CISSP Domain 2 - Asset Security InfosecTrain .pdf
0 likes107 views
The document outlines data and asset classification as part of CISSP domain 2, detailing various security classifications such as confidential and unclassified and emphasizing the importance of data lifecycle management. It covers data handling, retention requirements, and compliance with legal standards, highlighting practices for protecting sensitive information. Additionally, it discusses asset management, encompassing the ownership and responsibility for safeguarding data and resources.
CISSP Domain 2 - Asset Security InfosecTrain .pdf
- 2. Data Classi๏ฌcation Asset Classi๏ฌcation 2.1 IDENTIFYING AND CLASSIFYING INFORMATION AND ASSETS CISSP DOMAIN 2 For Official Use Only (FOUO): Limited distribution, official use Sensitive But Unclassi๏ฌed (SBU): Sensitive, not national security classi๏ฌed Top Secret: Highest security level, severe damage Secret: Highly sensitive information, signi๏ฌcant harm Con๏ฌdential: Restricted access information, moderate harm Unclassi๏ฌed: Tangible Assets: Physical items, visible and measurable Intangible Assets: Non-physical, intellectual property, reputation Critical Assets: Essential for operations, high importance Non-critical Assets: Low importance, not vital www.infosectrain.com
- 3. www.infosectrain.com 2.2 ESTABLISHING INFORMATION AND ASSET HANDLING REQUIREMENTS CISSP DOMAIN 2 Data Maintenance Data Loss Prevention (DLP) Marking Sensitive Data and Assets Handling Sensitive Information and Assets Data Collection Limitation Data Location Storing Sensitive Data Data Destruction Importance: Ensures data security throughout its lifecycle Best Practices: Regular updates, backups, and audits Importance: Prevents unauthorized data leaks Techniques: Monitoring, encryption, access control Importance: Identi๏ฌes and protects critical data Classi๏ฌcation: Con๏ฌdential, Public, etc. Procedures: Guidelines for secure management Access Control: Role-based restrictions Purpose: Collect necessary data only Minimization Principles: Reduces risk exposure Residency: Compliance with data storage regulations Cloud vs. On-premises: Balances ๏ฌexibility and security Secure Storage: Physical and digital protection Encryption: Ensures con๏ฌdentiality Methods: Shredding, wiping Compliance: Meets legal standards
- 4. www.infosectrain.com Information and Asset Ownership Asset Management Asset Inventory Hardware Assets: Servers, Workstations, Networking Equipment Software Assets: Operating Systems, Applications Intangible Assets: Intellectual Property, Digital Assets Physical Controls: Locks, Security Cameras, Access Control Systems Technical Controls: Encryption, Access Controls, Firewalls Administrative Controls: Policies, Procedures, Training Procurement: Secure acquisition of assets Maintenance: Regular updates, patches, and repairs Disposal: Secure destruction or recycling of assets Identi๏ฌcation and Classi๏ฌcation Protection and Controls Lifecycle Management CISSP DOMAIN 2 2.3 PROVISION RESOURCES SECURELY Understanding who owns data and assets De๏ฌnition and Importance Ensuring accountability and responsibility for data protection Asset Classi๏ฌcation: Public, Private, Con๏ฌdential, Sensitive Tagging and Labeling: Physical and digital marking of assets
- 5. www.infosectrain.com 2.4 MANAGE DATA LIFECYCLE CISSP DOMAIN 2 Data Location: Physical/logical storage locations Data Collection: Gather information systematically Data Roles Data Destruction Data Remanence: Residual data after deletion Data Maintenance: Keep data accurate and up-to-date Data Retention: Determine how long to keep data Owners: Responsible for data governance and policies Controllers: Decide how and why data is processed Custodians: Ensure safe custody and storage of data Processors: Process data as instructed by controllers Users and Data Subjects: Access and use data; individuals whose data is processed Clearing: Overwriting data Purging: Making data unrecoverable Degaussing: Erasing magnetic ๏ฌelds Destruction: Physically destroying media Overview: Final data disposal Methods of Sanitization
- 6. www.infosectrain.com 2.5 ENSURING APPROPRIATE DATA AND ASSET RETENTION CISSP DOMAIN 2 Retention Requirements Other Signi๏ฌcant Terms Record Retention Legal and Regulatory Compliance GDPR, HIPAA, SOX Business Policies Data Classi๏ฌcation Retention Periods Data Storage Solutions Disposal and Destruction End-of-Life (EOL): No longer manufactured or sold End-of-Support (EOS): No more updates or technical support End-of-Service-Life (EOSL): Complete end of any support and updates Company-speci๏ฌc data retention policies Alignment with business objectives Sensitive Data Non-Sensitive Data Determining timeframes for retaining records Legal and operational factors Physical and digital storage Security measures for data protection Secure disposal methods Compliance with regulations
- 7. www.infosectrain.com Scoping Tailoring Data actively being processed Security Measures Data States Standards Selection Scoping and Tailoring 2.6 DETERMINE DATA SECURITY CONTROLS AND COMPLIANCE REQUIREMENTS CISSP DOMAIN 2 In Use In Transit At Rest Access controls, data masking, endpoint security, application security Data moving across networks Security Measures Encryption protocols, secure tunneling, network security, secure email/๏ฌle transfer Data stored on devices Security Measures Encryption, physical security, access control lists, regular backups Identify relevant systems Understand compliance requirements Assess impact and criticality Modify baseline controls Consider organizational context Ensure practicality and effectiveness Relevance: Select appropriate standards (ISO/IEC 27001, NIST SP 800-53, PCI DSS) Coverage: Comprehensive security aspects Compliance: Legal and regulatory requirements Integration: Align with existing policies
- 8. To Get More Insights Through Our FREE FOUND THIS USEFUL? Courses | Workshops | eBooks | Checklists | Mock Tests LIKE FOLLOW SHARE