CISSP-Domain 2-Asset Security Ver 2021

Asset classification involves identifying organizational assets, determining their value to the organization, and assigning protection levels based on that value. It helps standardize security baselines and access levels. The key steps are to identify assets, evaluate their criticality and sensitivity, classify accordingly, then protect based on classification. Common factors considered include the impact of loss, legal obligations, and changing organizational needs over time. Proper asset classification helps ensure appropriate protection and awareness of responsibilities.

Uploaded by Rajaram K.V
© All Rights Reserved

Saturday, February 27, 2021 2:39 PM

Domain 2: Asset Security


• Identification and Classification of Assets
• Classification
o The first step in asset security is identifying and classifying information and assets.
o Ensure information is marked in such a way that only those with an appropriate level of clearance can have access to the information.
o The purpose of asset classification is to ensure that assets are properly identified and protected throughout their lifecycle.
• Asset classification informs handling instructions, control decisions, audit scope and regulatory compliance activities.
• Information assets are generally classified by content.
• Infrastructure and physical assets are generally classified by the criticality of the services they provide.
o The individual who owns the data should decide on the data classification, i.e. the Data Owner should review the data classification annually.
o Two factors to be considered in the classification of the data:
• Criticality of data (Availability)
▪ Categorize the data / deals with impact.
▪ Defines the time-sensitivity of data.
• Sensitivity of data (Disclosure)
▪ The amount of damage that would be done should the information be disclosed.
o Based on the asset's value to the organization, categorize it as Top Secret, Secret or Confidential.
o Data classification may assist an organization in reducing costs for protecting data.

• Data classification is all about analyzing the data that the organization has, in whatever form, determining its importance and value, and then assigning it to a category or classification level.

• Classification deals with Access
• Categorization deals with Impact
• Sensitivity - classify the data / deals with access / confidentiality
• Criticality - categorize the data / deals with the impact
• Sensitivity describes the amount of damage that would be done should the information be disclosed.
• Criticality describes the time-sensitivity of the data; this is usually driven by an understanding of how much revenue a specific asset generates, and without that asset there will be lost revenue.

• Data classification considerations: remember the following from an exam point of view
o The value of the data to the organization, which can change over time
o The level of damage that could be caused if the data were compromised, corrupted, or damaged
o Legal, regulatory, or other responsibilities to protect the data
o The industry and the purpose/mission in which the organization operates

• Data classification policy - factors to be considered
o Who will have access to the data
• Define the roles of people who can access the data
o How the data is secured
• Determine whether the data is generally available or, by default, off-limits
o How long the data is to be retained - defined by the Data Owner
• Data owners need to know the regulatory requirements for their data, and if requirements do not exist, they should base the retention period on the needs of the business.
o What method(s) should be used to dispose of the data
o Whether the data needs to be encrypted - e.g. PCI DSS regulated data needs to be encrypted
• Data owners will have to decide whether their data needs to be encrypted
o The appropriate use of the data
• This aspect of the policy defines whether data is for use within the company, is restricted for use by only selected roles, or can be made public to anyone outside the organization.

CISSP-Domain 2-Asset Security Ver 1.1 June 2021 Page 1

• Purpose of Asset Classification
o Inventory management plays a very important role in an asset classification system.
o Maintains the inventory of the assets and their associated values.
o Ensures that information assets receive an appropriate level of protection.
o Provides security classifications that indicate the need and priorities for security protection.
o Minimizes the risk of unauthorized information alteration.
o Avoids unauthorized disclosure.
o Maintains competitive edge.
o Protects legal tactics.
o Complies with privacy laws, regulations and industry standards.

• Asset Classification Process
1. Identify the asset
2. Determine who is accountable/responsible for the integrity of the asset
3. Establish ownership of the asset
4. Place a value on the asset
5. Prepare a schema (structure) for classifying your assets
6. Implement the classification schema

• Types of Classification (EXAM QUESTION)
o Military
• Top Secret, Secret, Confidential, Unclassified
o Commercial (Organization)
• Private, Company Restricted, Company Confidential, Public

• Types of Classification Level
o Top Secret
• Data that is defined as being very sensitive, possibly related to privacy, bank accounts, or credit card information.
o Company Restricted
• Data that is restricted to properly authorized employees.
o Company Confidential
• Data that can be viewed by many employees but is not for general use.
o Public
• Data that can be viewed or used by employees or the general public.

o These are the steps involved to do this properly:
1. Identify and locate assets, including information.
o Valuable assets need to be identified so that they can be protected accordingly.
o E.g. information assets, software assets, physical assets.
2. Classify based on value.
o The process is to determine ownership in order to establish accountability.
o The owners are always in the best position to understand the value of what they own; therefore, it is up to the owners to classify assets.
o The process of understanding the value of an asset is very appropriately called asset valuation.
3. Protect based on classification.
o Protect the assets based on their classification levels.
o Establish the minimum security baseline for each classification level that exists.

• Categorization
o The process of determining the impact of the loss of confidentiality, integrity or availability of the information to an organization.
o Categorization deals with impact; criticality categorizes the data / deals with the impact.
o It is a part of the company's overall risk management strategy.

• Classification Benefits
• Awareness among employees and customers of the organization’s commitment to protecting information.
• Identification of critical information.
• Identification of vulnerability to modification.

• Issues Related to Classification
• Human error.
• Proper classification is dependent on the ability and knowledge of the classifier.
• Requires awareness of regulations and customer and business expectations.
• Requires a consistent classification method; often the decisions can be somewhat arbitrary.
• Needs clear labeling of all classified items.
• Must include a manner for declassifying and destroying material in the classification process.

• Based on Value
o Assets and resources imply value to an organization and, therefore, must be protected based on the value they represent to the organization.
o Value can be expressed in quantitative or qualitative terms; quantitative asset valuation implies that value is expressed in terms of numbers.
o The actual value of assets becomes very important in understanding how to protect those assets because the value will always dictate the level of security required.

• Protection of the value of assets & information
o Identifying and classifying assets and information will allow organizations to determine and achieve the protection requirements for the information.

• Classification and Categorization are used to help standardize the protection baselines for information systems and the level of suitability and trust an employee may need to access information.

• Common classes of sensitive data/information include:
o Personally identifiable information (PII), which uniquely identifies individuals.
o Protected health information (PHI), which includes individual health records.
o Proprietary information, which contains trade secrets.

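The notes say information assets are classified by content and that PII, PHI and card data drive the handling rules. The following is an added example (not from these notes) of a content-based classifier over constructed, fake records; the mapping of findings to the commercial levels listed above, the Luhn check for card numbers and the health-term list are assumptions made for the demonstration.

```python
import re

# Constructed sample records with fake values (not real data) for the demonstration.
SAMPLE_RECORDS = {
    "invoice-001": "Card 4111 1111 1111 1111 charged to Jane Doe, jane@example.com",
    "newsletter": "Our Q3 product roadmap is now public.",
    "hr-note": "Employee SSN 123-45-6789, diagnosis: asthma",
    "contact": "Reach support at support@example.com",
}

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
HEALTH_TERMS = ("diagnosis", "prescription", "patient", "treatment")

# Hypothetical mapping: these findings push a record to the highest level in the notes.
TOP_SECRET_FINDINGS = {"PAN", "SSN", "PHI"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary long digit runs are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive_content(text: str) -> list:
    """Return the kinds of sensitive content found, in detection order."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("PAN")
            break
    has_identifier = False
    if SSN_RE.search(text):
        findings.append("SSN")
        has_identifier = True
    if EMAIL_RE.search(text):
        findings.append("EMAIL")
        has_identifier = True
    # PHI = health information that is tied to an identifiable individual.
    lowered = text.lower()
    if (has_identifier or "PAN" in findings) and any(t in lowered for t in HEALTH_TERMS):
        findings.append("PHI")
    return findings


def classify(text: str) -> dict:
    """Assign a classification level from content and derive handling requirements."""
    findings = find_sensitive_content(text)
    if TOP_SECRET_FINDINGS & set(findings):
        level = "Top Secret"
    elif findings:
        level = "Company Confidential"
    else:
        level = "Public"
    return {
        "level": level,
        "findings": findings,
        "encrypt_at_rest": level == "Top Secret",   # handling rule derived from the level
        "label": f"[{level.upper()}]",              # marking applied to the asset
    }


def classify_inventory(records: dict) -> dict:
    """Classify every record so the inventory carries an explicit level per asset."""
    return {name: classify(body) for name, body in records.items()}
```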
• Classification Procedure
1. Define classification levels.
2. Specify the criteria that will determine how data is classified.
3. Identify data owners who will be responsible for classifying data.
4. Identify the data custodian who will be responsible for maintaining data and its security level.
5. Indicate the security controls, or protection mechanisms, required for each classification level.
6. Document any exceptions to the previous classification issues.
7. Indicate the methods that can be used to transfer custody of the information to a different data owner.
8. Create a procedure to periodically review the classification and ownership. Communicate any changes to the data custodian.
9. Indicate procedures for declassifying the data.

• Information and Asset Ownership
○ Compliance requirements will treat personal information as data that requires protection at every step of its lifecycle, from collection to processing, to storage, to archiving, and to destruction.
○ Protection of data requires a clear distinction of roles, accountabilities, and responsibilities to be identified and defined.

• Data Subject
○ Individual who is the subject of personal data

• Data Owner
○ Accountable for determining the value of the data.
○ Data owners also are accountable for defining policies for access of the data and clearly defining and
communicating the responsibilities for such protection to other entities including stewards, Custodians, and
processors.

• Data Controller
○ An entity that collects or creates PII. The data owner/controller is legally responsible for the protection of the PII in their control and liable for any unauthorized release of PII.
○ Ostensibly, the owner/controller is an organization; the legal entity that legitimately owns the data.

• Data Steward
○ Data stewards are commonly responsible for data content, context, and associated business rules within the organization.
○ The data protection officer is a data steward.
○ The data steward is concerned with the meaning of data and the correct usage of data.

• Data Processor
○ Any entity, working on behalf or at the behest of the data controller, that processes PII. Under most PII-related laws, "processing" can include absolutely anything that can be done with data: creating, storing, sending, computing, compiling, copying, destroying, and so forth.
○ While the data processor does have to comply with applicable PII law, it is the data owner/controller that remains legally liable for any unauthorized disclosure of PII, even if the processor is proven to be negligent/malicious.

• Data Custodian
○ The person/role within the organization who usually manages the data on a day-to-day basis on behalf of the data owner/controller.
○ This is often a database manager or administrator; other roles that might be considered data custodians could be system administrators or anyone with privileged access to the system or data set.

• Difference Between Data Owner/Controller and Data Custodian/Processor
o The data owner and the data custodian are accountable for the protection of what they own, based on the value of that asset to the organization.
o The controller will act as the owner and, therefore, becomes accountable for the protection based on expectations related to legislation and regulations.

• Protect Privacy
• Privacy
o Right of the individual to control their personal data.
o Data collection should be restricted.
o Data owners have a responsibility to respect and enforce privacy principles.
o Data processes should ensure enforcement of privacy and data integrity.
o Data remanence techniques should be used to permanently delete data.
• Data Location
o The main compliance concerns with transborder data flows include whether the laws in the jurisdiction where the data was collected permit the flow, whether those laws continue to apply to the data post-transfer, and whether the laws at the destination present additional risks or benefits.
o Technical, physical and administrative safeguards, such as access controls, often apply. For example, European data protection laws may impose additional obligations on the handling and processing of data transferred to the U.S.
o These concerns can be alleviated if the cloud provider has some reliable means to ensure that an organization's data is stored and processed only within specific jurisdictions.

• OECD Privacy Principles = Must know each feature
o Collection Limitation Principle
• There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
o Data Quality Principle
• Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up to date.
o Purpose Specification Principle
• The purpose for which personal data is collected should be specified at the time of data collection.
o Use Limitation Principle
• Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified except with the consent of the data subject or by the authority of law.
o Security Safeguards Principle
• Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
o Openness Principle
• There should be a general policy of openness about developments, practices, and policies with respect to personal data.
o Individual Participation Principle
• An individual should have the right:
a) To obtain from a data controller, or otherwise, confirmation of whether the data controller has data relating to him
b) To have communicated to him data relating to him
c) To be given reasons if a request is denied, and to be able to challenge such denial
d) To challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended
o Accountability Principle
• A data controller should be accountable for complying with measures that give effect to the principles stated above.

• Privacy Threshold Assessment
o The purpose of the Privacy Threshold Assessment (PTA) is to identify PII (Personally Identifiable Information) that has been acquired by the organization and to determine how to appropriately treat the data.
o PTAs generally include the following information:
• Description of the system
• What PII, if any, is collected or used
• From whom the PII is collected and why
• Archiving requirements
• Protection requirements (regulatory, contractual, ethical)

• Privacy Impact Assessment
o A PIA is a decision-making tool used to identify and mitigate privacy risks at the beginning of and throughout the development life cycle of a program or system.
o PIAs generally include the following information:
• Description of the system
• What PII, if any, is collected or used
• Why it is being collected
• From whom the PII is collected
• Privacy requirements (regulatory, contractual, ethical)
• How it will be used, accessed, secured, shared
❖ For questions and more clarity, refer to the Data Privacy Exam Dose link.

• Regulation
o PIPEDA
• Personal Information Protection and Electronic Documents Act.
• Used in Canada.
• Penalties need to be remembered.
o GDPR (https://www.nibusinessinfo.co.uk/content/data-protection-principles-under-gdpr)
• General Data Protection Regulation.
• The principles set out obligations for businesses and organizations that collect, process and store individuals' personal data. Data breach notification: within 72 hours.
• Used in the EU. Right to Erasure: all users have the "Right to be forgotten".
• Six Privacy Principles (LPD ASI)
1. Lawfulness, fairness, transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability
o Binding corporate rules
▪ You can make a restricted transfer if both you and the receiver have signed up to a group document called binding corporate rules (BCRs).
▪ BCRs are an internal code of conduct operating within a multinational group, which applies to restricted transfers of personal data from the group's EEA entities to non-EEA group entities.
▪ This may be a corporate group or a group of undertakings or enterprises engaged in a joint economic activity, such as franchises or joint ventures.
▪ You must submit BCRs for approval to an EEA supervisory authority in an EEA country where one of the companies is based.
▪ One or two other supervisory authorities will be involved in the review and approval of BCRs (depending on how many EEA countries you are making restricted transfers from). These will be supervisory authorities where other companies signing up to those BCRs are located.
▪ The concept of using BCRs to provide adequate safeguards for making restricted transfers was developed by the Article 29 Working Party in a series of working documents.

o International transfers at a glance
• The GDPR primarily applies to controllers and processors located in the European Economic Area (the EEA), with some exceptions.
• Individuals risk losing the protection of the GDPR if their data is transferred outside of the EEA. On that basis, the GDPR restricts transfers of personal data outside the EEA, or outside the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies.
• A transfer of personal data outside the protection of the GDPR (which we refer to as a 'restricted transfer') most often involves a transfer from inside the EEA to a country outside the EEA.
• If you wish to do so, you should answer the following questions, until you reach a provision that permits your restricted transfer:
• Data protection impact assessments - A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimize the data protection risks of a project.
• Your DPIA must: describe the nature, scope, context, and purposes of the processing; assess necessity, proportionality, and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks.
• To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
o Contracts at a glance
• Whenever a controller uses a processor, it needs to have a written contract in place.
• The contract is important so that both parties understand their responsibilities and liabilities.
• The GDPR sets out what needs to be included in the contract.
• In the future, standard contract clauses may be provided by the European Commission or the ICO and may form part of certification schemes. However, at the moment no standard clauses have been drafted.
• Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide 'sufficient guarantees' that the requirements of the GDPR will be met and the rights of data subjects protected.
• In the future, using a processor which adheres to an approved code of conduct or certification scheme may help controllers to satisfy this requirement, though again, no such schemes are currently available.
• Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don't comply.
o US Privacy Laws
• HIPAA - Health Insurance Portability and Accountability Act of 1996
• GLBA - Gramm-Leach-Bliley Act of 1999
• FERPA - Family Educational Rights and Privacy Act
• COPPA - Children's Online Privacy Protection Act of 1998
• APEC - Asia-Pacific Economic Cooperation
• OECD - Organisation for Economic Co-operation and Development
o Data sovereignty refers to legislation that covers information that is subject to the laws of the country in which the information is located or stored.
• Data should be destroyed after its purpose is completed.
o US (Data Owner & Data Custodian)

• Appropriate Asset Retention
o End of Life Policies Process
a. General Availability / Sale Date (GA)
b. End of Life / End of Sale (EOL or EOS)
c. End of Development (EOD)
d. End of Service Life / End of Support (EOSL)

• Retention
o Data retention, which is sometimes also referred to as records retention, is defined as the continued and long-term storage of valuable assets.
o Companies are required to comply with legal and regulatory legislation in retaining assets, especially information and records.

• Assets/Data Lifecycle
o To protect assets properly, one must understand the asset lifecycle and apply protection mechanisms throughout the phases of the asset lifecycle.
o The lifecycle of data is depicted as having six phases: create, store, use, share, archive, and destroy. (CS US AD)

• Archive
▪ Archiving is the process of securely storing unaltered data for later potential retrieval.
▪ Backup and replication are the processes of making copies of data to ensure recoverability.

o Retention
• Retention is a protocol (set of rules) within an organization that dictates the types of unaltered data that must be kept and for how long.
• Legal and regulatory requirements must be considered.
• A data retention policy can help to ensure that outdated data is purged, removing potential additional costs for discovery.
• Many organizations have aggressive retention policies to both reduce the cost of storage and limit the amount of data that is kept on hand and discoverable.
• A well-documented policy for the retention of data is a minimum but necessary component of regulatory compliance.
• Data retention policies are not designed to destroy incriminating data, and legal requirements for data retention must still be met.
• The data retention policy should address what data to keep, where to keep it, how to store it, and for how long to keep it. The policy is not concerned with "for whom" the data is kept.

• Legal Hold
o A legal hold is a requirement for an organization to preserve all forms of relevant information when litigation, audit, or government investigation is reasonably anticipated.
o The objective is to avoid evidence spoliation.
o A legal hold supersedes organizational retention policies.
o eDiscovery (also called electronic discovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.
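The retention and legal hold rules above (regulatory requirements set the floor, business need applies where none exists, and a legal hold supersedes the schedule) can be expressed as a small disposition check. This is an added example, not part of the notes; the record types, retention periods and sample records are constructed, hypothetical values.

```python
from datetime import date, timedelta

# Constructed retention policy (hypothetical values): per record type, the business
# need and the regulatory minimum in days. The effective period is the longer of the two.
RETENTION_POLICY = {
    "invoice": {"business_days": 365, "regulatory_days": 7 * 365},
    "marketing_list": {"business_days": 180, "regulatory_days": 0},
    "access_log": {"business_days": 90, "regulatory_days": 365},
}


def retention_days(record_type: str) -> int:
    """Regulatory requirements set a floor; business need applies only where none exists."""
    rule = RETENTION_POLICY[record_type]
    return max(rule["business_days"], rule["regulatory_days"])


def disposition(record: dict, today: date) -> str:
    """Return 'hold', 'retain' or 'purge' for one record.

    A legal hold supersedes the retention schedule: a record whose retention period has
    expired is still kept while a hold applies, and must not be disposed of until the
    hold is lifted (avoiding evidence spoliation).
    """
    if record.get("legal_hold"):
        return "hold"
    expires = record["created"] + timedelta(days=retention_days(record["type"]))
    return "purge" if today >= expires else "retain"


def purge_candidates(records: list, today: date) -> list:
    """Ids of records that the retention schedule allows to be purged today."""
    return [r["id"] for r in records if disposition(r, today) == "purge"]


# Constructed sample records.
SAMPLE_RECORDS = [
    {"id": "inv-2012", "type": "invoice", "created": date(2012, 3, 1), "legal_hold": False},
    {"id": "inv-2019", "type": "invoice", "created": date(2019, 3, 1), "legal_hold": False},
    {"id": "inv-2011", "type": "invoice", "created": date(2011, 1, 15), "legal_hold": True},
    {"id": "mkt-2020", "type": "marketing_list", "created": date(2020, 6, 1), "legal_hold": False},
    {"id": "log-2020", "type": "access_log", "created": date(2020, 9, 1), "legal_hold": False},
]
```

Note that the access log is kept beyond the 90-day business need because the regulatory minimum is longer, and the 2011 invoice is kept despite being long past its retention period because of the hold.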

• Data Quality Standards
o Characteristics

• Processing Data
o Quality Control (QC)
• Introduce several controls and control standards, and process the data according to these controls.
• Assessment of quality based on internal standards.
o Quality Assurance (QA)
• Assessment of quality based on standards external to the process; involves reviewing the activities and quality control processes.
• There are two things to remember:
▪ Preventing errors while processing data
▪ Correcting errors while processing data

• Configuration Management Database (CMDB)
o A logical entity with key integration points that supports and enables processes in service delivery, service support, IT asset management, and other IT disciplines.
o Software Licensing - Original copies of licensed software must be controlled by the organization to prevent copyright infringement.
o All software copies should be managed by a software or media librarian; conduct inventory scans of installed software.

• Data Security Controls

• Data Standard
o Describes objects, features, or items that are collected, automated or affected by the activities or functions of organizations.
o Benefits of Data Standards
• More efficient data management
• Increased data sharing
• High-quality data
• Improved data consistency
• Increased data integrity
• A better understanding of data
• Improved documentation of information resources
o During implementation of data standards, consider the below
• International Laws ----> National ---> Regional ---> Local Laws

• Data Remanence ( VERY IMP TOPIC FOR EXAM )
o Data remanence is defined as the residual data remaining on some sort of object after the data has been deleted or erased.
o The problem related to data remanence is that there may be some physical characteristics of that data remaining on the media even after we have tried to securely erase it.
o Data remaining on media that use magnetic technologies, such as HDDs, becomes an issue if the value of the data that was stored on that media is high.
o Secure methods of addressing Data Remanence
o Media sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort.
o Types of Media Sanitization
o Clearing
• Defined as the removal of sensitive data from storage devices, using methods that provide assurance that the data cannot be reconstructed using commonly known data recovery techniques.
• It is the least secure method.
• It is typical to use random passes of 0 and 1 combinations, not patterns, to overwrite.
• May be recoverable with special lab equipment; the data is just overwritten.
• Overwriting
• Zeroization (S/W overwrite)
• One common method used to address data remanence is to overwrite the storage media with new data. We can overwrite with zeroes or ones.
• This is sometimes called wiping. The simplest overwrite technique is to write zeroes over the existing data and, depending on the sensitivity of the data, this might need to be done several times.
o Purging
• Purging, sometimes referred to as advanced sanitizing, is the removal of sensitive data from media with the intent that the sensitive data cannot be reconstructed by any known technique.
• More intense than clearing. Media can be reused in lower systems.
• Data erasing
• Degaussing
• A technique that uses a degausser to erase the information on magnetic media by applying a varying magnetic field to the media, erasing information that was stored using magnetic technology.
• The media is saturated with a magnetic field that erases all of the information.
• AC erasure: alternating magnetic fields. DC erasure: unidirectional magnetic field or permanent magnet; can erase tapes.
o Destruction
▪ The destruction method should be driven by the value of the sensitive data residing on the media.
▪ Destruction of the media is the best method as it destroys the media and also the data that is on it.
o Crypto-shredding
▪ Also called crypto erasure.
▪ Crypto-shredding is the practice of 'deleting' data by deliberately deleting or overwriting the encryption keys.
▪ Used in the cloud.

o Clearing and Purging of writeable electronic storage media should be performed using tools.
o Destruction techniques should be used when Clearing and Purging are not effective (e.g. single-write media or media that is permanently write protected).
o While most devices support some form of Clear, not all devices have a reliable Purge mechanism. For moderate confidentiality data, the media owner may choose to accept the risk of applying Clear techniques to the media, acknowledging that some data may be able to be retrieved by someone with the time, knowledge, and skills to do so.
o Purge (and Clear, where applicable) may be more appropriate than Destroy when factoring in environmental concerns, the desire to reuse the media (either within the organization or by selling or donating the media), the cost of a media or media device, or difficulties in physically

o Clearing (least secure) - Data unreadable
o Purging/Sanitizing - Data erasing / Data Removal
o Destruction (most secure) - Disk destruction
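The two software-side techniques in the section above, overwriting (a Clear technique) and crypto-shredding (destroying the key rather than the data), are shown side by side in this added example, which is not from the notes. The file wipe works on a temporary file; the cipher is a constructed SHA-256 keystream stand-in so the demo runs offline (a real system would use an authenticated cipher such as AES-GCM), and RecordStore is a hypothetical record store whose key vault stands in for an HSM or KMS.

```python
import hashlib
import os
import secrets
import tempfile

# --- Clear: overwrite in place ------------------------------------------------
# Overwriting defeats simple file-recovery tools, but on flash media with wear
# levelling, or where sectors have been remapped, the old bytes may survive in
# places the file system cannot reach. That is why the notes rank Clear as the
# least secure option and reserve Purge/Destroy for high-value data.

def clear_file(path: str, passes: int = 3) -> bool:
    """Overwrite the file's full length with random data, then zeros, syncing each pass.
    Returns True when the read-back content is all zeros (the overwrite actually landed)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        patterns = [os.urandom(size) for _ in range(passes)] + [b"\x00" * size]
        for pattern in patterns:
            fh.seek(0)
            fh.write(pattern)
            fh.flush()
            os.fsync(fh.fileno())   # force each pass to the device, not just the cache
        fh.seek(0)
        verified = fh.read() == b"\x00" * size
    os.remove(path)
    return verified


def demo_clear(marker: bytes = b"ACCOUNT 4111 1111 1111 1111 ") -> bool:
    """Write a constructed marker to a temp file, clear it, and report the verification."""
    fd, path = tempfile.mkstemp()
    os.write(fd, marker * 64)
    os.close(fd)
    return clear_file(path) and not os.path.exists(path)


# --- Crypto-shredding: destroy the key, not the ciphertext ---------------------

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in cipher: SHA-256(key || counter) keystream XORed with data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class RecordStore:
    """Hypothetical store: each record is encrypted under its own key, and the keys
    live in a separate vault so that deleting one key makes one record unreadable
    even though the ciphertext stays on disk, backups or cloud storage."""

    def __init__(self):
        self.ciphertexts = {}
        self.key_vault = {}

    def put(self, record_id: str, plaintext: bytes) -> None:
        key = secrets.token_bytes(32)
        self.key_vault[record_id] = key
        self.ciphertexts[record_id] = _keystream_xor(key, plaintext)

    def get(self, record_id: str) -> bytes:
        key = self.key_vault[record_id]          # KeyError once the key is shredded
        return _keystream_xor(key, self.ciphertexts[record_id])

    def crypto_shred(self, record_id: str) -> None:
        """Crypto erasure: remove the key; the ciphertext is deliberately left in place."""
        del self.key_vault[record_id]


def demo_shred() -> dict:
    """Store a constructed record, shred its key, and report what is still recoverable."""
    store = RecordStore()
    store.put("cust-1", b"Jane Doe, 4111 1111 1111 1111")
    before = store.get("cust-1")
    store.crypto_shred("cust-1")
    try:
        store.get("cust-1")
        recoverable = True
    except KeyError:
        recoverable = False
    return {
        "roundtrip": before,
        "ciphertext_still_stored": "cust-1" in store.ciphertexts,
        "recoverable": recoverable,
    }
```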

• Baseline
o A baseline is a consistent reference point.
o Baselines are the minimum security that needs to be implemented in the organization.
o Baselines provide a definition of the minimum level of protection that is required to protect valuable assets.
o Common security configurations; use Group Policies to check and enforce compliance.
o On top of the baselines, we build standards, procedures, and controls.
o Catalogs of baseline safeguards could be obtained from
• International and national standards organizations
• Industry sector standards or recommendations
• Some other company, preferably with similar business objectives
o Considerations
• Which parts of the enterprise or system can be protected by the same baseline?
• Should the same baseline be applied to the whole enterprise?
• At what security level should the baseline aim?
• How will the controls forming the baseline be determined?
o Scoping and Tailoring
• Scoping - which portion of the standard will be employed
o limiting general baseline recommendations by removing those that do not apply
o taking a broader standard and trimming out the irrelevant or otherwise unwanted parts
• Tailoring - customization of the standards to fit the organization
o altering baseline recommendations to apply more specifically
• First scope and then tailor to suit the organization's requirements.
• The aim of information asset protection standards is to balance the value of the information with the cost of protecting it.
• Asset inventories and classification standards will help you determine the right security controls.

• Data States
o Three states of data must be considered when securing it; implement the appropriate type of security for each state.
• Data at Rest
▪ Data stored on media in any form (persistent storage, e.g. disk, tape). It is at rest because it is not being transmitted or processed in any way.
▪ When data is at rest malicious users may
• Gain unauthorized physical or logical access to a device
• Transfer information from the device to an attacker’s system
• Perform other actions that jeopardize the confidentiality of the information on a device
▪ Data at Rest - Recommendations - Compliance: FIPS and AES.
▪ DAR Protection

• TPM - Chip integrated into the computer's hardware that provides a crypto processor
 It provides device authentication (very important)
a) Generates, stores, and limits the use of cryptographic keys.
b) Provides platform device authentication using the TPM's unique RSA key, which is burned into the chip.
c) Helps ensure platform integrity by taking and storing security measurements.
• SED - Self-Encrypting Drive - the encryption key is built into the drive but should also be stored separately and updated regularly.
▪ Removable media should be labeled. When unattended, removable media should be stored in a secured and locked location. Document the physical location of removable media.
• Data in Use (CPU processing or in RAM)
▪ Data that is being processed by applications or processes.
▪ It might also be in the process of being viewed by users accessing it through various endpoints or applications
▪ Digital Asset Management (DAM) & Data Leakage Prevention (DLP) - effective for data in use
▪ Encryption does not work on data in use; the alternative solutions are masking, obfuscation, anonymization, and tokenization.
▪ Pseudonymization techniques involve replacing actual data with pseudonyms.
• Pseudonymization makes personal data processing easier, reducing the risk of exposing sensitive data to unauthorized personnel and employees.
• Types of pseudonymization
 Scrambling
 Encryption
 Tokenization
 Data blurring

• Obfuscation Types / Masking
o Masking is less secure than encryption.
o Static masking - when data is not in use. Ex: allowing a customer service representative limited access to account data. Data at rest, used in a non-production environment.
o Dynamic masking - data in use. Ex: creating a test environment for a new application.
▪ Data Anonymization
o Anonymization is the process of removing identifiers in order to prevent identification of individuals or sensitive information.
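The data-in-use protections listed above (masking, tokenization, pseudonymization and anonymization), as an added example that is not part of the notes. The record, the roles allowed to see unmasked values, the token format and the HMAC key are all constructed for the illustration; the point is to show what each technique leaves readable and which ones can be reversed, and by whom.

```python
"""Protections for data in use: masking, tokenization, pseudonymization, anonymization.

Added illustration; not from the CISSP notes. The record, roles and key below are
constructed sample data, and the format-preserving choices are this example's own.
"""
import hashlib
import hmac
import secrets

# Constructed sample record (well-known test values, not a real person)
SAMPLE_RECORD = {
    "name": "Alice Example",
    "ssn": "123-45-6789",
    "pan": "4111 1111 1111 1111",
    "age": 34,
    "zip": "90210",
}

FULL_ACCESS_ROLES = {"fraud_analyst"}   # constructed: roles allowed to see unmasked values


def mask_digits(value: str, keep_last: int = 4) -> str:
    """Irreversibly replace every digit except the last `keep_last` with '*', preserving separators."""
    digits_total = sum(ch.isdigit() for ch in value)
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > digits_total - keep_last else "*")
        else:
            out.append(ch)
    return "".join(out)


def mask_record(record: dict, role: str) -> dict:
    """Dynamic masking: mask sensitive fields at read time unless the caller's role may see them."""
    if role in FULL_ACCESS_ROLES:
        return dict(record)
    masked = dict(record)
    for field in ("ssn", "pan"):
        masked[field] = mask_digits(record[field])
    return masked


class TokenVault:
    """Tokenization: substitute a random token for the real value; only the vault can map it back."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:           # same value -> same token, so joins still work
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)  # random, so the token reveals nothing about the value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): stable for the same input, unlinkable without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def anonymize(record: dict) -> dict:
    """Drop direct identifiers and generalize quasi-identifiers so the record no longer points at one person."""
    decade = record["age"] // 10 * 10
    return {
        "age_band": f"{decade}-{decade + 9}",
        "zip_prefix": record["zip"][:3],
    }


if __name__ == "__main__":
    print(mask_record(SAMPLE_RECORD, role="support"))
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_RECORD["pan"])
    print(token, "->", vault.detokenize(token))
    print(pseudonymize(SAMPLE_RECORD["name"], key=b"constructed-demo-key"))
    print(anonymize(SAMPLE_RECORD))
```

Masking is one-way and so is anonymization; tokenization is reversible only through the vault, which is why the vault (like the SED key in the notes) must be stored and protected separately from the data it serves; the HMAC pseudonym is consistent across datasets that share the key, which is useful for processing but means the key itself must be treated as sensitive.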

• Data in Transit ( Transmission )


○ Data that moves, usually across networks, is said to be data in motion, or in transit.
○ Prevent the contents of the message from being revealed even if the message itself was intercepted in Transit.
○ Two types of encryption for data in transit
• Link Encryption - performed by the service provider
• Link encryption encrypts all of the data along the communications path; it is done by the service provider.
• Link encryption is more secure than end-to-end encryption.
• In the case of link encryption, a symmetric key is used (provided both ends are on the same service provider), with Diffie–Hellman for key exchange.
• Each hop has to decrypt the headers, if a node is compromised then the traffic passing through that node is considered
compromised as well.
• Key Distribution and management are complex. Each hop must receive a key and when the key changes this needs to be
changed at each hop.
• Tunnel mode of VPN
• End to End Encryption - Performed by Consumer
• The data are encrypted at the start of the communications channel or before and remain encrypted until decrypted at the
remote end. Although data remains encrypted when passed through a network, routing information remains visible.

• It is possible to combine both types of encryption. End-to-end encryption is performed by the end user and is easier (ex: data / WhatsApp); link encryption is between the routers (ex: MPLS network / VPN). At the end of the day they both use a common algorithm.
• Transport mode of VPN

HTTP - use HTTPS (TLS/SSL), which offers integrity and confidentiality.

E-mail - use S/MIME or PGP (Pretty Good Privacy).
S/MIME offers confidentiality, integrity, authenticity and non-repudiation.
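The link encryption versus end-to-end encryption discussion above, as an added simulation (not code from the notes). A packet is forwarded from A through two provider routers to B; the script reports what a wiretap on the first link and a compromised intermediate router could read under link encryption only, end-to-end only, and both combined. The hop chain, keys and message are constructed, and the cipher is a toy HMAC-SHA256 keystream used only so the script runs with the standard library; it models visibility at each point, not real cryptographic strength.

```python
"""Link encryption vs. end-to-end encryption: what a wiretap and an intermediate node can read.

Added illustration; not from the CISSP notes. The hop chain, keys and message are
constructed, and the cipher is a toy HMAC-SHA256 keystream chosen only so the
script runs with the standard library; it models visibility, not real security.
"""
import hashlib
import hmac
import json

HOPS = ["A", "R1", "R2", "B"]                       # sender A, provider routers R1/R2, receiver B
LINK_KEYS = {                                       # one key per link, held by the service provider
    ("A", "R1"): b"link-key-A-R1",
    ("R1", "R2"): b"link-key-R1-R2",
    ("R2", "B"): b"link-key-R2-B",
}
E2E_KEY = b"end-to-end-key-known-only-to-A-and-B"   # held by the endpoints only
NONCE = b"\x00" * 8   # fixed for a deterministic demo; a real cipher needs a fresh nonce per message


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter keystream (symmetric, so it also decrypts)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def transmit(payload: bytes, link: bool, e2e: bool) -> dict:
    """Forward one packet from A to B.

    Returns what a wiretap on the A-R1 link captured ("tap"), what router R1 held after
    link decryption ("node"), and the payload B finally read ("received").
    """
    body = keystream_xor(E2E_KEY, NONCE, payload) if e2e else payload
    packet = json.dumps({"src": "A", "dst": "B", "body": body.hex()}).encode()
    tap, node_view = None, None
    for cur, nxt in zip(HOPS, HOPS[1:]):
        wire = keystream_xor(LINK_KEYS[(cur, nxt)], NONCE, packet) if link else packet
        if cur == "A":
            tap = wire
        # each hop must decrypt the link layer to read the headers and route onward
        packet = keystream_xor(LINK_KEYS[(cur, nxt)], NONCE, wire) if link else wire
        if nxt == "R1":
            node_view = json.loads(packet)
    final = json.loads(packet)
    received = bytes.fromhex(final["body"])
    if e2e:
        received = keystream_xor(E2E_KEY, NONCE, received)   # only the endpoint holds E2E_KEY
    return {"tap": tap, "node": node_view, "received": received}


def headers_visible_on_wire(result: dict) -> bool:
    """True if the wiretap can read routing information in clear."""
    return b'"src"' in result["tap"]


def payload_visible_at_node(result: dict, payload: bytes) -> bool:
    """True if the intermediate router R1 (if compromised) can read the payload."""
    return bytes.fromhex(result["node"]["body"]) == payload


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"
    for link, e2e in ((True, False), (False, True), (True, True)):
        r = transmit(msg, link, e2e)
        print(f"link={link} e2e={e2e}: headers on wire={headers_visible_on_wire(r)}, "
              f"payload at R1={payload_visible_at_node(r, msg)}, delivered={r['received'] == msg}")
```

The three runs reproduce the notes' claims: link encryption hides headers from a wiretap but every hop holds the cleartext, so a compromised node sees the payload; end-to-end encryption hides the payload from the hops but leaves routing information visible; combining both hides headers on the wire and the payload at the nodes, which is why the notes describe combining them.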

• Data Security in Cloud


o Protecting data moving to and from the cloud -- SSL/TLS/IPsec
o Protecting Data in the cloud -- Encryption
o Detecting data migration to the cloud -- DAM and DLP
o Data Dispersion
• Data is replicated across multiple physical locations in the cloud for high availability
o Data Fragmentation
• Splitting the data into smaller fragments or Shards and distributing them across a large set of machines.
• Information and Asset Handling Requirements
• The first step in protecting information system data is to identify and categorize the types of data that are present.
• The next step is to label, mark or otherwise classify the types of data to ensure the proper level of protection is employed.
• Labels
o Labels are used to identify assets so users can apply the appropriate handling standard.
o Labeling is influenced by the intended audience
o Labels can be digital, print, audio, or visual
• Noted on or in a document
• Written on or attached to media
o There are two types of labeling - physical (physically attached) and logical (logical labeling); DLP inspects content based on the data label.
o Labeling and marking are often treated as the same; although they are similar and may seem synonymous, labeling can be thought of as the mechanism you use to mark your data.
o Labeling states what the classification is.
o Marking is noting the handling instructions on the asset based on the classification (how the asset should be protected based on its classification).
o The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational
information systems, to enable information system-based enforcement of information security policies. (NIST SP 800-53 R4)
o The term security marking refers to the association of security attributes with objects in a human-readable form, to enable
organizational process-based enforcement of information security policies. (NIST SP 800-53 R4)
• Marking
o Organizations should have policies in place regarding the marking and labeling of media based on its classification.
o Storage media should have a physical label identifying the sensitivity of the information contained.
o The label should indicate if the media is encrypted.
o The label may also contain information regarding a point of contact and a retention period.
o When media is found or discovered without a label, it should be immediately labeled at the highest level of sensitivity until the appropriate analysis reveals otherwise.
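The labeling and marking rules above, as an added example that is not from the notes: a logical label read from the top of a document drives a DLP gateway decision, and a physical media label is built from an inventory entry, with unlabeled media defaulting to the highest sensitivity until analysed. The classification levels, handling rules, sample document text and inventory entries are all constructed for the illustration.

```python
"""Reading classification labels and applying the handling standard.

Added illustration; not from the CISSP notes. The classification levels, handling
rules, sample document text and media inventory entries are all constructed.
"""
import re

# Constructed ordering, lowest to highest sensitivity
LEVELS = ["public", "internal", "confidential", "restricted"]
HIGHEST = LEVELS[-1]

# A logical label as it might be marked at the top of a document or e-mail
LABEL_RE = re.compile(r"^\s*classification\s*:\s*([a-z]+)", re.IGNORECASE | re.MULTILINE)

# Constructed handling standard keyed by label
HANDLING = {
    "public":       {"external_email": True,  "encrypt_in_transit": False},
    "internal":     {"external_email": False, "encrypt_in_transit": False},
    "confidential": {"external_email": False, "encrypt_in_transit": True},
    "restricted":   {"external_email": False, "encrypt_in_transit": True},
}


def read_label(content: str) -> str:
    """Return the document's classification; unlabeled or unknown labels are treated as the highest level."""
    match = LABEL_RE.search(content)
    if match is None:
        return HIGHEST
    label = match.group(1).lower()
    return label if label in LEVELS else HIGHEST


def dlp_decision(content: str, external_destination: bool, encrypted: bool):
    """DLP check at the e-mail gateway: decide from the label whether the message may leave."""
    label = read_label(content)
    rule = HANDLING[label]
    if external_destination and not rule["external_email"]:
        return label, "block"
    if rule["encrypt_in_transit"] and not encrypted:
        return label, "block"
    return label, "allow"


def media_label(entry: dict) -> dict:
    """Build the physical label for a piece of storage media from its inventory entry.

    Media discovered without a classification gets the highest level and is flagged
    for analysis; encryption state, contact and retention period go on the label too.
    """
    label = str(entry.get("classification", "")).lower()
    pending = label not in LEVELS
    return {
        "media_id": entry["id"],
        "classification": HIGHEST if pending else label,
        "pending_analysis": pending,
        "encrypted": bool(entry.get("encrypted", False)),
        "contact": entry.get("contact", "UNASSIGNED"),
        "retention_days": entry.get("retention_days"),
    }


# Constructed samples
DOC_INTERNAL = "Classification: Internal\nQ3 staffing plan - do not forward outside the company."
DOC_UNLABELED = "Meeting notes from Tuesday."
FOUND_TAPE = {"id": "TAPE-0042", "encrypted": False}          # discovered with no label

if __name__ == "__main__":
    print(dlp_decision(DOC_INTERNAL, external_destination=True, encrypted=False))
    print(dlp_decision(DOC_UNLABELED, external_destination=False, encrypted=True))
    print(media_label(FOUND_TAPE))
```

Defaulting the unknown case to the highest level is the safe direction for both the gateway and the media label: a missing or misspelled label then costs a blocked message or a re-check, rather than a silent leak.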
• Media
o Media storing sensitive information requires physical and logical controls
o Media lacks the means for digital accountability when the data is not encrypted; for this reason, extensive care must be taken when handling sensitive data.
o Logical and physical controls, such as marking, handling, storing, and declassification, provide methods for the secure
handling of sensitive media containing sensitive information.
• Guidelines
o The asset owner must document the security classification of the asset, as well as indicate who is the asset custodian
(usually some part of the IT department).

o The asset owner needs to advise the asset custodian and IT security team of the security classification of the asset so that
appropriate controls can be applied.
o Make sure that all hard copies of an asset that is internal, sensitive, confidential, or otherwise restricted are clearly labeled
according to their security classification.
o If the hard copy is bound, it should have an appropriate sensitivity label on the front cover, rear cover, and title page as
appropriate.
o The cover sheet for fax should also include the relevant classification label if the material is sensitive in any way.
o Any electronic communication for sensitive information must also have the proper classification level, including at the top
or end of an email.
• Handling
o Inform custodians and users how to interact with information assets.
o Handling standards are generally related to classification, data state, and legal or regulatory requirements
o The first step in protecting information system data is to identify and categorize the types of data that are present.
o The next step is to label, mark or otherwise classify the types of data to ensure the proper level of protection is employed.
o Storing: sensitive media should not be left lying about where a passerby could access it; whenever possible, backup media should be encrypted and stored in a secure manner.
o Destruction: media that is no longer needed or is defective should be destroyed rather than simply disposed of. A record of the destruction should be kept that corresponds to any logs used for handling media.
o Record Retention
• Organizations may have to keep certain records for a period as specified by industry standards or in accordance with laws
and regulations
• Security practitioners should ensure that accurate records are maintained by the organization regarding the location and
types of records stored.
• Record retention policies are used to indicate how long an organization must maintain information and assets
o For data handling procedures, keep the following in mind:
• Cost: There is a cost associated with acquiring and protecting data.
• Ownership and Custodianship: Specify who is the data owner and who is the data custodian.
• Privacy: Consider guidelines for what information is considered private, and how that information will be stored, managed,
and used.
• Liability: Does the data or loss of the data present any liability issues? Can protection be gained with banners informing
users of the importance of protecting the data? Can end-user agreements be stipulated? Is the data licensed or licensable?
• Sensitivity: If there is sensitive data, perform a risk analysis to determine appropriate processes for access.
• Existing Law and Policy Requirements: Be aware of the laws and regulations surrounding the data you have acquired
-------------------------------------------------------------------------------------------------------------------------------------------------------

CBK Notes

• A data policy that defines strategic long-term goals and provides guiding principles for data management in all aspects of a project, agency, or organization.
• Clearly defined roles and responsibilities for those associated with the data, in particular of data providers, data owners, and custodians
• Clear and documented published data that is available and useable to users, with consistent delivery procedures.
• Data owners generally have legal rights over the data, along with copyright and intellectual property rights
• Custodianship is generally best handled by a single role or entity that is most familiar with a dataset's content and associated management criteria
• Quality, as applied to data, has been defined as fitness for use or potential use
• Documentation is the key to good data quality. Without good documentation, it is difficult for users to determine the fitness for use of the data and difficult for
custodians to know what and by whom data quality checks have been carried out
• Data modeling is the methodology that identifies the path to meet user requirements.
• Efforts should be made by the security practitioner to stay current on new threats so that a database and its data are not put at risk.
• Security involves the system, processes, and procedures that protect a database from unintended activity.
• Minimizing negative impact on an enterprise and the need for a sound basis in decision making are the fundamental reasons enterprises implement a risk
management process for their IT systems
• Media storing sensitive information requires physical and logical controls. The security professional must continually bear in mind that media lacks the means for
digital accountability when the data is not encrypted
• The need for media marking typically is strongest in organizations where sensitive IP and confidential data must be stored and shared amongst multiple people
• Policies and procedures describing the proper handling of sensitive media should be promulgated
• Sensitive media should not be left lying about where a passerby could access it
• Media that is no longer needed or is defective should be destroyed rather than simply disposed
• A periodic review of retained records is necessary to reduce the volume of information stored and ensure that only relevant information is preserved

• The security professional needs to be aware of developments locally, nationally, and internationally that could potentially have an impact on the issues
surrounding data protection, user privacy, and data retention
• SSDs have a unique set of challenges that require a specialized set of data destruction techniques. Unlike HDDs, overwriting is not effective for SSDs
• Due to the unique complexities of SSDs, the best data destruction method is, in fact, a combination of all these techniques – crypto-erase, sanitization, and
targeted overwrite passes
• The use of cloud-based storage today also presents a data remanence challenge for the security practitioner
• Classification is concerned primarily with access, while categorization is primarily concerned with the impact
• Categorization is the process of determining the impact of the loss of confidentiality, integrity, or availability of information to an organization
• Classification and categorization are used to help standardize the defense baselines for information systems and the level of suitability and trust an employee may
need to access information.
• Proper data classification also helps the organization comply with pertinent laws and regulations.
• All software copies should be managed by a software or media librarian who is responsible for maintaining control over software assets, both physically and as
information assets
• The security practitioner should guide the organization so that it understands the importance of training employees as soon as the record retention policy is
adopted
• The security practitioner should conduct periodic audits to ensure that records are being retained and destroyed appropriately.
• Because link encryption also encrypts the routing information, it provides traffic confidentiality better than end-to-end encryption.
• Data controller determines the need and how the data will be processed.
• Data processor is a separate legal entity processing data for the controller.
• Cloud providers are generally considered data processors, as are market research firms, payroll companies, accountants
• Data stewards establish internal and external data access requirements for data in their functional area
• Asset disposal policy should differentiate between assets being reused within the organization and those to be repurposed outside of the organization
• Data sovereignty refers to legislation that covers information that is subject to the laws of the country in which the information is located or stored
• Government and law enforcement access to information in the United States may have special considerations based on industry
• The best practices in data protection and privacy begin with establishing governance for collection limitation
• This privacy principle, collection limitation, is addressed in every major privacy framework
• Data subjects must be able to have knowledge about or give consent for the data being collected
• The purpose of the data collection, meaning how the data will be used and why the data is needed, should be disclosed.
• Archival storage will enable an organization to follow the guidance through a hierarchical storage approach to records management
• Record retention requirements should also be complemented with de-identification and obfuscation processes
• HSM may also be used to support the archiving process, where more robust storage is available for long-term storage
• Data loss prevention (DLP) systems are aided by using digital markings, as sensitive information can be more easily identified before it leaks out of an organization.
• The proper acquisition, inventorying, monitoring, and security management of assets in organizations around the world is a significant undertaking.
• The choice of standards or frameworks and the individual security controls put in place to protect confidentiality, integrity, and availability of assets will also differ
from one organization to the next
• The process for asset management will include multiple stakeholders within the organization, so roles and responsibilities must be clearly documented, and people
should be trained adequately
• Link encryption offers a couple of advantages:
• Less human error because the process of encryption is automatic.
• Traffic analysis tools are circumvented, and attackers are thwarted because a continuous communications link with an unvarying level of traffic maintains the
encryption protections.
• The following are some leading security protocols used to protect data in transit:
• Web access: HTTPS
• File transfer: FTPS, SFTP, SCP, WebDAV over HTTPS
• Remote shell: SSH2 terminal
• Remote desktop: radmin, RDP
• Wireless connection: WPA2
