CISSP Domain 2 Review – Asset Security

This post serves as a review for Domain 2 of the CISSP. This domain covers asset security.

Before we start, here are the sections of this domain review, in order: Concepts, Classify Assets, Data Lifecycle, Privacy, Data Retention, Data States, Data Security Controls, Asset Handling Requirements and Data Remanence.

Concepts

  • Data policy : Should be part of the overall risk management program.
  • Data governance : Oversees the development of common data definitions, standards, requirements and processes.
  • Data quality
    • Integrity and reliability of data.
      • Quality Control
      • Quality Assurance.
    • Aims to reduce :
      • Errors of commission : Mistakes/Inaccurate transcription.
      • Errors of omission : Something that had been left out.
  • Data documentation :
    • Why?
      • Allows longevity and reuse of data.
      • Users can understand content, context and limits of data.
      • Easier discovery of data.
      • Data interoperability and exchange of data.
    • How?
      • Metadata.
      • Readme file.
      • File contents : File names, header area,…
  • Data organization
    • Two types of data:
      • Unstructured : Lacks any formal data model.
      • Structured : Organized (Example : In a relational database)
    • Data Schema : A blueprint of how a database is constructed.
    • Data classification : Based on sensitivity. (Ex: Confidential, Sensitive, Private, Public). (See Classify Assets below).
    • Data categorization :
      • Based on the potential impact to the organization.
      • FIPS 199 : Standards for Security Categorization of Federal Information and Information Systems.

Classify Assets

  • Based on the level of sensitivity.
  • Criteria can include:
    • The types of data the asset handles.
    • The processes the asset accomplishes
  • Data classification policy. It should specify :
    • Who can access the data
    • How should it be secured
    • For how long (Retention)
    • How to dispose of it
  • Example of a classification scheme, in the military : Top Secret, Secret, Confidential, Unclassified.

Data Lifecycle

Create, store, use, share, archive, destroy.

Privacy

  • Laws:
    • EU GDPR
      • EU-US Privacy Shield List (self-certification list maintained by the US Department of Commerce). Note that Privacy Shield was invalidated by the Court of Justice of the EU in 2020 (Schrems II) and replaced in 2023 by the EU-US Data Privacy Framework.
    • APEC CBPR
    • Canada PIPEDA
    • US :
      • There is no overarching federal privacy law, only sector-specific laws:
        • Privacy Act of 1974 : Applicable only to US federal government agencies.
        • GLBA : Gramm-Leach-Bliley Act (For financial institutions).
        • COPPA : Children’s Online Privacy Protection Act (For online services directed to children under 13 years of age).
        • FERPA : Family Educational Rights and Privacy Act (Protect the privacy of student education records).
        • HIPAA : Health Insurance Portability and Accountability Act (For protecting sensitive patient health information).
  • Roles:
    • Data Owner
      • Accountable.
      • They can grant or deny access to the data.
      • Generally, this is a senior manager.
      • Responsible for classifying data.
    • Data Steward
      • They are responsible for data content and context. Their main goal is data quality.
    • Data Custodian
      • They maintain data, secure it and make sure it is available for authorized users.
    • Data Subject
      • For personal data, it is the person to which this data relates.
    • Data User
      • It is the person who is accessing the data as part of their day-to-day job.
    • Data Controller
      • The natural or legal person who determines the purposes and means of processing personal data. They are accountable for that processing.
    • Data Processor
      • Process data on behalf of a data controller (Example: Cloud service providers).

Data Retention

  • How long should data be stored.
  • Retention requirements should be expressed in a retention policy.
  • Legal and compliance requirements need to be evaluated first with regard to data retention.

Data States

  • At rest : Data stored on persistent media (disks, databases, data warehouses, backups).
  • In motion : data in transmission through a network.
  • In use : Computer RAM, CPU cache or CPU registers.

Data Security Controls

  • Security Control Frameworks:
    • ISO 27001, ISO 27002
    • NIST SP 800-53
    • CSIS 20 Critical Security Controls (now maintained by the Center for Internet Security as the CIS Critical Security Controls).
    • COBIT
    • COSO
    • FISMA
    • FedRAMP (For Cloud Service Providers).
    • DoD Instruction 8510.01
  • Control Types
    • Technical : Using computer capabilities and automation to implement safeguards.
    • Administrative : Policies, procedures, standards and guidelines…
    • Physical : CCTV, Intrusion Detection, security guard…
  • Controls can be deterrent, preventative, detective, corrective, compensating or recovery.
  • Controls can be common, system-specific or hybrid.
  • Establishing a security control baseline.
    • Examples : Cisco Validated Design Program, Microsoft Security Compliance Toolkit 1.0, CIS Benchmarks,…
  • Scoping, tailoring, supplementation
    • Scoping : Choose only the security controls that are applicable.
    • Tailoring : Modify the applicable controls to meet the specific needs.
    • Scoping and tailoring decisions must be well-documented.
    • Supplementation : When additional security controls are needed.

Asset Handling Requirements

  • Marking and Labeling
  • Handling : Should cover access, transfer and storage of sensitive data.
  • De-identification : Removing or replacing the direct identifiers in a data set.
  • Obfuscation : Masking or scrambling values so that the original is not readable (for example showing only the last four digits of a card number).
  • Anonymization : Irreversibly transforming data so that it can no longer be linked to a person.
  • Data Tokenization : Replacing a sensitive value with a surrogate token; the mapping back to the real value is kept only in a separately secured vault.
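To make the difference between tokenization, pseudonymization (a keyed form of de-identification) and anonymization concrete, here is an added example that is not part of the original post. It uses only the Python standard library; the customer record, the secret key and the token vault are constructed for the demo, and names such as `TokenVault` and `handle_for_sharing` are my own.

```python
"""Added example, not from the original post: three handling treatments for
a record that is about to leave the system of record.

  tokenization     - the value is swapped for a random surrogate; the real
                     value exists only in a separate vault, so the vault
                     holder can reverse it and nobody else can.
  pseudonymization - keyed hashing (HMAC); the same input always yields the
                     same output, so records stay linkable for analytics,
                     but the input cannot be recovered without the key.
  anonymization    - direct identifiers are dropped and quasi-identifiers
                     generalized; there is nothing left to reverse.
"""
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn check, as used for payment card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps tokens to the original values. In production this is a separately
    secured store; the tokenized data set never contains the real values."""

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # The same PAN always gets the same token, so joins across data sets work.
        if pan in self._value_to_token:
            return self._value_to_token[pan]
        while True:
            # Format-preserving: 16 digits with the real last four kept, so
            # receipts and support staff can still refer to the card. The token
            # must FAIL the Luhn check so it can never be mistaken for a live PAN.
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_value:
                break
        self._token_to_value[token] = pan
        self._value_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash. Without the key, an attacker cannot enumerate the input space
    (every e-mail address, every phone number), which a plain SHA-256 would allow."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def anonymize(record: dict, as_of_year: int) -> dict:
    """Drop direct identifiers, generalize birth date to an age band and the
    ZIP code to its first three digits."""
    birth_year = int(record["birth_date"][:4])
    decade = (as_of_year - birth_year) // 10 * 10
    return {
        "age_band": f"{decade}-{decade + 9}",
        "zip3": record["zip"][:3] + "**",
        "plan": record["plan"],
    }


SECRET_KEY = secrets.token_bytes(32)  # constructed; keep this in a KMS in production
CUSTOMER = {                           # constructed sample record
    "name": "Jane Example",
    "email": "jane@example.com",
    "pan": "4111111111111111",
    "birth_date": "1987-06-14",
    "zip": "94110",
    "plan": "premium",
}


def handle_for_sharing(record: dict, vault: TokenVault, key: bytes, as_of_year: int) -> dict:
    """The three views a handling policy might mandate for different recipients:
    payments (token), analytics (pseudonym), external research (anonymous)."""
    return {
        "tokenized": dict(record, pan=vault.tokenize(record["pan"])),
        "pseudonymized": {
            "customer_id": pseudonymize(record["email"], key),
            "zip": record["zip"],
            "plan": record["plan"],
        },
        "anonymized": anonymize(record, as_of_year),
    }


if __name__ == "__main__":
    vault = TokenVault()
    for name, view in handle_for_sharing(CUSTOMER, vault, SECRET_KEY, 2024).items():
        print(name, view)
```

Note which treatments are reversible: the vault holder can detokenize, the key holder can re-derive (but not invert) a pseudonym, and nobody can undo the anonymized view. The pseudonymized view is still personal data under GDPR, because it remains linkable to one individual by whoever holds the key.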

Data Remanence

Data remanence is the residual data that remains on storage media after deletion or after sanitization efforts that were not sufficient.

Guidelines and standards:

  • NSA/CSS Policy Manual 9-12
  • NIST SP 800-88 “Guidelines for Media Sanitization”.

Techniques used for media sanitization:

  • Clearing
    • The least effective method.
    • Media is formatted or overwritten, typically in a single pass.
    • Protects only against simple software-based recovery (undelete tools); data may still be recoverable with laboratory techniques.
    • On flash media (SSDs, USB sticks) overwriting counts as clearing at best, because wear levelling leaves copies in blocks the host cannot address.
  • Purging
    • Recovery is infeasible even with state-of-the-art laboratory techniques.
    • Overwriting multiple times, degaussing (only for magnetic media like HDDs or tapes; useless on SSDs and flash), the drive's own sanitize commands (ATA Secure Erase, NVMe Sanitize), and crypto-shredding (destroying the key the data was encrypted under, so that only the key material itself has to be purged).
  • Destruction
    • The most effective method.
    • Media is destroyed.
    • Examples include incineration, pulverizing and disk shredding.
    • Drilling a hole in the media is not a good way to destroy it: the rest of the platter still holds data that can be recovered.
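Crypto-shredding is the one purge technique that works the same on any medium, so it is worth seeing how it fits together. The following is an added example, not code from the original post. It uses only the Python standard library: the cipher is HMAC-SHA256 used as a PRF in counter mode with an encrypt-then-MAC tag, chosen only to avoid a third-party dependency; in production use AES-GCM from a maintained library. The owners, keys, records and the `CryptoShredStore` class are all constructed for the demo.

```python
"""Added example, not from the original post: crypto-shredding as a purge
technique.

Each owner's records are encrypted under that owner's data-encryption key
(DEK). Purging the owner's data means deleting the DEK. The ciphertext can stay
on media that is hard or impossible to overwrite (SSDs, backups, tapes) because
without the key it is unrecoverable. Only the key store has to live on media
that can itself be purged, and it must not be silently backed up.
"""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(dek: bytes) -> tuple:
    """Derive separate encryption and MAC keys from the DEK."""
    return (hmac.new(dek, b"enc", hashlib.sha256).digest(),
            hmac.new(dek, b"mac", hashlib.sha256).digest())


def encrypt(dek: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(dek)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(dek: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(dek)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CryptoShredStore:
    """`_records` stands in for disks, backups and tapes; `_keys` stands in for
    a KMS/HSM on media that can be purged. Shredding touches only `_keys`."""

    def __init__(self) -> None:
        self._keys = {}      # owner -> DEK
        self._records = {}   # owner -> list of encrypted blobs

    def put(self, owner: str, data: bytes) -> None:
        dek = self._keys.setdefault(owner, secrets.token_bytes(32))
        self._records.setdefault(owner, []).append(encrypt(dek, data))

    def get(self, owner: str) -> list:
        if owner not in self._keys:
            raise LookupError(f"DEK for {owner!r} has been destroyed")
        return [decrypt(self._keys[owner], blob) for blob in self._records.get(owner, [])]

    def shred(self, owner: str) -> None:
        """Purge: destroy the key, leave the ciphertext where it is."""
        self._keys.pop(owner, None)

    def can_recover(self, owner: str) -> bool:
        return owner in self._keys

    def ciphertext_bytes(self, owner: str) -> int:
        """Bytes still physically present after a shred (all of them unreadable)."""
        return sum(len(b) for b in self._records.get(owner, []))


if __name__ == "__main__":
    store = CryptoShredStore()
    store.put("alice", b"ssn=123-45-6789")  # constructed sample records
    store.put("alice", b"dob=1987-06-14")
    print("before shred:", store.get("alice"))
    store.shred("alice")
    print("bytes left on media:", store.ciphertext_bytes("alice"),
          "recoverable:", store.can_recover("alice"))
```

Two operational caveats follow directly from the code: a copy of the DEK anywhere (a backup of the key store, a debug log, an unrotated key wrapped by another key) defeats the shred, and any data written before encryption was introduced is not covered and still needs conventional sanitization.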

We have now gone through all items that are covered in Domain 2 of the CISSP. If you notice that there is some important concept that I have forgotten to mention in this review, please let me know in the comments below.
