CISSP Domain 2 Asset Security Cheat Sheet

Determining Data Security Controls

Certification and Accreditation

  • Certification – A system has been certified to meet the security requirements of the data owner. Certification considers the system, the security measures, taken to protect the system, and the residual risk represented by the system
  • Accreditation – is the data owner’s acceptance of the certification, and of the residual risk, which is required before the system is put into production

Standards and Control Frameworks

  • PCI-DSS – Payment Card Industry Data Security Standards – seeks to protect credit cards by requiring vendors using them to take specific security precautions. PCI-DSS Core Principles:
    • Build and maintain a secure network and systems
    • Protect Cardholder Data
    • Maintain a Vulnerability Management Program
    • Implement Strong Access Control Measures
    • Regularly Monitor and Test Networks
    • Maintain an Information Security Policy
  • OCTAVE – Operationally Critical Threat, Asset and Vulnerability Evaluation – a risk management framework from Carnegie Mellon University. Three phase process for managing risks:
    • Phase 1 – Identifies staff knowledge, assets and threats
    • Phase 2 – Identifies vulernerabities and evaluates safeguards
    • Phase 3 – Conducts the Risk Analysis and develops the risk mitigation strategy
  • ISO 17799 and the ISO 27000 Series. ISO 17799 was a broad based approach for information security code of practices by the International Organization for Standardization (ISO/IEC 17799:2005 Information Technology Security Techniques-Code of practice for information security management). It contains 11 areas and controls:
    1. Policy
    2. Organization of information security
    3. Asset Management
    4. Human Resources Security
    5. Physical and environmental security
    6. Communications and operations management
    7. Access control
    8. Information systems acquisition, development, and maintenance
    9. Information Security incident Management
    10. Business Continuity Management
    11. Compliance

    ISO 17799 was renumbered to ISO 27002 in 2005 (TECHNIQUES – best practices). ISO 27001 is a related standard formally called ISO/IEC 27001:2005 Information technology – security techniques-information security management systems-requirements (REQUIREMENTS – process for auditing those best practices)

  • COBIT – Control Objectives for Information and related Technology) is a control framework for employing information security governance best practices within an organization. It has four domains:
    • Plan and organize
    • Aqcuire and Implement
    • Deliver and Support
    • Monitor and Evaluate
  • ITIL – Information Technology Infrastructure Libary is a framework for providing best services in IT service management (ITSM). It contains five Service management best practices
    • Service Strategy – Helps IT provides services
    • Service Design – details the infrastructure and arhcitecture required to deliver IT services
    • Service Transition – taken new projects and making them operational
    • Service Operation – IT operations controls
    • Continual Service Improvement – ways to improve existing IT services

Scoping and Tailoring

Scoping – The process of determining which portions of a standard will be employed by an organization. ie Organization choose not to deploy wifi can declare wifi provisions of standards out of scope and therefore do not apply
Tailoring – The process of customizing a standard for an organization. NIST 800-52 – Security and Privacy Controls for Federal Information Systems and Organizations describes the tailoring process:

  • Identify and designating common controls in initial security control baselines;
  • Applying scoping considerations to the remaining baseline security controls;
  • Selecting compensating security controls, if needed;
  • Assigning specific values to organization-defined security control parameters (ie password complexity policies) via explicit assignment and selection statements;
  • Supplementing baselines with additional security controls and control enchanements, if needed; and
  • Providing additional specification information for control implementation, if needed

Protecting data in motion and data at rest

Data at rest is stored data; residing on a disk or in a file. Data in motion is that data that is being transfered across a network.

  • Drive and Tape Encryption – Protect data at rest. Whole disk encryption of mobile device hard drives is recommended. Partial encryption solutions exposes risk associated with sensitive data stored in temporary files, unallocated disk space, swap space etc. Breach notification laws (HIPAA and ePHI) concerning PII contain exclusions for lost data that is encrypted.
  • Media Storage and Transportation – All sensitive backup data should be stored offsite, where transmitted offsite via networks, or physically moved as backup media. Sites using backup media should follow strict procedures for rotating media offsite. Always uses a bonded and insured company for offsite media storage. Ensure that the storage site is unlikely to be impacted by the same disaster that may strike the primary site, such as flood, earthquake, or fire. Never use informal practices, such as storing backup media at employees’ houses.
  • Protecting data in motion – Use standards based end to end encryption such as IPSEC VPN.
Related Posts with Thumbnails

About the Author

Alfred Tong
Author and owner of this blog. A Networking enthusiast, full time networking and systems Engineer. Generally curious about all things IT. Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV