upto 50% Off Upgrade your Skills with our Special Offers! JOIN NOW X

Domain 2: Asset Security

‘Asset’ as specified by Google is “a useful or valuable thing or person”. In context to this, an asset in an organization can be information, equipment or facilities that have great value. Protecting assets is an important component of security programs and the second domain of the CISSP exam throws light on this. ‘Asset Security’ deals with the following sections:

  1. Identify and classify information and assets

Financial details, password files, credit card information, a company’s financial information, upcoming projects are all examples of different kinds of information. While some information is public and can be viewed by all, some of this information needs to be classified so that only individuals with appropriate clearance can view it.

Classification of information enables organizations to achieve the core Information security goals of confidentiality, integrity, and availability.  Before classifying the data, the security professional needs to determine:

  1. who has access to the data
  2. how the data is secured
  3. how long the data will be retained
  4. what method needs to be used to dispose of the data
  5. does the data need to be encrypted
  6. what is the appropriate use of the data

Classification of data varies between government/military sectors and the commercial sector. One example of commercial sector classification is listed below:

  1. Private(Private data is information such as ‘social security numbers’, bank account numbers)
  2. The company restricted(Information that can be viewed only by a small group of employees)
  3. Company confidential(Information that can be viewed by all employees but not for public use)
  4. Public(Information that can be viewed by all)

The military classification of data is listed below:

  1. Top Secret
  2. Secret
  3. Confidential
  4. Sensitive but Unclassified or SBU
  5. Unclassified (Reference: https://resources.infosecinstitute.com/cissp-domain-2-asset-security/)
  1. Protect privacy

In the social media age, “data privacy” is a topic of great debate since information is strewn all over and using them, retaining them and eventually destroying them are critical issues.

“Data privacy” has its history dating back to the 1300s and has been constantly evolving since then in two major worlds namely the US and the European Union. In 2012, the European Union’s data protection directive was reformed by strengthening the data protection rules. These are a few salient points under the new rules:

  1. Collection of personal data should be kept to a bare minimum
  2. The EU’s Single market dimension should be strengthened by removing administrative hurdles
  3. Personal data retained by law enforcement should also be protected
  4. When data is transferred outside the EU, the procedures must be streamlined completely

In tune with the last point, the EU has made it clear that the data that travels outside the EU must be protected. The United States takes on data privacy is slightly different from the EU. While both of them value “data privacy” to the core and since their approaches are different, they have formed the “Safe Harbor” framework. The “Safe Harbor” program is developed by the US Department of Commerce in consultation with Federal Data Protection and Information Commissioner of Switzerland.

One of the features of the “Safe Harbor” program ensures that only organizations in the US that are in the “Safe Harbor” list can receive data from the EU. Other rules and regulations ensure maximum privacy for personal data.

  1. Ensure appropriate asset retention

The data retention policy is the way in which data is stored, retained and later destroyed. In order to ensure appropriate data retention, it is generally recommended that all the stakeholders in an organization be completely involved in the asset retention policies. In addition to this, the following eight steps regulate the retention of data and assets:

  1. Understand the business needs of the organization
  2. classify data
  3. determine retention periods
  4. draft record retention policies
  5. Justify the record retention policy
  6. Train staff
  7. Retention policies should be audited
  8. Reviewing the policies regularly
  9. Record retention policy must be documented

Every organization needs to classify its data so that one can determine its retention period. While those in the ‘junk mail’ category can be deleted immediately, there are others that might need a longer retention period.

Each organization should draft their record retention periods by working with security professionals. The staff should also be trained to handle the different records as well. Once this is done, the retention policies should be audited and the policies must be reviewed regularly.

  1. Determine data security controls

This section deals with recommendations that should be followed when the following conditions are present:

“data in rest” and “data in transit”.

“Data in rest” is when data is stored on different mediums such as backup tapes, offsite storage and password files. These mediums contain highly sensitive information and it is imperative that they are protected and not altered in any way. This can be accomplished by using compliant encryption tools and algorithms, using a secure password management tool and storing the removable media in a secured and locked location.

“Data in motion” is the data that is in transit. This data has to be secured as well since the “data in motion” can be snooped and sniffed. This is accomplished by encrypting the data which is transmitted. “Data in motion” can be encrypted via link encryption and/or end-to-end encryption.

  1. Establish information and asset handling requirements

Physical and information assets have to be labeled clearly so that they can be handled easily. Assets can also be marked as ‘Top Secret’, ‘Secret’ or ‘public’ and subjects will have corresponding clearances to view them.

Organizations should have procedures related to

  1. marking(as an example, media containing a label stating whether it is encrypted or not)
  2. handling(who can access the asset)
  3. storing(where is the sensitive data stored)
  4. destroying of sensitive information(and how are we going to destroy it, once its purpose is over)

This enables physical and information assets to be handled properly.

We saw CISSP’s second domain, ‘Asset Security’ in this post. We will see the third domain ‘Security Architecture and Engineering’ in the next post.

AUTHOR
Jayanthi Manikandan ( )
Cyber Security Analyst
Jayanthi Manikandan has a Master’s degree in Information systems with a specialization in Information Assurance from Walsh college, Detroit, MI. She is passionate about Information security and has been writing about it for the past 6 years. She is currently ‘Security researcher at InfoSec train.
TOP