Domain 2 - Asset Security Flashcards

Flashcards in Domain 2 - Asset Security Deck (23):
1

Assigning labels to data within an organization. It also identifies the value of data and is critical to protecting confidentiality and integrity. This ultimately drives what controls we put in place.

Data Classification

2

Government Data Classification Levels

Top Secret, Secret, Confidential, Unclassified

3

Commercial Data Classification Levels

Confidential, Private, Sensitive and Public

4

Responsible for defining data classifications and ensuring systems and data are properly marked.

Data Owner

5

Person who owns the system that processes sensitive data. Typically the same person as the data owner.

System Owner

6

Person who assigns permissions based on the principle of least privilege and the need to know.

Data Administrator

7

They help protect the integrity and security of data by ensuring it is properly stored and protected.

Data Custodian

8

Any person who accesses data via a computing system to accomplish work tasks.

Users

9

Any information that can identify an individual.

Personally Identifiable Information (PII)

10

Any health-related information that can be related to a specific person.

Protected Health Information (PHI)

11

Data that remains on a hard drive as residual magnetic flux.

Data remanence

12

Simply performing a delete operation against a file, a selection of files, or the entire media.

Erasing

13

A process of preparing media for reuse and assuring that the cleared data cannot be recovered using traditional recovery tools.

Clearing, or overwriting

14

An intense form of clearing that prepares media for reuse in less secure environments.

Purging

15

Involves any process that purges media or a system in preparation for reuse in an unclassified environment.

Declassification

16

A combination of processes that removes data from a system or from media.

Sanitization

17

Process to create a strong magnetic field that erases data on some media.

Degaussing

18

The final stage in the life cycle of media and is the most secure method of sanitizing media.

Destruction

19

A process that includes marking, handling, storing, and destroying sensitive information.

Managing sensitive information

20

They provide a listing of controls that an organization can apply as a baseline for security.

Security Control Baselines

21

Run by the US Department of Commerce. The goal is to prevent unauthorized disclosure of information handled by data processors and transmitted between data processors and the data controller.

Safe Harbor principles

22

Safe Harbor principles

• Notice: An organization must inform individuals about the purposes for which it collects and uses information about them.
• Choice: An organization must offer individuals the opportunity to opt out.
• Onward transfer: Organizations can only transfer data to other organizations that comply with the Notice and Choice principles.
• Security: Organizations must take reasonable precautions to protect data.
• Data integrity: Organizations may not use information for purposes other than what they stated in the Notice principle and users selected in the Choice principle. Additionally, organizations should take steps to ensure the data is reliable.
• Access: Individuals must have access to personal information an organization holds about them. Individuals also have the ability to correct, amend, or delete information when it is inaccurate.
• Enforcement: Organizations must implement mechanisms to assure compliance with the principles.

23

A process of identifying and documenting hardware components, software and the associated settings. The goal is to move beyond the original design to a hardened, operationally sound system.

Configuration Management. Config management also includes Change management and Patch management.