about where a passerby could access it. Backup media should be encrypted whenever possible and stored in a security container, such as a safe or strong box. Storing encrypted backup media at an off-site location should be considered for disaster recovery purposes.

8 Data Security Controls - Destruction
Media that is no longer needed or is defective should be destroyed rather than simply disposed of. A record of destruction should be used that corresponds to any logs used for handling media. Security practitioners should implement object reuse controls for any media in question is unknown rather than simply recycling it. Record Retention – Data and information should only be kept only as long as it is required. Data Remanence – residual physical representation of data Purge – ensure total removal – data cannot be recovered Clearing – Removes data but not 100%, lab techniques required for recovery

Download ppt "Domain 2 – Asset Security"

Similar presentations

IT Security Policy Framework

IT Security Policy Framework
Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
Evolution of Data Use and Stewardship Recent University-wide Data Stewardship Enhancements Integrated System Data Stewardship Shirley C. Payne, CISSP,

Evolution of Data Use and Stewardship Recent University-wide Data Stewardship Enhancements Integrated System Data Stewardship Shirley C. Payne, CISSP,
Gaucho Round-Up FAQ’s This presentation covers some of the FAQ’s about campus clean-up day. Presentation #4 2/3/2015 1.

Gaucho Round-Up FAQ’s This presentation covers some of the FAQ’s about campus clean-up day. Presentation #4 2/3/
Data Protection.

Data Protection.
Chapter 5: Asset Classification

Chapter 5: Asset Classification
SIU School of Medicine Identity Protection Act and Associated SIU Policy.

SIU School of Medicine Identity Protection Act and Associated SIU Policy.
Critical Data Management Indiana University HR Summit April 24, 2014.

Critical Data Management Indiana University HR Summit April 24, 2014.
Access Control Methodologies

Access Control Methodologies
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Auditing Computer Systems

Auditing Computer Systems
Greg Lamb. Introduction It is clear that we as consumers and entrepreneurs cannot expect complete privacy when discussing business matters. However… There.

Greg Lamb. Introduction It is clear that we as consumers and entrepreneurs cannot expect complete privacy when discussing business matters. However… There.
CASH HANDLING Training Presentation

CASH HANDLING Training Presentation
Security Management Practices Keith A. Watson, CISSP CERIAS.

Security Management Practices Keith A. Watson, CISSP CERIAS.
Hippocratic Databases Paper by Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu CS 681 Presented by Xi Hua March 1st,Spring05.

Hippocratic Databases Paper by Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu CS 681 Presented by Xi Hua March 1st,Spring05.
Department of Commerce Records Management Training.

Department of Commerce Records Management Training.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
1 25 October 2012 - EPFL Conference Data Protection in Intergovernmental Organizations Workshop 7 February 2013 K. Ernst S. Lüders C. Viala.

1 25 October EPFL Conference Data Protection in Intergovernmental Organizations Workshop 7 February 2013 K. Ernst S. Lüders C. Viala.

Similar presentations

Ads by Google