Domain 2 – Asset Security

  1. Data owner
  2. Data custodian
  3. Classification
  4. Categorization
  5. Quality Control
  6. Quality Assurance
  7. Data Verification
  8. Data Validation

 

  • Accountability – Who did what, when
  • Senior Management must support the program
  • Data classification policy – ensure all departments are classifying documents consistently
  • Try to keep classification simple
    • Internal, Confidential, Secret
  • Periodically update classification
  • Destroy documents that are no longer applicable to company / should be declassified
  • Owner should be assigned to all data
    • Owner defines criticality, sensitivity
    • Owner determines how long to keep data
    • Owner defines Need to Know

 

Classification

  • Involves Marking and Labeling
  • People use Marking, Machines use labeling

Data Classification

  • Take into account Sensitivity and Criticality – Confidentiality vs Timing
  • Applies to Electronic and Hard Copy
  • Defines how long data should be kept around

Data Classification Policy

  1. Who has access to data
    • Clerks – add accounting entries but can’t authorize new users
    • HR Manager – see pay grades, home addresses for all employees
    • Hiring Manager – see pay grades, home address for direct employees
  2. How is data secured
    • Do users have update capabilities

  3. Retention – How long to keep data around?
    • SOX – 7 years
    • Clinical Trials – 35 years
    • Medical Records – Death + 2 years
    • Financial Services Records – Life of Company
  4. How to dispose
    • General Disposal
    • Cross Cut
    • Physical Destruction
  5. Data Encryption
    • Data Owner may have a say
    • Company policy may override
  6. Appropriate use of data
    • Who can see what
    • Need to know
    • Least Privilege
  7. When to declassify
    • At what point is data no longer ‘sensitive’

 

Sample Government Sensitivity with possible controls

Sensitivity – Control Required

  • Unclassified – None
  • Sensitive – Filing Cabinet
  • Confidential – Filing Cabinet with Lock
  • Secret – Safe
  • Top Secret – Vault

Classification Commercial

  • Public
  • Company Confidential
  • Company Restricted
  • Private

The term “sensitive information” might mean something different in one organization when compared to what it means for the CISSP exam. For the exam, remember that “sensitive information” refers to any information that isn’t public or unclassified.

 

Data Owner decides data classification, which should be reviewed annually.

Asset Management

  • Asset that you own, assets that you possess
  • Many times starts with Spreadsheets
  • Configuration Management moved beyond spreadsheets – adds relationships
  • ITAM – Information Technology Asset Management
  • Full Life Cycle – From procurement to disposition
  • Physical, Contractual, Financial

Information Owner

  • Determine impact of data on organization
  • Understand replacement cost
  • Who has need for information
  • Know when information is not needed and can be destroyed
  • Owner must document
  • Intellectual Property rights, copyright, trade secret
  • Statutory / non-statutory obligations (e.g. is it subject to PCI)
  • Agreement with users on use
  • Other items of Data Classification Policy
  • Typically CEO, President, Department Head
  • Could be liable for negligence if they fail to perform due diligence

Data Custodian

  • Relate to managing the data
  • Must follow the Data policy guidelines
  • Ensure data is accessible to proper users
  • Backup and archiving
  • Documentation
  • Audits for data integrity

System Owner

  • Owns the system that processes the data
  • Develops system security plan
  • Ensures the system is deployed and operating according to security plan
  • Ensures users receive appropriate training or are instructed according to AUP
  • Update policy when significant change

Administrator

  • Grant access to personnel
  • Utilize principle of least privilege

Data Processes

  • Data Quality – Effort should be exerted to maintain data quality at all aspects of processing
  • Quality Control – Internal standards established to monitor quality
  • Quality Assurance – Assessment of quality based on external standards
  • Data Verification – Completeness, Correctness, compliance of a dataset
  • Data Validation – Evaluating if data quality goals have been achieved
    • Clarification/Example – Verification determines whether the entry is accurate data; Validation confirms whether the data makes sense. For instance, a journal entry of $1,000,000 is a correctly formed number that would pass verification, but it is not a plausible monthly electricity payment, so it would fail validation.
  • Data Documentation – File names should be descriptive. Document the parameters of the data, such as units of measure, formats and definitions.
  • MetaData – author, date created and date modified and file size are all examples

Data Standards

Example – AAA is a ‘standard’ battery size

Company Data Standard for Latitude

  • Name – Latitude
  • Code Name – cor_lat_meas
  • Format – CHAR(16)
  • Definition – Coordinate Latitude is the angle between the plane of the reference ellipsoid’s equator and a normal to the ellipsoid surface. It is formatted by direction, degrees, minutes, decimal seconds (60 24 32.56 N). This item is analogous to the ‘Y’ value of a rectangular coordinate system.
  • FGDC Alias – Y Coordinate
  • FGDC Definition – This is the Y Coordinate value or northing for a coordinate set.

The need for Data Standards can be shown by how a date is recorded. Which of the following should be used?

  • April 2, 1974
  • 04-02-74
  • 04/02/1974
  • 4/2/74
  • 19740402
  • 2 April 1974

International standards may need to be taken into consideration

  • 04021974 – is this April 2 or February 4?
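The following is an added example, not part of the original notes, that ties together the Verification vs Validation distinction from the Data Processes section and the company Latitude standard above (CHAR(16), formatted as degrees, minutes, decimal seconds, direction). Verification checks only that an entry matches the agreed format; validation checks that a well-formed value makes sense. The regex, the range rules and the 8-digit date ambiguity check are my own assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layout of the company Latitude standard on this page: "60 24 32.56 N".
# The regex is an assumption for illustration, not part of any named standard.
LAT_RE = re.compile(r"^(\d{1,2}) (\d{1,2}) (\d{1,2}(?:\.\d+)?) ([NS])$")

@dataclass
class Latitude:
    degrees: int
    minutes: int
    seconds: float
    direction: str

def verify_latitude(text: str) -> Optional[Latitude]:
    """Verification: does the entry fit the CHAR(16) width and the
    'deg min sec.dd N' layout? Says nothing about whether it is plausible."""
    if len(text) > 16:
        return None
    m = LAT_RE.match(text)
    if not m:
        return None
    return Latitude(int(m[1]), int(m[2]), float(m[3]), m[4])

def validate_latitude(lat: Latitude) -> bool:
    """Validation: does a well-formed value make sense as a latitude?
    Minutes and seconds must be below 60, degrees at most 90 (assumed rules)."""
    if not (0 <= lat.minutes < 60 and 0 <= lat.seconds < 60):
        return False
    if lat.degrees > 90:
        return False
    # Exactly 90 degrees is a pole, so no minutes or seconds are allowed.
    if lat.degrees == 90 and (lat.minutes or lat.seconds):
        return False
    return True

def check_entry(text: str) -> str:
    """Classify a raw entry as 'unverified', 'invalid' or 'ok'."""
    lat = verify_latitude(text)
    if lat is None:
        return "unverified"
    return "ok" if validate_latitude(lat) else "invalid"

def ambiguous_date(digits: str) -> bool:
    """True when an 8-digit date reads as a plausible date under both
    DDMMYYYY and MMDDYYYY, like the 04021974 case in the notes."""
    if not re.fullmatch(r"\d{8}", digits):
        return False
    first, second = int(digits[:2]), int(digits[2:4])
    return 1 <= first <= 12 and 1 <= second <= 12 and first != second
```

Running check_entry on "60 64 32.56 N" returns "invalid": the entry passes verification (correct layout) but fails validation (64 minutes), which is the same split the $1,000,000 electricity example illustrates.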

 

Data Life Cycle Control

  • Should include periodic Snapshots – consistent with Recovery Point Objective (RPO)

Data Modeling

  • Who is it for
  • How will database facilitate delivery
  • Who cares about it, how do they get to it
  • How is the data stored and in what form
  • Retention, Decommission
  • Try to keep as simple as possible

Conceptual Design

  • Concepts to be stored
  • Relationships
  • Diagram
  • Design should be consistent with criticality of data/application or the asset value.

Data Remanence

  • 200 Secondhand Hard Drives on eBay
  • 78 percent had data that could be recovered
  • 67 percent had personal data that could be used for identity theft and fraud
  • 11 percent had company data – emails, spreadsheets, customer information
  • Only 10 percent had data completely erased


Passphrase

  • Long enough to be hard to guess
  • Not a famous quotation from literature, holy books, et cetera
  • Hard to guess by intuition—even by someone who knows the user well
  • Easy to remember and type accurately
  • Not reused between sites, applications and other different sources.

 

  • Sample “FormlicensureapplicationthroughNMLS”