Published by Mariah Watts. Modified over 9 years ago.

Chapter 5: Protecting Security of Assets

Classifying and Labeling Assets
- Defining sensitive data
- Defining classifications
- Defining data security requirements
- Understanding data states
- Managing sensitive data
- Protecting confidentiality with cryptography

Defining Sensitive Data
- Personally identifiable information (PII)
  - NIST SP 800-122
- Protected health information (PHI)
  - HIPAA
- Proprietary data
- Credit Card
- Mobile Payments (MCX or Apple-Pay)

Defining Classifications 1/2
- Government/military
  - Top secret
  - Secret
  - Confidential
  - Unclassified
- Nongovernment
  - Classes 3, 2, 1, 0

Defining Classifications 2/2
- Civilian
  - Confidential or proprietary
  - Private
  - Sensitive
  - Public

Defining Data Security Requirements
- Encrypt everything
- Consider the value of data
- Use labels and enforcement
- Use data loss prevention (DLP)
- Set requirements for
  - Communications
  - Storage
  - Backups

Understanding Data States
- Data at rest
- Data in motion
- Data in use
- Encryption
- Authentication
- Authorization

Managing Sensitive Data
- Marking sensitive data
- Handling sensitive data
- Storing sensitive data
- Destroying sensitive data
  - Erasing, clearing, purging, declassification
  - Sanitization, degaussing, destruction
- Retaining assets

Protecting Confidentiality with Cryptography
- Protecting data with symmetric encryption
  - AES
  - Triple DES
  - Blowfish
- Protecting data with transport encryption
  - TLS
  - VPN
  - IPSec
  - SSH

Identifying Data Roles
- Data owners
- System owners
- Business/mission owners
- Data processors
- Administrators
- Custodians
- Users

Protecting Privacy
- Using security baselines – NIST SP 800-53
- Scoping and tailoring
- Selecting standards