Asset Classification MindMap (1 of 1) | CISSP Domain 2

Destination Certification
Review of the major Asset Classification topics to guide your studies, and help you pass the CISSP e...
Video Transcript:
Hey, I'm Rob Witcher from Destination Certification, and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to asset classification in Domain 2, to understand how they interrelate and to guide your studies. This is the only video for Domain 2. I've included links to the other mindmap videos for the other domains in the description below. These mindmap videos are one part of our complete CISSP Master Class.

Asset classification is fundamentally about ensuring that assets receive the appropriate level of protection. What is an asset? An asset is anything of value to the organization: people, buildings, equipment, software, data, intellectual property are all assets, among many other things. In security we often just speak of data classification. We should be talking about asset classification, which encompasses data classification and clearly implies that we should be classifying all the assets of the organization and protecting them appropriately.

The first step in the asset classification process is creating and maintaining an asset inventory: a catalog, a listing of all the assets from across the organization. For every single asset there should be a clearly defined owner. It is critical to determine who the asset owner is, as the owner is accountable for the protection of an asset. The owner is best positioned to determine how valuable an asset is to the organization, and thus what classification the asset should be assigned. As I already mentioned and want to emphasize here, the reason we classify assets is so that we can identify how valuable they are to the organization, and therefore the appropriate level of protection required.

Before we can begin classifying anything, we first need to define the classification levels, the classes, and clearly identify who is accountable and responsible for what. All of this should be documented in a data classification policy. Standards, procedures, baselines and guidelines should then be created based on the policy. Procedures will define step-by-step instructions for classifying data based on the classes defined in the policy. Baselines will define minimum security requirements for each class. Remember that point: classification is a system of classes ordered according to value. For example, public, proprietary and confidential would be three classes that an organization defines, with public being the least valuable and confidential being the most. Different organizations will choose different classes based on whatever best suits their needs, so don't memorize any particular classification scheme, as they vary significantly from organization to organization.

Security labels are the means used to associate a set of security attributes with a specific information object as part of the data structure of that object. In other words, labels are meant to be read by the system to understand the classification of data and therefore the protection required. So remember: labels are meant to be read by the system and enable system-based enforcement. Security marking is very similar: the means used to associate a set of security attributes with an object in a human-readable form. In other words, markings are meant to be read by people to understand the classification of data and therefore the protection required. So remember: markings are meant to be read by humans, to enable organizational process-based enforcement of information security policies, so people can make decisions. And the final major piece here is categorization, which is the act of sorting assets into the defined classes. Categorization is a process of putting assets into different classes.

How do we go about protecting assets based on their classification? We can begin by having clearly defined roles of who is accountable or responsible for what. The data owner, also known as the data controller, is the most important role, as the owner is accountable for the protection of data. The owner will define the classification for data, and the owner is then accountable for ensuring the data is protected accordingly. Data processors, as the name implies, are responsible for processing data on behalf of the owners. A typical example of a data processor is a cloud service provider: they are storing and processing data on behalf of the owner. Data custodians have a technical responsibility for the data, meaning custodians are responsible for ensuring data security, availability, capacity, that backups are performed and that data can be restored. They are responsible for the technical aspects of data. Data stewards, on the other hand, have a business responsibility for the data, meaning stewards are responsible for ensuring data governance, data quality, compliance. Essentially, data stewards are employees from the business who are responsible for ensuring the data is useful for business purposes. And the data subject is the individual to whom any personal data relates; it's data about them.

We can also think about how we would protect data based on whether it's at rest on a storage device somewhere, or in motion across a network, being used, archived, or even defensibly destroyed. We'll start with techniques for protecting data at rest. One of the major techniques that we use is encryption. We use one of the many excellent encryption algorithms, which we'll discuss in Domain 3, to encipher, encrypt, the data and turn it into ciphertext. The ciphertext is then protected unless an attacker can get their hands on the correct encryption key to decipher the data, or they discover a flaw in the encryption algorithm. So encryption is one of the major ways that we protect data at rest. We can further have strong access controls in place, which I will discuss in Domain 5, to ensure that only properly authenticated and authorized individuals have access to the data. We can implement controls like multi-factor authentication and have good logging and monitoring in place to make users accountable for what they do with the data. To ensure data is not accidentally lost or destroyed, we can have all sorts of different data backup and data resiliency controls, which I will discuss in Domain 7.

The next major grouping of controls that we can look at for protecting data are for data in motion: data that is in transit across a network. All of these data in motion controls involve encrypting the data in some fashion while it is in transit across potentially insecure networks. End-to-end encryption means that we encrypt the data portion of a packet right from the sender, and the data remains encrypted through all of the nodes, the switches, routers, firewalls, etc., that it passes through on the way to its intended recipient. The data is only decrypted once it has reached the recipient. The data is never in plain text while in transit; it is encrypted and decrypted only at the endpoints. A perfect example of end-to-end encryption is a VPN, a virtual private network, which I'll discuss in Domain 4. The downside of end-to-end encryption is that the routing information, the source and destination IP addresses for example, must be in plain text and visible to anyone, so end-to-end does not provide anonymity.

Link encryption differs significantly in that data is decrypted and then re-encrypted at every node it passes through from source to destination. So the packet, including the header, is encrypted at the source and then sent to the first node, which decrypts the packet, looks at the destination address to determine where to send the packet next, re-encrypts the packet and forwards it to the next node, which then does the same decryption and re-encryption process. The advantage of link encryption is that the routing information is hidden in transit, but the huge downside is the data is decrypted at each node. Link encryption is not the best for protecting data.

Now let's talk about onion networks. This is a really cool idea to provide confidentiality of data and anonymity, to make it very difficult to determine who the sender and receivers are while the data is in transit. Here's how onion networks work. The sender will predetermine a series of nodes that a packet is going to pass through on its way to the destination. The sender will then encrypt the entire packet multiple times. Each layer of encryption will use the encryption key of a specific node, and thus when the sender sends the packet to the first node, the first node will decrypt the outermost layer of encryption, which will reveal the next node to send the packet to. The next node receives the packet, strips off the next layer of encryption, which then again reveals the next node to send the packet to, and so on and so on until the packet finally reaches the destination, which can finally decrypt the data stored within the innermost packet. The big advantage here is that each node along the way only knows which node the packet came from and the next node, but not the ultimate source and destination, and each node has zero access to the encrypted data within the innermost layer. A perfect example of an onion network is Tor, the onion router. The big downside, of course, is performance.

Data in use is inherently more vulnerable than data at rest, because by definition data in use must be accessible to people and processes to view and edit the data. The major controls we put in place to protect data in use are good access controls, potentially data loss prevention (DLP) controls to monitor and control what a user is doing with the data, and if you want to get really fancy you could potentially use homomorphic encryption, but you don't really need to know about that for the CISSP exam.

Data archiving is moving data that is no longer being actively used into a cheaper storage solution for long-term retention. From a security perspective, we need to ensure that we retain archived data for a sufficient period of time to meet requirements as defined by the data classification policy, and continue to protect the data based on its classification. Just because the data has been archived on a tape somewhere does not mean we get to forget about it and forget about protecting it. It's worth emphasizing here how long data should be retained. We need to ensure data is retained as long as necessary based on compliance, regulatory and contractual requirements, but we also want to ensure we don't retain data any longer than necessary. I love the expression: you don't have to worry about a data breach if you don't have the data. So retain the data as long as required based on the policy and then dispose of it, which leads us to data destruction.

The final way we protect data is actually related to how we destroy data when we no longer require it. There are laws, regulations and contracts that may require us to defensibly destroy data, which means we must securely destroy the data and render it unrecoverable in a manner that will stand up as reasonable and consistent, where we can prove the data is unrecoverable. That's defensible destruction. There are many ways to destroy data, and some are much better than others, so let's go through three main categories and then specific techniques within each. The first and very best category is destruction, which means we physically destroy the media the data is stored on. The next best category is known as purging, which means using logical or physical techniques to sanitize data, thus making it so the data cannot be reconstructed. Keyword there: cannot. And finally, the worst category is known as clearing, which means using logical techniques to sanitize the data, thus making it so that the data may not be reconstructed. That's not super reassuring, right? May not be reconstructed.

Okay, now let's look at the techniques, starting from best to worst. The best, of course, is to physically destroy the media: ideally melt the hard drive, burn it to the point where all that is left is some smoke and maybe a puddle of metal. There is no way you're getting that data back. The next best method is to shred, disintegrate or drill a hole in the media. These techniques are not nearly as good, because with the right tools it is possible to read data even off of little shredded pieces of a hard drive or tape. Degaussing is applying a very strong magnetic field to magnetic media like hard drives or tapes; the strong magnetic field destroys the data. The reason degaussing fits between destruction and purging is because it may render the media unusable ever again, thus essentially destroying the media. Crypto shredding is the idea that to destroy the data we encrypt the data with an excellent algorithm like AES with a 256-bit key, and then we destroy every single copy of the encryption key. With the encryption key destroyed, we have effectively crypto shredded the data and made it unrecoverable. Crypto shredding fits between purging and clearing: so long as the key is never recovered or brute forced, or a flaw found in the algorithm, then the data cannot be recovered; it has been purged. But if any one of those were true, if someone found the key, if the algorithm was compromised, then the data may be recoverable and thus has just been cleared. Overwriting, wiping or erasure all refer to writing all zeros or all ones or some combination to all sectors of a storage device, replacing the original data with this overwritten data. This process can be done multiple times, but even so, research has shown that pretty much no matter how many times you overwrite the original data, some of the original data may be recoverable. Thus overwriting or wiping is considered to be a clearing technique. And the worst method for destroying data is to format the hard drive. This is the worst technique because formatting by default leaves most if not all the existing data on the disk, meaning that the data can easily be recovered with the right tools. And here is a summary of the different data destruction methods and the categories they fit in.

Digital rights management (DRM) is technology designed to protect the rights of copyright holders for digital media. Put overly simply, DRM technologies encrypt videos, music files, ebooks, etc., which then allows the control of who can do what with the media: how many times can a video be played, what device can you play music on, whether or not you can print a copy of an ebook, etc. DRM technologies allow copyright holders to set and enforce rules on how their content is used. Somewhat related to DRM is digital watermarks. Digital watermarks are a way of visibly or invisibly marking the copyright ownership on some digital media. Digital watermarks can be used to trace unauthorized copies back to the source. One limitation of digital watermarks versus DRM is that digital watermarks cannot prevent the unauthorized copying of media; therefore DRM and digital watermarks are often used together, DRM to encrypt and control access to media and digital watermarks to provide traceability.

Data loss prevention (DLP) solutions are tools and processes used to ensure that sensitive or critical information is not lost, misused or accessed by unauthorized individuals. DLP solutions can help organizations identify, monitor and protect data in use, data in motion and data at rest. A critical requirement for the use of DLP solutions is data classification. DLP solutions can't prevent every bit of data from being leaked outside or being misused, so it is critical to know what is sensitive data within an organization, hence the need for data classification.

The final thing we need to think about related to asset classification is that we need to periodically review and assess the classes we have created and what classification assets have received. Laws, regulations, business requirements all shift over time, which may require changing the classes and the classification of assets.

All right, that is an overview of asset classification within Domain 2, covering the most critical concepts you need to know for the exam. Like our mindmap videos, our CISSP Master Class provides all of the study materials you need to confidently pass the CISSP exam. We provide over 200 super detailed and engaging masterclass videos that teach you all the concepts that we just breeze through in these mindmap videos. Additionally, our master class includes over 1,00 flashcards, our own CISSP guidebook, practice questions, our knowledge assessment system, personalized review guide, practice exam, and so on and so on. Put simply, our CISSP master class includes everything you need to confidently pass the CISSP exam. Check out our masterclass here at desert.com; the CISSP link is in the description below as well.
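The inventory, owner, ordered classes, baselines, system-read labels, human-read markings and retention points from the review above, pulled together in one small policy checker. This is an added example written for this page, not code from the video or from Destination Certification; the three class names follow the video's example ordering, while the baseline control requirements, retention periods and the sample inventory are constructed values, not any real organization's policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Classes ordered from least to most valuable (the video's example ordering).
CLASSES = ["public", "proprietary", "confidential"]
RANK = {c: i for i, c in enumerate(CLASSES)}

# Baseline: minimum security requirements per class (constructed example values).
BASELINE = {
    "public":       {"encrypt_at_rest": False, "mfa": False, "retention_days": 365},
    "proprietary":  {"encrypt_at_rest": True,  "mfa": False, "retention_days": 3 * 365},
    "confidential": {"encrypt_at_rest": True,  "mfa": True,  "retention_days": 7 * 365},
}


@dataclass
class Asset:
    asset_id: str
    owner: str            # accountable owner; empty string = nobody assigned
    label: str            # machine-readable classification, read by the system
    created: date
    encrypt_at_rest: bool  # controls actually in place, for baseline comparison
    mfa: bool


def validate_inventory(assets):
    """Return (asset_id, problem) findings: missing owner, unknown class, baseline gaps."""
    findings = []
    for a in assets:
        if not a.owner:
            findings.append((a.asset_id, "no accountable owner"))
        if a.label not in RANK:
            findings.append((a.asset_id, f"unknown class '{a.label}'"))
            continue  # no baseline to compare against
        base = BASELINE[a.label]
        for control in ("encrypt_at_rest", "mfa"):
            if base[control] and not getattr(a, control):
                findings.append((a.asset_id, f"baseline requires {control}"))
    return findings


def may_release(asset, channel_max_class):
    """System-based enforcement from the label: a channel cleared for class X may
    carry anything of class X or lower in the ordering, nothing higher."""
    return RANK[asset.label] <= RANK[channel_max_class]


def marking(asset):
    """Human-readable marking derived from the system label, for people to act on."""
    return f"[{asset.label.upper()}] Owner: {asset.owner or 'UNASSIGNED'}"


def disposition(asset, today):
    """Retain as long as the class's baseline requires, then dispose."""
    limit = timedelta(days=BASELINE[asset.label]["retention_days"])
    return "dispose" if today - asset.created > limit else "retain"


# Constructed sample inventory (not a real organization's data).
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Asset("a1", "",      "confidential", date(2015, 1, 1), encrypt_at_rest=True,  mfa=False),
    Asset("a2", "alice", "secret",       date(2024, 1, 1), encrypt_at_rest=True,  mfa=True),
    Asset("a3", "bob",   "public",       date(2024, 1, 1), encrypt_at_rest=False, mfa=False),
]

if __name__ == "__main__":
    for finding in validate_inventory(SAMPLE_INVENTORY):
        print("finding:", *finding)
    for a in SAMPLE_INVENTORY:
        if a.label in RANK:
            print(marking(a), "->", disposition(a, TODAY))
```

Running it reports that `a1` has no owner and lacks the MFA its class demands, that `a2` carries a label outside the policy's classes (which also means no baseline can be applied to it), and that `a1`, created in 2015, has outlived its seven-year retention and is due for disposal, while the public `a3` is still within its retention window.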
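Two of the passages above describe mechanisms rather than policy: the onion-network layering (each node peels one layer and learns only the next hop) and crypto shredding (destroy every copy of the key and the ciphertext is all that remains). Both are shown below in one added example that is not code from the video or from Destination Certification. It uses only the Python standard library, so in place of AES-256 it assumes a toy stream cipher built from HMAC-SHA256 in counter mode with an HMAC tag; the node names, keys and the hop-name header format are likewise constructed for the demonstration.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN, HOP_LEN = 16, 32, 8


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for AES, not for production."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag lets the key holder detect tampering."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def key_opens(key: bytes, blob: bytes) -> bool:
    """True only if this key authenticates and decrypts the blob."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


def build_onion(route, node_keys, payload):
    """Sender wraps the payload once per node, innermost for the destination, outermost
    for the first hop. Each layer's plaintext is: next-hop name (padded) || inner layer."""
    blob, next_hop = payload, ""            # empty next hop means "you are the destination"
    for node in reversed(route):
        blob = encrypt(node_keys[node], next_hop.ljust(HOP_LEN).encode() + blob)
        next_hop = node
    return blob


def peel(node, node_keys, blob):
    """A node strips its own layer and learns only the next hop plus an opaque inner blob."""
    inner = decrypt(node_keys[node], blob)
    return inner[:HOP_LEN].decode().strip(), inner[HOP_LEN:]


def traverse(route, node_keys, onion):
    """Simulate forwarding; return what each node learned and the delivered payload."""
    learned, node, blob = [], route[0], onion
    while True:
        next_hop, blob = peel(node, node_keys, blob)
        learned.append((node, next_hop))
        if not next_hop:
            return learned, blob
        node = next_hop


def still_recoverable_after_shred(secret: bytes) -> bool:
    """Crypto shredding: the ciphertext stays on the media, every copy of the key is destroyed.
    Afterwards a party without the key (modelled here as a fresh random guess) cannot open it."""
    key = os.urandom(32)
    stored = encrypt(key, secret)          # data at rest, encrypted under 'key'
    assert decrypt(key, stored) == secret  # recoverable while the key exists
    del key                                # destroy the only copy of the key
    return key_opens(os.urandom(32), stored)


if __name__ == "__main__":
    route = ["n1", "n2", "n3", "dest"]
    keys = {n: os.urandom(32) for n in route}   # constructed per-node keys
    onion = build_onion(route, keys, b"secret report")
    learned, data = traverse(route, keys, onion)
    print(learned, data)
    print("n3 can open the outer layer:", key_opens(keys["n3"], onion))
    print("recoverable after shred:", still_recoverable_after_shred(b"customer export"))
```

The `learned` list makes the anonymity property concrete: `n2` sees only that it should forward to `n3`, and the ciphertext it forwards is authenticated under `n3`'s key, so `n2` cannot open it. The shredding function shows why the video files the technique between purging and clearing: with the key gone, recovery depends on the key never being recovered or brute forced and the cipher having no flaw, exactly the caveats the transcript lists.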