Please enable JavaScript.

Coggle requires JavaScript to display documents.

Asset Security, Data Remanence & Retention, Baselines & Best…

- - - - Secret: unauthorized disclosure can cause serious damage to national sec
      - Confidential : unauthorized disclosure can cause damage to national sec
      - Top Secret: highest lvl of info classification
        unauthorized disclosure can cause exceptionally grave damage to national sec
      - SBU : unauthorized disclosure does not cause damage to national sec
      - Unclassified : info designated as neither sensitive nor classified- pub release does not cause violate confidentiality
      - Approp protections can be applied based on sensitivity of info & potential impact of loss- org often classify data in diff lvls
    - - What sys contains high data
      - What sys could allow access to high data? FW routers etc
      - What is your most crit data: PII, Credit card, financial info, healthcare data
      - Identify "High" sys & data - compromise means "sever or catastrophic adverse effect on org ops, org assets or individual
    - - Age : how current is info, does or needs data that is 5yrs old? is real time info more imp to your org than info recd last week
      - Useful life : at what time data in your sys not worth protecting ? how often do we continue protecting outdated info?
      - Value : what is the info worth to the company. what if it is loss or compromised
      - personal association: media records, case files & personnel files
    - - Management can approve distribution of classified info outside of the org, possibly in conjunction with a NDA agreement
      - Such doc prvnt org that work together from capitalizing on info they share for mutual benefit
      - court orders or other legal mandates, such as FOI request (freedom if info act), can req release of info that would otherwise remain protected
    - - cardholder data CHD associated with PCI
      - personally identifiable infor (PII)
      - Data classification based on presence of or impact on regulated data
      - protected health info (PHI) related to health info associated with HIPAA
  - - - System owner
        
        Responsibilities
        Dev sys sec plan in coordination with info owner,sys admin,info sys sec officer & functional end user
        Maintains the sys sec plan & ensure that sys is deployed & operated according to agreed upon sec req
        
        Updates the sys sec plan whenerv significant change occurs
        Assists in identification, implementation & assessment of sec cntrl
        
        According to NIST SP 800-18 system owner is
        responsible for overall procurement, dev, integration , modif, or operation & maintenance of info system
      - Business/Mission owner
        
        High ranking officials provide adequate funding manpower to implement, maintain & enforce the prof policy when needed
        
        Oversee an audit prog & receive periodic reports of violations
        
        Ultimately responsible for success of org
      - Custodians
        
        person who provides hands-on mgmt of data as directed by data owner- simply implements the decision abt data that owner determines
        
        Tasks: patching of OS,app, perf backup & restoration
        
        sysadmin ,dbadmin may be assigned the role of custodian
      - Users
        
        Those individuals who hv been granted access to & leverage data suring course of their job function
        
        Operating within bounds of acceptable use policies also helps to ensure data sec is maintained
        
        Responsibilities:
        They must not share UID & pass with others
        They must follow proper procedu to protect info under their care
        Use company asset only for company related activities
        Responsible to report sec incident that they are aware of
      - Data Info Owner:
        
        Captain goes down with the ship - reflects ultimate reposn captain has for safety & operation of everyone & everything aboard the ship
        
        Data owners hv same responsibility towards business/stakeholders they must take measures to adequate protect info & nw from all significant threats
        
        member of mgmt responsible for ensuring appropriate protection of specific data
        
        Accountable for mishandling of data. Accountable if a compromise, loss abuse occurs
        
        Responsibilities : assigning classification to info under their care,
        ensuring proper sec controls are in place to protect info for which they are accountable
        regularly reviewing who hv access under their care
        serving as main point of contact to approve who hv access to data or info under their care
      - Data controllers & processors
        
        Data processors are 3rd party comp that access an org sensitive data: outsourced payroll comp
        
        It is always data cntrl responsible in relation to data subj, even if DC hv engaged DP. therefore it is DC bears the legal responsibility that DP actually implements the necessary sec measures
        
        Data controller is the org that creates/manage sensitive data:
        Salary data managed by HR dept
- - - - Two common options for device that contain unencrypted data
      - ATA Secure erase : easier/cheaper more thorough than os lvl sectr by sectr- RISK : physical damage prevents full erase
      - Physically destroy the device: more expensive but secure
      - Use encryption: never store unencrypted data on device
- - - - Popular as general sec framework
      - 27002 conveys best practices, but does not provides a means to determine whether each of those practices is applicable to the org
      - 27001 on the other hand dictates that RA be performed to determin which controls should be implemented - 27005 goes in much detail about RA process alluded in 27001
      - Previosuly know as BS 7799 has been adopted as ISO 27001/2
      - approach offered by 27000 series doc is that there are specific req that must be met , which means org can be ISO 27001 cert
      - This is becoming fairly common seal of approval for service providers wanting to demonstrate their attention to security deal