Features
Features:

Product Tour >

Edraw AI >

Paid Plans:

Individuals >

Business >

Eduaction >
Resources
Blog

History

How-tos & Tips

Discovery

Biography

Business Analysis

Examples

AI concept Map

Free AI Mind Map Generator

Onenote Mind Map

Bcg Matrix Examples

Nike Marketing Strategy

Unilever SWOT Analysis

Make Mind Maps in Google Docs

Guide

FAQs

What's New

Resource Center
Templates
All Templates

Brain Storming Templates

Strategy and Planning Templates

Project Management Templates

Product Management Templates

Human Resources Templates

Agile Workflow Templates

Marketing Templates

Education Templates

Fun and Games Templates

User Gallery
Download
Pricing
Enterprise

MindMap Gallery CISSP-2-Asset Security

CISSP-2-Asset Security

CISSP-Information System Security Professional Certification Mind Map, the main contents include learning objectives, data management, data life cycle control, information classification and asset management, privacy protection and security control.

Edited at 2021-11-10 11:57:01

PlotWizard

Recent works View more works>>

CISSP-2-Asset Security

PlotWizard

Recent works View more works>>

Recommended to you
Outline

Asset security

learning target

Classify information and related assets

Determine and maintain owner responsibilities and authorities

privacy protection

Ensure appropriate data retention

Identify data security controls

Establishing data processing requirements

Data management

Data Management Best Practices Reference

Develop a data strategy and clarify strategic goals and principles for data management

Clearly define data roles and responsibilities, including data providers, owners and managers

Data quality control process in the data management process to confirm and verify the accuracy of the data

Documentation of data management and description of metadata within each dataset

Plan and define the database based on user needs and data usage

Information system infrastructure, data storage, data backup, and update strategies for the data itself

Continuous data auditing to provide management effectiveness and data integrity of data and assets

Continuously implement layered data security controls to protect data security

Clearly define data access standards and provide comprehensive control over data access

Data Policy

Data strategy sets long-term strategic goals for data management for an enterprise or project

Data strategy is a set of high-level principles that provide a guiding framework for data management

Data strategy is used to solve some strategic issues, such as data access and related legal issues, Data management issues, data management responsibilities, data access and other issues;

Issues security personnel need to consider when developing a data strategy include

cost

Ownership and management rights

privacy

responsibility

sensitivity

Legal and strategic requirements

Strategy and Process

Data roles and responsibilities

Define all data roles

Establish full life cycle data ownership

Establishing data traceability step by step

Ensure data quality and metadata indicators are maintained above a basic level

Data ownership (Ownership)

Information life cycle: creation, use, storage, transmission, change, destruction, etc.

Once information is created, ownership responsibilities must be clear. Typically the person who created, purchased, or obtained the information;

Owner responsibilities typically include:

Define the impact of information on the organization's mission;

Understand the replacement costs of information;

Determine who on the organization's intranet needs information and in what environment the information should be released

Know when data is no longer accurate or needed and should be destroyed

The data owner usually has legal rights to the data, including intellectual property rights and copyrights, etc.

Relevant policies should be established and documented

Data Ownership, Intellectual Property, Copyright

Business-related legal obligations and illegal obligations to ensure data compliance

Data security, anti-leakage control, data release, price, and dissemination related strategies

Before data is released, sign a memorandum and authorization agreement with users or customers to clarify the conditions for use.

Data Custodianship

The responsibilities of the data manager mainly include:

Follow data policy and data ownership guidelines

Ensure access to appropriate users and maintain appropriate levels of data security

Basic data set maintenance, including but not limited to data storage and archiving

Documentation of data sets, including updates to documents

Ensure data quality and validation of data sets, including periodic audits to ensure data integrity

Roles related to data management authority positions include:

Project Manager, Data Manager, GIS Manager, IT Specialist, Database administrator, application developer, data collection or acquisition

Data Quality

process

Data quality principles should be applied throughout the data management life cycle, starting with data collection. Loss of data quality at any stage will lead to reduced data availability.

Acquire data and record data collection time

Data operations before digitization (including label preparation, data classification copy, etc.)

Identification and recording of data samples

Digitization of data

Documentation of data (capturing and recording metadata)

Data storage and archiving

Data publishing and dissemination (including paper and electronic publishing, web-accessible databases, etc.)

Using data (data operations and data analysis, etc.)

control

Quality Control is based on internal standards, processes and procedures to control and monitor quality QC is controlled based on data product results;

Quality Assurance is based on external standards to check data activities and quality control processes to ensure that the final product meets quality requirements; QA provides guarantee throughout the data life cycle;

Two elements of data quality expectations:

1. Frequency of incorrect data recording

2. The Importance of Errors in Data Recording

Two processes of data quality control

Verification: Check whether it matches the source data, ensure accuracy, etc. Can often be performed by someone less familiar with the data

Validation: evaluate whether the data quality goals are met, and the reasons for any deviations that have occurred, usually by a professional

promote

Prevention: Error prevention is mainly in the stages of data collection and data entry into the database

Correction: an essential means

Documentation: Integrated into database design, 1. Ensure that each record is checked, as well as any changes to the record; 2. Metadata records

Data life cycle control

Data life cycle

Data definition, data modeling, data processing, database maintenance and data security

Continuous data auditing to monitor data usage and data validity

Archiving to ensure maintenance effectiveness, including regular snapshots, allowing rollback to previous versions in the event of data or backup corruption

Data storage and archiving

Resolved data saving issues

Factors considered include: server hardware and software, network infrastructure, Data set size and format, database maintenance and updates, database backup and recovery needs.

Data archiving is data that will no longer be used frequently The process of moving to a separate storage device for long-term preservation

Data Security

Threats to data security include: abuse, malicious attacks, unintentional errors, Unauthorized access, theft or damage to physical equipment, natural disasters, etc.;

Adopt a layered security architecture and a defense-in-depth architecture

Uninterruptible power supply, server mirroring (redundancy), backup, backup integrity testing

Physical access control, network access control, firewalls, sensitive data encryption

Software patch updates, incident response, disaster recovery plans, etc.

Adopt a risk management-based approach

risk assessment

Risk reduction

Evaluation and Assessment

Data publishing (Publishing)

Marking, processing, storage and destruction of sensitive data: traditional data classification based on confidentiality, modern classification based on confidentiality, integrity and availability

Media: Requires physical and logical control

Marking: The storage medium needs to be marked with a sensitivity label to clarify whether it is encrypted, contacts, storage time, etc.;

Processing: Only authorized persons can access data, and relevant policies, processes, and steps must be defined

Storage: Backup media for sensitive data should be stored encrypted and sealed in secure containers. Strictly restrict access to sensitive media.

Destruction: Establish destruction records and implement reuse control

Record retention: Data is generally retained in accordance with industry standards or legal and regulatory requirements. Periodic inspection.

Data retention (Retention)

Develop data retention policies based on business requirements and legal requirements

Steps to define a data retention policy

Assess statutory requirements, regulatory obligations, business needs

Classification of records

Determine retention period and destruction method

Develop a data retention policy

Staff training

Conduct data retention checks and audits

Regularly update strategies

Documented policies, procedures, training, audits, etc.

How to do data retention

Taxonomy classification

Make a data classification plan, involving various categories, including function, time, organization, etc.

Classification

Processing according to data sensitivity level

Normalization (Normalization)

Develop a standard schema to make data easily retrieval.

Indexingindex

Establish data index to facilitate query of archived data

What data is retained

Decisions to retain data must be deliberate, specific and enforceable.

We only want to retain the data we decide to retain and then make sure we can enforce the retention.

e-Discovery electronic discovery

Discovery of electronically stored information (ESI), electronic discovery

The Electronic Discovery Reference Model (EDRM) Electronic Discovery Reference Model

IdentificationIdentification

PreservationSave

This data is saved to ensure that it is not destroyed accidentally or routinely while complying with the order.

Collection

Processing

Process to ensure that both data and metadata are in the correct format.

ReviewReview

Review data to ensure it is relevant

AnalysisAnalysis

Production

Produce the final dataset to those who need it

PresentationSubmit

Report data to external audiences to prove or disprove claims.

Data residual (Remanance)

Clearing: Cannot be recovered through general system or software recovery tools. Special laboratory tools (digital forensic tools) can be used for recovery.

Overwriting Overwriting: Use a program to write to media to overwrite the original data, Usually three passes (>6 passes)

Purging Eradication: no technology can restore

Destruction Destruction: The storage media is damaged to the point that it cannot be read by conventional devices and used to the point of unavailability

Media Destruction: Physically destroy media, Completely destroy storage media, the safest method

Chemically rendering the medium unusable and irreversible (such as incineration or corrosion)

Physically disintegrating a medium (e.g. crushing) shred

Form transformation (liquefying or vaporizing solid hard drives)

For magnetic media, increase the temperature beyond the Curie temperature

Degaussing Degaussing: Use strong magnetic or electromagnetic fields to eliminate magnetic media Data from (Magnetic Media)

The disk is scrapped after degaussing

Tapes can be reused after degaussing

Sanitizing (equivalent to purging in some contexts)

Deletion and formatting: are the least secure methods. (Not even Clearing, ordinary software tools can restore it)

Encryption: encrypting data It is not readable without the corresponding key

Cloud storage data security and data residue issues: using data encryption

Life cycle security control

definition

Security control measures accompanying the data change process

Obtain

Two ways to obtain: copy and create

Before the data can be used, metadata design and matching must be carried out. This information is then indexed for easy search and assigned to one or more datastores

Control Strategy

Encrypt credit card numbers and PII personally identifiable information when stored

Set strict data access policies for sensitive information

Set data rollback strategies to restore data to its previous state

Try to ensure that measures are in place during the acquisition phase rather than controlling afterward.

use

definition

Users with different access levels can read and modify data.

The three CIA characteristics of protecting data at this stage are extremely challenging

Should ensure that only the right people modify data in an authorized manner

Ensure internal consistency

Ensure operations that modify data are repeatable

Have automatic mechanisms to resolve inconsistencies (such as rollback mechanisms), Prevent data inconsistency caused by sudden power outage, etc.

The use and aggregation of information will trigger changes in information classification and classification.

Archive

definition

Information is archived when it is no longer in routine use

Have an appropriate data retention policy in place

Prevent data modification and unauthorized access from being discovered for long periods of time.

Backup data protection

Safe physical location

data encryption

Data retention period

Too short, the data may still be useful

If the data operation fails or is attacked, Need to recover data

eDiscovery

Too long, which wastes data storage costs and increases corresponding responsibilities.

The difference between backup and archive

A data backup is a copy of the currently used data set, Used to recover from loss of original data. Backing up data often becomes less useful as it gets older.

Data archives are copies of data sets that are no longer used, But when needed save it for future use. When data is archived, it is usually removed from its original location, This way the storage space is available for the data being used.

Disposal processing (disposal)

definition

When the data is no longer used and it is properly destroyed.

Main points

Data is indeed destroyed

The copy is also destroyed

was destroyed correctly

Data recovery costs more than the data itself is worth

Information classification and asset management

Information classification (Classification)

Classification classification, In accordance with sensitivity (confidentiality breached), Such as confidential, sensitive In order of importance (impact of usability loss)

government or military

Top secret

If leaked, it could cause serious damage to national security.

New weapons blueprints • Spy satellite information, spy data

Secret

If leaked, it could cause serious damage to national security.

Force Deployment Plan: Force Readiness Information

Confidential

For internal company use only

Data exempt from disclosure under the Freedom of Information Act or other laws and regulations

Unauthorized disclosures can severely impact a company.

Sensitive but unclassified (SBU)

Little secret. •If leaked, no serious damage may be caused.

Medical Data Test, Score Answers

Unclassified

The data is not sensitive or unclassified.

Computer Manuals and Warranty Information Job Postings

Business

Confidential

For internal company use only

Data exempt from disclosure under the Freedom of Information Act or other laws and regulations

Unauthorized disclosures can severely impact a company.

Trade secrets • Healthcare information • Programming code • Information to keep companies competitive

Private

Personal information used within the company.

Unauthorized disclosure may adversely affect people or the company.

Work History•Human Resources Information•Medical Information

Sensitive

Special precautions are required to ensure the integrity and confidentiality of data and prevent unauthorized modification or deletion

Requires higher than ordinary guarantees of accuracy and completeness.

Example: Financial information • Project details, profit returns and forecasts

Public

Disclosure is unwelcome but will not adversely affect the company or people.

hierarchical control

The selection of control categories depends on the security needs of the management group and security team for the corresponding category of information.

Strict and granular access control for all sensitive data and programs

Encrypt data while storing and transmitting

Auditing and monitoring (determine what level of auditing is required and how long logs are retained)

Segregation of duties (judgment that two or more people must be involved in accessing sensitive information, Prevent fraud; define procedures)

Periodic review (review of classification levels, data and procedures, etc., ensuring they remain aligned with business needs; Data or applications may also need to be reclassified)

Backup and recovery procedures (definition)

Change Control Procedure (Definition)

Physical Security Protection (Definition)

Information flow channels (where sensitive data resides and how it travels across the network)

Proper data processing procedures such as shredding, degaussing, etc. (Definition)

Tags, identifiers and handlers Marking (on the storage medium), Labeling (in the system), And handling procedures

data classification process

1. Define the classification level.

2. Specify the criteria that will determine the classification of the data

3. Identify the data owner responsible for data classification.

4. Identify the data custodian responsible for maintaining the data and its level of security.

5. Indicates the security controls or protection mechanisms required at each classification level.

6. Document any anomalies from previous classification problems.

7. Indicates the methods that can be used to transfer custody of information to a different data owner.

8. Create a process to regularly review classification and ownership and any changes to data hosting will be disseminated.

9. Display program reclassifies data.

10. Integrate these issues into security awareness programs

levels of responsibility

Senior managers understand the company’s vision and business goals

The next level down are functional managers, whose members understand how their respective departments work, What role does the individual play within the company and how security directly impacts their department.

The next level down are operations managers and employees. These layers are closer to the actual operations of the company. They know detailed technical and procedural requirements for the system, as well as information on how to use the system.

Employees at these layers understand the security mechanisms integrated into the system, How to configure them, and how they impact daily productivity.

At each level, the best security measures should be entered, Procedures and selected controls to ensure that the agreed level of security provides the necessary protection

NOTE: Senior management has ultimate responsibility for organizational security

Data management role

Board of Directors, Security Officers of the Board of Directors, Data Owners, Data Hosts, System Owners, Security Administrator, Security Analyst, Application Owner, Director (User Management), Change Control Analyst, Data Analyst, Process, Solution Provider, User, Product Line Manager

Executive ManagementExecutive Management

CEOCEO

Responsible for ensuring that the organization exercises due care and due diligence in relation to information security

CFOChief Financial Officer

This person is responsible for forecasting and budgeting, as well as reporting to the Securities and Exchange Commission (SEC) and the process for submitting quarterly and annual financial statements to stakeholders.

cIO chief information officer

Responsible for the strategic use and management of information systems and technology within the organization

CPOChief Privacy Officer

Responsible for ensuring customer, company and employee data remains secure, Keep companies out of criminal and civil courts and hopefully out of the headlines.

CSOChief Security Officer

Responsible for understanding the risks faced by the company and reducing these risks to acceptable levels.

The creation of this role is a sign of the security industry's "win" column, Because it means security is ultimately viewed as a business issue.

The CSO's job is to ensure that the business is not disrupted in any way by security issues. This goes beyond IT boundaries and involves business processes, Legal issues, business issues, revenue generation and reputation protection.

CISO reports directly to CSO

CISOs should have more IT professional background, His business scope is narrower than that of CSO

Data ownerData owner

Typically a manager, responsible for a specific business unit and ultimately responsible for protecting and using a specific subset of information.

The data owner has the responsibility of data due care, will therefore be responsible for any acts of negligence, Causing damage or leakage of data

Responsible for determining data classification

Responsible for ensuring necessary security controls are in place, Define security requirements for each classification and backup requirement,

Approve access to data

Deal with violations of data security policies

Assigned responsibility for routine maintenance Data Keeper of Data Protection Mechanism

Data Custodian

Responsible for maintaining and protecting data.

Implement and maintain security controls;

Perform regular data backups;

Regularly verify data integrity;

Restore data from backup media;

record keeping activities;

Implement company safety policies, requirements of standards and guidelines, Relating to information security and data protection.

System OwnerSystem Owner

Responsible for one or more systems, each of which can hold and process data owned by different data owners.

Responsible for integrating security considerations into application and system procurement decisions and development projects.

Responsible for ensuring that necessary controls, password management, remote access controls, operating system configuration, etc. provide adequate security.

Ensure systems are properly assessed for vulnerabilities,

Report any systems to the incident response team and data owners.

Security Administrator Security Administrator

Responsible for implementing and maintaining specific security network equipment and software within the enterprise.

Pay attention to distinguishing the responsibilities of security administrators and network administrators

Security administrators pay attention to network security

Network administrators are concerned with keeping the network continuously available.

The security administrator is responsible for creating new system user accounts, Implement new security software, Test security patches and components, and issue new passwords.

Security administrators must ensure that users are Access permissions support policy and data owner directives.

Supervisor

also called user manager

Ultimately responsible for all user activity and any assets created and owned by those users

Change Control Analyst Change Control Analyst

Responsible for approving or denying requests to make changes to networks, systems or software.

Ensure that the change does not introduce any vulnerabilities, that it has been properly tested, and that it is implemented correctly.

Need to understand how changes impact security, interoperability, performance, and productivity.

Data Analyst Data Analyst

Responsible for ensuring data is stored in a way that makes the most sense for the company and meets the job needs of those who need to access it

Make sure the architecture you build is consistent with your company's business goals.

user

Users must have the necessary level of access to the data.

Perform operational security procedures to ensure data confidentiality, integrity and availability

Auditor

It’s about checking regularly that everyone is doing what they’re supposed to be doing, and ensuring that the correct controls are in place and are being maintained safely.

Asset Management Concept

Inventory Management: Mainly maintains the status of software and hardware assets;

Configuration Management Configuration Management: Added dynamic relationships

Configuration management can be based on configuration items (CI) Establish categories, components, upstream and downstream, parent-child relationships, etc.

Perform change control based on configuration items and monitor the status of configuration items

Configuration Management Database (CMDB): A database that centrally manages all asset configuration information

IT Asset Management Asset Management

Added financial perspective of assets: cost, value, contract status

Full lifecycle management of assets: from procurement to retirement

Comprehensive management of physics, finance and contracts

Asset Management and Information Security

Asset management is the basis for information security implementation. Insight into information security incidents is impossible without asset management.

Asset management drives access control construction, Such as NAC network access control

Software License Management: prevent infringement, Security administrators should assist in implementing controls, and check regularly

Equipment life cycle security management

Requirements definition phase: Define security requirements, whether security costs are appropriate, and whether security architecture is met

Acquisition and implementation phase: verification of security features, security configuration, security certification and approval, and equipment storage

Operation and maintenance phase: configuration inspection, vulnerability assessment, change control

Abolition phase: data security, configuration library update

Privacy Protection and Security Control

Legal requirements related to privacy protection

Basic requirements for privacy protection

fair and legal access; For original purposes only; Appropriate information, information that does not exceed the target;

Accurate and up-to-date; The subject is accessible; Keep safe; delete when purpose fulfilled

In 2012, the EU issued more comprehensive data protection guidelines

The European Union and the U.S. Department of Commerce signed the "Safe Harbor" agreement, Resolve inconsistencies between the parties

2018.5 GDPR

data ownerdata owner

Indirectly or directly determines who has access to specific data.

Data Processers Data Processors

The key issue regarding privacy is that these individuals understand the boundaries of what is acceptable behavior, and knowing what to do when data is accidentally or intentionally processed in a manner inconsistent with applicable policies.

Must clarify one's obligations and responsibilities

There must be routine inspections to ensure they are acting in compliance with all applicable laws, regulations and policies.

Limits on Collection limit collection

Countries have enacted relevant laws

In addition to applicable laws and regulations, the types of personal data collected by the organization, As well as its life cycle considerations, there must be a clearly written policy.

Data security control

Data at Rest (static data)

Protection for stored data, including backup tapes, Offsite storage, password files and other sensitive data

risk

Malicious users may obtain sensitive information through physical or logical access to storage devices

Recommended countermeasures

Develop and test a data recovery plan

Removable devices and media must be encrypted, Including laptops, tablets, smartphones, and wearable devices

Choose appropriate encryption tools and algorithms, such as AES encryption

Create secure passwords

Use password and key management tools

Removable media should be labeled

Removable media should be kept in a secure location

Record the location of removable media and track it

Data at Transit (dynamic data)

For the protection of transmitted data, mainly through encryption methods, Prevent interception, such as link encryption and end-to-end encryption

risk

Malicious users may intercept or monitor clear text data in transit

Recommended countermeasures

Confidential data must be encrypted when transmitted over any network, including transmission between intranets

When data can be accessed via the Web, a secure encryption protocol must be used, such as TLS1.2/1.3

Email transmission must use PGP or S/MIME. And encrypt the data through encryption software as an attachment

Non-Web data should use application-level encryption

When application-level encryption is not possible, IPsec encryption or SSH encryption should be used

Communication between applications and databases should be encrypted

Sensitive data transferred between devices should be encrypted

DLP (Data Leak/Loss Prevention) data leakage prevention

definition

A set of technologies aimed at preventing the leakage of sensitive corporate information

Advantages of deploying DLP

Protect critical business data and intellectual property;

strengthen compliance;

Reduce the risk of data breach;

Increase training and awareness

Improve business processes;

Optimize disk space and network bandwidth;

Detect rogue/malware

Three key goals

Locate and catalog sensitive information stored across the enterprise;

Monitor and control the movement of sensitive information across the enterprise;

Monitor and control the movement of sensitive information from end-user systems;

Classification, storage location and transmission path of organizational sensitive information

Organizations often fail to recognize the type and location of information they process, When purchasing a DLP solution, you must first understand the types of sensitive data and inter-system and system-to-user data flow;

Classifications can include attributes categories, Such as private data, financial data and intellectual property, etc.;

Once the data has been appropriately identified and classified, Deeper analysis process to help with primary data and location of critical data paths;

You need to pay attention to the life cycle of enterprise data and understand data processing, Maintenance, storage and disposal can reveal deeper data storage and transmission paths;

Data at Rest static data

Find and identify specific file types, Identify and record the location where information is stored;

Once found, DLP opens and identifies the contents of the file;

DLP uses crawler systems; crawlers

Data in Motion (Network) dynamic data

DLP solution

1. Passively monitor network traffic;

2. Identify the correct data traffic captured;

3. Assemble the collected data;

4. Perform file reconstruction in the data stream;

5. Perform the same analysis on static data and confirm that any part of the file content is restricted by its rules.

To monitor enterprise network data movement, DLP solutions use special network equipment or built-in technology to selectively capture and analyze network traffic;

Deep packet inspection (DPI) technology, as the core capability of DLP, DPI can read the packet payload content beyond the basic header information

DPI technology allows DLP to detect in-transit of data and determine content, source and destination;

DLP has the ability to handle encrypted data (e.g. with encryption keys), Or decrypt before detection and continue encryption after detection is completed;

Data in Use (End Point)Data in Use

Monitor data movement actions taken by end users on their workstations

Use Agent to complete tasks

Steganography and watermarking technology

watermark

Steganography is an information hiding technology that hides large amounts of information in pictures and video files;

Information hiding includes covert channels, hiding text on Web pages, hiding visible files, and empty passwords;

Security baselines, scope and tailoring

Establish minimal safeguards for the system

Enterprises can customize security baselines based on their own circumstances

Scoping and Tailoring Range and clipping

Focus on the key points of the security architecture through scope definition and tailoring methods

Flexibly apply various standards and baselines according to the needs of the enterprise

Protect other assets

Protect mobile devices

• Inventory all mobile devices, including serial numbers so they can be properly identified, If they are stolen then restored. Harden the operating system by applying baseline security configurations.

• Password protect BIOS for laptops.

•Register all devices with respective vendors and submit reports to vendors in the event of device theft. If a stolen device is sent for repair after it is stolen, it will be flagged by the supplier if you have a theft report.

•Carry it with you when flying, do not check it in checked baggage

• Never leave your mobile device unattended and keep it in an inconspicuous carrying situation.

•Encrypt all data on your device

• Use the slot lock to connect a laptop with the cable

Hard copy documents

Educate employees on the proper handling of paper documents.

Minimize the use of paper records.

Make sure your work area is kept tidy, And conduct regular audits to ensure that sensitive documents are not exposed.

Lock up all sensitive files.

Doing sensitive paperwork at home is prohibited.

Identifies the classification level of all files. Ideally, its owner's Name and disposition (e.g., retention) instructions.

Conduct random searches when employees leave the office, to ensure sensitive materials are not taken home.

Destroy excess sensitive documents using a paper shredder. For very sensitive files, consider burning them.