38 Cards in this Set

  • Front
  • Back

Asset

Anything of value to an organization such as their people, partners, facilities, reputation, and information

The Information Life Cycle

Acquisition, Use, Archival, and Disposal.

During the acquisition phase, what are the two ways a company acquires data?

It can create the data itself or copy it from somewhere else.

Use - Info Life Cycle

Presents the most challenges in terms of the CIA triad. The use phase must be mapped to the appropriate internal policies, regulations, and laws.

Archival - Info Life Cycle

The phase where we are considering getting rid of the information, but regulatory or industry guidelines may require it to be held for a specific period.

Backup vs Archive

A backup is a copy of current data made for the purpose of recovering from loss of the original. An archive is data that is no longer in use but is kept for possible need at some point in the future.

Disposal - Info Life Cycle

This involves properly getting rid of the data. The two most important considerations are ensuring the data truly gets destroyed and that it is destroyed in accordance with the applicable regulations and laws.

What are 4 common commercial data classification levels?

Confidential, Private, Sensitive, and Public

Example of public classification.

Disclosure is not desirable, but it would not cause an adverse impact to the company or its personnel.

Example of sensitive classification.

Requires special precautions to ensure the integrity and confidentiality of the data. Examples include financial information, project details, and profit and earnings figures.

Example of private classification

Personal information for use within the company. Unauthorized disclosure could adversely affect personnel or the company. Examples are HR information, medical information, and work history.

Example of confidential classification.

For use within the company only. The data is exempt from the Freedom of Information Act and other laws and regulations. Examples include trade secrets, programming code, healthcare data, and information that keeps the company competitive.

What is Unclassified info?

Data is not sensitive or classified. Examples are computer manuals, warranty info, recruiting information.

What is Sensitive but Unclassified info?

A minor secret; if disclosed, it may not cause major damage. Examples include medical data and answers to tests.

What is Secret classification?

If disclosed, it could cause serious damage to national security. Examples include troop deployment plans and unit readiness.

What is Top Secret classification?

If disclosed, it could cause grave damage to national security. Examples include blueprints of new weapons, spy satellite information, and espionage data.

What are a few classification controls?

Marking, labeling, and handling procedures; strict access control for all user levels; encryption of data; auditing and monitoring of access; separation of duties; periodic reviews; backup and recovery procedures; a change control process; and proper disposal.

Name the Executive Team

CEO, CFO, and the CIO, who reports to them.

What are the duties of Chief Privacy Officer?

A newer position that ensures customer, company, and employee data is covered by a policy explaining how the company collects and protects it and when it is given to third parties.

Chief Security Officer

Responsible for understanding the risks the company faces and lowering them to an acceptable level.

Data Owner

Usually a member of management who is in charge of a specific business unit and ultimately responsible for the protection and use of a data subset.

Data Custodian

Responsible for maintaining and protecting the data, for example by implementing security controls, backing up the data, and periodically performing data integrity checks.

Security Administrator

Responsible for setting up security network devices such as firewalls, IDS, IPS, and antimalware.

User

Any individual who uses the data in the course of work.

Auditor

Checks to make sure everyone is doing his or her job and ensures the correct security controls are in place.

What are the three parts of Data retention?

What data we retain, how long we retain it, and where and in what format we retain it.

What is an e-discovery?

When a court requires an organization to produce electronically stored information pertinent to a legal proceeding.

What NIST document talks about sanitizing data?

NIST SP 800-88, Guidelines for Media Sanitization.

Data Remanence Approaches

Overwriting (the card calls for at least seven passes; note that overwriting is not reliable on flash/SSD media because of wear leveling), degaussing (erasing magnetic media with a strong magnetic field), encryption followed by secure deletion of the keys (crypto-shredding), and physical destruction of the media.

What is the best way to combat data remanence?

Physically destroying the media by shredding, incineration, or exposure to chemicals.
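The overwrite approach from the remanence cards above, as an added example that is not part of the original deck: it overwrites a file in place (same inode, so the original blocks are the ones rewritten), flushes and fsyncs every pass so the bytes reach the device rather than the page cache, finishes with a zero pass, and then checks that the planted secret is gone before unlinking. The secret string and the pass count are constructed for the demo; the point it adds to the card is that on flash media with wear leveling this still does not guarantee the old blocks are gone, which is why crypto-shredding or destruction is preferred there.

```python
import os
import secrets
import tempfile


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite every byte of the file at `path` in place, `passes` times.

    Each pass writes fresh random bytes except the last, which writes zeros
    so a later inspection shows a blank file. Every pass is flushed and
    fsync'd so the data is committed to the device rather than sitting in
    the page cache. "r+b" keeps the same inode: creating a new file would
    leave the old blocks untouched on disk. Returns bytes written per pass.
    """
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for i in range(passes):
            fh.seek(0)
            pattern = bytes(size) if i == passes - 1 else secrets.token_bytes(size)
            fh.write(pattern)
            fh.flush()
            os.fsync(fh.fileno())
    return size


def sanitize_file(path: str, passes: int = 3) -> int:
    """Overwrite, then unlink. Returns bytes overwritten per pass."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def demo(passes: int = 3) -> dict:
    """Plant a constructed secret in a temp file, overwrite it, and report
    what a later read of the same file would see."""
    secret = b"cardholder=4111111111111111;pin=1234"  # constructed sample, not real data
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(secret)
        path = fh.name
    size = overwrite_file(path, passes)
    with open(path, "rb") as fh:
        residue = fh.read()
    os.remove(path)
    return {
        "bytes_per_pass": size,
        "secret_recoverable": secret in residue,
        "final_pass_zeroed": residue == bytes(len(secret)),
        "file_removed": not os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and `secret_recoverable` comes back `False` on a plain filesystem; on a copy-on-write filesystem or an SSD the overwritten sectors may still hold the old content elsewhere, so treat this as "clear" in NIST 800-88 terms, not "purge".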

How to secure data at rest?

Encryption and whole-disk encryption for portable computing devices.

How to secure data in motion?

Encryption protocols such as TLS (Transport Layer Security) and IPsec protect data in transit. A VPN is a good solution for tunneling remote users' traffic.

How to secure data in use?

This is data shown on your screen or held in RAM, memory caches, or CPU registers. Securing it means preventing memory-disclosure bugs such as the Heartbleed bug of 2014 (an OpenSSL buffer over-read that leaked server memory, including keys) as well as side-channel attacks. Whole-memory encryption is another solution.

Should all media be clearly marked and logged?

Yes.

What is sanitized media?

Media that has been erased; this level of erasure is only acceptable when the media will be reused in the same physical environment.

What are some media controls that can help to secure disk drives, USB thumb drives, laptops, DVDs, CDs, and server blades?

Tracking ownership at any moment; access control; knowing the number of copies and backup versions; tracking changes made to the media; ensuring environmental conditions do not damage the media; ensuring media integrity; inventorying the data; using secure disposal procedures; and internal and external labeling.

Three requirements for an event to count as data leakage

It must involve sensitive data, the data must go to an unauthorized system or individual, and that party must be external to the company.

What should you understand to prevent data leakage?

How data flows through the organization; a data inventory showing what is important and what is not; the data protection strategy (data life cycle, backup and recovery process, etc.); and the DLP options: network DLP, endpoint DLP, and hybrid DLP.
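A content-inspection DLP check that ties the commercial classification levels and the three leakage requirements together, as an added example that is not part of the original deck. It classifies a message by the highest level it finds (a CONFIDENTIAL marking, an SSN-style identifier as private, a Luhn-valid card number as sensitive, otherwise public) and then flags a leak only when all three conditions hold: the content is above public, the recipient is external, and the recipient is not an approved third party. The internal domain, the approved vendor domain, and the sample messages are all constructed assumptions for the demo.

```python
import re
from dataclasses import dataclass

COMPANY_DOMAIN = "example.com"                      # assumed internal domain
AUTHORIZED_EXTERNAL = {"payroll-vendor.example.net"}  # assumed approved third party

# Commercial levels from the deck, lowest to highest.
LEVELS = ("public", "sensitive", "private", "confidential")

LABEL_RE = re.compile(r"\b(CONFIDENTIAL|PRIVATE|SENSITIVE)\b")  # upper-case markings only
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")      # candidate card numbers, validated by Luhn


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives from order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return the highest classification level found in the text."""
    found = {"public"}
    for label in LABEL_RE.findall(text):
        found.add(label.lower())
    if SSN_RE.search(text):
        found.add("private")          # personal data: HR/medical style information
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("sensitive")    # financial information
    return max(found, key=LEVELS.index)


@dataclass
class Verdict:
    classification: str
    external: bool
    authorized: bool
    leak: bool


def evaluate(text: str, recipient: str) -> Verdict:
    """Apply the three leakage requirements to one outbound message."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    external = domain != COMPANY_DOMAIN
    authorized = (not external) or domain in AUTHORIZED_EXTERNAL
    level = classify(text)
    leak = level != "public" and external and not authorized
    return Verdict(level, external, authorized, leak)


# Constructed sample traffic; the card number is the standard 4111... test value.
SAMPLES = [
    ("Q3 profit figures attached; card on file 4111 1111 1111 1111", "bob@gmail.example"),
    ("Q3 profit figures attached; card on file 4111 1111 1111 1111", "alice@example.com"),
    ("Refund to 1234 5678 9012 3456 please", "bob@gmail.example"),
    ("CONFIDENTIAL: matcher source code", "partner@payroll-vendor.example.net"),
    ("New hire SSN 123-45-6789", "recruiter@other.example.org"),
]


def scan(samples=SAMPLES) -> list:
    return [evaluate(text, rcpt) for text, rcpt in samples]


if __name__ == "__main__":
    for (text, rcpt), v in zip(SAMPLES, scan()):
        print(f"{'BLOCK' if v.leak else 'allow'} {v.classification:12} -> {rcpt}: {text[:40]}")
```

The third sample shows why the Luhn check matters: a 16-digit string that is not a valid card number stays public instead of generating a false block, and the fourth shows that an approved vendor is not a leak even for confidential content.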