Tel: 020 8456 3550
CHAPTER 2 ASSET SECURITY
AGENDA
* Roles within an Organization
* Classification of Data
* System Baselining and Hardening
* States of Data
ROLES AND RESPONSIBILITIES
* Senior/Executive Management
CEO: Chief Decision-Maker
CFO: Responsible for budgeting and finances
CIO: Ensures technology supports company’s objectives
ISO: Risk Analysis and Mitigation
* Steering Committee: Define risks, objectives and approaches
* Auditors: Evaluate business processes
* Data Owner: Classifies Data
* Data Custodian: Day to day maintenance of data
* Network Administrator: Ensures availability of network resources
* Security Administrator: Responsible for all security-related tasks, focusing on Confidentiality and Integrity
AUDITING ROLE
* Objective Evaluation of controls and policies to ensure that they are being implemented and are effective.
* If internal auditing is in place, auditors should not report to the head of a business unit, but rather to legal, human resources, or some other entity without a direct stake in the result
DATA CLASSIFICATION
* Development of sensitivity labels for data and the assignment of those labels for the purpose of configuring baseline security based on the value of the data
* Cost: Value of the Data
* Classify: Criteria for Classification
* Controls: Determining the baseline security configuration for each
* Data Owner determines the classification of data
* Data Custodian maintains the data
CONSIDERATIONS FOR ASSET VALUATION
* What makes up the value of an asset?
Value to the organization
Loss if compromised
Legislative drivers
Liabilities
Value to competitors
Acquisition costs
And many others
SENSITIVITY VS. CRITICALITY
* Sensitivity describes the amount of damage that would be done should the information be disclosed
* Criticality describes the time sensitivity of the data. This is usually driven by an understanding of how much revenue a specific asset generates and, therefore, how much revenue is lost while that asset is unavailable
STATES OF DATA
* At Rest: File System Encryption, EFS, TPM
* In Process: ?
* In Transit: IPSec, SSL/TLS
SYSTEM HARDENING & BASELINING
* Removing Unnecessary Services
* Installing the latest service packs and patches
* Renaming default accounts
* Changing default settings
* Enabling security configurations like auditing, firewalls, updates, etc.
* ***Don’t forget physical security!***
CONFIGURATION MANAGEMENT
* Defined by ISC2 as “a process of identifying and documenting hardware components, software and the associated settings.”
* The goal is to move beyond the original design to a hardened, operationally sound configuration
* Identifying, controlling, accounting for and auditing changes made to the baseline TCB
* These changes come about as we perform system hardening tasks to secure a system.
* Will control changes and test documentation through the operational life cycle of a system
* Implemented hand in hand with change control
* ESSENTIAL to Disaster Recovery
CONFIGURATION MANAGEMENT DOCUMENTATION
* Make
* Model
* MAC address
* Serial number
* Operating System/Firmware version
* Location
* BIOS or other passwords
* Permanent IP if applicable
* Organizational department label
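The hardening checklist above and the configuration-management documentation fields are easiest to see working together as a baseline record plus a drift check. The following is an added example, not material from the course slides or from ISC2: it captures the documented fields (make, model, MAC address, serial number, OS version, location, department, static IP) alongside the hardening-relevant state, fingerprints the approved baseline, checks it against the hardening checklist, and lists every deviation found on a later snapshot. The service names, account names, required settings and host data are all constructed for the example.

```python
"""Baseline capture, hardening check and drift detection (added example)."""
import hashlib
import json
from dataclasses import asdict, dataclass, field, replace
from typing import Dict, List, Optional, Set

# Assumptions for this example: which services count as unnecessary, which
# account names are vendor defaults that must be renamed, and which settings
# must be enabled after hardening.
UNNECESSARY_SERVICES = {"telnet", "ftp", "rsh"}
DEFAULT_ACCOUNTS = {"admin", "administrator", "guest"}
REQUIRED_SETTINGS = {"auditing": "enabled", "firewall": "enabled", "auto_updates": "enabled"}

DOC_FIELDS = ("make", "model", "mac_address", "serial_number", "os_version",
              "location", "department", "static_ip")


@dataclass
class HostRecord:
    """One entry in the configuration-management documentation."""
    make: str
    model: str
    mac_address: str
    serial_number: str
    os_version: str
    location: str
    department: str
    static_ip: Optional[str]
    services: Set[str] = field(default_factory=set)
    accounts: Set[str] = field(default_factory=set)
    settings: Dict[str, str] = field(default_factory=dict)


def fingerprint(record: HostRecord) -> str:
    """SHA-256 over a canonical JSON form of the record, so the approved baseline
    can be signed off on and any later edit to it is detectable."""
    data = asdict(record)
    for key in ("services", "accounts"):
        data[key] = sorted(data[key])
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def hardening_findings(record: HostRecord) -> List[str]:
    """Check one record against the hardening checklist (services, default
    accounts, required security settings)."""
    findings = []
    for svc in sorted(record.services & UNNECESSARY_SERVICES):
        findings.append(f"unnecessary service running: {svc}")
    for acct in sorted({a.lower() for a in record.accounts} & DEFAULT_ACCOUNTS):
        findings.append(f"default account not renamed: {acct}")
    for key, wanted in REQUIRED_SETTINGS.items():
        actual = record.settings.get(key, "missing")
        if actual != wanted:
            findings.append(f"setting {key} is {actual}, expected {wanted}")
    return findings


def drift(baseline: HostRecord, current: HostRecord) -> List[str]:
    """Every difference between the approved baseline and the current state.
    Each entry is a change that should be traceable to an approved change request."""
    changes = []
    for fld in DOC_FIELDS:
        before, after = getattr(baseline, fld), getattr(current, fld)
        if before != after:
            changes.append(f"{fld}: {before!r} -> {after!r}")
    for name in ("services", "accounts"):
        added = getattr(current, name) - getattr(baseline, name)
        removed = getattr(baseline, name) - getattr(current, name)
        changes += [f"{name} added: {x}" for x in sorted(added)]
        changes += [f"{name} removed: {x}" for x in sorted(removed)]
    for key in sorted(set(baseline.settings) | set(current.settings)):
        if baseline.settings.get(key) != current.settings.get(key):
            changes.append(f"setting {key}: {baseline.settings.get(key)!r} -> "
                           f"{current.settings.get(key)!r}")
    return changes


# Constructed sample data: the approved baseline and a later snapshot of the same host.
BASELINE = HostRecord(
    make="ExampleCorp", model="Srv-100", mac_address="00:11:22:33:44:55",
    serial_number="SN-EXAMPLE-001", os_version="ExampleOS 1.0",
    location="Rack 4, DC-A", department="Finance", static_ip="10.0.0.10",
    services={"ssh", "ntp"}, accounts={"fin-admin", "svc-backup"},
    settings={"auditing": "enabled", "firewall": "enabled", "auto_updates": "enabled"},
)
CURRENT = replace(
    BASELINE, os_version="ExampleOS 1.1",
    services={"ssh", "ntp", "telnet"}, accounts={"fin-admin", "svc-backup", "admin"},
    settings={"auditing": "enabled", "firewall": "disabled", "auto_updates": "enabled"},
)

if __name__ == "__main__":
    print("baseline fingerprint:", fingerprint(BASELINE))
    print("hardening findings on current snapshot:", hardening_findings(CURRENT))
    print("drift from baseline:", drift(BASELINE, CURRENT))
```

The fingerprint gives the approved baseline a value that can be recorded in the change-control record; the drift list is what an audit compares against approved change requests, and anything in it without a matching request is an unauthorised change.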
CHANGE MANAGEMENT
* Directive, Administrative Control that should be incorporated into organizational policy.
* The formal review of all proposed changes; no "on-the-fly" changes
* Only approved changes will be implemented
* The ultimate goal is system stability
* Periodic reassessment of the environment to evaluate the need for upgrades/modifications
THE CHANGE MANAGEMENT PROCESS
* Request Submittal
* Risk/Impact Assessment
* Approval or Rejection of Change
* Testing
* Scheduling/User Notification/Training
* Implementation
* Validation
* Documentation
PATCH MANAGEMENT
* An essential part of Configuration and Change Management
* May come as a result of vendor notification or pen testing
* cve.mitre.org (Common Vulnerabilities and Exposures) database provides standard naming conventions for known vulnerabilities
* nvd.nist.gov: Enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, incorrect configurations, product names, and impact metrics.
* www.cert.gov: Online resource concerning common vulnerabilities and attacks
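Patch management only works when the vulnerability feed is joined to the asset inventory and the classification work described earlier in this chapter. The following is an added example, not from the course slides, ISC2, MITRE or NIST: it takes records shaped like the NVD API 2.0 JSON response (`cve.id` and `cve.metrics.cvssMetricV31[].cvssData`, which should be checked against the current NVD schema), joins them to a small inventory carrying the data owner's criticality rating, and produces a patch queue ordered by priority. The `x_affected` key is this example's own simplification of NVD's CPE configuration data, the weighting formula is the example's own choice, and every CVE identifier, product and host is a constructed placeholder.

```python
"""Patch prioritisation from NVD-style records joined to the asset inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str          # product and version as recorded in the CM documentation
    internet_facing: bool
    criticality: int      # 1 (low) .. 3 (high), from the data owner's classification


# Constructed inventory.
INVENTORY = [
    Asset("web-01", "examplehttpd 2.4", True, 3),
    Asset("db-01", "exampledb 13.1", False, 3),
    Asset("dev-07", "examplehttpd 2.4", False, 1),
]

# Constructed feed excerpt in NVD-like shape. "x_affected" is an assumption of this
# example standing in for NVD's CPE match data; the CVE ids are placeholders.
SAMPLE_FEED = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-EXAMPLE-0001",
                 "metrics": {"cvssMetricV31": [{"cvssData": {
                     "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK"}}]},
                 "x_affected": ["examplehttpd 2.4"]}},
        {"cve": {"id": "CVE-EXAMPLE-0002",
                 "metrics": {"cvssMetricV31": [{"cvssData": {
                     "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL"}}]},
                 "x_affected": ["exampledb 13.1"]}},
        # Not yet scored by NVD: no metrics block at all.
        {"cve": {"id": "CVE-EXAMPLE-0003", "metrics": {}, "x_affected": ["exampledb 13.1"]}},
        # Affects a product nothing in the inventory runs.
        {"cve": {"id": "CVE-EXAMPLE-0004",
                 "metrics": {"cvssMetricV31": [{"cvssData": {
                     "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK"}}]},
                 "x_affected": ["otherproduct 1.0"]}},
    ]
}


def base_metrics(cve: dict) -> Optional[dict]:
    """Primary CVSS v3.1 data block, or None when NVD has not scored the CVE yet."""
    blocks = cve.get("metrics", {}).get("cvssMetricV31", [])
    return blocks[0]["cvssData"] if blocks else None


def priority(cvss: dict, hosts: List[Asset]) -> float:
    """CVSS base score scaled by the most critical affected asset, plus a fixed bump
    for network-reachable flaws on an internet-facing host. Weights are this
    example's own choice, not an NVD or ISC2 formula."""
    worst = max(a.criticality for a in hosts)
    score = cvss["baseScore"] * worst
    if cvss.get("attackVector") == "NETWORK" and any(a.internet_facing for a in hosts):
        score += 10
    return score


def triage(feed: dict, inventory: List[Asset]) -> Tuple[List[Tuple[str, float, List[str]]], List[str]]:
    """Return (patch_queue, review_queue).

    patch_queue: (cve_id, priority, affected hostnames), highest priority first,
                 only for CVEs that hit something in the inventory.
    review_queue: CVEs that affect the inventory but carry no CVSS data yet and
                  therefore need a manual risk assessment before scheduling.
    """
    by_product: Dict[str, List[Asset]] = {}
    for asset in inventory:
        by_product.setdefault(asset.product, []).append(asset)

    patch_queue, review_queue = [], []
    for item in feed["vulnerabilities"]:
        cve = item["cve"]
        hosts = [a for product in cve.get("x_affected", []) for a in by_product.get(product, [])]
        if not hosts:
            continue                       # not our problem; no asset runs it
        cvss = base_metrics(cve)
        if cvss is None:
            review_queue.append(cve["id"])  # awaiting analysis: cannot be scored yet
            continue
        patch_queue.append((cve["id"], priority(cvss, hosts), sorted(a.hostname for a in hosts)))
    patch_queue.sort(key=lambda entry: -entry[1])
    return patch_queue, review_queue


if __name__ == "__main__":
    queue, review = triage(SAMPLE_FEED, INVENTORY)
    for cve_id, score, hosts in queue:
        print(f"{cve_id}: priority {score:.1f} on {', '.join(hosts)}")
    print("needs manual review:", review)
```

The two queues map onto the change-management process: entries in the patch queue go straight to request submittal with the priority as the impact-assessment input, while the review queue holds anything the feed cannot score yet, so it is not silently dropped.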
CHAPTER 2 ASSET SECURITY
REVIEW
* Roles within an Organization
* Classification of Data
* System Baselining and Hardening
* States of Data