CISSP Domain 2: Asset Classification Notes

Jul 30, 2024

CISSP Domain 2: Asset Classification Lecture Notes

Introduction

  • Presenter: Rob Witcher
  • Purpose: To review major topics related to asset classification in Domain 2 of the CISSP exam.
  • Asset classification ensures appropriate protection of organizational assets.

Understanding Assets

  • Definition of an Asset: Anything of value to the organization, including:
    • People
    • Buildings
    • Equipment
    • Software
    • Data
    • Intellectual Property
  • Importance of Asset Classification:
    • Focus on classifying all organizational assets, not just data.

Asset Classification Process

  1. Creating an Asset Inventory:

    • Catalog of all organizational assets.
    • Clearly defined ownership for each asset is critical.
  2. Determining Asset Value & Classification:

    • Owners determine asset value and appropriate classification.
    • Objective: Identify asset value and determine protection level required.
  3. Classification Levels:

    • Define classes (e.g., public, proprietary, confidential).
    • Classes vary by organization; do not memorize specific schemes.
  4. Documenting Policies and Procedures:

    • Use a data classification policy.
    • Develop standards, procedures, baselines, and guidelines based on that policy.
    • Procedures: Step-by-step instructions for data classification.
    • Baselines: Define minimum security requirements for classes.

Key Concepts

Labeling vs. Marking

  • Labeling: Indicates the classification of an asset (e.g., "Top Secret").
  • Marking: Instructions on how to protect the asset based on its classification.

Categorization

  • Process of assigning assets to defined classes.

Protecting Assets Based on Classification

  • Accountable Roles:
    • Data Owner / Data Controller: Determines classification and ensures protection.
    • Data Processor: Processes data on behalf of the owner (e.g., Cloud Service Provider).
    • Data Custodian: Responsible for technical data management (security, backups).
    • Data Steward: Business role responsible for data governance and data quality.
    • Data Subject: Individual the data relates to.

Protecting Data in Various States

Data at Rest

  • Techniques for Protection:
    • Encryption: Protects data by enciphering it.
    • Access Controls: Multi-factor authentication and logging/monitoring.
    • Backup and Resiliency Controls: To prevent accidental loss or destruction.

Data in Motion

  • Techniques for Protection:
    • End-to-End Encryption: Data is encrypted throughout its journey.
    • Link Encryption: Data is decrypted and re-encrypted at every node along the path, so it exists in plaintext at each node.
    • Onion Routing: Multiple layers of encryption for confidentiality (e.g., Tor).
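As an added illustration of the onion-routing bullet above (this is example code, not part of the lecture), a small Python simulation in which each relay can strip only its own layer, learning the next hop but neither the message nor any deeper layer. The keyed SHA-256 XOR stream is a toy stand-in for a real cipher, and the route and per-hop keys are constructed for the example.

```python
import hashlib
import json

# Toy keyed stream cipher, constructed for this example only (not for real use):
# keystream block i = SHA-256(key || i); XOR is its own inverse, so one function encrypts and decrypts.
def xor_stream(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

# Constructed route and per-hop keys that only the sender and that hop know.
ROUTE = ["relayA", "relayB", "exit"]
HOP_KEYS = {"relayA": b"key-A", "relayB": b"key-B", "exit": b"key-X"}

def build_onion(message: bytes, route, keys) -> bytes:
    """Wrap the message in one layer per hop, innermost (exit) layer first.
    A layer reveals only the next hop's name and an opaque inner blob."""
    inner = message
    for idx in range(len(route) - 1, -1, -1):
        next_hop = route[idx + 1] if idx + 1 < len(route) else None
        layer = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
        inner = xor_stream(keys[route[idx]], layer)
    return inner

def peel_layer(hop: str, onion: bytes, keys):
    """Remove one layer with this hop's key; returns (next hop, inner blob)."""
    layer = json.loads(xor_stream(keys[hop], onion).decode())
    return layer["next"], bytes.fromhex(layer["inner"])

def can_parse_layer(hop: str, blob: bytes, keys) -> bool:
    """True only if this hop's key actually strips a layer from this blob."""
    try:
        peel_layer(hop, blob, keys)
        return True
    except (ValueError, TypeError, KeyError):  # garbage bytes: wrong key for this layer
        return False

def route_onion(onion: bytes, route, keys):
    """Simulate delivery hop by hop and record what each hop learns."""
    learned, blob, hop = {}, onion, route[0]
    while hop is not None:
        next_hop, blob = peel_layer(hop, blob, keys)
        learned[hop] = {"next_hop": next_hop,
                        "reads_message": next_hop is None,
                        "reads_next_layer": can_parse_layer(hop, blob, keys)}
        hop = next_hop
    return learned, blob
```

Running `route_onion(build_onion(b"...", ROUTE, HOP_KEYS), ROUTE, HOP_KEYS)` shows that only the exit reads the message, while each relay learns nothing but its next hop.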

Data in Use

  • Protecting data while it is being accessed or edited by users.
  • Controls: Good access controls, data loss prevention methods, and potential use of homomorphic encryption.

Data Archiving

  • Long-term retention of inactive data.
  • Ensure archived data is protected based on classification policy.

Data Destruction Techniques

  1. Destruction: Physically destroys media.
  2. Purging: Logical or physical techniques make data unrecoverable.
  3. Clearing: Makes data harder to recover, but not impossible to recover.

Data Destruction Methods (Best to Worst)

  • Best: Physical destruction (completely destroy the media).
  • Shredding/drilling.
  • Degaussing: A strong magnetic field that destroys data on magnetic media; it also typically renders the media unusable.
  • Crypto-Shredding: Destroying encryption keys makes data unrecoverable.
  • Overwriting/Wiping: Attempts to replace existing data, but some data may still be recoverable.
  • Worst: Formatting the drive leaves data intact and recoverable.

Periodic Review of Asset Classification

  • Regularly assess and review asset classes and their classifications to keep up with changing laws and business requirements.

Conclusion

  • Overview covered the critical concepts of asset classification for the CISSP exam.
  • Call to Action: Like the video, subscribe for further content, and check description for more Mind Map videos.