SlideShare a Scribd company logo

CISSP - Chapter 2 - Asset Security

Download as PPTX, PDF
K
Karthikeyan Dhayalan

The document discusses information life cycle and asset security. It covers the following key points: 1. Information goes through a 4 phase life cycle of acquisition, use, archival, and disposal. Controls are needed at each phase to protect the information. 2. Data classification and categorization help determine the appropriate security controls for different types of sensitive data based on their value, sensitivity, and criticality. 3. Roles such as data owner, data custodian, and system owner are defined along with their responsibilities to ensure proper management and protection of data throughout its life cycle.

Education
1 of 59
Downloaded 957 times
1
2
Most read
3
4
5
6
7
8
9
Most read
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
Most read
59
Asset Security
Information Life Cycle • Data that is combined to form meaning • Information has worth to the organization • Information is either created or copied (predominantly copied) • 4 Phase life cycle • Acquisition • Use • Archival • Disposal
Information Life Cycle Acquisition •Copying or created •System data and business process data are attached •Information is indexed •Access control on data access implemented •Roll-back capability to be provided Use •Presents the most challenge in protection •Controls to ensure Internal consistencies Archival •Important to decide on the needs for backup and how they are protected •Need to decide on the retention period Disposal •Two key aspects •Data is indeed destroyed •It is destroyed correctly •How and where is stored is critical for destruction Data Backup Data Archive • Copy of current data set that is used as backup if loss of the original data set • It becomes less useful over time • Copy of data set that is no longer in use, but retained for use later • Data from original location is destroyed
Understanding Sensitive Data • The First step in Asset security is to classify and label the asset • What is Sensitive Data? • Any information that is not public or unclassified • Any type of data that an organization has value upon and shall protect or comply with law and regulations • Personally Identifiable Information • Any information that can identify an individual • Race, name, SSN, date, place of birth, biometric, medical, financial, employment information • Protected Health Information • An health related information that can be related to an individual • Oral or written information created or received by health care related entities • Relates to past, present or future medical information of an individual • Proprietary Data • Any data that helps an organization to maintain a competitive edge • If lost, it can seriously affect the primary mission of an organization
Information Classification • Refers to the practice of differentiating between different types of information assets and providing some guidance as to how they must be protected • It is an ongoing process and not one-time effort • Important metadata item that should be attached to all information is ~ classification level • The classification level should be always attached throughout the lifecycle of the information
Information Classification • Classification • Identifies the value of the data to the organization • It also identifies how data owners can determine the proper classification, and personnel should protect data based on classification • Classification authority is the one who applies the original classification to the sensitive data • Categorization • Process of determining the impact due to the loss of CIA of information to an organization • Classification and categorization help to set baselines for information systems
Information Classification • Information is classified by Sensitivity, criticality or both • Sensitivity: • Loss to an organization if the information is released to unauthorized entities • Organizations can loose trust and spend expensive response efforts in remediation • Criticality • Indicator of how the loss will impact the fundamental business process of the organization • It is that which is required for the organization to continue business
Information Classification • Primary Purpose: • Helps indicate the level of confidentiality, integrity and availability protection that is needed for each type of data • Helps ensure data is protected in a most cost effective manner • Each classification should have separate handling requirements and procedures
Classification Guidelines • When classifying data, take into consideration • Who has access to data • How the data is secured • How long the data is retained • What methods used to dispose the data • Whether the data needs to be encrypted • What use of the data is appropriate • Keep the classification small • Classification should not be restrictive and detail oriented (either) • Each classification should be unique and separate from others; no overlap effects • Should outline how information is controlled and handled through its life cycle
Classification Procedure 1. Define Classification Levels 2. Criteria of classification levels 3. Data owners who will be responsible for Classification 4. Data custodians who will be responsible for maintaining data 5. Security controls for each classification level 6. Exception documentation to previous classification issues 7. Methods to transfer data ownership 8. Procedure to periodically review the classification and ownership 9. Declassification procedures 10. Classification awareness to all employees
Data Policy • Defines strategic long term goals for data management across all aspects of project or enterprise • High level principles that establish a guiding framework for data management • It should be flexible and dynamic • Should be readily adaptable for unforeseen circumstances, changing projects, potentially opportunistic partnerships while still maintaining its guiding strategic focus
Data Policy Definition considerations • Cost of providing access to data vs cost of providing the data Cost • Who owns the data and who maintains the data Ownership & Custodianship • What data is private, what data is made public Privacy • How protected the organization is from legal recourse Liability • What type of data is in question; what is the impact, type and level of threat, vulnerability for the data Sensitivity • May have impact on enterprise data policy Existing Law and Policy Requirements • Consideration should be given to legal request for data and policies that may need to be put in places Policy & Process
Roles and Responsibilities • Objectives of defining roles and responsibilities • Clearly define roles associated with functions • Establish data ownership through out the life cycle of the data • Instill data accountability • Ensure adequate, agreed-upon data quality and meta data metrics are maintained on a continuous basis
Data Owner • Key aspect of good data management involves identification of information owner • Individual or group that created, acquired or purchased information that supports the mission of the organization • Has legal rights over the data • Ownership implies the right to exploit the data as well as the right to destroy it
Data Owner - Responsibilities • Determine the impact the information has on the organization • Understand the replacement cost of the information • Establish the rules of appropriate use and protection of information • Decide who has access to the information and what privilege • Know when the information is inaccurate or no longer needed and should be destroyed • Provide input to system owners regarding security requirements and controls for the information system that hold the data • Assist in identification and assessment of common security controls • Delegates day-to-day maintenance to the data custodian
Data Owner - Responsibilities • Data Owner shall establish and document the following • The ownership, IP rights and copyrights for their data • The statutory and non-statutory requirements relevant to their business to ensure the data is compliant • The policies for data security, disclosure, pricing and dissemination • Contracts with users and customers on conditions of use, before the data is released
Data Custodian • Data custodian ensures important data sets are developed, maintained and are accessible within their defined specifications. • Best handled by entity that is most familiar with a datasets content and its management criteria • Responsibilities include • Adherence to data owner guidelines • Ensure access to appropriate users and maintaining appropriate level of security • Dataset maintenance, including data storage and archival • Dataset documentation, including changes to documentation • Quality Assurance and validation to assure ongoing data integrity
System Owner • A person who owns the system processing sensitive information • One system may have multiple information owners • Responsibilities • Develop a system security plan in coordination with Information owners • Maintain the plan and ensure it operates according to the agreed security requirements • Ensure system users and support personal get security training • Update the plan whenever major change happens • Assist in identification, implementation and assessment of common security controls
Other Roles • Security Administrator: • Responsible for maintaining specific security devices • Creating new user accounts, implementing new security software, testing security patches • Has the main focus of keeping the network secure; network administrator has main focus on keep the IT running • Supervisor • Ultimately responsible for all actions of the users under them • Responsible for making sure access changes are done for user accounts as and when there is change in user role
Other Roles • Data Analyst: • Ensures data is stored in a way that makes more sense to the company • Responsible for architecting a new system that will hold company information or advice in purchase of a product • Works with data owners to help ensure that the structures setup support business objectives • Change Control Analyst • Responsible for approving or rejecting requests to make changes to the IT environment • Makes sure certain changes do not introduce new vulnerabilities, it has been tested, and it is properly rolled out
Other roles • Data processor is an individual or organization that processes personal data solely on behalf of data controller • Data Controller is an entity that controls processing of personal data • Users are those who access data to accomplish work tasks. They should have access to only the data they need to perform their work
Data Quality • Data Quality determines the fitness for use or potential use of data • 2 factors considered for setting data quality expectations are • Frequency of Incorrect data fields or errors • Significance of error within a data field • Errors are more likely be determined when expectations are clearly documented • 2 Keys to improve data quality are • Prevention • Correction • Documentation is key to good data quality • Two types of data documentation • Records what data checks have been done and what changes have been made and by whom • Metadata that records information at the dataset level
Data Quality • Data Quality is assessed by applying Verification and validation procedures • Helps ensure data is valid and reliable Verification Process of checking the completeness, correctness and compliance of a dataset to ensure the data is what it claims to be Checks that the digitized data matches the source data Can be done by personnel who are less familiar with the data Validation Evaluates verified data to determine if data quality goals have been achieved and the reasons for deviation It follows data verification Checks that the data makes sense Requires in-depth knowledge about the data and should be conducted by experienced personnel
Data Quality Quality Control Assessment of data quality based on Internal standards, processes, and procedures established to control and monitor quality Quality control procedures monitor and evaluate the resulting products Quality Assurance Assessment of quality based on standards external to the process and involves reviewing of activities and QC processes to ensure final product meets predetermined quality standard Maintains quality through-out all stages of data development
Quality Control and Assurance • QA/QC are designed to prevent data contamination due to two fundamental types of errors • Errors of omission • Insufficient documentation of legitimate data values • They are harder to detect and correct • Can be revealed by rigorous QC procedures • Errors of commission • Caused by data entry, transcription or malfunctioning equipment • This is common, fairly easy to identify and effectively reduced by QA measures in data acquisition process as well as QC procedures after the data has been acquired
Stage of Data Management Process • Capture/Collect • Digitization • Storage • Analysis • Presentation • Use
Data Documentation • It is critical to ensure datasets are useable well into the future • The first step in data management process is to enter data into a electronic system • Objectives of Data documentation are • Ensure the longevity of the data and their re-use for multiple purposes • Ensures data users understand the context and limitations of datasets • Facilitate discovery of datasets • Facilitate interoperability of datasets and data exchange
Dataset titles and filenames • Titles and filenames should be descriptive • Should reflect the contents of the file and include enough information to uniquely identify the data file • Filename should be provided in the first line of the header rows in the file itself • Names should only contain numbers, letters, dashes and underscore • Lowercase is, less software and platform dependent, and hence is preferable • File name should not be more than 64 characters • Versioning and file creation date will help user know if they are using the correct file
Metadata • Definition: Set of data that gives information about other data • Three types of metadata: • Descriptive metadata: • Describes a resource for discovery and identification • title, keyword, tag, author • Structural metadata: • Facilitates navigation and presentation of electronic information; provides information about internal structure; binds related files • TOC, index, chapters, title page • Administrative metadata: • Provides information to help manage a resource • Filetype, who created, when it was created
Data Standard • Rules by which data are described and recorded • When adopting a standard adopt a minimally complex standard that addresses the largest audience • Benefits of data standard • More efficient data management • Increased data sharing • Higher data quality • Improved data consistency • Increased data integration • Better understanding of the data • Improved documentation of information resoruces
Data Lifecycle Control • Data management includes • Data specification and modeling • Database maintenance and security • Ongoing Audit • Archiving
Data Specification and Modelling • Successful database planning requires thorough user requirements analysis and followed by data modeling • Data modelling is the methodology that identifies the path to meet user requirements • Data modelling should be iterative and interactive • Data model consists of written documentation of the concepts to be stored in the database, their relationships, and diagram showing those concepts and their relationships • Data model is the tool to help the design and program teams understand the nature of information to be stored • Data model helps in communication between data content experts specifying what the databases need to do and database developers who are building the database
Database maintenance • Technology obsolescence is a significant cause for information loss • Major changes to hardware/software should be noticed and data should be migrated to newer platforms • Data should be stored in formats that are independent of specific platform or software • Versioning should be used in multi-user environments • Database management requires day-to-day system administration
Data Audit • Data audit process involves: • Identifying the information needs of the organization and assigning a level of strategic importance • Identifying the resources and services currently provided to meet those needs • Benefits of data audit are: • Awareness of data holdings • Promote capacity planning • Facilitate data sharing and reuse • Monitor data holding and avoid data leaks • Recognition of data management practices • Promote efficient use of resources and improved workflows • Increase ability to manage risks • Enable the development/refinement of data strategy
Data Retention • Data Retention Guidelines • Involve all stake holders in the process of aligning the business and legal requirements for the data retention policies • Establish common objectives for supporting archiving and data retention best practices • Monitor, review and update documented data retention policies and archiving procedures. • Data retention policy should • Outline the classification of records • Retention and destruction schedules • Parties responsible for retention and destruction • Procedures used for destruction • Training • Policy should answer the following questions • What data is stored? • How long is it stored? • Where is it stored?
Data Retention • For retained data to be useful, it should be accessible. Consider following issues for data accessibility • Taxonomy: • Scheme for classifying the data; could be functional, chronological, or combination of categories • Classification: • Sensitivity determines the controls we put in place during the lifecycle of the data • Normalization: • Data comes in many formats; storing the data in original format may render it inaccessible later in time; its prudent to tag data sets to ensure search ability and accessibility • Indexing: • Indexing archived data for future searches;
e-Discovery • Process of producing for a court or external attorney all ESI (Electronically Stored Information) pertinent to a legal proceeding • 8 Step Electronic Discovery Reference Model (EDRM) Identification Preservation Collection Process Review Analyze Production Presentation
Managing Sensitive Data • Marking (Labeling) • Ensures users can easily identify the classification of the data • It also includes digital marks or labels • Asset handling different classification of data, should be marked with the top most classification it handles • When media is found without label, it should be labeled with the highest level of sensitivity until appropriate analysis is done. • Handling • Refers to secure transport of media through its lifetime • Policies and procedures should be in place to ensure people understand how to handle sensitive data • Encryption is the obvious choice for protecting sensitive data at rest.
Data at rest • Three broad categories of encrypting tools for the data at rest • Self-encrypting USB Drives: • USB drives embed encryption algorithms within the Hard-drive • Everything in the drive is automatically encrypted • Files moving out of the drive are in decrypted state • Media Encryption Software: • Software used to encrypted the media • Flexibility of software allows encrypting various storage media types • Has the same problem as above, files outside the drive remain un-encrypted • File Encryption Software • Allows greater flexibility in encrypting specific files • Since encryption is applied at file level, it stays encrypted irrespective of the media it is stored.
Data in Transit • Mechanism to prevent content of the message is protected even if the message itself is intercepted. • Link encryption • Performed by service providers • Encrypts all data, including routing data, along a communications path • Communications nodes need to decrypt data in order to continue routing • It provides traffic confidentiality better than end-to-end encryption • Prevents inference attack • End to End Encryption • Generally performed by end user • Encrypted at the start of the communication channel • Routing information remains visible
Data in Use • Data residing in primary storage devices ~ Volatile memory (registers, memory cache, RAM) • Data in use generally cannot be protected by encryption • Attacks • Side Channel Attack: exploits information flow that is the electronic byproduct of a process (like encryption) • Data in use can be protected by • Ensuring software is tested against these attacks • Secure development process
Data Remanence • Data remanence is the data that remains in the hard drive as residual magnetic flux or after erasing • Data remanence in HDD is caused by the failure of the method used to clean the HDD • Commonly used method to address data remanence are • Erasing • Simple deletion process; does not remove the files, but only removes the catalog reference • Anyone can typically retrieve the data using widely available tools
Data Remanence • Clearing (overwriting/wiping/shredding) • Process of preparing media for reuse with assurance that cleared data cannot be retrieved using traditional recovery means • Unclassified data is written over all addressable locations on the media • Data recovery requires special laboratory techniques • Some media types don’t respond well to clearing • Purging • More intense form of clearing – repeats the clearing process multiple times • Provides assurance that data cannot be recovered using any known means • It can be combined with other means like degaussing to completely remove data
Data Remanence • Declassification • Any process that purges media or system in order for reuse in unclassified environment • Sanitization • Combination of process that ensures data is removed from the system • It ensures data cannot be recovered by any means • Includes ensuring non-volatile memory is erased, external drives removed and sanitized • Degaussing • Generates heavy magnetic fields which realign the magnetic fields in magnetic media, only effective on magnetic media (does not affect, CD/DVD/SSD) AC erasure – medium is degaussed by applying alternating field that is reduced in amplitude over time DC erasure – medium is saturated by applying a unidirectional field
Asset Management • Asset management is the foundation for Information Security • Inventory management deals with what assets are there, where they reside and who owns them • Configuration management adds a relationship dynamic relating the other items in the inventory • IT Asset Management (ITAM) introduces financial aspects of the asset – cost, value and contractual status • ITAM also refers to full lifecycle management of the asset • ITAM is designed to manage the physical, contractual and financial aspects of the asset
Asset Management Enablers • A single, centralized, relational repository • Organizational alignment and defined process • Scalable technologies and infrastructure
Equipment Lifecycle • All equipment's have a useful life; they get depreciated over time or when they are no longer capable of performing its tasks • Common Lifecycle tasks • Defining Requirements • Ensure relevant security requirements are included • Ensure appropriate costs have been allocated for security • Ensure new equipment requirements fits into the organizational security architecture • Acquiring and Implementing • Validate security features are included as specified • Ensure additional security configurations are applied • Ensure security certification or accreditation process is followed • Ensure equipment is inventoried
Equipment Lifecycle • Operations and Maintenance • Ensure security features remain operational • Ensure appropriate support is available for security related concerns • Validate and verify inventories • Ensure changes to configuration of system are reviewed • Review equipment for vulnerability • Disposal and Decommission • Ensure secure erasure/ destruction or recycle • Ensure inventories are accurately updated to reflect the status of decommissioned equipment • Guiding principle for media erasure is to ensure that the enemies cost of recovering the data should be higher than the value of the data
Media Destruction • Specific destruction techniques include • Physically breaking the media apart • Chemically altering the media into non readable state • Phase transition • For magnetic media, raising its temperature above the Curie temperature • Crypto-erasure can be used in SSDs to sanitize the data
Safes Wall safe Embedded into wall and easily hidden Floor safe Embedded into floor and easily hidden Chests Stand-alone safes Depositories Safes with slots that all valuables to be easily slipped in Vaults Large enough to provide walk-in access
Data Leakage Prevention • Comprises actions that organizations take to prevent unauthorized external parties from gaining access to sensitive data • DLP is concerned with external parties • DLP should be integrated as part of Risk Management Approach • DLP technology determination aspects • Sensitive data awareness • Policy engine • Interoperability • Accuracy (most critical)
DLP Approach Data Inventory • Identify the data • Classify the data Data Flows • Plot the data flow over the lifecycle Data Protection Strategy • Perform Risk Assessment • Determine the DLP Solution Implementation, Testing and Tuning • Test for false positive, false negative • Misuse cases prioritization and testing
Data Protection Strategy Considerations • Backup and recovery • Data life cycle • Physical security • Security culture • Privacy • Organizational change
Network DLP • Applies DLP to data in motion • Normally implemented as dedicated appliances at perimeter • Drawback: • It will not protect data on devices that are not on the organization network • Does not have capability to decrypt encrypted tunnels • High cost forces organizations to deploy only at network choke points instead of throughout the network
Endpoint DLP • Applies DLP to data in use and data in rest • An agent is installed on end-systems • Allows more degree of protection than NDLP • Drawback: • Complexity • Agent management • Cost could be much higher than the NDLP • Unaware to data-in-motion protection violations
Hybrid DLP • Deploy both EDLP and NDLP • Costliest and most complex approach • Offers the best coverage and protection
Mobile Device Protection • Mechanisms to protect mobile devices are • Inventory all mobile devices ~ identification • Harden the mobile OS • Password protect the BIOS • Register the device with vendor and get notified if the device is submitted for repair • Do not check-in as luggage in airport • Do not leave the device unattended • Engrave identification mark • Use slot lock • Backup data at regular intervals • Encrypt • Enable remote wiping
Baselining / Scoping / Tailoring • Baseline provides a starting point and ensure a minimum security standard • Scoping refers to reviewing baseline security controls and choosing only those controls that apply to the IT system to be protected • Tailoring refers to modifying the list of security controls within a baseline so that they align with the business mission • Supplementation involves adding assessment procedures to adequately meet the risk management needs of the organization
Karthikeyan Dhayalan MD & Chief Security Partner www.cyintegriti.com

More Related Content

PPTX
CISSP Chapter 7 - Security Operations
Karthikeyan Dhayalan
 
PPTX
CISSP - Security Assessment
Karthikeyan Dhayalan
 
PPTX
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
PPTX
CISSP - Chapter 3 - CPU Architecture
Karthikeyan Dhayalan
 
PPTX
CISSP - Chapter 4 - Network Topology
Karthikeyan Dhayalan
 
PPTX
Chapter 5 - Identity Management
Karthikeyan Dhayalan
 
PPTX
CISSP - Chapter 4 - Network Fundamental
Karthikeyan Dhayalan
 
PPTX
CISSP - Chapter 4 - Intranet and extranets
Karthikeyan Dhayalan
 
CISSP Chapter 7 - Security Operations
Karthikeyan Dhayalan
 
CISSP - Security Assessment
Karthikeyan Dhayalan
 
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
CISSP - Chapter 3 - CPU Architecture
Karthikeyan Dhayalan
 
CISSP - Chapter 4 - Network Topology
Karthikeyan Dhayalan
 
Chapter 5 - Identity Management
Karthikeyan Dhayalan
 
CISSP - Chapter 4 - Network Fundamental
Karthikeyan Dhayalan
 
CISSP - Chapter 4 - Intranet and extranets
Karthikeyan Dhayalan
 

What's hot (20)

PPTX
CISSP - Software Development Security
Karthikeyan Dhayalan
 
PPTX
CISSP - Chapter 1 - Security Concepts
Karthikeyan Dhayalan
 
PPTX
CISSP Chapter 1 Risk Management
Karthikeyan Dhayalan
 
PDF
Data Loss Prevention: Challenges, Impacts & Effective Strategies
Seccuris Inc.
 
PPTX
Chapter 1 Personal security
Karthikeyan Dhayalan
 
PPTX
Chapter 1 Law & Ethics
Karthikeyan Dhayalan
 
PDF
1. Security and Risk Management
Sam Bowne
 
PDF
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
PDF
Security Awareness Training
Daniel P Wallace
 
PDF
1. Security and Risk Management
Sam Bowne
 
PPT
Building An Information Security Awareness Program
Bill Gardner
 
PDF
Introduction to Cybersecurity
Krutarth Vasavada
 
PPTX
Cissp- Security and Risk Management
Hamed Moghaddam
 
PPTX
CISSP Chapter 1 BCP
Karthikeyan Dhayalan
 
PPTX
Incident response
Anshul Gupta
 
PDF
Introduction: CISSP Certification
Sam Bowne
 
PPTX
Data Loss Prevention
dj1arry
 
PPT
It Policies
James Sutter
 
PPTX
HITRUST Certification
ControlCase
 
PPTX
The Six Stages of Incident Response - Auscert 2016
Ashley Deuble
 
CISSP - Software Development Security
Karthikeyan Dhayalan
 
CISSP - Chapter 1 - Security Concepts
Karthikeyan Dhayalan
 
CISSP Chapter 1 Risk Management
Karthikeyan Dhayalan
 
Data Loss Prevention: Challenges, Impacts & Effective Strategies
Seccuris Inc.
 
Chapter 1 Personal security
Karthikeyan Dhayalan
 
Chapter 1 Law & Ethics
Karthikeyan Dhayalan
 
1. Security and Risk Management
Sam Bowne
 
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
Security Awareness Training
Daniel P Wallace
 
1. Security and Risk Management
Sam Bowne
 
Building An Information Security Awareness Program
Bill Gardner
 
Introduction to Cybersecurity
Krutarth Vasavada
 
Cissp- Security and Risk Management
Hamed Moghaddam
 
CISSP Chapter 1 BCP
Karthikeyan Dhayalan
 
Incident response
Anshul Gupta
 
Introduction: CISSP Certification
Sam Bowne
 
Data Loss Prevention
dj1arry
 
It Policies
James Sutter
 
HITRUST Certification
ControlCase
 
The Six Stages of Incident Response - Auscert 2016
Ashley Deuble
 
Ad

Similar to CISSP - Chapter 2 - Asset Security (20)

PPTX
Domain 2 - Asset Security
Maganathin Veeraragaloo
 
PPTX
CISSP Domain 02 Asset Securitycissp.pptx
gealehegn
 
PPTX
CISSP-Asset Security -Domain 2 Overview-Edited.pptx
macraaiclass
 
PPTX
CISSP Certification-Asset Security
Hamed Moghaddam
 
PPT
Lecture Data Classification And Data Loss Prevention
Nicholas Davis
 
PPT
Data Classification And Loss Prevention
Nicholas Davis
 
PPT
Lecture data classification_and_data_loss_prevention
Nicholas Davis
 
PDF
How to Build and Implement your Company's Information Security Program
Financial Poise
 
PPTX
Electronic data & record management
GreenLeafInst
 
PPT
Security Management Practices
amiable_indian
 
PPTX
Introduction to Network Security
John Ely Masculino
 
PPTX
Cybertopicsecurity_3
Anne Starr
 
PPTX
Computer security concepts
Prachi Gulihar
 
PPTX
Data Management - NA CACS 2009
CISA1567
 
PPT
Lecture 2 - Security Requirments.ppt
DrBasemMohamedElomda
 
PPT
Testing
lorenceman
 
PPTX
gkknwqeq3232,sqSecurity essentials domain 3
Anne Starr
 
PPT
4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt
nasirmehmood929552
 
PPT
4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt
nasirmehmood929552
 
PDF
Solutions for privacy, disclosure and encryption
Trend Micro
 
Domain 2 - Asset Security
Maganathin Veeraragaloo
 
CISSP Domain 02 Asset Securitycissp.pptx
gealehegn
 
CISSP-Asset Security -Domain 2 Overview-Edited.pptx
macraaiclass
 
CISSP Certification-Asset Security
Hamed Moghaddam
 
Lecture Data Classification And Data Loss Prevention
Nicholas Davis
 
Data Classification And Loss Prevention
Nicholas Davis
 
Lecture data classification_and_data_loss_prevention
Nicholas Davis
 
How to Build and Implement your Company's Information Security Program
Financial Poise
 
Electronic data & record management
GreenLeafInst
 
Security Management Practices
amiable_indian
 
Introduction to Network Security
John Ely Masculino
 
Cybertopicsecurity_3
Anne Starr
 
Computer security concepts
Prachi Gulihar
 
Data Management - NA CACS 2009
CISA1567
 
Lecture 2 - Security Requirments.ppt
DrBasemMohamedElomda
 
Testing
lorenceman
 
gkknwqeq3232,sqSecurity essentials domain 3
Anne Starr
 
4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt
nasirmehmood929552
 
4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt
nasirmehmood929552
 
Solutions for privacy, disclosure and encryption
Trend Micro
 
Ad

Recently uploaded (20)

PDF
Pre independence Education in Inndia.pdf
goofy5603
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PDF
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
PPTX
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
PDF
Open folder Downloads.pdf yes yes ges yes
JaybeeMacadangdang
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PPTX
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
PPTX
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
PDF
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
pascalgumisiriza1
 
PDF
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
PDF
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PPTX
master seminar digital applications in india
ananyaray35
 
Pre independence Education in Inndia.pdf
goofy5603
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
Open folder Downloads.pdf yes yes ges yes
JaybeeMacadangdang
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
pascalgumisiriza1
 
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
master seminar digital applications in india
ananyaray35
 

CISSP - Chapter 2 - Asset Security

  • 2. Information Life Cycle • Data that is combined to form meaning • Information has worth to the organization • Information is either created or copied (predominantly copied) • 4 Phase life cycle • Acquisition • Use • Archival • Disposal
  • 3. Information Life Cycle Acquisition •Copying or created •System data and business process data are attached •Information is indexed •Access control on data access implemented •Roll-back capability to be provided Use •Presents the most challenge in protection •Controls to ensure Internal consistencies Archival •Important to decide on the needs for backup and how they are protected •Need to decide on the retention period Disposal •Two key aspects •Data is indeed destroyed •It is destroyed correctly •How and where is stored is critical for destruction Data Backup Data Archive • Copy of current data set that is used as backup if loss of the original data set • It becomes less useful over time • Copy of data set that is no longer in use, but retained for use later • Data from original location is destroyed
  • 4. Understanding Sensitive Data • The First step in Asset security is to classify and label the asset • What is Sensitive Data? • Any information that is not public or unclassified • Any type of data that an organization has value upon and shall protect or comply with law and regulations • Personally Identifiable Information • Any information that can identify an individual • Race, name, SSN, date, place of birth, biometric, medical, financial, employment information • Protected Health Information • An health related information that can be related to an individual • Oral or written information created or received by health care related entities • Relates to past, present or future medical information of an individual • Proprietary Data • Any data that helps an organization to maintain a competitive edge • If lost, it can seriously affect the primary mission of an organization
  • 5. Information Classification • Refers to the practice of differentiating between different types of information assets and providing some guidance as to how they must be protected • It is an ongoing process and not one-time effort • Important metadata item that should be attached to all information is ~ classification level • The classification level should be always attached throughout the lifecycle of the information
  • 6. Information Classification • Classification • Identifies the value of the data to the organization • It also identifies how data owners can determine the proper classification, and personnel should protect data based on classification • Classification authority is the one who applies the original classification to the sensitive data • Categorization • Process of determining the impact due to the loss of CIA of information to an organization • Classification and categorization help to set baselines for information systems
  • 7. Information Classification • Information is classified by Sensitivity, criticality or both • Sensitivity: • Loss to an organization if the information is released to unauthorized entities • Organizations can loose trust and spend expensive response efforts in remediation • Criticality • Indicator of how the loss will impact the fundamental business process of the organization • It is that which is required for the organization to continue business
  • 8. Information Classification • Primary Purpose: • Helps indicate the level of confidentiality, integrity and availability protection that is needed for each type of data • Helps ensure data is protected in a most cost effective manner • Each classification should have separate handling requirements and procedures
  • 9. Classification Guidelines • When classifying data, take into consideration • Who has access to data • How the data is secured • How long the data is retained • What methods used to dispose the data • Whether the data needs to be encrypted • What use of the data is appropriate • Keep the classification small • Classification should not be restrictive and detail oriented (either) • Each classification should be unique and separate from others; no overlap effects • Should outline how information is controlled and handled through its life cycle
  • 10. Classification Procedure 1. Define Classification Levels 2. Criteria of classification levels 3. Data owners who will be responsible for Classification 4. Data custodians who will be responsible for maintaining data 5. Security controls for each classification level 6. Exception documentation to previous classification issues 7. Methods to transfer data ownership 8. Procedure to periodically review the classification and ownership 9. Declassification procedures 10. Classification awareness to all employees
  • 11. Data Policy • Defines strategic long term goals for data management across all aspects of project or enterprise • High level principles that establish a guiding framework for data management • It should be flexible and dynamic • Should be readily adaptable for unforeseen circumstances, changing projects, potentially opportunistic partnerships while still maintaining its guiding strategic focus
  • 12. Data Policy Definition considerations • Cost of providing access to data vs cost of providing the data Cost • Who owns the data and who maintains the data Ownership & Custodianship • What data is private, what data is made public Privacy • How protected the organization is from legal recourse Liability • What type of data is in question; what is the impact, type and level of threat, vulnerability for the data Sensitivity • May have impact on enterprise data policy Existing Law and Policy Requirements • Consideration should be given to legal request for data and policies that may need to be put in places Policy & Process
  • 13. Roles and Responsibilities • Objectives of defining roles and responsibilities • Clearly define roles associated with functions • Establish data ownership through out the life cycle of the data • Instill data accountability • Ensure adequate, agreed-upon data quality and meta data metrics are maintained on a continuous basis
  • 14. Data Owner • Key aspect of good data management involves identification of information owner • Individual or group that created, acquired or purchased information that supports the mission of the organization • Has legal rights over the data • Ownership implies the right to exploit the data as well as the right to destroy it
  • 15. Data Owner - Responsibilities • Determine the impact the information has on the organization • Understand the replacement cost of the information • Establish the rules of appropriate use and protection of information • Decide who has access to the information and what privilege • Know when the information is inaccurate or no longer needed and should be destroyed • Provide input to system owners regarding security requirements and controls for the information system that hold the data • Assist in identification and assessment of common security controls • Delegates day-to-day maintenance to the data custodian
  • 16. Data Owner - Responsibilities • Data Owner shall establish and document the following • The ownership, IP rights and copyrights for their data • The statutory and non-statutory requirements relevant to their business to ensure the data is compliant • The policies for data security, disclosure, pricing and dissemination • Contracts with users and customers on conditions of use, before the data is released
  • 17. Data Custodian • Data custodian ensures important data sets are developed, maintained and are accessible within their defined specifications. • Best handled by entity that is most familiar with a datasets content and its management criteria • Responsibilities include • Adherence to data owner guidelines • Ensure access to appropriate users and maintaining appropriate level of security • Dataset maintenance, including data storage and archival • Dataset documentation, including changes to documentation • Quality Assurance and validation to assure ongoing data integrity
  • 18. System Owner • A person who owns the system processing sensitive information • One system may have multiple information owners • Responsibilities • Develop a system security plan in coordination with Information owners • Maintain the plan and ensure it operates according to the agreed security requirements • Ensure system users and support personal get security training • Update the plan whenever major change happens • Assist in identification, implementation and assessment of common security controls
  • 19. Other Roles • Security Administrator: • Responsible for maintaining specific security devices • Creating new user accounts, implementing new security software, testing security patches • Has the main focus of keeping the network secure; network administrator has main focus on keep the IT running • Supervisor • Ultimately responsible for all actions of the users under them • Responsible for making sure access changes are done for user accounts as and when there is change in user role
  • 20. Other Roles • Data Analyst: • Ensures data is stored in a way that makes more sense to the company • Responsible for architecting a new system that will hold company information or advice in purchase of a product • Works with data owners to help ensure that the structures setup support business objectives • Change Control Analyst • Responsible for approving or rejecting requests to make changes to the IT environment • Makes sure certain changes do not introduce new vulnerabilities, it has been tested, and it is properly rolled out
  • 21. Other roles • Data processor is an individual or organization that processes personal data solely on behalf of data controller • Data Controller is an entity that controls processing of personal data • Users are those who access data to accomplish work tasks. They should have access to only the data they need to perform their work
  • 22. Data Quality • Data Quality determines the fitness for use or potential use of data • 2 factors considered for setting data quality expectations are • Frequency of Incorrect data fields or errors • Significance of error within a data field • Errors are more likely be determined when expectations are clearly documented • 2 Keys to improve data quality are • Prevention • Correction • Documentation is key to good data quality • Two types of data documentation • Records what data checks have been done and what changes have been made and by whom • Metadata that records information at the dataset level
  • 23. Data Quality • Data Quality is assessed by applying Verification and validation procedures • Helps ensure data is valid and reliable Verification Process of checking the completeness, correctness and compliance of a dataset to ensure the data is what it claims to be Checks that the digitized data matches the source data Can be done by personnel who are less familiar with the data Validation Evaluates verified data to determine if data quality goals have been achieved and the reasons for deviation It follows data verification Checks that the data makes sense Requires in-depth knowledge about the data and should be conducted by experienced personnel
  • 24. Data Quality Quality Control Assessment of data quality based on Internal standards, processes, and procedures established to control and monitor quality Quality control procedures monitor and evaluate the resulting products Quality Assurance Assessment of quality based on standards external to the process and involves reviewing of activities and QC processes to ensure final product meets predetermined quality standard Maintains quality through-out all stages of data development
  • 25. Quality Control and Assurance • QA/QC are designed to prevent data contamination due to two fundamental types of errors • Errors of omission • Insufficient documentation of legitimate data values • They are harder to detect and correct • Can be revealed by rigorous QC procedures • Errors of commission • Caused by data entry, transcription or malfunctioning equipment • This is common, fairly easy to identify and effectively reduced by QA measures in data acquisition process as well as QC procedures after the data has been acquired
  • 26. Stage of Data Management Process • Capture/Collect • Digitization • Storage • Analysis • Presentation • Use
  • 27. Data Documentation • It is critical to ensure datasets are useable well into the future • The first step in data management process is to enter data into a electronic system • Objectives of Data documentation are • Ensure the longevity of the data and their re-use for multiple purposes • Ensures data users understand the context and limitations of datasets • Facilitate discovery of datasets • Facilitate interoperability of datasets and data exchange
  • 28. Dataset titles and filenames • Titles and filenames should be descriptive • Should reflect the contents of the file and include enough information to uniquely identify the data file • Filename should be provided in the first line of the header rows in the file itself • Names should only contain numbers, letters, dashes and underscore • Lowercase is, less software and platform dependent, and hence is preferable • File name should not be more than 64 characters • Versioning and file creation date will help user know if they are using the correct file
  • 29. Metadata • Definition: Set of data that gives information about other data • Three types of metadata: • Descriptive metadata: • Describes a resource for discovery and identification • title, keyword, tag, author • Structural metadata: • Facilitates navigation and presentation of electronic information; provides information about internal structure; binds related files • TOC, index, chapters, title page • Administrative metadata: • Provides information to help manage a resource • Filetype, who created, when it was created
  • 30. Data Standard • Rules by which data are described and recorded • When adopting a standard adopt a minimally complex standard that addresses the largest audience • Benefits of data standard • More efficient data management • Increased data sharing • Higher data quality • Improved data consistency • Increased data integration • Better understanding of the data • Improved documentation of information resoruces
  • 31. Data Lifecycle Control • Data management includes • Data specification and modeling • Database maintenance and security • Ongoing Audit • Archiving
  • 32. Data Specification and Modelling • Successful database planning requires thorough user requirements analysis and followed by data modeling • Data modelling is the methodology that identifies the path to meet user requirements • Data modelling should be iterative and interactive • Data model consists of written documentation of the concepts to be stored in the database, their relationships, and diagram showing those concepts and their relationships • Data model is the tool to help the design and program teams understand the nature of information to be stored • Data model helps in communication between data content experts specifying what the databases need to do and database developers who are building the database
  • 33. Database maintenance • Technology obsolescence is a significant cause for information loss • Major changes to hardware/software should be noticed and data should be migrated to newer platforms • Data should be stored in formats that are independent of specific platform or software • Versioning should be used in multi-user environments • Database management requires day-to-day system administration
  • 34. Data Audit • Data audit process involves: • Identifying the information needs of the organization and assigning a level of strategic importance • Identifying the resources and services currently provided to meet those needs • Benefits of data audit are: • Awareness of data holdings • Promote capacity planning • Facilitate data sharing and reuse • Monitor data holding and avoid data leaks • Recognition of data management practices • Promote efficient use of resources and improved workflows • Increase ability to manage risks • Enable the development/refinement of data strategy
  • 35. Data Retention • Data Retention Guidelines • Involve all stake holders in the process of aligning the business and legal requirements for the data retention policies • Establish common objectives for supporting archiving and data retention best practices • Monitor, review and update documented data retention policies and archiving procedures. • Data retention policy should • Outline the classification of records • Retention and destruction schedules • Parties responsible for retention and destruction • Procedures used for destruction • Training • Policy should answer the following questions • What data is stored? • How long is it stored? • Where is it stored?
  • 36. Data Retention • For retained data to be useful, it should be accessible. Consider following issues for data accessibility • Taxonomy: • Scheme for classifying the data; could be functional, chronological, or combination of categories • Classification: • Sensitivity determines the controls we put in place during the lifecycle of the data • Normalization: • Data comes in many formats; storing the data in original format may render it inaccessible later in time; its prudent to tag data sets to ensure search ability and accessibility • Indexing: • Indexing archived data for future searches;
  • 37. e-Discovery • Process of producing for a court or external attorney all ESI (Electronically Stored Information) pertinent to a legal proceeding • 8 Step Electronic Discovery Reference Model (EDRM) Identification Preservation Collection Process Review Analyze Production Presentation
  • 38. Managing Sensitive Data • Marking (Labeling) • Ensures users can easily identify the classification of the data • It also includes digital marks or labels • Asset handling different classification of data, should be marked with the top most classification it handles • When media is found without label, it should be labeled with the highest level of sensitivity until appropriate analysis is done. • Handling • Refers to secure transport of media through its lifetime • Policies and procedures should be in place to ensure people understand how to handle sensitive data • Encryption is the obvious choice for protecting sensitive data at rest.
  • 39. Data at rest • Three broad categories of encrypting tools for the data at rest • Self-encrypting USB Drives: • USB drives embed encryption algorithms within the Hard-drive • Everything in the drive is automatically encrypted • Files moving out of the drive are in decrypted state • Media Encryption Software: • Software used to encrypted the media • Flexibility of software allows encrypting various storage media types • Has the same problem as above, files outside the drive remain un-encrypted • File Encryption Software • Allows greater flexibility in encrypting specific files • Since encryption is applied at file level, it stays encrypted irrespective of the media it is stored.
  • 40. Data in Transit • Mechanism to prevent content of the message is protected even if the message itself is intercepted. • Link encryption • Performed by service providers • Encrypts all data, including routing data, along a communications path • Communications nodes need to decrypt data in order to continue routing • It provides traffic confidentiality better than end-to-end encryption • Prevents inference attack • End to End Encryption • Generally performed by end user • Encrypted at the start of the communication channel • Routing information remains visible
  • 41. Data in Use • Data residing in primary storage devices ~ Volatile memory (registers, memory cache, RAM) • Data in use generally cannot be protected by encryption • Attacks • Side Channel Attack: exploits information flow that is the electronic byproduct of a process (like encryption) • Data in use can be protected by • Ensuring software is tested against these attacks • Secure development process
  • 42. Data Remanence • Data remanence is the data that remains in the hard drive as residual magnetic flux or after erasing • Data remanence in HDD is caused by the failure of the method used to clean the HDD • Commonly used method to address data remanence are • Erasing • Simple deletion process; does not remove the files, but only removes the catalog reference • Anyone can typically retrieve the data using widely available tools
  • 43. Data Remanence • Clearing (overwriting/wiping/shredding) • Process of preparing media for reuse with assurance that cleared data cannot be retrieved using traditional recovery means • Unclassified data is written over all addressable locations on the media • Data recovery requires special laboratory techniques • Some media types don’t respond well to clearing • Purging • More intense form of clearing – repeats the clearing process multiple times • Provides assurance that data cannot be recovered using any known means • It can be combined with other means like degaussing to completely remove data
  • 44. Data Remanence • Declassification • Any process that purges media or system in order for reuse in unclassified environment • Sanitization • Combination of process that ensures data is removed from the system • It ensures data cannot be recovered by any means • Includes ensuring non-volatile memory is erased, external drives removed and sanitized • Degaussing • Generates heavy magnetic fields which realign the magnetic fields in magnetic media, only effective on magnetic media (does not affect, CD/DVD/SSD) AC erasure – medium is degaussed by applying alternating field that is reduced in amplitude over time DC erasure – medium is saturated by applying a unidirectional field
  • 45. Asset Management • Asset management is the foundation for Information Security • Inventory management deals with what assets are there, where they reside and who owns them • Configuration management adds a relationship dynamic relating the other items in the inventory • IT Asset Management (ITAM) introduces financial aspects of the asset – cost, value and contractual status • ITAM also refers to full lifecycle management of the asset • ITAM is designed to manage the physical, contractual and financial aspects of the asset
  • 46. Asset Management Enablers • A single, centralized, relational repository • Organizational alignment and defined process • Scalable technologies and infrastructure
  • 47. Equipment Lifecycle • All equipment's have a useful life; they get depreciated over time or when they are no longer capable of performing its tasks • Common Lifecycle tasks • Defining Requirements • Ensure relevant security requirements are included • Ensure appropriate costs have been allocated for security • Ensure new equipment requirements fits into the organizational security architecture • Acquiring and Implementing • Validate security features are included as specified • Ensure additional security configurations are applied • Ensure security certification or accreditation process is followed • Ensure equipment is inventoried
  • 48. Equipment Lifecycle • Operations and Maintenance • Ensure security features remain operational • Ensure appropriate support is available for security related concerns • Validate and verify inventories • Ensure changes to configuration of system are reviewed • Review equipment for vulnerability • Disposal and Decommission • Ensure secure erasure/ destruction or recycle • Ensure inventories are accurately updated to reflect the status of decommissioned equipment • Guiding principle for media erasure is to ensure that the enemies cost of recovering the data should be higher than the value of the data
  • 49. Media Destruction • Specific destruction techniques include • Physically breaking the media apart • Chemically altering the media into non readable state • Phase transition • For magnetic media, raising its temperature above the Curie temperature • Crypto-erasure can be used in SSDs to sanitize the data
  • 50. Safes Wall safe Embedded into wall and easily hidden Floor safe Embedded into floor and easily hidden Chests Stand-alone safes Depositories Safes with slots that all valuables to be easily slipped in Vaults Large enough to provide walk-in access
  • 51. Data Leakage Prevention • Comprises actions that organizations take to prevent unauthorized external parties from gaining access to sensitive data • DLP is concerned with external parties • DLP should be integrated as part of Risk Management Approach • DLP technology determination aspects • Sensitive data awareness • Policy engine • Interoperability • Accuracy (most critical)
  • 52. DLP Approach Data Inventory • Identify the data • Classify the data Data Flows • Plot the data flow over the lifecycle Data Protection Strategy • Perform Risk Assessment • Determine the DLP Solution Implementation, Testing and Tuning • Test for false positive, false negative • Misuse cases prioritization and testing
  • 53. Data Protection Strategy Considerations • Backup and recovery • Data life cycle • Physical security • Security culture • Privacy • Organizational change
  • 54. Network DLP • Applies DLP to data in motion • Normally implemented as dedicated appliances at perimeter • Drawback: • It will not protect data on devices that are not on the organization network • Does not have capability to decrypt encrypted tunnels • High cost forces organizations to deploy only at network choke points instead of throughout the network
  • 55. Endpoint DLP • Applies DLP to data in use and data in rest • An agent is installed on end-systems • Allows more degree of protection than NDLP • Drawback: • Complexity • Agent management • Cost could be much higher than the NDLP • Unaware to data-in-motion protection violations
  • 56. Hybrid DLP • Deploy both EDLP and NDLP • Costliest and most complex approach • Offers the best coverage and protection
  • 57. Mobile Device Protection • Mechanisms to protect mobile devices are • Inventory all mobile devices ~ identification • Harden the mobile OS • Password protect the BIOS • Register the device with vendor and get notified if the device is submitted for repair • Do not check-in as luggage in airport • Do not leave the device unattended • Engrave identification mark • Use slot lock • Backup data at regular intervals • Encrypt • Enable remote wiping
  • 58. Baselining / Scoping / Tailoring • Baseline provides a starting point and ensure a minimum security standard • Scoping refers to reviewing baseline security controls and choosing only those controls that apply to the IT system to be protected • Tailoring refers to modifying the list of security controls within a baseline so that they align with the business mission • Supplementation involves adding assessment procedures to adequately meet the risk management needs of the organization
  • 59. Karthikeyan Dhayalan MD & Chief Security Partner www.cyintegriti.com

Editor's Notes

  • #3: How presentation will benefit audience: Adult learners are more interested in a subject if they know how or why it is important to them. Presenter’s level of expertise in the subject: Briefly state your credentials in this area, or explain why participants should listen to you.