Summary

Asset security focuses on collecting, handling, and protecting information throughout its lifecycle. This includes sensitive information stored or processed on computing systems or transferred over a network and the assets used in these processes. Sensitive information is any information that an organization keeps private and can include multiple levels of

classifications. Proper destruction methods ensure that data can’t be retrieved after destruction.

Data protection methods include digital rights management (DRM) and using cloud access security brokers (CASBs) when using cloud resources. DRM methods attempt to protect copyrighted materials. A CASB is software placed logically between users and cloudbased resources. It can ensure that cloud resources have the same protections as resources within a network. Entities that must comply with the EU GDPR use additional data protection methods such as pseudonymization, tokenization, and anonymization.

Personnel can fulfill many different roles when handling data. Data owners are ultimately responsible for classifying, labeling, and protecting data. System owners are responsible for the systems that process the data. The GDPR defines data controllers, data processors, and data custodians. Data controllers decide what data to process and how to process it. A data controller can hire a third party to process data, and in this context, the third party is the data processor. Data processors have a responsibility to protect the privacy of the data and not use it for any purpose other than directed by the data controller. A custodian is delegated day-to-day responsibilities for properly storing and protecting data.

Security baselines provide a set of security controls that an organization can implement as a secure starting point. Some publications (such as NIST SP 800-53B) identify security control baselines. However, these baselines don’t apply equally to all organizations. Instead, organizations use scoping and tailoring techniques to identify the security controls to implement after selecting baselines. Additionally, organizations ensure that they implement security controls mandated by external standards that apply to their organization.

Exam Essentials

Understand the importance of data and asset classifications.   Data owners are responsible for defining data and asset classifications and ensuring that data and systems are properly marked. Additionally, data owners define requirements to protect data at different classifications, such as encrypting sensitive data at rest and in transit. Data classifications are typically defined within security policies or data policies.

Define PII and PHI.   Personally identifiable information (PII) is any information that can identify an individual. Protected health information (PHI) is any health-related information that can be related to a specific person. Many laws and regulations mandate the protection of PII and PHI.

212  Chapter 5  ■  Protecting Security of Assets

Know how to manage sensitive information.   Sensitive information is any type of classified information, and proper management helps prevent unauthorized disclosure resulting in a loss of confidentiality. Proper management includes marking, handling, storing, and destroying sensitive information. The two areas where organizations often miss the mark are adequately protecting backup media holding sensitive information and sanitizing media or equipment when it is at the end of its lifecycle.

Describe the three data states.   The three data states are at rest, in transit, and in use. Data at rest is any data stored on media such as hard drives or external media. Data in transit is any data transmitted over a network. Encryption methods protect data at rest and in transit. Data in use refers to data in memory and used by an application. Applications should flush memory buffers to remove data after it is no longer needed.

Define DLP.   Data loss prevention (DLP) systems detect and block data exfiltration attempts by scanning unencrypted files and looking for keywords and data patterns. Network-based systems (including cloud-based systems) scan files before they leave the network. Endpoint-based systems prevent users from copying or printing some files.

Compare data destruction methods.   Erasing a file doesn’t delete it. Clearing media overwrites it with characters or bits. Purging repeats the clearing process multiple times and removes data so that the media can be reused. Degaussing removes data from tapes and magnetic hard disk drives, but it does not affect optical media or SSDs. Destruction methods include incineration, crushing, shredding, and disintegration.

Describe data remanence.   Data remanence is the data that remains on media after it should have been removed. Hard disk drives sometimes retain residual magnetic flux that can be read with advanced tools. Advanced tools can read slack space on a disk, which is unused space in clusters. Erasing data on a disk leaves data remanence.

Understand record retention policies.   Record retention policies ensure that data is kept in a usable state while it is needed and destroyed when it is no longer needed. Many laws and regulations mandate keeping data for a specific amount of time, but in the absence of formal regulations, organizations specify the retention period within a policy. Audit trail data needs to be kept long enough to reconstruct past incidents, but the organization must identify how far back they want to investigate. A current trend in many organizations is to reduce legal liabilities by implementing short retention policies with email.

Know the difference between EOL and EOS.   End-of-life (EOL) is the date announced by a vendor when sales of a product stop. However, the vendor still supports the product after EOL. End-of-support (EOS) identifies the date when a vendor will no longer support a product.

Explain DRM.   Digital rights management (DRM) methods provide copyright protection for copyrighted works. The purpose is to prevent the unauthorized use, modification, and distribution of copyrighted works.

Explain CASB.   A cloud access security broker (CASB) is placed logically between users and cloud resources. It can apply internal security controls to cloud resources. The CASB component can be placed on-premises or in the cloud.

Define pseudonymization.   Pseudonymization is the process of replacing some data elements with pseudonyms or aliases. It removes privacy data so that a dataset can be shared. However, the original data remains available in a separate dataset.

Define tokenization.   Tokenization replaces data elements with a string of characters or a token. Credit card processors replace credit card data with a token, and a third party holds the mapping to the original data and the token.

Define anonymization.   Anonymization replaces privacy data with useful but inaccurate data. The dataset can be shared and used for analysis purposes, but anonymization removes individual identities. Anonymization is permanent.

Know the responsibilities of data roles.   The data owner is the person responsible for classifying, labeling, and protecting data. System owners are responsible for the systems that process the data. Business and mission owners own the processes and ensure that the systems provide value to the organization. Data controllers decide what data to process and how to process it. Data processors are often the third-party entities that process data for an organization at the direction of the data controller. Administrators grant access to data based on guidelines provided by the data owners. A user, or subject, accesses data while performing work tasks. A custodian has day-to-day responsibilities for protecting and storing data.

Know about security control baselines.   Security control baselines provide a listing of controls that an organization can apply as a baseline. Not all baselines apply to all organizations. Organizations apply scoping and tailoring techniques to adapt a baseline to their needs.

Written Lab

1.Describe sensitive data.

2.Identify the difference between EOL and EOS.

3.Identify common uses of pseudonymization, tokenization, and anonymization.

4.Describe the difference between scoping and tailoring.

214  Chapter 5  ■  Protecting Security of Assets

Review Questions

1.Which of the following provides the best protection against the loss of confidentiality for sensitive data?

A.Data labels

B.Data classifications

C.Data handling

D.Data degaussing methods

2.Administrators regularly back up data on all the servers within your organization. They annotate an archive copy with the server it came from and the date it was created, and transfer it to an unstaffed storage warehouse. Later, they discover that someone leaked sensitive emails sent between executives on the internet. Security personnel discovered some archive tapes are missing, and these tapes probably included the leaked emails. Of the following choices, what would have prevented this loss without sacrificing security?

A.Mark the media kept off site.

B.Don’t store data off site.

C.Destroy the backups off site.

D.Use a secure off-site storage facility.

3.Administrators have been using tapes to back up servers in your organization. However, the organization is converting to a different backup system, storing backups on disk drives. What is the final stage in the lifecycle of tapes used as backup media?

A.Degaussing

B.Destruction

C.Declassification

D.Retention

4.You are updating your organization’s data policy, and you want to identify the responsibilities of various roles. Which one of the following data roles is responsible for classifying data?

A.Controller

B.Custodian

C.Owner

D.User

5.You are tasked with updating your organization’s data policy, and you need to identify the responsibilities of different roles. Which data role is responsible for implementing the protections defined by the security policy?

A.Data custodian

B.Data user

C.Data processor

D.Data controller

6.A company maintains an e-commerce server used to sell digital products via the internet. When a customer makes a purchase, the server stores the following information on the buyer: name, physical address, email address, and credit card data. You’re hired as an outside consultant and advise them to change their practices. Which of the following can the company implement to avoid an apparent vulnerability?

A.Anonymization

B.Pseudonymization

C.Move the company location

D.Collection limitation

7.You are performing an annual review of your company’s data policy, and you come across some confusing statements related to security labeling. Which of the following could you insert to describe security labeling accurately?

A.Security labeling is only required on digital media.

B.Security labeling identifies the classification of data.

C.Security labeling is only required for hardware assets.

D.Security labeling is never used for nonsensitive data.

8.A database file includes personally identifiable information (PII) on several individuals, including Karen C. Park. Which of the following is the best identifier for the record on Karen C. Park?

A.Data controller

B.Data subject

C.Data processor

D.Data subject

9.Administrators regularly back up all the email servers within your company, and they routinely purge on-site emails older than six months to comply with the organization’s security policy. They keep a copy of the backups on site and send a copy to one of the company warehouses for long-term storage. Later, they discover that someone leaked sensitive emails sent between executives over three years ago. Of the following choices, what policy was ignored and allowed this data breach?

A.Media destruction

B.Record retention

C.Configuration management

D.Versioning

216  Chapter 5  ■  Protecting Security of Assets

10.An executive is reviewing governance and compliance issues and ensuring the security or data policy addresses them. Which of the following security controls is most likely driven by a legal requirement?

A.Data remanence

B.Record destruction

C.Data user role

D.Data retention

11.Your organization is donating several computers to a local school. Some of these computers include solid-state drives (SSDs). Which of the following choices is the most reliable method of destroying data on these SSDs?

A.Erasing

B.Degaussing

C.Deleting

D.Purging

12.A technician is about to remove disk drives from several computers. His supervisor told him to ensure that the disk drives do not hold any sensitive data. Which of the following methods will meet the supervisor’s requirements?

A.Overwriting the disks multiple times

B.Formatting the disks

C.Degaussing the disks

D.Defragmenting the disks

13.The IT department is updating the budget for the following year, and they want to include enough money for a hardware refresh for some older systems. Unfortunately, there is a limited budget. Which of the following should be a top priority?

A.Systems with an end-of-life (EOL) date that occurs in the following year

B.Systems used for data loss prevention

C.Systems used to process sensitive data

D.Systems with an end-of-support (EOS) date that occurs in the following year

14.Developers created an application that routinely processes sensitive data. The data is encrypted and stored in a database. When the application processes the data, it retrieves it from the databases, decrypts it for use, and stores it in memory. Which of the following methods can protect the data in memory after the application uses it?

A.Encrypt it with asymmetric encryption.

B.Encrypt it in the database.

C.Implement data loss prevention.

D.Purge memory buffers.

15.Your organization’s security policy mandates the use of symmetric encryption for sensitive data stored on servers. Which one of the following guidelines are they implementing?

A.Protecting data at rest

B.Protecting data in transit

C.Protecting data in use

D.Protecting the data lifecycle

16.An administrator is planning to deploy a database server and wants to ensure it is secure. She reviews a list of baseline security controls and identifies the security controls that apply to this database server. What is this called?

A.Tokenization

B.Scoping

C.Standards selection

D.Imaging

17.An organization is planning to deploy an e-commerce site hosted on a web farm. IT administrators have identified a list of security controls they say will provide the best protection for this project. Management is now reviewing the list and removing any security controls that do not align with the organization’s mission. What is this called?

A.Tailoring

B.Sanitizing

C.Asset classification

D.Minimization

18.An organization is planning to use a cloud provider to store some data. Management wants to ensure that all data-based security policies implemented in the organization’s internal network can also be implemented in the cloud. Which of the following will support this goal?

A.CASB

B.DLP

C.DRM

D.EOL

19.Management is concerned that users may be inadvertently transmitting sensitive data outside the organization. They want to implement a method to detect and prevent this from happening. Which of the following can detect outgoing, sensitive data based on specific data patterns and is the best choice to meet these requirements?

A.Antimalware software

B.Data loss prevention systems

C.Security information and event management systems

D.Intrusion prevention systems

218  Chapter 5  ■  Protecting Security of Assets

20.A software developer created an application and wants to protect it with DRM technologies. Which of the following is she most likely to include? (Choose three.)

A.Virtual licensing

B.Persistent online authentication

C.Automatic expiration

D.Continuous audit trail