You are on page 1of 1

Benefits of Data Standards (134) Baselines (154) Standards Selection (158 - 185

)
Increased data sharing Select based on the data classification of the data stored/handled NIST – National Institute of Standards and Technology
- Which parts of enterprise can be protected by the same NIST SP 800 series - address computer security in a variety of
Considerations (134) baseline? areas
Borders - Should baseline be applied throughout whole 800-14 NIST SP – GAPP for securing information technology
Encryption enterprise? systems
- At what security level should baseline aim? 800-18 NIST – How to develop security plans
How will the controls be determined? 800-27 NIST SP - Baseline for achieving security, five lifecycle
Data Modeling (135) Baseline – Starting point that can be tailored to an organization planning phases (defined in 800-14), 33 IT security principles
Smallest bits of information the Db will hold – granularity
for a minimum security standard. Common security configurations, - Initiation
When do we replace – then think about next one
Use Group Policies to check and enforce compliance - Development/Acquisition
CRITICAL = AVAILABILITY
- Implementation
Data Remanence (140) Scoping and Tailoring (157) - Operation/Maintenance
Residual physical representation of data that has been in some - Disposal
Narrows the focus and of the architecture to ensure that
way erased. PaaS deals with it best in Cloud 800-88 - NIST guidelines for sanitation and disposition, prevents
appropriate risks are identified and addressed.
Remanence - Residual data left on media after erase attempts data remanence
Scoping – reviewing baseline security controls and selecting only
Remove unwanted remnant data from magnetic tapes 800-122 - NIST Special Publication – defines PII as any
those controls that apply to the IT system you’re trying to protect.
- Physical destruction information that can be used to trace a person identity such as
Tailoring – modifying the list of security controls within a baseline
- Degaussing SSN, name, DOB, place of birth, mother’s maiden name
so that they align with the mission of the organization.
- Overwriting 800-137 - build/implement info security continuous monitoring
Supplementation – adding assessment procedures or
- NOT Reformatting program: define, establish, implement, analyze and report,
assessment details to adequately meet the risk management
Sanitizing – Series of processes that removes data, ensures data 800-145 - cloud computing
needs of the organization.
is unrecoverable by any means. Removing a computer from FIPS – Federal Information Processing Standards; official series of
service and disposed of. All storage media removed or destroyed. publications relating to standards and guidelines adopted under the
Degaussing – AC erasure; alternating magnetic fields , DC Link vs. End to End Encryption (174) FISMA, Federal Information Security Management Act of 2002.
erasure; unidirectional magnetic field or permanent magnet, can Link - is usually point to point EVERYTHING ENCRYPTED
FIPS 199 – Standards for categorizing information and information
erase tapes “Black pipe, black oil, black ping pong balls” all data is encrypted,
systems.
Erasing – deletion of files or media, removes link to file, least normally did by service providers
FIPS 200 – minimum security requirements for Federal information
effective End to End – You can see ALL BUT PAYLOAD, normally done by
and information systems
Overwriting/wiping/shredding – overwrites with pattern, may users DOD 8510.01 – establishes DIACAP
miss YOU CAN LAYER THESE ENCRYPTION TYPES ISO 15288 – International systems engineering standard covering
Zero fill – wipe a drive and fill with zeros Email is not secured unless encrypted processes and life cycle stages
Clearing – Prepping media for reuse at same level. Removal of NETSCAPE INVENTED SSL, SSLv3 still used - Agreement
sensitive data from storage devices in such a way that the data USE TLSv1.2 now for test - Organization Project-enabling
may not be reconstructed using normal system functions or PGP = GnuPG (GNP)– not rely on open - Technical Management
utilities. May be recoverable with special lab equipment. Data just S/MIME – secure email - Technical
overwritten. Nice to Know
Purging– More intense than clearing. Media can be reused in Classifying Costs – cost are not a factor in classifying data but Nice to Know
lower systems. Removal of sensitive data with the intent that the are in controls COPPA – California Online Privacy Protection Act, operators of
data cannot be reconstructed by any known technique. FTP and Telnet are unencrypted! SFTP and SSH provide commercial websites post a privacy policy if collecting personal
Destruction – Incineration, crushing, shredding, and disintegration encryption to protect data and credentials that are used to log in information on CA residents
are stages of this Record Retention Policies – how long data retained and Curie Temperature – Critical point where a material’s intrinsic
Encrypt data is a good way to secure files sent through the maintained magnetic alignment changes direction.
internet Removable Media – use strong encryption, like AES256, to Dar – Data at rest; inactive data that is physically stored, not RAM,
SSD Data Destruction (142) ensure loss of media does not result in data breach biggest threat is a data breach, full disk encryption protects it
- NIST says to “disintegrate” Personnel Retention – Deals with the knowledge that employees (Microsoft Bitlocker and Microsoft EFS, which use AES, are apps)
- SSD drives cannot be degaussed, space sectors, bad gain while employed. DLP – Data Loss/Leakage Prevention, use labels to determine the
sectors, and wear space/leveling may hide Record Retention – retaining and maintaining information for as appropriate control to apply to data. Won’t modify labels in real-
nonaddressable data, encrypt is the solution long as it’s needed time.
- Erase encryption key to be unreadable Label Data – to make sure data is identifiable by its classification ECM – Enterprise Content Management; centrally managed and
- Crypto erase, sanitization, targeted overwrite (best) level. Some label all media that contains data to prevent reuse of controlled
Buy high quality media – value of data exceeds cost of media Public media for sensitive data. Non-disclosure Agreement – legal agreement that prevents
Sanitation is business normal, not destruction for costs reasons Data in RAM is Data in use. employees from sharing proprietary information
Reuse - Downgrading equipment for reuse will probably be more CIS – Center for Internet Security; creates list of security controls PCI-DSS – Payment and Card Industry – Security Standards
expensive than buying new for OS, mobile, server, and network devices Council; credit cards, provides a set of security controls /standards
Metadata – helps to label data and prevent loss before it leaves Watermark – embedded data to help ID owner of a file, digitally
the organization, label data and can be used to indicate ownership.
Data mart - metadata is stored in a more secure container