Home > Articles

This chapter is from the book

This chapter is from the book

CISSP Cert Guide, 4th EditionCISSP Cert Guide, 4th Edition

Learn More Buy

This chapter is from the book

This chapter is from the book

CISSP Cert Guide, 4th EditionCISSP Cert Guide, 4th Edition

Learn More Buy

Data Security Controls

Now it is time to discuss the data security controls that organizations must consider as part of a comprehensive security plan. Security professionals must understand the following as part of data security controls: data security, data states (data at rest, data in transit, and data in use), data access and sharing, data storage and archiving, baselines, scoping and tailoring, standards selection, and cryptography.

Data Security

Data security includes the procedures, processes, and systems that protect data from unauthorized access. Unauthorized access includes unauthorized digital and physical access. Data security also protects data against any threats that can affect data confidentiality, integrity, or availability.

To provide data security, an organization should implement security using a defense-in-depth strategy, as discussed in Chapter 1. If a single layer of access is not analyzed, then data is at risk. For example, you can implement authentication mechanisms to ensure that users must authenticate before digitally accessing the network. But if you do not have the appropriate physical security controls in place to prevent unauthorized access to your facility, an attacker can easily gain access to your network just by connecting an unauthorized device to the network.

Security professionals should make sure their organization implements measures and safeguards for any threats that have been identified. In addition, security professionals must remain vigilant and constantly be on the lookout for new threats.

Data States

Three basic data states must be considered as part of asset security. These three states are data at rest, data in transit, and data in use. Security professionals must ensure that controls are implemented to protect data in all three of these states.

Data at Rest

Data at rest is data that is being stored and not being actively used at a certain point in time. While data is at rest, security professionals must ensure that the confidentiality, integrity, and availability of the data are ensured. Confidentiality can be provided by implementing data encryption. Integrity can be provided by implementing the appropriate authentication mechanisms and ACLs so that only authenticated, authorized users can edit data. Availability can be provided by implementing a fault-tolerant storage solution, such as RAID.

Data in Transit

Data in transit is data that is being transmitted over a network or sent via a physical medium, like a DVD or flash drive. While data is being transmitted, security professionals must ensure that the confidentiality, integrity, and availability of the data are ensured. Confidentiality can be provided by implementing link encryption or end-to-end encryption. As with data at rest, authentication and ACLs can help with data integrity of data in transit. Availability can be provided by implementing server farms and dual backbones.

Data in Use

Data in use is data that is being accessed or manipulated in some way. Data manipulation includes editing the data and compiling the data into reports. The main issues with data in use are to ensure that only authorized individuals have access to or can read the data and that only authorized changes are allowed to the data. Confidentiality can be provided by using privacy or screen filters to prevent unauthorized individuals from reading data on a screen. It can also be provided by implementing a document shredding policy for all reports that contain PII, PHI, proprietary data, or other confidential information. Data integrity can be provided by implementing the appropriate controls on the data. Data locks can prevent data from being changed, and data rules can ensure that changes occur only within defined parameters. For certain data types, organizations may decide to implement two-person controls to ensure that data changes are entered and verified. Availability can be provided by using the same strategies as used for data at rest and data in transit. In addition, organizations may wish to implement locks and views to ensure that users needing access to data obtain the most up-to-date version of that data. Data in use is the most difficult data to protect.

Data Access and Sharing

Personnel must be able to access and share data in their day-to-day duties. This data usage starts when the data owner approves access for a user. The data custodian then gives the user the appropriate permissions for the data. But these two steps are an oversimplification of the process. Security professionals must ensure that the organization understands issues such as the following:

  • Are the appropriate data policies in place to control the access and use of data?

  • Do the data owners understand the access needs of the users?

  • What are the different levels of access needed by the users?

  • Which data formats do the users need?

  • Are there subsets of data that should have only restricted access for users?

  • Of the data being collected, is there clearly identified private versus public data?

  • Is data being protected both when it is at rest and when it is in transit?

  • Are there any legal or jurisdictional issues related to data storage location, data transmission, or data processing?

While the data owners and data custodians work together to answer many of these questions, security professionals should be involved in guiding them through this process. If a decision is made to withhold data, the decision must be made based on privacy, confidentiality, security, or legal/regulatory restrictions. The criteria by which these decisions are made must be recorded as part of an official organizational data policy.

Data Storage and Archiving

Data storage and archiving are related to how an organization stores data—both digital data and physical data in the form of hard copies. It is very easy for data to become outdated. Once data is outdated, it is no longer useful to the organization.

Although data storage used to be quite expensive, it has become cheaper in recent years. Security professionals should work with data owners and data custodians to help establish a data review policy to ensure that data is periodically reviewed to determine whether it is needed and useful for the organization. Data should be archived in accordance with data retention policies and schedules. Data that is no longer needed or useful for the organization should be properly destroyed. The exception is data that has been archived and must be kept for a certain duration based on a set retention policy period, especially data that may be on legal hold.

Note

Data retention is a set of rules within an organization that dictates types of unaltered data that must be kept and for how long. Archiving is the process of securely storing unaltered data for later potential retrieval. Data should be retained in accordance with a documented schedule, stored securely in accordance with its classification, and securely disposed of at the end of the retention period.

When considering data storage and archiving, security professionals need to ensure that the different aspects of storage are properly analyzed to ensure appropriate deployment. This includes analyzing server hardware and software, database maintenance, data backups, and network infrastructure. Each part of the digital trail that the data will travel must be understood so that the appropriate policies and procedures can be put into place to ensure asset privacy.

Data that is still needed and useful to the organization should remain in primary storage for easy access by users. Data marked for archiving must be moved to some sort of backup media or secondary storage. Organizations must determine the form of data archive storage that will best suit their needs. For some business units in the organization, it may be adequate to archive the data to magnetic tape or optical media, such as DVDs. With these forms of storage, restoring the data from the archive can be a laborious process. For business units that need an easier way to access the archived data, some sort of solid-state or hot-pluggable drive technology may be a better way to go.

No matter which media your organization chooses for archival purposes, security professionals must consider the costs of the mechanisms used and the security of the archive. Storing archived data that has been backed up to DVD in an unlocked file cabinet may be more convenient for a business unit, but it does not provide any protection of the data on the DVD. In this case, the security professional may need to work with the business unit to come up with a more secure storage mechanism for data archives. When data is managed centrally by the IT or data center staff, personnel usually better understand security issues related to data storage and may therefore not need as much guidance from security professionals.

Baselines

One practice that can make maintaining security simpler is to create and deploy standard images that have been secured with security baselines. A baseline is a set of configuration settings that provides a floor of minimum security in the image being deployed. Organizations should capture baselines for all devices, including network devices, computers, host computers, and virtual machines.

Baselines can be controlled through the use of Group Policy in Windows. These policy settings can be made in the image and applied to both users and computers. These settings are refreshed periodically through a connection to a domain controller and cannot be altered by the user. It is also quite common for the deployment image to include all of the most current operating system updates and patches.

When a network makes use of these types of technologies, the administrators have created a standard operating environment. The advantages of such an environment are more consistent behavior of the network and simpler support issues. System scans should be performed weekly to detect changes from the baseline.

Security professionals should help guide their organization through the process of establishing baselines. If an organization implements very strict baselines, it will provide a higher level of security that may actually be too restrictive. If an organization implements a very lax baseline, it will provide a lower level of security that will likely result in security breaches. Security professionals should understand the balance between protecting organizational assets and allowing users access, and they should work to ensure that both ends of this spectrum are understood.

Scoping and Tailoring

Scoping and tailoring are closely tied to the baselines. These processes allow an organization to narrow its focus to identify and address the appropriate risks.

Scoping instructs an organization on how to apply and implement security controls. Baseline security controls are the minimums that are acceptable to the organization. When security controls are selected based on scoping, documentation should be created that includes the security controls that were considered, whether the security controls were adopted, and how the considerations were made.

Tailoring allows an organization to more closely match security controls to the needs of the organization. When security controls are selected based on tailoring, documentation should be created that includes the security controls that were considered, whether the security controls were adopted, and how the considerations were made.

NIST SP 800-53, which is covered extensively in Chapter 1, provides some guidance on tailoring.

Standards Selection

Because organizations need guidance on protecting their assets, security professionals must be familiar with the standards that have been established. Many standards organizations have been formed, including NIST, the U.S. Department of Defense (DoD), and the International Organization for Standardization (ISO).

Note

Standards are covered extensively in Chapter 1. To locate information on a particular NIST or ISO standard, refer to the index.

The U.S. DoD Instruction 8510.01 establishes a certification and accreditation process for DoD information systems.

The ISO organization works with the International Electrotechnical Commission (IEC) to establish many standards regarding information security. The ISO/IEC standards that security professionals need to understand are covered in Chapter 1.

Security professionals may also need to research other standards, including standards from the European Network and Information Security Agency (ENISA), European Union (EU), and U.S. National Security Agency (NSA). It is important that the organization researches the many standards available and apply the most beneficial guidelines based on the organization’s needs.

Data Protection Methods

Data is protected in a variety of ways. Security professionals must understand the different data protection methods and know how to implement them. Data protection methods should include administrative (managerial), logical (technical), and physical controls. All types of controls are covered extensively in Chapter 1.

The most popular method of protecting data and ensuring data integrity is by using cryptography. However, security professionals should also understand Digital Rights Management (DRM), Data Loss Prevention (DLP), and Cloud Access Security Broker (CASB).

Cryptography

Cryptography, also referred to as encryption, can provide different protection based on which level of communication is being used. The two types of encryption communication levels are link encryption and end-to-end encryption.

Note

Cryptography is discussed in greater detail in Chapter 3, “Security Architecture and Engineering.”

Link Encryption

Link encryption encrypts all the data that is transmitted over a link. In this type of communication, the only portion of the packet that is not encrypted is the data-link control information, which is needed to ensure that devices transmit the data properly. All the information is encrypted, with each router or other device decrypting its header information so that routing can occur and then re-encrypting before sending the information to the next device.

If the sending party needs to ensure that data security and privacy are maintained over a public communication link, then link encryption should be used. This is often the method used to protect email communication or when banks or other institutions that have confidential data must send that data over the Internet.

Link encryption protects against packet sniffers and other forms of eavesdropping and occurs at the data link and physical layers of the OSI model. Advantages of link encryption include: All the data is encrypted, and no user interaction is needed for it to be used. Disadvantages of link encryption include: Each device that the data must be transmitted through must receive the key, key changes must be transmitted to each device on the route, and packets are decrypted at each device.

End-to-End Encryption

End-to-end encryption encrypts less of the packet information than link encryption. In end-to-end encryption, packet routing information and packet headers and addresses are not encrypted. As a result, potential hackers can obtain more information if a packet is acquired through packet sniffing or eavesdropping.

End-to-end encryption has several advantages. A user usually initiates end-to-end encryption, which allows the user to select exactly what gets encrypted and how. It affects the performance of each device along the route less than link encryption because every device does not have to perform encryption/decryption to determine how to route the packet.

Digital Rights Management (DRM)

Digital rights management (DRM) is a mechanism that provides copyright protection for copyrighted works. Using DRM, an organization or individual controls the use, modification, and distribution of copyrighted material.

When DRM is deployed, a DRM license is issued to grant access to the copyrighted material. The license defines the user’s terms and usually includes a decryption key for the copyrighted material. DRM has an always-on requirement, also referred to as persistent online authentication, that requires an Internet connection to access the copyrighted material. This authentication mechanism will periodically check the connection to the authentication server and will block the use of the copyrighted material if the connection fails. DRM also provides an audit trail that tracks copyrighted material usage and detects concurrent usages of copyrighted material. Finally, automatic expiration can be used so that copyrighted material can be shared as a subscription that blocks access after a certain date.

Pirating is any method of duplicating and distributing copyrighted works and is used for written material, videos, games, software, and more. DRM can be used to prevent the copying, printing, and forwarding of protected works.

Digital watermarking can be used to detect, but not prevent, copying of protected material. In addition, vendors sometimes insert metadata in the file that helps to identify the original purchaser of the protected content.

Each feature in DRM has advantages and disadvantages. Security professionals should work with management to perform a full risk analysis prior to deploying a DRM solution and include only those features that are needed.

Data Loss Prevention (DLP)

Data loss prevention (DLP) software scans communication to determine whether protected or confidential data is being exfiltrated. If the data being sent violates the DLP allowed rules, then the communication is blocked. The DLP system will look for data patterns or keywords based on the rules that a security administrator configures.

Two types of DLP systems are used: network-based and endpoint-based DLP. Network-based systems exist on a network edge and scan all data leaving the organization’s network. An endpoint-based system exists on an endpoint device, such as a file server, and can be configured to scan all data stored on the endpoint or leaving the endpoint in any manner, including printing and copying to a USB flash drive. Administrators can configure alerts so that any violation results in immediate notification of appropriate personnel.

DLP systems can examine zipped files but cannot decrypt or examine encrypted data. They can, however, scan an internal or cloud network and perform data discovery, which scans all data and reports the location of the data back to administrators. This report can then be used to configure the appropriate DLP rules to protect any newly discovered data. Data discovery scans should be performed on a regular basis.

Cloud Access Security Broker (CASB)

A cloud access security broker (CASB) is an application that monitors activity between users and cloud-based resources to apply the organization’s security policies, including policies that control authentication, authorize access, encrypt stored data, log all access, and alert on suspicious activity. It can also provide authentication controls, authorization controls, activity alerts, and DLP services.

Exam Preparation Tasks

As mentioned in the section “About the CISSP Cert Guide, Fourth Edition” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 9, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep practice test software.

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020