CISSP Chapter 5 Flashcards - Quizlet
Uploaded by vivekw2001

CISSP Chapter 5 (28 terms, by dreyth)

How do data classes map to government and private company classification levels?
Class 3 - Top Secret / Confidential (Exceptionally grave damage)
Class 2 - Secret / Private (Serious damage)
Class 1 - Confidential / Sensitive (Damage)
Class 0 - Unclassified / Public (No damage)

Why should you still protect public or unclassified data?
You want to ensure its integrity. For example, you don't want attackers changing your welcome message.

How can you protect data in use?
Data in use resides in an application's memory buffer. This buffer must be purged and completely removed from memory when it's no longer needed.

What is the main reason data should be marked?
When users know the sensitivity of data, they are more likely to take appropriate steps to control and protect it properly.

What are some ways to digitally mark data?
Change the metadata. This also allows DLP systems to detect it and ensure proper protection.
You can also put headers and footers on your documents. These will also show when printed.

Why should you also label data that is unclassified?
It removes ambiguity. If a user finds an unmarked folder that has confidential files, he won't automatically assume it's public, so it will be handled with suspicion.

What should you do if you want to downgrade a system or media to a lower classification level?
Sanitize it. Usually it's safer and cheaper to just destroy it and purchase new media instead of reusing it.

What level of protection should backups of data have?
The same exact level as their originals.

What's the difference between file level and disk level encryption?
One encrypts the entire disk. The other encrypts individual files.

What should you do when you no longer need sensitive data?
Destroy it.

Why can't you degauss SSDs?
They have circuitry instead of magnetic flux to store data, so they don't have data remanence.

What media can be degaussed? What can't?
HDDs, magnetic tapes, and floppy drives can be degaussed.
CDs, DVDs, and SSDs can't be degaussed.

What's the difference between erasing, clearing, and purging?
Erasing just deletes.
Clearing will overwrite. This prepares the media for reuse. Sometimes a triple pass is used (bits, complements, random bits).
Purging is a more intense form of clearing involving degaussing and overwriting many times. It protects against any known recovery method. Still not good enough for US government top secret data, though.

Why isn't purging always trusted?
Bad sectors and SSDs can cause problems.

What is sanitation?
The overall process that makes data completely unrecoverable by any means.

What is record retention?
The act of retaining data for as long as it is needed, but destroying it when it is not.

What do transport encryption methods do?
Encrypt data before transmission happens.

How does IPsec protect data?
The AH provides authentication and integrity. The ESP provides confidentiality.

What transport encryption methods should be used when sending data internally?
IPsec and SSH. This allows for use of protocols like SFTP and SCP.

What are the four responsibilities of a data owner according to NIST?
Lay out the appropriate use and protection rules.
Advise information system owners on controls for the system where the data resides.
Decide who has access to the system and their permissions.
Help assess the system's security controls.

What is a system owner?
Somebody who owns the information system where data resides. Usually this is the same person as the data owner.

What five responsibilities does NIST lay out for system owners?
Develop a security plan for the system.
Maintain the plan and ensure the system is deployed in accordance with it.
Make sure users and support get proper training, like knowing the rules of behavior or AUP.
Update the plan when changes occur.
Help assess and implement the system's security controls.

What is a business/mission owner?
They own a business process, like sales. They will use systems owned by a system owner. They just ensure these systems provide value to the business processes.

Explain cost center vs profit center.
The security team is a cost center since they don't generate profits. Sales is a profit center.
The business side will sometimes view IT as reducing profits, so a healthy balance between the two is needed.

What is a data processor?
A natural or legal person that processes personal data on behalf of the data controller, who controls the data.

What is safe harbor's goal?
To follow principles that satisfy the EU Data Protection Directive. It prevents unauthorized disclosure of information handled by data processors and data controllers, and of its transmission.

What are the seven safe harbor principles?
Notice - Tell the individuals the purpose of data collection.
Choice - Individuals can opt out.
Onward Transfer - The organization can only transfer data to other organizations with notice and choice policies.
Security - Individuals' data will be protected.
Data Integrity - Organizations can only use the data for the laid-out purposes, and they must ensure the data is reliable.
Access - Individuals must have access to the data, and can delete/correct data when it is inaccurate.
Enforcement - Must implement mechanisms to ensure compliance with the principles.

What does an administrator do?
Grants permissions based on the principle of least privilege and need to know. Usually uses RBAC by granting permissions to groups, and then assigning users to those groups.
