
CISSP® - Certified Information Systems Security Professional
Domain 2
(©) Copyright ThorTeaches 2018 -
CISSP® - Certified Information Systems Security Professional
DOMAIN 2: Asset Security.

Welcome to the second CBK Domain.

- Information and asset classification
- Ownership (Data owners, System owners, Data custodians)
- Protect privacy
- Appropriate retention
- Data security controls
- Handling requirements (e.g. markings, labels, storage)

Data classification video:
- https://www.cybrary.it/video/part-03-classification/


Data Classification Policies:
- Labels.
- Clearance.

Shon Harris, Pages 197

Data Classification Policies:
- Formal Access Approval
- Need to know
- Least privilege


States of data video:
- https://www.cybrary.it/video/part-04-states-of-data/


Sensitive Information and Media Security:
- Sensitive information
- Data has 3 States
  - Data at Rest
  - Data in Motion
  - Data in Use

Shon Harris, Page 98

Question:
What would be a COMMON attack on our data at rest?
A. Eavesdropping.
B. All of these.
C. Cryptanalysis.
D. Shoulder surfing.


Question:
An attacker has stolen one of our backup tapes. What could prevent the data on the tape from being accessible?
A. Proper data retention.
B. Proper data storage.
C. Proper data encryption.
D. Proper data handling.


Sensitive Information and Media Security:
- Sensitive Information
- Data handling
- Data storage

Shon Harris, Pages 88

Sensitive Information and Media Security:
- Sensitive information
- Data retention

Shon Harris, Page 210

Data, system, mission ownership, custodians and users:
Each role has its own responsibilities for keeping the data safe.
- Mission/business owner.
- Data/information owner.
- System owner.
- Data custodian.
- Users.
- Data controllers and data processors.


Question:
When assigning sensitivity to our data, which of these should NOT be a factor?
A. Who will have access to the data.
B. What the data is worth.
C. How bad a data exposure would be.
D. How the data will be used.

Memory and Data Remanence:
- Data Remanence
- Memory
  - Cache Memory
  - ROM
  - PROM (Programmable read only memory)
  - EPROM (Erasable programmable read only memory)
  - EEPROM (Electrically erasable programmable read only memory)
  - PLD (Programmable logic devices)
Shon Harris, Pages 215

Memory and Data Remanence:
- RAM
  - SRAM and DRAM
  - SRAM (Static RAM)
  - DRAM (Dynamic RAM)
  - SDRAM (Synchronous DRAM)


Question:
We want to erase EPROM memory to update to the latest firmware. How would we do that?
A. Shine a UV light on the chip.
B. It can't be erased once it has been written.
C. We can use programs to erase the content.
D. Take the chip out of the motherboard and degauss it.

Question:
We have many different types of memory. Which type is volatile?
A. DRAM.
B. Flash Memory.
C. PROM.
D. EEPROM.


Memory and Data Remanence:
- Firmware and SSDs.
  - Firmware.
  - Flash memory.
  - SSD drives are a combination of EEPROM and DRAM.
  - ATA Secure Erase and/or destruction of SSD drives.


Question:
Senior leadership has approved the use of flash drives. Which type of memory do they use?
A. SDRAM.
B. EEPROM.
C. PROM.
D. DRAM.

Data Destruction:
- Paper disposal.
- Digital disposal.
- Deleting, formatting and overwriting.

Shon Harris, Pages 196

Data Destruction:
- Degaussing destroys magnetic media
- Full physical destruction
- Doing multiple types of data destruction


Question:
Which of these would be something we would consider for proper data disposal of SSD drives?
A. Deleting all files.
B. Degaussing.
C. Formatting.
D. Shredding.

Question:
We have chosen to use multiple types of data destruction on our sensitive data. Why would we do that?
A. To ensure data is still accessible after the destruction.
B. To make sure we have the old drives available.
C. To ensure there is no data remanence.
D. Because it is easier than just a single type of data destruction.


Data Security Controls and Frameworks:
- We use standards, baselines, scoping and tailoring
- Data at rest vs. data in motion
- PCI-DSS, ISO 27000, OCTAVE, COBIT or ITIL.
- Scoping
- Tailoring
- Classification
- Accreditation
Shon Harris, Pages 13

Data Security Controls and Frameworks:
- Governance standards and control frameworks.
  - PCI-DSS
  - OCTAVE
  - COBIT
  - COSO
  - ITIL
  - FRAP
Organizations publish their own documentation.

Data Security Controls and Frameworks:
- Governance standards and control frameworks
  - ISO 27000 series
  - ISO 27001
  - ISO 27002
  - ISO 27004
  - ISO 27005
  - ISO 27799

What we covered in the second CBK Domain:
- How we classify our data, object labels & subject clearance
- The different roles
- The 3 different states of data
- Volatile vs non-volatile memory
- Data remanence
- Data standards and frameworks


Question:
What are we trying to get rid of when we do our data disposal?
A. The data content.
B. The data in use.
C. Data remanence.
D. How long we keep the data.


Question:
As part of our backup policy we are deciding on how long we should keep our backups. What should we base that decision on?
A. 1 month, as long as we have a full backup of everything.
B. All data is required to be kept 1 year.
C. Forever, we can never get rid of backup data.
D. As long as it is useful or required, whichever is longer.