profileraj9999
ch05.pptx

Chapter 5 Protecting Security of Assets

Identify and Classify Assets

Defining Sensitive Data

Defining Classifications

Determining Data Security Controls

Understanding Data States

Handling Information and Assets

Data Protection Methods

Determining Ownership

Data Processors

Using Security Baselines

Overview

Defining Sensitive Data

Personally Identifiable Information (PII)

NIST SP 800-122

Protected Health Information (PHI)

HIPAA

Proprietary Data

Defining Classifications 1/3

Government/Military

Top Secret

Secret

Confidential

Unclassified

For Official Use Only (FOUO)

Sensitive but Unclassified (SBU)

Non-government

Class 3 (highest) down to Class 0 (lowest)

Defining Classifications 2/3

Defining Classifications 3/3

Civilian

Confidential or Proprietary

Private

Sensitive

Public

Defining Asset Classifications

Asset classification should match system classifications for use/access

Determining Data Security Controls

Define a policy for all forms and locations of data

Encrypt sensitive data at rest and in transit (the protection is only as strong as the key management behind it)

Consider the value of data

Use labels and enforcement

Use data loss prevention (DLP)

Set requirements for:

Communications, Storage, and Backups
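The "use labels and enforcement" and "use DLP" bullets above, as an added example that is not part of the original slides. It applies the civilian scheme (Public, Sensitive, Private, Confidential) as an ordered lattice: an asset may be stored only on a system accredited at its label or higher, and the same rule decides whether a labeled document may leave over a given channel. The `LABEL:`/`CLASSIFICATION:` marker, the system clearances, and the sample strings are constructed for illustration; the SSN and card-number patterns are deliberately simple.

```python
"""Label enforcement plus a minimal DLP content check (added example)."""
import re
from dataclasses import dataclass

# Civilian classification scheme from the slides, ordered low -> high.
LEVELS = {"public": 0, "sensitive": 1, "private": 2, "confidential": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    label: str


@dataclass(frozen=True)
class System:
    name: str
    clearance: str  # highest label the system is accredited to hold


def can_flow(src_label: str, dst_label: str) -> bool:
    """Data may move only to a destination accredited at its label or higher
    (no write-down). This one rule drives both storage and DLP decisions."""
    return LEVELS[src_label] <= LEVELS[dst_label]


def can_store(asset: Asset, system: System) -> bool:
    """Asset classification must not exceed the system classification."""
    return can_flow(asset.label, system.clearance)


# DLP content inspection: a logical label marker (constructed convention for
# this example) plus two PII patterns.
LABEL_RE = re.compile(r"^(?:LABEL|CLASSIFICATION):\s*([A-Za-z]+)",
                      re.IGNORECASE | re.MULTILINE)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and timestamps that merely
    look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def dlp_check(text: str, channel_clearance: str = "public") -> list:
    """Return the reasons this text must not leave over the given channel
    (empty list means the transfer is allowed)."""
    findings = []
    m = LABEL_RE.search(text)
    if m and m.group(1).lower() in LEVELS:
        label = m.group(1).lower()
        if not can_flow(label, channel_clearance):
            findings.append(f"labeled {label} exceeds channel {channel_clearance}")
    if SSN_RE.search(text):
        findings.append("possible SSN")
    for pan in PAN_RE.findall(text):
        if luhn_ok(pan):
            findings.append("possible card number")
    return findings


if __name__ == "__main__":
    payroll = Asset("payroll.xlsx", "confidential")
    for target in (System("hr-db", "confidential"), System("web-cache", "public")):
        print(f"{target.name} may hold {payroll.name}: {can_store(payroll, target)}")
    print(dlp_check("LABEL: Confidential\nQ3 numbers attached", "public"))
```

The label check is only as good as the marking: unlabeled content is why the PII patterns are there, and why the slides pair labels with DLP rather than relying on either alone.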

Understanding Data States

Data at rest

Data in motion

Data in use

Encryption

Authentication

Authorization

Handling Information and Assets 1/4

Marking Sensitive Data and Assets

Physical and logical labeling

Assists with DLP and human handling

Address downgrading

Handling Sensitive Information and Assets

Be aware of common loss of control situations, such as backups and cloud storage

Handling Information and Assets 2/4

Storing Sensitive Data

Use storage encryption

Manage the environment

Provide quality storage devices for long term retention

Destroying Sensitive Data

NIST SP 800-88r1, “Guidelines for Media Sanitization”

Handling Information and Assets 3/4

Eliminating Data Remanence

HDD vs. SSD/flash (overwriting and degaussing are unreliable on flash: wear leveling remaps logical addresses and flash is not magnetic; use the drive's built-in sanitize or cryptographic erase, or destroy the device)

Sanitization (umbrella term for the methods below)

Erasing (ordinary deletion; only the directory entry is removed and the data remains recoverable)

Clearing (overwriting; defeats recovery with standard tools)

Purging (more intensive; defeats laboratory recovery techniques)

Degaussing (magnetic media only; leaves the drive unusable)

Destruction (shredding, incineration, pulverizing; the only acceptable method for the most sensitive data)

Declassification (reusing media at a lower classification after sanitization; usually costs more than buying new media)
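The difference between erasing, clearing and a cryptographic purge, as an added example that is not part of the original slides. `ToyDisk` is a constructed in-memory stand-in for a drive (a flat byte array plus a directory), so the effect of each method on a forensic image can be checked directly. The HMAC-SHA256 counter keystream is a toy cipher used only so the example runs with the standard library; real crypto-erase relies on the drive's AES (self-encrypting drive, sanitize command) or a disk-encryption layer.

```python
"""Simulated media sanitization: erase vs. clear vs. crypto-erase (added example)."""
import hashlib
import hmac
import os


class ToyDisk:
    """Constructed stand-in for a drive: raw blocks plus a directory."""

    def __init__(self, size: int):
        self.blocks = bytearray(size)   # what a forensic image would capture
        self.directory = {}             # name -> (offset, length)
        self._next = 0

    def write(self, name: str, data: bytes) -> None:
        off = self._next
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self._next += len(data)

    def read(self, name: str) -> bytes:
        off, n = self.directory[name]
        return bytes(self.blocks[off:off + n])

    def erase(self, name: str) -> None:
        """Ordinary delete: only the directory entry goes away."""
        del self.directory[name]

    def clear(self, name: str, passes: int = 1) -> None:
        """Overwrite the data blocks, then unlink. On SSD/flash the controller
        may remap the logical address so the overwrite misses the old cells;
        prefer the drive's sanitize command or crypto-erase there."""
        off, n = self.directory[name]
        for _ in range(passes):
            self.blocks[off:off + n] = os.urandom(n)
        self.blocks[off:off + n] = bytes(n)
        del self.directory[name]

    def forensic_image(self) -> bytes:
        return bytes(self.blocks)


def remnant_present(disk: ToyDisk, data: bytes) -> bool:
    """Would a raw dump of the media still contain the data?"""
    return data in disk.forensic_image()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (assumption: HMAC-SHA256 counter keystream).
    The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def crypto_erase(key: bytearray) -> None:
    """Purge by destroying the key: the ciphertext stays on the media but
    nothing can turn it back into plaintext."""
    for i in range(len(key)):
        key[i] = 0


if __name__ == "__main__":
    secret = b"ACCOUNT 9981 PIN 4242"   # constructed sample data
    disk = ToyDisk(256)
    disk.write("notes.txt", secret)
    disk.erase("notes.txt")
    print("after erase, remnant present:", remnant_present(disk, secret))
    key = bytearray(os.urandom(32))
    vault = ToyDisk(256)
    vault.write("vault.bin", keystream_xor(bytes(key), secret))
    print("encrypted at rest, remnant present:", remnant_present(vault, secret))
    crypto_erase(key)
    print("after crypto-erase, decrypts:", keystream_xor(bytes(key), vault.read("vault.bin")) == secret)
```

The crypto-erase path is why "encrypt data at rest" belongs on the same slide as sanitization: once the key is gone, purging the media reduces to purging a 32-byte key, which is the only practical option for flash and for cloud storage you do not physically control.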

Handling Information and Assets 4/4

Ensuring Appropriate Asset Retention

Record retention

Media, system retention

Employees and NDAs

A necessary element of a security policy

Data Protection Methods

Protecting Data with Symmetric Encryption

AES

Triple DES (deprecated by NIST SP 800-131A; not to be used for new encryption)

Blowfish (64-bit block size; legacy, superseded by AES)

Protecting Data with Transport Encryption

TLS

VPN

IPsec

SSH

Determining Ownership 1/4

Data Owners

Asset Owners/System Owners

Business/Mission Owners

Data Processors (next slide)

Determining Ownership 2/4

Data Processors

A natural or legal person, agency or other body that processes personal data on behalf of a data controller; the controller, not the processor, determines the purposes and means of the processing (GDPR Art. 4)

GDPR

EU-US Privacy Shield (invalidated by the CJEU in Schrems II, July 2020; succeeded in 2023 by the EU-US Data Privacy Framework)

Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; Recourse, Enforcement, and Liability

Determining Ownership 3/4

Pseudonymization

Artificial identifiers (reversible: the controller keeps the key or lookup table that links a pseudonym back to the person)

Anonymization

Irreversible; but aggregated or generalized data can still be re-identified by

Inferencing (combining released records with other data sources to single out an individual)

Data masking and randomization

Administrators
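The pseudonymization, inference and masking bullets above, as an added example that is not part of the original slides. It contrasts an unkeyed hash (which an attacker can recompute over a candidate list, the inference attack) with a keyed HMAC pseudonym that stays linkable across records but unlinkable without the controller's key, and adds masking and age generalization. The sample identifiers and the candidate list are constructed.

```python
"""Pseudonymization, inference (re-identification) and masking (added example)."""
import hashlib
import hmac
import secrets


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash: looks anonymous, but anyone can recompute it for a guess."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()[:16]


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC under a secret held by the controller: same input -> same token
    (linkable across records), but not reversible without the key."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def infer_identity(token: str, candidates, pseudonymize):
    """Inference attack: recompute tokens for plausible identifiers and match."""
    for cand in candidates:
        if hmac.compare_digest(pseudonymize(cand), token):
            return cand
    return None


def mask_email(email: str) -> str:
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def mask_pan(pan: str) -> str:
    """Show only the last four digits of a card number."""
    return "*" * (len(pan) - 4) + pan[-4:]


def generalize_age(age: int) -> str:
    """Anonymization by generalization: a 10-year band instead of an exact age."""
    lo = age // 10 * 10
    return f"{lo}-{lo + 9}"


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Record layout (email, card, age, purchase) is an assumption of this example."""
    return {
        "subject": keyed_pseudonym(record["email"], key),
        "email_display": mask_email(record["email"]),
        "card": mask_pan(record["card"]),
        "age_band": generalize_age(record["age"]),
        "purchase": record["purchase"],
    }


if __name__ == "__main__":
    candidates = ["alice@example.com", "bob@example.com", "carol@example.com"]
    weak = naive_pseudonym("bob@example.com")
    print("unkeyed hash re-identified as:", infer_identity(weak, candidates, naive_pseudonym))
    key = secrets.token_bytes(32)          # held only by the data controller
    strong = keyed_pseudonym("bob@example.com", key)
    print("keyed pseudonym re-identified as:", infer_identity(strong, candidates, naive_pseudonym))
    print(pseudonymize_record({"email": "bob@example.com", "card": "4111111111111111",
                               "age": 34, "purchase": "shoes"}, key))
```

Whoever holds `key` can still re-identify every subject, which is exactly why GDPR treats pseudonymized data as personal data and why the key must be stored and access-controlled separately from the pseudonymized dataset.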

Determining Ownership 4/4

Custodians

Users

Protecting Privacy

HIPAA

California Online Privacy Protection Act of 2003 (CalOPPA)

Personal Information Protection and Electronic Documents Act (Canada)

GDPR

Using Security Baselines

NIST SP 800-53

Scoping

Selecting controls that specifically apply to the protected target

Tailoring

Adjust security control baseline to align with organization mission

Selecting Standards

Contractual vs. regulation/legislation

Conclusion

Read the Exam Essentials

Review the Chapter

Perform the Written Labs

Answer the Review Questions