
DOMAIN 2

Protecting Security of Assets

CISSP CHAPTER 5

Table of Contents

01. Identify & Classify Info & Assets
02. Establish Info & Asset Handling Requirements
03. Data Protection Methods
04. Understanding Data Roles
05. Using Security Baselines
06. Summary

Identify & Classify Info & Assets

Sensitive Data
Information that is not public or unclassified and needs to be protected because of its value to the organization:

● Confidential
● Proprietary
● Protected

Personally Identifiable Info
- Info that can identify an individual

Protected Health Info
- Health-related info that can be related to an individual

Proprietary Data
- Data that helps organizations have an advantage over others

Data Classification
● Included in security policies
● Identifies the value of the data to the organization
● Critical to protecting data confidentiality & integrity

Data Classification – GOVT

Top Secret
● Top secret data is given the highest levels of protection and access is restricted to persons with a “need to know.”

Secret
● Unauthorized disclosure of secret data could be expected to cause serious damage to the national security that the authority is able to identify or describe.

Confidential
● Confidential is the lowest level of government classified data. Its release would cause some harm to national security.

Unclassified
● Unclassified is data that has no classification or is not sensitive.

Data Classification – NON-GOVT

Proprietary
● The highest level of classified data & a data breach would cause exceptionally grave damage to the mission of the organization

Private
● Data that should stay private within the organization

Sensitive
● Similar to Confidential Data & data breach would cause damage to the mission of the organization

Public
● Similar to Unclassified Data. Data which is available to public.

Asset Classification
● Must match Data Classification
● E.g., if a media device contains top secret data, the media device must be classified as top secret

Data States

At Rest
● Data in Databases, Data Warehouses, Spreadsheets etc.

In Transit
● A stream of Data moving through any kind of network

In Use
● Active Data stored in non-persistent digital states
● Computer RAM, CPU Caches

Compliance Requirements
● Regulatory compliance requires companies to analyze their unique requirements and any mandates specific to their industry.
● The info sec practitioner must identify the source of the compliance expectation, the info to be protected, the level of protection, and the means by which proof can be supplied to demonstrate the effectiveness of the controls.

Data Security Controls
● Used to safeguard sensitive and important information and to provide countermeasures against its unauthorized use.
● Help to counteract, detect, minimize or avoid security risks to computer systems, data, or another information set, slowing down or stopping any possible malicious attack on data assets.

Establishing Info & Asset Handling Requirements

Data Maintenance
● Efforts to organize and care for data throughout its lifetime.
● Sensitive data stored on multiple servers and mixed with non-sensitive data is harder to protect.

Data Loss Prevention
● DLP systems attempt to detect and block data exfiltration attempts (they scan unencrypted data looking for keywords and data patterns).
● 2 Types of DLP:
1. Network Based DLP
2. Endpoint Based DLP
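
An added example, not part of the original slides: a minimal content-inspection pass of the kind described above, matching keywords and data patterns in outbound data and sending content it cannot read to review. The keyword list, regexes, entropy threshold and function names are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Classification labels taken from this deck; a real policy would list its own.
KEYWORDS = ("top secret", "secret", "confidential", "proprietary", "private", "sensitive")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate payment card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # US SSN layout (format only)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; near 8 suggests encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan(payload: bytes) -> tuple[str, list[str]]:
    """Return (verdict, findings) for one outbound payload."""
    if entropy(payload) > 7.0:             # assumed threshold
        # Content inspection cannot read ciphertext; route it to review instead.
        return "review", ["opaque content"]
    text = payload.decode("utf-8", errors="replace")
    findings = [f"keyword:{k}" for k in KEYWORDS
                if re.search(rf"\b{re.escape(k)}\b", text, re.IGNORECASE)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(f"card:****{digits[-4:]}")   # never log the full number
    findings += ["ssn-pattern" for _ in SSN_RE.finditer(text)]
    return ("block" if findings else "allow"), findings

if __name__ == "__main__":
    # Constructed sample payloads, not real data.
    for sample in (b"CONFIDENTIAL: card 4111 1111 1111 1111",
                   b"Invoice ref 1234567890123456 shipped Tuesday",
                   bytes(range(256))):
        print(scan(sample))
```

The Luhn check is what keeps an ordinary 16-digit reference number from being blocked as a card number.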

Marking Sensitive Data & Assets
● Labeling sensitive info ensures that personnel can easily recognize the data’s value, protect it accordingly & ensure its proper availability, confidentiality and integrity.

Handling Sensitive Data & Assets
● Data must receive the same level of protection during transport as it has when it is stored. Appropriate secure transportation is based on the value and classification of the information being transferred.

Limit Data Collection
● One way to prevent the loss of data is to simply not collect it.
● If the data doesn’t have a clear purpose for use, don’t collect and store it.

Data Location
● Refers to the location of data backups or data copies.
● Best practice is to keep a backup copy on site and another backup copy off site.

Storing Sensitive Data
● Appropriate security (according to its sensitivity) needs to be applied to data when stored.
● Encryption & backup options ensure the protection of data against loss due to theft or compromise.

Destruction of Data
● When data is no longer needed, it must be destroyed in such a way as to ensure there is no data remanence left on electronic media.
● Data Remanence: data that remains on media after it was supposedly erased. If media includes any type of private and sensitive data, it is important to eliminate data remanence.
● Cryptographic Erasure: destroy the encryption key, or both the encryption key and decryption key if used.

Common Destruction Methods

Clearing/Overwriting
● Makes the original data unrecoverable by replacing its memory location with the fixed or random patterns of zeros and ones.

Degaussing
● Removes the magnetic field patterns on tapes or disk drives to return them to their original state with data wiped and unrecoverable.

Purging
● More intense form of clearing that prepares media for reuse in less secure environments.

Destruction
● Final stage in the lifecycle of media and is the most secure method of sanitizing media.
● Eg. Shredding, incineration

Ensuring Appropriate Data & Asset Retention
● Record retention involves retaining and maintaining important information as long as it is needed and destroying it when it is no longer needed.

Data Protection Methods

Digital Rights Management
