OLAJIDE KUKU
CISSP - ASSET SECURITY
ASSET SECURITY
Objectives of Domain:
• Classification of information and supporting assets.
• Determine and maintain ownership.
• Protect privacy and ensure appropriate retention.
• Determine data security controls.
• Establish handling requirements.
DATA MANAGEMENT:
Determine and Maintain Ownership
• Data policy
• Roles and responsibility
• Data ownership
• Data custodianship
• Data quality
Data Policy
• A sound data policy that defines long-term strategic goals for data management across the enterprise is required.
• Such a policy must consider:
  • Ownership and custodianship
  • Privacy
  • Liability
  • Sensitivity
  • Existing laws and policy requirements
  • Policy and process
Roles and Responsibilities
• For data management goals to be met, all requirements must be understood by all stakeholders.
• All roles and responsibilities must be clearly defined.
• Data ownership must be established.
• Instill data accountability.
• Data quality and metadata metrics are maintained on a continuous basis.
Data Ownership
• An individual in the organization must be responsible for data.
• Such an individual must be capable of determining the impact of the data on the mission of the organization.
• Understand the replacement cost of data (if replacement is possible).
• Determine who needs the data, both inside and outside the organization.
• Know when data is no longer needed and should be destroyed.
• Know the intellectual property rights and copyright regime of data.
• Know policies regarding data security, disclosure control, release, pricing, and dissemination.
• Compliance obligations, statutory and non-statutory.
• Must be familiar with agreements for use by users and customers.
Data Custodianship
• Data custodians must ensure that important datasets are developed, maintained and are accessible. For example, a DBA.
• Adhere to appropriate and relevant data policy and ownership guidelines.
• Ensure accessibility to appropriate users, while appropriate security levels to datasets are maintained.
• Ensure dataset maintenance, including but not limited to storage and archiving.
• Dataset documentation, including updates to documentation.
• Assurance of quality and validation and periodic audits to ensure integrity.
Data Quality
• Quality of data is analogous to fitness for use or potential use.
• Stages of data management must all ensure quality:
  • Capture and recording
  • Manipulation prior to digitization
  • Identification of the collection
  • Digitization
  • Documentation
  • Storage and archiving
  • Presentation (paper and electronic publications, Web-enabled databases, etc.)
  • Using the data (analysis and manipulation)
Data Quality
• Data quality standards may be available for:
  • Accuracy
  • Precision
  • Resolution
  • Reliability
  • Repeatability
  • Reproducibility
  • Currency
  • Relevance
  • Ability to audit
  • Completeness
  • Timeliness
Data Documentation & Organization
• Documented for use now and into the future.
• Data longevity is roughly proportional to its comprehensiveness in documentation.
• Objectives of data documentation:
  • Ensures its longevity and reuse for multiple purposes.
  • Ensures that users understand the content, context, and limitations.
  • Facilitates the discovery of datasets.
  • Facilitates the interoperability of datasets and data exchange.
• Metadata is data about data and provides information on the identification, quality, spatial context, data attributes, and distribution of datasets using common terminology.
Data Standards
• Data lifecycle control – complete lifecycle must be well managed.
• Data specification and modeling – thorough user requirements must be gathered and also well modeled.
• Database maintenance – effective maintenance cannot be over-emphasized.
• Data audit – good data management requires ongoing audit.
  • Audit must identify information needs of the organization.
  • Uncover duplications, inefficiencies, and areas of over-provision.
  • Recognize effective data management practices.
Longevity & Use
• Data security – involves systems, processes, and procedures that protect a database from unintended use. Security must be implemented in layers. Risk assessment of the database should be performed periodically.
• Comprehensive strategies must be employed to ensure data security.
Data Security
• Comprehensive strategies must be employed to ensure data security.
• Security involves systems, processes, and procedures that protect a database from unintended activity.
• Unintended activity includes misuse, malicious attacks, inadvertent mistakes, and access by individuals or processes, whether authorized or not.
• A defense-in-depth approach must be considered for data protection.
Data Access, Sharing, & Dissemination
• Data and information must be readily accessible to all authorized users.
• Many issues to address include:
  • Relevant data policies and data ownership established to determine issues of access and use.
  • Format appropriate for end-users.
  • Various levels of differentiated access needed and deemed appropriate.
  • Cost of providing data versus cost of providing access to data.
  • Issues of private and public domain in the context of data being collected.
  • Liability issues including accuracy, recommended use, and use restrictions, etc.
  • A carefully worded disclaimer statement should be included in the metadata to free the provider or anyone associated with the dataset of any legal responsibility for misuse or inaccuracies in the data.
  • Jurisdictional issues regarding where data is at rest, in transit, or where it is being consumed.
  • Intentional obfuscation of detail to protect sensitive data.
Data Publishing
• When publishing data, attention must be paid to all aspects, including the clarity, sensitivity, labels, etc.
• Media storing sensitive information requires physical and logical controls.
• Policies must be in place regarding marking of media.
• Storage media must have a physical label identifying the sensitivity of information contained.
• Only designated personnel must have access to sensitive media.
• Sensitive media must be stored in a security container.
• Media no longer needed must be destroyed rather than simply disposed of.
• Information retention policies must clearly define periods of retention, taking into account laws and regulatory/compliance requirements.
Information Classification & Supporting Assets
Data Classification:
Different organizations create and maintain different types of data. To effectively provide the required security for such data, without overspending time and money, it is important to understand each data type and its importance to the organization, not forgetting the impact on the organization should such data be compromised!
Hence the need for classification.
Data Classification
• Scope (value, age)
• Classification controls (responsibility to define security level for classification & declassification, etc.)
• Assurance (identify the right protection mechanism)
• Marking and labeling
Data/Information Classification
• Private Business vs. Govt./Military
  • To address different security concerns, private sector businesses and the military adopt different data classification schemes.
Data Classification
• Private Business
  • Confidential
  • Private
  • Sensitive
  • Public
• Govt./Military
  • Top secret
  • Secret
  • Confidential
  • Sensitive but Unclassified
  • Unclassified
Data Classification Criteria
• Age of data
• Data owners or manipulators
• Data storage location
• Impact of data on national security
• Encryption status of data
• Monetary value of data
• Regulatory laws required for specific data
• Repercussions if data was altered or corrupted
• Repercussions if data was leaked or disclosed
• Separation of duties status of the data
• Usefulness of data
• Etc., etc.
Asset Management
• Software licensing
• Equipment lifecycle
Privacy Protection
• Privacy laws can be traced as far back as 1361 in England, to arrest the peeping toms and eavesdroppers.
• Various countries enacted their individual laws thereafter.
• The modern privacy benchmark can be found in the 1948 Universal Declaration of Human Rights, which protects territorial and communications privacy.
• The U.S.-EU Safe Harbor Framework is an example of a data protection agreement between both sides of the Atlantic.
Appropriate Retention
• Media
• Hardware
• Personnel
Company “X” Data Retention Policy
• Key principles
  • Data must be stored securely and appropriately with regard to sensitivity and confidentiality.
  • Data must be retained for only as long as necessary, etc., etc.
• Storage
  • Use secure data centers for storage.
  • Only authorized personnel should have access to data, etc., etc.
• Retention
  • Follow required laws and regulations for data retention. For example, the Data Protection Act stipulates that personal data processed for any purpose “shall not be kept for longer than necessary for that purpose”. The maximum number of years of retention is regarded as 5 years.
• Destruction and disposal
  • Follow procedures for destruction and disposal.
  • NIST SP 800-88 Revision 1 stipulates guidelines for Media Sanitization.
Determine Data Security Controls
Information States:
• Processing
  • When data is run through a computer and actions are performed on such data by the machines.
  • Data can be changed while being processed in many ways.
• Transmission
  • Data moving across a network (wired or wireless).
  • Several security issues abound.
  • Different data require different protection.
• Storage
  • Data on hard drives, USB-based devices, portable devices, and other media.
Data at Rest, in Transit, & Baselines
• Data at rest can be protected through the use of cryptographic algorithms, among other mechanisms.
• Modern cryptography helps to provide secure and confidential methods to transmit data and also facilitates the verification of the integrity of the message.
• Certain fundamental security elements form a baseline for information protection (p. 228-230).
Scoping & Tailoring
• Standards and guidelines are developed after extensive consultation with numerous stakeholders. Such a move helps to avoid unnecessary and costly duplication.
• Scoping guidelines provide organizations with specific terms and conditions regarding application and implementation of individual security controls. Scoping allows organizations to review baseline security controls and select those that apply to the IT systems in need of protection.
• Tailoring provides organizations the flexibility needed to avoid approaches or initiatives that are needless to their specific environment. Tailoring allows organizations to modify security controls within a baseline so that they align with the mission of the organization.
Standards Selection
• Security professionals must be familiar with a plethora of standards and the entities responsible for them.
• Common among them are ISO, ITU, IETF, etc., etc.
United States Resources
• US DOD
• NSA
• NIST and its Publications
• FIPS
• Etc., etc.
International Resources
• Cybersecurity strategy of the EU
• European Network and Information Security Agency (ENISA)
National Cyber Security Framework Manual
• Provides detailed information and in-depth frameworks for understanding the various facets of National Cyber Security.
Framework for Improving Critical Infrastructure Cybersecurity
• Released by NIST on February 12, 2014, this framework provides a common taxonomy (method of classification) and mechanism for organizations to:
  • Describe their current cybersecurity posture
  • Describe their target state for cybersecurity
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
  • Assess progress toward the target state
  • Communicate among internal and external stakeholders about cybersecurity risk.
GOOD LUCK!

Editor's Notes

  • #1 Asset Security comprises 10% of the CISSP exam. This domain addresses the physical requirements of information security. It covers: The classification and ownership of information and assets; Privacy; Asset retention, including EoL (end-of-life) and EoS (end-of-support) processes; Stages of the data lifecycle; Data security controls; and
  • #11 See slide 8
  • #21 The four phases of the equipment lifecycle are planning, procurement/acquisition, operation/maintenance, and disposal.