Title: CISSP Domain 2 - Asset Security
learntorise
2.1 IDENTIFYING AND CLASSIFYING INFORMATION AND ASSETS

Data Classification
- Top Secret: Highest security level, severe damage
- Secret: Highly sensitive information, significant harm
- Confidential: Restricted access information, moderate harm
- For Official Use Only (FOUO): Limited distribution, official use
- Unclassified
- Sensitive But Unclassified (SBU): Sensitive, not national security classified

Asset Classification
- Tangible Assets: Physical items, visible and measurable
- Intangible Assets: Non-physical, intellectual property, reputation
- Critical Assets: Essential for operations, high importance
- Non-critical Assets: Low importance, not vital
CISSP DOMAIN 2
www.infosectrain.com
2.2 ESTABLISHING INFORMATION AND ASSET HANDLING REQUIREMENTS

Data Maintenance
- Importance: Ensures data security throughout its lifecycle
- Best Practices: Regular updates, backups, and audits

Data Loss Prevention (DLP)
- Importance: Prevents unauthorized data leaks
- Techniques: Monitoring, encryption, access control

Marking Sensitive Data and Assets
- Importance: Identifies and protects critical data
- Classification: Confidential, Public, etc.

Handling Sensitive Information and Assets
- Procedures: Guidelines for secure management
- Access Control: Role-based restrictions

Data Collection Limitation
- Purpose: Collect necessary data only
- Minimization Principles: Reduces risk exposure

Data Location
- Residency: Compliance with data storage regulations
- Cloud vs. On-premises: Balances flexibility and security

Storing Sensitive Data
- Secure Storage: Physical and digital protection
- Encryption: Ensures confidentiality

Data Destruction
- Methods: Shredding, wiping
- Compliance: Meets legal standards
2.3 PROVISION RESOURCES SECURELY

Information and Asset Ownership
- Definition and Importance: Understanding who owns data and assets; ensuring accountability and responsibility for data protection

Asset Inventory
- Hardware Assets: Servers, workstations, networking equipment
- Software Assets: Operating systems, applications
- Intangible Assets: Intellectual property, digital assets

Identification and Classification
- Asset Classification: Public, Private, Confidential, Sensitive
- Tagging and Labeling: Physical and digital marking of assets

Asset Management

Protection and Controls
- Physical Controls: Locks, security cameras, access control systems
- Technical Controls: Encryption, access controls, firewalls
- Administrative Controls: Policies, procedures, training

Lifecycle Management
- Procurement: Secure acquisition of assets
- Maintenance: Regular updates, patches, and repairs
- Disposal: Secure destruction or recycling of assets
2.4 MANAGE DATA LIFECYCLE

Data Roles
- Owners: Responsible for data governance and policies
- Controllers: Decide how and why data is processed
- Custodians: Ensure safe custody and storage of data
- Processors: Process data as instructed by controllers
- Users and Data Subjects: Access and use data; individuals whose data is processed

Data Lifecycle
- Data Collection: Gather information systematically
- Data Location: Physical/logical storage locations
- Data Maintenance: Keep data accurate and up-to-date
- Data Retention: Determine how long to keep data
- Data Remanence: Residual data after deletion

Data Destruction
- Overview: Final data disposal
- Methods of Sanitization:
  - Clearing: Overwriting data
  - Purging: Making data unrecoverable
  - Degaussing: Erasing magnetic fields
  - Destruction: Physically destroying media
2.5 ENSURING APPROPRIATE DATA AND ASSET RETENTION

Retention Requirements
- Legal and Regulatory Compliance: GDPR, HIPAA, SOX
- Business Policies: Company-specific data retention policies; alignment with business objectives

Data Classification
- Sensitive Data
- Non-Sensitive Data

Record Retention
- Retention Periods: Determining timeframes for retaining records; legal and operational factors
- Data Storage Solutions: Physical and digital storage; security measures for data protection
- Disposal and Destruction: Secure disposal methods; compliance with regulations

Other Significant Terms
- End-of-Life (EOL): No longer manufactured or sold
- End-of-Support (EOS): No more updates or technical support
- End-of-Service-Life (EOSL): Complete end of any support and updates
2.6 DETERMINE DATA SECURITY CONTROLS AND COMPLIANCE REQUIREMENTS

Data States
- In Use: Data actively being processed
  - Security Measures: Access controls, data masking, endpoint security, application security
- In Transit: Data moving across networks
  - Security Measures: Encryption protocols, secure tunneling, network security, secure email/file transfer
- At Rest: Data stored on devices
  - Security Measures: Encryption, physical security, access control lists, regular backups

Scoping and Tailoring
- Scoping: Identify relevant systems; understand compliance requirements; assess impact and criticality
- Tailoring: Modify baseline controls; consider organizational context; ensure practicality and effectiveness

Standards Selection
- Relevance: Select appropriate standards (ISO/IEC 27001, NIST SP 800-53, PCI DSS)
- Coverage: Comprehensive security aspects
- Compliance: Legal and regulatory requirements
- Integration: Align with existing policies