Information Life Cycle
- Acquisition
- Use
- Archival
- Disposal
Information Classification
Classification Levels - Commercial Business - highest to lowest
- Confidential
- Private
- Sensitive
- Public
Classification Levels - Military purpose - highest to lowest
- Top Secret
- Secret
- Confidential
- Sensitive but unclassified
- Unclassified
Classification Controls
Layers of Responsibility
- Executive Management
- CEO
- CFO
- CIO
- CPO
- CSO/CISO
- Data Owner
- Data Custodian
- System Owner
- Security Administrator
- Supervisor
- Change Control Analyst
- Data Analyst
- User
- Auditor
Retention Policies
How?
- Taxonomy
- Classification
- Normalization
- Indexing
How Long?
- Business Documents - 7 years
- Invoices - 5 years
- Accounts payable and receivable - 7 years
- Human Resource Files - 7 years (employees who were hired and have left) or 3 years (candidates not hired)
- Tax records - 4 years after the taxes are paid
- Legal correspondence - Permanently
What Data?
e-Discovery
- Identification
- Preservation
- Collection
- Processing
- Review
- Analysis
- Production
- Presentation
Protecting Privacy
Data Owners
Data Processors
Data Remanence
- Overwriting
- Degaussing
- Encryption
- Physical Destruction
Protecting Assets
Data Security Controls
- Data at Rest
- Data in Motion
- Data in Use
- Tracking
- Effectively implementing access controls
- Tracking the number and location of backup versions
- Documenting the history of changes on media
- Ensuring environmental conditions do not endanger media
- Ensuring media integrity
- Inventorying the media on a scheduled basis
- Carrying out secure disposal activities
- Internal and external labeling
Data Leakage
Data Leak Prevention
General Approaches to DLP
- Data Inventories
- Data Flows
Data Protection Strategy
- Backup and recovery
- Data life cycle
- Physical Security
- Security Culture
- Privacy
- Organizational change
Implementation, Testing, and Tuning
- Sensitive data awareness
- Policy Engine
- Interoperability
- Accuracy
DLP Resiliency
- Network DLP
- Endpoint DLP
- Hybrid DLP
Protecting Other Assets
- Protecting Mobile Devices
- Paper Records
- Safes