CUIT420:
CYBER SECURITY
MS CHIMHENO
rchimheno@cut.ac.zw
Office: E-12
L2 – PROTECTING SECURITY OF ASSETS
LEARNING OUTCOMES
At the end of this lecture students should be able to:
 Identify and classify information and assets
 Protect privacy
 Explain data security controls
 Establish information and asset handling requirements
INTRODUCTION
 The Asset Security domain focuses on collecting, handling, and
protecting information throughout its lifecycle.
 A primary step in this domain is classifying information based
on its value to the organization.
 All follow-on actions vary depending on the classification. For
example, highly classified data requires stringent security
controls. In contrast, unclassified data uses fewer security
controls.
IDENTIFY AND CLASSIFY ASSETS
 One of the first steps in asset security is identifying and
classifying information and assets.
 In this context, assets include sensitive data, the hardware used
to process it, and the media used to hold it.
 Organizations often include classification definitions within a
security policy.
 Personnel then label assets appropriately based on the security
policy requirements.
IDENTIFY AND CLASSIFY ASSETS
 Steps to Identifying and classifying assets:
1) Defining Sensitive Data
2) Defining Data Classifications
3) Defining Asset Classifications
4) Determining Data Security Controls
5) Understanding Data States
6) Handling Information Assets
7) Data Protection Method
IDENTIFY AND CLASSIFY ASSETS
1. DEFINING SENSITIVE DATA
 Sensitive data is any information that isn’t public or unclassified.
 It can include confidential, proprietary, protected, or any other
type of data that an organization needs to protect due to its
value to the organization, or to comply with existing laws and
regulations.
1. DEFINING SENSITIVE DATA
 Types of Sensitive Data
Personally identifiable information (PII) is any information that can
identify an individual.
- National Institute of Standards and Technology (NIST) Special
Publication (SP) 800-122 provides a more formal definition:
Any information about an individual maintained by an agency,
including
(1) any information that can be used to distinguish or trace an
individual’s identity, such as name, social security number, date
and place of birth, mother’s maiden name, or biometric records;
and
(2) any other information that is linked or linkable to an individual,
1. DEFINING SENSITIVE DATA
 Types of Sensitive Data
Protected health information (PHI) is any health-related information that
can be related to a specific person
- Health information means any information, whether oral or recorded in any
form or medium, that—
(A) is created or received by a health care provider, health plan, public
health authority, employer, life insurer, school or university, or health care
clearinghouse; and
(B) relates to the past, present, or future physical or mental health or
condition of any individual, the provision of health care to an individual, or
the past, present, or future payment for the provision of health care to an
individual (HIPAA)
1. DEFINING SENSITIVE DATA
 Types of Sensitive Data
Proprietary data refers to any data that helps an organization
maintain a competitive edge.
It could be software code it developed, technical plans for
products, internal processes, intellectual property, or trade
secrets.
If competitors are able to access the proprietary data, it can
seriously affect the primary mission of an organization.
2. DEFINING DATA CLASSIFICATIONS
 Organizations typically include data classifications in their
security policy, or in a separate data policy.
 A data classification identifies the value of the data to the
organization and is critical to protect data confidentiality and
integrity.
 The policy identifies classification labels used within the
organization.
 It also identifies how data owners can determine the proper
classification and how personnel should protect data based on
its classification.
3. DEFINING ASSET CLASSIFICATIONS
 Asset classifications should match the data classifications.
 In other words, if a computer is processing top secret
data, the computer should also be classified as a top
secret asset.
 Similarly, if media such as internal or external drives holds
top secret data, the media should also be classified as top
secret.
 It is common to use clear marking on the hardware assets
so that personnel are reminded of data that can be
4. DETERMINING DATA SECURITY CONTROLS
 After defining data and asset classifications, it’s important to define
the security requirements and identify security controls to
implement those security requirements.
 Imagine that an organization has decided on data labels of
Confidential/Proprietary, Private, Sensitive, and Public as described
previously.
 Management then decides on a data security policy dictating the
use of specific security controls to protect data in these categories.
 The policy will likely address data stored in files, in databases, on
servers including email servers, on user systems, sent via email,
and stored in the cloud.
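An added example (not part of the lecture) of how such a policy could be checked against an asset inventory: each asset inherits the highest label of the data it holds, and the audit flags assets that are marked lower or lack the controls the policy requires. The label ordering, the `REQUIRED_CONTROLS` matrix, the control names and the inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Labels named in the lecture; the ordering (lowest to highest) is an assumption.
LEVELS = ["Public", "Sensitive", "Private", "Confidential/Proprietary"]
RANK = {label: i for i, label in enumerate(LEVELS)}

# Assumed policy matrix: minimum controls per label (illustrative only).
REQUIRED_CONTROLS = {
    "Public": set(),
    "Sensitive": {"access_control"},
    "Private": {"access_control", "encryption_at_rest"},
    "Confidential/Proprietary": {
        "access_control",
        "encryption_at_rest",
        "encryption_in_transit",
        "physical_marking",
    },
}


@dataclass
class Asset:
    name: str
    marked_as: str                      # label physically/logically applied to the asset
    data_labels: list                   # labels of the data it stores or processes
    controls: set = field(default_factory=set)


def required_label(asset):
    """Return the label the asset must carry: the highest label of its data."""
    for label in [asset.marked_as, *asset.data_labels]:
        if label not in RANK:
            raise ValueError(f"{asset.name}: unknown label {label!r}")
    if not asset.data_labels:
        return "Public"
    return max(asset.data_labels, key=RANK.__getitem__)


def audit(asset):
    """List policy findings for one asset; an empty list means compliant."""
    need = required_label(asset)
    findings = []
    if RANK[asset.marked_as] < RANK[need]:
        findings.append(
            f"under-classified: marked {asset.marked_as}, holds {need} data"
        )
    missing = REQUIRED_CONTROLS[need] - asset.controls
    if missing:
        findings.append("missing controls: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample inventory.
INVENTORY = [
    Asset("file-server-01", "Private",
          ["Public", "Confidential/Proprietary"],
          {"access_control", "encryption_at_rest"}),
    Asset("staff-laptop-07", "Sensitive", ["Sensitive"], {"access_control"}),
    Asset("usb-drive-22", "Public", ["Private"]),
]

if __name__ == "__main__":
    for asset in INVENTORY:
        result = audit(asset)
        print(asset.name, "->", result if result else "compliant")
```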
5. UNDERSTANDING DATA STATES
 It’s important to protect data in all data states, including while it is at
rest, in motion, and in use.
 Data at Rest - Data at rest is any data stored on media such as
hard drives, external USB drives, storage area networks (SANs), and
backup tapes.
 Data in Transit - Data in transit (sometimes called data in motion) is
any data transmitted over a network. This includes data transmitted
over an internal network using wired or wireless methods and data
transmitted over public networks such as the internet.
 Data in Use - Data in use refers to data in memory or temporary
storage buffers, while an application is using it. Because an
application can’t process encrypted data, it must decrypt it in
6. HANDLING INFORMATION AND ASSETS
 A key goal of managing sensitive data is to prevent data
breaches.
 A data breach is any event in which an unauthorized entity can
view or access sensitive data.
 If you pay attention to the news, you probably hear about data
breaches quite often.
6. HANDLING INFORMATION AND ASSETS
 Basic steps to limit data breaches
 Marking Sensitive Data and Assets - Marking (often called labeling)
information ensures that users can easily identify the classification level of any
data.
 Handling Sensitive Information and Assets - Handling refers to the secure
transportation of media through its lifetime. Personnel handle data differently
based on its value and classification, and as you’d expect, highly classified
information needs much greater protection. Many times, people get
accustomed to handling sensitive information and become lackadaisical with
protecting it.
 Storing Sensitive Data - Sensitive data should be stored in such a way that it
is protected against any type of loss. The obvious protection is encryption. If
sensitive data is stored on physical media such as portable disk drives or
backup tapes, personnel should follow basic physical security practices to
6. HANDLING INFORMATION AND ASSETS
 Basic steps to limit data breaches
 Destroying Sensitive Data - When an organization no longer needs sensitive
data, personnel should destroy it. Proper destruction ensures that it cannot
fall into the wrong hands and result in unauthorized disclosure. Highly
classified data requires different steps to destroy it than data classified at a
lower level.
 Eliminating Data Remanence - Data remanence is the data that remains on
media after the data was supposedly erased. It typically refers to data on a
hard drive as residual magnetic flux.
 One way to remove data remanence is with a degausser. A degausser
generates a heavy magnetic field, which realigns the magnetic fields in
magnetic media such as traditional hard drives, magnetic tape, and floppy
disk drives. Degaussers using power will reliably rewrite these magnetic fields
and remove data remanence. However, they are only effective on magnetic
media.
6. HANDLING INFORMATION AND ASSETS
 Basic steps to limit data breaches
 Ensuring Appropriate Asset Retention - Retention requirements apply
to data or records, media holding sensitive data, systems that process
sensitive data, and personnel who have access to sensitive data.
 Record retention and media retention are the most important elements of
asset retention.
 Record retention involves retaining and maintaining important
information as long as it is needed and destroying it when it is no
longer needed.
7. DATA PROTECTION METHODS
 One of the primary methods of protecting the confidentiality of data
is encryption.
 Symmetric encryption uses the same key to encrypt and decrypt data.
 Advanced Encryption Standard
 Triple DES
 Blowfish
 Transport encryption methods encrypt data before it is transmitted,
providing protection of data in transit. The primary risk of sending
unencrypted data over a network is a sniffing attack.
 Organizations often enable remote access solutions such as virtual
private networks (VPNs).
DETERMINING OWNERSHIP
 Many people within an organization manage, handle, and use
data, and they have different requirements based on their roles
 One of the most important concepts here is ensuring that
personnel know who owns information and assets.
 The owners have a primary responsibility of protecting the data
and assets.
DETERMINING OWNERSHIP
 Data Owner –
o The data owner is the person who has ultimate organizational
responsibility for data.
o The owner is typically the chief executive officer (CEO), president,
or a department head.
o Data owners identify the classification of data and ensure that it is
labeled properly.
o They also ensure that it has adequate security controls based on
the classification and the organization’s security policy
DETERMINING OWNERSHIP
 Asset Owner –
o The asset owner (or system owner) is the person who owns the asset or
system that processes sensitive data.
o Develops and maintains a system security plan in coordination with
information owners, the system administrator, and functional end users
o The system owner is typically the same person as the data owner, but it
can sometimes be someone different, such as a different department
head
o The system owner is responsible for ensuring that data processed on the
system remains secure. This includes identifying the highest level of data
that the system processes
DETERMINING OWNERSHIP
 Business/Mission Owner –
o The business/mission owner role is viewed differently in different
organizations.
o It may be a program manager or an information system owner, and as such the
responsibilities of the business/mission owner can overlap with the
responsibilities of the system owner or be the same role.
o Business owners might own processes that use systems managed by other
entities.
o Business owners are responsible for ensuring that systems provide value to
the organization. This sounds obvious.
o However, IT departments sometimes become overzealous and implement
security controls without considering the impact on the business or its
DETERMINING OWNERSHIP
 Data Processors –
o Generically, a data processor is any system used to process data.
o A data processor is “a natural or legal person, public authority,
agency, or other body, which processes personal data solely on
behalf of the data controller.”
o In this context, the data controller is the person or entity that
controls processing of the data.
DETERMINING OWNERSHIP
 Pseudonymization –
o Two technical security controls that organizations can implement
are encryption and pseudonymization.
o A pseudonym is an alias
o Pseudonymization refers to the process of using pseudonyms to
represent other data.
o It can be done to prevent the data from directly identifying an
entity, such as a person.
DETERMINING OWNERSHIP
 Anonymization –
o Anonymization is the process of removing all relevant
data so that it is impossible to identify the original
subject or person.
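The difference between the two controls above, as an added example that is not part of the lecture: pseudonymization swaps direct identifiers for a stable alias and keeps a separately stored lookup table, while anonymization keeps neither alias nor table. The HMAC-SHA256 alias scheme, the field names and the records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people).
RECORDS = [
    {"name": "Alice Moyo", "national_id": "ID-1001",
     "birth_year": 1988, "diagnosis": "asthma"},
    {"name": "Brian Dube", "national_id": "ID-1002",
     "birth_year": 1975, "diagnosis": "diabetes"},
    {"name": "Alice Moyo", "national_id": "ID-1001",
     "birth_year": 1988, "diagnosis": "influenza"},
]

# Fields that identify a person on their own (assumed for this data set).
DIRECT_IDENTIFIERS = ("name", "national_id")


def make_pseudonym(key, identifier):
    """Derive a keyed alias: the same identifier and key always give the same alias."""
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return "P-" + digest[:16]


def pseudonymize(records, key):
    """Replace direct identifiers with one alias per subject.

    Returns (released_records, lookup_table). The lookup table maps each alias
    back to the original identifiers and must be stored apart from the released
    data, under the data owner's control.
    """
    released, lookup = [], {}
    for rec in records:
        alias = make_pseudonym(key, rec["national_id"])
        lookup[alias] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["subject"] = alias
        released.append(out)
    return released, lookup


def reidentify(lookup, alias):
    """Authorised reversal of a pseudonym; returns None for an unknown alias."""
    return lookup.get(alias)


def anonymize(records):
    """Drop direct identifiers, keep no alias or lookup table, and generalise
    the birth year to a decade so the remaining fields are less identifying."""
    out = []
    for rec in records:
        decade = rec["birth_year"] // 10 * 10
        out.append({"birth_decade": f"{decade}s", "diagnosis": rec["diagnosis"]})
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # secret key, kept with the lookup table
    released, lookup = pseudonymize(RECORDS, key)
    for row in released:
        print("pseudonymized:", row)
    print("re-identified:", reidentify(lookup, released[0]["subject"]))
    for row in anonymize(RECORDS):
        print("anonymized:  ", row)
```

In the pseudonymized output the two visits by the same subject still share one alias, so records stay linkable and reversible for whoever holds the table; the anonymized output offers no such path back.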
DETERMINING OWNERSHIP
 Administrators –
o A data administrator is responsible for granting appropriate access
to personnel.
o They don’t necessarily have full administrator rights and privileges,
but they do have the ability to assign permissions.
o Administrators assign permissions based on the principles of least
privilege and the need to know, granting users access to only what
they need for their job.
o Administrators typically assign permissions using a Role Based
Access Control model
DETERMINING OWNERSHIP
 Custodians –
o Data owners often delegate day-to-day tasks to a custodian. A
custodian helps protect the integrity and security of data by
ensuring that it is properly stored and protected.
o For example, custodians would ensure that the data is backed up in
accordance with a backup policy.
o If administrators have configured auditing on the data, custodians
would also maintain these logs.
DETERMINING OWNERSHIP
 Users –
o A user is any person who accesses data via a computing system to
accomplish work tasks.
o Users have access to only the data they need to perform their work
tasks. You can also think of users as employees or end users.
PROTECTING PRIVACY
 Organizations have an obligation to protect data that they
collect and maintain, especially PII and PHI.
 Many laws and regulations mandate the protection of privacy data,
and organizations have an obligation to learn which laws and
regulations apply to them. Additionally, organizations need to ensure
that their practices comply with these laws and regulations.
 It’s common for organizations to use an online privacy policy on their
websites
PROTECTING PRIVACY
 When protecting privacy, an organization will typically use
several different security controls.
 Selecting the proper security controls can be a daunting task,
especially for new organizations.
 However, using security baselines and identifying relevant
standards makes the task a little easier.
 Baselines provide a starting point and ensure a minimum security
standard.
CONCLUSION
 Asset security focuses on collecting, handling, and protecting
information throughout its lifecycle.
 Sensitive information is any information that an organization keeps
private and can include multiple levels of classifications.
 Organizations take specific steps to mark, handle, store, and destroy
sensitive information and hardware assets, and these steps help
prevent the loss of confidentiality due to unauthorized disclosure.
 Personnel can fulfill many different roles when handling data.
 Security baselines provide a set of security controls that an
organization can implement as a secure starting point.

National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 

L2 - Protecting Security of Assets_.pptx

  • 1. CUIT420: CYBER SECURITY. MS CHIMHENO, rchimheno@cut.ac.zw, Office: E-12. L2 – PROTECTING SECURITY OF ASSETS
  • 2. LEARNING OUTCOMES
      At the end of this lecture students should be able to:
      - Identify and classify information and assets
      - Protect privacy
      - Explain data security controls
      - Establish information and asset handling requirements
  • 3. INTRODUCTION
      - The Asset Security domain focuses on collecting, handling, and protecting information throughout its lifecycle.
      - A primary step in this domain is classifying information based on its value to the organization.
      - All follow-on actions vary depending on the classification. For example, highly classified data requires stringent security controls. In contrast, unclassified data uses fewer security controls.
  • 5. IDENTIFY AND CLASSIFY ASSETS
      - One of the first steps in asset security is identifying and classifying information and assets.
      - In this context, assets include sensitive data, the hardware used to process it, and the media used to hold it.
      - Organizations often include classification definitions within a security policy.
      - Personnel then label assets appropriately based on the security policy requirements.
  • 6. IDENTIFY AND CLASSIFY ASSETS
      Steps to identifying and classifying assets:
      1) Defining Sensitive Data
      2) Defining Data Classifications
      3) Defining Asset Classifications
      4) Determining Data Security Controls
      5) Understanding Data States
      6) Handling Information Assets
      7) Data Protection Method
  • 7. 1. DEFINING SENSITIVE DATA
      - Sensitive data is any information that isn’t public or unclassified.
      - It can include confidential, proprietary, protected, or any other type of data that an organization needs to protect due to its value to the organization, or to comply with existing laws and regulations.
  • 8. 1. DEFINING SENSITIVE DATA
      Types of Sensitive Data
      - Personally identifiable information (PII) is any information that can identify an individual.
      - National Institute of Standards and Technology (NIST) Special Publication (SP) 800-122 provides a more formal definition: Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual,
  • 9. 1. DEFINING SENSITIVE DATA
      Types of Sensitive Data
      - Protected health information (PHI) is any health-related information that can be related to a specific person.
      - Health information means any information, whether oral or recorded in any form or medium, that (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual (HIPAA).
  • 10. 1. DEFINING SENSITIVE DATA
      Types of Sensitive Data
      - Proprietary data refers to any data that helps an organization maintain a competitive edge. It could be software code it developed, technical plans for products, internal processes, intellectual property, or trade secrets. If competitors are able to access the proprietary data, it can seriously affect the primary mission of an organization.
  • 11. 2. DEFINING DATA CLASSIFICATIONS
      - Organizations typically include data classifications in their security policy, or in a separate data policy.
      - A data classification identifies the value of the data to the organization and is critical to protect data confidentiality and integrity.
      - The policy identifies classification labels used within the organization.
      - It also identifies how data owners can determine the proper classification and how personnel should protect data based on its classification.
  • 12. 2. DEFINING DATA CLASSIFICATIONS
  • 14. 3. DEFINING ASSET CLASSIFICATIONS
      - Asset classifications should match the data classifications.
      - In other words, if a computer is processing top secret data, the computer should also be classified as a top secret asset.
      - Similarly, if media such as internal or external drives holds top secret data, the media should also be classified as top secret.
      - It is common to use clear marking on the hardware assets so that personnel are reminded of data that can be
  • 15. 4. DETERMINING DATA SECURITY CONTROLS
      - After defining data and asset classifications, it’s important to define the security requirements and identify security controls to implement those security requirements.
      - Imagine that an organization has decided on data labels of Confidential/Proprietary, Private, Sensitive, and Public as described previously.
      - Management then decides on a data security policy dictating the use of specific security controls to protect data in these categories.
      - The policy will likely address data stored in files, in databases, on servers including email servers, on user systems, sent via email, and stored in the cloud.
  • 16. 4. DETERMINING DATA SECURITY CONTROLS
  • 17. 5. UNDERSTANDING DATA STATES
      - It’s important to protect data in all data states, including while it is at rest, in motion, and in use.
      - Data at Rest: Data at rest is any data stored on media such as hard drives, external USB drives, storage area networks (SANs), and backup tapes.
      - Data in Transit: Data in transit (sometimes called data in motion) is any data transmitted over a network. This includes data transmitted over an internal network using wired or wireless methods and data transmitted over public networks such as the internet.
      - Data in Use: Data in use refers to data in memory or temporary storage buffers, while an application is using it. Because an application can’t process encrypted data, it must decrypt it in
  • 18. 6. HANDLING INFORMATION AND ASSETS
      - A key goal of managing sensitive data is to prevent data breaches.
      - A data breach is any event in which an unauthorized entity can view or access sensitive data.
      - If you pay attention to the news, you probably hear about data breaches quite often.
  • 19. 6. HANDLING INFORMATION AND ASSETS
      Basic steps to limit data breaches
      - Marking Sensitive Data and Assets: Marking (often called labeling) information ensures that users can easily identify the classification level of any data.
      - Handling Sensitive Information and Assets: Handling refers to the secure transportation of media through its lifetime. Personnel handle data differently based on its value and classification, and as you’d expect, highly classified information needs much greater protection. Many times, people get accustomed to handling sensitive information and become lackadaisical with protecting it.
      - Storing Sensitive Data: Sensitive data should be stored in such a way that it is protected against any type of loss. The obvious protection is encryption. If sensitive data is stored on physical media such as portable disk drives or backup tapes, personnel should follow basic physical security practices to
  • 20. 6. HANDLING INFORMATION AND ASSETS
      Basic steps to limit data breaches
      - Destroying Sensitive Data: When an organization no longer needs sensitive data, personnel should destroy it. Proper destruction ensures that it cannot fall into the wrong hands and result in unauthorized disclosure. Highly classified data requires different steps to destroy it than data classified at a lower level.
      - Eliminating Data Remanence: Data remanence is the data that remains on media after the data was supposedly erased. It typically refers to data on a hard drive as residual magnetic flux.
      - One way to remove data remanence is with a degausser. A degausser generates a heavy magnetic field, which realigns the magnetic fields in magnetic media such as traditional hard drives, magnetic tape, and floppy disk drives. Degaussers using power will reliably rewrite these magnetic fields and remove data remanence. However, they are only effective on magnetic media.
  • 21. 6. HANDLING INFORMATION AND ASSETS
      Basic steps to limit data breaches
      - Ensuring Appropriate Asset Retention: Retention requirements apply to data or records, media holding sensitive data, systems that process sensitive data, and personnel who have access to sensitive data. Record retention and media retention are the most important elements of asset retention. Record retention involves retaining and maintaining important information as long as it is needed and destroying it when it is no longer needed.
  • 22. 7. DATA PROTECTION METHODS
      - One of the primary methods of protecting the confidentiality of data is encryption.
      - Symmetric encryption uses the same key to encrypt and decrypt data:
          o Advanced Encryption Standard
          o Triple DES
          o Blowfish
      - Transport encryption methods encrypt data before it is transmitted, providing protection of data in transit. The primary risk of sending unencrypted data over a network is a sniffing attack.
      - Organizations often enable remote access solutions such as virtual private networks (VPNs).
  • 24. DETERMINING OWNERSHIP
      - Many people within an organization manage, handle, and use data, and they have different requirements based on their roles.
      - One of the most important concepts here is ensuring that personnel know who owns information and assets.
      - The owners have a primary responsibility of protecting the data and assets.
  • 25. DETERMINING OWNERSHIP
      - Data Owner:
          o The data owner is the person who has ultimate organizational responsibility for data.
          o The owner is typically the chief executive officer (CEO), president, or a department head.
          o Data owners identify the classification of data and ensure that it is labeled properly.
          o They also ensure that it has adequate security controls based on the classification and the organization’s security policy.
  • 26. DETERMINING OWNERSHIP
      - Asset Owner:
          o The asset owner (or system owner) is the person who owns the asset or system that processes sensitive data.
          o Develops and maintains a system security plan in coordination with information owners, the system administrator, and functional end users.
          o The system owner is typically the same person as the data owner, but it can sometimes be someone different, such as a different department head.
          o The system owner is responsible for ensuring that data processed on the system remains secure. This includes identifying the highest level of data that the system processes.
  • 27. DETERMINING OWNERSHIP
      - Business/Mission Owner:
          o The business/mission owner role is viewed differently in different organizations.
          o a program manager or an information system owner and as such, the responsibilities of the business/mission owner can overlap with the responsibilities of the system owner or be the same role.
          o Business owners might own processes that use systems managed by other entities.
          o Business owners are responsible for ensuring that systems provide value to the organization. This sounds obvious.
          o However, IT departments sometimes become overzealous and implement security controls without considering the impact on the business or its
  • 28. DETERMINING OWNERSHIP
      - Data Processors:
          o Generically, a data processor is any system used to process data.
          o A data processor is “a natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller.”
          o In this context, the data controller is the person or entity that controls processing of the data.
  • 29. DETERMINING OWNERSHIP
      - Pseudonymization:
          o Two technical security controls that organizations can implement are encryption and pseudonymization.
          o A pseudonym is an alias.
          o Pseudonymization refers to the process of using pseudonyms to represent other data.
          o It can be done to prevent the data from directly identifying an entity, such as a person.
  • 30. DETERMINING OWNERSHIP
      - Anonymization:
          o Anonymization is the process of removing all relevant data so that it is impossible to identify the original subject or person.
  • 31. DETERMINING OWNERSHIP
      - Administrators:
          o A data administrator is responsible for granting appropriate access to personnel.
          o They don’t necessarily have full administrator rights and privileges, but they do have the ability to assign permissions.
          o Administrators assign permissions based on the principles of least privilege and the need to know, granting users access to only what they need for their job.
          o Administrators typically assign permissions using a Role Based Access Control model.
  • 32. DETERMINING OWNERSHIP
      - Custodians:
          o Data owners often delegate day-to-day tasks to a custodian. A custodian helps protect the integrity and security of data by ensuring that it is properly stored and protected.
          o For example, custodians would ensure that the data is backed up in accordance with a backup policy.
          o If administrators have configured auditing on the data, custodians would also maintain these logs.
  • 33. DETERMINING OWNERSHIP
      - Users:
          o A user is any person who accesses data via a computing system to accomplish work tasks.
          o Users have access to only the data they need to perform their work tasks. You can also think of users as employees or end users.
  • 35. PROTECTING PRIVACY
      - Organizations have an obligation to protect data that they collect and maintain, especially PII and PHI data.
      - Many laws and regulations mandate the protection of privacy data, and organizations have an obligation to learn which laws and regulations apply to them. Additionally, organizations need to ensure that their practices comply with these laws and regulations.
      - It’s common for organizations to use an online privacy policy on their websites.
  • 36. PROTECTING PRIVACY
      - When protecting privacy, an organization will typically use several different security controls.
      - Selecting the proper security controls can be a daunting task, especially for new organizations.
      - However, using security baselines and identifying relevant standards makes the task a little easier.
      - Baselines provide a starting point and ensure a minimum security standard.
  • 37. CONCLUSION
      - Asset security focuses on collecting, handling, and protecting information throughout its lifecycle.
      - Sensitive information is any information that an organization keeps private and can include multiple levels of classifications.
      - Organizations take specific steps to mark, handle, store, and destroy sensitive information and hardware assets, and these steps help prevent the loss of confidentiality due to unauthorized disclosure.
      - Personnel can fulfill many different roles when handling data.
      - Security baselines provide a set of security controls that an organization can implement as a secure starting point.
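
Two rules from the slides lend themselves to an automated check: an asset must carry the highest classification of the data it handles (slides 14 and 26), and email above Public must be encrypted both in transit and at rest (the email policy example in the notes). The Python below is an added example, not part of the lecture; the inventory, field names and message ids are constructed, and the label ordering is an assumption drawn from the damage levels the notes attach to each label.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Label(IntEnum):
    """The lecture's four labels, lowest to highest (ordering is an assumption)."""
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    CONFIDENTIAL_PROPRIETARY = 3


@dataclass
class Asset:
    name: str
    marked: Label                                     # label marked on the hardware
    data_labels: list = field(default_factory=list)   # labels of data it holds or processes


@dataclass
class Email:
    msg_id: str
    label: Label
    encrypted_in_transit: bool
    encrypted_at_rest: bool


def required_asset_label(asset):
    """An asset must be classified at the highest level of data it handles."""
    return max(asset.data_labels, default=Label.PUBLIC)


def audit_assets(assets):
    """Return (name, marked, required) for each asset marked below its data."""
    return [
        (a.name, a.marked.name, required_asset_label(a).name)
        for a in assets
        if a.marked < required_asset_label(a)
    ]


def audit_email(messages):
    """Return ids of messages above Public that lack encryption in either state."""
    return [
        m.msg_id
        for m in messages
        if m.label > Label.PUBLIC
        and not (m.encrypted_in_transit and m.encrypted_at_rest)
    ]


# Constructed inventory and mail sample, for illustration only.
ASSETS = [
    Asset("payroll-db", Label.PRIVATE, [Label.PRIVATE, Label.SENSITIVE]),
    Asset("backup-drive-07", Label.SENSITIVE,
          [Label.CONFIDENTIAL_PROPRIETARY, Label.PUBLIC]),
    Asset("lobby-kiosk", Label.PUBLIC, [Label.PUBLIC]),
]
MAIL = [
    Email("m-001", Label.PUBLIC, False, False),
    Email("m-002", Label.PRIVATE, True, False),
    Email("m-003", Label.CONFIDENTIAL_PROPRIETARY, True, True),
    Email("m-004", Label.SENSITIVE, False, True),
]

if __name__ == "__main__":
    for name, marked, required in audit_assets(ASSETS):
        print(f"{name}: marked {marked}, must be {required}")
    for msg_id in audit_email(MAIL):
        print(f"{msg_id}: encryption missing in transit or at rest")
```
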

Editor's Notes

  1. Organizations have a responsibility to protect PII. This includes PII related to employees and customers. Many laws require organizations to notify individuals if a data breach results in a compromise of PII.
  2. Health Insurance Portability and Accountability Act (HIPAA): Some people think that only medical care providers such as doctors and hospitals need to protect PHI. However, HIPAA defines PHI much more broadly. Any employer that provides, or supplements, healthcare policies collects and handles
  3. Although copyrights, patents, and trade secret laws provide a level of protection for proprietary data, this isn’t always enough. Many criminals don’t pay attention to copyrights, patents, and laws. Similarly, foreign entities have stolen a significant amount of proprietary data
  4. As an example, government data classifications include top secret, secret, confidential, and unclassified. Anything above unclassified is sensitive data, but clearly, these have different values.
  5. Confidential or Proprietary: The confidential or proprietary label typically refers to the highest level of classified data. In this context, a data breach would cause exceptionally grave damage to the mission of the organization. As an example, attackers have repeatedly attacked Sony, stealing more than 100 terabytes of data including full-length versions of unreleased movies. These quickly showed up on file-sharing sites and security experts estimate that people downloaded these movies up to a million times. With pirated versions of the movies available, many people skipped seeing them when Sony ultimately released them. This directly affected their bottom line. The movies were proprietary and the organization might have considered it as exceptionally grave damage. In retrospect, they may choose to label movies as confidential or proprietary and use the strongest access controls to protect them.
     Private: The private label refers to data that should stay private within the organization but doesn’t meet the definition of confidential or proprietary data. In this context, a data breach would cause serious damage to the mission of the organization. Many organizations label PII and PHI data as private. It’s also common to label internal employee data and some financial data as private. As an example, the payroll department of a company would have access to payroll data, but this data is not available to regular employees.
     Sensitive: Sensitive data is similar to confidential data. In this context, a data breach would cause damage to the mission of the organization. As an example, information technology (IT) personnel within an organization might have extensive data about the internal network including the layout, devices, operating systems, software, Internet Protocol (IP) addresses, and more. If attackers have easy access to this data, it makes it much easier for them to launch attacks. Management may decide they don’t want this information available to the public, so they might label it as sensitive.
     Public: Public data is similar to unclassified data. It includes information posted in websites, brochures, or any other public source. Although an organization doesn’t protect the confidentiality of public data, it does take steps to protect its integrity. For example, anyone can view public data posted on a website. However, an organization doesn’t want attackers to modify this data so it takes steps to protect it.
  6. For example, if a computer is used to process top secret data, the computer and the monitor will have clear and prominent labels reminding users of the classification of data that can be processed on the computer.
  7. For this example, we’re limiting the type of data to only email. The organization has defined how it wants to protect email in each of the data categories. They decided that any email in the Public category doesn’t need to be encrypted. However, email in all other categories (Confidential/Proprietary, Private, and Sensitive) must be encrypted when being sent (data in transit) and while stored on an email server (data at rest). Encryption converts cleartext data into scrambled ciphertext and makes it more difficult to read. Using strong encryption methods such as Advanced Encryption Standard with 256-bit cryptography keys (AES 256) makes it almost impossible for unauthorized personnel to read the text. The table shows other security requirements for email that management defined in their data security policy. Notice that data in the highest level of classification category (Confidential/Proprietary) has the most security requirements defined in the security policy. Additionally, identity and access management (IAM) security controls help ensure that only authorized personnel can access resources.
  8. SSDs use integrated circuitry instead of magnetic flux on spinning platters. Because of this, degaussing SSDs won’t remove data. However, even when using other methods to remove data from SSDs, data remnants often remain.
  9. As an example, consider a web server used for e-commerce that interacts with a back-end database server. A software development department might perform database development and database administration for the database and the database server, but the IT department maintains the web server. In this case, the software development DH is the system owner for the database server, and the IT DH is the system owner for the web server. However, it’s more common for one person (such as a single department head) to control both servers, and this one person would be the system owner for both systems.
  10. Business owners might own processes that use systems managed by other entities. As an example, the sales department could be the business owner but the IT department and the software development department could be the system owners for systems used in sales processes.
  11. As an example, a company that collects personal information on employees for payroll is a data controller. If they pass this information to a third-party company to process payroll, the payroll company is the data processor. In this example, the payroll company (the data processor) must not use the data for anything other than processing payroll at the direction of the data controller.
  12. Instead of including personal information such as the patient’s name, address, and phone number, it could just refer to the patient as Patient 23456 in the medical record. The doctor’s office still needs this personal information, and it could be held in another database linking it to the patient pseudonym (Patient 23456).
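
The split described in the last note, a medical record that carries only a pseudonym while a separate database links the pseudonym back to the person, can be sketched in Python. This is an added example, not part of the lecture; the field names, the keyed-hash (HMAC) derivation of the alias, and the sample patient are assumptions, and the `link_table` dictionary stands in for the separate, more tightly controlled database.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers (assumed set, matching the note's
# example of name, address and phone number).
DIRECT_IDENTIFIERS = ("name", "address", "phone")


class Pseudonymizer:
    def __init__(self, key):
        self._key = key        # secret; without it aliases cannot be recomputed
        self.link_table = {}   # alias -> identifiers; stands in for the separate database

    def _alias(self, identifiers):
        # Normalise, then derive a stable alias with a keyed hash so the same
        # person maps to the same alias across records.
        material = "|".join(identifiers[f].strip().lower() for f in DIRECT_IDENTIFIERS)
        digest = hmac.new(self._key, material.encode("utf-8"), hashlib.sha256)
        return "Patient-" + digest.hexdigest()[:16]

    def pseudonymize(self, record):
        """Return the record with direct identifiers replaced by an alias."""
        identifiers = {f: record[f] for f in DIRECT_IDENTIFIERS}
        alias = self._alias(identifiers)
        self.link_table.setdefault(alias, identifiers)
        stripped = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        stripped["patient"] = alias
        return stripped

    def reidentify(self, alias):
        """Look the person up again; only holders of the link table can do this."""
        return self.link_table[alias]


# Constructed sample records for one fictional patient, two visits.
VISITS = [
    {"name": "Jane Example", "address": "1 Test Road", "phone": "000-0000",
     "diagnosis": "asthma"},
    {"name": "Jane Example", "address": "1 Test Road", "phone": "000-0000",
     "diagnosis": "follow-up"},
]

if __name__ == "__main__":
    p = Pseudonymizer(secrets.token_bytes(32))
    for visit in VISITS:
        print(p.pseudonymize(visit))
    print(p.link_table)
```

The medical records can then be shared with staff who need only clinical data, while access to the link table and the key is restricted to those who must re-identify a patient.
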