Identify and classify assets (CAP 5)
Defining sensitive data
Personally identifiable information (PII)
Protected Health Information (PHI)
proprietary data (any data that helps an organization maintain a competitive edge)
Defining data classification
Top secret, secret, confidential, unclassified (or confidential, private, sensitive, public)
Defining asset classifications
Determining data security controls (requirements + controls)
Understanding data states
Handling information and assets
Data protection methods
data at rest
data in transit
data in use
marking sensitive data and assets
handling sensitive information and assets
storing sensitive data (encryption - the value of the data is often greater than the value of the medium that holds it)
destroying sensitive data
eliminating data remanence (the residual data that remains on media after it has been erased)
erasing
clearing (e.g. overwriting)
purging (a more thorough form of clearing)
degaussing (for magnetic disks)
destruction
ensuring appropriate asset retention
protecting data with symmetric encryption
AES
Triple DES
Blowfish
protecting data with transport encryption
HTTPS (TLS)
VPN
SSH
Determining ownership
data owners (responsible for the data, e.g. the CEO)
asset owners (responsible for ensuring that data processed on the system is secure)
business/mission owners (responsible for ensuring that systems provide value to the organization)
data processors (a person who processes personal data on behalf of the data controller)
administrators (grant appropriate access to personnel)
custodians (ensure that data is properly stored and protected)
users (a user is a person who accesses data to accomplish work tasks)
protecting owners
Using security baselines
scoping and tailoring
selecting standards