‘Asset’, as defined by Google, is “a useful or valuable thing or person”. In this context, an asset in an organization can be information, equipment or facilities of great value. Protecting assets is an important component of any security program, and the second domain of the CISSP exam covers this. ‘Asset Security’ deals with the following sections:
Financial details, password files, credit card information, a company’s financial information, upcoming projects are all examples of different kinds of information. While some information is public and can be viewed by all, some of this information needs to be classified so that only individuals with appropriate clearance can view it.
Classification of information enables organizations to achieve the core information security goals of confidentiality, integrity, and availability. Before classifying the data, the security professional needs to determine:
Classification of data varies between government/military sectors and the commercial sector. One example of commercial sector classification is listed below:
The military classification of data is listed below:
In the social media age, “data privacy” is a topic of great debate, since information is strewn all over, and using it, retaining it and eventually destroying it are critical issues.
“Data privacy” has a history dating back to the 1300s and has been constantly evolving since then in two major jurisdictions, namely the US and the European Union. In 2012, the European Union’s data protection directive was reformed by strengthening the data protection rules. These are a few salient points under the new rules:
In line with the last point, the EU has made it clear that data that travels outside the EU must be protected. The United States’ take on data privacy is slightly different from the EU’s. While both value “data privacy” to the core, their approaches differ, so they formed the “Safe Harbor” framework. The “Safe Harbor” program was developed by the US Department of Commerce in consultation with the Federal Data Protection and Information Commissioner of Switzerland.
One of the features of the “Safe Harbor” program ensures that only organizations in the US that are in the “Safe Harbor” list can receive data from the EU. Other rules and regulations ensure maximum privacy for personal data.
The data retention policy is the way in which data is stored, retained and later destroyed. In order to ensure appropriate data retention, it is generally recommended that all the stakeholders in an organization be completely involved in the asset retention policies. In addition to this, the following eight steps regulate the retention of data and assets:
Every organization needs to classify its data so that it can determine the retention period for each class. While records in the ‘junk mail’ category can be deleted immediately, others may need a longer retention period.
Each organization should draft its record retention periods by working with security professionals. The staff should also be trained to handle the different kinds of records. Once this is done, the retention policies should be audited and reviewed regularly.
This section deals with recommendations that should be followed for data in either of two states: “data at rest” and “data in transit”.
“Data at rest” is data stored on media such as backup tapes, offsite storage and password files. Such media often contain highly sensitive information, so it is imperative that they are protected and not altered in any way. This can be accomplished by using compliant encryption tools and algorithms, using a secure password management tool, and storing removable media in a secured and locked location.
“Data in motion” is data in transit. It has to be secured as well, since “data in motion” can be snooped and sniffed. This is accomplished by encrypting the data as it is transmitted. “Data in motion” can be encrypted via link encryption and/or end-to-end encryption.
Physical and information assets have to be labeled clearly so that they can be handled correctly. Assets can be marked as ‘Top Secret’, ‘Secret’ or ‘Public’, and subjects will hold corresponding clearances to view them.
Organizations should have procedures related to
This enables physical and information assets to be handled properly.
We saw CISSP’s second domain, ‘Asset Security’ in this post. We will see the third domain ‘Security Architecture and Engineering’ in the next post.