In Module 01, we described the CISSP course material, which covers the terms and meanings of CIA and IAAA, the tenets of secure design, risk (its assessment, analysis and mitigation), governance and management, frameworks and senior management's role, policies, procedures, standards and guidelines, knowledge transfer, types of laws, and BCP and BIA.
In Module 02 of this CISSP online course we move on to the material you will need to pass the Asset Security Skill Certification Exam and the Asset Security Certification Exam. So let's get to work and continue with our CISSP training online!
This chapter is about Asset Security. We start with the roles within an organization and what each of them means; as you know, there are different roles, for example the Chief Security Officer or the data owners. After that we discuss the different ways of classifying data and why classification matters, and the states data can be in. Then we move on to securing and locking down the system, which is called hardening and baselining, and to configuration management.
Roles and Responsibilities
As we said in Module 01, governance and management set the direction. Now we take a closer look at management roles and their responsibilities. So what exactly is senior management? Senior (executive) management holds the ultimate authority in, and accountability for, the organization. There are different executive roles: the CEO is the chief decision maker; the CIO ensures that technology supports the company's objectives; the CFO is responsible for finances and budgeting; and the ISO (Information Security Officer) is responsible for risk analysis and mitigation.
But who defines security objectives, identifies risks and decides on approaches? That is the job of the steering committee. The team must also include auditors, data custodians, and the network and security administrators (who ensure the availability of network resources and handle the day-to-day security tasks).
The responsibilities of the ISO are to provide C-I-A (confidentiality, integrity and availability) for all information assets and to recommend practices that implement the policies and standards. It is an obvious task, but worth mentioning: establishing security metrics is also their responsibility, as is maintaining awareness of emerging threats.
When we think about data classification, we tend to assume it is only used in military or other high-security systems, but classification applies everywhere. All sensitive information should be classified and protected accordingly. Once data is classified, we know how much protection it needs, and only then can we choose the controls that fit. The sequence is: value the data (what it costs to create, replace or lose), classify it by the chosen criteria, and then determine the baseline security controls for each class. Two roles carry this out: the data owner and the data custodian. The data owner determines the classification we just mentioned; the custodian maintains the data and implements the controls the owner requires.
So which data is valuable and should be protected, and how does the classification work? It comes down to sensitivity and criticality. Sensitivity means the data must be kept confidential: disclosure causes harm. Criticality is about loss: the loss of time, of the information itself, or of a properly running system if the data becomes unavailable or corrupted.
The States of Data
Let's start by explaining that data can be in three states: at rest (protected by encryption, for example EFS or full-disk encryption with the key held in a TPM), in use (being processed), or in transit (protected by IPsec or SSL/TLS). Data at rest is stored somewhere and is not being manipulated; you want to keep it private and safe. It is important to mention here that the TPM is what roots the protection of stored data in hardware. You can encrypt your data, but if someone steals the whole machine, only a key that is sealed in the TPM (and released only to an unmodified boot chain) keeps the disk from being read. One caveat: a TPM protects the key while the data is at rest; once the system has booted and unlocked the disk, the data is in use and relies on access control and physical security instead.
Now we discuss hardening our system and baselining. What is our ultimate goal? Obviously our own safety: making the system more secure. It is always recommended to remove every application, service and feature that is not necessary on the system, because each one is attack surface. After you have removed everything unnecessary, install the latest service packs and patches. Beyond that, enable the security configuration: the firewall, automatic updates, auditing and so on. The resulting configuration is the baseline: the known-good state that every system of that type is built to and later compared against.
What is the purpose of configuration management? It is to keep the system at (or move it beyond) the original hardened and operationally sound configuration rather than letting it drift. (ISC)² defines it as the process of identifying and documenting hardware components, software, and the associated settings.
The configuration documentation records the serial number, operating system, location, organizational department label and so on; credentials belong in a separate, access-controlled secrets store rather than in the inventory document itself. What is the ultimate goal besides safety? System stability. We do not just download patches and install them without finding out what they change and testing them first. Research is the key: it is far harder to recover a system than to protect it.
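The hardening steps and the configuration management record above are easiest to understand as a check that can be run against every host. The following is an added example, not part of the course material: a small baseline drift checker. The baseline values, the inventory records, the field names and the patch-level numbering scheme are all constructed for illustration; note that the inventory record deliberately holds no credentials.

```python
"""Baseline drift check for a hardened build.

Added example: not code from the CISSP course material. The baseline,
host records, field names and patch-level numbering are constructed to
illustrate hardening and configuration management; adapt them to your
own standard.
"""
from typing import Dict, List, Tuple

# The hardening baseline: what a freshly built, locked-down host must look like.
BASELINE = {
    # Services allowed to be enabled; anything else is "unnecessary" and flagged.
    "allowed_services": {"sshd", "rsyslog", "chronyd", "auditd"},
    # Lowest acceptable patch level as (year, month, build); assumed numbering.
    "min_patch_level": (2024, 3, 1),
    # Security configuration that must be switched on after the build.
    "required_settings": {"firewall": "enabled", "auditing": "enabled", "auto_updates": "enabled"},
    # Configuration management record: fields the inventory must document.
    "required_fields": ("hostname", "serial_number", "os", "location", "department"),
}


def parse_patch_level(text: str) -> Tuple[int, ...]:
    """Turn '2024.3.1' into (2024, 3, 1) so levels compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def check_host(record: Dict, baseline: Dict = BASELINE) -> List[str]:
    """Return a list of findings; an empty list means the host matches the baseline."""
    findings: List[str] = []
    host = record.get("hostname", "<unnamed>")

    # 1. Configuration management: every required field must be documented.
    for name in baseline["required_fields"]:
        if not record.get(name):
            findings.append(f"{host}: inventory field '{name}' is missing")

    # 2. Hardening: no services beyond the approved set.
    extra = set(record.get("services", ())) - baseline["allowed_services"]
    for svc in sorted(extra):
        findings.append(f"{host}: unnecessary service enabled: {svc}")

    # 3. Patching: the host must be at or above the minimum patch level.
    level = record.get("patch_level")
    if level is None:
        findings.append(f"{host}: patch level not recorded")
    elif parse_patch_level(level) < baseline["min_patch_level"]:
        findings.append(f"{host}: patch level {level} below baseline")

    # 4. Security configuration: firewall, auditing and updates must be on.
    settings = record.get("settings", {})
    for key, wanted in baseline["required_settings"].items():
        actual = settings.get(key, "missing")
        if actual != wanted:
            findings.append(f"{host}: setting {key}={actual}, baseline requires {wanted}")

    return findings


def check_fleet(records: List[Dict]) -> Dict[str, List[str]]:
    """Run the baseline check over every inventory record, keyed by hostname."""
    return {r["hostname"]: check_host(r) for r in records}


# Constructed inventory records: one compliant host and one that has drifted.
SAMPLE_INVENTORY = [
    {
        "hostname": "web-01", "serial_number": "SN-0001", "os": "Linux 6.1",
        "location": "DC-A rack 12", "department": "Web Platform",
        "services": ["sshd", "rsyslog", "chronyd", "auditd"],
        "patch_level": "2024.3.1",
        "settings": {"firewall": "enabled", "auditing": "enabled", "auto_updates": "enabled"},
    },
    {
        "hostname": "web-02", "serial_number": "", "os": "Linux 6.1",
        "location": "DC-A rack 12", "department": "Web Platform",
        "services": ["sshd", "rsyslog", "telnetd", "cupsd"],
        "patch_level": "2023.11.2",
        "settings": {"firewall": "disabled", "auditing": "enabled"},
    },
]

if __name__ == "__main__":
    for host, findings in check_fleet(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for finding in findings:
            print("  -", finding)
```

Run stand-alone, the script reports web-01 as compliant and lists six findings for web-02: the missing serial number, two unnecessary services, an out-of-date patch level, a disabled firewall and an unrecorded auto-update setting. In practice the inventory records would be pulled from the configuration management database and the baseline kept under change control, so that any difference between the two is a change that either goes through the process or gets reverted.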
After you have gone through Module 02, there is an exam waiting at the end. Actually there are two of them, as we said at the beginning: the Asset Security Skill Certification Exam and the Asset Security Certification Exam.
The first one has 20 questions and a time limit of 30 minutes; the second one is the same.
Let's summarize. In this Module we talked about the different roles within an organization, data classification, the states of data, and system hardening and baselining. We also talked about making your system more secure and about configuration management. If you take one thing from this chapter as the most valuable, it should be configuration management, change management and patch management. And last but not least: always follow the process!
At first glance this domain looks simple. But don't let that trick you: it contains a lot of valuable information and advice that you can put into practice.
We hope this helped, and we expect you to take the exam and see how well you understood what we discussed here. Take your time and good luck! See you in Module 03!