Google defines an asset as “a useful or valuable thing, person or thing”. This means that assets in an organization could be information, equipment, or facilities of great worth. The second domain of the CISSP exam focuses on protecting assets. The following sections are covered under ‘Asset Security’:
Identify and classify information assets
Different types of information include financial details, password files, and credit card information. Some information can be seen by everyone, but other information must be classified to ensure that only those with the appropriate clearance can see it.
Organizations can achieve their core information security goals of confidentiality and integrity through classification. Before classifying data, security professionals must determine:
Who has access to the data
How data security is achieved
How long the data will remain stored
What method should be used to dispose of the data
Whether the data have to be encrypted
What the appropriate use of the data is
Data classification differs between the government/military and the commercial sectors. Below is an example of a commercial sector classification:
Private (Personal information such as bank account numbers and social security numbers)
Company restricted (Information that can be viewed only by a small group of employees)
Company confidential (Information that can be viewed by all employees but not for public use)
Public (Information that is accessible to all)
Below is a list of military data classifications:
Sensitive but unclassified (SBU)
Unclassified (Reference: https://resources.infosecinstitute.com/cissp-domain-2-asset-security/)
Protect your privacy
In the age of social media, data is all around us, and it is critical to decide whether we want to use, retain, or destroy it.
Data privacy has a history that dates back to the 1300s. It has evolved over time in two major jurisdictions, the US and the EU. The European Union’s data protection directive was revised in 2012 by strengthening its data protection rules. These are the key points of the new rules:
Personal data collection should be limited to the essentials
The EU’s Single Market dimension should be strengthened by removing administrative obstacles
Protect personal data that law enforcement has collected
Data transfers outside of the EU require streamlined procedures
As a follow-up to the previous point, the EU has made clear that data that travels beyond the EU must be protected. The US approach to data privacy is slightly different from that of the EU. Both value data privacy to the core, but their approaches to it are very different. Together they created the “Safe Harbor” framework. The US Department of Commerce developed the “Safe Harbor” program in collaboration with the Federal Data Protection and Information Commissioner of Switzerland.
One of the benefits of the “Safe Harbor” program is that only US-based organizations can receive data from the EU. Other regulations and rules also ensure privacy for personal data.
Ensure appropriate asset retention
Data retention policies are the guidelines for how data is stored, retained, and destroyed. It is recommended that all stakeholders be involved in drafting asset retention policies in order to ensure proper data retention. The following eight steps govern the retention of assets and data:
Understand the business needs of your organization
Determine retention periods
Draft record retention policies
Justify the record retenti