Domain 2: Asset Security

Overview

This domain covers the identification, classification, and handling of information and assets to ensure appropriate protection throughout their lifecycle. Asset security is fundamental to protecting organizational resources and ensuring compliance with legal and regulatory requirements.

2.1 - Identify and classify information and assets

Data Classification Process

1. Identify owners

   • Assign data ownership responsibilities
   • Establish accountability for data protection
   • Define roles and responsibilities

2. Identify criticality/sensitivity

   • Assess business impact of data loss
   • Determine confidentiality requirements
   • Evaluate integrity and availability needs

3. Assign classification levels

   • Apply standardized classification scheme
   • Document classification decisions
   • Ensure consistent application

4. Establish handling requirements

   • Define access controls
   • Specify storage requirements
   • Set transmission protocols

5. Review and update

   • Regular classification reviews
   • Update based on changing business needs
   • Maintain classification accuracy

Common Data Classification Levels

Government Classifications

• Top Secret: Exceptionally grave damage to national security
• Secret: Serious damage to national security
• Confidential: Damage to national security
• Restricted: Undesirable effects on national security
• Unclassified: No national security implications

Commercial Classifications

• Confidential/Proprietary: Highest sensitivity, competitive advantage
• Private/Internal Use: Internal business information
• Sensitive: Requires special handling
• Public: No restrictions on disclosure

Asset Classification

Tangible Assets

• Hardware: Servers, workstations, network equipment
• Media: Storage devices, backup tapes, removable media
• Physical facilities: Data centers, offices, equipment rooms
• Personnel: Employees, contractors, vendors

Intangible Assets

• Software: Applications, operating systems, utilities
• Data: Databases, files, intellectual property
• Processes: Business procedures, workflows
• Reputation: Brand value, customer trust

Asset Valuation Methods

• Replacement cost: Cost to replace asset with equivalent
• Book value: Depreciated value on financial statements
• Market value: Current market price for similar assets
• Opportunity cost: Potential revenue loss from asset unavailability

2.2 - Establish information and asset handling requirements

Handling Requirements by Classification Level

Confidential/Top Secret

• Encrypted storage and transmission
• Need-to-know access only
• Secure destruction when no longer needed
• Audit trail for all access
• Physical security controls

Internal/Private

• Access controls based on business need
• Standard backup and recovery procedures
• Normal disposal procedures
• Regular access reviews

Public

• No special handling requirements
• Standard IT controls sufficient
• Normal disposal acceptable

Security Controls by Asset Type

Hardware Controls

• Physical access controls
• Asset tagging and inventory
• Secure disposal procedures
• Environmental controls
• Maintenance procedures

Software Controls

• License management
• Version control
• Configuration management
• Patch management
• Access controls

Data Controls

• Encryption requirements
• Access controls
• Backup procedures
• Retention policies
• Destruction methods

2.3 - Provision information and assets securely

Information and Asset Ownership

Data Owner Responsibilities

• Assign classification levels
• Determine access requirements
• Approve access requests
• Define retention requirements
• Authorize disposal/destruction

Asset Owner Responsibilities

• Define security requirements
• Approve configuration changes
• Monitor asset usage
• Ensure compliance with policies
• Authorize asset disposal

Asset Inventory Management

Tangible Asset Inventory

• Hardware tracking: Serial numbers, locations, configurations
• Media management: Cataloging, storage, handling procedures
• Equipment lifecycle: Procurement through disposal
• Maintenance records: Service history, warranty information

Intangible Asset Inventory

• Software licenses: Usage rights, compliance tracking
• Data repositories: Location, classification, ownership
• Intellectual property: Patents, trademarks, trade secrets
• Digital certificates: Validity, usage, renewal schedules

Asset Management Lifecycle

Acquisition Phase

• Security requirements definition
• Vendor security assessment
• Asset documentation
• Initial configuration
• Integration planning

Deployment Phase

• Secure configuration
• Access provisioning
• User training
• Monitoring setup
• Documentation updates

Operations Phase

• Regular maintenance
• Performance monitoring
• Security updates
• Access reviews
• Incident response

Disposal Phase

• Data sanitization
• Asset decommissioning
• Secure destruction
• Documentation updates
• License reclamation

2.4 - Manage data lifecycle

Data Lifecycle Phases

1. Creation/Collection

   • Data generation or acquisition
   • Initial classification
   • Ownership assignment
   • Quality validation

2. Storage

   • Secure storage implementation
   • Access control application
   • Backup procedures
   • Index and catalog

3. Use/Processing

   • Authorized access and modification
   • Processing controls
   • Quality maintenance
   • Usage monitoring

4. Sharing/Transmission

   • Secure transmission methods
   • Recipient verification
   • Transmission logging
   • Encryption requirements

5. Archival

   • Long-term storage
   • Reduced access requirements
   • Retention policy compliance
   • Periodic verification

6. Disposal

   • Secure destruction methods
   • Verification of destruction
   • Documentation of disposal
   • Certificate of destruction

Data Roles and Responsibilities

Data Owner

• Business responsibility for data
• Classifies data sensitivity
• Determines access requirements
• Approves access requests
• Defines retention and disposal requirements
• Usually senior business manager

Data Controller (GDPR Context)

• Determines purposes and means of processing
• Legal responsibility for compliance
• Data protection impact assessments
• Breach notification requirements
• Subject rights fulfillment

Data Steward

• Ensures quality of data
• Day-to-day data management
• Implements owner's requirements
• Monitors data usage
• Maintains data integrity
• Business responsibility for data quality

Data Custodian

• Technical responsibility for data
• Implements security controls
• Performs backups
• Applies access controls
• Monitors technical compliance
• Usually IT personnel

Data Processor (GDPR Context)

• Processes on behalf of controller
• Follows controller's instructions
• Responsible for performing audits
• Maintains processing records
• Implements technical safeguards
• Often third-party service providers

Users/Subjects

• Follow data handling policies
• Report security incidents
• Use data for authorized purposes only
• Respect privacy requirements

Memory Aid: "OCSPU" (Owner-Controller-Steward-Processor-Users)

• Owner: Business decisions and classification
• Controller: Legal responsibility (GDPR)
• Steward: Quality assurance and day-to-day management
• Processor: Technical implementation on behalf of controller
• Users: Follow policies and report incidents

Data Collection Considerations

• Purpose limitation: Collect only necessary data
• Data minimization: Minimize amount collected
• Consent management: Obtain appropriate permissions
• Quality assurance: Ensure accuracy and completeness
• Source verification: Validate data sources

Data Location Management

• Geographic considerations: Legal jurisdiction requirements
• Sovereignty issues: Data residency laws
• Cloud considerations: Multi-tenant environments
• Backup locations: Off-site storage requirements
• Disaster recovery: Geographic distribution

Data Maintenance

• Regular updates: Keep data current and accurate
• Quality checks: Periodic validation procedures
• Error correction: Processes for fixing inaccuracies
• Version control: Track changes and modifications
• Integrity verification: Hash checks and checksums

Data Retention

• Legal requirements: Compliance with regulations
• Business needs: Operational requirements
• Storage costs: Economic considerations
• Risk assessment: Security and privacy risks
• Retention schedules: Automated policy enforcement

Data Remanence

• Definition: Residual data after deletion attempts
• Magnetic media: Data recovery from magnetic storage
• Solid-state drives: Wear leveling complications
• Memory remanence: RAM data persistence
• Mitigation strategies: Proper sanitization methods

Data Destruction Methods

Clearing

• Logical techniques to sanitize data
• Software-based overwriting
• Suitable for internal reuse
• Not suitable for highly sensitive data

Purging

• Physical or logical techniques
• More thorough than clearing
• Makes data recovery infeasible
• Suitable for equipment reuse outside organization

Physical Destruction

• Physically destroys storage media
• Most secure method
• Makes media unusable
• Required for highly classified data

Specific Techniques

• Overwriting: Multiple passes with random data
• Degaussing: Magnetic field disruption
• Shredding: Physical destruction of media
• Incineration: Complete combustion
• Cryptographic erasure: Destroying encryption keys

2.5 - Ensure appropriate asset retention

End of Life (EOL) Management

• Vendor announcements: Monitor EOL schedules
• Migration planning: Replacement strategies
• Security implications: Unsupported systems risks
• Budget planning: Replacement costs
• Timeline management: Coordinated transitions

End of Support Considerations

• Security updates: No more patches
• Technical support: Limited or no vendor assistance
• Compliance issues: Regulatory requirements
• Risk assessment: Increased vulnerability exposure
• Mitigation strategies: Compensating controls

Asset Disposal Process

1. Data sanitization: Complete data removal
2. Asset decommissioning: System shutdown procedures
3. Physical disposal: Secure destruction or transfer
4. Documentation: Records of disposal activities
5. Verification: Confirmation of complete disposal

Certificate of Destruction

• Third-party validation: Independent verification
• Chain of custody: Asset tracking through disposal
• Destruction methods: Documentation of techniques used
• Serial numbers: Specific asset identification
• Legal compliance: Regulatory requirement fulfillment

2.6 - Determine data security controls and compliance requirements

Data States Protection

Data at Rest

• Encryption: Full disk, database, file-level
• Access controls: Authentication and authorization
• Physical security: Secure storage facilities
• Backup protection: Encrypted offline storage
• Key management: Secure key storage and rotation

Data in Transit

• Encryption protocols: TLS/SSL, VPN, IPSec
• Network segmentation: Isolated transmission paths
• Integrity protection: Hash verification
• Authentication: Mutual authentication
• Non-repudiation: Digital signatures

Data in Use

• Application controls: Runtime protection
• Memory protection: Secure processing environments
• User access controls: Principle of least privilege
• Process isolation: Containerization, virtualization
• Monitoring: Real-time activity surveillance

Memory Aid: "RIT" (Rest-In-Transit)

• Rest: Stored data needs encryption and access controls
• In Transit: Moving data needs secure protocols (TLS/VPN)
• In Use: Processing data needs application controls and monitoring

Scoping and Tailoring

Scoping Process

• System boundaries: Define what's included
• Data classification: Identify sensitivity levels
• Regulatory requirements: Applicable laws and standards
• Risk assessment: Threat and vulnerability analysis
• Business requirements: Operational needs

Tailoring Considerations

• Risk tolerance: Organizational appetite for risk
• Cost-benefit analysis: Security investment justification
• Technical constraints: System limitations
• Operational impact: Business process effects
• Compliance requirements: Mandatory controls

Standards Selection

International Standards

• ISO 27001/27002: Information security management
• ISO 27017: Cloud security guidance
• ISO 27018: Cloud privacy protection
• ISO 27040: Storage security guidance

National Standards

• NIST SP 800 series: Cybersecurity guidance
• FIPS 140-2: Cryptographic module standards
• Common Criteria: Security evaluation criteria

Industry Standards

• PCI DSS: Payment card data protection
• HIPAA: Healthcare information protection
• SOX: Financial reporting controls
• FERPA: Educational records protection

Data Protection Methods

Digital Rights Management (DRM)

• Purpose: Control digital content usage
• Technologies: Encryption, licensing, authentication
• Applications: Document protection, media distribution
• Limitations: User experience impact, circumvention risks
• Use cases: Intellectual property protection

Data Loss Prevention (DLP)

• Content inspection: Data identification and classification
• Policy enforcement: Automated rule application
• Monitoring capabilities: Real-time data flow surveillance
• Response actions: Block, quarantine, alert, encrypt
• Deployment models: Network, endpoint, cloud-based

DLP Detection Methods

• Pattern matching: Regular expressions, keywords
• Statistical analysis: Bayesian classifiers
• Fingerprinting: Document and database fingerprints
• Machine learning: Behavioral analysis
• Contextual analysis: Metadata examination

DLP Enforcement Actions

Remember "BQAE" (Block, Quarantine, Alert, Encrypt):

• Block: Prevent transmission/action entirely
• Quarantine: Isolate suspicious content for review
• Alert: Notify administrators of policy violations
• Encrypt: Automatically encrypt sensitive data

Cloud Access Security Broker (CASB)

• Visibility: Cloud service discovery and monitoring
• Compliance: Policy enforcement across cloud services
• Data security: Encryption and tokenization
• Threat protection: Malware detection and prevention
• Deployment models: Proxy, API-based, hybrid

CASB Capabilities

• Shadow IT discovery: Unauthorized cloud service detection
• Risk assessment: Cloud service security evaluation
• Policy enforcement: Consistent security across clouds
• Data protection: Encryption and DLP integration
• User behavior analytics: Anomaly detection

Additional Data Protection Technologies

Database Security

• Database encryption: Transparent data encryption
• Access controls: Role-based permissions
• Activity monitoring: Database activity monitoring (DAM)
• Vulnerability scanning: Database-specific assessments
• Masking and anonymization: Privacy protection techniques

Email Security

• Email encryption: S/MIME, PGP
• Email gateway: Anti-spam, anti-malware
• DLP integration: Content inspection
• Archiving: Legal and compliance requirements
• Policy enforcement: Automated rule application

Web Security

• Web filtering: URL categorization and blocking
• SSL inspection: Encrypted traffic analysis
• Sandboxing: Safe file execution environments
• Anti-malware: Real-time threat detection
• Data exfiltration protection: Upload monitoring

Key Memorization Items

Data Lifecycle

1. Creation/Collection
2. Storage
3. Use/Processing
4. Sharing/Transmission
5. Archival
6. Disposal

Data Classification Process

1. Identify owners
2. Identify criticality/sensitivity
3. Assign classification levels
4. Establish handling requirements
5. Review and update

Data Roles

• Owner: Business responsibility, classification decisions
• Steward: Quality assurance, business responsibility
• Custodian: Technical implementation
• Controller: Legal responsibility (GDPR)
• Processor: Processing on behalf of controller
• Users: Follow policies and procedures

Data States

• At Rest: Stored data (encryption, access controls)
• In Transit: Moving data (TLS, VPN, IPSec)
• In Use: Processing data (application controls, monitoring)

Data Destruction Methods

• Clearing: Logical sanitization for internal reuse
• Purging: Physical/logical, equipment reuse outside org
• Physical Destruction: Complete media destruction

Asset Types

• Tangible: Hardware, media, facilities, personnel
• Intangible: Software, data, processes, reputation