Table 5.1 Security requirements for email

Confidential/Proprietary (highest level of protection for any data):
    Email and attachments must be encrypted with AES 256.
    Email and attachments remain encrypted except when viewed.
    Email can only be sent to recipients within the organization.
    Email can only be opened and viewed by recipients (forwarded emails cannot be opened).
    Attachments can be opened and viewed, but not saved.
    Email content cannot be copied and pasted into other documents.
    Email cannot be printed.

Private (examples include PII and PHI):
    Email and attachments must be encrypted with AES 256.
    Email and attachments remain encrypted except when viewed.
    Can only be sent to recipients within the organization.

Sensitive (lowest level of protection for classified data):
    Email and attachments must be encrypted with AES 256.

Public:
    Email and attachments can be sent in cleartext.
The requirements listed in Table 5.1 are provided as an example only. Any
organization could use these requirements or define other requirements
that work for them.
Identify and Classify Assets
167
Security administrators use the requirements defined in the security policy to identify security controls. For Table 5.1, the primary security control is strong encryption using AES 256. Administrators would identify methodologies making it easy for employees to meet the requirements.
Although it’s possible to meet all of the requirements in Table 5.1, they require implementing other solutions. For example, software company Boldon James sells several products that organizations can use to automate these tasks. Users apply relevant labels (such as confidential, private, sensitive, and public) to emails before sending them. These emails pass through a data loss prevention (DLP) server that detects the labels and applies the required protection.
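As an added example (not from the book and not any vendor's product), the following Python sketch shows how a DLP gateway could evaluate the Table 5.1 rules against an outbound message: it reads the user's label, enforces the "recipients within the organization" rule, and decides whether the mail is encrypted, sent in cleartext, or blocked. The `X-Classification` header name, the internal domain `example.com` and the sample messages are assumptions constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses

ORG_DOMAIN = "example.com"         # assumed internal domain
LABEL_HEADER = "X-Classification"  # assumed header the mail client writes the label into

# Table 5.1 expressed as data: the controls each classification requires.
POLICY = {
    "confidential": {"encrypt": True, "internal_only": True,
                     "rights": ("no-forward", "no-save", "no-copy", "no-print")},
    "private":      {"encrypt": True, "internal_only": True, "rights": ()},
    "sensitive":    {"encrypt": True, "internal_only": False, "rights": ()},
    "public":       {"encrypt": False, "internal_only": False, "rights": ()},
}

def recipients(msg):
    """All To/Cc/Bcc addresses, lower-cased, display names stripped."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(raw) if addr]

def evaluate(raw_message: str) -> dict:
    """Return the gateway decision for one outbound message."""
    msg = message_from_string(raw_message)
    label = (msg.get(LABEL_HEADER) or "").strip().lower()
    if label not in POLICY:
        # Unlabelled or unknown label: fail closed rather than guess a class.
        return {"label": label or None, "action": "quarantine",
                "violations": ["missing or unknown classification label"]}
    controls = POLICY[label]
    violations = []
    if controls["internal_only"]:
        external = [a for a in recipients(msg) if not a.endswith("@" + ORG_DOMAIN)]
        if external:
            violations.append("external recipients: " + ", ".join(external))
    if violations:
        action = "block"
    elif controls["encrypt"]:
        action = "encrypt-aes256"
    else:
        action = "deliver-cleartext"
    return {"label": label, "action": action, "rights": controls["rights"],
            "violations": violations}

# Constructed sample messages (not real traffic).
SAMPLE_PRIVATE_INTERNAL = """From: alice@example.com
To: Bob <bob@example.com>
X-Classification: Private
Subject: Payroll question

Body.
"""
SAMPLE_CONFIDENTIAL_LEAK = SAMPLE_PRIVATE_INTERNAL.replace(
    "X-Classification: Private", "X-Classification: Confidential\nCc: partner@outside.test")
```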
Of course, Boldon James isn’t the only organization that creates and sells
DLP software. Other companies that provide similar DLP solutions include
TITUS and Spirion.
Table 5.1 shows possible requirements that an organization might want to apply to email. However, an organization wouldn’t stop there. Any type of data that an organization wants to protect needs similar security definitions. For example, organizations would define requirements for data stored on assets such as servers, data backups stored onsite and offsite, and proprietary data.
Additionally, identity and access management (IAM) security controls help ensure that only authorized personnel can access resources. Chapter 13, “Managing Identity and Authentication,” and Chapter 14, “Controlling and Monitoring Access,” cover IAM security controls in more depth.
WannaCry ransomware
You may remember the WannaCry ransomware attack starting on May 12, 2017. It quickly
spread to more than 150 countries, infecting more than 300,000 computers and crippling
hospitals, public utilities, and large organizations in addition to many regular users. As
with most ransomware attacks, it encrypted data and demanded victims pay a ransom
between $300 and $600.
Even though it spread quickly and infected so many computers, it wasn’t a success for the criminals. Reports indicate the number of ransoms paid was relatively small compared to the number of systems infected. The good news here is that most organizations are learning the value of their data. Even if they get hit by a ransomware attack, they have reliable backups of the data, allowing them to quickly restore it.