Data security controls and the CISSP exam
This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.
After human resources, information is one of the most important assets of any organization. Security and risk management are always information- or data-centric, as every effort of protecting systems and networks tries to attain three outcomes:
- Data availability
Data security controls are used to safeguard sensitive and important information or to have a countermeasure against its unauthorized use. These controls help to counteract, detect, minimize or avoid security risks to computer systems, data, or another information set. This further aids in reducing the risk of data loss or damage by deterring, slowing down or stopping any possible malicious attack on data assets.
This is an important part of the CISSP exam and comprises Section 5 of CISSP domain 2: Asset security.
Technical controls are security controls executed by computer systems and can offer automated protection against misuse or unauthorized access to valuable information, facilitate security violation detection, and support requirements of security related to data and applications.
Information systems security is commonly known as INFOSEC. It refers to the methodologies and processes involved with maintaining the confidentiality of information, making the information available, and guaranteeing its integrity. The security system also involves access controls that prevent entering and accessing any system by unauthorized personnel.
Data security is an important part of the modern world, where most sensitive information is kept in electronic form. The main aspect of data security implies that both data at rest and in transit is protected and data leak protection is implemented. Moreover, it involves other operational, administrative, and architectural controls. All these measures should be specifically reflected in the coding of the software features.
The cybersecurity framework includes:
- Cryptographic protection
- Denial of service protection
- Information on shared resources
- Protection of information at rest
- Transmission confidentiality and integrity
- Transmission of security attributes
The above controls have to be implemented by different means, such as processing labels applied to information, software security architecture, appropriate use of cryptography, and error handling.
Data at rest
Data at rest, in general, refers to the data stored in persistent storage. This includes information stored on tape or disk. On the other hand, data in use usually refers to information being processed by the CPU or RAM, i.e. the central processing unit and the random access memory of a computer.
Data in transit
Data in transit can be defined into two distinct categories: data that flows over untrusted or public networks, and data or internet having information flows through a private network (an enterprise or corporate Local Area Network or LAN). Data in motion are also often referred to as data in transit.
Scoping and tailoring
Scoping and tailoring are the processes of clarifying and limiting general recommendations applicable to a precise environment.
Scoping is more applicable to limit general recommendations through the removal of aspects not applicable to any specific environment or institutions. Tailoring, on the other hand, involves the alteration of details regarding general information that is more specifically applicable to an institution or environment.
IT baseline protection
IT baseline protection is a German Federal Office approach toward information security. It is a process involving identification and implementation of computer security measures taken by an organization. IT baseline protection aims to achieve a satisfactory and suitable security level for every IT system. Therefore, it recommends well-proven personnel, technical, organizational, and infrastructural safeguards. Every institution and federal agency must show a systematic approach to secure its IT systems.
Overview baseline security
The phrase baseline security implies standard security measures to be implemented for typical IT systems. Baseline security can be used for different contexts having somewhat diverse meanings, such as:
- Cisco Security Baseline: This vendor recommendation is focused on security controls of a network and its devices.
- Microsoft Baseline Security Analyzer: This is a software tool for the security of Microsoft operating systems and services.
- Nortel Baseline Security: This is a set of best practices and requirements for different network operators.
ISO/IEC 13335-3 has been replaced by ISO/IEC 27005, which defines the approach of baseline risk management and is regarded as the standard. However, there are many available policies related to baseline security for organizations. The FSI from Germany has a widespread baseline security standard that is compliant with the recent ISO/IEC 27000-series.
IT security standards and frameworks
The challenges involving the organization of an information security program are quite overwhelming, as there are too many aspects to address. To assess effectively the security requirements of an institution and to further evaluate and choose different security policies and products, the manager in charge of security needs to have some systematic means of defining the security requirements as well as characterizing the approaches to satisfy them. Inside a centralized data processing setting this procedure is difficult enough, and the widespread use of LANs and WANs respectively compounded the problems.
Management faces tough challenges in providing formidable information security. There are substantial information system assets even in relatively small institutions as they include files and databases associated with company operation, personnel, financial matters, and other factors. Characteristically, the information system setting is always complex as it includes a variety of storage systems, local networks, workstations, servers, the Internet and other forms of remote network connections. Security managers also face a range of growing threats that are getting more advanced in scope and sophistication. The range of security failure consequences is substantial for both the organization and the individual managers, and includes civil liability, financial loss, and even criminal liabilities.
In such circumstances, standards to provide information system security turn out to be an essential part of every organization. Such standards can define the security function scopes and required features, policies to manage both data sets and human assets, evaluate the criteria for effective security measures, techniques required for ongoing security assessment, and monitoring security breaches as well as processes to deal with security failures.
It is quite evident and rational that no infrastructure security controls can be 100% efficient. In a layered security model, it is often essential to employ one ultimate prevention control to protect sensitive information, known as encryption.
Encryption cannot be, however, a universal remedy for information security concerns. It does not have the power to solve every data-centric security issue your organization may have. Rather, encryption may simply act as one of the many controls to secure sensitive information. Encryption over the years has been proven to be an effective ingredient in information security architecture.
Encryption uses cryptography, a science of applying logic and complex mathematics that helps in designing robust encryption methods. Strong encryption hides the meaning of important data. It also needs to have instinctive leaps to permit creative application of new or already known methods or strategies. Overall, cryptography is a smart art to protect valuable information by hiding its meaning from unauthorized personnel.
As mentioned above, cryptography is the science of information security, and has been historically used to provide secure communication between military forces, government agencies, and individuals. In the modern world, cryptography is the basis of security technologies employed to protect data, resources, and information on open or closed networks.
Cryptography has evolved through war when it was necessary to hide sensitive, important information from the enemy. Nothing is more confidential than information related to secret agents and operations.
Field commanders in war and secret agents require the transmission of information to be kept secret to ensure advantages during the maneuver, surprise, and timing during operations. Hiding its meaning is the best way to keep information secret.
In the past, cryptography almost exclusively referred to encryption, a process of transferring ordinary information (known as plaintext) to unintelligible text (known as ciphertext). On the other hand, decryption is just the reverse process involving the reconversion of the unintelligible ciphertext into plaintext.
Information and network security are provided by modern electronic cryptosystems by using complex mathematical algorithms along with additional methods and systems. The following basic technologies are usually used by the modern cryptographic-based security methods to offer security functions:
- Digital signatures
- Encryption algorithms
- Functions of HMAC or Hashed Message Authentication Code
- Message digest functions
- Secret key exchange algorithms
Public key infrastructure: Basic components
A public key infrastructure commonly known as the PKI gives the framework of standards, protocols, services, and technology to enable you to manage and deploy a robust and scalable information security system using PKI technology. The basic components of PKI include certification authorities, lists of certificate revocation, and digital certificates. A public key infrastructure has to be built before widespread use, and managing of public key cryptography is easily possible on public networks. With no PKI in place, it is in general not suitable to have a public key technology for deployment in large-scale enterprises.
Risk factors associated with cryptography systems
There is, of course, no simple formula or way to determine how safe it is to use a specific cryptosystem against malicious attackers and potential compromises in security. Nevertheless, the following aspects usually affect the threats of successful cryptosystem attacks:
Sum of plaintext known to cyber attackers
- Key lifetimes
- Public key length
- Randomness of keys generated
- Private keys’ secure storage
- Security protocols’ strength
- Strength of implementation of the security technology
- Symmetric key length
Restrictions on cryptography export
Export restrictions are often imposed on cryptography for security reasons. Many governments, including the US government, currently have an export restriction in place on encryption technology. Many governments also impose import restrictions on technologies related to encryption. Thus, it is essential to review whether the encryption you are using is allowed in your country, along with the real potential or effectiveness of that encryption, as security varies as per the restrictions of encryption export or import for a particular geographical area.
In Domain 2 of the CISSP exams, there is a section named Determination of Data Security Controls that covers in detail the data security controls in its four sub-sections: Baselines, Scoping and Tailoring, Standard Selection and Cryptography.