CISSP® Official Study Guide, Eighth Edition
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Scoping and Tailoring
Scoping refers to reviewing a list of baseline security controls and selecting only those controls that apply to the IT system you're trying to protect. For example, if a system doesn't allow any two people to log on to it at the same time, there's no need to apply a concurrent session control.
Tailoring refers to modifying the list of security controls within a baseline so that they align with the mission of the organization. For example, an organization might decide that a set of baseline controls applies perfectly to computers in its main location, but some controls aren't appropriate or feasible in a remote office location. In this situation, the organization can select compensating security controls to tailor the baseline to the remote location.
Selecting Standards
When selecting security controls, within a baseline or otherwise, organizations need to ensure that the controls comply with the external security standards that apply to them. External standards typically define compulsory requirements. As an example, the Payment Card Industry Data Security Standard (PCI DSS) defines requirements that businesses must follow to process major credit cards. Similarly, organizations that process the personal data of EU residents, or transfer such data out of the EU, must abide by the requirements of the GDPR.
Obviously, not all organizations have to comply with these standards. Organizations that don't process credit card transactions do not need to comply with PCI DSS, and organizations that do not process EU personal data do not need to comply with GDPR requirements. Organizations need to identify the standards that apply to them and ensure that the security controls they select satisfy those standards.
Even if your organization isn't legally required to comply with a specific standard, using a well-designed community standard can be very helpful. As an example, U.S. government organizations are required to comply with many of the standards published in the NIST SP 800 series. The same documents are used by many organizations in the private sector to help them develop and implement their own security standards.
Summary
Asset security focuses on collecting, handling, and protecting information throughout its lifecycle. This includes sensitive information stored or processed on computing systems or transferred over a network, and the assets used in these processes. Sensitive information is any information that an organization keeps private; it can be divided into multiple classification levels.
A key step in this process is defining classification labels in a security policy or data policy. Governments use labels such as top secret, secret, confidential, and unclassified.
Chapter 5: Protecting Security of Assets (page 188)
Nongovernment organizations can use any labels they choose. The key is that they define the labels in a security policy or a data policy. Data owners (typically senior management personnel) provide the data definitions.
Organizations take specific steps to mark, handle, store, and destroy sensitive information and hardware assets, and these steps help prevent the loss of confidentiality due to unauthorized disclosure. Additionally, organizations commonly define specific rules for record retention to ensure that data is available when it is needed. Data retention policies also reduce liabilities resulting from keeping data for too long.
A key method of protecting the confidentiality of data is encryption. Symmetric encryption algorithms (such as AES) protect data at rest (stored on media). Transport encryption protocols (such as TLS) protect data in transit by encrypting it before it is transmitted. Applications protect data in use by holding it only in temporary memory buffers and clearing those buffers when the application no longer needs the data.
Personnel can fulfill many different roles when handling data. Data owners are ultimately responsible for classifying, labeling, and protecting data. System owners are responsible for the systems that process the data. Business and mission owners own the processes and ensure that the systems provide value to the organization. Data processors are often third-party entities that process data for an organization. Administrators grant access to data based on guidelines provided by the data owners. A custodian is delegated day-to-day responsibilities for properly storing and protecting data. A user (often called an end user) accesses data on a system.
The EU General Data Protection Regulation (GDPR) mandates protection of personal data and restricts its transfer out of the EU. A data controller can hire a third party to process data, and in this context the third party is the data processor. Data processors have a responsibility to protect the privacy of the data and not to use it for any purpose other than the one directed by the data controller. Two key security controls mentioned in the GDPR are encryption and pseudonymization. Pseudonymization refers to replacing identifying data with pseudonyms so that the data can no longer be attributed to a specific person without additional information (such as a key or lookup table), which must be kept separately.
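Pseudonymization as summarized above, carried into working code. This is an added example and not code from the Study Guide or from any regulatory text: it assumes a keyed HMAC-SHA256 construction, a constructed record schema with `email` and `national_id` as the direct identifiers, constructed sample records, and the helper names `pseudonym`, `pseudonymize`, `reidentify` and `demo`, none of which come from the page.

```python
"""Keyed pseudonymization of direct identifiers in a record set.

Added example, not from the CISSP Official Study Guide. Identifying fields
are replaced by tokens that cannot be attributed to a person without
"additional information" (an HMAC key plus a re-identification table) that
is held separately from the data. Schema, records and key are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

# Direct identifiers to replace; all other fields are left in place so the
# pseudonymized data stays usable for analytics. (Assumed schema.)
IDENTIFIER_FIELDS = ("email", "national_id")


def _normalize(field: str, value: str) -> str:
    """Canonicalize a value so the same person always yields the same token."""
    value = value.strip()
    if field == "email":
        value = value.lower()
    return value


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256(key, field || 0x00 || value).

    A keyed MAC rather than a plain hash means someone holding only the
    pseudonymized data set cannot reverse a token by hashing guessed emails
    or ID numbers; the key is needed too. Binding the field name in keeps an
    email token and a national_id token from ever colliding. The digest is
    truncated to 128 bits for shorter tokens.
    """
    msg = field.encode() + b"\x00" + _normalize(field, value).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize(records: Iterable[Dict[str, str]], key: bytes
                 ) -> Tuple[List[Dict[str, str]], Dict[str, Tuple[str, str]]]:
    """Return (pseudonymized records, re-identification table).

    The table maps token -> (field, original value). Together with the key it
    is the "additional information" that must be stored apart from the data
    set, under its own access controls.
    """
    out: List[Dict[str, str]] = []
    lookup: Dict[str, Tuple[str, str]] = {}
    for rec in records:
        new = dict(rec)
        for field in IDENTIFIER_FIELDS:
            if field in new:
                token = pseudonym(key, field, new[field])
                lookup[token] = (field, _normalize(field, new[field]))
                new[field] = token
        out.append(new)
    return out, lookup


def reidentify(token: str, lookup: Dict[str, Tuple[str, str]]) -> str:
    """Controller-side reversal; only possible with the separately held table."""
    return lookup[token][1]


# Constructed sample data (not real people). Records 0 and 1 are the same
# person written two ways, to show that linkability survives pseudonymization.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "national_id": "AB123456",
     "plan": "gold", "monthly_spend": "120"},
    {"email": "alice@example.com ", "national_id": "AB123456",
     "plan": "gold", "monthly_spend": "95"},
    {"email": "bob@example.com", "national_id": "CD987654",
     "plan": "basic", "monthly_spend": "20"},
]


def demo(key: Optional[bytes] = None) -> Dict[str, object]:
    """Run the pipeline on the sample data and return the properties to check."""
    key = key or secrets.token_bytes(32)  # generated fresh; never stored with the data
    pseudo, lookup = pseudonymize(SAMPLE_RECORDS, key)
    return {
        "records": pseudo,
        # same person -> same token, so counts and joins still work
        "same_person_links": pseudo[0]["email"] == pseudo[1]["email"],
        "different_people_differ": pseudo[0]["email"] != pseudo[2]["email"],
        # no raw identifier survives in the released data
        "no_raw_identifiers": all("@" not in r["email"] for r in pseudo),
        # without this key, the same input yields an unrelated token
        "other_key_differs": pseudonym(secrets.token_bytes(32), "email",
                                       "alice@example.com") != pseudo[0]["email"],
        "reidentified": reidentify(pseudo[0]["email"], lookup),
    }


if __name__ == "__main__":
    result = demo()
    for r in result["records"]:
        print(r)
    print({k: v for k, v in result.items() if k != "records"})
```

Running the block prints the pseudonymized records and the checks `demo()` returns: Alice's two records map to one token, Bob's token differs, no raw identifier remains, and a different key yields an unrelated token. The key and the re-identification table are the separately held information the GDPR definition turns on; if they sit next to the released data set, the data is effectively not pseudonymized at all.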
Security baselines provide a set of security controls that an organization can implement as a secure starting point. Some publications (such as NIST SP 800-53) identify security control baselines. However, these baselines don't apply equally to all organizations. Instead, organizations use scoping and tailoring techniques to identify the security controls to implement in their baselines. Additionally, organizations ensure that they implement security controls mandated by external standards that apply to their organization.
Exam Essentials