Identify and classify assets (CAP 5)
Defining sensitive data
Personally identifiable information (PII)
Protected Health Information (PHI)
proprietary data (any data that helps an organization maintain a competitive edge)
Defining data classification
Top secret, secret, confidential, unclassified (or confidential, private, sensitive, public)
Defining asset classifications
Determining data security controls (requirements + controls)
Understanding data states
data at rest
data in transit
data in use
Handling information and assets
marking sensitive data and assets
handling sensitive information and assets
storing sensitive data (encryption - the value of the data is often greater than the support that holds it)
destroying sensitive data
eliminating data remanence (residual data that remains on the media after it has been erased)
erasing
clearing (e.g. overwriting)
purging (a stronger form of clearing)
degaussing (for magnetic disks)
destruction
ensuring appropriate asset retention
Data protection methods
protecting data with symmetric encryption
AES
Triple DES
Blowfish
protecting data with transport encryption
https (tls)
VPN
SSH
Determining ownership
data owners (responsible for the data, e.g. the CEO)
asset owners (responsible for ensuring that data processed on the system is secure)
business/mission owners (responsible for ensuring that systems provide value to the organization)
data processors (a person or entity that processes personal data on behalf of the data controller)
administrators (grant appropriate access to personnel)
custodians (ensure that data is properly stored and protected)
users (a user is a person who accesses data to accomplish work tasks)
protecting owners
Using security baselines
scoping and tailoring
selecting standards