Flashcards in Domain 2 - Asset Security Deck (23):
Assigning labels to data within an organization. It also identifies the value of data and is critical to protect confidentiality and integrity. This ultimately drives what controls we put in place.
Government Data Classification Levels
Top Secret, Secret, Confidential, Unclassified
Commercial Data Classification Levels
Confidential, Private, Sensitive and Public
Responsible for defining data classifications and ensuring systems and data are properly marked.
Person who owns the system that processes sensitive data. Typically the same person as data owner
Person who assigns permissions based on the principle of least privilege and the need to know.
They help protect the integrity and security of data by ensuring it is properly stored and protected.
Any person who accesses data via a computing system to accomplish work tasks.
Any information that can identify an individual.
Personally Identifiable Information (PII)
Any health related info that can be related to a specific person.
Protected Health Information (PHI)
Data that remains on a hard drive as residual magnetic flux.
Simply performing a delete operation against a file, a selection of files, or the entire media.
A process of preparing media for reuse and assuring that the cleared data cannot be recovered using traditional recovery tools.
Clearing, or overwriting
An intense form of clearing that prepares media for reuse in less secure environments.
Involves any process that purges media or a system in preparation for reuse in an unclassified environment.
A combination of processes that removes data from a system or from media.
Process to create a strong magnetic field that erases data on some media.
The final stage in the life cycle of media and is the most secure method of sanitizing media.
Process includes marking, handling, storing and destroying sensitive information.
Managing sensitive information
They provide a listing of controls that an organization can apply as a baseline for security.
Security Control Baselines
Run by US Dept of Commerce. The goal is to prevent unauthorized disclosure of information, handled by data processors, and transmitted between data processors and the data controller.
Safe Harbor principles
Safe Harbor principles
• Notice: An organization must inform individuals about the purposes for which it collects and uses information about them.
• Choice: An organization must offer individuals the opportunity to opt out.
• Onward transfer: Organizations can only transfer data to other than organizations that comply with the Notice and Choice principles.
• Security: Organizations must take reasonable precautions to protect data.
• Data integrity: Organizations may not use information for purposes other than what they stated in the Notice principle and users selected in the Choice principle. Additionally, organizations should take steps to ensure the data is reliable.
• Access: Individuals must have access to personal information an organization holds about them. Individuals also have the ability to correct, amend, or delete information, when it is inaccurate.
• Enforcement: Organizations must implement mechanisms to assure compliance with the principles.