Chapter 5: Protecting Security of Assets

Classifying and Labeling Assets Defining sensitive data Defining classifications Defining data security requirements Understanding data states Managing sensitive data Protecting confidentiality with cryptography

Defining Sensitive Data Personally identifiable information (PII) NIST SP Protected health information (PHI) HIPAA Proprietary data Credit Card Mobile Payments (MCX or Apple-Pay)

Defining Classifications 1/2 Government/military Top secret Secret Confidential Unclassified Nongovernment Classes 3, 2, 1, 0

Defining Classifications 2/2 Civilian Confidential or proprietary Private Sensitive Public

Defining Data Security Requirements Encrypt everything Consider the value of data Use labels and enforcement Use data loss prevention (DLP) Set requirements for Communications Storage Backups

Understanding Data States Data at rest Data in motion Data in use Encryption Authentication Authorization

Managing Sensitive Data Marking sensitive data Handling sensitive data Storing sensitive data Destroying sensitive data Erasing, clearing, purging, declassification Sanitization, degaussing, destruction Retaining assets

Protecting Confidentiality with Cryptography Protecting data with symmetric encryption AES Triple DES Blowfish Protecting data with transport encryption TLS VPN IPSec SSH

Identifying Data Roles Data owners System owners Business/mission owners Data processors Administrators Custodians Users

Protecting Privacy Using security baselines – NIST SP Scoping and tailoring Selecting standards