CISSP Domain 2 - 2024

Uploaded by Volkan Kuzucu

10.04.2024

Asset Security

Confidential
Topics

• Identify & Classify Information & Assets
• Information & Asset Handling Requirements
• Provision Information & Assets Securely
• Manage Data Lifecycle
• Ensure Appropriate Asset Retention
• Data Security Controls & Compliance Requirements
Data Classification

• One of the first steps in the lifecycle is
  – identifying and
  – classifying information and assets
• Assets include
  – information,
  – hardware used to process that data, and
  – media used to store/hold that data
• Sensitive data
  – is not public or unclassified
  – needs protection because of:
    • its value
    • the need to comply with existing laws and regulations
Data Classification

• In order to have effective controls, organizations must have a detailed inventory of information assets.
• Most organizations use a classification scheme with three to five levels of sensitivity.
• Data classification provides the following benefits:
  – Defines the level of access controls
  – Reduces the risk and cost of over- or under-protecting information resources
  – Maintains consistent security requirements
  – Enables uniform treatment of data by applying level-specific policies and procedures
  – Identifies who should have access
Data Classification (cont'd)

• The information owner should decide on the appropriate classification, based on the organization's data classification and handling policy.
• Data classification should define:
  – The importance of the information asset
  – The information asset owner
  – The process for granting access
  – The person responsible for approving the access rights and access levels
  – The extent and depth of security controls
• Data classification must also take into account legal, regulatory, contractual and internal requirements for maintaining privacy, confidentiality, integrity and availability.
Asset Identification and Valuation

Provide identification and classification of assets that need protection:
• Inventory information assets
• Determine relative business value
• Leverage classification and justification for protection
• Discover possible unidentified assets

• Effective resource valuation is best based on loss scenarios.
• Apply a consistent approach to prioritize efforts ahead of calculating exact valuation figures.
• Consider the range of potential loss and impacts:
  – Cost to create or restore
  – Contribution to revenue
  – Legal or regulatory sanctions
  – Loss of trade secrets

(Source: ©2022 ISACA. All rights reserved.)
Sensitive Data

• Personally Identifiable Information (PII) (NIST SP 800-122 provides formal definitions) and Protected Health Information (PHI) are two important types to protect
• Proprietary data: any data that helps an organization maintain a competitive edge
• Organizations classify data using labels
Government Data Classification

Classification: Description
• Top Secret: Disclosure of top secret data would cause exceptionally grave damage to national security.
• Secret: Disclosure of secret data would cause serious damage to national security. This data is considered less sensitive than data classified as top secret.
• Confidential: Disclosure of confidential data would cause damage to national security; it is the lowest of the three national security classification levels. Confidential data is usually also exempt from disclosure under laws such as the Freedom of Information Act.
• Sensitive But Unclassified (SBU): SBU data is data that is not considered vital to national security, but its disclosure would do some harm. Many agencies classify data they collect from citizens as SBU. (In the US federal government, the various SBU markings have since been consolidated under Controlled Unclassified Information, CUI.) In Canada, the SBU classification is referred to as Protected (A, B, C).
• Unclassified: Unclassified is data that has no classification or is not sensitive.
Commercial Data Classifications

Classification: Description
• Sensitive: Data that is to have the most limited access and requires a high degree of integrity. This is typically data that will do the most damage to the organization should it be disclosed.
• Confidential: Data that might be less restricted within the company but might cause damage if disclosed.
• Private: Private data is usually compartmental data that might not do the company damage but must be kept private for other reasons. Human resources data is one example of data that can be classified as private.
• Proprietary: Proprietary data is data that is disclosed outside the company on a limited basis or contains information that could reduce the company's competitive advantage, such as the technical specifications of a new product.
• Public: Public data is the least sensitive data used by the company and would cause the least harm if disclosed. This could be anything from data used for marketing to the number of employees in the company.
Criteria for Setting Data Classification

• After the classification scheme is identified, the organization must create the criteria for setting the classification
• Common criteria: value, usefulness, age, association
• Some considerations are as follows:
  – Who should be able to access or maintain the data?
  – Which laws, regulations, directives, or liabilities apply to protecting the data?
  – For government organizations, what would the effect on national security be if the data were disclosed?
  – For nongovernment organizations, what would the level of damage be if the data were disclosed or corrupted?
  – Where is the data to be stored?
  – What is the value or usefulness of the data?
Asset Classification Questions

• How many classification levels are suitable for the enterprise?
• How will information be located?
• What process is used to determine classification?
• How will classified information be identified?
• How will it be marked?
• How will it be handled?
• How will it be transported?
• How will confidential information be stored and archived?
• What is the life cycle of the information?
• What are the processes associated with the various stages in the information asset life cycle?
• How will it be retained according to policy or law?
• How will it be safely destroyed at the end of the retention period?
• Who has ownership of information?
• Who has access rights?
• Who has authority for determining access to the data?
• What approvals are needed for access?
Question

Which of the following is the MOST important prerequisite to undertaking asset classification?

A. Threat analysis
B. Impact assessment
C. Controls evaluation
D. Penetration testing
Question

Information classification is important to properly manage risk PRIMARILY because:

A. it ensures accountability for information resources as required by roles and responsibilities.
B. it is a legal requirement under various regulations.
C. it ensures adequate protection of assets commensurate with the degree of risk.
D. asset protection can then be based on the potential consequences of compromise.
Question

From a control perspective, the PRIMARY objective of classifying information assets is to:

A. establish guidelines for the level of access controls that should be assigned.
B. ensure access controls are assigned to all information assets.
C. assist management and auditors in risk assessment.
D. identify which assets need to be insured against losses.
Question

The FIRST step in data classification is to:

A. establish ownership.
B. perform a criticality analysis.
C. define access rules.
D. create a data dictionary.
Asset Classification

• Asset classifications should match data classification
• Clearance: relates to access to a certain classification of data or equipment, and who has access to that level or classification
• A formal access approval process should be used to change user access; the process should involve approval from the data/asset owner, and the user should be informed about rules and limits
• Before a user is granted access they should be educated on working with that level of classification
• Classification labels help users use data and assets properly
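The clearance rule on this slide, written out as an added Python example (not part of the original slides): a user may access an asset only if their clearance dominates the asset's label (clearance level at least as high as the classification level, and every need-to-know compartment on the label held by the user) and they have been briefed on that level. An asset that holds several data items takes the least upper bound of their labels, which is what "asset classifications should match data classification" means in practice. The level names follow the commercial table above; the compartments and users are assumptions made for the demonstration.

```python
"""Clearance / need-to-know check against classification labels (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

# Commercial scheme in the order of the table above, lowest to highest.
LEVELS = {"public": 0, "proprietary": 1, "private": 2, "confidential": 3, "sensitive": 4}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()  # need-to-know compartments, e.g. "HR" (assumed names)


def dominates(clearance: Label, label: Label) -> bool:
    """Lattice dominance: level_s >= level_o and compartments_o is a subset of compartments_s."""
    return (LEVELS[clearance.level] >= LEVELS[label.level]
            and label.compartments <= clearance.compartments)


def asset_label(data_labels: Iterable[Label]) -> Label:
    """Least upper bound of the data stored on an asset: highest level, union of compartments.
    A file share holding HR-confidential payroll plus public data is confidential/HR as a whole."""
    labels = list(data_labels)
    if not labels:
        return Label("public")
    top = max(labels, key=lambda lb: LEVELS[lb.level]).level
    compartments = frozenset().union(*(lb.compartments for lb in labels))
    return Label(top, compartments)


@dataclass
class User:
    name: str
    clearance: Label
    briefed_levels: FrozenSet[str]  # levels the user has been educated on before being granted access


def decide(user: User, asset: Label) -> Tuple[bool, str]:
    """Return (allowed, reason). Denials name the failing condition so reviewers can act on it."""
    if LEVELS[user.clearance.level] < LEVELS[asset.level]:
        return False, f"clearance {user.clearance.level} is below {asset.level}"
    missing = asset.compartments - user.clearance.compartments
    if missing:
        return False, "no need-to-know for " + ", ".join(sorted(missing))
    if asset.level not in user.briefed_levels:
        return False, f"user not yet briefed on handling {asset.level} data"
    return True, "clearance dominates label and user is briefed"


if __name__ == "__main__":
    # Constructed sample: a share holding public docs and HR payroll data.
    share = asset_label([Label("public"), Label("private"), Label("confidential", frozenset({"HR"}))])
    alice = User("alice", Label("sensitive", frozenset({"HR", "M&A"})), frozenset(LEVELS))
    bob = User("bob", Label("sensitive", frozenset({"M&A"})), frozenset(LEVELS))
    carol = User("carol", Label("confidential", frozenset({"HR"})), frozenset({"public", "private"}))
    print("share label:", share)
    for u in (alice, bob, carol):
        print(u.name, decide(u, share))
```

Note that a clearance level alone is not enough: `bob` outranks the label on level but is denied for lack of the HR compartment, which is the need-to-know principle enforced in code rather than by policy text.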
Information and Asset Handling Requirements

• The key goal of data and asset handling is to prevent data breaches, by using:
  – Data Maintenance: on-going efforts to organize and care for data through its life cycle
  – Data Loss Prevention (DLP): systems that detect and block data exfiltration attempts; two primary types:
    • Network-Based DLP
    • Endpoint-Based DLP
  – Marking (Labeling): marking sensitive information/assets ensures proper handling (both physically and electronically)
DLP Solutions

• Data at rest
• Data in motion
• Data in use
• Policy creation and management
• Directory services integration
• Workflow management
• Backup and restore
• Reporting
• DLP risk, limitations and considerations
Data Leakage

• Data leakage involves the unauthorized transfer of sensitive or proprietary information from an internal network to the outside world.
• Data leak prevention is a suite of technologies and associated processes that locate, monitor and protect sensitive information from unauthorized disclosure.
• DLPs have three key objectives:
  – Locate and catalog sensitive information stored throughout the enterprise.
  – Monitor and control the movement of sensitive information across enterprise networks.
  – Monitor and control the movement of sensitive information on end-user systems.
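The "monitor and control the movement of sensitive information" objective comes down to content inspection. The following added Python example (not from the original slides, and not any vendor's engine) shows the two detection techniques most network- and endpoint-based DLP products combine: pattern matching with validation (payment card numbers that pass the Luhn check, US Social Security Numbers) and document fingerprinting (a whitespace-normalized hash of a registered sensitive document), with a policy that maps each rule to allow, alert or block. The policy, the registered contract text and the sample outbound messages are constructed for the demonstration.

```python
"""Minimal DLP content-inspection engine (added example, constructed sample data)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# 13-19 digits with optional space/hyphen separators; Luhn then removes most false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
SEVERITY = {"allow": 0, "alert": 1, "block": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: a random 16-digit order number fails, a real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fingerprint(text: str) -> str:
    """Whitespace-normalized SHA-256 so reflowing a registered document does not evade the match."""
    return hashlib.sha256(" ".join(text.split()).encode("utf-8")).hexdigest()


@dataclass
class Finding:
    rule: str
    evidence: str  # masked: the alert itself must not become a second copy of the sensitive value


@dataclass
class Verdict:
    action: str
    findings: List[Finding] = field(default_factory=list)


def scan(message: str, policy: Dict[str, str], registered: Set[str]) -> Verdict:
    """Inspect one outbound message and return the most severe action any matching rule demands."""
    findings: List[Finding] = []
    for m in CARD_RE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("PAN", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(message):
        findings.append(Finding("SSN", "***-**-" + m.group()[-4:]))
    if fingerprint(message) in registered:
        findings.append(Finding("FINGERPRINT", "matches a registered document"))
    action = "allow"
    for f in findings:
        wanted = policy.get(f.rule, "alert")  # rule without a policy entry: alert, never silently allow
        if SEVERITY[wanted] > SEVERITY[action]:
            action = wanted
    return Verdict(action, findings)


# Constructed sample policy, registered document and messages.
POLICY = {"PAN": "block", "SSN": "block", "FINGERPRINT": "block"}
CONTRACT = ("MASTER SERVICES AGREEMENT between Acme Corp and Globex, "
            "effective 1 July 2024. Total value: 4,200,000 USD.")
REGISTERED = {fingerprint(CONTRACT)}
SAMPLES = [
    "Hi, please charge card 4111 1111 1111 1111 for the invoice.",
    "Tracking order #1234567890123456 shipped today.",
    "Payroll note: SSN 123-45-6789 needs updating.",
    "MASTER  SERVICES AGREEMENT between Acme Corp and Globex,\neffective 1 July 2024. Total value: 4,200,000 USD.",
    "Lunch at noon?",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        v = scan(msg, POLICY, REGISTERED)
        print(f"{v.action:5s} {[(f.rule, f.evidence) for f in v.findings]}  <- {msg[:40]!r}")
```

The second sample (a 16-digit order number) is the case that separates a usable DLP rule from one that drowns analysts in false positives: it matches the card regex but fails Luhn and is allowed through. Real products add partial-document matching, exact data matching against database extracts and OCR on images; the structure (detect, classify the finding, apply a per-rule action) is the same.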
Information and Asset Handling Requirements

• Handling: refers to the secure transport of media throughout its lifetime
• Data Collection Limitation: prevent loss by not collecting unnecessary sensitive data
• Data Location: keep duplicate copies of backups, on- and off-site
• Storage: define storage locations and procedures by storage type; use physical locks for paper-based media, and encrypt electronic data
• Destruction: destroy data no longer needed by the organization; policy should define acceptable destruction methods by type and classification (see NIST SP 800-88 for details)
Secure Data Destruction

• Erasing: usually refers to a delete operation on media, which only removes the reference to the data and leaves data remanence
• Clearing/Overwriting: overwriting the existing data
• Purging: usually refers to multiple clearing passes combined with other tools (see below); not considered acceptable for top secret data
• Degaussing: used on magnetic media (it also destroys the drive firmware and servo tracks, so a degaussed disk is not reusable)
• Zero fill: overwrite all data on drives with zeros
• (Physical) destruction: used for SSDs/electronic components, or in combination with other, less secure methods
• Cryptographic erasure (a.k.a. crypto-shredding): destroying the encryption key so that the ciphertext still present on the medium cannot be recovered; may be the only practical method for cloud storage, and is the usual choice for self-encrypting drives and SSDs, where wear leveling can leave copies of data that an overwrite never reaches
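Two of the methods above carried out on files, as an added Python example (not from the original slides): `clear_by_overwrite()` performs the in-place overwrite of NIST SP 800-88 "Clear" for magnetic media and verifies it, and `EncryptedStore` shows cryptographic erasure, where data only ever reaches the medium encrypted and zeroizing the key renders it unrecoverable. The example uses the standard library only; the keyed stream cipher (HMAC-SHA256 in counter mode, one key per file, written once) is an assumption for the demonstration, whereas a real deployment would use AES-GCM or platform disk encryption and hold the key in a KMS/HSM.

```python
"""File-level Clear by overwrite, and crypto-erase of an encrypted store (added example)."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16


def clear_by_overwrite(path: str, random_passes: int = 1) -> bool:
    """Overwrite every byte with random data, then zeros, fsync after each pass, verify
    the zero fill, and unlink. Returns True if the verification read was all zeros.
    Caveat: on SSDs, journaling and copy-on-write filesystems old blocks can survive
    (wear levelling, snapshots), so this is Clear for HDDs and not a Purge for such media."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(random_passes):
            f.seek(0)
            left = size
            while left > 0:
                n = min(left, CHUNK)
                f.write(os.urandom(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        left = size
        while left > 0:
            n = min(left, CHUNK)
            f.write(b"\x00" * n)
            left -= n
        f.flush()
        os.fsync(f.fileno())
    with open(path, "rb") as f:
        verified = all(b == 0 for b in f.read())
    os.remove(path)
    return verified


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter mode (demo cipher): keystream block i = HMAC(key, i); XOR is symmetric."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


class EncryptedStore:
    """Data is written only in encrypted form; crypto-erase is zeroizing the key."""

    def __init__(self, path: str):
        self.path = path
        self.key = os.urandom(32)  # one key per file; it never touches the stored medium
        self._written = False

    def write(self, plaintext: bytes) -> None:
        if self._written:
            raise RuntimeError("one write per key: reusing the keystream would be a two-time pad")
        with open(self.path, "wb") as f:
            f.write(_keystream_xor(self.key, plaintext))
        self._written = True

    def read(self) -> bytes:
        if self.key is None:
            raise PermissionError("key destroyed: contents are cryptographically erased")
        with open(self.path, "rb") as f:
            return _keystream_xor(self.key, f.read())

    def crypto_erase(self) -> None:
        # In production: destroy the key in the KMS/HSM and every backup of it.
        self.key = None


def demo(directory: str = None) -> dict:
    """Run both methods in a temp directory and report what each achieved."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "ledger.dat")
    with open(path, "wb") as f:
        f.write(b"customer record: card ending 1111\n" * 200)  # constructed sample content
    results = {"overwrite_verified": clear_by_overwrite(path), "file_removed": not os.path.exists(path)}
    record = b"PHI: patient 42, diagnosis redacted"  # constructed sample content
    store = EncryptedStore(os.path.join(directory, "phi.enc"))
    store.write(record)
    results["roundtrip_ok"] = store.read() == record
    with open(store.path, "rb") as f:
        results["ciphertext_differs"] = f.read() != record
    store.crypto_erase()
    try:
        store.read()
        results["erased"] = False
    except PermissionError:
        results["erased"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the crypto-erase half is that nothing on the medium changes at all: the ciphertext file is still there after `crypto_erase()`, which is exactly why the method works for cloud object storage where you cannot reach the physical blocks, and why the key's backups, not the data's, are what the destruction record must account for.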
Secure Provision of Resources

• The primary purpose of security operations practices is to safeguard assets such as information, systems, devices, facilities, and apps
• These practices help to:
  – identify threats,
  – identify vulnerabilities, and
  – implement controls to reduce the risk to these assets
• Implementing common security operations concepts, along with performing periodic security audits and reviews, demonstrates a level of due care
• The need-to-know principle imposes the requirement to grant users access only to the data or resources they need to perform assigned work tasks
• The least privilege principle states that subjects are granted only the privileges necessary to perform assigned work tasks and no more
Information and Asset Ownership

• Data Owner
• Data Custodian
• Data Steward
• System Owners
• Administrators
• End Users
Data Owner

• Top-level/primary responsibility for the data
• Defines the level of classification
• Defines controls for the levels of classification
• Defines baseline security standards
• Decides on impact analysis
• Decides when to destroy information
Data Custodian

• Grants permissions on a daily basis
• Ensures compliance with data policy and data ownership guidelines
• Ensures accessibility; maintains and monitors security
• Data archiving
• Data documentation
• Takes regular backups and tests restores to validate them
• Ensures CIA (confidentiality, integrity, availability)
• Conducts user authorization
• Implements security controls
Data Steward

• Influences digital transformation and the creation of data services
• Reports on data quality and on compliance with data governance policy
• Identifies opportunities to improve data quality
• Monitors and controls data governance by using metrics and feedback
Data Quality

(Figure: the dimensions of data quality: intrinsic, contextual, and security/accessibility.)
System Owners/Administrators/End Users

• System Owners
  – Apply security controls
• System Administrators
  – Grant permissions for data handling
• End Users
  – Use information for their tasks/jobs
  – Adhere to security policies and procedures
Manage Data Lifecycle

• Data Collection
• Data Location
  – the location of data backups or data copies
• Data Maintenance
  – managing data throughout the data lifecycle (creation, usage, retirement)
  – Data maintenance is the process (often automated) of making sure the data is available (or not available) based on where it is in the lifecycle
Data Life Cycle

(Figure: the data life cycle as a loop: Plan → Design → Build/acquire → Use/operate → Monitor → Dispose.)
Asset Retention

• Retention requirements apply to data or records, media holding sensitive data, systems that process sensitive data, and personnel who have access to sensitive data
• Three fundamental retention policy questions:
  – How to retain: data should be kept in a manner that makes it accessible whenever required; take the taxonomy (the scheme for data classification) into account
  – How long to retain data: the general guideline for business data is 7 years (but this can vary by country/region/regulation)
  – What data to retain
Asset Retention (e.g. EOL, EOS)

• Hardware: even if you maintain data for the appropriate retention period, it won't do you any good if you don't have hardware that can read the data
• Personnel: beyond retaining data for the required time periods and maintaining hardware to read the data, you need personnel who know how to operate the hardware to execute restoration processes
• End-Of-Life (EOL): often identified by vendors as the time when they stop offering a product for sale
• End-Of-Support (EOS)/End-Of-Service-Life (EOSL): often used to identify when support ends for a product
• EOL and EOS/EOSL can apply to either software or hardware
Data States

• Data at rest: any data stored on media such as hard drives or external media
• Data in transit: any data transmitted over a network
• Encryption methods protect data at rest and in transit
• Data in use: refers to data in memory and used by an application
• Applications should flush memory buffers to remove data after it is no longer needed
Data Security Controls & Compliance Requirements

• Security controls must protect data in each possible state:
  – at rest,
  – in transit, or
  – in use
• Each state requires a different approach to security.
• There aren't as many security options for data in use as there are for data at rest or data in transit (hardware-based trusted execution environments with memory encryption are the main addition in recent years).
• Data in-use controls:
  – Keeping the systems patched
  – Maintaining a standard computer build process
  – Running anti-virus/anti-malware
• Data at-rest controls:
  – Encryption
  – Hardening the OS
• Data in-transit controls:
  – Using secure transmission protocols
  – Digital signatures
Scoping and Tailoring Security Controls

• Scoping: refers to reviewing a list of baseline security controls and selecting only those controls that apply to the systems you're trying to protect
• After selecting a control baseline, organizations fine-tune it with the tailoring and scoping processes. A big part of the tailoring process is aligning controls with an organization's specific security requirements
• Tailoring: refers to modifying the list of security controls within a baseline to align with the organization's mission
• It includes the following activities:
  – Identifying and designating common controls
  – Applying scoping considerations
  – Selecting compensating controls
  – Assigning control values
Security Standards Selection

• Organizations need to identify the standards (e.g. PCI DSS, GDPR, etc.) that apply and ensure that the security controls they select fully comply with these standards
• Even if the organization doesn't have to comply with a specific standard, using a well-designed community standard can be helpful (e.g. the NIST SP 800 documents)
• Standards selection is the process by which organizations plan, choose and document technologies or architectures for implementation. (For example, you might evaluate three vendors for a security control; you could use a standards selection process to help determine which solution best fits the organization)
• Vendor selection is closely related to standards selection but focuses on the vendors, not the technologies or solutions
• The overall goal is to have an objective and measurable selection process. If you repeat the process with a totally different team, the alternate team should come up with the same selection
Data Protection Methods

• Digital rights management (DRM): methods used in an attempt to protect copyrighted materials
• Cloud Access Security Brokers (CASBs): software placed logically between users and cloud-based resources, which can ensure that cloud resources have the same protections as resources within the network
• Note that entities that must comply with the EU GDPR use additional data protection methods such as pseudonymization, tokenization, and anonymization
• Tokenization involves the use of randomly generated values (tokens) as replacements for sensitive data; the token has no mathematical relationship to the original, which is kept in a separate token vault
• Pseudonymization involves the replacement of real names (or other direct identifiers) with temporary IDs (pseudonyms); the mapping back to the individual is kept separately, so the data remains personal data under the GDPR
• Data anonymization: a method which removes personally identifiable information from data sets so that individuals can no longer be identified
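The three de-identification methods above side by side, as an added Python example (not from the original slides): tokenization through a vault, pseudonymization through a keyed hash, and anonymization by dropping direct identifiers and generalizing the quasi-identifiers (QI), followed by a k-anonymity check that tells you whether the released table still singles out individuals. The customer records, the HMAC key and the generalization rules (3-digit ZIP prefix, 10-year age band) are assumptions constructed for the demonstration.

```python
"""Tokenization, pseudonymization, anonymization and a k-anonymity check (added example)."""
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, List, Tuple

# Constructed records: direct identifiers (name, email), quasi-identifiers (zip, age)
# and a sensitive attribute (dx) that the third party needs for its analysis.
RECORDS = [
    {"name": "Alice Adams", "email": "alice@example.com", "zip": "10001", "age": 34, "dx": "flu"},
    {"name": "Bob Brown", "email": "bob@example.com", "zip": "10002", "age": 31, "dx": "asthma"},
    {"name": "Cara Cole", "email": "cara@example.com", "zip": "10003", "age": 38, "dx": "flu"},
    {"name": "Dan Diaz", "email": "dan@example.com", "zip": "94105", "age": 52, "dx": "diabetes"},
    {"name": "Eve Evans", "email": "eve@example.com", "zip": "94107", "age": 55, "dx": "flu"},
    {"name": "Finn Ford", "email": "finn@example.com", "zip": "94110", "age": 58, "dx": "asthma"},
]
QI: Tuple[str, ...] = ("zip", "age")


class TokenVault:
    """Tokenization: a random token with no mathematical relation to the value. The
    value/token mapping exists only in the vault, which must be protected like the data itself."""

    def __init__(self):
        self._fwd: Dict[str, str] = {}
        self._rev: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._fwd:
            token = "tok_" + secrets.token_hex(8)
            self._fwd[value] = token
            self._rev[token] = value
        return self._fwd[value]

    def detokenize(self, token: str) -> str:
        return self._rev[token]


def pseudonymize(value: str, key: bytes) -> str:
    """Pseudonymization via keyed hash: the same person gets the same pseudonym in every
    data set, and linking it back requires the key, which is held separately from the data."""
    return "p_" + hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def anonymize(rec: dict) -> dict:
    """Anonymization: drop direct identifiers and generalize the QI (zip prefix, age band)."""
    band = rec["age"] // 10 * 10
    return {"zip": rec["zip"][:3] + "**", "age": f"{band}-{band + 9}", "dx": rec["dx"]}


def k_anonymity(rows: List[dict], qi: Tuple[str, ...] = QI) -> int:
    """Size of the smallest equivalence class over the QI: every QI combination occurs >= k times.
    k == 1 means at least one person is uniquely identifiable from the QI alone."""
    groups = Counter(tuple(r[c] for c in qi) for r in rows)
    return min(groups.values()) if groups else 0


def release_for_vendor(records: List[dict], key: bytes, vault: TokenVault) -> List[dict]:
    """The table a third party receives: generalized QI and the sensitive attribute, a
    pseudonym in place of the name, and a vault token in place of the e-mail address."""
    out = []
    for r in records:
        row = anonymize(r)
        row["customer"] = pseudonymize(r["name"], key)
        row["contact"] = vault.tokenize(r["email"])
        out.append(row)
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    vault = TokenVault()
    print("k over raw QI:", k_anonymity(RECORDS))
    released = release_for_vendor(RECORDS, key, vault)
    print("k over released QI:", k_anonymity(released))
    for row in released:
        print(row)
```

On the raw table k is 1 (every ZIP is unique), after generalization k is 3. Two things to keep in mind when reading the output: the vault and the HMAC key are now the crown jewels, because either one re-identifies the data, and k-anonymity says nothing about the sensitive attribute itself (if every member of a QI group had the same diagnosis, the group would still leak it).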
Question

Mark and Loretta are in the process of de-identifying customer data before providing customer database access to Zack, a third-party vendor. Mark has identified all the QI that can identify the individual. Loretta suggests replacing some of these QI with new data, while keeping other QI unchanged. This is:

A. Pseudonymization
B. k-anonymization
C. Hashing
D. Data minimization
Review Question - Discussion

While discussing how to classify the enterprise's data for destruction, Neil comes across customer data which is more than 10 years old. The enterprise data retention policy does not allow retaining sensitive customer data beyond a period of 6 years. He needs to explain to Cathy, the junior data security engineer, the different methods of permanent data destruction.

1. A method in which only the encryption keys are deleted: Crypto-shredding
2. A method in which data is wiped from magnetic-based media: Degaussing
3. A method which involves physical destruction of the storage media: Destruction
4. A method which removes personally identifiable information from data sets: Data anonymization
Question

Bob and Neal are designing internal data retention policies for their enterprise. Bob says that the policies should uniformly target all data available with them. But Neal has a different idea, and Bob realizes he is right. Which of the following options would Neal have suggested for Bob to agree with him?

A. Retention policies should focus on public data
B. Retention policies for internal data should be formulated according to the rules, regulations and laws prevalent in the state
C. Retention policies should address classes of data like PII and PHI
D. Retention policies should be formulated such that sensitive classes of data are retained for an indefinite period
Question

What type of data is BEST protected using the TLS protocol?

A. Data in use
B. Data in archived status
C. Data at rest
D. Data in motion
Question

Which one of the following data disposal methods is the LEAST secure way to remove data from magnetic media?

A. Erasing
B. Destruction
C. Degaussing
D. Purging
Question

Which one of the following locations is an example of data in use?

A. RAM
B. Network transmission
C. SSD
D. Magnetic disk
Question

What individual in an organization is responsible for updating the system security plan when a significant change occurs?

A. System owner
B. Business owner
C. Asset owner
D. Data owner
Question

Which of the following is not a common trait of DRM solutions?

A. Persistence
B. Continuous audit trail
C. Automatic expiration
D. Virtual licensing
Question

Which one of the following characteristics is MOST important when assigning a data classification level?

A. Value of the data
B. Size of the data
C. Identity of the data owner
D. Format of the data
Question

An organization with a comprehensive asset handling policy has been experiencing data leaks. Recently a suspected shoulder surfing incident at a local coffee shop resulted in an important contract file being exposed. In another incident, the controller inadvertently sent the employee salary spreadsheet to an external user with a similar name due to type-ahead suggestions in email. Which of the following may help prevent similar incidents in the future?

A. Require password protection on all financial spreadsheets
B. Restrict the usage of public wireless guest networks
C. Require privacy screens on laptops and other portable devices
D. Provide user awareness training on proper asset handling
Question

Which of the following are the PRIMARY drivers for retention of enterprise assets?

A. Asset sensitivity and importance levels
B. Legal and business requirements
C. Results of asset vulnerability assessments
D. Storage capacity and security needs