CISSP Domain 2: Asset Security - Core Principles for Protecting Data
- 2. Data Classification Asset Classification 2.1 IDENTIFYING AND CLASSIFYING INFORMATION AND ASSETS CISSP DOMAIN 2 For Official Use Only (FOUO): Limited distribution, official use Sensitive But Unclassified (SBU): Sensitive, not national security classified Top Secret: Highest security level, severe damage Secret: Highly sensitive information, significant harm Confidential: Restricted access information, moderate harm Unclassified: Tangible Assets: Physical items, visible and measurable Intangible Assets: Non-physical, intellectual property, reputation Critical Assets: Essential for operations, high importance Non-critical Assets: Low importance, not vital www.infosectrain.com
- 3. www.infosectrain.com 2.2 ESTABLISHING INFORMATION AND ASSET HANDLING REQUIREMENTS CISSP DOMAIN 2 Data Maintenance Data Loss Prevention (DLP) Marking Sensitive Data and Assets Handling Sensitive Information and Assets Data Collection Limitation Data Location Storing Sensitive Data Data Destruction Importance: Ensures data security throughout its lifecycle Best Practices: Regular updates, backups, and audits Importance: Prevents unauthorized data leaks Techniques: Monitoring, encryption, access control Importance: Identifies and protects critical data Classification: Confidential, Public, etc. Procedures: Guidelines for secure management Access Control: Role-based restrictions Purpose: Collect necessary data only Minimization Principles: Reduces risk exposure Residency: Compliance with data storage regulations Cloud vs. On-premises: Balances flexibility and security Secure Storage: Physical and digital protection Encryption: Ensures confidentiality Methods: Shredding, wiping Compliance: Meets legal standards
- 4. www.infosectrain.com Information and Asset Ownership Asset Management Asset Inventory Hardware Assets: Servers, Workstations, Networking Equipment Software Assets: Operating Systems, Applications Intangible Assets: Intellectual Property, Digital Assets Physical Controls: Locks, Security Cameras, Access Control Systems Technical Controls: Encryption, Access Controls, Firewalls Administrative Controls: Policies, Procedures, Training Procurement: Secure acquisition of assets Maintenance: Regular updates, patches, and repairs Disposal: Secure destruction or recycling of assets Identification and Classification Protection and Controls Lifecycle Management CISSP DOMAIN 2 2.3 PROVISION RESOURCES SECURELY Understanding who owns data and assets Definition and Importance Ensuring accountability and responsibility for data protection Asset Classification: Public, Private, Confidential, Sensitive Tagging and Labeling: Physical and digital marking of assets
- 5. www.infosectrain.com 2.4 MANAGE DATA LIFECYCLE CISSP DOMAIN 2 Data Location: Physical/logical storage locations Data Collection: Gather information systematically Data Roles Data Destruction Data Remanence: Residual data after deletion Data Maintenance: Keep data accurate and up-to-date Data Retention: Determine how long to keep data Owners: Responsible for data governance and policies Controllers: Decide how and why data is processed Custodians: Ensure safe custody and storage of data Processors: Process data as instructed by controllers Users and Data Subjects: Access and use data; individuals whose data is processed Clearing: Overwriting data Purging: Making data unrecoverable Degaussing: Erasing magnetic fields Destruction: Physically destroying media Overview: Final data disposal Methods of Sanitization
- 6. www.infosectrain.com 2.5 ENSURING APPROPRIATE DATA AND ASSET RETENTION CISSP DOMAIN 2 Retention Requirements Other Significant Terms Record Retention Legal and Regulatory Compliance GDPR, HIPAA, SOX Business Policies Data Classification Retention Periods Data Storage Solutions Disposal and Destruction End-of-Life (EOL): No longer manufactured or sold End-of-Support (EOS): No more updates or technical support End-of-Service-Life (EOSL): Complete end of any support and updates Company-specific data retention policies Alignment with business objectives Sensitive Data Non-Sensitive Data Determining timeframes for retaining records Legal and operational factors Physical and digital storage Security measures for data protection Secure disposal methods Compliance with regulations
- 7. www.infosectrain.com Scoping Tailoring Data actively being processed Security Measures Data States Standards Selection Scoping and Tailoring 2.6 DETERMINE DATA SECURITY CONTROLS AND COMPLIANCE REQUIREMENTS CISSP DOMAIN 2 In Use In Transit At Rest Access controls, data masking, endpoint security, application security Data moving across networks Security Measures Encryption protocols, secure tunneling, network security, secure email/file transfer Data stored on devices Security Measures Encryption, physical security, access control lists, regular backups Identify relevant systems Understand compliance requirements Assess impact and criticality Modify baseline controls Consider organizational context Ensure practicality and effectiveness Relevance: Select appropriate standards (ISO/IEC 27001, NIST SP 800-53, PCI DSS) Coverage: Comprehensive security aspects Compliance: Legal and regulatory requirements Integration: Align with existing policies
- 8. To Get More Insights Through Our FREE FOUND THIS USEFUL? Courses | Workshops | eBooks | Checklists | Mock Tests LIKE FOLLOW SHARE