Page 317 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Determining Data Security Controls
After defining data and asset classifications, it’s important to define the security requirements and identify security controls to implement those security requirements. Imagine that an organization has decided on data labels of Confidential/Proprietary, Private, Sensitive, and Public as described previously. Management then decides on a data security policy dictating the use of specific security controls to protect data in these categories. The policy will likely address data stored in files, in databases, on servers including email servers, on user systems, sent via email, and stored in the cloud.
For this example, we’re limiting the type of data to only email. The organization has defined how it wants to protect email in each of the data categories. They decided that any email in the Public category doesn’t need to be encrypted. However, email in all other categories (Confidential/Proprietary, Private, and Sensitive) must be encrypted when being sent (data in transit) and while stored on an email server (data at rest).
Encryption converts cleartext data into scrambled ciphertext and makes it more difficult to read. Using strong encryption methods such as Advanced Encryption Standard with 256-bit cryptographic keys (AES 256) makes it almost impossible for unauthorized personnel to read the text.
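The at-rest half of that policy, written out as an added Go example that is not from the study guide: a label drives whether a stored email body is encrypted, the key length is checked so that only AES 256 is accepted, and decryption happens in one place, when the message is viewed. The page names AES 256 but no mode; GCM is assumed here, and the function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Classification is one of the policy labels on this page: "Confidential/Proprietary", "Private", "Sensitive" or "Public".
type Classification string

// RequiresEncryption states the policy: only Public email may rest in the clear.
func RequiresEncryption(c Classification) bool { return c != "Public" }

// newGCM refuses any key that is not 256 bits long, because the policy names AES 256 (GCM mode is an assumption).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("policy requires AES-256: key must be 32 bytes")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length already validated
	return cipher.NewGCM(block)
}

// ProtectAtRest returns what the server stores: cleartext for Public email, else nonce || AES-256-GCM ciphertext (label bound as AAD).
func ProtectAtRest(c Classification, body, key []byte) ([]byte, error) {
	if !RequiresEncryption(c) {
		return body, nil
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, body, []byte(c)), nil
}

// ViewEmail is the single point where a protected body is decrypted; a relabelled record fails the AAD check here.
func ViewEmail(c Classification, stored, key []byte) ([]byte, error) {
	if !RequiresEncryption(c) {
		return stored, nil
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(stored) < n {
		return nil, errors.New("stored record is too short to be valid")
	}
	return gcm.Open(nil, stored[:n], stored[n:], []byte(c))
}
```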
Table 5.1 shows other security requirements for email that management defined in their data security policy. Notice that data in the highest level of classification category (Confidential/Proprietary) has the most security requirements defined in the security policy.
TABLE 5.1 Securing email data

Classification                    | Security requirements for email
----------------------------------|------------------------------------------------------------
Confidential/Proprietary          | Email and attachments must be encrypted with AES 256.
(highest level of protection      | Email and attachments remain encrypted except when viewed.
for any data)                     |