Page 352 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Summary

Asset security focuses on collecting, handling, and protecting information throughout its lifecycle. This includes sensitive information stored or processed on computing systems or transferred over a network and the assets used in these processes. Sensitive information is any information that an organization keeps private and can include multiple levels of classifications.

A key step in this process is defining classification labels in a security policy or data policy. Governments use labels such as top secret, secret, confidential, and unclassified. Nongovernment organizations can use any labels they choose. The key is that they define the labels in a security policy or a data policy. Data owners (typically senior management personnel) provide the data definitions.

Organizations take specific steps to mark, handle, store, and destroy sensitive information and hardware assets, and these steps help prevent the loss of confidentiality due to unauthorized disclosure. Additionally, organizations commonly define specific rules for record retention to ensure that data is available when it is needed. Data retention policies also reduce liabilities resulting from keeping data for too long.

A key method of protecting the confidentiality of data is with encryption. Symmetric encryption algorithms (such as AES) can encrypt data at rest (stored on media). Transport encryption protocols protect data in transit by encrypting it before transmitting it. Applications protect data in use by ensuring that it is only held in temporary storage buffers, and these buffers are cleared when the application is no longer using the data.
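The two protections described above for data at rest and data in use can be shown together in a small program. The following Go code is an added illustration and is not from the study guide: it seals a constructed sample record with AES-256-GCM (the form in which the record would be written to media), verifies that any tampering with the stored blob is detected on decryption, and overwrites the plaintext buffer once the application has finished with it. The key, the sample record, and the helper names (EncryptAtRest, DecryptAtRest, Zero, IsZeroed) are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptAtRest seals plaintext under a 32-byte key with AES-256-GCM.
// The returned blob is nonce || ciphertext || tag, which is what an
// application would write to disk as protected data at rest.
func EncryptAtRest(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under the same key
	// breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAtRest reverses EncryptAtRest. GCM authenticates the ciphertext,
// so a blob that was modified on media fails to open instead of yielding
// silently corrupted plaintext.
func DecryptAtRest(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob is shorter than the nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// Zero overwrites a temporary buffer that held data in use so the
// plaintext does not linger in memory after the application is done with it.
func Zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// IsZeroed reports whether a buffer has been fully cleared.
func IsZeroed(b []byte) bool {
	for _, v := range b {
		if v != 0 {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample: a random data-encryption key and a fake record.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte("constructed sample: employee 0000, salary band C")

	blob, err := EncryptAtRest(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes (nonce + ciphertext + tag)\n", len(blob))

	// Data in use: decrypt into a temporary buffer, work with it, then clear it.
	plain, err := DecryptAtRest(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted %d bytes for processing\n", len(plain))
	Zero(plain)
	fmt.Printf("buffer cleared after use: %v\n", IsZeroed(plain))

	// A single flipped bit in the stored blob is rejected on decryption.
	blob[len(blob)-1] ^= 0x01
	if _, err := DecryptAtRest(key, blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

Two caveats a practitioner should keep in mind. First, the key is the real secret: the example holds it in memory, but in production it belongs in a key management system or hardware module, not beside the data it protects. Second, zeroing a slice in Go is best effort, because the runtime may have copied the bytes (garbage collection, string conversions); where guaranteed clearing matters, languages with explicit_bzero or memset_s style primitives give stronger control.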

Personnel can fulfill many different roles when handling data. Data owners are ultimately responsible for classifying, labeling, and protecting data. System owners are responsible for the systems that process the data. Business and mission owners own the processes and ensure that the systems provide value to the organization. Data processors are often third-party entities that process data for an