CISSP Domain #2: Asset Security- Part 2
Hey There! We are back with the second blog post to continue with the remaining topics of asset security. In our last blog, we took a quick overview of asset security topics including the core concepts of asset security, information classification, data ownership, and data retention. In this post, we will cover the two remaining key concepts: protecting privacy, and data security controls. So, let's begin, shall we?
Protecting Privacy
A devastating incident that shook the entire globe pushed many countries to make a much-needed shift toward securing their systems rather than concentrating only on privacy. The Edward Snowden revelations, however, made organizations rethink a security-only focus. Today, most organizations treat both security and privacy as part of information system security. Data security and privacy are strongly affected by two things:
Things That Affect Data Security
- Data owners: those who legally own the data play a crucial role in privacy protection, because they are the entity who, directly or indirectly, decides who has access to the data.
- Data remnants: residual data that remains on storage media after a file has been deleted or the media is reused. If the media is not sanitized properly, remnants can be recovered and threaten privacy. There are several approaches to dealing with data remnants:
- Overwriting: the organization makes the original data unrecoverable by replacing every storage location with fixed or random patterns of 0s and 1s. Caveat: overwriting only works if the device really rewrites the same physical blocks; SSD wear levelling and copy-on-write filesystems may leave old copies behind.
- Encryption: the data is stored encrypted with a key that only the data owner controls; once the key is destroyed, whatever remains on the media is unusable even if it is never overwritten (often called crypto-shredding).
- Degaussing: the media is exposed to a strong magnetic field, which scrambles the magnetic domains and erases the original data. It works only on magnetic media (hard disks, tape), not on SSDs or other flash storage, and it usually leaves the drive unusable.
- Physical destruction: the media itself is destroyed, for example by shredding, so that nothing can be read from it.
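As an added example that is not part of the original post, the following Python script demonstrates two of the approaches above, overwriting and encryption with key destruction (crypto-shredding), on a constructed sample record. The temporary file, the record, and all helper names (`overwrite_file`, `CryptoShredStore`, `demo`) are assumptions made for this demonstration. The keystream cipher is an HMAC-SHA256 counter construction chosen only so the script runs with the standard library; it is not authenticated and is not a substitute for AES-GCM or another AEAD in production. The overwrite part also shows the caveat in practice: it rewrites the file's logical blocks, which a wear-levelling SSD or copy-on-write filesystem does not guarantee map to the same physical location.

```python
"""Added example (not from the original post): two data-remnant countermeasures.
1. Overwriting: rewrite every byte of a file with fixed and random patterns.
2. Crypto-shredding: keep data encrypted and destroy the key instead of the data.
The sample record, file and helper names are constructed for this demonstration."""
import hashlib
import hmac
import os
import secrets
import tempfile

# Overwrite passes: all zeros, all ones, then random bytes (None = random).
OVERWRITE_PASSES = (b"\x00", b"\xff", None)


def overwrite_file(path, passes=OVERWRITE_PASSES, chunk=64 * 1024):
    """Overwrite the file at `path` in place, one pass per pattern, and return
    the number of passes written. File size is unchanged. Caveat: this rewrites
    logical blocks; SSD wear levelling, journaling and copy-on-write filesystems
    may keep the old physical copy, so it is not a guarantee on such media."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next
    return len(passes)


def file_contains(path, needle):
    """True if the raw bytes of the file still contain `needle`."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def keystream_xor(key, nonce, data):
    """Demo stream cipher: HMAC-SHA256(key, nonce || counter) used as keystream.
    Encrypt and decrypt are the same operation. Not authenticated; production
    code should use an AEAD such as AES-GCM instead."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class KeyDestroyed(Exception):
    """Raised when data is requested after its key has been shredded."""


class CryptoShredStore:
    """Holds one encrypted record; destroying the key makes the ciphertext useless."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # held only by the data owner
        self.nonce = secrets.token_bytes(16)
        self.blob = b""                      # what would remain on the media

    def write(self, plaintext):
        self.blob = keystream_xor(self._key, self.nonce, plaintext)

    def read(self):
        if self._key is None:
            raise KeyDestroyed("key was shredded; ciphertext is unrecoverable")
        return keystream_xor(self._key, self.nonce, self.blob)

    def shred_key(self):
        self._key = None  # crypto-shredding: self.blob stays behind but is unusable


def demo(record=b"name=J. Doe; ssn=123-45-6789 (constructed sample record)"):
    """Run both countermeasures on `record` and report what is still visible."""
    marker = b"123-45-6789"
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            fh.write(record)
        visible_before = file_contains(path, marker)
        passes = overwrite_file(path)
        visible_after = file_contains(path, marker)
    finally:
        os.remove(path)

    store = CryptoShredStore()
    store.write(record)
    readable_with_key = store.read() == record
    store.shred_key()
    try:
        store.read()
        readable_after_shred = True
    except KeyDestroyed:
        readable_after_shred = False

    return {
        "visible_before_overwrite": visible_before,
        "overwrite_passes": passes,
        "visible_after_overwrite": visible_after,
        "readable_with_key": readable_with_key,
        "remnant_leaks_plaintext": marker in store.blob,
        "readable_after_shred": readable_after_shred,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints the six checks: the record is visible in the file before overwriting and gone afterwards, the encrypted remnant never contains the plaintext marker, and once the key is shredded the stored blob can no longer be read. The encrypted path is the one that survives the SSD caveat, because nothing useful is left to recover regardless of where the physical blocks ended up.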
Limiting The Collection Of Data
An organization should collect only the least amount of data it needs, because over-collection can be a serious legal matter. By 2014, more than 100 countries had passed privacy protection laws that directly or indirectly affect organizations. The policies vary from one country to another; for instance, Argentina was cited as having some of the most restrictive policies, whereas China, at that time, had no privacy restrictions.
Data security controls
Determining the security controls for an organization is a challenging task. To make it easier, scoping and tailoring are used to choose the controls: scoping selects which controls from a baseline apply to a given system, and tailoring adjusts those controls to the organization's environment. On top of this, the choice of control depends heavily on the state of the data: in motion, in use, or at rest. To protect data in all of these states, the following approaches are used:
- Scoping and tailoring
- Drive encryption (data at rest)
- Media transportation (protecting removable media in transit)
- Protecting data in motion
An ideal security baseline for the organization should be:
- Generic: a generic baseline is useful when a new device is introduced into the IT infrastructure, since it applies regardless of the specific product.
- Absolute: these are the security baselines for devices, operating systems, mobile technologies, appliances, and other systems that are commonly used in the IT environment.
As an aspirant, you must know that asset security is applied worldwide, including by communities, government bodies, and non-government organizations. If you still have any doubts or questions regarding asset security, you can take the ISC2 Certification Course from ProICT Training. Browse the site to learn more!