CISSP Domain 2 Refresh: Asset Security

August 7, 2018 by Sumit Bhattacharya


The Certified Information Systems Security Professional (CISSP) cert is the perfect credential, for Security professionals. In fact, the CISSP is a mandatory cert to have to land any senior level position, as depicted below:

This article covers the second of those eight domains, Asset Security.  In this article, we will focus on each topic covered in the first domain. Topics which are covered under this domain are:

Data Security

The most valuable asset of an organization is its data when security professionals begin thinking about data security; they normally start thinking about the security controls used to protect confidentiality, integrity, and availability of assets holding the data of an organization.

  1. Securing data at rest: Data at rest is data stored somewhere for later use. Although the data sets are not being used at the current time, Security professionals must be able to protect against all the schemes the attacker tries to steal data.
  2. Data in motion is data that is being used and is traversing across a network medium. Data in motion must be protected against eavesdropping attacks.

Things to do to protect your organization’s data

  • Have clear policies and procedures surrounding the appropriate use of data.
  • Different types of encryption for different environments to protect sensitive information
  • Access controls to restrict access to information

Data security policy key criteria

  • Policies should provide the foundational authority for data security efforts adding legitimacy to your work and providing hammer if needed to ensure compliance.
  • Policies provide guidance on the appropriate paths to follow when requesting access to data for business purposes.
  • Policies should also have an exception process for formally requesting policy exceptions when necessary to meet business requirements.

Key issues data security policy should cover

  • Data classification policies:
    Describes the security levels of information used in an organization and the process for assigning information to a particular classification level. These classifications are assigned based on both the sensitivity of the information and the criticality of that information to the enterprise.
  • Data storage policies: Data storage is a key component of security policy. It explains to the users the appropriate storage locations for data of varying classification levels. For example, the policy might restrict the use of cloud storage solutions for highly sensitive information.

    Data storage policies should also address access control requirements for stored information, including the process used to gain access to data and the mechanisms used to enforce access controls.

  • Data Transmission policies
    protect data in motion; it should cover what data may be transmitted over different kinds of networks and under what authority.
  • Data lifecycle policies
    provide important guidance concerning the end of life process for information. This is important because information may retain sensitivity even after the organization no longer requires it. Data lifecycle policies should include data retention policies, data disposal policies.

Data security roles – Many different people throughout the organization play a role in protecting information.

  • Data Owner– Is a senior-level official/business leader who has overall responsibility for the corresponding datasets.
    They usually delegate that responsibility to a data steward for nitty-gritty decisions of data governance.
  • Data Steward– Data steward, handles the implementation of the high-level policies set by the data owner. They might make day to day decisions about who may access a dataset. In most cases, there is a reporting relationship between the data owner and the data steward.
  • Data Custodian– are the individuals who actually store and process the information in question they are also called data processors. Technologists are often data custodians for almost all the data in the organization due to the nature of their jobs.

Data Privacy –There are ten principles outlined by Generally Accepted Privacy Principles (GAPP)

  • Management – Organization handling private information should have appropriate policies, procedures, and governance structures in place to protect the privacy of the information
  • Notice – The organization provides notice to the Data subjects about its privacy policies and procedures and also indicates the purposes for which information is being collected and used.
  • Choice and Consent – The entity should inform data subjects of their option regarding the data they own and get consent (implicit or explicit) from those individuals for the collection, storage, use, and sharing of that information.
  • Collection– The collection of personal information purposes should disclose in their privacy notices by the organization.
  • Usage, Retention, and Disposal– The organization should retain personal information as long as it is required after that data should be disposed of securely
  • Access – Organizations should provide individual access to their information with the ability to review and update whenever need.
  • Disclosure to Third Parties– The information is only shared with third parties by the organization if that sharing is consistent with purposes disclosed in privacy notices and they have the implicit or explicit consent of the individual to share that information.
  • Security- It’s the organization’s responsibility to secure private information against unauthorized access, either physically or logically.
  • Quality– The organization should take appropriate steps to guarantee that the private information they maintain is accurate, complete, and relevant.
  • Monitoring and Enforcement– The organization should have a program in place to monitor compliance with its privacy policies and provide procedures to address dispute pertaining the same.

Data Security Controls

Security baselines- provide enterprises with an effective way to specify the security standards for computing systems and efficiently apply those standards across deployed devices. It should be

  • Generic-These generic baselines are very helpful during many times when new networking devices are introduced into an IT Infrastructure for the very first time.
  • Absolute- These are the security baselines for the operating systems, mobile technologies, network devices, appliances, and other systems which are commonly used in their environments.

Monitoring– 24 x 7 X 365 monitoring is required once the baselines have been established. Various factors like users accidentally adjust settings; attackers undermine security, etc. might cause deviations from that baseline.

Taking Advantage of Available Industry Standards – Security configuration standards may contain n number of individual settings that experts recommend improving system security, and its time consuming to create documentation for the same. Organizations could save countless hours of work by leveraging the available standards from the following sources:

  • Vendor– Vendors who create devices, applications, they know their products better than anyone else, and they have a vested interest in helping you and your organization securely. For example – Microsoft Security Compliance Manager.
  • Government Agencies– Government also spends quite a bit of time and energy developing security standards for example NIST.
  • Independent Organizations
    Some entities want an even more objective source than the government and vendor and seek out third-party organizations that exist solely to provide security advice, for example, CIS.

Customizing Security Standards– Customization on the existing standards will depend upon the organizations own security and business requirements, but the idea is that they don’t need to write an entire standard from scratch. They can simply reference an existing standard and then just note the differences where controls are added, modified, or removed.

File Permissions- This is a type of access control which allows the simple enforcement of an organizations security policies by limiting data access on an as-needed basis.

  • Windows file system
    • Full Control: Read, Write and Execute permissions are granted.
    • Read: Files can only be read and not modified.
    • Read & Execute: The end user can not just read the file, but then can launch it as well.
    • Write: Files can be written and modified.
    • Modify: is a combination Read & Execute and Write permissions and includes the ability to delete.
  • Linux file system
    • chown changes a file or directory user owner.
    • chgrp changes a file or directory group owner.
    • Chmod changes the permissions on a file or directory
    • Linux uses three different permissions for each file the Read permission– r, Write permission-w, and Execute permission-x, and then uses letter abbreviations for each type of owner the User Owner, abbreviated with a u, the Group Owner, abbreviated with a g and all other users, abbreviated with an o.

Encryption – In simple words encryption can be defined as the conversion of plain text into cipher text using a mathematical algorithm. Encryption should be implemented to the following

  • Full disk encryption
  • Database encryption
  • Hardware encryption

Note: Cloud data security-
Organizations should follow the same security controls to data stored in the cloud as it would data stored in their own datacenter.

Information Classification-
Information classification policies describe the security levels of information used in an organization and the process for assigning information to a particular classification level. The different security categories or classifications used by an organization determine the appropriate storage handling and access requirements for classified information.

Government or Military Sector Classification of Data

  • Top Secret
  • Secret
  • Confidential
  • Sensitive but Unclassified or SBU
  • Unclassified

Commercial or Private Sector Classification of Data

  • Confidential
  • Private
  • Sensitive
  • Public


This concludes the domain ‘Asset Security.’ The next article will focus on the domain of Security Engineering.

Posted: August 7, 2018
Articles Author
Sumit Bhattacharya
View Profile

Leave a Reply

Your email address will not be published. Required fields are marked *