Identify and classify assets (CAP 5)

Defining sensitive data

Personally identifiable information (PII)

Protected Health Information (PHI)

proprietary data (any data that helps an organization maintain a competitive edge)

Defining data classification

Top secret, secret, confidential, unclassified (or confidential, private, sensitive, public)

Defining asset classifications

Determining data security controls (requirements + controls)

Understanding data states

Handling information and assets

Data protection methods

data at rest

data in transit

data in use

marking sensitive data and assets

handling sensitive information and assets

storing sensitive data (encryption - the value of the data is often greater than that of the medium that holds it)

destroying sensitive data

eliminating data remanence (residual data that remains on the media after it has been erased)

erasing

clearing (e.g. overwriting)

purging (a more thorough form of clearing)

degaussing (for magnetic disks)

destruction

ensuring appropriate asset retention

protecting data with symmetric encryption

protecting data with transport encryption

AES

Triple DES

Blowfish

HTTPS (TLS)

VPN

SSH

Determining ownership

data owners (responsible for the data, e.g. the CEO)

asset owners (responsible for ensuring that data processed on the system is secure)

business/mission owners (responsible for ensuring that systems provide value to the organization)

data processors (a person who processes personal data on behalf of the data controller)

administrators (grant appropriate access to personnel)

custodians (ensure that data is properly stored and protected)

users (a person who accesses data to accomplish work tasks)

protecting owners

Using security baselines

scoping and tailoring

selecting standards