Assets are either physical or information
- information assets are typically the most valuable
Reputation is also an asset
- Create
- Store/Classification
- Use
- Share
- Archive
- Destroy
In order to protect information assets, you need an information asset list.
- Always Start with an information asset list
- You always need to have management support when creating an Information Asset List
The ITAM is managing the life cycle of these assets (IT Asset Manager) Need to have:
- name of asset
- owner of the asset (typically the owner or stakeholders of an organization)
- custodian of the asset (person who is managing the file)
- Classification of the asset
Verify with your legal department how long log files should be kept for an organization (these are also needed for asset management)
The information owner should classify the data
- must be written on the asset information itself. This is known as Labeling
- Labeling schemes are known as Classifications
- Data Loss Prevention (DLP) software won't work unless you have labeling installed
Two major types of Classifications, Private and Government.
- Top Secret: Grave damage
- Secret: Serious Damage
- Confidential: Some Damage
- Unclassified: No Damage
- Confidential: Do not provide to the outside of the organization
- Personal: Think PII
- Private: Should be safeguarded and protected
- Trade Secret: Intellectual Property
- Client Confidential: Client's PII
- Public: Ok to be known outside the organization
- Mandatory Access Control. Most restrictive,
- Discretionary Access Control. flexible, allows the data owner to pick who has access. Time Consuming
- Attribute-Based Access Control. based on an object's attributes, subject, enviromental conditions, and pre-configured policies. Not optimal if subjects and objects are not maintained
- Role-Based Access Control. Simple, flexible, and customizable. Do not have to create access for each subject.
As a security auditor or security assessor, you are not the person classifying the data
- you just enforce it
- and implement the proper controls
- Identify the minimum private information
- define how long it will be kept
- define how its protected.
Two Major Privacy Laws in the United States
- HIPPA: Medical Information
- COPA: California Online Privacy Protection Act. must have a privacy policy
- GDPR: European Privacy Laws, establishes commissions, right to be forgotten.
- Data Processor: works on behalf of the data controller
- Data Controller:
- Data Transfer: Outside the EU
- Notification of a data breech must happen within 72 hours.
Private Data is owned by the person the data is about Consider Ethics and Legal Restrictions when collecting personal data Only collect information that is relevant to your business
Retention: Act of storing a business asset
Retention Policies need to be written
- consider legal requirements
- consider how to dispose of these assets later
- Every organization needs an information retention policy.
- Examine compliance and use the policy to avoid issues
- See Sans Data Retention Policy for an example
- How long you retain data depends on storage available, along with laws and regulations
When Storing Data (such as tapes)
- keep an inventory
- consider environmental variables (temperature, humidity)
- keep it locked up and control physical access
- Look for electrical and magnetic sources that can corrupt data
Use hardware for as long as possible
Personal Retention (Remember people are an asset)
- rotation of duties. Keeps people from being burned out. Also prevents fraud and adds in a check of that persons work
- Have a way to transfer operational knowledge in case of loss of the employee
- Segment proprietary information so one person doesn't know it all
- Use Non Disclosure Agreements. (Sybex book made mention that Non-Competes can be hard to enforce)
Data Security Control Implementation
- Data Loss Prevention
- Limit use of thumb drives
- Sans Data Security
- Use approved drive encryption
Continuous Monitoring
- Configuration Management
- Control Processes
- Security Impact Analysis
- Assessment of Selected Security
- Security Status Report
- Active Involvement of Asset Owners
Cloud Access Security Broker
- extend on premise controls or transfer controls to the various cloud environments
- acts as a go between your onsite and cloud provider
- Provides:
- Control and Monitoring
- Compliance Management
- Data Security
- Threat Protection
Salami Slices- gathering data or stealing in small increments. Think the movie Office Space where they were stealing 1/100ths of a penny
- also a series of minor attacks that together turn into a larger attack.
Power Grid Issues
- Total Failure (Blackout)
- Reduced Voltage (Brownout)
- Sags, Spikes, and Surges
- Electromagnetic Interference (EMI)
Tailoring: Modifying the list of security controls within a baseline to align with the mission of the organization