Data Handling Requirements
This article will help you answer three main questions:
- How to define data security requirements?
- What are the types of data states?
- Which are the main components of managing sensitive data?
In essence, these questions, along with their accompanying subsections, cover a small portion of one of the CISSP CBK’s domains, namely, the domain entitled Asset Security (Protecting Security of Assets), which consists of the following topics:
- Information and asset classification
- Ownership (e.g. data owners, system owners)
- Protect privacy
- Appropriate retention
- Data security controls
- Handling requirements (e.g. markings, labels, storage) (the topic covered by this article)
For the most part, this article is based on the 7th edition of CISSP Official Study Guide. Note that there are eight slides which appear at different places in the text. Their purpose is twofold:
- To provide you with a summary of the most important elements related to a particular section.
- To allow you to assemble this collection of slides and create a slideshow.
There is also a 10-question CISSP practice quiz at the end of this article. Its questions belong to the same domain and bear some relation to data handling. You can find the answers right after the reference list.
I. How to Define Data Security Requirements?
Every company has unique security requirements. Many topics on the CISSP exam are addressed in general terms, so the general answers may not map neatly onto the real world. The security and management teams must cooperate to prioritize the company’s security needs and security requirements. Knowing which assets or tenets are most important goes a long way towards resolving this. Sometimes, however, it is not simple to determine which assets require more attention as far as security requirements are concerned.
One possible solution is to begin such prioritization by the three primary security tenets, namely, confidentiality, integrity, and availability (the CIA triad). The security requirements should be modeled after the organization’s existing security policy. You can see below an example of data security requirements for emails and email attachments.
It is important to remember that “Defining Data Security Requirements” is a step that takes place after “Defining Data Classifications.”
Encryption is one of the most important security controls used to protect data. Even when a device or a USB drive is lost, the data remains safe if it is encrypted. Besides, in many cases encryption is legally mandated, so it is not merely a voluntary measure. Corporate policies should keep up with current practice in data encryption, and all employees must follow them strictly.
The trusted platform module (TPM) chip is a relatively new cryptographic hardware processor which, in theory, can provide a greater level of security than standard software encryption, for three reasons: it supports system attestation (i.e., it “allows one to confirm, authenticate, or prove a system to be in a specific state”); it offers an improved form of protection based on “calculating hashed values based on items such as system’s firmware, configuration details, and core components of the operating system as it boots, along with a secret key stored in the TPM”; and it can be combined with other forms of data protection (the layered approach, also known as defense in depth).
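To make the measured-boot and attestation idea concrete, here is an added example (not from the study guide or any TPM vendor's code) that simulates a Platform Configuration Register (PCR) being extended with each boot component in turn and a quote over that PCR keyed with a secret held inside the TPM. The component names and contents, the nonce and the secret are constructed, and the HMAC stands in for the signature a real TPM produces with its attestation key.

```python
import hashlib
import hmac

HASH = hashlib.sha256
INITIAL_PCR = b"\x00" * 32  # PCRs start at all zeros on reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR_new = H(PCR_old || H(component)); the order of extends matters."""
    return HASH(pcr + HASH(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Extend one PCR with each boot stage in the order it was loaded."""
    pcr = INITIAL_PCR
    for _name, blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def quote(pcr: bytes, nonce: bytes, tpm_secret: bytes) -> bytes:
    """Attestation: a MAC over the PCR and a verifier-chosen nonce, keyed with
    a secret that never leaves the TPM (a real TPM signs with an attestation key)."""
    return hmac.new(tpm_secret, pcr + nonce, HASH).digest()


def verify_quote(expected_pcr: bytes, nonce: bytes, tpm_secret: bytes,
                 presented: bytes) -> bool:
    """The verifier knows the golden PCR value and recomputes the quote."""
    return hmac.compare_digest(quote(expected_pcr, nonce, tpm_secret), presented)


# Constructed sample boot chain (hypothetical names and contents).
GOOD_BOOT = [("firmware", b"vendor-fw-1.2"),
             ("boot-config", b"root=/dev/sda1 quiet"),
             ("kernel", b"vmlinuz-5.x")]
TPM_SECRET = b"constructed-secret-sealed-in-tpm"


def demo():
    """Returns (attestation result for the known-good chain,
    attestation result after one boot component has been altered)."""
    golden = measure_boot(GOOD_BOOT)  # recorded once, at enrollment
    nonce = b"fresh-challenge-0001"   # a fresh nonce prevents replay of an old quote
    good_ok = verify_quote(golden, nonce, TPM_SECRET,
                           quote(golden, nonce, TPM_SECRET))
    altered = [GOOD_BOOT[0], GOOD_BOOT[1], ("kernel", b"vmlinuz-5.x-modified")]
    bad_pcr = measure_boot(altered)   # the changed stage changes every later extend
    bad_ok = verify_quote(golden, nonce, TPM_SECRET,
                          quote(bad_pcr, nonce, TPM_SECRET))
    return good_ok, bad_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```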
Another promising option for a workable data protection technology is the self-encrypting drive (SED). SEDs offer built-in encryption, a feature that may satisfy compliance laws, and the contents of a SED are always encrypted, including the encryption keys, which should be rotated regularly and stored separately from the data. In addition, such devices are easy to use and do not noticeably degrade system performance or user productivity.
Regarding location, encryption can be either:
- Link encryption – all data in transit is encrypted along the entire communication line, and the source/destination details remain hidden at all times.
- End-to-end encryption – normally performed by the end user; the source/destination details, however, are visible to anyone who intercepts the traffic.
II. What are the Types of Data States?
Data should be protected at all times, which means in all of its states: at rest (stored on hard drives, external drives, backup tapes and storage area networks (SANs)), in use (for instance, temporarily held by an application) and in motion (any data transmitted over a network).
Strong encryption protocols, strong authentication, and authorization controls are the main pillars of data protection and of protecting data confidentiality. To make this rule of thumb concrete, let’s examine the different data states in the context of a company that handles customer credit card data. Firstly, real-life applications need to isolate customer credit card data and store it on a separate database server (data at rest). Secondly, strong authentication and authorization prevent unauthorized entities from mishandling the credit card information (data in use). Thirdly, every time a request for a data transfer reaches the database server, the requested data must be encrypted with a transport encryption algorithm before it is transmitted (data in transit).
Data at rest may become the subject of attacks such as:
- Pod slurping – surreptitiously downloading and copying data onto a portable storage device, a form of so-called cyber exploitation
- USB malware – e.g., USB Switchblade and Hacksaw
- Common forms of malware – worms, viruses, Trojans, keyloggers, etc.
As to data in transit, many widely used services such as email and web browsing were not designed with security in mind. For that reason, they typically come with no encryption and few security controls. The table below lists some insecure protocols:

| Protocol | Weakness |
|---|---|
| FTP | clear text, including username and password |
| Telnet | clear text, including username and password |
| HTTP | clear text |
| SMTP | all data is passed unobscured |
Nowadays, employees often connect to the Internet via free but untrustworthy Wi-Fi hotspots in airports, restaurants, hotels, coffee shops, etc. Data in transit can be protected with a Virtual Private Network (VPN), which in essence creates a protected tunnel between the connected devices.
Standard email services have no encryption capabilities of their own – most email protocols, such as IMAP, POP3 and SMTP, relay data as unprotected text – thus exposing data in transit to risk. To protect such email, one must use email security mechanisms, for example Secure/Multipurpose Internet Mail Extensions (S/MIME), Privacy Enhanced Mail (PEM), and PGP.
III. Managing Data — Marking, Handling, Storing, and Destroying Sensitive Data
There is a direct link between managing sensitive data and preventing data breaches; indeed, a data breach is among the least wanted outcomes when handling sensitive data.
The Official Guide to CISSP states that “[l]ogical and physical controls, such as marking, handling, storing, and declassification, provide methods for secure handling of sensitive media.”
It is crucial that all classified information assets be marked and labeled clearly. Apart from systems using mandatory access control (MAC), most systems, which rely on discretionary access control (DAC), do not apply labels uniformly or accurately.
Otherwise known as labeling, marking sensitive information is a process in which a mark or a label is placed on different datasets to identify their classification level. By way of illustration, a “Top Secret” label serves to inform a person about the fact that this information is of utmost sensitivity and confidentiality.
Once a data set is marked/labeled, one can easily identify the importance of data itself and take necessary steps to ensure its availability, confidentiality and integrity based on the values determined during the classification phase.
An organization’s security policy usually includes specific clauses on labeling that indicate the sensitivity of the data contained. These labels also give personnel immediate details on whether the media is encrypted, who the point of contact is, and what the retention period is.
Labels can be used even for unclassified equipment and media. By doing so, the chances of errors of omission or of mishandling classified data decrease considerably. Hence, if an unmarked media object is found, it is to be labeled immediately as “Classified” (or whatever the highest sensitivity level is) until a thorough analysis proves otherwise.
Marking can take various forms, for instance physical labels for data stored on media or processed on systems (e.g., a backup tape holding secret data carries a physical label on the tape to denote the greater significance of its contents).
Digital marking is another type of marking: a classification mark or label embedded into pages as a watermark or as a header and/or footer. Such digital marks appear on printouts, which is a clear benefit of the method. Another positive aspect of headers, footers and watermarks is that they are compatible with data loss prevention (DLP) systems. Also, a black desktop background with additional markings, such as the title “Proprietary” and a white/orange border, may signify that the machine contains proprietary data. Once recognized through its digital marking, a media object containing sensitive information is handled by the appropriate security controls. It is not uncommon for DLP systems to attach metadata to documents upon detecting classified content. This is a matter of optimization: the metadata tags describe the content of the documents, which in turn helps the DLP system handle them appropriately.
As to downgrading media on which classified data resides, where this is allowed at all, the individuals entrusted with the task should follow the corporate procedures that securely erase all usable data and then replace the labels. Nevertheless, most organizations forbid downgrading media altogether; instead, their policy usually mandates destroying media that contain secret data when it reaches the end of its life cycle.
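An added example (not from the article or any DLP product) of the digital-marking logic described above: it looks for classification markings in a document's header and footer lines, attaches metadata tags, derives handling controls from the level, and, following the rule for unmarked media, tags anything unmarked at the highest level pending review. The level names, tag fields, control thresholds and sample documents are all constructed.

```python
import re

# Classification levels, least to most sensitive (constructed list).
LEVELS = ["PUBLIC", "PROPRIETARY", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
# Longest names first so "TOP SECRET" is not matched as plain "SECRET".
MARK_RE = re.compile(
    r"\b(" + "|".join(re.escape(l) for l in sorted(LEVELS, key=len, reverse=True)) + r")\b",
    re.IGNORECASE)


def find_markings(text: str, edge_lines: int = 2) -> set:
    """Classification words found in the header/footer (first/last non-blank lines).
    Body text is deliberately not scanned: a sentence mentioning 'public' is not a marking."""
    lines = [l for l in text.splitlines() if l.strip()]
    edges = lines[:edge_lines] + lines[-edge_lines:]
    return {m.group(1).upper() for l in edges for m in MARK_RE.finditer(l)}


def classify(text: str) -> dict:
    """Attach metadata: several markings resolve to the highest one and are
    flagged; an unmarked document is tagged at the top level pending review."""
    found = find_markings(text)
    if not found:
        return {"level": LEVELS[-1], "marked": False, "needs_review": True}
    level = max(found, key=LEVELS.index)
    return {"level": level, "marked": True, "needs_review": len(found) > 1}


def handling_rules(tag: dict) -> dict:
    """Controls the article lists, keyed off the level (thresholds constructed):
    encryption at rest, locked physical storage, markings on printouts."""
    rank = LEVELS.index(tag["level"])
    return {
        "encrypt_at_rest": rank >= LEVELS.index("PROPRIETARY"),
        "locked_storage": rank >= LEVELS.index("CONFIDENTIAL"),
        "mark_printouts": rank >= LEVELS.index("PROPRIETARY"),
    }


# Constructed sample documents.
DOC_MARKED = ("ACME Corp\nCONFIDENTIAL\n\nQ3 pricing sheet.\n"
              "Unit cost table follows.\n\nCONFIDENTIAL - page 1 of 1")
DOC_MIXED = "SECRET\n\nBody line.\nBody line.\nBody line.\n\nPUBLIC"
DOC_BODY_WORD = ("PROPRIETARY\nLine A\nThis is a public statement.\n"
                 "Line B\nLine C\nPROPRIETARY")
DOC_UNMARKED = "Meeting notes\n\nAgenda item 1.\nAgenda item 2.\nAction items."

if __name__ == "__main__":
    for name, doc in [("marked", DOC_MARKED), ("mixed", DOC_MIXED),
                      ("body word", DOC_BODY_WORD), ("unmarked", DOC_UNMARKED)]:
        tag = classify(doc)
        print(name, tag, handling_rules(tag))
```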
The importance of sensitive information may decrease over time. In these cases, a process entitled “declassification” may prove handy because it will remove the burden to ensure excessive protection for data which is no longer sensitive. By declassifying information, related activities, that is, marking, handling, and storage requirements will most likely be reduced as well.
“Handling refers to the secure transportation of media through its lifetime. Personnel handles data differently based on its value and classification, and as you would expect, highly classified information needs much greater protection,” as explained in the 7th edition of CISSP Official Study Guide.
Media containing sensitive data should be handled according to the value and classification of the data in question throughout its entire lifetime. Unfortunately, many people become so accustomed to handling sensitive data that they treat it on a par with less sensitive data, for instance public data. This imprudence may be detrimental to the security and protection of the sensitive data. To illustrate this point, let’s look at several real-life incidents that resulted in the loss of backups:
- In 2012, the TD Bank misplaced two backup tapes with customer data, which contained unencrypted personal information of more than 267,000 customers.
- The same year, the Cattles Group, which specializes in personal loans and debt recovery, admitted losing two unencrypted backup tapes, containing information about 1.4 million customers.
- In 2011, lost backup tapes belonging to the healthcare provider Tricare, which had been entrusted to the care of Science Applications International Corp. (SAIC), a high-tech defense contractor, affected 4.9 million current and former U.S. soldiers.
Recommendations on handling sensitive data:
- only designated employees should have access to sensitive media
- policies and procedures on how to handle sensitive media should be promulgated
- with respect to the previous point, regular personnel training sessions should be an inseparable part of this process
- despite all the effort put into the preceding phases, security experts should never assume that everyone is fully aware of, or comprehends, all security procedures; an effective countermeasure is to use logs and other records to track the activities of personnel handling backup media
Any data loss can be potentially disastrous. Therefore, each organization should undertake a number of measures to guarantee an utmost level of protection with regard to storing data, especially when sensitive data is involved. Some of these measures are, as follows:
- Encryption – for instance, AES-256 encryption and the built-in capabilities of many operating systems to encrypt files and whole disk drives.
- Physical safety – sensitive data stored on physical media (e.g. backup tapes or portable thumb drives) is to be kept locked in safes, vaults or secure rooms.
- Do not compromise on the quality of the media holding the sensitive data – purchase high-quality media, such as USB flash drives with built-in encryption or such that come along with biometric authentication features.
Ideally, each of these steps provides one layer of protection. Encryption, however, should be considered a conditio sine qua non for any data at rest. Also, heating, ventilation, and air conditioning (HVAC) systems provide the environmental controls that keep the media holding sensitive data intact.
Recommendations on storing sensitive data:
- do not store sensitive media where a random passerby could access it
- ideally, backup media should be encrypted and then stored in a fire-resistant box
- it is a good idea to store encrypted backup media at an off-site location for disaster recovery purposes
- access limits and separation of duties should be enforced except in cases where it is cost-ineffective.
All organizations are advised to incorporate into their security or data policy a proper data destruction program based on predefined acceptable methods for completely erasing media holding sensitive information. The 7th edition of CISSP Official Study Guide provides an excellent example of the nuances of caution one needs to take depending on the data classification: “[A]n organization may require the complete destruction of media holding highly classified data, but allow personnel to use software tools to overwrite data files classified at a lower level.”
Hard drives, magnetic media, or thumb drives must go through a process called “Sanitization.” The ultimate goal behind this action (no matter how arduous it might be) is rendering the entire data completely irrecoverable. Widely used sanitization methods are:
- Drive wiping – overwriting all information on the drive, which in essence allows the drive to be reused.
- Zeroization – i.e., overwriting all data with zeros. Originally used with mechanical cryptographic devices, zeroization still prevents attackers from recovering encryption keys, as well as the sanitized data.
- Degaussing – when the magnetic field of a powerful magnet penetrates the media, it reverses the polarity of the magnetic particles inside the hard disk or tape.
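As an added example (not from the article) of the software side of sanitization, the following code overwrites a file on a local filesystem with random data (drive wiping), finishes with a pass of zeros (zeroization), verifies by reading back that the zeros were written, and only then removes the file. The function names and the sample file contents are constructed.

```python
import os


def overwrite_file(path: str, random_passes: int = 1, chunk: int = 1 << 16) -> int:
    """Overwrite the file in place: random_passes of random data, then one
    pass of zeros. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    patterns = [None] * random_passes + [b"\x00"]  # None = random data
    with open(path, "r+b") as f:
        for pattern in patterns:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass through the OS cache to the device
    return size


def is_zeroized(path: str, chunk: int = 1 << 16) -> bool:
    """Verify the final pass by reading back: every byte must be zero."""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def sanitize_file(path: str, random_passes: int = 1) -> bool:
    """Overwrite, verify, then unlink. Returns True only if the verification
    read back all zeros; the file is removed in either case."""
    overwrite_file(path, random_passes)
    verified = is_zeroized(path)
    os.remove(path)
    return verified


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a temporary file holding a made-up sensitive record.
    fd, tmp = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed sensitive record\n" * 4000)
    print(sanitize_file(tmp), os.path.exists(tmp))  # True False
```

In-place overwriting only reaches the blocks the filesystem currently maps to that file: on SSDs with wear levelling, copy-on-write filesystems, snapshots and backups, other copies survive, which is why firmware sanitize commands, crypto-erase or physical destruction are used for media that held highly classified data.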
Because all data has a lifetime, it will eventually end up being purged, released, or labeled unclassified. For instance, the JFK Records Act of 1992 came into force to classify all records related to the assassination of President John F. Kennedy. However, the act states that these records should be declassified and made public by 2017.
Record retention is a process based on the preservation and maintenance of valuable information and then discarding it in a safe manner when its existence is no longer necessary.
Besides record retention, there are two other types of retention: 1) hardware and 2) personnel. The first refers to all hardware products within an organization being replaced every 3-5 years. Personnel retention, on the other hand, refers to “retaining” the knowledge that personnel gain while employed by an organization. Non-disclosure agreements (NDAs) signed by employees upon hiring prevent them from sharing proprietary data and trade secrets with others.
While organizations are free to draft their own data retention policy, they must also adhere to a number of data retention laws, especially if these organizations operate within regulated industries.
An excellent illustration of a data retention requirement is the one many organizations impose of keeping all audit logs for a minimum of three years. By doing so, these organizations can review past security incidents.
Keeping data indefinitely, however, is sometimes not feasible either, because the longer data is retained, the costlier its upkeep becomes. Moreover, the current trend in data retention policies is towards short email retention periods, out of a desire to reduce legal liabilities.
1. What is considered proprietary information?
- a) Asset information (an IP or MAC address), address information, biometric data, data related to physical characteristics (an image), etc.
- b) Source and object code, copyright materials, engineering drawings, algorithms, schemes, flowcharts, processes of manufacturing, marketing, trade secrets, pricing and financial data, etc.
- c) A Social Security number, driver’s license data, health plan data, medical record numbers, names of relatives, IP addresses, images, biometric data, etc.
2. According to the official CISSP materials, what is considered a type of retention?
- a) Customer retention
- b) Personnel retention
- c) Data retention
- d) Waste retention
- e) Hardware retention
3. Why is it deemed bad practice for companies to tailor their retention schedule to the longest retention period they identify, applying it as a cure-all to all records?
- a) It consumes much space
- b) It creates significant “noise” when employees search or process records
- c) It may increase the exposure to legal liabilities
- d) All of the above
4. Can you briefly describe the term “security baselines” within the meaning of CISSP exam and the main objective of baseline protection?
5. Scoping & Tailoring are stages of which process?
- a) Determining the relevant regulatory framework
- b) Determining data ownership within an organization
- c) Determining security controls
6. What is the type of the U.S. legal system (Tip: civil law system vs. common law system)? Can you explain its main characteristics?
Credit: “Map of the Legal systems of the world.”
7. Do trade secrets fall into the category of intellectual property in the United States?
8. Enumerate three compliance laws in the United States.
9. What is the name of the “successor” of the EU-U.S. Safe Harbor mechanism?
10. Which is the missing data role in the image below?
Abernathy, R. and McMillan, T. (2013). CISSP Cert Guide. Available at https://books.google.bg/books?id=TGYlDAAAQBAJ&pg=PT268&lpg=PT268&dq=data+retention+cissp&source=bl&ots=70xzZI3KMG&sig=fOqRJkXQvTjBiMrezfwVypJc8yw&hl=en&sa=X&ved=0ahUKEwi30qCau5HQAhVF0hoKHd7wAQEQ6AEIPzAH#v=onepage&q=data%20retention%20cissp&f=false (07/12/2016)
Conrad, E., Misenar, S., Feldman, J. (2013). Eleventh Hour CISSP®: Study Guide. Available at https://books.google.bg/books?id=WZo5DAAAQBAJ&pg=PA36&lpg=PA36&dq=business+owner+cissp&source=bl&ots=MHPd5YM_2z&sig=HhedZp4GSREFZSKMYXPh5FZYCN0&hl=bg&sa=X&ved=0ahUKEwiQ08_eyYDQAhUG0hoKHd89DDs4ChDoAQguMAI#v=onepage&q=business%20owner%20cissp&f=false (07/12/2016)
Conrad, E., Misenar, S., Feldman, J. (2016). CISSP Study Guide. Available at https://books.google.bg/books?id=M8EtBQAAQBAJ&pg=PA96&lpg=PA96&dq=scoping+and+tailoring+privacy&source=bl&ots=uqXMIoJuJG&sig=Y7zNS7XTV1or5mf3f2QRv_Qskjw&hl=bg&sa=X&ved=0ahUKEwjrtcHDlu_PAhWGXRQKHTEBCFkQ6AEIRDAE#v=onepage&q=scoping%20and%20tailoring%20privacy&f=false (07/12/2016)
Gibson, D. (2012). CISSP Rapid Review. Available at https://books.google.bg/books?id=CrpCAwAAQBAJ&pg=PT281&lpg=PT281&dq=data+retention+cissp&source=bl&ots=dAw1YsSD47&sig=mOJz-Bp8zE_XvfTfcky0KOAfkXY&hl=en&sa=X&ved=0ahUKEwi30qCau5HQAhVF0hoKHd7wAQEQ6AEIRTAJ#v=onepage&q=data%20retention%20cissp&f=false (07/12/2016)
Gordon, A. (2015). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition. Available at https://www.amazon.com/Official-Guide-CISSP-Fourth-Press/dp/1482262754 (07/12/2016)
Gregg, M. CISSP Exam Cram. Available at https://books.google.bg/books?id=2UzODAAAQBAJ&pg=PT74&lpg=PT74&dq=scoping+and+tailoring+privacy&source=bl&ots=Se48Y2tn1w&sig=RCtlfF8gBupaZgr08uj1OkSV-M0&hl=bg&sa=X&ved=0ahUKEwjrtcHDlu_PAhWGXRQKHTEBCFkQ6AEIPzAD#v=onepage&q=scoping%20and%20tailoring%20privacy&f=false (07/12/2016)
Stewart, J., Chapple, M., Gibson, D. (2015). Certified Information Systems Security Professional Study Guide (7th Edition).
Srinivasan, M. L. (2016). CISSP in 21 Days. Available at https://books.google.bg/books?id=vf5vDQAAQBAJ&pg=PT4&lpg=PT4&dq=cissp+exam+data+handling&source=bl&ots=MMj4n3N305&sig=FizFaYimUsItaD6QCSqc5FwXvU4&hl=bg&sa=X&ved=0ahUKEwi26-CAiO_QAhVM2RoKHTt9An04ChDoAQg7MAM#v=onepage&q&f=false (07/12/2016)
Tipton, H. (2007). Official (ISC)2 Guide to the CISSP CBK. Available at https://books.google.bg/books?id=Ka4oT0PWHUEC&pg=PA106&lpg=PA106&dq=security+baseline+privacy+cissp&source=bl&ots=VyR2snCd41&sig=vU9wQ1-RdD3GGt7HahWCx4dnUJ8&hl=bg&sa=X&ved=0ahUKEwiw5qXrme_PAhXEWRQKHeRBDEEQ6AEIcDAJ#v=onepage&q&f=false (07/12/2016)
2. b), c), e)
4. Security Baselines
The enforcement of the fundamental elements of information security needs a starting point, i.e., the measures collectively known as ‘baselines’, which are in fact the first layer of defense in depth. All the fragments that make up a security baseline create a strong foundation on which an enterprise can build its security backbone. They comprise advanced methods, techniques, and technologies. The main objective of baseline protection is to establish a minimum set of safeguards designed to shield an organization’s IT infrastructure.
Blue – Civil Law / Red – Common Law
Credit: “Map of the Legal systems of the world.”
6. It is a legal system based on principles or concepts, known as precedents, established in courts of law with respect to landmark cases. The relationship between these precedents and the laws or statutes created by a legislature can be complex. By way of illustration, some jurisdictions’ constitutions allow judicial decisions to lay the foundations of future statutes or statutory provisions, or allow courts to interpret the meaning of existing statutory provisions.
The origins of common law can be traced back to Anglo-Saxon law and, to a lesser extent, to legal concepts from Norman law. Common law is in practice today in most of the United Kingdom, Ireland, Australia, New Zealand, most of India, Pakistan, Bangladesh, Hong Kong, South Africa, Canada (excluding Quebec), the United States at the state level (excluding Louisiana), etc.
8. Typical regulatory compliance laws are HIPAA, the Federal Information Security Management Act (FISMA), the Sarbanes-Oxley Act (SOX), and Payment Card Industry Data Security Standard (PCI DSS), to name a few.
9. The “EU-U.S. Privacy Shield.”