Data security controls and the CISSP exam
This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.
After human resources, information is one of the most important assets of any organization. Security and risk management are always information- or data-centric, as every effort of protecting systems and networks tries to attain three outcomes:
- Confidentiality
- Data availability
- Integrity
Earn your CISSP, guaranteed!
Data security controls are used to safeguard sensitive and important information or to have a countermeasure against its unauthorized use. These controls help to counteract, detect, minimize or avoid security risks to computer systems, data, or another information set. This further aids in reducing the risk of data loss or damage by deterring, slowing down or stopping any possible malicious attack on data assets.
This is an important part of the CISSP exam and comprises Section 5 of CISSP domain 2: Asset security.
Technical control
Technical controls are security controls executed by computer systems and can offer automated protection against misuse or unauthorized access to valuable information, facilitate security violation detection, and support requirements of security related to data and applications.
Security system
Information systems security is commonly known as INFOSEC. It refers to the methodologies and processes involved with maintaining the confidentiality of information, making the information available, and guaranteeing its integrity. The security system also involves access controls that prevent entering and accessing any system by unauthorized personnel.
Data security
Data security is an important part of the modern world, where most sensitive information is kept in electronic form. The main aspect of data security implies that both data at rest and in transit is protected and data leak protection is implemented. Moreover, it involves other operational, administrative, and architectural controls. All these measures should be specifically reflected in the coding of the software features.
The cybersecurity framework includes:
- Cryptographic protection
- Denial of service protection
- Information on shared resources
- Protection of information at rest
- Transmission confidentiality and integrity
- Transmission of security attributes
The above controls have to be implemented by different means, such as processing labels applied to information, software security architecture, appropriate use of cryptography, and error handling.
Data at rest
Data at rest, in general, refers to the data stored in persistent storage. This includes information stored on tape or disk. On the other hand, data in use usually refers to information being processed by the CPU or RAM, i.e. the central processing unit and the random access memory of a computer.
Data in transit
Data in transit can be defined into two distinct categories: data that flows over untrusted or public networks, and data or internet having information flows through a private network (an enterprise or corporate Local Area Network or LAN). Data in motion are also often referred to as data in transit.
Earn your CISSP, guaranteed!
Scoping and tailoring
Scoping and tailoring are the processes of clarifying and limiting general recommendations applicable to a precise environment.
Scoping is more applicable to limit general recommendations through the removal of aspects not applicable to any specific environment or institutions. Tailoring, on the other hand, involves the alteration of details regarding general information that is more specifically applicable to an institution or environment.
IT baseline protection
IT baseline protection is a German Federal Office approach toward information security. It is a process involving identification and implementation of computer security measures taken by an organization. IT baseline protection aims to achieve a satisfactory and suitable security level for every IT system. Therefore, it recommends well-proven personnel, technical, organizational, and infrastructural safeguards. Every institution and federal agency must show a systematic approach to secure its IT systems.
Overview baseline security
The phrase baseline security implies standard security measures to be implemented for typical IT systems. Baseline security can be used for different contexts having somewhat diverse meanings, such as:
- Cisco Security Baseline: This vendor recommendation is focused on security controls of a network and its devices.
- Microsoft Baseline Security Analyzer: This is a software tool for the security of Microsoft operating systems and services.
- Nortel Baseline Security: This is a set of best practices and requirements for different network operators.
ISO/IEC 13335-3 has been replaced by ISO/IEC 27005, which defines the approach of baseline risk management and is regarded as the standard. However, there are many available policies related to baseline security for organizations. The FSI from Germany has a widespread baseline security standard that is compliant with the recent ISO/IEC 27000-series.
IT security standards and frameworks
The challenges involving the organization of an information security program are quite overwhelming, as there are too many aspects to address. To assess effectively the security requirements of an institution and to further evaluate and choose different security policies and products, the manager in charge of security needs to have some systematic means of defining the security requirements as well as characterizing the approaches to satisfy them. Inside a centralized data processing setting this procedure is difficult enough, and the widespread use of LANs and WANs respectively compounded the problems.
Management faces tough challenges in providing formidable information security. There are substantial information system assets even in relatively small institutions as they include files and databases associated with company operation, personnel, financial matters, and other factors. Characteristically, the information system setting is always complex as it includes a variety of storage systems, local networks, workstations, servers, the Internet and other forms of remote network connections. Security managers also face a range of growing threats that are getting more advanced in scope and sophistication. The range of security failure consequences is substantial for both the organization and the individual managers, and includes civil liability, financial loss, and even criminal liabilities.
In such circumstances, standards to provide information system security turn out to be an essential part of every organization. Such standards can define the security function scopes and required features, policies to manage both data sets and human assets, evaluate the criteria for effective security measures, techniques required for ongoing security assessment, and monitoring security breaches as well as processes to deal with security failures.
Cryptography
It is quite evident and rational that no infrastructure security controls can be 100% efficient. In a layered security model, it is often essential to employ one ultimate prevention control to protect sensitive information, known as encryption.
Encryption cannot be, however, a universal remedy for information security concerns. It does not have the power to solve every data-centric security issue your organization may have. Rather, encryption may simply act as one of the many controls to secure sensitive information. Encryption over the years has been proven to be an effective ingredient in information security architecture.
Encryption uses cryptography, a science of applying logic and complex mathematics that helps in designing robust encryption methods. Strong encryption hides the meaning of important data. It also needs to have instinctive leaps to permit creative application of new or already known methods or strategies. Overall, cryptography is a smart art to protect valuable information by hiding its meaning from unauthorized personnel.
Early cryptography
As mentioned above, cryptography is the science of information security, and has been historically used to provide secure communication between military forces, government agencies, and individuals. In the modern world, cryptography is the basis of security technologies employed to protect data, resources, and information on open or closed networks.
Cryptography has evolved through war when it was necessary to hide sensitive, important information from the enemy. Nothing is more confidential than information related to secret agents and operations.
Field commanders in war and secret agents require the transmission of information to be kept secret to ensure advantages during the maneuver, surprise, and timing during operations. Hiding its meaning is the best way to keep information secret.
In the past, cryptography almost exclusively referred to encryption, a process of transferring ordinary information (known as plaintext) to unintelligible text (known as ciphertext). On the other hand, decryption is just the reverse process involving the reconversion of the unintelligible ciphertext into plaintext.
Information and network security are provided by modern electronic cryptosystems by using complex mathematical algorithms along with additional methods and systems. The following basic technologies are usually used by the modern cryptographic-based security methods to offer security functions:
- Digital signatures
- Encryption algorithms
- Functions of HMAC or Hashed Message Authentication Code
- Message digest functions
- Secret key exchange algorithms
Public key infrastructure: Basic components
A public key infrastructure commonly known as the PKI gives the framework of standards, protocols, services, and technology to enable you to manage and deploy a robust and scalable information security system using PKI technology. The basic components of PKI include certification authorities, lists of certificate revocation, and digital certificates. A public key infrastructure has to be built before widespread use, and managing of public key cryptography is easily possible on public networks. With no PKI in place, it is in general not suitable to have a public key technology for deployment in large-scale enterprises.
Risk factors associated with cryptography systems
There is, of course, no simple formula or way to determine how safe it is to use a specific cryptosystem against malicious attackers and potential compromises in security. Nevertheless, the following aspects usually affect the threats of successful cryptosystem attacks:
Sum of plaintext known to cyber attackers
- Key lifetimes
- Public key length
- Randomness of keys generated
- Private keys’ secure storage
- Security protocols’ strength
- Strength of implementation of the security technology
- Symmetric key length
Restrictions on cryptography export
Export restrictions are often imposed on cryptography for security reasons. Many governments, including the US government, currently have an export restriction in place on encryption technology. Many governments also impose import restrictions on technologies related to encryption. Thus, it is essential to review whether the encryption you are using is allowed in your country, along with the real potential or effectiveness of that encryption, as security varies as per the restrictions of encryption export or import for a particular geographical area.
In Domain 2 of the CISSP exams, there is a section named Determination of Data Security Controls that covers in detail the data security controls in its four sub-sections: Baselines, Scoping and Tailoring, Standard Selection and Cryptography.
Earn your CISSP, guaranteed!
Sources
- Exam Pass Guarantee
- Live expert CISSP instruction
- CISSP exam voucher
In this Series
- Data security controls and the CISSP exam
- CISSP certification - The ultimate guide [updated 2021]
- The CISSP domains and CBK: An overview
- CISSP certification salary: A comprehensive 2024 salary guide
- Definition & types of access control models & methods (updated 2023)
- CISSP domain 4: Communications and network security — What you need to know for the exam [2022 update]
- CISSP domain 5: Identity and access management — What you need to know for the exam [Updated 2022]
- CISSP domain 7: Security operations — What you need to know for the exam [Updated 2022]
- CISSP domain 6: Security assessment and testing — What you need to know for the exam [Updated 2022]
- CISSP domain 8 overview: Software development security — What you need to know for the exam [Updated 2022]
- CISSP and DoD 8570/8140: What you need to know [Updated 2022]
- Top 10 CISSP interview questions [Updated 2022]
- CISSP domain 1: Security and risk management — What you need to know for the exam
- The ISC2 code of ethics: A binding requirement for certification
- The CISSP experience waiver [updated 2022]
- Earning CPE credits to maintain the CISSP
- Renewal requirements for the CISSP [updated 2022]
- CISSP computerized adaptive testing (CAT): 25 of your questions answered
- CISSP job outlook [updated 2022]
- CISSP resources: Books, practice exams and other study tools [updated 2022]
- CISSP exam questions: 5 drag & drop and hotspot questions
- Risk management concepts and the CISSP (Part 2) [Updated 2022]
- What is the CISSP-ISSAP? Information Systems Security Architecture Professional [updated 2021]
- Average ISSEP Salary in 2021
- Average ISSMP Salary [updated 2021]
- CISSP domain 3: Security engineering CISSP - What you need to know for the exam [2022 update]
- Understanding the CISSP exam schedule: Duration, format, scheduling and scoring [updated 2021]
- What is the CISSP-ISSEP? Information Systems Security Engineering Professional [updated 2021]
- Information and asset classification in the CISSP exam
- CISSP domain 2: Asset security - What you need to know for the Exam [updated 2021]
- 8 tips for CISSP exam success [updated 2021]
- Risk management concepts and the CISSP (part 1) [updated 2021]
- Average ISSAP Salary in 2021
- What is the CISSP-ISSMP? Information Security System Management Professional [updated 2021]
- CISSP concentrations (ISSAP, ISSMP & ISSEP) [updated 2021]
- Due care vs. due diligence and the CISSP
- CISSP prep: Security policies, standards, procedures and guidelines
- Vulnerability and patch management in the CISSP exam
- Logging and monitoring: What you need to know for the CISSP
- Data and system ownership in the CISSP exam
- CISSP Prep: Mitigating access control attacks
- CISSP Domain 5 Refresh: Identity and Access Management
- Identity Governance and Administration (IGA) in IT Infrastructure of Today
- CISSP CAT Exam Deep Dive: Study Tips from InfoSec Institute Alum Joe Wauson
- CISSP: Incident management
- CISSP: Business continuity planning and exercises
- CISSP: Perimeter defenses
- CISSP: Secure communication channels
- Environmental controls and the CISSP
- CISSP: Disaster recovery processes and plans
- Change management and the CISSP
