Page 324 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
administrator might want to downgrade the tape to unclassified. The organization would identify trusted procedures that will purge the tape of all usable data. After administrators purge the tape, they can then downgrade it and replace the labels.

However, many organizations prohibit downgrading media at all. For example, a data policy might prohibit downgrading a backup tape that contains top secret data. Instead, the policy might mandate destroying this tape when it reaches the end of its lifecycle. Similarly, it is rare to downgrade a system. In other words, if a system has been processing top secret data, it would be rare to downgrade it and relabel it as an unclassified system. In any event, approved procedures would need to be created to assure proper downgrading.




If media or a computing system needs to be downgraded to a less sensitive classification, it must be sanitized using appropriate procedures as described in the section “Destroying Sensitive Data” later in this chapter. However, it’s often safer and easier just to purchase new media or equipment rather than follow through with the sanitization steps for reuse. Many organizations adopt a policy that prohibits downgrading any media or systems.




Handling Sensitive Information and Assets

Handling refers to the secure transportation of media through its lifetime. Personnel handle data differently based on its value and classification, and as you’d expect, highly classified information needs much greater protection. Even though this is common sense, people still make mistakes. Many times, people get accustomed to handling sensitive information and become lackadaisical with protecting it.

For example, it was reported in 2011 that the United Kingdom’s Ministry of Defence mistakenly published classified information on nuclear submarines, in addition to other sensitive information, in response to Freedom of Information requests. They redacted the classified data by using image-editing software to black it out. However, anyone who tried to copy the data could copy all the text,
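The redaction failure described above (a blackout that hides text on screen but leaves it in the file) can be caught before release by extracting whatever text the document still carries. The following is an added example, not from the study guide, using a constructed SVG page as a stand-in for the published documents; it contrasts the overlay-only blackout with a redaction that removes the text, and a release check that reports any sensitive term still extractable.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
NS = {"svg": SVG_NS}
ET.register_namespace("", SVG_NS)  # keep serialized output free of ns0: prefixes

# Constructed sample document: one "page" with a public line and a sensitive line.
SECRET = "reactor vessel thickness 120 mm (constructed sample value)"
SOURCE_SVG = (
    f'<svg xmlns="{SVG_NS}" width="400" height="100">'
    '<text id="line1" x="10" y="30">Submarine hull report</text>'
    f'<text id="line2" x="10" y="60">{SECRET}</text>'
    '</svg>'
)

def _draw_box(root, node):
    """Append an opaque rectangle covering the text node's line (drawn on top)."""
    ET.SubElement(root, f"{{{SVG_NS}}}rect", {
        "x": node.get("x"), "y": str(int(node.get("y")) - 20),
        "width": "380", "height": "30", "fill": "black"})

def blackout_overlay(svg_text, text_id):
    """Visual redaction only: the box hides the text, but the text stays in the file.
    This is the mistake the chapter describes."""
    root = ET.fromstring(svg_text)
    node = root.find(f".//svg:text[@id='{text_id}']", NS)
    _draw_box(root, node)
    return ET.tostring(root, encoding="unicode")

def redact_remove(svg_text, text_id):
    """Real redaction: replace the underlying text content, then draw the box."""
    root = ET.fromstring(svg_text)
    node = root.find(f".//svg:text[@id='{text_id}']", NS)
    node.text = "[REDACTED]"
    _draw_box(root, node)
    return ET.tostring(root, encoding="unicode")

def extract_text(svg_text):
    """What a reader gets with select-all/copy: every text node, drawing ignored."""
    root = ET.fromstring(svg_text)
    return [t.text or "" for t in root.iter(f"{{{SVG_NS}}}text")]

def leaked_terms(svg_text, sensitive_terms):
    """Pre-release check: return the sensitive terms still extractable from the file."""
    body = "\n".join(extract_text(svg_text))
    return [term for term in sensitive_terms if term in body]

if __name__ == "__main__":
    print("overlay only leaks:", leaked_terms(blackout_overlay(SOURCE_SVG, "line2"), [SECRET]))
    print("removal leaks:", leaked_terms(redact_remove(SOURCE_SVG, "line2"), [SECRET]))
```

Running the check against a list of the document's classified terms before publication turns the mistake into a failed release gate rather than a public disclosure.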