Cissp d2 Slides

Uploaded by spgethical

Welcome to the (ISC)2 Certified Information Systems Security
Professional (CISSP) Training Course


Course Agenda

Domain 1: Security and Risk Management

Domain 2: Asset Security

Domain 3: Security Architecture and Engineering

Domain 4: Communication and Network Security

Domain 5: Identity and Access Management (IAM)

Domain 6: Security Assessment and Testing

2
Course Agenda (continued)

Domain 7: Security Operations

Domain 8: Software Development Security

3
Domain 2
Asset Security

4
Domain Objectives
1. Understand key asset terms such as assets, information, data,
resources, etc.
2. Explain how security controls are dictated by the value of
assets, including information.
3. Understand that information/data is only one example of
valuable assets that organizations need to protect based on
the value of those assets to the organization.
4. Explain how asset classification drives the protection of assets
based on value.
5. Describe the asset lifecycle.

5
Domain Objectives (continued)
6. Understand how data classification and categorization applies to
the asset lifecycle.
7. Understand the importance of establishing accountability and
responsibilities for information ownership and custodianship.
8. Explain accountabilities and responsibilities for protection of assets
by owner, custodians, stewards, controllers, and processors.
9. Explain key terms associated with asset protection.
10. Understand how privacy of personal information is affected by
today’s technologies.

6
Domain Objectives (continued)
11. Explain the expectations of subjects according to privacy laws
and regulations.
12. Explain the importance of the Organization for Economic
Cooperation and Development (OECD) guidelines on Privacy
Protection.
13. Express the eight principles for privacy protection according to
the OECD guidelines.
14. Understand the concept of collection limitation as it applies to
privacy.
15. Understand asset retention and how retention policies are driven
by organizational requirements.
7
Domain Objectives (continued)
16. Explain the reasons that drive data and records retention,
including compliance or organizational requirements.
17. Understand the issues associated with long-term storage of assets.
18. Define baseline protection.
19. Explain how baselines can help an organization achieve minimum
levels of security associated with valuable assets.
20. Understand how baselines include security controls and how to
implement them.
21. Describe baseline protection and scoping and tailoring in
reference to asset protection.

8
Domain Objectives (continued)
22. Understand the different data states and explain how to
secure each.
23. Explain the difference between end-to-end and link encryption
as it relates to data in motion.
24. Understand how media requires controls to protect its content.
25. Understand labeling and marking requirements of assets that
have been classified.
26. Understand how the handling of media and assets that have
been classified should be allowed only to those that are
authorized.

9
Domain Objectives (continued)
27. Understand how storing, retention, and destruction of assets
is dictated by classification.
28. Understand data remanence and its impact on the value of
assets.
29. Explain the various options in addressing data remanence,
including clearing, purging, and destruction.
30. Explain methods used to clear, purge, and destroy data.

10
Domain Agenda

Information and Assets

Asset Lifecycle

Information and Asset Ownership

Protect Privacy

Asset Retention

11
Domain Agenda (continued)

Data Security Controls

Information and Asset Handling Requirements

Data Remanence

Domain Review

12
Module 1
Information and Assets

13
Module Objectives

1. Understand key asset terms such as assets, information, data,
resources, etc.
2. Explain how security controls are dictated by the value of
assets, including information.
3. Understand that information/data is only one example of
valuable assets that organizations need to protect based on
the value of those assets to the organization.
4. Explain how asset classification drives the protection of assets
based on value.

14
Assets, Information, and Resources

(Diagram: Assets and Resources, linked by Value)
15
Assets, Information, and Other Valuable Resources

Value of an Asset
• Quantitative
• Qualitative

Protection of Valuable Assets
• Should be based on the value

16
Examples of Valuable Assets
• People
• Corporate Reputation/Brand
• Products
• Architectures
• Information/Data
• Processes
• Hardware
• Intellectual Property/Ideas
• Software

17
Identification/Discovery and Classification of Assets
Based on Value

Identify/Discover Assets
• Inventory
• Needs to be a formal process

Asset Classification
• Requires management support, commitment, and conviction
• Accountability
• Policies
• Training/awareness/education

18
Classification Process

19
Process of Protection of Valuable Assets Based on Classification

Identify and Locate Assets Including Information
• Asset discovery

Classify Based on Value
• Requires ownership to establish accountability

Protect Based on Classification
• Baselines for each classification level

20
Module 2
Asset Lifecycle

21
Module Objectives

1. Describe the asset lifecycle.
2. Understand how data classification and categorization applies
to the asset lifecycle.

22
Asset Lifecycle
Steps:
1. Identify & Classify
2. Secure & Store
3. Monitor & Log
4. Recover
5. Disposition
6. Archive
OR
6. Destruction

23
Asset Lifecycle

24
Differences between Classification and Categorization

Classification
• The act of forming into a class or classes
• A distribution into groups, as classes according to common
attributes

Categorization
• The process of sorting or arranging things into classes
25
Classification
Ensures assets are marked and protected (based on value) in
such a way that only those with an appropriate level of clearance
can have access to the information.

26
Categorization
The process of determining the impact of the loss of confidentiality,
integrity, or availability of the information to an organization.

27
Data Classification Policy
• Who will have access to the data
• How the data is secured
• How long the data is to be retained
• What method(s) should be used to dispose of the data
• Whether the data needs to be encrypted
• The appropriate use of the data

28
Activity: Applying Policy Considerations in Your Organization
INSTRUCTIONS
Working with a partner, discuss how you would apply each of the
policy considerations in your organization.
• Who has access to the data
• How the data is secured
• How long the data is to be retained
• What method(s) should be used to dispose of the data
• Whether the data needs to be encrypted
• The appropriate use of the data

29
Examples of Classification Levels

• It should be easy for the owner to determine the right levels of
classification, and others should fully understand how to protect
the asset
• Examples
o Top Secret
o Company Restricted
o Company Confidential
o Public

30
Classification – Done by Owners

• The individual who owns the data should decide the classification
• Owners should review the classification on a regular basis and
adjust based on value at that particular time
o Classification system should allow the increase or decrease in
classification
o Change needs to be documented to allow system to adjust based
on new classification

31
Purpose of Asset Classification

Ensure that information assets receive an appropriate level
of protection

Provide security classifications that will indicate the need and
priorities for security protection

Minimize risks of unauthorized information alteration

Avoid unauthorized disclosure

32
Purpose of Asset Classification (continued)

Maintain competitive edge

Protect legal tactics

Comply with privacy laws, regulations, and industry standards

33
Classification Benefits

Benefits of having classifications are
• Awareness among employees and customers of the
organization’s commitment to protect information
• Identification of critical information
• Identification of vulnerability to modification
o Enable focus on integrity controls
• Sensitivity to the need to protect valuable information
o Understanding the value of information
o Meeting legal requirements

34
Issues Related to Classification

Information is classified by the Information Owner or designate
• Human error
• Proper classification is dependent on ability and knowledge of
the classifier
• Requires awareness of regulations and customer and business
expectations
• Requires consistent classification method—often the decisions
can be somewhat arbitrary
• Needs clear labeling of all classified items
• Must include support for declassification and destruction of
assets
35
Module 3
Information and Asset Ownership

36
Module Objectives

1. Understand the importance of establishing accountability and
responsibility for asset and information ownership and
custodianship.
2. Explain accountabilities and responsibilities for protection of
assets by owners, custodians, stewards, controllers, and
processors.
3. Explain key terms associated with asset protection.

37
Asset Protection and Classification Terminology
The following are key terms associated with asset management:
• Data subject
• Data owner
• Data custodian
• Data steward
• Personal data
• Processing
• Data controller
• Data processor

38
Data Ownership

Accountable for important information security activities
surrounding the lifecycle of information to:
• Protect it
• Ensure it is available to only those who require access
• Destroy it when it is no longer needed

39
Information Owner
The data owner typically has the following example accountabilities:
• Determine the impact the information has on the mission of the
organization.
• Understand the replacement cost of the information (if it can be
replaced).
• Know when the information is inaccurate or no longer needed and
should be destroyed.
• Determine who has a need for the information and under what
circumstances the information should be released.

40
Data Custodianship
Typical responsibilities include the following:
• Adherence to appropriate and relevant data policies, standards,
procedures, baselines and guidelines
• Ensuring accessibility to appropriate users, maintaining appropriate
levels of data security
• Fundamental data maintenance, including but not limited to data
storage and archiving
• Data documentation, including updates to documentation
• Assurance of quality and validation of any additions to data, including
supporting periodic audits to ensure ongoing data integrity

41
Difference Between Data Owner/Controller and
Data Custodian/Processor

Data Owner/Controller
• The controller acts as the owner, therefore is accountable.
• Accountable for the protection of data based on relevant
national or community laws or regulations.

Data Custodian/Processor
• The processor processes data on behalf of the owners
(example cloud provider).

42
Difference Between Data Owner/Controller and Data
Custodian/Processor (continued)

Data Owner/Controller
The natural or legal person, public authority, agency or any other
body that alone or jointly with others determines the purposes and
means of the processing of personal data; where the purposes and
means of processing are determined by national or community laws or
regulations, the controller or the specific criteria for his nomination
may be designated by national or community law.

Data Custodian/Processor
The processor processes data on behalf of the owners (example cloud
provider). Therefore, is responsible for the adherence of policies,
standards, procedures, baselines, and guidelines to ensure protection
while in their custody.

43
Activity: Understanding Accountability and Responsibility
INSTRUCTIONS
Fill in each of the spaces with either the word “accountable” or
“responsible” as it relates to protection of data and each of the roles:

Data Steward: ________
Data Owner: ________
Data Custodian: ________
Data Processor: ________
Data Controller: ________
Data Subject: ________

44
Activity: Understanding Accountability and Responsibility – Answers
INSTRUCTIONS
Fill in each of the spaces with either the word “accountable” or
“responsible” as it relates to protection of data and each of the roles:

Data Steward: responsible
Data Owner: accountable
Data Custodian: responsible
Data Processor: responsible
Data Controller: accountable
Data Subject: control

45
Module 4
Protect Privacy

46
Module Objectives

1. Understand how privacy of personal information is affected
by today’s technology.
2. Explain the expectations of subjects according to privacy laws
and regulations.
3. Explain the importance of the OECD Guidelines on Privacy
Protection.
4. Express the eight principles for privacy protection according
to the OECD guidelines.
5. Understand the concept of collection limitation as it applies
to privacy.

47
Privacy – Introduction
• Individuals should have control over their personal information
• According to many data protection laws, personal information must be
o Obtained fairly and lawfully
o Used only for the original specified purpose
o Adequate, relevant, and not excessive to purpose
o Accurate and up to date
o Not kept longer than necessary
o Accessible to the subject
o Kept secure
o Not transmitted to a country without adequate level of protection

48
OECD Privacy Guidelines
The OECD guideline principles are as follows:

• Collection Limitation Principle
• Data Quality Principle
• Purpose Specification Principle
• Use Limitation Principle
• Security Safeguards Principle
• Openness Principle
• Individual Participation Principle
• Accountability Principle

49
Example – Collection Limitation Principle

• There should be limits to the collection of data
• Should be obtained by lawful and fair means
• With the knowledge and consent of the subject

50
Module 5
Asset Retention

51
Module Objectives

1. Understand asset retention and how retention policies are driven
by organizational requirements.
2. Explain the reasons that drive data and records retention,
including compliance or organizational requirements.
3. Understand the issues associated with long-term storage of assets.

52
Establishing Information Governance and Retention Policies

Understand where the data exists

Classify and define data

Archive and manage data

53
Building Effective Archiving and Data Retention Policies

Involve all stakeholders in the process

Establish common objectives for supporting archiving and data
retention best practices within the organization

Monitor, review, and update documented data retention policies and
archiving procedures

54
Creating a Sound Record Retention Policy

Evaluate statutory requirements, litigation obligations, and
business needs

Classify types of records

Determine retention periods and destruction practices

Draft and justify record retention policy

55
Creating a Sound Record Retention Policy (continued)

Train staff

Audit retention and destruction practices

Periodically review policy

Document policy, implementation, training, and audits

56
Activity: Review an Organization’s Sample Policy
INSTRUCTIONS
• Working with a partner, review the following sample policy
• For your assigned section, note your ideas about why each
aspect of the policy is in place or the risks to the organization
if the policy is not implemented
• Be prepared to share your thoughts with the group

57
Important Considerations
• Who needs access to archived data and why?
How fast do they need it?
• Do access requirements change as the archives age?
• How long do we need to keep the archived data? When
should it be disposed of or deleted?

58
Best Practices

Promote cross-functional ownership for archiving, retention,
and disposal policies

Plan and practice data retention and orderly disposal

Key areas of focus: media, hardware, and personnel

59
Examples of Data Retention Policies

European Document Retention Guide 2013

State of Florida Electronic Records and Records Management
Practices, November 2010

The Employment Practices Code, Information Commissioner’s
Office, UK, November 2011

Wesleyan University, Information Technology Services Policy
Regarding Data Retention for ITS-Owned Systems, September 2013

60
Examples of Data Retention Policies (continued)

Visteon Corporation, International Data Protection Policy,
April 2013

Texas State Records Retention Schedule (Revised 4th edition),
effective July 4, 2012

61
Module 6
Data Security Controls

62
Module Objectives

1. Define baseline protection.
2. Explain how baselines can help an organization achieve minimum
levels of security associated with valuable assets.
3. Understand how baselines include security controls and how to
implement them.
4. Describe baseline protection and scoping and tailoring in reference
to asset protection.
5. Understand the different data states and explain how to secure each.
6. Explain the difference between end-to-end and link encryption
as it relates to data in motion.

63
Baselines

Used as reference points to ensure minimum security requirements

Minimum levels of protection for assets

64
Example Baselines and How They Can Be Used to Enforce
Security Controls

High
– Access: Strong passwords; asset owner approves request, review,
and termination; NDA
– Encryption: 128 bit symmetric encryption for creation,
data-in-motion, data-at-rest
– Labeling: Electronic watermark; physical watermark
– Monitoring: Real time using SIEM

Medium
– Access: Passwords; asset owner approves request, review, and
termination
– Encryption: 128 bit encryption for data-in-motion
– Labeling: None
– Monitoring: Timely

Low
– Access: Asset owner approves request, review, termination
– Encryption: None
– Labeling: None
– Monitoring: None
65
Baselines – Summary
• Consistent reference point
• Define minimum levels of protection to protect valuable assets
• Can be configurations for specific architectures and systems

66
Considerations
• Should the same baseline be applied throughout the whole enterprise?
• Which parts of the enterprise or systems can be protected by the
same baseline?
• At what security level should the baseline aim?
• How will the controls forming the baselines be determined?

67
Objective of Baseline Protection
• Establish a minimum set of safeguards to protect assets
that have value.

68
Baseline Catalogs

Catalogs of baseline safeguards can provide comprehensive guidance on
baseline creation. Could be obtained from
• International and national standards organizations
• Industry sector standards or recommendations
• Some other company, preferably with similar business
objectives and of comparable size

69
Generally Accepted Principles

Information System Security Objectives

Prevent, Detect, Respond, and Recover

Protection of Information While Being Processed, in Transit,
and in Storage

External Systems Are Assumed to Be Insecure

70
Generally Accepted Principles (continued)

Resilience for Critical Information Systems

Auditability and Accountability

71
Scoping and Tailoring

Scoping—limiting general baseline recommendations by removing those
that do not apply

Tailoring—altering baseline recommendations to apply more
specifically

72
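As an added worked example (not from the course materials), the following Python models the deck's Example Baselines table as a catalog, derives an asset's baseline from its classification, and applies scoping (removing controls that do not apply) and tailoring (altering controls) before reporting gaps; the asset record, the control names and the scoping decisions are constructed assumptions.

```python
"""Classification-driven baseline check with scoping and tailoring.

Added example, not from the CISSP course materials. The catalog below is a
transcription of the deck's "Example Baselines" table; the asset record and
the scoping/tailoring decisions are constructed for illustration.
"""
from copy import deepcopy

# Baseline catalog keyed by classification level. Each control area lists
# the controls that must be in place at that level.
BASELINE_CATALOG = {
    "High": {
        "access": {"strong passwords", "owner approval", "nda"},
        "encryption": {"creation", "data-in-motion", "data-at-rest"},
        "labeling": {"electronic watermark", "physical watermark"},
        "monitoring": {"real-time siem"},
    },
    "Medium": {
        "access": {"passwords", "owner approval"},
        "encryption": {"data-in-motion"},
        "labeling": set(),
        "monitoring": {"timely"},
    },
    "Low": {
        "access": {"owner approval"},
        "encryption": set(),
        "labeling": set(),
        "monitoring": set(),
    },
}


def scope(baseline, not_applicable):
    """Scoping: remove controls that do not apply to this system.

    `not_applicable` maps a control area to the controls to drop, e.g.
    {"labeling": {"physical watermark"}} for a system with no paper output.
    The catalog itself is never modified; the decision is recorded per asset.
    """
    scoped = deepcopy(baseline)
    for area, removed in not_applicable.items():
        scoped[area] = scoped.get(area, set()) - removed
    return scoped


def tailor(baseline, adjustments):
    """Tailoring: alter (or add) controls so the baseline fits more specifically.

    `adjustments` maps a control area to {old: new}; old=None adds a control.
    """
    tailored = deepcopy(baseline)
    for area, changes in adjustments.items():
        controls = tailored.setdefault(area, set())
        for old, new in changes.items():
            if old is not None:
                controls.discard(old)
            if new is not None:
                controls.add(new)
    return tailored


def gaps(asset, baseline):
    """Return {area: controls the asset is missing} against its baseline."""
    applied = asset["controls"]
    return {
        area: required - applied.get(area, set())
        for area, required in baseline.items()
        if required - applied.get(area, set())
    }


def check_asset(asset, catalog=BASELINE_CATALOG, not_applicable=None, adjustments=None):
    """Derive the baseline from the classification, scope and tailor it,
    then report what the asset still lacks."""
    baseline = catalog[asset["classification"]]
    baseline = scope(baseline, not_applicable or {})
    baseline = tailor(baseline, adjustments or {})
    return gaps(asset, baseline)


# Constructed sample asset: a High-classified customer database.
CUSTOMER_DB = {
    "name": "customer-db",
    "classification": "High",
    "controls": {
        "access": {"strong passwords", "owner approval", "nda"},
        "encryption": {"data-at-rest", "data-in-motion"},
        "labeling": {"electronic watermark"},
        "monitoring": {"real-time siem"},
    },
}

if __name__ == "__main__":
    # Unscoped: the asset lacks "creation" encryption and a physical watermark.
    print(check_asset(CUSTOMER_DB))
    # Scoped: a database with no paper output has no use for a physical
    # watermark, so that control is removed (with a documented reason).
    print(check_asset(CUSTOMER_DB, not_applicable={"labeling": {"physical watermark"}}))
```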
Case: Standards Selection Review
INSTRUCTIONS
Working on your own, review your assigned standards and prepare
to introduce them to the rest of the class

73
CSIS 20 Critical Security Controls Initiative
The five “critical tenets”:

• Offense Informs Defense
• Prioritization
• Metrics
• Continuous Monitoring
• Automation

74
Current List of Critical Security Controls – Version 5.1

A list of critical security controls developed by the Council on
CyberSecurity.

For more information see their white paper here:

https://www.cisecurity.org/documents/CSC-MASTER-VER5.1-10.7.2014.pdf

75
NIST Security Content Automation Protocol (SCAP)

• Suite of specifications
• Multi-purpose framework of specifications

76
SCAP Version 1.2 Categories

• Languages
• Reporting Formats
• Enumerations
• Measurement and Scoring Systems
• Integrity

77
Framework for Improving Critical Infrastructure Cybersecurity
Common taxonomy for organizations to
• Describe their current cybersecurity posture
• Describe their target state for cybersecurity
• Identify and prioritize opportunities for improvement within the
context of a continuous and repeatable process
• Assess progress toward the target state
• Communicate among internal and external stakeholders about
cybersecurity risk

78
Framework Components
Framework Core is a set of cybersecurity activities, desired
outcomes, and applicable references that are common across
critical infrastructure sectors.

79
Framework Components (continued)

• Framework Implementation Tiers
• Framework Profile

80
Data States

• Data at Rest
• Data in Motion
• Data in Use

81
Protection of Data
• Data protection involves data at rest, in motion, and in use

• But always based on classification

82
Data at Rest

The protection of stored data is often a key requirement for an
organization’s sensitive information

Backup data, off-site storage, password files, and many other types
of sensitive information need to be protected

This is typically done through the use of cryptographic algorithms

83
Data at Rest – Description of Risk
Malicious actors may
• Affect confidentiality, integrity, and availability
• Examples:
o Gain unauthorized physical or logical access to assets
o Transfer information from the device to an attacker’s system
o Perform other actions that jeopardize the confidentiality of the
information on a device

84
Data at Rest – Recommendations

Implement controls such as encryption, access controls, and redundancy

Develop and test an appropriate Data Recovery Plan

Use compliant encryption algorithm and tools

Whenever possible, use AES for the encryption algorithm because of its
strength and speed

Follow strong password requirements

Do not use the same password from other systems

85
Data at Rest – Recommendations (continued)

Use a secure password management tool to store sensitive information
such as passwords and recovery keys

Where passwords need to be shared with other users, ensure that
passwords are sent separately from the encrypted file

Do not write down the password and store it at the same location
as the storage media

86
Data at Rest – Recommendations (continued)

• After the valuable data is copied to a removable media:


o Verify that the removable media works by following instructions to
read the encrypted valuable data
o If applicable, securely delete unencrypted valuable data following
secure deletion guidelines
• Removable media should be labeled with:
o Title
o Data owner
o Encryption date

87
Data in Transit
Prevent the contents of the message from being revealed even
if the message itself is intercepted while in transit

88
Link Encryption
• Link encryption encrypts all of the data along a communications
path
• Performed by service providers

89
End-to-End Encryption
• Data is encrypted at the start of the transmission and remains
encrypted until decrypted at the remote end
• Although data remains encrypted throughout the network,
routing information needs to be visible

90
Comparison of End-to-End and Link Encryption

91
Data in Transit – Description of Risk
Malicious actors may intercept or monitor plaintext data
transmitting across network and gain unauthorized access
that jeopardizes confidentiality, integrity, or availability.

92
Data in Transit – Recommendations
• Valuable data must be encrypted when transmitted across
any network
• Email is not considered secure and must not be used to
transmit valuable data

93
Data in Transit – Recommendations (continued)

Where a device is reachable via web interface, web traffic must be
transmitted over secure network protocols, using only strong
security such as SSLv3, and TLS v1.1 or v1.2
(Note: since these slides were written, SSLv3 and TLS 1.0/1.1 have
been formally deprecated by RFC 7568 and RFC 8996; current practice
is TLS 1.2 or later.)

Valuable data transmitted over email must be secured using
cryptographically strong email encryption tools such as PGP
or S/MIME

94
Data in Transit – Recommendations (continued)

Non-web valuable data traffic should be encrypted via
application-level encryption

Where an application database resides outside the application server,
all connections between the database and application should be
encrypted using FIPS-compliant cryptographic algorithms

95
Data in Transit – Recommendations (continued)

Where application-level encryption is not available for non-web
valuable data traffic, implement network-level encryption such as
IPSec or SSH tunneling

Encryption should be applied when transmitting valuable data
between devices in protected subnets with strong firewall controls

Good access controls to limit access should also be used

Redundancy controls need to be applied

96
Data in Use

Can be particularly challenging to protect as data in use typically is
in clear text

Data being processed on an architecture may be at risk, depending on
the vulnerabilities of the architecture

If the application processing the data or the architecture is
insecure, so is the data

97
Data in Use – Recommendations

Concept of “enclave” protection is recommended

Secure dedicated portions of memory where the processing actually
happens

Enclaves are isolated from other components of the architectures

98
Activity: Data at Rest/Data in Transit Comparison
INSTRUCTIONS
Working with a partner, complete the following table.

For each of Data at Rest and Data in Transit, fill in:
• Definition
• Risk Profile
• Recommendations (list at least two)
99
Examples of Insecure Network Protocols and Their Secure Alternatives

Action: Instead of this … use these …
• Web Access: HTTP … HTTPS
• File Transfer: FTP, RCP … FTPS, SFTP, SCP
• Remote Shell: telnet … SSH v3
• Remote Desktop: VNC … radmin, RDP

(Note: the current SSH protocol version is SSH-2; no version 3 of the
protocol exists.)

100
Picking Encryption Algorithms
• Always choose the encryption algorithms that support longer
key lengths, as they generally provide stronger protection
• Since passwords are often used to control the keys within the
cryptosystem, long complex passphrases are stronger than
shorter passphrases

101
Wireless Connections
When connecting to wireless networks to access a system
handling valuable data, only connect to wireless networks
employing cryptographically strong wireless encryption
standards such as WPA2.

102
Module 7
Information and Asset Handling Requirements

103
Module Objectives

1. Understand how media requires controls to protect its content
2. Understand labeling and marking requirements of assets that have
been classified
3. Understand how the handling of media and assets that have been
classified should be allowed only to those that are authorized
4. Understand how storage, retention, and destruction of assets is
dictated by classification

104
Media

Media storing sensitive information requires physical and logical
controls

Media lacks the means for digital accountability when the data is
not encrypted

For this reason, extensive care must be taken when handling
sensitive media

105
Marking

Storage media should have a physical label, identifying the
sensitivity of the information contained

The label should clearly indicate if the media is encrypted

The label may also contain information regarding a point of
contact and a retention period

When media is found or discovered without a label, it should be labeled
at the highest level of sensitivity until the analysis reveals otherwise

106
Handling

Only designated personnel should have access to sensitive media

Policies and procedures describing the proper handling of
sensitive media should be communicated

Individuals responsible for managing sensitive media should be
trained on the policies and procedures

107
Storing
• Sensitive media should not be left lying about where
a passerby could access it.
• Whenever possible, backup media should be encrypted
and stored in a security container.

108
Destruction
Media that is no longer needed or is defective should be
defensibly destroyed rather than simply disposed of.

109
Record Retention
• Information and data should be kept only as long as it is
required
• Ensure that:
o The organization understands the retention requirements for
different types of data throughout the organization
o The organization documents in a record’s schedule the retention
requirements for each type of information
o The systems, processes, and individuals of the organization retain
information in accordance with the schedule but not longer

110
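Added example, not part of the course materials: a small Python retention check that applies a records schedule to sample records, flagging records held past their retention period (retain "in accordance with the schedule but not longer") and records whose disposal is blocked by a legal hold; the schedule, record types, hold list and dates are constructed assumptions.

```python
"""Retention-schedule review: which records are due for disposition.

Added example, not from the CISSP course materials. The schedule, record
types, sample records and the review date are constructed for illustration.
"""
from datetime import date

# Constructed records schedule: retention period in years per record type,
# counted from the record's creation date. Every type in use must appear.
RETENTION_SCHEDULE = {
    "invoice": 7,
    "hr-file": 6,
    "web-log": 1,
}

# Constructed "today" so the example gives stable results.
REVIEW_DATE = date(2024, 6, 1)


def add_years(d, years):
    """Move `d` forward by `years`, clamping 29 Feb to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition_date(record, schedule=RETENTION_SCHEDULE):
    """Date from which the record should be archived or destroyed."""
    return add_years(record["created"], schedule[record["type"]])


def review(records, today, schedule=RETENTION_SCHEDULE, legal_holds=()):
    """Sort records into 'retain', 'dispose' and 'hold'.

    - retain:  retention period not yet reached
    - dispose: period reached and no hold applies (keep "but not longer")
    - hold:    period reached, but a legal hold on the record id blocks disposal
    A record type missing from the schedule raises KeyError rather than
    being silently kept forever.
    """
    holds = set(legal_holds)
    result = {"retain": [], "dispose": [], "hold": []}
    for rec in records:
        if rec["type"] not in schedule:
            raise KeyError(f"no retention rule for record type {rec['type']!r}")
        due = disposition_date(rec, schedule)
        if today < due:
            result["retain"].append(rec["id"])
        elif rec["id"] in holds:
            result["hold"].append(rec["id"])
        else:
            result["dispose"].append(rec["id"])
    return result


# Constructed sample records.
SAMPLE_RECORDS = [
    {"id": "INV-1001", "type": "invoice", "created": date(2015, 3, 1)},
    {"id": "INV-1002", "type": "invoice", "created": date(2019, 3, 1)},
    {"id": "HR-77", "type": "hr-file", "created": date(2016, 2, 29)},
    {"id": "LOG-2023-01", "type": "web-log", "created": date(2023, 1, 15)},
]

if __name__ == "__main__":
    # HR-77 is past its period but under a (constructed) legal hold.
    print(review(SAMPLE_RECORDS, today=REVIEW_DATE, legal_holds=["HR-77"]))
```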
Module 8
Data Remanence

111
Module Objectives

1. Understand data remanence and its impact on the value of assets.
2. Explain the various options in addressing data remanence, including
clearing, purging, and destruction.
3. Explain methods used to clear, purge, and destroy data.

112
Data Remanence
• The residual physical representation of data that has been in
some way erased
• After storage media is erased, there may be some physical
characteristics that allow data to be reconstructed

113
Data Remanence (continued)
• On a hard disk drive (HDD), the data is magnetically written onto
the drive by altering the magnetic field of the hard drive platter
• Solid-state drives (SSDs) use flash memory to store data
• Three commonly accepted countermeasures employed to
address data remanence in HDDs:
o Clearing
o Purging
o Destruction

114
Clearing
• The removal of sensitive data from storage devices so there is
assurance that the data may not be reconstructed using normal
system functions or software file/data recovery utilities
• The data may still be recoverable but not without special
laboratory techniques

115
Purging
The removal of sensitive data from a system or storage device with
the intent that the data cannot be reconstructed by any known
technique.

116
Destruction

The storage media is made unusable for conventional equipment

Effectiveness of destroying the media varies

Destruction using appropriate techniques is the most secure method
of preventing retrieval and referred to as “defensible destruction”

117
Data Destruction Methods

• Overwriting
• Degaussing
• Encryption

118
Media Destruction – Defensible Destruction
• Physically breaking the media apart
• Chemically altering the media into a non-readable, non-reverse-
constructible state
• Phase transition
• For magnetic media, raising its temperature above the Curie
Temperature

119
Solid-State Drives (SSDs)
• SSDs use flash memory for data storage and retrieval
• Flash memory differs from magnetic memory in one key way:
flash memory cannot be overwritten

120
Solid-State Drive (SSD) Data Destruction

Unlike HDDs, overwriting is not effective for SSDs

SSD manufacturers include built-in sanitization commands that
are designed to internally erase the data on the drive

Cryptographic erasure, or crypto-erase, takes advantage of the
SSD’s built-in data encryption

The best data destruction method is a combination of
crypto-erase, sanitization, and targeted overwrite passes

121
Cloud-Based Data Remanence
• Little to no visibility into the management and security of the
data in many cases
• PaaS-based architectures can actually provide a solution for the
issues raised by data remanence in the cloud
• Crypto-Erase / Crypto Shredding

122
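Added example, not from the course materials, illustrating the crypto-erase (crypto shredding) idea from the SSD and cloud remanence slides: data on a medium the organization cannot reliably wipe stays encrypted, and sanitization consists of destroying the key. The SHA-256 counter-mode stream cipher is a constructed stand-in for the drive's or provider's AES so the example needs no third-party library; the tenant, file and key store are assumptions.

```python
"""Crypto-erase demonstration: destroy the key, not the ciphertext.

Added example, not from the CISSP course materials. The keystream cipher
below is a constructed SHA-256 counter-mode illustration standing in for
AES; it is NOT a production cipher. Tenant, file and key store are constructed.
"""
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """Keystream of SHA-256(key || nonce || counter) blocks (illustrative)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Encrypt under a fresh nonce; returns nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag (wrong key or tampering fails here), then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


class EncryptedStore:
    """Every object is encrypted under a per-tenant data key.

    `blobs` models the medium (SSD cells, a provider's object store) whose
    remanence the organization cannot control; `keys` models the key store
    it does control. Crypto-erase acts only on `keys`.
    """

    def __init__(self):
        self.keys = {}
        self.blobs = {}

    def provision(self, tenant):
        self.keys[tenant] = os.urandom(32)

    def put(self, tenant, name, data):
        self.blobs[(tenant, name)] = encrypt(self.keys[tenant], data)

    def get(self, tenant, name):
        if tenant not in self.keys:
            raise KeyError(f"data key for {tenant!r} has been destroyed")
        return decrypt(self.keys[tenant], self.blobs[(tenant, name)])

    def crypto_erase(self, tenant):
        """Make the tenant's data unrecoverable by destroying its key; the
        ciphertext remains on the medium but is unreadable without the key."""
        del self.keys[tenant]


def demo():
    """Returns (plaintext before erase, blob still stored, readable after,
    decryptable with a guessed key, plaintext visible in the blob)."""
    store = EncryptedStore()
    store.provision("acme")
    store.put("acme", "customers.csv", b"id,name\n1,Alice\n2,Bob\n")
    before = store.get("acme", "customers.csv")
    store.crypto_erase("acme")
    blob = store.blobs[("acme", "customers.csv")]
    try:
        store.get("acme", "customers.csv")
        readable = True
    except KeyError:
        readable = False
    try:
        decrypt(b"\x00" * 32, blob)  # a guessed key fails authentication
        forged = True
    except ValueError:
        forged = False
    return before, True, readable, forged, b"Alice" in blob


if __name__ == "__main__":
    print(demo())
```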
Module 9
Domain Review

123
Domain Summary

• Asset Security is all about the protection of valuable assets to an
organization as those assets go through their lifecycle. Protection
will always be done based on value.
• The value of the asset is expressed by its classification level that is
initiated by the owner. The value must be monitored as the asset
goes through its lifecycle.
• Classification, therefore, protects the asset based on its value. To
protect the asset based on its classification, we need to implement
baselines of minimum levels of security for each of the
classification levels.

124
Domain Summary (continued)
• To properly protect valuable assets, such as information, an
organization requires the careful and proper implementation
of ownership and classification processes that can ensure the
assets receive the level of protection based on their value to
the organization.

125
Domain Summary (continued)
• The enormous increase in the collection of personal information by organizations has resulted in a corresponding increase in the importance of privacy considerations, and privacy protection constitutes an important part of the asset security domain. Individual privacy protection in the context of asset security includes the concepts of asset owners and custodians, processors, remanence, and limitations on collection and storage of valuable assets such as information. This also includes the important issue of retention as it relates to legal and regulatory requirements to the organization.

126
Domain Summary (continued)
• Appropriate security controls must be chosen to protect the asset as it goes through its lifecycle, keeping in mind the requirements of each of the lifecycle phases and the handling requirements throughout. The security professional therefore needs to understand and apply baselines, scoping and tailoring, standards selection, and the selection of proper controls. This also requires the protection of data in its different states: data at rest, data in motion, and data in use. Encryption can be an effective tool in protecting all three states.
• The asset lifecycle should end with the asset and its data being destroyed securely; this is referred to as defensible destruction.

127
Domain Review Questions
1. How can an asset classification program improve the organization’s ability to achieve its goals and objectives?
A. By meeting the requirements imposed by the audit function
B. By controlling changes to production environments
C. By enhancing ownership principles
D. By specifying controls to protect valuable assets

128
Answer
The correct answer is D.
Asset classification is implemented to allow the organization to protect assets based on the value of those assets, which is expressed by the classification level. Protection of assets, including information, is always done based on value; asset classification therefore not only portrays an asset’s value but also defines its protection requirements.

129
Domain Review Questions
2. What is the correct order of the asset lifecycle phases?
A. Create, use, share, store, archive, and destroy
B. Create, share, use, archive, store, and destroy
C. Create, store, use, share, archive, and destroy
D. Create, share, archive, use, store, and destroy

130
Answer
The correct answer is C.
This is the correct order of the lifecycle phases of assets: create, store, use, share, archive, and destroy, according to the data security lifecycle published on the Securosis blog. Asset classification, therefore, needs to be able to protect assets in whatever phase they are in.

131
Domain Review Questions
3. Which of the following is the BEST definition of defensible destruction?
A. The destruction of assets using defense approved methods
B. The destruction of assets using a controlled, legally defensible, and compliant way
C. The destruction of assets without the opportunity of the recovery of those assets
D. The destruction of assets using a method that may not allow attackers to recover data

132
Answer
The correct answer is B.
Defensible destruction, which should end the asset lifecycle, is the elimination of data in a controlled, legally defensible, and regulatory-compliant way. Option C describes a desired outcome rather than the definition: what makes destruction defensible is that the organization can demonstrate it followed a documented, compliant process.

133
Domain Review Questions
4. In an environment where asset classification has been implemented to address the requirements of privacy protection, who in the following list is considered to be the “owner” and, therefore, has the accountability to ensure that the requirements for protection and compliance are addressed properly?
A. Data processor
B. Data subject
C. Data controller
D. Data steward

134
Answer
The correct answer is C.
In privacy legislation such as the GDPR, accountability for protecting a data subject’s personal information is assigned to the data controller, the party that determines the purposes and means of processing. The controller acts as the “owner” and therefore has the accountability to protect the data according to legislative and legal requirements; a processor acts only on the controller’s instructions.

135
Domain Review Questions
5. Which of the following is NOT an Organization for Economic Cooperation and Development (OECD) principle of privacy protection?
A. Collection Limitation Principle
B. Right to be Forgotten Principle
C. Use Limitation Principle
D. Accountability Principle

136
Answer
The correct answer is B.
The right to be forgotten is not one of the principles in the OECD guidelines for privacy protection (those are collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability). It has been part of privacy law in Europe and Argentina since 2006 and is codified as the right to erasure in Article 17 of the General Data Protection Regulation (GDPR), in force since May 2018.

137
Domain Review Questions
6. Effective data retention in an organization requires all of the following EXCEPT:
A. Policy
B. Awareness, education, training
C. Understanding of requirements related to compliance
D. Data steward

138
Answer
The correct answer is D.
A data steward may be involved in the proper protection of assets but is NOT a prerequisite for implementing effective data retention in the organization. The other three answers are critical to addressing any important requirement, including retention.

139
Domain Review Questions
7. Which of the following is NOT an objective of baseline security controls used in protecting assets?
A. Specific steps that must be executed
B. Minimum level of security controls
C. May be associated with specific architectures and systems
D. A consistent reference point

140
Answer
The correct answer is A.
Specific steps that must be executed are examples of procedures, not baselines. A baseline is a minimum level of security that must be achieved, serves as a consistent reference point, and may be specific to certain architectures and systems.

141
Domain Review Questions
8. Which of the following is the BEST definition of “scoping”?
A. Altering baselines to apply more specifically
B. Modifying assumptions based on previous learned behavior
C. Limiting general baseline recommendations by removing those that do not apply
D. Responsible protection of assets based on goals and objectives

142
Answer
The correct answer is C.
Limiting general baseline recommendations by removing those that do not apply is “scoping”: the controls that remain are the ones relevant to the environment and the assets being protected. Tailoring (option A), by contrast, adjusts the controls that remain so that they fit the specific system.

143
Domain Review Questions
9. Which of the following is the BEST definition of an asset?
A. A hardware system in a data center
B. People in specific valuable environments
C. Software running in a categorized environment
D. Any item perceived as having value

144
Answer
The correct answer is D.
Even though A, B, and C may be considered to be assets, the question is asking for the best definition, not examples. An asset is anything that has value to the organization.

145
Domain Review Questions

10. Which of the following is NOT an example of a data state?

A. Data in motion
B. Data in use
C. Data in storage
D. Data at rest

146
Answer
The correct answer is C.
Data in storage is at most an example of data at rest, which is the correct term for that data state. The three valid data states are data in motion, data at rest, and data in use. It is important to protect data in all three states, and of course always based on value.

147
