This post serves as a review of Domain 2 of the CISSP, which covers asset security.
Before we start, here is a list that will help you navigate through the different sections of this domain review:
- Data Security Concepts.
- Classify Assets.
- Data Lifecycle.
- Data Retention.
- Data States.
- Security Controls.
- Asset Handling Requirements.
- Data Remanence.
Data Security Concepts
A Data policy should be part of the overall risk management program.
Data governance oversees the development of common data definitions, standards, requirements, and processes.
Data quality reflects the integrity and reliability of data. Quality control and quality assurance help ensure good data quality. Improving data quality aims to reduce errors of commission (mistakes or inaccurate transcription) and errors of omission (something that has been left out).
Data documentation allows longevity and reuse of data. Through documentation, users can understand the content, context, and limits of data. It also facilitates the exchange of data and enables easier discovery and interoperability. Data documentation can take the form of metadata, readme files, or file contents (file names, header area, etc.).
There are 2 types of data:
- Unstructured: It lacks any formal data model.
- Structured: When data is organized (Example: In a relational database)
Data Schema is a blueprint of how a database is constructed.
Classify Assets
Data classification is based on sensitivity (e.g. Confidential, Sensitive, Private, Public). It tells you the value that a piece of data holds for your organization.
Data categorization is based on the potential impact on the organization (FIPS 199: Standards for Security Categorization of Federal Information and Information Systems).
Assets should be classified based on their level of sensitivity. Classification criteria include the classification of the data the asset handles and the processes that the asset carries out.
A data classification policy should specify who can access the data, how to secure it, for how long (Retention), and how to dispose of it.
An example of a classification scheme, inspired by the military, is: Top Secret, Secret, Confidential, Unclassified.
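The categorization and classification ideas above can be made concrete in code. The following is an added example, not part of the original post: it models a FIPS 199 security category (one impact level per security objective, with the overall level taken as the high-water mark, as FIPS 200 prescribes) and looks up what a classification policy says about access, protection, retention and disposal for the resulting label. The labels, access rules and retention periods are constructed placeholders for an imaginary organization, not a real policy.

```python
"""Security categorization and classification handling rules.

Added example, not from the original post. The impact levels and the
high-water-mark rule follow FIPS 199 / FIPS 200; the classification labels,
access rules and retention periods are constructed placeholders for an
imaginary organization, not a real policy.
"""
from dataclasses import dataclass

# FIPS 199 impact levels. "NA" (not applicable) is allowed only for the
# confidentiality of information that is already public.
IMPACT_RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}


@dataclass(frozen=True)
class SecurityCategory:
    """FIPS 199 triple: an impact level per security objective."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective, level in (("confidentiality", self.confidentiality),
                                 ("integrity", self.integrity),
                                 ("availability", self.availability)):
            if level not in IMPACT_RANK:
                raise ValueError(f"unknown impact level {level!r} for {objective}")
            if level == "NA" and objective != "confidentiality":
                raise ValueError(f"NA is not a valid impact level for {objective}")

    def high_water_mark(self) -> str:
        """Overall impact level: the highest level among the three objectives."""
        return max((self.confidentiality, self.integrity, self.availability),
                   key=IMPACT_RANK.__getitem__)

    def notation(self) -> str:
        """The SC = {...} form used in FIPS 199."""
        return (f"SC = {{(confidentiality, {self.confidentiality}), "
                f"(integrity, {self.integrity}), "
                f"(availability, {self.availability})}}")


# Constructed classification policy (placeholder values): for each label, who
# may access the data, how it is secured, how long it is kept, how it is disposed of.
CLASSIFICATION_POLICY = {
    "Public":       {"access": "anyone", "secure": "integrity checks only",
                     "retention_years": 1, "disposal": "delete"},
    "Private":      {"access": "employees", "secure": "access control, TLS in transit",
                     "retention_years": 3, "disposal": "clear"},
    "Sensitive":    {"access": "need to know", "secure": "encrypted at rest and in transit",
                     "retention_years": 7, "disposal": "purge"},
    "Confidential": {"access": "named individuals", "secure": "encryption, MFA, audit logging",
                     "retention_years": 10, "disposal": "destroy"},
}

# Constructed mapping from the confidentiality impact (how much harm disclosure
# would do) to a sensitivity label. Categorization and classification are
# different exercises; this is one simple way to connect them.
LABEL_BY_CONFIDENTIALITY = {"NA": "Public", "LOW": "Private",
                            "MODERATE": "Sensitive", "HIGH": "Confidential"}


def classify(sc: SecurityCategory) -> str:
    return LABEL_BY_CONFIDENTIALITY[sc.confidentiality]


def handling_requirements(sc: SecurityCategory) -> dict:
    """Everything the classification policy says about data in this category."""
    label = classify(sc)
    return {"label": label, "overall_impact": sc.high_water_mark(),
            **CLASSIFICATION_POLICY[label]}


if __name__ == "__main__":
    hr = SecurityCategory("MODERATE", "LOW", "HIGH")  # constructed: e.g. an HR system
    print(hr.notation())
    print(handling_requirements(hr))
```

Note that the high-water mark drives the control baseline for the whole system (here HIGH, because of availability), while the sensitivity label and therefore the handling rules come from the confidentiality impact alone; keeping the two separate avoids over-restricting access to data whose only high impact is availability.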
Data Lifecycle
It is important to understand the six stages that data goes through during its lifecycle: create, store, use, share, archive, destroy.
Many countries around the world enforce privacy through law. The most well-known of these is the EU GDPR which I covered in my review of domain 1. It is also important to be familiar with the EU-US Privacy Shield, which allows US companies to meet the requirements of GDPR.
In addition to the EU, other countries have also adopted privacy laws:
- APEC CBPR
- Canada PIPEDA
- US: There is no overarching privacy law in the US, only laws that apply to specific sectors:
  - Privacy Act: Applicable only to US federal government agencies.
  - GLBA: Gramm-Leach-Bliley Act (for financial institutions).
  - COPPA: Children’s Online Privacy Protection Act (for online services directed to children under 13 years of age).
  - FERPA: Family Educational Rights and Privacy Act (protects the privacy of student education records).
  - HIPAA: Health Insurance Portability and Accountability Act (for protecting sensitive patient health information).
Handling data involves many entities, with varying responsibilities. Below are some of the important data roles :
- Data Owner: They are the person who is accountable. Most often, they are from senior management. They can grant or deny access to data, and are responsible for its classification.
- Data Steward : They are responsible for data content and context. Their main goal is data quality.
- Data Custodian : They maintain data, secure it and make sure it is available to authorized users.
- Data Subject : For personal data, they are the person to whom this data relates. You encounter this role most often in the context of privacy (for example, they are the person that the PII identifies).
- Data User : They are the person who is accessing the data as part of their day-to-day job.
- Data Controller : A person or a business who determines how to process data. They are accountable for it.
- Data Processor : They process data on behalf of a data controller (Example: Cloud service providers).
Data Retention
The concept of data retention describes how long data should be stored. Retention requirements should be expressed in a retention policy.
It is important to evaluate legal and compliance requirements first, before defining the duration of data retention.
Data States
Data can be in one of the following 3 states:
- At rest : When data is stored (e.g. databases, data warehouses, files on a hard drive…).
- In motion : When data is being transmitted over a network.
- In use : When data is being accessed by a user or a service account. Generally, data in use is located in the computer's RAM, CPU cache or CPU registers.
Security Controls
For identifying security controls to implement for data in your organization, you can refer to well-known frameworks: ISO 27001, ISO 27002, NIST SP 800-53, CSIS 20 Critical Security Controls, COBIT, COSO, FISMA, FedRAMP (For Cloud Service Providers), DoD Instruction 8510.01.
When implementing the above frameworks, there might be some controls that are not applicable to the context of your organization. This is why you should consider scoping, tailoring, and supplementation.
- Scoping : Choose only the security controls that are applicable.
- Tailoring : Modify the applicable controls to meet the specific needs.
- Supplementation : When additional security controls are needed.
It is important to document scoping and tailoring decisions, and their justification.
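As an added example (not from the original post), the following Python models the three adaptations of a baseline and refuses any of them without a written justification, so the audit trail the text asks for is produced as a side effect. The control identifiers (CTRL-1, CTRL-2, ...) and the baseline contents are constructed placeholders, not a real NIST SP 800-53 or ISO 27002 baseline.

```python
"""Scoping, tailoring and supplementation of a control baseline, with every
decision and its justification recorded.

Added example, not from the original post. The control identifiers (CTRL-1,
CTRL-2, ...) and the baseline contents are constructed placeholders, not a
real NIST SP 800-53 or ISO 27002 baseline.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    parameters: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    action: str          # "scope-out", "tailor" or "supplement"
    control_id: str
    justification: str


class TailoredBaseline:
    """A baseline plus the audit trail of how it was adapted."""

    def __init__(self, baseline: List[Control]):
        self.controls: Dict[str, Control] = {c.control_id: c for c in baseline}
        self.decisions: List[Decision] = []

    @staticmethod
    def _require(justification: str) -> None:
        # Undocumented deviations from a baseline are what assessors flag.
        if not justification or not justification.strip():
            raise ValueError("every scoping/tailoring decision needs a justification")

    def scope_out(self, control_id: str, justification: str) -> None:
        """Scoping: drop a control that does not apply to this environment."""
        self._require(justification)
        if control_id not in self.controls:
            raise KeyError(f"{control_id} is not in the baseline")
        del self.controls[control_id]
        self.decisions.append(Decision("scope-out", control_id, justification))

    def tailor(self, control_id: str, justification: str, **parameters: str) -> None:
        """Tailoring: keep the control but change its parameters."""
        self._require(justification)
        control = self.controls[control_id]
        self.controls[control_id] = replace(
            control, parameters={**control.parameters, **parameters})
        self.decisions.append(Decision("tailor", control_id, justification))

    def supplement(self, control: Control, justification: str) -> None:
        """Supplementation: add a control the baseline lacks."""
        self._require(justification)
        if control.control_id in self.controls:
            raise ValueError(f"{control.control_id} is already in the baseline")
        self.controls[control.control_id] = control
        self.decisions.append(Decision("supplement", control.control_id, justification))

    def report(self) -> List[str]:
        """One line per decision, in the order they were taken."""
        return [f"{d.action:<10} {d.control_id:<8} {d.justification}" for d in self.decisions]


def build_example_baseline() -> TailoredBaseline:
    """Constructed walk-through of all three adaptations."""
    baseline = [
        Control("CTRL-1", "Wireless access restrictions"),
        Control("CTRL-2", "Session lock", {"timeout_minutes": "15"}),
        Control("CTRL-3", "Audit logging"),
    ]
    tb = TailoredBaseline(baseline)
    tb.scope_out("CTRL-1", "No wireless networks are deployed at this site.")
    tb.tailor("CTRL-2", "Shared clinical workstations; regulator expects a shorter lock.",
              timeout_minutes="5")
    tb.supplement(Control("CTRL-9", "Tokenization of cardholder data"),
                  "Card data is processed here but the baseline has no PCI-specific control.")
    return tb


if __name__ == "__main__":
    for line in build_example_baseline().report():
        print(line)
```

The report produced by `report()` is the artefact an assessor would ask for: which controls were removed, which parameters were changed, which controls were added, and why.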
There are 3 types of controls :
- Technical : Using computer capabilities and automation to implement safeguards.
- Administrative : Policies, procedures, standards and guidelines…
- Physical : CCTV, Intrusion Detection, security guard…
Controls can be deterrent, preventative, detective, corrective, compensating or recovery. Controls can also be common, system-specific or hybrid.
It is important to establish a security control baseline. Examples of standards and references that can help you with this include: Cisco Validated Design Program, Microsoft Security Compliance Toolkit 1.0, CIS Benchmarks, etc.
Asset Handling Requirements
Asset Handling should also cover access, transfer and storage of sensitive data.
Good practices in asset and data handling include :
- Marking and Labeling
- Data Tokenization
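Tokenization replaces a sensitive value with a surrogate that has no mathematical relationship to it, so application databases, logs and analytics hold only tokens while the real values sit in a separately secured vault. The following is an added example, not from the original post: an in-memory token vault for card numbers. The card number is the well-known test value 4111 1111 1111 1111, and the roles and the vault itself are constructed placeholders; a production vault is a separate, access-controlled service.

```python
"""Vault-based tokenization of a primary account number (PAN).

Added example, not from the original post. The card number used below is the
well-known test value 4111 1111 1111 1111; the roles and the in-memory vault
are constructed placeholders. A production vault is a separately secured,
access-controlled service.
"""
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so we only tokenize strings that look like a PAN."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Token <-> value map. Tokens are random, so nothing about the PAN can be
    derived from a token without access to the vault."""

    ROLES_ALLOWED_TO_DETOKENIZE = {"payment-processor"}   # constructed role name

    def __init__(self):
        self._by_token: dict = {}
        self._by_value: dict = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._by_value:          # same input, same token: joins still work
            return self._by_value[pan]
        while True:
            # Keep the last four digits visible for receipts; the rest is random.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_value[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the vault can reverse a token, and only for authorised roles."""
        if role not in self.ROLES_ALLOWED_TO_DETOKENIZE:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._by_token[token]


def checkout(vault: TokenVault, pan: str) -> dict:
    """What the application database stores: the token, never the PAN."""
    return {"customer": "C-1001", "card": vault.tokenize(pan)}   # constructed record


if __name__ == "__main__":
    vault = TokenVault()
    record = checkout(vault, "4111111111111111")
    print(record)
    print(vault.detokenize(record["card"], "payment-processor"))
```

The design choice worth noting is the stable mapping (the same PAN always yields the same token): it lets downstream systems count or join on the token without ever seeing the value, which is exactly what keeps those systems out of scope for the handling requirements that apply to the real data.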
Data Remanence
Data remanence occurs when data destruction efforts prove insufficient and some remnants of the data are still recoverable.
There are 3 techniques for media sanitization:
- Clearing : Media is formatted or overwritten once. This is the least effective method, and data can still be recovered if you rely on this technique alone.
- Purging : Overwriting multiple times, degaussing (only for magnetic media like HDDs or tapes), crypto-shredding… With these techniques, the data should be unrecoverable.
- Destruction : This is the most effective method, but the media is entirely destroyed. Examples include incineration and disk shredding. Drilling a hole in the media, however, is not an adequate way to destroy it: data can still be recovered.
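Crypto-shredding, listed above under purging, is the one sanitization technique that can be shown end to end in software: data is only ever written as ciphertext, and destroying the key makes every copy of that ciphertext (backups, snapshots, remanent sectors) unrecoverable without touching the media. The following is an added example, not from the original post. Its cipher is a toy keystream construction (HMAC-SHA256 in counter mode) built from the standard library so that the block runs anywhere; a real system would use a vetted AEAD such as AES-GCM, and the key would live and be destroyed in an HSM or KMS rather than in a Python attribute.

```python
"""Crypto-shredding: encrypt data under a key, then destroy the key, so the
stored ciphertext becomes unrecoverable without touching the media.

Added example, not from the original post. The cipher is a toy keystream
construction (HMAC-SHA256 in counter mode) built from the standard library so
the block runs anywhere; a real system would use a vetted AEAD such as
AES-GCM, and the key would live and die in an HSM or KMS.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-mode keystream: HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)   # fresh nonce per message
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class EncryptedStore:
    """Records are only ever written as ciphertext; the key is kept apart."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self.records = {}

    def put(self, name: str, data: bytes) -> None:
        self.records[name] = encrypt(self._key, data)

    def get(self, name: str) -> bytes:
        if self._key is None:
            raise RuntimeError("key destroyed: record is unrecoverable")
        return decrypt(self._key, self.records[name])

    def crypto_shred(self) -> None:
        """Purge by key destruction. The ciphertext stays on the media but is
        now indistinguishable from random bytes to anyone who finds it."""
        self._key = None

    def still_has_ciphertext(self, name: str) -> bool:
        return name in self.records


def demo() -> dict:
    """Constructed walk-through; returns the observations a test can check."""
    store = EncryptedStore()
    sample = b"alice,4111111111111111\n"          # constructed record
    store.put("customer.csv", sample)
    before = store.get("customer.csv")
    store.crypto_shred()
    try:
        store.get("customer.csv")
        readable_after = True
    except RuntimeError:
        readable_after = False
    # Someone who recovers the ciphertext and guesses a key gets garbage.
    wrong_key_output = decrypt(bytes(32), store.records["customer.csv"])
    return {"before": before, "readable_after": readable_after,
            "ciphertext_retained": store.still_has_ciphertext("customer.csv"),
            "wrong_key_output": wrong_key_output}


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that `records` is never touched by the purge: the sanitization target is the key, which is small and lives in one place, rather than every sector the data may have been written to.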
Guidelines and standards for Media Sanitization include :
- NSA/CSS Policy Manual 9-12
- NIST SP 800-88 “Guidelines for Media Sanitization”.
We have now gone through all items that domain 2 of the CISSP covers. If you notice that there is some important concept that I have forgotten to mention in this review, please let me know in the comments below.