PHYSICAL SECURITY
Chapter 5 Protecting Security of Assets
Identify and Classify Assets
Defining Sensitive Data
Defining Classifications
Determining Data Security Controls
Understanding Data States
Handling Information and Assets
Data Protection Methods
Determining Ownership
Data Processors
Using Security Baselines
Overview
Defining Sensitive Data
Personally Identifiable Information (PII)
NIST SP 800-122
Protected Health Information (PHI)
HIPAA
Proprietary Data
Defining Classifications 1/3
Government/Military
Top Secret
Secret
Confidential
Unclassified
For Official Use Only (FOUO)
Sensitive but Unclassified (SBU)
Non-government
Class 3, 2, 1, 0
Defining Classifications 2/3
Defining Classifications 3/3
Civilian
Confidential or Proprietary
Private
Sensitive
Public
Defining Asset Classifications
Asset classification should match system classifications for use/access
Determining Data Security Controls
Define a policy for all forms and locations of data
Encrypt all the things
Consider the value of data
Use labels and enforcement
Use data loss prevention (DLP)
Set requirements for:
Communications, Storage, and Backups
Understanding Data States
Data at rest
Data in motion
Data in use
Encryption
Authentication
Authorization
Handling Information and Assets 1/4
Marking Sensitive Data and Assets
Physical and logical labeling
Assists with DLP and human handling
Address downgrading
Handling Sensitive Information and Assets
Be aware of common loss of control situations, such as backups and cloud storage
Handling Information and Assets 2/4
Storing Sensitive Data
Use storage encryption
Manage the environment
Provide quality storage devices for long-term retention
Destroying Sensitive Data
NIST SP 800-88r1, “Guidelines for Media Sanitization”
Handling Information and Assets 3/4
Eliminating Data Remanence
HDD vs. SSD/flash
Sanitization
Erasing
Clearing
Purging
Degaussing
Destruction
Declassification
Handling Information and Assets 4/4
Ensuring Appropriate Asset Retention
Record retention
Media, system retention
Employees and NDAs
A necessary element of a security policy
Data Protection Methods
Protecting Data with Symmetric Encryption
AES
Triple DES
Blowfish
Protecting Data with Transport Encryption
TLS
VPN
IPsec
SSH
Determining Ownership 1/4
Data Owners
Asset Owners/System Owners
Business/Mission Owners
Data Processors (next slide)
Determining Ownership 2/4
Data Processors
The person or entity that controls processing of the data
GDPR
EU-US Privacy Shield
Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; Recourse, Enforcement, and Liability
Determining Ownership 3/4
Pseudonymization
Artificial identifiers
Anonymization
Inferencing
Data masking and randomization
Administrators
Determining Ownership 4/4
Custodians
Users
Protecting Privacy
HIPAA
California Online Privacy Protection Act of 2003 (CalOPPA)
Personal Information Protection and Electronic Documents Act (Canada)
GDPR
NIST SP 800-53
Scoping
Selecting controls that specifically apply to the protected target
Tailoring
Adjust security control baseline to align with organization mission
Selecting Standards
Contractual vs. regulation/legislation
Using Security Baselines
Conclusion
Read the Exam Essentials
Review the Chapter
Perform the Written Labs
Answer the Review Questions