Friday, October 7, 2016

Asset Security

Information Life Cycle

  1.     Acquisition
  2.     Use
  3.     Archival
  4.     Disposal
   
Information Classification
Classification Levels - Commercial Business - highest to lowest


  1.     Confidential
  2.     Private
  3.     Sensitive
  4.     Public
   
Classification Levels - Military purpose - highest to lowest
  1.     Top Secret
  2.     Secret
  3.     Confidential
  4.     Sensitive but unclassified
  5.     Unclassified
   
Classification Controls
Layers of Responsibility

  1.     Executive Management
  2.     CEO
  3.     CFO
  4.     CIO
  5.     CPO
  6.     CSO/CISO
  7.     Data Owner
  8.     Data Custodian
  9.     System Owner
  10.     Security Administrator
  11.     Supervisor
  12.     Change Control Analyst
  13.     Data Analyst
  14.     User
  15.     Auditor
   
Retention Policies

How?
  1.     Taxonomy
  2.     Classification
  3.     Normalization
  4.     Indexing
   
How Long?
  1.     Business Documents - 7 years
  2.     Invoices - 5 years
  3.     Accounts payable and receivable - 7 years
  4.     Human Resource Files - 7 years (Hired and Leave) or 3 years (candidates not hired)
  5.     Tax records - 4 years after the taxes are paid
  6.     Legal correspondence - Permanently
   
What Data?
    e-Discovery
  1.         Identification
  2.         Preservation
  3.         Collection
  4.         Processing
  5.         Review
  6.         Analysis
  7.         Production
  8.         Presentation
   
Protecting Privacy
Data Owners
Data Processors
Data Remanence
  1.         Overwriting
  2.         Degaussing
  3.         Encryption
  4.         Physical Destruction
    Limits on Collection
   
Protecting Assets
    Data Security Controls
  1.         Data at Rest
  2.         Data in Motion
  3.         Data in Use
    Media Controls
  1.         Tracking
  2.         Effectively implementing access controls
  3.         Tracking the number and location of backup versions
  4.         Documenting the history of changes on media
  5.         Ensuring environmental conditions do not endanger media
  6.         Ensuring media integrity
  7.         Inventorying the media on a scheduled basis
  8.         Carrying out secure disposal activities
  9.         Internal and external labeling
       
Data Leakage
Data Leak Prevention

    General Approaches to DLP
  1.         Data Inventories
  2.         Data Flows
   
    Data Protection Strategy
  1.         Backup and recovery
  2.         Data life cycle
  3.         Physical Security
  4.         Security Culture
  5.         Privacy
  6.         Organizational change
       
    Implementation, Testing, and Tuning
  1.         Sensitive data awareness
  2.         Policy Engine
  3.         Interoperability
  4.         Accuracy
   
    DLP Resiliency
       
  1.     Network DLP
  2.     Endpoint DLP
  3.     Hybrid DLP

Protecting Other Assets
  1.     Protecting Mobile Devices
  2.     Paper Records
  3.     Safes