Chapter 5: Protecting Security of Assets
Classifying and Labeling Assets Defining sensitive data Defining classifications Defining data security requirements Understanding data states Managing sensitive data Protecting confidentiality with cryptography
Defining Sensitive Data Personally identifiable information (PII) NIST SP Protected health information (PHI) HIPAA Proprietary data Credit Card Mobile Payments (MCX or Apple-Pay)
Defining Classifications 1/2 Government/military Top secret Secret Confidential Unclassified Nongovernment Classes 3, 2, 1, 0
Defining Classifications 2/2 Civilian Confidential or proprietary Private Sensitive Public
Defining Data Security Requirements Encrypt everything Consider the value of data Use labels and enforcement Use data loss prevention (DLP) Set requirements for Communications Storage Backups
Understanding Data States Data at rest Data in motion Data in use Encryption Authentication Authorization
Managing Sensitive Data Marking sensitive data Handling sensitive data Storing sensitive data Destroying sensitive data Erasing, clearing, purging, declassification Sanitization, degaussing, destruction Retaining assets
Protecting Confidentiality with Cryptography Protecting data with symmetric encryption AES Triple DES Blowfish Protecting data with transport encryption TLS VPN IPSec SSH
Identifying Data Roles Data owners System owners Business/mission owners Data processors Administrators Custodians Users
Protecting Privacy Using security baselines – NIST SP Scoping and tailoring Selecting standards