Page 323 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

(UUID) and can enforce security policies. DLP systems can block
users from copying data to other USB devices and ensure that data
is encrypted when a user copies it to one of these devices.


Marking also includes using digital marks or labels. A simple method
is to include the classification as a header and/or footer in a
document, or embed it as a watermark. A benefit of these methods is
that they also appear on printouts. Even when users include headers
and footers on printouts, most organizations require users to place
printed sensitive documents within a folder that includes a label or
cover page clearly indicating the classification. Headers aren’t limited
to files. Backup tapes often include header information, and the
classification can be included in this header.

Another benefit of headers, footers, and watermarks is that DLP
systems can identify documents that include sensitive information,
and apply the appropriate security controls. Some DLP systems will
also add metadata tags to the document when they detect that the
document is classified. These tags provide insight into the document’s
contents and help the DLP system handle it appropriately.

Similarly, some organizations mandate specific desktop backgrounds
on their computers. For example, a system used to process proprietary
data might have a black desktop background with the word
Proprietary in white and a wide orange border. The background could
also include statements such as “This computer processes proprietary
data” and statements reminding users of their responsibilities to
protect the data.

In many secure environments, personnel also use labels for
unclassified media and equipment. This prevents an error of omission
where sensitive information isn’t marked. For example, if a backup
tape holding sensitive data isn’t marked, a user might assume it only
holds unclassified data. However, if the organization marks
unclassified data too, unlabeled media would be easily noticeable, and
the user would view an unmarked tape with suspicion.
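
The header/footer detection and metadata tagging described above, together with the treatment of unmarked items as suspect, can be sketched as follows. This is an added example, not code from the study guide or from any DLP product; the label scheme, the control names, and the `tag_document` function are assumptions made for illustration.

```python
import re

# Assumed label scheme, lowest to highest; substitute the organization's own.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
# Constructed policy: controls the DLP layer would apply per label.
CONTROLS = {
    "UNCLASSIFIED": [],
    "CONFIDENTIAL": ["encrypt-on-usb-copy"],
    "SECRET": ["block-usb-copy"],
    "TOP SECRET": ["block-usb-copy"],
}
# Matching is leftmost and non-overlapping, so a "TOP SECRET" banner is
# consumed whole and is not counted a second time as "SECRET".
_LABEL_RE = re.compile(r"\b(" + "|".join(LEVELS) + r")\b", re.IGNORECASE)


def _labels_in(lines):
    """Collect the distinct classification labels found in the given lines."""
    found = set()
    for line in lines:
        text = " ".join(line.split())  # collapse runs of whitespace
        found.update(m.group(1).upper() for m in _LABEL_RE.finditer(text))
    return found


def tag_document(text, band=2):
    """Build metadata tags from markings in the header/footer bands only.

    Only the first and last `band` non-empty lines are inspected, so a
    label word that merely appears in the body does not classify the file.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    found = _labels_in(lines[:band]) | _labels_in(lines[-band:])
    if not found:
        # Where even unclassified items are marked, no marking is suspicious.
        return {"classification": None, "status": "unmarked-review",
                "controls": ["quarantine"]}
    level = max(found, key=LEVELS.index)  # conflicting marks: highest wins
    status = "ok" if len(found) == 1 else "conflicting-markings"
    return {"classification": level, "status": status,
            "controls": CONTROLS[level]}


# Constructed sample document: marked in header and footer, with the word
# "secret" appearing only in the body text.
SAMPLE = """CONFIDENTIAL
Q3 backup rotation plan

Tapes rotate weekly; the secret to reliable restores is testing.
Offsite courier pickup is on Fridays.

Page 1 of 1
CONFIDENTIAL
"""

if __name__ == "__main__":
    print(tag_document(SAMPLE))
```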

Organizations often identify procedures to downgrade media. For
example, if a backup tape includes confidential information, an