Exam Essentials: Chapter 5

Chapter 5: Protecting Security of Assets

Understand the importance of data & asset classifications

  • Data owners are responsible for defining data and asset classifications and ensuring that data & systems are properly marked.
  • Additionally, data owners define requirements to protect data at different classifications, such as encrypting sensitive data at rest and in transit.
  • Data classifications are typically defined within security policies or data policies.

Know about PII and PHI

  • Personally identifiable information (PII) is any information that can identify an individual.
  • Protected health information (PHI) is any health-related information that can be related to a specific person.
  • Many laws & regulations mandate the protection of PII and PHI.

Know how to manage sensitive information

  • Sensitive information is any type of classified information; proper management helps prevent unauthorised disclosure resulting in a loss of confidentiality.
  • Proper management includes marking, handling, storing and destroying sensitive information.
  • The two areas in which organisations often miss the mark are:
    • adequately protecting backup media holding sensitive information
    • sanitising media or equipment at the end of its lifecycle.

Understand record retention

  • Record retention policies ensure that data is kept in a usable state while it is needed, and destroyed when it is no longer needed.
  • Many laws & organisations mandate keeping data for a specific amount of time, but in the absence of formal regulations, organisations specify the retention period within a policy.
  • Audit trail data needs to be kept long enough to reconstruct past incidents, but the organisation must identify how far back they want to investigate.
  • A current trend with many organisations is to reduce legal liabilities by implementing short retention policies with email.

Know the difference between different roles

  • The data owner is the person responsible for classifying, labelling & protecting data.
  • System owners are responsible for the systems that process the data.
  • Business & mission owners own the processes & ensure that the systems provide value to the organisation.
  • Data processors are often the third-party entities that process data for an organisation.
  • Administrators grant access to data based on guidelines provided by the data owners.
  • A user accesses data while performing work tasks.
  • A custodian has day-to-day responsibilities for protecting & storing data.

Understand GDPR security controls

  • GDPR mandates protection of privacy data. Two key security controls mentioned in the GDPR are:
    • encryption
    • pseudonymisation (replacing some data elements with pseudonyms, making it more difficult to identify individuals).
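To make the pseudonymisation control concrete, here is an added worked example (not part of the original notes or of the GDPR text) that replaces direct identifiers in a set of records with keyed-hash pseudonyms. The records, field names and the helper function names are constructed for illustration. The design point it demonstrates is the one that matters in practice: the same person gets the same pseudonym across records (so the data stays usable for analysis), but re-linking a pseudonym to a person requires the secret key, which must be stored separately from the pseudonymised data. An unkeyed hash would not give that property, because anyone could hash a guessed email address and compare.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people, not real PII/PHI).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "diagnosis": "flu"},
    {"name": "Bob Example", "email": "bob@example.org", "diagnosis": "asthma"},
    {"name": "Alice Example", "email": "Alice@Example.org", "diagnosis": "migraine"},
]

# Fields treated as direct identifiers in this example (an assumption;
# a real data policy would list them per classification).
DIRECT_IDENTIFIERS = ("name", "email")


def generate_key() -> bytes:
    # The pseudonymisation key is the secret that allows re-identification.
    # Store it separately from the pseudonymised data set (e.g. in a KMS/HSM).
    return secrets.token_bytes(32)


def normalise(value: str) -> str:
    # Trim and lower-case so that "Alice@Example.org " and "alice@example.org"
    # map to the same pseudonym; otherwise the data set cannot be joined.
    return value.strip().lower()


def pseudonym(value: str, key: bytes) -> str:
    # HMAC-SHA256 keyed hash, truncated to 16 hex characters for readability.
    # Without the key, a pseudonym cannot be recomputed from a guessed value.
    digest = hmac.new(key, normalise(value).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymise(records, key: bytes, fields=DIRECT_IDENTIFIERS):
    # Returns new records; the input list is left unchanged.
    out = []
    for rec in records:
        new = dict(rec)
        for field in fields:
            if field in new:
                new[field] = pseudonym(new[field], key)
        out.append(new)
    return out


def is_linked(value: str, pseudo: str, key: bytes) -> bool:
    # Re-identification check: only possible for a holder of the key.
    # compare_digest avoids timing differences when comparing.
    return hmac.compare_digest(pseudonym(value, key), pseudo)


if __name__ == "__main__":
    key = generate_key()
    for row in pseudonymise(RECORDS, key):
        print(row)
```

Run as a script it prints the three records with `name` and `email` replaced by 16-character pseudonyms; rows 1 and 3 share the same pseudonyms because they describe the same person, while `diagnosis` is untouched. Pseudonymised data is still personal data under the GDPR precisely because `is_linked` works for anyone holding the key, which is why key custody is part of the control.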

Know about security control baselines

  • Security control baselines provide a listing of controls that an organisation can apply as a baseline.
  • Not all baselines apply to all organisations. However, an organisation can apply scoping & tailoring techniques to adapt a baseline to its needs.
