CISSP Domain #2: Asset Security – What you need to know for the Exam
What Percentage of the CISSP Exam Material Covers Asset Security?
Asset security falls into the second domain of the CISSP exam and makes up 12.5% of the questions on the exam. Asset security covers the concepts, structures, principles, and standards used to monitor and secure assets, together with the controls that enforce the required levels of confidentiality, integrity, and availability.
By definition, an asset is anything that can be important to the organization, such as partners, employees, facilities, equipment, and information. Information is usually the most important asset to any company or organization and is valuable to every information system. Information moves via the company’s information system and must be disposed of appropriately after it is no longer of use.
CISSP candidates must therefore understand the core concepts of asset security and how they are applied. The following topics are included in this domain:
- Data Management: Maintain and determine ownership.
- Longevity and Use: Data Security, access, sharing, and publishing.
- Data Standards: Data lifecycle control, specification, storage, and archiving.
- Ensure Appropriate Retention: Media, personnel, and hardware, company data retention policies.
- Determine Data Security Controls: Data at rest, data in transit, tailoring and scoping.
The essential piece of metadata attached to an organization’s valuable information is its classification level. The classification tag remains affixed throughout the information life cycle (acquisition, use, archival, and disposal) and ensures that the information is protected accordingly.
The terms used to classify information are “criticality” and “sensitivity,” sometimes in combination. The “sensitivity” of information is compromised if unauthorized individuals access it; examples are the information losses suffered by organizations such as the Office of Personnel Management and the National Security Agency. Critical information, on the other hand, is information necessary for the organization to function. For instance, Code Spaces, a company that offered code repository services, was shut down in 2014 when unauthorized individuals deleted its code repositories.
Exam Tip: The destruction and handling requirements are different for each classification level.
The organization can choose its classification levels, but the choice depends on whether it is a commercial business or a military agency. The typical levels of commercial and military data classification are:
- Public data can be viewed by the general public and, therefore, its disclosure would not cause any damage. For example, the general public can be aware of the organization’s upcoming projects.
- Sensitive information requires extraordinary precautions to ensure its confidentiality and integrity. For example, sensitive data may include a company’s financial information.
- Private data may include personal information, such as credit card information and bank accounts. Unauthorized disclosure can be disastrous.
- Confidential information is only used within the organization and, in the case of unauthorized disclosure, the organization could suffer serious consequences.
- Unclassified information is not sensitive, such as recruiting information in the military.
- Secret information, if disclosed, can adversely affect the national security, such as the release of military deployment plans.
- Top secret information, if disclosed, could cause massive damage to national security, such as the disclosure of spy satellite information.
Exam Tip: The terms “sensitive” and “private” are typically associated with non-governmental organizations (NGOs) and the terms “top secret,” “secret,” and “unclassified” are related to government agencies.
Caution: The classification rule must be applied to data irrespective of its format; it doesn’t matter whether the data is audio, video, fax, digital, paper, etc.
The transit of information must complete its life cycle successfully. The various entities that make the life cycle successful include the data owners, data custodian, system owner, security administrator, supervisor, and user. Each has a unique role in protecting the organization’s assets.
The Data Owner, or Information Owner, is a manager who ensures data protection and determines the classification level. The data owner also determines whether the data is kept in hard-copy or soft-copy form.
The System Owner controls the operation of the computer that stores the data. This involves the software and hardware configuration, such as managing system updates, patches, and so on.
The Data Custodian performs frequent data backups and restoration and maintains security, such as the configuration of antivirus programs.
The Security Administrator assigns permissions and handles data on the network.
The Users must comply with the rules, mandatory policies, standards, and procedures. For instance, a user should not share his or her account or other confidential information with colleagues.
The Supervisor, or User Manager, is responsible for overseeing the activities of all the entities listed above.
Data protection requires that sensitive data, when processed for any purpose, should not be preserved for longer than necessary. Unfortunately, there is no universal agreement on how long an organization should retain data, and the regulatory and legal requirements vary among business communities and countries. Every organization must follow data retention policies to avert disaster, particularly when coping with ongoing or pending litigation.
Examples of retention policies include:
- The State of Florida Electronic Records and Records Management Practices, 2010
- The European Documents Retention Guide, 2012
How to Develop a Retention Policy?
There are three fundamental questions that every retention policy must answer:
- How to Retain Data: The data should be kept in a manner that makes it accessible whenever required. To make this accessibility certain, the organization should consider several issues, including:
  - Taxonomy is the scheme for data classification. The classification involves various categories, such as functional (human resources, product development), organizational (executive, union employee), or any combination of these.
  - Normalization develops tagging schemes that ensure the data is searchable. Non-normalized data is kept in various formats, such as audio, video, PDF files, etc.
- How Long to Retain Data: The classical approaches to data retention longevity were the “keep everything” camp and the “keep nothing” camp. In modern times, both approaches are dysfunctional in many circumstances, particularly when an organization faces a lawsuit.
As mentioned above, there is no universal pact on data retention policies. Nevertheless, rules of thumb or general guidelines for data retention longevity are described in Table 1.
- What Data to Retain: Data related to business management, third-party dealings, or partnerships is valuable for any organization. Moreover, the opinion of counsel is of paramount importance, because counsel advises what data will be useful in the event of litigation.
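The three questions above can be turned into a small retention engine. The following Python code is an added example, not part of the original article: it assumes a constructed retention schedule (the year counts are illustrative placeholders, not the guidelines of Table 1), one taxonomy tag per record, normalized metadata so that records stay searchable, and a legal-hold flag that overrides the schedule while litigation is pending.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed retention schedule: taxonomy category -> years to keep after creation.
# The numbers are illustrative placeholders, not the guidelines of Table 1.
RETENTION_YEARS = {
    "finance/invoice": 7,
    "hr/personnel-file": 6,
    "ops/server-log": 1,
}


@dataclass
class Record:
    record_id: str
    category: str                                 # taxonomy tag
    created: date
    tags: dict = field(default_factory=dict)      # normalized, searchable metadata
    legal_hold: bool = False                      # set while litigation is pending


def normalize_tags(raw):
    """Normalization: one tagging scheme so that records remain searchable
    ('Customer ' and 'customer' must index the same way)."""
    return {str(k).strip().lower(): str(v).strip() for k, v in raw.items()}


def retention_deadline(record):
    """Earliest date on which the record may be disposed of."""
    years = RETENTION_YEARS[record.category]
    try:
        return record.created.replace(year=record.created.year + years)
    except ValueError:                            # created on 29 February
        return record.created.replace(year=record.created.year + years, month=3, day=1)


def disposition(record, today):
    """Decide what to do with one record today."""
    if record.category not in RETENTION_YEARS:
        return "review"       # no schedule for this category: escalate to counsel
    if record.legal_hold:
        return "hold"         # pending litigation overrides the schedule
    return "dispose" if today >= retention_deadline(record) else "retain"


def run_schedule(records, today_iso):
    """Apply the schedule to every record as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {r.record_id: disposition(r, today) for r in records}


def find(records, **criteria):
    """Search on normalized tags, e.g. find(records, customer="Acme")."""
    return [r.record_id for r in records
            if all(r.tags.get(k) == v for k, v in criteria.items())]


# Constructed sample records (hypothetical identifiers and dates)
SAMPLE_RECORDS = [
    Record("INV-001", "finance/invoice", date(2015, 3, 10), normalize_tags({"Customer ": " Acme "})),
    Record("INV-002", "finance/invoice", date(2021, 6, 1), normalize_tags({"customer": "Acme"})),
    Record("HR-007", "hr/personnel-file", date(2016, 1, 15), legal_hold=True),
    Record("LOG-42", "ops/server-log", date(2022, 9, 30)),
    Record("MISC-1", "uncategorized", date(2020, 1, 1)),
]

if __name__ == "__main__":
    for rid, action in run_schedule(SAMPLE_RECORDS, "2023-01-01").items():
        print(rid, action)
```

Running the schedule as of 2023-01-01 disposes of the 2015 invoice, retains the 2021 invoice and the recent log, holds the personnel file despite its deadline having passed, and flags the uncategorized record for review rather than silently keeping or deleting it.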
After the trauma of the 9/11 attacks in New York City, many countries moved towards security at the expense of privacy. However, the disclosures by Edward Snowden in 2013 again motivated countries to focus more on privacy protection. Many organizations now consider both security and privacy in their information systems.
Data Owners play a vital role in privacy protection, as they directly or indirectly decide who has access to particular data.
Data remnants are left behind even after data is deleted, and they can seriously threaten privacy. In fact, a deletion operation merely marks the storage as available for other data without erasing the original content. There are four approaches used to counter data remanence:
- Overwriting makes the original data unrecoverable by replacing the contents of its storage location (the pattern of 0’s and 1’s) with fixed or random patterns of 0’s and 1’s.
- Degaussing removes the magnetic field patterns on disk drives using a strong magnetic field. As a result, the original data is wiped and unrecoverable.
- Encryption makes the data unusable even after deletion, because the data can only be read with a key that is available only to the data owner.
- Physical destruction is achieved when the physical media is destroyed, for example by shredding.
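To make the remanence point concrete, here is an added Python example (not code from the article) that simulates a tiny block device: an ordinary delete only clears the allocation entry and a raw scan of the media still finds the bytes; overwriting the location before deletion removes them; and with encryption the media never held plaintext, so destroying the only copy of the key leaves nothing usable behind. The disk, the payroll record and the keystream cipher (XOR with SHA-256 of key and counter) are all constructed for illustration; the cipher is a toy, not a production algorithm.

```python
import hashlib
import secrets

SECTOR = 16  # bytes per sector of the constructed toy disk


class SimDisk:
    """Constructed toy block device: a flat byte array plus an allocation table.
    As on a real filesystem, unlinking only drops the table entry; the bytes
    stay on the media until something overwrites them."""

    def __init__(self, sectors=8):
        self.media = bytearray(sectors * SECTOR)
        self.table = {}      # name -> (offset, length)
        self.next_free = 0

    def write(self, name, data):
        off = self.next_free
        self.media[off:off + len(data)] = data
        self.table[name] = (off, len(data))
        self.next_free += -(-len(data) // SECTOR) * SECTOR   # round up to a sector
        return off

    def read(self, name):
        off, length = self.table[name]
        return bytes(self.media[off:off + length])

    def unlink(self, name):
        """Ordinary delete: forget where the file was, leave its bytes in place."""
        self.table.pop(name)

    def overwrite_and_unlink(self, name, random_passes=2):
        """Sanitize by overwriting: random patterns, then a fixed zero pattern."""
        off, length = self.table[name]
        for _ in range(random_passes):
            self.media[off:off + length] = secrets.token_bytes(length)
        self.media[off:off + length] = bytes(length)
        self.unlink(name)

    def raw_scan(self, needle):
        """Forensic view: search the whole media, ignoring the allocation table."""
        return needle in bytes(self.media)


def keystream_xor(key, data):
    """Toy stream cipher for illustration only: XOR with SHA-256(key || counter).
    Applying it twice with the same key restores the original bytes."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


PAYROLL = b"PAYROLL:alice:42000"   # constructed sensitive record


def plain_delete_leaves_remnant():
    """Delete without sanitizing: the remnant is still on the media."""
    disk = SimDisk()
    disk.write("payroll.txt", PAYROLL)
    disk.unlink("payroll.txt")
    return disk.raw_scan(b"PAYROLL")


def overwrite_removes_remnant():
    """Overwrite the location before deleting: nothing recoverable remains."""
    disk = SimDisk()
    disk.write("payroll.txt", PAYROLL)
    disk.overwrite_and_unlink("payroll.txt")
    return disk.raw_scan(b"PAYROLL")


def crypto_shred():
    """Returns (plaintext ever on media, readable with key, readable after key destroyed)."""
    disk = SimDisk()
    key = secrets.token_bytes(32)             # the only copy of the key
    disk.write("payroll.txt", keystream_xor(key, PAYROLL))
    on_media = disk.raw_scan(b"PAYROLL")      # ciphertext only, never plaintext
    with_key = keystream_xor(key, disk.read("payroll.txt")) == PAYROLL
    key = None                                # crypto-shred: destroy the key
    disk.unlink("payroll.txt")
    # Without the key, the leftover bytes are unusable ciphertext.
    return on_media, with_key, disk.raw_scan(b"PAYROLL")


if __name__ == "__main__":
    print("remnant after plain delete:", plain_delete_leaves_remnant())
    print("remnant after overwrite:   ", overwrite_removes_remnant())
    print("crypto-shred (on media, with key, after key loss):", crypto_shred())
```

The simulation mirrors the real-world ordering of the controls: overwriting and crypto-shredding both work because they act on the stored bits or the key before the allocation entry is dropped, whereas a plain delete acts only on the allocation entry.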
Limits on Collection: Organizations should collect only the minimum amount of data needed, as collection can become a matter of law later on. In 2014, more than 100 countries passed privacy protection laws that affect organizations in their jurisdictions. The policies vary among countries; for example, Argentina has the most restrictive privacy laws, while China has no restrictions at all.
Data Security Controls
Determining data security controls is a Herculean task; standards, scoping, and tailoring are employed to choose the controls. The choice of controls is also affected by whether the data is in motion, at rest, or in use. Figure 1 shows the states of data.
Scoping and Tailoring: Scoping is the process of determining which standard will be used by the organization. Tailoring customizes the standard for the organization.
Data in motion is data that is being transmitted across the network, while data at rest is stored on the hard drive. Either type needs unique controls for protection.
Drive Encryption is the control for protecting data at rest. This control is recommended for all media and cellular devices that contain confidential information.
Media Transportation and Storage provides data protection through backups and facilitates off-site data storage, either by physically moving the media or via networks.
Protecting data in motion requires the secure transit of data over networks. Table 2 shows examples of insecure network protocols and their secure replacements:
Handling requirements include the proper marking, handling, storing, and destroying of sensitive media in accordance with policies and procedures.
Where Should I Focus My Time Studying?
Quizzing is the best way to assess your understanding of this subject and your preparation before taking the CISSP exam. Attempt mock exams to test your current command of the subject. If you fail, try again, because failure followed by further preparation is the key to success.
Studying the right material is also very important. The official books recommended by (ISC)2, which administers the CISSP exam, include:
- Guide to CISSP, 4th Edition by Adam Gordon
- CISSP Study Guide, 7th Edition by James Michael Stewart
- CISSP Practice Tests by Mike Chapple and David Seidl
- CISSP for Dummies by Lawrence C. Miller
- Official CISSP Study App
How Is This Information Useful in the Real World?
Asset security is applied in organizations worldwide, including:
- Business Communities
- Governmental Organizations (Law enforcement, Military, etc.)
- Non-Governmental Organizations (NGOs), such as UN AIDS, Orbis International, Acumen Fund, Danish Refugee Council, and so on
Asset security assists in resolving cases involving fraudulent activity and, sometimes, criminal matters. For example, in December 2015, the notorious pharmaceutical executive Martin Shkreli was convicted of securities fraud. He sought funds from new companies to pay debts previously incurred by his financially paralyzed companies.
Governmental institutions keep their citizens’ confidential data private, such as national identity card numbers. Likewise, telecommunication companies do not reveal your private phone calls and text messages to the general public.
Many countries have enacted legislation regarding asset security. Some examples include:
- The United Kingdom’s Official Secrets Act
- China’s Law on Guarding State Secrets
- Canada’s Law on Guarding State Secrets
CISSP Boot Camp
Are you looking for CISSP certification? Self-paced CISSP training? The InfoSec Institute offers a CISSP Boot Camp course for candidates who want to pass the CISSP exam. The institute has the highest pass rates in the industry: 92% for classroom boot camps and 94.7% for live online. Moreover, InfoSec has been one of the most awarded (42 industry awards) and trusted information security training vendors for 17 years.
InfoSec also provides thousands of articles on various security topics.