Chapter 5: Assets PDF
Summary
This document details concepts related to data security and asset protection. It discusses the importance of data subjects, risk management, data retention, and the data life cycle, covering different aspects like classification, controls and cryptography. It's relevant to professions dealing with data management and security.
Chapter 5: Assets 245

best ways to address this issue are through training and auditing. On the one hand, data processors must be properly trained to handle their duties and responsibilities. On the other hand, there must be routine inspections to ensure their behavior complies with all applicable laws, regulations, and policies.

Data Subjects

All personal data concerns a real individual. The person about whom the data is concerned is the data subject. While data subjects are seldom involved in the organizational data life cycle, we all have a solemn duty to protect them and their privacy as we use their data for our own purposes. Respect for the data subjects is foundational to ensuring the protection and privacy of their data.

Chapter Review

Protecting assets, particularly information, is critical to any organization and must be incorporated into the comprehensive risk management process described in Chapter 2. This protection will probably require different controls at different phases in the data life cycle, so it is important to consider phase-specific risks when selecting controls. Rather than trying to protect all information equally, our organizations need classification standards that help us identify, handle, and protect data according to its sensitivity and criticality. We must also consider the roles played by various people in the organization. From the senior executives to the newest and most junior member of the team, everyone who interacts with our information has (and should understand) specific responsibilities with regard to protecting our assets. A key responsibility is the protection of privacy of personal information. For various legal, regulatory, and operational reasons, we want to limit how long we hold on to personal information. There is no one-size-fits-all approach to data retention, so it is incumbent on the organization's leadership to consider a multitude of factors when developing privacy and data retention policies. These policies, in turn, should drive risk-based controls, baselines, and standards applied to the protection of our data. A key element in applying controls needs to be the proper use of strong cryptography.

Quick Review

• Data goes through a life cycle that starts with its acquisition and ends with its disposal.
• Each phase of the data life cycle requires different considerations when assessing risks and selecting controls.
• New information is prepared for use by adding metadata, including classification labels.

CISSP All-in-One Exam Guide 246

• Ensuring the consistency of data must be a deliberate process in organizations that use data replication.
• Cryptography can be an effective control at all phases of the data life cycle.
• The data retention policy drives the timeframe at which data transitions from the archival phase to the disposal phase of its life cycle.
• Information classification corresponds to the information's value to the organization.
• Each classification should have separate handling requirements and procedures pertaining to how that data is accessed, used, and destroyed.
• Senior executives are ultimately responsible to the shareholders for the successes and failures of their corporations, including security issues.
• The data owner is the manager in charge of a specific business unit and is ultimately responsible for the protection and use of a specific subset of information.
• Data owners specify the classification of data, and data custodians implement and maintain controls to enforce the set classification levels.
• The data retention policy must consider legal, regulatory, and operational requirements.
• The data retention policy should address what data is to be retained, where, how, and for how long.
• Electronic discovery (e-discovery) is the process of producing for a court or external attorney all electronically stored information (ESI) pertinent to a legal proceeding.
• Normal deletion of a file does not permanently remove it from media.
• NIST SP 800-88, Revision 1, Guidelines for Media Sanitization, describes the best practices for combating data remanence.
• Overwriting data entails replacing the 1's and 0's that represent it on storage media with random or fixed patterns of 1's and 0's to render the original data unrecoverable.
• Degaussing is the process of removing or reducing the magnetic field patterns on conventional disk drives or tapes.
• Privacy pertains to personal information, both from your employees and your customers.
• Generally speaking, organizations should collect the least amount of private personal data required for the performance of their business functions.
• Mobile devices are easily lost or stolen and should proactively be configured to mitigate the risks of data loss or leakage.
• Paper products oftentimes contain information that deserves controls commensurate to the sensitivity and criticality of that information.
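The two review points about deletion and overwriting are easier to grasp when you can watch the bytes. The following is an added example, not text or code from the exam guide and not NIST's own tooling: a constructed toy block device in Python in which "deleting" a file drops only its directory entry, so a raw scan of the media (what a forensic or recovery tool does) still finds the content, while an overwrite pass over the freed blocks with fixed and then random patterns renders it unrecoverable. The class name ToyDisk, the block size, the pattern sequence, and the sample record are all assumptions made for the illustration.

```python
"""
Constructed simulation of data remanence on a block device (added example).

"Deleting" a file in a typical file system removes only the directory entry
that points at the data blocks; the bytes stay on the media until something
overwrites them. Sanitizing by overwriting replaces those bytes. This is a
toy model, not a real file system and not NIST SP 800-88's own procedure.
"""
import os

BLOCK_SIZE = 16  # assumed tiny block size so the whole disk is easy to inspect


class ToyDisk:
    """A tiny block device: fixed-size blocks plus a directory (hypothetical)."""

    def __init__(self, n_blocks: int = 8):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.directory: dict[str, list[int]] = {}   # filename -> block indexes
        self.free = list(range(n_blocks))            # unallocated block indexes

    def write_file(self, name: str, data: bytes) -> None:
        """Split data into blocks, allocate from the free list, record in directory."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = []
        for chunk in chunks:
            idx = self.free.pop(0)
            self.blocks[idx][:] = chunk.ljust(BLOCK_SIZE, b"\x00")
            used.append(idx)
        self.directory[name] = used

    def delete_file(self, name: str) -> None:
        """Normal deletion: drop the directory entry and mark the blocks free.
        The block contents are NOT touched, which is exactly data remanence."""
        self.free.extend(self.directory.pop(name))

    def raw_image(self) -> bytes:
        """What a recovery tool sees: every block, regardless of the directory."""
        return b"".join(bytes(b) for b in self.blocks)

    def remnant_present(self, needle: bytes) -> bool:
        """True if the given bytes can still be found anywhere on the raw media."""
        return needle in self.raw_image()

    def clear_free_space(self, passes=(b"\x00", b"\xff", None)) -> int:
        """Overwrite every free block with fixed patterns and then a random
        pattern (an overwrite-based sanitization of the kind the guide calls
        'overwriting'). Returns the number of blocks overwritten."""
        for idx in self.free:
            for pattern in passes:
                if pattern is None:
                    self.blocks[idx][:] = os.urandom(BLOCK_SIZE)
                else:
                    self.blocks[idx][:] = pattern * BLOCK_SIZE
        return len(self.free)


def demo() -> dict:
    """Walk one record through write, delete, and overwrite; report what remains."""
    disk = ToyDisk()
    secret = b"SSN=123-45-6789"  # constructed sample sensitive record, not real data
    disk.write_file("hr.txt", secret)
    disk.delete_file("hr.txt")
    after_delete = disk.remnant_present(secret)   # True: deletion left the bytes
    disk.clear_free_space()
    after_clear = disk.remnant_present(secret)    # False: blocks were overwritten
    return {
        "listed_after_delete": "hr.txt" in disk.directory,
        "remnant_after_delete": after_delete,
        "remnant_after_clear": after_clear,
    }


if __name__ == "__main__":
    print(demo())
```

Running the module shows the file vanishing from the directory listing while the record is still present in the raw image, and only the overwrite pass removes it. On real media the same idea holds, with the caveats the guide's reference to NIST SP 800-88 implies: flash devices remap blocks beneath the operating system, so a software overwrite of "free space" may not reach every copy, which is why the standard treats overwriting as one option among several rather than a universal answer.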