Page 1138 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Usage Usage refers to any time data is in use or in transit over a
               network. When data is in use, it is typically held in memory in an
               unencrypted form.

               Application developers need to take steps to ensure that any sensitive
               data is flushed from memory after it has been used, rather than left
               behind in a buffer that is merely freed. Data in transit (transmitted
               over a network) requires protection commensurate with the value of
               the data. Encrypting data before sending it provides this protection.
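As an added example (not from the study guide), the C code below shows one way an application can scrub a secret from memory after using it. A plain memset() on a buffer that is about to be freed or go out of scope is a "dead store" that an optimizing compiler may legally remove; writing through a volatile pointer forces the stores to happen (explicit_bzero() on glibc/BSD and memset_s() from C11 Annex K exist for the same purpose where available). The function names, the 64-byte working buffer, the checksum standing in for real use of the key, and the constructed 3-byte key are all assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Wipe n bytes at p in a way the optimizer cannot elide. The volatile
 * qualifier tells the compiler each store has an observable effect, so it
 * cannot treat the wipe as a dead store the way it may treat memset(). */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns 1 if every byte of buf[0..n) is zero, otherwise 0.
 * The accumulate-and-compare form avoids an early exit on the first
 * non-zero byte, so the check takes the same time regardless of content. */
int is_zeroed(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Simulated handling of a session key: copy it into a working buffer,
 * "use" it (a trivial checksum stands in for real cryptographic work),
 * then scrub the buffer before it goes out of scope. Writes 1 to *residue
 * if any key material survived the scrub, else 0, and returns the
 * (non-secret) checksum so the caller can see the key was actually used. */
uint32_t use_key_and_scrub(const unsigned char *key, size_t keylen, int *residue)
{
    unsigned char work[64];               /* hypothetical working buffer */
    if (keylen > sizeof work) {
        keylen = sizeof work;
    }
    memcpy(work, key, keylen);

    uint32_t checksum = 0;
    for (size_t i = 0; i < keylen; i++) {
        checksum = checksum * 31u + work[i];
    }

    secure_zero(work, sizeof work);       /* flush the secret before return */
    *residue = !is_zeroed(work, sizeof work);
    return checksum;
}

/* Runs the example on a constructed key. Returns the checksum only if the
 * scrub left no residue; returns 0 if key bytes survived. */
uint32_t run_example(void)
{
    const unsigned char key[3] = { 1, 2, 3 };   /* constructed sample key */
    int residue = 1;
    uint32_t sum = use_key_and_scrub(key, sizeof key, &residue);
    return residue ? 0 : sum;
}

int main(void)
{
    uint32_t sum = run_example();
    if (sum == 0) {
        printf("key material survived the scrub\n");
        return 1;
    }
    printf("key used (checksum %u) and scrubbed cleanly\n", (unsigned)sum);
    return 0;
}
```

Compile with optimization enabled (for example `cc -O2`) to see that the volatile wipe is retained; replacing secure_zero() with memset() in the same position is exactly the pattern that optimizers are permitted to drop, which is why the check on residue matters rather than trusting that the call happened.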

Archive Data is sometimes archived to comply with laws or
               regulations requiring the retention of data. Additionally, valuable data
               is backed up as a basic security control to ensure that it is available
               even if access to the original data is lost. Archives and backups are
               often stored off-site. When transporting and storing this data, it's
               important to provide the same level of protection applied during
               storage on-site. The level of protection depends on the
               classification and value of the data.

Destruction or Purging When data is no longer needed, it should
               be destroyed in such a way that it is not readable. Simply deleting files
               doesn't remove their contents; it marks the space they occupy as
               available for reuse, so deletion alone isn't a valid way to destroy
               data. Technicians and administrators use a variety of tools to remove
               all readable elements of files when necessary. These tools often
               overwrite the files or disks with patterns of 1s and 0s or use other
               methods to shred the files. Overwriting assumes the device actually
               rewrites the original blocks; on flash media that uses wear leveling,
               and on file systems that journal or copy on write, stale copies of the
               data can survive an overwrite. That is one reason many organizations
               require personnel to physically destroy the disk when deleting sensitive
               data, to ensure that the data is not accessible. The National Institute
               of Standards and Technology (NIST) Special Publication (SP) 800-88r1,
               "Guidelines for Media Sanitization," provides details on how to sanitize
               media. Additionally, Chapter 5 covers various methods of destroying and
               purging data.


               Service-Level Agreements

A service-level agreement (SLA) is an agreement between an
               organization and an outside entity, such as a vendor. The SLA
               stipulates performance expectations and often includes penalties if the
               vendor doesn't meet these expectations.

               As an example, many organizations use cloud-based services to rent
               servers. A vendor provides access to the servers and maintains them to
               ensure that they are available. The organization can use an SLA to