Page 319 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
control is strong encryption using AES-256. Administrators would then
identify methods that make it easy for employees to meet these
requirements.
Although it's possible to meet all of the requirements in Table 5.1,
doing so requires implementing additional solutions. For example,
software company Boldon James sells several products that organizations
can use to automate these tasks. Users apply relevant labels (such as
confidential, private, sensitive, and public) to emails before sending
them. These emails pass through a data loss prevention (DLP) server
that detects the labels and applies the required protection.
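To make that mechanism concrete, here is an added example (not code from the book, from Boldon James, or from any other vendor) of the decision a label-aware DLP gateway makes for each outbound message. It assumes a hypothetical X-Classification header stamped by the labelling client, example.com as the organization's only internal domain, and a made-up policy in the spirit of Table 5.1 (the table itself is not reproduced); the sample messages are constructed. Two practitioner details are built in: unlabelled mail leaving the organization fails closed rather than being treated as public, and an "encrypt" requirement is considered already satisfied when the message is S/MIME enveloped data.

```python
"""Label-driven DLP decision for outbound email (added illustrative example)."""
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import List, Optional

INTERNAL_DOMAINS = {"example.com"}      # assumption: the organization's own mail domains
LABEL_HEADER = "X-Classification"       # assumption: header the labelling tool stamps

# Hypothetical policy in the spirit of Table 5.1 (not the book's table). Keys are the
# labels the text mentions; the value is the action when a recipient is outside
# INTERNAL_DOMAINS. Mail that stays internal is always delivered.
POLICY = {
    "public":       "allow",
    "sensitive":    "encrypt",   # deliver externally only if the message is encrypted
    "private":      "encrypt",
    "confidential": "block",     # must not leave the organization at all
}


@dataclass
class Decision:
    action: str                  # "allow", "encrypt" (encrypt, then deliver) or "block"
    label: Optional[str]
    reason: str
    external: List[str] = field(default_factory=list)


def extract_label(msg: Message) -> Optional[str]:
    """Explicit header first, then a [LABEL] marker the labelling client put in Subject."""
    header = msg.get(LABEL_HEADER)
    if header:
        return header.strip().lower()
    subject = msg.get("Subject", "").upper()
    for name in POLICY:
        if f"[{name.upper()}]" in subject:
            return name
    return None


def external_recipients(msg: Message) -> List[str]:
    """Every To/Cc/Bcc address whose domain is not one of ours."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sorted(
        addr.lower()
        for _, addr in getaddresses(fields)
        if addr and addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
    )


def already_encrypted(msg: Message) -> bool:
    """Treat S/MIME enveloped data as satisfying an 'encrypt' requirement."""
    return msg.get_content_type() == "application/pkcs7-mime"


def evaluate(raw: str) -> Decision:
    msg = message_from_string(raw)
    label = extract_label(msg)
    ext = external_recipients(msg)
    if label is not None and label not in POLICY:
        return Decision("block", label, "unrecognized classification label", ext)
    if not ext:
        return Decision("allow", label, "all recipients internal", ext)
    if label is None:
        # Fail closed: unlabelled mail leaving the organization is not assumed to be public.
        return Decision("block", None, "no classification label on external mail", ext)
    action = POLICY[label]
    if action == "encrypt" and already_encrypted(msg):
        return Decision("allow", label, "external but already S/MIME encrypted", ext)
    reason = {
        "allow": "public data may leave the organization",
        "encrypt": "external recipients require encryption",
        "block": "confidential data must not leave the organization",
    }[action]
    return Decision(action, label, reason, ext)


# Constructed sample messages (not real traffic).
SAMPLES = {
    "labelled_public": "From: alice@example.com\nTo: bob@partner.org\n"
                       "Subject: Press release\nX-Classification: Public\n\nbody\n",
    "confidential_external": "From: alice@example.com\nTo: Bob <bob@partner.org>\n"
                             "Cc: carol@example.com\nSubject: [CONFIDENTIAL] Q3 numbers\n\nbody\n",
    "private_plain": "From: alice@example.com\nTo: bob@partner.org\n"
                     "Subject: Contract\nX-Classification: private\n\nbody\n",
    "private_encrypted": "From: alice@example.com\nTo: bob@partner.org\nSubject: Contract\n"
                         "X-Classification: private\n"
                         "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n\n"
                         "<ciphertext>\n",
    "unlabelled_external": "From: alice@example.com\nTo: bob@partner.org\nSubject: Hi\n\nbody\n",
    "unlabelled_internal": "From: alice@example.com\nTo: carol@example.com\nSubject: Hi\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        d = evaluate(raw)
        print(f"{name:22} -> {d.action:8} label={d.label} ({d.reason})")
```

In a real deployment the gateway would sit in the outbound mail path (for example as a milter or SMTP proxy) and act on the returned Decision: deliver, hand the message to an encryption step, or bounce it to the sender with the reason. Tampering with the header is the obvious weakness of any label-driven control, so the label should be stamped by a trusted client or server component rather than left to whatever the user's mail client sends.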
Of course, Boldon James isn’t the only organization that
creates and sells DLP software. Other companies that provide
similar DLP solutions include TITUS and Spirion.
Table 5.1 shows possible requirements that an organization might
want to apply to email. However, an organization wouldn’t stop there.
Any type of data that an organization wants to protect needs similar
security definitions. For example, organizations would define
requirements for data stored on assets such as servers, data backups
stored onsite and offsite, and proprietary data.
Additionally, identity and access management (IAM) security controls
help ensure that only authorized personnel can access resources.
Chapter 13, “Managing Identity and Authentication,” and Chapter 14,
“Controlling and Monitoring Access,” cover IAM security controls in
more depth.
WannaCry Ransomware
You may remember the WannaCry ransomware attack starting on
May 12, 2017. It quickly spread to more than 150 countries,
infecting more than 300,000 computers and crippling hospitals,
public utilities, and large organizations in addition to many regular
users. As with most ransomware attacks, it encrypted data and