CISSP - Domain 2: Asset Security

TEMPEST is a specification for techniques used to prevent spying via
electromagnetic emissions.

Control Objectives for Information and Related Technology (COBIT) is a framework for
information technology (IT) management and governance. Business owners are the
data management role that is most likely to select and apply COBIT to balance the need
for security controls against business requirements. Data owners are more likely
to ask that those responsible for control selection identify a standard to use.
Data processors are required to perform specific actions under regulations like
the EU GDPR. Finally, in many organizations, data stewards are internal roles that
oversee how data is used.

Custodians are delegated the role of handling day-to-day tasks by managing and
overseeing how data is handled, stored, and protected. Data processors are systems used to
process data. Business owners are typically project or system owners who are tasked with
making sure systems provide value to their users or customers.

The controls implemented from a security baseline should match the data classification
of the data used or stored on the system. Custodians are trusted to ensure the day-to-day
security of the data and should do so by ensuring that the baseline is met and maintained.
Business owners often have a conflict of interest between functionality and data security,
and of course, applying the same controls everywhere is expensive and may not meet
business needs or be a responsible use of resources.

US-EU Privacy Shield compliance helps US companies meet the EU General Data Protection
Regulation.

Security baselines provide a starting point to scope and tailor security controls to your
organization’s needs. They aren’t always appropriate to specific organizational needs, they
cannot ensure that systems are always in a secure state, and they do not prevent liability.
But they are a good starting point.

Clearing describes preparing media for reuse. When media is cleared, unclassified data
is written over all addressable locations on the media. Once that’s completed, the media
can be reused. Erasing is the deletion of files or media. Purging is a more intensive form
of clearing for reuse in lower-security areas, and sanitization is a series of processes that
removes data from a system or media while ensuring that the data is unrecoverable by
any means.

Erasing, which describes a typical deletion process in many operating systems,
typically removes only the link to the file and leaves the data that makes up the file
itself. The data will remain in place but not indexed until the space is needed and it is
overwritten.
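The difference between erasing and clearing described above can be seen in a small simulation. The model below is an added illustration, not part of the original notes: a byte array stands in for the medium and a dictionary for the filesystem index, so that a raw scan of the medium can be compared with what the index reports after each operation.

```python
# Toy model of a storage medium (added illustration, not from the original notes).
# Erasing drops only the index entry; clearing overwrites every addressable location.

MEDIA_SIZE = 256  # constructed size, in bytes, of the simulated medium


class ToyMedium:
    """Flat byte array plus a file index, standing in for a disk and its filesystem."""

    def __init__(self, size: int = MEDIA_SIZE) -> None:
        self.blocks = bytearray(size)           # all addressable locations
        self.index: dict[str, tuple[int, int]] = {}  # name -> (offset, length)
        self.next_free = 0

    def write(self, name: str, data: bytes) -> None:
        if self.next_free + len(data) > len(self.blocks):
            raise ValueError("medium full")
        off = self.next_free
        self.blocks[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        self.next_free += len(data)

    def erase(self, name: str) -> None:
        """Typical OS delete: remove the link in the index, leave the bytes in place."""
        del self.index[name]

    def clear(self, fill: bytes = b"\x00") -> None:
        """Clearing: write unclassified data over every addressable location."""
        pattern = (fill * (len(self.blocks) // len(fill) + 1))[:len(self.blocks)]
        self.blocks[:] = pattern
        self.index.clear()
        self.next_free = 0

    def is_indexed(self, name: str) -> bool:
        return name in self.index

    def raw_contains(self, needle: bytes) -> bool:
        """What a forensic scan of the raw medium finds, ignoring the index."""
        return needle in bytes(self.blocks)


def demo() -> dict:
    secret = b"ACCOUNT-NUMBER-0001"  # constructed sensitive record
    m = ToyMedium()
    m.write("ledger.txt", secret)
    m.erase("ledger.txt")
    after_erase = (m.is_indexed("ledger.txt"), m.raw_contains(secret))
    m.clear()
    after_clear = (m.is_indexed("ledger.txt"), m.raw_contains(secret))
    return {"after_erase": after_erase, "after_clear": after_clear}
```

After `erase` the file is gone from the index but a raw scan still finds its contents; only after `clear` does the scan come up empty.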

Scoping involves selecting only the controls that are appropriate for your IT systems,
while tailoring matches your organization’s mission and the controls from a selected
baseline. Baselining is the process of configuring a system or software to match a baseline
or building a baseline itself.

Bit rot describes the slow loss of data on aging media.

Data permanence is a term sometimes used to describe the life span of data and media.

A data loss prevention (DLP) system or software is designed to identify labeled data
or data that fits specific patterns and descriptions to help prevent it from leaving the
organization.

Microsoft Group Policy provides the ability to monitor and apply settings in a security
baseline. Manual checks by users and startup scripts provide fewer reviews
and may be prone to failure, while periodic review of the baseline won’t result in
compliance being checked.

A baseline is a set of security configurations that can be adopted and modified to fit
an organization’s security needs. A security policy is written to describe an organization’s
approach to security.

The data owner has ultimate responsibility for data belonging to an organization and is
typically the CEO, president, or another senior employee. Business and mission owners typically
own processes or programs. System owners own a system that processes sensitive data.

Data custodians are tasked with the day-to-day application of security controls. Typically,
system administrators are delegated authority by system owners, such as a department
head, and of course they are tasked with providing access to users.

Systems used to process data are data processors. Data owners are typically CEOs or
other very senior staff, custodians are granted rights to perform day-to-day tasks when
handling data, and mission owners are typically program or information system owners.
Administrators have the rights to assign permissions to access and handle data.

Third-party organizations that process personal data on behalf of a data controller are
known as data processors. The organization that they are contracting with would act in
the role of the business or mission owners, and others within Chris’s organization would
have the role of data administrators, granting access as needed to the data based on their
operational procedures and data classification.

The GDPR does include the need to collect information for specified, explicit, and
legitimate purposes; the need to ensure that collection is limited to the information
necessary to achieve the stated purpose; and the need to protect data against accidental
destruction. It does not include a specific requirement to encrypt information at rest.

EU GDPR Principles:
The principle of Data Portability says that the data subject has the right to receive
personal information and to transfer that information to another data controller. The
Principle of Data Integrity states that data should be reliable and that information should
not be used for purposes other than those that users are made aware of by notice and that
they have accepted through choice. Enforcement is aimed at ensuring that compliance with
principles is assured. Onward transfer limits transfers to other organizations that comply
with the principles of notice and choice.

Refer to Risk Management Framework for the below:
The data owner bears responsibility for categorizing information systems and delegates
selection of controls to system owners, while custodians implement the controls. Users
don’t perform any of these actions, while business owners are tasked with ensuring that
systems are fulfilling their business purpose.

The California Online Privacy Protection Act (COPPA) requires that operators of
commercial websites and services post a prominently displayed privacy policy if they
collect personal information on California residents.
The Personal Information Protection and Electronic Documents Act is a Canadian privacy
law, while California Civil Code 1798.82 is part of the set of California codes that
requires breach notification.

An electronic signature is an electronic symbol attached to a contract or other record,
used by a person with an intent to sign. In contrast, digital signatures guarantee
that an electronic document is authentic.

Which mapping correctly matches data classifications between nongovernment and
government classification schemes?
Top Secret – Confidential/Proprietary
Secret – Private
Confidential – Sensitive
