Chapter 4

Asset Security

IN THIS CHAPTER

· Identifying and classifying information and assets

· Establishing information and asset handling requirements

· Provisioning resources securely

· Managing the data life cycle

· Ensuring appropriate asset retention

· Determining data security controls and compliance requirements

The Asset Security domain addresses the collection, classification, handling, and protection of information assets throughout the information life cycle, as well as the management of physical and virtual assets such as servers, endpoints, and network devices. Essential concepts within this domain include data ownership, privacy, data security controls, and support. This domain represents 10 percent of the CISSP certification exam.

Identify and Classify Information and Assets

Information and information systems are valuable business assets that require protection from cybersecurity threats. The appropriate level of protection is determined by the value of the information and any applicable regulations with which the organization must comply.

Cross-reference: This section covers Objective 2.1 of the Asset Security domain in the CISSP Exam Outline (May 1, 2021).

Asset management is generally an IT function used to track many sorts of assets, including

· Servers: From both operational and security perspectives, organizations must know the state and location of every physical server in their digital estate (including on-premises data centers, server closets, and colocation facilities) so they can be actively monitored, properly updated, and securely operated.

· Virtual machines and containers: Unlike physical servers, virtual machines and containers are harder to manage as assets because they’re abstract, dynamic (hundreds or thousands of virtual machines and containers can be provisioned and deprovisioned on demand, particularly in a highly orchestrated microservices architecture), and ephemeral (containers are often provisioned for a specific purpose and may be very short-lived, from a few minutes to milliseconds — just long enough to execute a service or process).

· User endpoints: Most breaches today begin on a compromised end-user desktop or laptop. Keeping track of all your end-user desktops and laptops is critical to help ensure that they’re properly maintained and that appropriate security controls — such as security updates, extended detection and response (XDR), virtual private network (VPN) software, and digital certificates — are properly installed and configured.

· Mobile devices: The proliferation of mobile devices — including smartphones, tablets, and wearables — has created a massive attack surface that organizations must address. Maintaining an accurate inventory of mobile devices can be particularly challenging due to the number and numerous types of devices, the prevalence of “bring your own device” (BYOD) policies, and the lack of mobile device management (MDM) software in many organizations. MDM software enables organizations to keep track of their mobile devices and enforce policies, such as requiring a passcode or biometric lock. Other key MDM software capabilities include preventing rooted or jailbroken devices from connecting to the network, containerizing (or isolating) company applications and data, and remote wiping to delete company applications and data securely if a device is lost or stolen or when an employee or contractor leaves the company.

· Internet of Things (IoT) devices: Devices such as surveillance cameras, smart assistants, door actuators, temperature sensors, building management systems, and security systems that don’t necessarily have a human-machine interface (HMI) often run on internal data networks. Many of these devices may be easily overlooked in an organization’s vulnerability management program. These devices may also be installed or deployed with default passwords or settings by staff members who aren’t focused on security, such as maintenance personnel or field technicians. As a result, attackers can often break into an organization through one of these devices. For instance, IP cameras and home routers were targeted and compromised by the Mirai botnet in 2016 and used to launch a significant DDoS attack on Dyn.

· Network devices: Switches, routers, firewalls, and other network devices have their own security configurations and operating systems that must be kept up to date. These devices are increasingly being deployed in public and private clouds as virtual appliances that must also be accounted for and managed properly.

· Network information: Network information is another asset that organizations must manage. Examples include Internet Protocol address space, autonomous system numbers (ASNs), domain names, telecommunications circuits, and direct inward dialing (DID) numbers.

· Operating systems: Keeping track of the various operating systems in use throughout your organization — including servers, desktops, laptops, mobile devices, hypervisors, network devices and tools, security appliances and tools, industrial control systems (ICS), and medical devices — is critical to ensure that all systems are kept current with security updates and compliant with licensing requirements and to help identify systems that may be affected by a new zero-day vulnerability.

· Software applications: Maintaining an accurate inventory of all your software applications is critical to ensure that all of them are kept current with security updates and compliant with licensing requirements and to help identify systems that may be affected by a new zero-day vulnerability.

· Information: Although ransomware and cryptomining attacks have been getting lots of media attention over the past few years, information theft remains the primary motivation for attackers, and data is still a valuable asset. Knowing what information you have — such as financial data, personally identifiable information, protected health information, and intellectual property — as well as its classification level (discussed later in the “Data classification” section of this chapter), everywhere that it’s accessed and stored (including user endpoints, mobile devices, servers, databases, cloud storage, and backups), is critical to ensure that you can protect your data appropriately and completely. Many regulations specify safe-harbor provisions in the event of a data breach if an organization can prove that any exfiltrated data was encrypted properly.

Additionally, data privacy regulations such as the European Union’s General Data Protection Regulation (GDPR; discussed in Chapter 3) codify a person’s right to be forgotten. This right requires an organization to delete all of a person’s private data except under limited circumstances, if formally requested to do so by that person. Having a complete inventory of your information assets helps ensure that you can comply with such requests in a timely and accurate manner.

· Personnel: Although maintaining an inventory of your organization’s personnel isn’t necessarily a security responsibility, this information does provide important input for several security functions. Your incident response, business continuity, and disaster recovery plans (discussed in Chapter 9), for example, all define specific roles and responsibilities for personnel within your organization. Identity and access management (discussed in Chapter 7) requires user accounts to be bound to authorized personnel. Information security awareness and training (discussed in Chapter 3) requires personnel rosters to ensure full participation. Finally, personnel safety and security (discussed in Chapter 9) requires accurate knowledge of who is in a building, for example, in the event of a fire that requires evacuation. Sources for personnel lists might include your human resources department, company directories, organizational charts, and department rosters.

· User accounts: As discussed in the personnel item, user accounts must be associated with authorized personnel to ensure effective identity and access management (see Chapter 7). Knowing which personnel have left an organization or no longer require access to systems and networks is critical so that accounts can be properly disabled, deprovisioned, and deleted.

· Facilities: Security personnel should have a complete list of all facilities, work centers, business locations, and so on to facilitate activities such as ensuring that all facilities are adequately monitored and protected. Chapter 5 includes a deep dive into facility security, and Chapter 9 discusses physical security.

· Service providers: Every service provider that manages or processes information of any kind must be included in your service inventory and evaluated periodically. Third-party risk management (TPRM), also known as supply-chain risk management (SCRM), is covered in Chapter 3.

Discrepancies in the tracking of any of these categories of assets can weaken your cybersecurity posture. If the complete inventory of servers or endpoint computers is unknown, for example, some systems may not be configured properly or patched with the latest security patches. Cybercriminal organizations that are intent on breaking into such an environment can identify these weak points quickly and successfully attack the organization.

Remember: It takes only one unpatched system or device, or one user account, to give an attacker an easy way into the environment.

Data classification

A data classification scheme helps an organization assign a value to its information assets based on its sensitivity to loss or disclosure and its criticality to the organization’s mission or purpose. The scheme also helps the organization determine the appropriate level of protection. Additionally, data classification schemes may be required for regulatory or other legal compliance. System and site classification schemes determine the level and type of protection for information systems and the facilities where they reside and personnel work.

Applying a single protection standard uniformly across all an organization’s assets is neither practical nor desirable. In such a case, noncritical assets are overprotected, or critical assets are underprotected. In the words of former U.S. national security adviser McGeorge “Mac” Bundy, “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.”

An organization’s employees also need to understand the classification schema being used, proper classification of information assets, handling and safeguarding requirements, and proper destruction or disposal procedures.

Commercial data classification

Commercial data classification schemes are typically implemented to protect information with monetary or intrinsic value, comply with applicable laws, protect privacy, and limit liability. Criteria by which commercial data is classified include

· Value: The most common classification criterion in commercial organizations, based on monetary or some other value.

· Age/useful life: Information that loses value over time, becomes obsolete or irrelevant, or becomes common/public knowledge.

· Regulatory requirements: Sensitive or personal information, such as medical records subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) or consumer data subject to the EU’s General Data Protection Regulation (GDPR), may have legal requirements for protection. Classification of such information may be based not only on compliance, but also on liability limits. Read Chapter 3 to learn more about data protection and privacy regulations.

Descriptive labels (such as “Confidential and Proprietary” and “Internal Use Only”) are often applied to company information. The organizational requirements for protecting information labeled as such, however, aren’t always formally defined. Organizations should formally identify standard classification levels and specific requirements for labeling, handling, storage, and destruction/disposal. Figure 4-1 shows an example of a label on a hard-copy document.

FIGURE 4-1: Example document marking. (Photo courtesy of authors)

Government data classification

Government data classification schemes are generally implemented to

· Protect national interests or security

· Comply with applicable laws

· Protect privacy

Within each classification level, certain safeguards are required to access, use, handle, reproduce, transport, and destroy classified information. In addition to having an appropriate clearance level at or above the level of information being processed, people must have a need to know before they can access the information. Need to know is defined as requiring the information to perform an assigned job function.

Remember: A common system used within the U.S. Department of Defense consists of five broad categories for information classification:

· Unclassified: The lowest government data classification level is Unclassified. Unclassified information isn’t sensitive, and unauthorized disclosure won’t cause any harm to national security. Unclassified information may include information that was once classified at a higher level but has since been declassified by an appropriate authority. Unclassified information isn’t automatically releasable to the public and may include additional modifiers such as For Official Use Only or For Internal Use Only.

· Sensitive but Unclassified (SBU): Sensitive but Unclassified information is a common modifier of unclassified information. It generally includes information of a private or personal nature. Examples include test questions, disciplinary proceedings, and medical records.

· Confidential: Confidential information is information that, if compromised, could damage national security. Confidential information is the lowest level of classified government information.

· Secret: Secret information is information that, if compromised, could seriously damage national security. Secret information must normally be accounted for throughout its life cycle, all the way to its destruction.

· Top Secret: Top Secret information is information that, if compromised, could gravely damage national security. This information may require additional safeguards, such as special designations and handling restrictions.

Remember: A person must have both the appropriate clearance level and need to know to gain access to classified information.
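As an added illustration (not code from the book), the following Python models the two conditions just stated as one access decision: the person's clearance must be at or above the document's level, and the person must have a need to know. The level ordering follows the DoD categories listed above; the "job function" tags used to represent need to know, and every person and document in the sample data, are constructed for the example.

```python
"""Access decision for classified information: clearance level AND need to know.

Added illustration, not code from the book. The four level names follow the DoD
scheme described in the text (SBU is treated as a modifier of Unclassified, as
the text says). The job-function tags used to model need to know, and all the
people and documents below, are constructed for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Ordered from least to most sensitive; list index = rank.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Person:
    name: str
    clearance: str                  # one of LEVELS
    job_functions: FrozenSet[str]   # assigned duties that establish need to know


@dataclass(frozen=True)
class Document:
    title: str
    level: str                      # one of LEVELS
    needed_by: FrozenSet[str]       # job functions for which this document is required


def access_decision(person: Person, doc: Document) -> Tuple[bool, str]:
    """Return (allowed, reason). Both conditions named in the text must hold:
    clearance at or above the document's level, and need to know."""
    for label in (person.clearance, doc.level):
        if label not in RANK:
            raise ValueError(f"unknown classification level: {label!r}")
    if RANK[person.clearance] < RANK[doc.level]:
        return False, "clearance below classification"
    # Need to know: the person holds at least one job function that requires the document.
    # Applied at every level here, a conservative choice for this example (assumption).
    if not (person.job_functions & doc.needed_by):
        return False, "no need to know"
    return True, "clearance and need to know satisfied"


def audit_log(people, docs):
    """Evaluate every (person, document) pair; one record per pair, suitable for review."""
    return [
        {"person": p.name, "document": d.title, "allowed": ok, "reason": why}
        for p in people
        for d in docs
        for ok, why in [access_decision(p, d)]
    ]


# Constructed sample data.
PEOPLE = [
    Person("analyst", "Secret", frozenset({"payroll"})),
    Person("director", "Top Secret", frozenset({"logistics"})),
    Person("clerk", "Confidential", frozenset({"payroll"})),
]
DOCS = [
    Document("payroll-summary", "Secret", frozenset({"payroll", "audit"})),
    Document("site-plan", "Confidential", frozenset({"logistics"})),
]

if __name__ == "__main__":
    for rec in audit_log(PEOPLE, DOCS):
        print(rec)
```

The point the code makes explicit is that the two checks are independent: the director with a Top Secret clearance is still refused the Secret payroll summary because no assigned job function requires it, while the clerk with the right job function is refused for lacking clearance.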

Data handling

The classification levels described in the preceding sections mean little on their own: labeling a file or database is of limited value unless people know what each level requires of them. For this reason, data classification policies should also describe how data is to be handled and protected at each level of classification. Data classification handling guidelines typically include numerous use cases, such as

· Storing on a server

· Storing on a desktop or laptop

· Storing on a mobile device

· Sending via email

· Sending via instant message

· Storing in a cloud service

· Copying to a USB external storage device

· Printing

· Storing hard copy

· Sending via fax

· Shipping hard copy or electronic copy via courier

Generally, the higher the classification level, the more restrictions are placed on any of these activities. And when the data is in electronic form, encryption is often required to further protect the most sensitive information.

Table 4-1 shows a typical data handling policy. This example is depicted in abbreviated form for illustration purposes. An actual handling policy would include more detail regarding permitted and forbidden actions.

TABLE 4-1 Typical Data Handling Guidelines

Action                      | Public    | Confidential             | Restricted             | Secret
Server storage              | Permitted | Permitted                | Encryption required    | Encryption required
Endpoint storage            | Permitted | Encryption required      | Encryption required    | Not permitted
Mobile device storage       | Permitted | Encryption required      | Encryption required    | Not permitted
Sending via email           | Permitted | Permitted                | Encryption required    | Not permitted
Sending via instant message | Permitted | Encryption required      | Encryption required    | Not permitted
Sending via fax             | Permitted | Attended fax only        | Attended fax only      | Not permitted
Shipping via courier        | Permitted | Permitted                | Double-sealed          | Double-sealed
Cloud storage               | Permitted | Permitted                | Permitted              | Permitted by exception only
USB external storage        | Permitted | Encryption required      | Not permitted          | Not permitted
Printing                    | Permitted | Attended printing only   | Attended printing only | Not permitted
Hard-copy storage           | Permitted | Locked drawer or cabinet | Double-locked          | Double-locked
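To show how a handling matrix like Table 4-1 can be enforced and checked rather than only read, here is an added Python example (not from the book). It encodes the table's rows as printed, looks up the rule for an action at a given level, and checks that no row becomes less restrictive as the classification rises, which the text says should never happen. The ranking of outcomes by restrictiveness and the high-water-mark rule for data at mixed levels are assumptions made for this example.

```python
"""A data handling matrix in machine-readable form, with a consistency check.

Added example, not from the book. POLICY encodes the rows of Table 4-1 as
printed; the RESTRICTIVENESS ordering of outcomes and the high-water-mark rule
are assumptions made for this illustration.
"""

CLASSIFICATIONS = ["Public", "Confidential", "Restricted", "Secret"]
RANK = {c: i for i, c in enumerate(CLASSIFICATIONS)}

# How constraining each outcome is, least to most (assumption; the book gives no ordering).
RESTRICTIVENESS = {
    "Permitted": 0,
    "Permitted by exception only": 1,
    "Encryption required": 1,
    "Attended fax only": 1,
    "Attended printing only": 1,
    "Locked drawer or cabinet": 1,
    "Double-sealed": 1,
    "Double-locked": 2,
    "Not permitted": 3,
}

# action -> outcome per classification, in CLASSIFICATIONS order (rows of Table 4-1).
POLICY = {
    "Server storage":              ["Permitted", "Permitted", "Encryption required", "Encryption required"],
    "Endpoint storage":            ["Permitted", "Encryption required", "Encryption required", "Not permitted"],
    "Mobile device storage":       ["Permitted", "Encryption required", "Encryption required", "Not permitted"],
    "Sending via email":           ["Permitted", "Permitted", "Encryption required", "Not permitted"],
    "Sending via instant message": ["Permitted", "Encryption required", "Encryption required", "Not permitted"],
    "Sending via fax":             ["Permitted", "Attended fax only", "Attended fax only", "Not permitted"],
    "Shipping via courier":        ["Permitted", "Permitted", "Double-sealed", "Double-sealed"],
    "Cloud storage":               ["Permitted", "Permitted", "Permitted", "Permitted by exception only"],
    "USB external storage":        ["Permitted", "Encryption required", "Not permitted", "Not permitted"],
    "Printing":                    ["Permitted", "Attended printing only", "Attended printing only", "Not permitted"],
    "Hard-copy storage":           ["Permitted", "Locked drawer or cabinet", "Double-locked", "Double-locked"],
}


def required_control(policy, action, classification):
    """Look up the handling rule for one action at one classification level."""
    if classification not in RANK:
        raise ValueError(f"unknown classification: {classification!r}")
    if action not in policy:
        raise ValueError(f"no handling rule defined for action: {action!r}")
    return policy[action][RANK[classification]]


def control_for_mixed_data(policy, action, classifications):
    """When one action touches data at several levels, the highest level governs
    (high-water-mark rule; an assumption of this example, not stated in the book)."""
    highest = max(classifications, key=lambda c: RANK[c])
    return required_control(policy, action, highest)


def find_inconsistencies(policy):
    """Return (action, lower_level, higher_level) triples where a higher
    classification is handled LESS restrictively than the level below it.
    The text says restrictions grow with classification, so these are policy defects."""
    problems = []
    for action, outcomes in policy.items():
        if len(outcomes) != len(CLASSIFICATIONS):
            raise ValueError(f"row {action!r} has {len(outcomes)} cells, expected {len(CLASSIFICATIONS)}")
        for i in range(1, len(outcomes)):
            if RESTRICTIVENESS[outcomes[i]] < RESTRICTIVENESS[outcomes[i - 1]]:
                problems.append((action, CLASSIFICATIONS[i - 1], CLASSIFICATIONS[i]))
    return problems


if __name__ == "__main__":
    print(required_control(POLICY, "Sending via email", "Restricted"))
    print("inconsistencies in Table 4-1:", find_inconsistencies(POLICY))
```

Running the check over the table as printed reports no inconsistencies; adding a row whose Secret cell is more permissive than its Restricted cell is flagged immediately, which is the kind of review that catches copy-and-paste errors before a policy is published.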

Asset classification

Data classification is related to the identification of the sensitivity or criticality of data and proper procedures for handling that data. Asset classification, however, also applies to the information systems that store, process, and transmit this information. Better organizations go beyond data classification by implementing system classification. The two approaches are distinctly related: Systems that store or process data at higher classification levels should be protected better than systems that don’t store or process data at higher classification levels.

This practice has been around for quite a long time. Under the Payment Card Industry Data Security Standard (PCI DSS), for example, systems that are in scope are required to have additional safeguards that an organization may not implement on its other systems. Organizations often place these systems in separate networks that have stricter network-level access controls.

Organizations can go still further with data and asset classification by implementing a facilities classification scheme that stipulates mandatory protection for various facilities, based on location, activities, and the presence of classified assets and data. Table 4-2 illustrates an example facilities classification policy.

TABLE 4-2 Example Facilities Classification Policy

Control                     | Sales Office  | Processing or Development Center       | Data Center
Fencing                     | Not required  | Not required                          | 6-foot chain-link fence
Video surveillance          | Not required  | Reception, ingress, and egress points | Reception, ingress, and egress points; all internal corridors
Video recording             | Not required  | Motion sensor, 30-day retention       | Full recording, 90-day retention
Key card control            | Main entrance | All entrances                         | All entrances and zones
Security guard              | Not required  | Reception 5x10                        | Reception and patrol 7x24
Visitor control             | Visitor log   | Visitor log and proof of ID           | Visitor log, relinquish ID, appointment only
Company signage             | Permitted     | Permitted                             | Not permitted
Parking                     | Open          | Permit required                       | Permit required, key card access
Risk and hazards assessment | Not required  | Initial                               | Annual

Establish Information and Asset Handling Requirements

Establishing information and system asset processes and reliable inventories is a means to an end. That end is determining how those assets are to be handled and used. Handling requirements fall into two broad categories:

· Information assets: Structured and unstructured information needs to be classified according to the organization’s data classification rules (discussed in the preceding section). These rules also include data retention and policies that determine what users are permitted to do with information and who has access to it in the first place.

· Information systems: This broad category includes servers, endpoints, network devices, and mobile devices. From a security perspective, the imperatives here include system and device hardening (discussed in Chapter 5), patch management (also discussed in Chapter 5), and other operational processes and procedures.

Cross-reference: This section covers Objective 2.2 of the Asset Security domain in the CISSP Exam Outline (May 1, 2021).

Sensitive information such as financial records, employee data, and information about customers must be clearly marked, properly handled and stored, and appropriately destroyed per established organizational policies, standards, and procedures:

· Marking: How an organization identifies sensitive information, whether electronic or hard copy. A marking might read Confidential, for example (as discussed earlier in this chapter). The method for marking will vary, depending on the type of data we’re talking about. Electronic documents might have a marking in the margin at the footer of every page. When an application displays sensitive data, the application itself may inform the user of the classification of the data being displayed.

· Handling: The organization should have established procedures for handling sensitive information. These procedures detail how employees can transport, transmit, and use such information, as well as any applicable restrictions.

· Storage and backup: As with handling, the organization must have procedures and requirements specifying how sensitive information must be stored and backed up and how backup media must be protected.

· Destruction: Sooner or later, an organization must destroy a document that contains sensitive information. The organization must have a data retention schedule and procedures detailing how to destroy sensitive information that has been previously retained, regardless of whether the data is in hard-copy form or saved as an electronic file.

Similarly, information systems and network devices must be designed, implemented, and operated securely according to their classifications. Activities include

· Architecture and design: Overall and detailed architecture and design standards ensure that all information systems will be implemented and operated securely and that the overall environment will be resistant to attack.

· Patch and configuration management: This category includes policies and procedures regarding the initial configuration of systems and schedules/procedures for applying security patches.

· Hardening: This category refers to the architecture, design, and configuration of a system or device that makes it more resistant to attack and abuse.

· Security event monitoring: Many systems and devices are configured to transmit security-related events to a centralized security information and event management (SIEM) system so that security operations personnel are aware of events that could be signs of an attack.

· Resilience: Related to business continuity and disaster recovery planning requirements, resilience is a characteristic of a system that determines its ability to continue operating despite various destructive events.

DETERMINING APPROPRIATE HANDLING REQUIREMENTS

You may be wondering, “How do I determine what constitutes appropriate handling requirements for each classification level?” You have two main ways to figure out the answer:

· Applicable laws, regulations, and standards: Often, regulations and standards such as the EU’s GDPR, the U.S. Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), the Gramm-Leach-Bliley Act (GLBA), and PCI DSS contain specific requirements for handling sensitive information.

· Risk assessment: As described in Chapter 3, a risk assessment identifies relevant threats and vulnerabilities and establishes controls to mitigate risks. Some of these controls may take the form of data handling policies and requirements that would become a part of an organization’s asset classification program.

Provision Resources Securely

The secure provisioning of resources involves intentionality. Business rules and policies stipulate how information systems and information assets are to be acquired, protected, used, and discarded when no longer needed. From an information security perspective, these policies and rules are intended to ensure the confidentiality, integrity, and availability of these assets, protecting them from accidental or intentional disclosure, harm, and destruction.

Cross-reference: This section covers Objective 2.3 of the Asset Security domain in the CISSP Exam Outline (May 1, 2021).

Better organizations have formal architecture and design standards to ensure consistency in their systems and operations. Further, formal operations procedures reduce errors and configurations that could make systems easier to attack and compromise.

Information and asset ownership

Within an organization, owners and custodians of systems, data, and the business or mission (specifically, a line of business or mission aspect) are implicitly or explicitly assigned.

Tip: Organizations should explicitly define owners and custodians of sensitive assets to avoid confusion or ambiguity regarding roles, responsibilities, and accountability.

An owner is typically assigned at an executive or senior management level within an organization, such as a department head, director, or vice president. An owner doesn’t legally own the asset assigned to them; the owner is ultimately responsible for safeguarding designated assets and may have fiduciary responsibility or be held personally liable for negligence in protecting these assets under the concept of due care. For more on due care, read Chapter 3.

Typical responsibilities of an owner may include

· Determining classification levels for assigned assets

· Determining policy for access to the asset

· Maintaining inventories and accounting for assigned assets

· Periodically reviewing classification levels of assigned assets for possible downgrading, destruction, or disposal

· Delegating day-to-day responsibility (but not accountability) and functions to a custodian

A custodian is a person who has day-to-day responsibility for protecting and managing assigned assets. IT systems administrators or network administrators often fill this role. Typical responsibilities may include

· Performing regular backups and restoring systems and/or data, when necessary

· Ensuring that appropriate permissions are properly implemented on systems, directories, and files, and that they provide sufficient protection for the asset

· Ensuring that IT systems are adequately protected with system hardening and other safeguards

· Assigning new users to appropriate permission groups and revoking user privileges when required

· Maintaining classified documents or other materials in a vault or secure file room

Remember: The distinction between owners and custodians, particularly regarding their responsibilities, is an essential concept in information security management. The data owner has ultimate responsibility for the security of the data, whereas the data custodian is responsible for day-to-day security administration.

Asset inventory

An accurate inventory of system and information assets is key to effective security. An old saying in our business is, “You cannot protect what you do not know about.” Although this saying may sound almost smart-alecky, it’s a fundamental truth in cybersecurity. Only identified and known information assets can be adequately and appropriately protected, including information as well as information systems and even facilities. Having an up-to-date and accurate asset inventory (for information as well as information systems) is a prerequisite for many other security activities and operations, such as patch management and data retention. An inaccurate or incomplete asset inventory will result in blind spots where assets may not be adequately protected and may provide an entry point for attackers.

Generally, many tools in use will contribute to a complete picture of asset inventory, including

· Security scanning tools: Tools that scan networks and identify vulnerabilities also discover hosts, which makes them useful contributors to an asset database

· System management tools: Manage the configuration of systems and devices; these tools have databases representing all of the systems they manage

· Data discovery tools: Scan systems’ stored data to contribute to the overall information asset database

None of the various types of tools has what is considered to be a complete master list of assets. Instead, organizations that deploy an asset management system will integrate other tools into the asset management tool and apply business rules for naming, reconciliation, and asset review to ensure that the list is as complete as possible.

Asset inventory isn’t just about knowing the numbers of servers and laptops or walking into a data center to count the power cords. Although some types of inventory are easy to see and understand, others are less so. We can think of assets in two broad categories:

· Tangible: Servers, desktop and laptop computers, mobile devices, IoT devices, network devices, work facilities, data centers, employees, contractors, and service providers

· Intangible: Virtual machines, containers, information, intellectual property, personally identifiable information (PII), user accounts, and domains

Warning: Organizations need to keep their inventories of all types of assets up to date. A breach is a terrible time to figure out what assets exist in a specific place or other context.

Asset management

Simply put, asset management is a life-cycle process that formally manages the information, software, hardware, and other types of assets and maintains an up-to-date inventory. As we stated at the start of this chapter, the accuracy of asset inventories is critical to the effectiveness of cybersecurity safeguards.

Better IT and security organizations establish formal asset management programs with tools and processes to keep track of hardware, software, and information assets. This task is usually easier said than done, however. Generally, an accurate asset inventory results from the merging of data from various tools. An accurate inventory of servers and endpoints, for example, often relies on information feeds from tools used to configure servers and endpoints, security scanning tools, and other tools that manage various aspects of those systems. Often, each of these tools has a slightly different list of assets; analysts need to compare these lists periodically and act on the discrepancies so that coverage is complete and no assets go astray.
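The merging and comparison of tool feeds described under "Asset inventory" and in the preceding paragraph can be automated. The following Python is an added example, not code from the book or from any product: it normalizes hostnames so that the same asset reported under different names reconciles to one record, merges a vulnerability scanner feed, a configuration management database (CMDB) export, and a data discovery report, and lists the discrepancies an analyst would review. The three feeds, their field names, and the naming rule are constructed for the illustration; real tools export different schemas.

```python
"""Reconciling asset lists from several tools into one inventory and reporting gaps.

Added example, not from the book. The three feeds (vulnerability scanner, CMDB
export, data discovery report), their field names, and the naming rule are
constructed for this illustration.
"""
from collections import defaultdict


def normalize_host(name):
    """Business rule for naming (assumption): case-insensitive, domain suffix dropped,
    so 'WEB01.corp.example' and 'web01' reconcile to the same asset."""
    return name.strip().lower().split(".")[0]


def reconcile(scanner, cmdb, discovery):
    """Merge the feeds into one dict keyed by normalized hostname. Each entry records
    which tools saw the asset, every IP reported for it, and any data stores found on it."""
    merged = defaultdict(lambda: {"sources": set(), "ips": set(), "stores": set()})
    for rec in scanner:
        entry = merged[normalize_host(rec["host"])]
        entry["sources"].add("scanner")
        entry["ips"].add(rec["ip"])
    for rec in cmdb:
        entry = merged[normalize_host(rec["name"])]
        entry["sources"].add("cmdb")
        entry["ips"].add(rec["ip"])
    for rec in discovery:
        entry = merged[normalize_host(rec["system"])]
        entry["sources"].add("discovery")
        entry["stores"].update(rec["stores"])
    return dict(merged)


def gaps(merged):
    """The discrepancies an analyst reviews: assets one tool knows about and another
    does not, plus records on which the tools disagree."""
    return {
        # On the network (scanner saw it) but not under management: possible unmanaged host.
        "unmanaged": sorted(k for k, v in merged.items()
                            if "scanner" in v["sources"] and "cmdb" not in v["sources"]),
        # Under management but never scanned: a vulnerability-management blind spot.
        "unscanned": sorted(k for k, v in merged.items()
                            if "cmdb" in v["sources"] and "scanner" not in v["sources"]),
        # Sensitive data found on a system that the CMDB does not track.
        "untracked_data_hosts": sorted(k for k, v in merged.items()
                                       if v["stores"] and "cmdb" not in v["sources"]),
        # Same asset, different IPs across tools: at least one record is stale.
        "ip_conflicts": sorted(k for k, v in merged.items() if len(v["ips"]) > 1),
    }


# Constructed sample feeds.
SCANNER = [
    {"host": "WEB01.corp.example", "ip": "10.1.0.11"},
    {"host": "db02", "ip": "10.1.0.23"},            # IP differs from the CMDB record
    {"host": "unknown-3f2a", "ip": "10.1.0.99"},    # seen on the wire, absent from the CMDB
]
CMDB = [
    {"name": "web01", "ip": "10.1.0.11"},
    {"name": "db02.corp.example", "ip": "10.1.0.22"},
    {"name": "app03", "ip": "10.1.0.33"},            # managed but never scanned
]
DISCOVERY = [
    {"system": "DB02", "stores": ["customer_pii"]},
    {"system": "fileshare07", "stores": ["hr_records"]},   # data found on an untracked host
]

if __name__ == "__main__":
    for gap, hosts in gaps(reconcile(SCANNER, CMDB, DISCOVERY)).items():
        print(f"{gap}: {hosts}")
```

Each gap category maps to a different follow-up: an unmanaged host needs to be identified and either enrolled or removed, an unscanned host needs to be added to scan scope, an untracked host holding sensitive data needs an owner and a classification, and an IP conflict needs the stale record corrected before it misleads an incident responder.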

We often say that effective cybersecurity relies on good IT service management. Asset management is a prime example of this type of management — and perhaps the most important example of all.

Manage Data Life Cycle

Data life-cycle management is a set of processes and procedures used to track all the data in an organization, whether that data is in electronic or paper form. Like asset management, data management doesn’t just happen magically; instead, data management must be established as a formal activity with roles and responsibilities assigned to key personnel.

Cross-reference: This section covers Objective 2.4 of the Asset Security domain in the CISSP Exam Outline (May 1, 2021).

The purpose of data management is to ensure that all the data residing in an organization is known, properly managed, adequately protected, properly used, and discarded when it’s no longer needed — all in compliance with internal policy as well as applicable standards, laws, and regulations.

Data management generally relies on a central store of information about data in the organization, which we might call a data catalog. This catalog could reside in a simple worksheet or be managed in a purpose-built application. Activities to keep the data catalog up to date include interviews with application and system owners and periodic scans of data stores.

Many organizations do little or nothing regarding big-picture data management. This situation is changing, however, with the advent of sweeping privacy laws around the world. The penalties exacted by many of these laws are frighteningly large, prompting organizations to (finally) establish data management processes. These privacy protection laws and regulations exist at continental (such as the European Union), country (or federal), state, and local levels throughout the world, as well as in various industries. Privacy protection laws are among the most stringent laws enacted, and legal requirements vary greatly. These laws also commonly limit the collection, use, and retention of personal data and transborder information flows (or export) of personal data. Privacy laws are discussed in Chapter 3.

Data roles

As with any other sensitive data, organizations must assign data owners and custodians (or processors) who are ultimately responsible for safeguarding personal data and for the secure collection, processing, and use of the data. Anyone within an organization who has access to personal data in any capacity must be thoroughly familiar with established procedures for collecting, handling, and safeguarding such information throughout its entire life cycle. These procedures include retention and destruction of private data and technical issues such as data remanence. Concerning the complete life cycle of data in an organization, the roles for managing data include

· Owner: Usually a business owner, typically a department head, who uses data to support one or more principal business processes.

· Controller: An organization (or a part of an organization) that determines the processing performed on a set of data.

· Custodian: Typically, an IT department that manages data at the technology level, in information systems, applications, database management systems, storage systems, and so on.

· Processor: An organization (or a part of an organization) that processes data as directed by (and on behalf of) a controller.

· User: A human who accesses and perhaps manipulates data, including adding, changing, and removing it.

· Subject: A more inclusive role than user, including not only human data users, but also machine users. In other words, a subject accessing a particular data set could be a human user or an autonomous program.

Tip The terms controller and processor have gained prominence in recent years, as they are principal terms defined in the GDPR and other privacy laws.

Data collection

Data collection describes any means through which an organization acquires data, particularly about a person. Generally, data collection is concerned with human interaction when someone is typing personal information into a web form or filling out a hard-copy form.

Data collection has also attracted more attention with the passage of many new privacy laws. Often, organizations are required to disclose their privacy policy at the point of data collection and provide users an opportunity to opt in or out of the privacy policy.

Data location

Increasingly, laws, standards, and other legal mandates include stipulations regarding the locations where various types of data may be processed and stored. Some privacy laws require information about a country’s citizens to reside within the country, for example. Organizations need to be aware of location-specific requirements and include steps in their asset management processes to identify and confirm the physical location of assets, as well as to conduct regular reviews to confirm that asset locations comply with regulatory requirements. Chapter 3 discusses privacy in greater detail.

Data maintenance

Data maintenance refers to any activity in which data is being reviewed, updated, corrected, or discarded. This activity can be human-driven, as when a user or specialist examines data (one record at a time or in bulk) and makes necessary changes, or it can be machine-assisted or entirely autonomous, as when a software program makes needed changes.

The concept of integrity should come to mind when you consider data maintenance activities. The human- and machine-driven activities concerned with maintaining and updating data should include safeguards to ensure that these activities preserve and improve the integrity and accuracy of that data.

Data retention

Most organizations are bound by various laws, regulations, and standards to collect and store certain information and keep it for specified periods. An organization must be aware of legal requirements and ensure that it complies with all applicable regulations and standards.

Records-retention policies should cover all physical records, as well as all electronic records that may be located on file servers or in document management systems, databases, email systems, archives, and records management systems. These records also include paper copies and backup media stored at offsite facilities.

Organizations that want to retain information longer than required by law should formally and firmly establish why such information should be kept longer. Nowadays, just having information can be a liability, so keeping sensitive information longer should be the exception rather than the rule. Organizations should consider the risks associated with extending retention beyond legal requirements when retention decisions are made.

Data retention applies equally to the minimum and the maximum periods that data may be retained in an organization. Retaining data longer than necessary (or permitted by law) increases an organization’s liability, particularly where sensitive information is concerned. PCI DSS, for example, requires that credit card data be retained for as short a period as possible and that certain items, such as magnetic-stripe data and personal identification numbers, not be retained at all, whereas log data must be retained for at least one year to aid in possible security investigations.

At the opposite end of the records-retention spectrum, many organizations now destroy records (including backup media) as soon as legally permissible to limit the scope and cost of any future discovery requests or litigation. Before implementing any draconian retention policies that severely restrict your organization’s retention periods, you should fully understand the negative implications of a policy for your disaster recovery capabilities. Also, consult your organization’s legal counsel to ensure that you’re in full compliance with all applicable laws and regulations.

Warning Although extremely short retention policies and practices may be prudent for limiting future discovery requests or litigation, they’re illegal for limiting pending discovery requests or litigation. In such cases, don’t destroy pertinent records; if you do, you’ll go to jail. You go directly to jail, you don’t pass Go, you don’t collect $200, and (oh, yeah) you don’t pass the CISSP exam — or even remain eligible for CISSP certification!
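The following Python example is added to this section and is not taken from the book. It turns the retention concepts just described into a checkable schedule: each record category has a minimum period (destruction before it is a violation) and an optional maximum (retention past it is a violation), and a legal hold suspends destruction regardless of age, which is the situation the Warning above describes. The categories and day counts are constructed for illustration and are not a statement of what any law or standard requires.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    """Retention window for one record category. The day counts used in
    SCHEDULE below are constructed for this example, not drawn from any law."""
    category: str
    min_days: int            # keep at least this long (legal/operational minimum)
    max_days: Optional[int]  # must be gone once older than this; None = no maximum


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False  # subject to pending litigation or a discovery request


# Constructed schedule. It loosely mirrors the PCI DSS pattern in the text: logs
# have a one-year floor, PAN is kept only briefly, sensitive authentication data
# is never retained, and contracts have a floor but no ceiling.
SCHEDULE: Dict[str, RetentionRule] = {
    "security_log": RetentionRule("security_log", min_days=365, max_days=730),
    "cardholder_pan": RetentionRule("cardholder_pan", min_days=0, max_days=90),
    "sensitive_auth_data": RetentionRule("sensitive_auth_data", min_days=0, max_days=0),
    "contract": RetentionRule("contract", min_days=7 * 365, max_days=None),
}


def disposition(record: Record, today: date) -> str:
    """Classify a record as 'hold', 'retain', 'eligible' or 'overdue'.

    The legal hold is checked first: it blocks destruction even for records past
    their maximum, so the hold queue needs counsel's attention, not the shredder.
    An unknown category raises KeyError on purpose; records must never fall
    through the schedule silently.
    """
    if record.legal_hold:
        return "hold"
    rule = SCHEDULE[record.category]
    age_days = (today - record.created).days
    if age_days < rule.min_days:
        return "retain"      # destroying now would violate the minimum
    if rule.max_days is not None and age_days > rule.max_days:
        return "overdue"     # should already have been destroyed
    return "eligible"        # may be destroyed at the organization's discretion


def classify(category: str, created_iso: str, today_iso: str,
             legal_hold: bool = False) -> str:
    """Convenience wrapper taking ISO-8601 date strings."""
    rec = Record("-", category, date.fromisoformat(created_iso), legal_hold)
    return disposition(rec, date.fromisoformat(today_iso))


def review(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record IDs by disposition so each queue can be worked separately."""
    queues: Dict[str, List[str]] = {"hold": [], "retain": [], "eligible": [], "overdue": []}
    for rec in records:
        queues[disposition(rec, today)].append(rec.record_id)
    return queues


if __name__ == "__main__":
    today = date(2024, 6, 1)
    sample = [  # constructed records
        Record("LOG-1", "security_log", date(2024, 1, 1)),
        Record("LOG-2", "security_log", date(2021, 1, 1)),
        Record("PAN-1", "cardholder_pan", date(2024, 1, 1), legal_hold=True),
        Record("SAD-1", "sensitive_auth_data", date(2024, 5, 31)),
        Record("CTR-1", "contract", date(2010, 1, 1)),
    ]
    for queue, ids in review(sample, today).items():
        print(f"{queue:9} {ids}")
```

Running the review on a schedule produces two queues that matter to a security team: "overdue" shows where the organization is carrying liability it is not permitted to carry, and "hold" shows what must not be touched until counsel releases it, whatever the schedule says.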

Data remanence

Data remanence refers to residual data that remains on storage media or in memory after a file or data has been deleted or erased. Data remanence occurs because standard delete routines mark deleted data as storage or memory space that’s available to be overwritten. To eliminate data remanence, the storage media and memory must be properly wiped, degaussed, encrypted, or physically (and completely) destroyed. Object reuse refers to an object (such as memory space in a program or a storage block on media) that may present a risk of data remanence if it isn’t properly cleared.

Data destruction

Data destruction refers to various techniques used to remove data from a system or a data storage medium. Organizations destroy data for a variety of reasons, including data retention (when specific records or even an entire database are removed according to the data retention schedule), the retirement of computers and storage systems, the discarding of older storage media, and the migration of data from on-premises systems to cloud-based systems.

Various techniques for destroying data are employed to ensure that no one can reconstruct that data. A good example is the common situation in which an organization discards older desktops and servers, and that equipment is later sold or donated to a charitable organization. IT departments need to make sure that there’s no way for company information to be reconstructed later. The techniques used include overwriting, degaussing, and shredding.
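The following Python example is added here and is not from the book; it serves both the data remanence and data destruction discussions above. It models a toy block device (constructed for this example, not a real filesystem) in which a standard delete only updates the free list, so the bytes stay in place and can be carved out of unallocated blocks; a reused block keeps its previous owner's bytes beyond the new file's end (the object-reuse problem); and overwriting, whether of free blocks or of a file before it is freed, is what actually removes the residue.

```python
import os
from typing import Dict, List

BLOCK_SIZE = 16  # tiny blocks so the effect is visible in a few bytes


class ToyDisk:
    """A constructed block device: fixed-size blocks, a free list and a directory.

    It is a teaching model, not a filesystem, but it keeps the one property that
    matters here: freeing a block changes bookkeeping, not the bytes in the block.
    """

    def __init__(self, n_blocks: int = 8) -> None:
        self.blocks: List[bytearray] = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free: List[int] = list(range(n_blocks))
        self.directory: Dict[str, List[int]] = {}
        self.sizes: Dict[str, int] = {}

    def write_file(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        allocated = [self.free.pop(0) for _ in chunks]
        for idx, chunk in zip(allocated, chunks):
            # Only the bytes written are replaced. A reused block keeps the previous
            # owner's bytes in its tail (slack space): the object-reuse problem.
            self.blocks[idx][:len(chunk)] = chunk
        self.directory[name] = allocated
        self.sizes[name] = len(data)

    def read_file(self, name: str) -> bytes:
        raw = b"".join(bytes(self.blocks[i]) for i in self.directory[name])
        return raw[:self.sizes[name]]

    def slack(self, name: str) -> bytes:
        """Bytes in the file's last block beyond its logical end."""
        blocks = self.directory[name]
        used = self.sizes[name] - (len(blocks) - 1) * BLOCK_SIZE
        return bytes(self.blocks[blocks[-1]][used:])

    def delete_file(self, name: str) -> None:
        """Standard delete: drop the directory entry and return the blocks to the
        free list, leaving the data in place. This is what creates remanence."""
        freed = self.directory.pop(name)
        del self.sizes[name]
        self.free = freed + self.free  # LIFO, so the next write reuses them

    def residual_data(self) -> bytes:
        """Non-zero bytes still present in unallocated blocks: what an auditor
        (or a recovery tool) finds after a plain delete."""
        raw = b"".join(bytes(self.blocks[i]) for i in sorted(self.free))
        return raw.replace(b"\x00", b"")

    def _overwrite(self, idx: int, passes: int) -> None:
        for _ in range(passes):
            self.blocks[idx][:] = os.urandom(BLOCK_SIZE)
        self.blocks[idx][:] = bytes(BLOCK_SIZE)  # final pass: zeros

    def wipe_free_blocks(self, passes: int = 1) -> int:
        """Clear remanence in unallocated space; returns the number of blocks wiped."""
        for idx in self.free:
            self._overwrite(idx, passes)
        return len(self.free)

    def secure_delete(self, name: str, passes: int = 1) -> None:
        """Overwrite a file's blocks before freeing them, so nothing is left to carve."""
        for idx in self.directory[name]:
            self._overwrite(idx, passes)
        self.delete_file(name)


if __name__ == "__main__":
    disk = ToyDisk()
    disk.write_file("payroll.csv", b"SSN=000-00-0000;pay=1")  # constructed content
    disk.delete_file("payroll.csv")
    print("after plain delete:", disk.residual_data())
    disk.wipe_free_blocks()
    print("after wipe:", disk.residual_data())
```

The model deliberately stops at the host's view of storage. On flash media, wear leveling and over-provisioning mean that host-level overwrites do not reach every physical cell, which is why the text lists degaussing, cryptographic erasure (encrypting the media and destroying the key), and physical destruction alongside overwriting.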

Ensure Appropriate Asset Retention

IT departments pay attention to the vintage of their computing and network hardware, as well as the operating systems and applications that run on them. As a crucial part of overall asset management, tracking hardware and software versions is used for long-term planning to ensure that organizations avoid situations in which production hardware and software are no longer supported by their manufacturers. Technical debt is a term that describes an organization’s continued use of unsupported software and hardware.

Crossreference This section covers Objective 2.5 of the Asset Security domain in the CISSP Exam Outline (May 1, 2021).

End of life

Hardware and software vendors typically publish a support schedule. Organizations pay close attention to end-of-life (EOL) dates and plan upgrades or migrations to newer products to safely avoid running production applications on EOL systems. But despite their best efforts, many organizations find themselves marooned on EOL hardware or software for a variety of reasons:

· The software or hardware vendor is out of business, and no newer replacement is available.

· The cost of upgrading to newer hardware or software is prohibitive.

· Software applications aren’t supported in newer versions of operating systems.

· External equipment, such as medical laboratory equipment or manufacturing equipment, runs only on now-unsupported operating systems or hardware.

Organizations that find themselves in EOL situations can often enact other safeguards, such as more extreme isolation of unsupported systems or increased security monitoring.

End of support

End of support (EOS) refers to a state in which a manufacturer no longer provides technical support for specific hardware or software products. Product manufacturers generally publish an EOL or EOS schedule, often years in advance, so that organizations can include upgrades and migrations in their long-term strategic planning. The migration of a complex software application can require months of planning and months of migration work; hence, learning about EOS on short notice generally isn’t helpful.

EOS is often a contentious topic between manufacturers and their customers. Sometimes, customers view vendors’ announcements of EOS as being a thinly veiled scheme for selling expensive upgrades to boost their bottom line. Pragmatically, however, it can be costly for a manufacturer to support many versions of products, each with specific components and technologies. It can be impractical to support old versions of hardware when their chipsets are no longer available, and old versions of software often contain older components, themselves reaching EOS from their producers.

Determine Data Security Controls and Compliance Requirements

Information security is so called because its mission is protecting important information. A detailed inventory of the information stored and processed by an organization is critical so that the cybersecurity function can fulfill the task of protecting all of the information properly.

Crossreference This section covers Objective 2.6 of the Asset Security domain in the CISSP Exam Outline (May 1, 2021).

Determining measures to protect information is a top-down activity that begins with the organization determining which laws, regulations, standards, and requirements apply to specific business processes, information systems, and data. Although this undertaking may sound complex, without it the organization is flying blind at best, without a clear picture of what it should be doing to protect information.

Data states

Inventorying data requires more than just counting databases and files in file storage systems. Let’s take a step back and consider that data exists in many states in an environment, including

· Creation: Data is created by an end-user, an incoming data feed, or an application. Data needs to be classified at this time, based on its criticality and sensitivity, and a data owner (usually but not always the creator) needs to be assigned. Data may exist in many forms such as in documents, spreadsheets, email and text messages, database records, forms, images, presentations (including videoconferences), and printed documents.

· Distribution (data in motion): Data may be distributed or retrieved internally within an organization or transmitted to external recipients. Distribution may be manual (such as via courier) or electronic (typically, over a network). Data in motion is vulnerable to compromise, so appropriate safeguards must be implemented based on the classification of the data. Encryption may be required to send specific sensitive data over a public network, for example. In such cases, appropriate encryption standards must be established. Data loss prevention (DLP) technologies may also be used to prevent accidental or intentional unauthorized distribution of sensitive data.

· Use (data in use): This stage refers to data that has been accessed by an end user or application and is being actively used (read, analyzed, modified, updated, or duplicated) by that user or application. Data in use must be accessed only on systems that are authorized for the classification level of the data and only by users and applications that have appropriate permissions (clearance) and purpose (need to know).

· Transport (data in transit): This stage refers to data storage media, including hard drives, backup tape, and paper records being physically transported from one location to another. Many organizations store backup media in a secure offsite storage facility.

· Maintenance (data at rest): Any time between the creation and disposition of data when it isn’t in motion or in use, data is maintained at rest. Maintenance includes the storage (on media such as a hard drive, removable USB thumb drive, backup magnetic tape, or paper) and filing (such as in a directory and file structure) of data. Classification levels of data should be routinely reviewed (typically, by the data owner) to determine whether a classification level needs to be upgraded (not common) or downgraded. Appropriate safeguards must be implemented and audited regularly to ensure

· Confidentiality (and privacy): System, directory, and file permissions and encryption, for example

· Integrity: Baselines, cryptographic hashes, cyclic redundancy checks, and file locking (to prevent or control modification of data by multiple simultaneous users), for example

· Availability: Database and file clustering (to eliminate single points of failure), backups, and real-time replication (to prevent data loss), for example

· Disposal: When data no longer has any value or is no longer useful to the organization, it needs to be destroyed properly per corporate retention and destruction policies, as well as any applicable laws and regulations. Certain sensitive data may require a final disposition determination by the data owner and may require specific destruction procedures (such as witnesses, logging, shredding, or degaussing).

Warning Data that has merely been deleted has not been destroyed properly. It’s merely data at rest waiting to be overwritten — or inconveniently discovered by an unauthorized and potentially malicious third party!

Remember Data remanence refers to data that still exists on storage media or in memory after the data has been deleted.

Scoping and tailoring

Because different parts of an organization and its underlying IT systems store and process various data sets, it doesn’t make sense for an organization to establish a single set of controls and impose them on all systems. Just as an oversimplified data classification program results in overprotection or underprotection of data, a single control set fits some systems poorly. Instead, organizations often divide themselves into logical zones and then specify which controls and sets of controls are applied to each zone.

Another approach is to tailor controls and sets of controls to different IT systems and parts of the organization. Controls on password strength, for example, can have categories applied to systems with varying security levels or classifications.

Both approaches for applying a complex control environment to a complex IT environment are valid because they’re really just different ways of achieving the same objective: applying the right level of control to various systems and environments based on the information they store and process or on other criteria.

Standards selection

Several excellent control frameworks are available for security professionals’ use. In no circumstances is it necessary to start from scratch. Instead, the best approach is to start with one of several industry-leading control frameworks and then add or remove individual controls to suit the organization’s needs.

Numerous security control frameworks and standards include asset management as a critical function. Examples include

· Center for Internet Security (CIS) Controls v8: Controls 1 and 2 address Inventory and Control of Enterprise Assets and Inventory and Control of Software Assets, respectively.

· International Organization for Standardization (ISO) 27002, Information technology — Security techniques — Code of practice for information security controls: Section 8 addresses asset management, including responsibility for assets, information classification, and media handling.

· U.S. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53R5, Security and Privacy Controls for Information Systems and Organizations: Section PE-20 covers asset monitoring and tracking.

· NIST SP 1800-5, IT Asset Management: This extensive publication is devoted entirely to the topic of IT asset management, including approach, architecture, security characteristics, and how-to guides.

No matter how control frameworks are organized, they will always include asset management. Without effective asset management, few other security activities can protect an organization effectively. Again, you can’t protect the assets you don’t know about. Chapter 3 contains additional content on control frameworks.

Data protection methods

Information security is about data protection at its core, ensuring data confidentiality, integrity, and availability (CIA). Several methods are used to protect data, depending on the context of data storage and use. These methods are described in the following sections, and most are explored in more detail throughout this entire book.

Digital rights management (DRM)

Digital rights management (DRM) refers to a wide variety of techniques used to control the use, modification, and distribution of information and software. For years, software programs have employed license keys and other safeguards to prevent software piracy. More recently, various means have been used to control the use and distribution of sensitive or valuable information. Mechanisms such as copy protection and integrated access controls are used to prevent the illicit distribution and use of digital files and documents.

In the context of protecting documents, the ultimate objective of DRM is to permit only specific people to open and read a document and to cause the expiration and destruction of documents that exceed their intended storage life. Such controls may be more difficult to enforce when documents are out of the physical control of the originator or owner.

Data loss prevention (DLP)

Data loss prevention (DLP) refers to various tools and techniques employed to provide visibility into various forms of data storage, transmission, and use. DLP tools can also block certain actions when those actions violate company policy. DLP generally takes two forms:

· Static: Tools are used to scan data stores to detect the presence of various types of information. Reports and metrics are produced, and data analysts can take action when they determine that data is being stored improperly (such as a payroll extract residing on a widely readable file share).

· Dynamic: Tools are integrated into storage systems, email programs, firewalls, and other systems and are used to detect the transmission of various types of information. Dynamic DLP systems are configured to log events that violate policy, issue warnings to users who attempt to transmit data that violates policy, and even prevent the actions that users or systems are attempting.

Warning Organizations should initially configure dynamic DLP systems in learn mode to better understand data use. Only after valid uses of data transmissions are thoroughly understood should a DLP system be configured to prevent actions prohibited by policy.
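The following Python example is added here and is not from the book. It sketches both DLP forms described above: a static scan that looks for primary account numbers (validated with the Luhn check so that random digit runs are not reported) and SSN-shaped values in a text blob, and a dynamic decision step with the learn, warn, and block modes the Warning recommends stepping through. Findings carry only a masked value, since a DLP report that contains the full card number is itself a data leak. The patterns and the sample text are constructed for illustration; 4111 1111 1111 1111 is a widely published test card number, and the SSN value is made up.

```python
import re
from typing import Dict, List

# Candidate primary account numbers: 13-19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

MODES = {"learn": "log", "warn": "warn", "block": "block"}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Never put the full value into a DLP report or log; keep the last four only."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> List[Dict[str, object]]:
    """Static DLP pass over one text blob; returns findings sorted by position."""
    findings: List[Dict[str, object]] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append({"type": "PAN", "offset": m.start(), "masked": mask(digits)})
    for m in SSN_PATTERN.finditer(text):
        digits = m.group().replace("-", "")
        findings.append({"type": "SSN", "offset": m.start(), "masked": mask(digits)})
    return sorted(findings, key=lambda f: f["offset"])  # type: ignore[arg-type, return-value]


def decide(findings: List[Dict[str, object]], mode: str) -> str:
    """Dynamic DLP enforcement for one transmission.

    'learn' only records what was seen (the mode to deploy in first), 'warn'
    notifies the user, 'block' stops the transfer. Transmissions with no
    findings are allowed in every mode.
    """
    if mode not in MODES:
        raise ValueError(f"unknown DLP mode {mode!r}")
    if not findings:
        return "allow"
    return MODES[mode]


if __name__ == "__main__":
    # Constructed message: one valid test PAN, one Luhn-invalid look-alike, one made-up SSN.
    sample = ("Invoice 2024-17: card 4111 1111 1111 1111 exp 12/29; "
              "ref 4111 1111 1111 1112 (not a card); SSN 123-45-6789")
    found = scan(sample)
    for f in found:
        print(f"{f['type']} at {f['offset']}: {f['masked']}")
    for mode in MODES:
        print(mode, "->", decide(found, mode))
```

Running in learn mode first produces the inventory of where these data types legitimately flow (payment processors, HR systems) that is needed before block mode can be enabled without breaking business processes.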

Cloud access security broker (CASB)

A cloud access security broker, generally referred to as CASB (pronounced KAS-bee), is a network device or endpoint agent configured to control users’ access to cloud services. More than a web content filter or firewall that simply blocks users from accessing certain websites, a CASB has more intelligence and directs users away from unsupported sites to company-sanctioned cloud services. If a user attempts to store company documents on a personal Box.com cloud drive, for example, a CASB will display a page that informs the user that only OneDrive may be used to store company data.

As with firewalls, web content filters, intrusion prevention systems (IPS), and DLP systems, organizations are advised to implement a CASB in learn mode first to better understand valid data use before configuring the CASB to intervene and block activities.

Cryptography

Cryptography plays a critical role in data protection, whether we’re talking about data in motion through a network or at rest on a server, workstation, or storage device. Cryptography is all about hiding data in plain sight. In some situations, people may be able to access sensitive data; cryptography denies them access unless they possess an encryption key and the decryption method. Cryptography is explored in detail in Chapter 5.

Access controls

Access control was one of the first data security functions and remains one of prime importance: data security relies heavily on access controls that determine who and what can access important information. Access controls and access management are explored in detail in Chapter 7.

Privacy controls

Data that includes information about specific people may fall under the scope of privacy laws, which require the implementation of controls to enforce citizens’ privacy preferences. Additional controls may include anonymization, pseudonymization, processing opt-in and opt-out requests, and removing data when requested by data subjects. Privacy is explored in detail in Chapter 3.
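The following Python example is added here and is not from the book. It shows three of the privacy controls just listed on a constructed customer dataset: pseudonymization of the direct identifier with a keyed HMAC (so rows about the same person stay linkable for analysis, but only the key holder can recompute the mapping), anonymization of age and postcode by generalization, and honoring a deletion request against the pseudonymous copy without the copy ever containing the email address. The records, key, and field names are all made up for the example.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample, not real people; the emails use the reserved example.com domain.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"email": "Alice@Example.com", "age": 34, "postcode": "98101", "purchase": "laptop"},
    {"email": "bob@example.com", "age": 52, "postcode": "98004", "purchase": "monitor"},
    {"email": "alice@example.com ", "age": 34, "postcode": "98101", "purchase": "dock"},
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym via HMAC-SHA256.

    Normalizing first gives one pseudonym per person across rows, so analysis
    and erasure still work. Under a different key the pseudonyms are unlinkable,
    and without the key nobody can recompute identifier -> pseudonym. The key
    must be kept apart from the dataset: whoever holds it can re-identify
    guessable identifiers, which is why pseudonymous data still counts as
    personal data under laws such as the GDPR.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def generalize_age(age: int) -> str:
    """Anonymization by generalization: exact age -> ten-year band."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def truncate_postcode(postcode: str) -> str:
    """Keep the leading three characters, enough for regional analysis, no more."""
    return postcode[:3] + "*" * (len(postcode) - 3)


def protect(records: List[Dict[str, object]], key: bytes) -> List[Dict[str, object]]:
    """Produce the analytics copy: pseudonymous subject ID, generalized
    attributes, and no direct identifier at all."""
    return [
        {
            "subject": pseudonymize(str(r["email"]), key),
            "age_band": generalize_age(int(r["age"])),  # type: ignore[call-overload]
            "postcode": truncate_postcode(str(r["postcode"])),
            "purchase": r["purchase"],
        }
        for r in records
    ]


def erase_subject(protected: List[Dict[str, object]], key: bytes, email: str) -> List[Dict[str, object]]:
    """Honor a deletion request: recompute the pseudonym with the key and drop
    matching rows. The dataset never needs to store the email to support this."""
    target = pseudonymize(email, key)
    return [row for row in protected if row["subject"] != target]


if __name__ == "__main__":
    key = b"constructed-test-key-not-for-production"
    rows = protect(SAMPLE_RECORDS, key)
    for row in rows:
        print(row)
    print(len(erase_subject(rows, key, "alice@example.com")), "rows after erasure")
```

Note what the keyed hash does and does not buy: a plain, unkeyed hash of an email address would let anyone with a list of candidate addresses rebuild the mapping, whereas with HMAC that requires the key, so key custody (separate from the data, with its own access controls) is the control that makes the pseudonymization meaningful.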
