After covering CISSP Domain 1 here, this article focuses on Domain 2, Asset Security. This domain seems very simple, but I must tell you that the questions coming from this domain will be tricky. Again, some of the points below may seem odd to you, but they hold good for CISSP. The objective of this module is to test the candidate's knowledge of the concepts, structures and standards used to monitor and secure assets. Let's start:

  • Classification: This is used to label a type of information to identify the role level that can have access to it. The usual labels are private, restricted, confidential and public. The difference between restricted and confidential is that restricted data is visible only to a subset of employees. An important point to note in classification is that it is the duty of the data owner to classify data.
  • Categorization: This is used to identify information assets/types with regard to their impact if lost.

    Understand the difference between classification and categorization.

  • Data Policy: Remember a data policy is good only if it:
    • Is built with long-term goals
    • Is flexible and dynamic
    • Is able to address strategic issues such as data access, data acquisition, etc.
  • Understand the following roles and the differences between them:
    • Information Owner: This can be a group or an individual who has legal rights over the data, knows the criticality of the information, can identify the need for the information across various entities both inside and outside the organization, and knows the retention basis of the information.
    • Data Custodian: This role has the responsibility to oversee the aspects of data management. Basically, the data custodian looks for adherence to policies and maintains appropriate data security with appropriate access, data quality and up-to-date assignments.
  • Quality Control and Quality Assurance: It is very important to understand that data assurance maintains quality throughout all stages of data development, while data quality evaluates the resulting data products.
  • Types of errors that can be introduced into a data set: The following are the types of errors that can be found in a data set and which are monitored by data quality and data assurance procedures:
    • Errors of omission: These result from a lack of documentation around known legitimate values. They are harder to detect.
    • Errors of commission: These are much simpler to detect and usually result from data entry.
  • Assessing Data Quality: Data quality can be assessed by:
    • Data Verification: This is used to verify that the data in hand matches the data at the source.
    • Data Validation: This is used to evaluate the goals against the derived data.

    Another important point about verification and validation is that data verification can be handled by less experienced personnel, while data validation requires expertise to handle the data and evaluate it against defined goals.

  • Data Quality: This can be improved by prevention of errors and timely correction of introduced errors through rigorous data assurance/control.
  • Data Life Cycle Control: Understand the whole data life cycle first and then the control mechanisms around it. The main stages include data specification, data modeling, conceptual design, database management, data audit, data storage and data dissemination.
  • Data Remanence Techniques: In the exam, look out for the type of media being asked about for remanence. For example, drives like:
    • Hard Disk Drive: Understand the architecture of the HDD. In an HDD, data is overwritten by altering the magnetic field on the hard drive platter. Data remanence on an HDD can be addressed in the following ways:
      • Clearing
      • Purging
      • Destruction: This has further types:
        • Overwriting: Adopting the seven-pass pattern. If you ask me, if done properly only one pass is enough.
        • Degaussing
        • Encryption
      • Media Destruction: This includes breaking the device altogether or changing the phase of the device, i.e., to liquid or vaporized form. An important point to note for magnetic media is that its phase transition can be achieved by raising it above the Curie temperature (1000°F).
    • Solid State Drives (SSD): These use flash memory to store data, and existing data is not overwritten in place. It is way faster than an HDD, as the data is accessed directly via a flash translation layer, thus saving the time an HDD spends on head movement. Because of this, when it comes to data remanence, simple overwriting won't work with an SSD; the following techniques should be used:
      • Built-in sanitization commands
      • Crypto-erase
      • Sanitization
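To make the SSD point concrete, here is an added simulation (not from the original article) of a flash translation layer: a toy drive class, constructed for this example, where an "overwrite" of a logical block lands on a fresh physical page and leaves the old one intact, and a self-encrypting variant where crypto-erase (discarding the media key) makes that leftover page unreadable. The XOR-with-pad cipher inside it is a stand-in for the controller's real encryption.

```python
import hashlib
import os

class ToySSD:
    """Constructed model of flash behind a flash translation layer (FTL): a logical
    block address (LBA) maps to a physical page, and flash is never rewritten in place,
    so a write to an existing LBA lands on a fresh page and the old page is orphaned."""

    def __init__(self, pages: int, self_encrypting: bool):
        self.physical = [None] * pages       # raw cells; None = never programmed
        self.ftl = {}                        # LBA -> physical page
        self.next_free = 0
        # With self_encrypting=True every page is stored under a controller-held media key.
        self.media_key = os.urandom(32) if self_encrypting else None

    def _codec(self, data: bytes) -> bytes:
        # XOR with a key-derived pad: a stand-in for the controller's AES, not real crypto.
        if self.media_key is None:
            return data
        pad = hashlib.sha256(self.media_key).digest() * (len(data) // 32 + 1)
        return bytes(a ^ b for a, b in zip(data, pad))

    def write(self, lba: int, data: bytes) -> None:
        self.physical[self.next_free] = self._codec(data)
        self.ftl[lba] = self.next_free       # the previous page for this LBA is merely orphaned
        self.next_free += 1

    def forensic_dump(self) -> list:
        """Every programmed page, orphaned ones included, decoded with the current key:
        what a chip-off read of the flash would yield."""
        return [self._codec(p) for p in self.physical if p is not None]

    def crypto_erase(self) -> None:
        self.media_key = os.urandom(32)      # old key discarded; old ciphertext is now noise
        self.ftl.clear()

def overwrite_leaves_remnant(secret: bytes) -> bool:
    """Plain SSD: 'overwriting' LBA 0 with zeros never touches the page holding secret."""
    ssd = ToySSD(pages=4, self_encrypting=False)
    ssd.write(0, secret)
    ssd.write(0, b"\x00" * len(secret))
    return secret in ssd.forensic_dump()     # True: the remnant survives the overwrite

def crypto_erase_removes_remnant(secret: bytes) -> bool:
    """Self-encrypting SSD: the same orphaned page exists, but is unreadable once the key is gone."""
    ssd = ToySSD(pages=4, self_encrypting=True)
    ssd.write(0, secret)
    ssd.write(0, b"\x00" * len(secret))
    before = secret in ssd.forensic_dump()   # True while the controller still holds the key
    ssd.crypto_erase()
    return before and secret not in ssd.forensic_dump()
```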


  • Retention Policies: Important points to note about retention policies are:
    • Retention policies should not be static
    • These policies should have cross-functional ownership.
    • Policies should be regularly audited and practiced at regular intervals.
  • Baseline: Minimum set of safeguards to protect IT systems of the enterprise.
  • Concept of Scoping and Tailoring: Scoping sets the overall terms and conditions around the implementation of individual security controls, whereas tailoring makes sure that the assessment procedures closely match the characteristics of information systems.
  • Difference between Link Encryption and End-to-End Encryption:
    • Link Encryption: In link encryption, data is encrypted at each node and, to continue routing, each node needs to decrypt and re-encrypt the packet. Here are some other important points that are usually tested:
      • Link encryption provides better confidentiality than end-to-end encryption.
      • On the downside, if a node is compromised, with link encryption the message can be seen in the clear at that node.
    • End-to-End Encryption: As its name says, the packet is encrypted at the source and decrypted at the destination. In this case the routing information remains available (unencrypted) along the path.
  • Categories of encryption tools:
    • Self-Encrypting USB drives: These eliminate the need to install any third-party encryption software. The only limitation is that files stay encrypted only as long as they are on the USB drive, which means files can never be shared while maintaining encryption.
    • Media-Encrypting Software
    • File Encryption Software: This gives the freedom to share files with encryption on.
  • Retention Policies should never be generalized across different types of information assets.
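As an added illustration of the link vs. end-to-end difference (not part of the original article), this simulation sends one message along a constructed path A, R1, R2, B. With link encryption every node decrypts the whole frame (routing header and payload) in order to route it, so a compromised R1 sees the plaintext, while a tap on the wire sees nothing readable; with end-to-end encryption R1 reads the header but sees only ciphertext for the payload. The SHA-256 keystream cipher is a stand-in for a real cipher.

```python
import hashlib
import os

# Toy stream cipher (SHA-256 keystream XOR), a stand-in for a real cipher so the
# simulation runs on the standard library alone; do not use it to protect data.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:12], ciphertext[12:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

# Constructed path: source A, two intermediate nodes, destination B.
PATH = ["A", "R1", "R2", "B"]
LINK_KEYS = {(PATH[i], PATH[i + 1]): os.urandom(32) for i in range(len(PATH) - 1)}
E2E_KEY = os.urandom(32)   # shared only by A and B

def send_link_encrypted(message: bytes, compromised: set) -> tuple:
    """Link encryption: header and payload are encrypted on every hop, and each node
    must decrypt the whole frame to read the routing header before re-encrypting it
    for the next link. Returns (delivered payload, {node: what a compromised node saw})."""
    header = b"to=B;"
    frame = header + message
    seen = {}
    for i in range(len(PATH) - 1):
        key = LINK_KEYS[(PATH[i], PATH[i + 1])]
        wire = encrypt(key, frame)        # a tap on this link sees only nonce + ciphertext
        frame = decrypt(key, wire)        # the next node recovers header and payload to route
        if PATH[i + 1] in compromised:
            seen[PATH[i + 1]] = frame     # a compromised node holds the plaintext frame
    return frame[len(header):], seen

def send_end_to_end(message: bytes, compromised: set) -> tuple:
    """End-to-end encryption: only the payload is encrypted, under a key the
    intermediate nodes do not have; the routing header travels in the clear."""
    header = b"to=B;"
    frame = header + encrypt(E2E_KEY, message)
    seen = {node: frame for node in PATH[1:-1] if node in compromised}
    return decrypt(E2E_KEY, frame[len(header):]), seen
```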

Again, these are not the only important points, but they are some must-know points that exam takers should be familiar with for Domain 2.