Page 326 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
against any type of loss. The obvious protection is encryption. AES-256
provides strong encryption, and many applications are available to
encrypt data with it. Additionally, many operating systems include
built-in capabilities to encrypt data at both the file level and the
disk level.
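As an added example that is not part of the study guide, the following shell script uses the openssl command line tool to encrypt a file at rest with AES-256 (passphrase stretched with PBKDF2) and then checks that the sensitive content is no longer readable on the media and that the correct passphrase restores it exactly; the file names, marker string and passphrase are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the study guide: protect a file at rest with
# AES-256 using the openssl CLI. The passphrase is stretched with PBKDF2
# so a stolen copy of the file is useless without it. File names and the
# passphrase below are constructed for this demonstration.
set -e

# Encrypt $1 into $2 with AES-256-CBC; the key is derived from the
# PASSPHRASE environment variable (secrets never go on the command line).
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass env:PASSPHRASE
}

# Decrypt $1 into $2 with the same passphrase and KDF parameters.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:PASSPHRASE
}

# Return 0 when marker string $2 is not readable in file $1: the property
# we want for a stolen disk, backup tape or flash drive.
ciphertext_hides() {
    ! grep -q -- "$2" "$1"
}

# Round-trip check: return 0 only if encrypting $1 and decrypting it
# again with the correct passphrase restores the original bytes exactly.
roundtrip_ok() {
    dir=$(mktemp -d)
    encrypt_file "$1" "$dir/enc"
    decrypt_file "$dir/enc" "$dir/dec"
    if cmp -s "$1" "$dir/dec"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# Demonstration on a constructed sample file.
work=$(mktemp -d)
printf 'Customer SSN list: 123-45-6789\n' > "$work/secret.txt"
export PASSPHRASE='correct horse battery staple'
encrypt_file "$work/secret.txt" "$work/secret.enc"
ciphertext_hides "$work/secret.enc" '123-45-6789' && echo 'SSN not readable in ciphertext'
roundtrip_ok "$work/secret.txt" && echo 'correct passphrase restores the file'
rm -rf "$work"
```

The same openssl invocation works for backup images or archives before they are written to portable media, as long as the passphrase is managed separately from the media.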
If sensitive data is stored on physical media such as portable disk
drives or backup tapes, personnel should follow basic physical security
practices to prevent losses due to theft. This includes storing these
devices in locked safes or vaults and/or within a secure room that
includes several additional physical security controls. For example, a
server room includes physical security measures to prevent
unauthorized access, so storing portable media within a locked cabinet
in a server room would provide strong protection.
Additionally, environmental controls should be used to protect the
media. This includes temperature and humidity controls such as
heating, ventilation, and air conditioning (HVAC) systems.
Here’s a point that end users often forget: the value of any sensitive
data is much greater than the value of the media holding the sensitive
data. In other words, it’s cost effective to purchase high-quality media,
especially if the data will be stored for a long time, such as on backup
tapes. Similarly, the purchase of high-quality USB flash drives with
built-in encryption is worth the cost. Some of these USB flash drives
include biometric authentication mechanisms using fingerprints,
which provide added protection.
Encryption of sensitive data provides an additional layer
of protection and should be considered for any data at rest. If data
is encrypted, it becomes much more difficult for an attacker to
access it, even if it is stolen.
Destroying Sensitive Data
When an organization no longer needs sensitive data, personnel
should destroy it. Proper destruction ensures that it cannot fall into