Chapter 4

Asset Security

IN THIS CHAPTER

Understanding commercial and government data classification

Establishing ownership of data

Addressing privacy issues

Managing records retention

Identifying appropriate data security controls

Ensuring proper handling of sensitive information assets

The Asset Security domain addresses the collection, classification, handling, and protection of information assets throughout the information lifecycle. Important concepts within this domain include data ownership, privacy, data security controls, and cryptography. This domain represents 10 percent of the CISSP certification exam.

Classify Information and Supporting Assets

Information and data, in all their various forms, are valuable business assets. As with other, more tangible assets, the information’s value determines the level of protection required by the organization.

A data classification scheme helps an organization assign a value to its information assets based on its sensitivity to loss or disclosure and its criticality to the organization’s mission or purpose, and helps the organization determine the appropriate level of protection. Additionally, data classification schemes may be required for regulatory or other legal compliance.

Applying a single protection standard uniformly across all of an organization’s assets is neither practical nor desirable. In such a case, either noncritical assets are over-protected or critical assets are under-protected.

An organization’s employees also need to understand the classification schema being used, how to classify information assets, handling and safeguarding requirements, and proper destruction or disposal procedures.

Commercial data classification

Commercial data classification schemes are typically implemented to protect information that has a monetary value, to comply with applicable laws and protect privacy, and to limit liability. Criteria by which commercial data is classified include

• Value: The most common classification criterion in commercial organizations. It’s based on monetary value or some other value.
• Age/useful life: Information that loses value over time, becomes obsolete or irrelevant, or becomes common/public knowledge is classified this way.
• Regulatory requirements: Private information, such as medical records subject to HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health Act) regulations and educational records subject to the Privacy Act (see Chapter 3), may have legal requirements for protection. Classification of such information may be based not only on compliance but also on liability limits.

Descriptive labels are often applied to company information, such as Confidential and Proprietary and Internal Use Only. However, the organizational requirements for protecting information labeled as such are often not formally defined. Organizations should formally identify standard classification levels as well as specific requirements for labeling, handling, storage, and destruction/disposal.

DATA CLASSIFICATION BEGETS SYSTEM CLASSIFICATION

Data classification is related to the identification of the sensitivity or criticality of data and proper procedures for handling that data. Asset classification, however, also applies to the information systems that store, process, and transmit this information. Better organizations go beyond data classification and implement system classification, and the two are distinctly related: Systems that store or process data at higher classification levels should be protected better than systems that do not store or process data at higher classification levels.

This practice has been around for quite a long time. In PCI, for example, systems that are in scope for PCI are required to have additional safeguards that an organization may not implement on its other systems. And, often, organizations place these systems in separate networks that have stricter network-level access controls.

Government data classification

Government data classification schemes are generally implemented to

• Protect national interests or security.
• Comply with applicable laws.
• Protect privacy.

One of the more common systems, used within the U.S. Department of Defense (DoD), consists of five broad categories for information classification: Unclassified, Sensitive but Unclassified (SBU), Confidential, Secret, and Top Secret. We discuss all these categories in the following sections.

Within each classification level, certain safeguards are required in the use, handling, reproduction, transport, and destruction of Defense Department information. In addition to having an appropriate clearance level at or above the level of information being processed, individuals must have a need to know before they can access the information. Those who need to know are those who require the information so as to perform an assigned job function.

Unclassified

The lowest government data classification level is Unclassified. Unclassified information isn’t sensitive, and unauthorized disclosure won’t cause any harm to national security. Unclassified information may include information that was once classified at a higher level but has since been declassified by an appropriate authority. Unclassified information isn’t automatically releasable to the public and may include additional modifiers such as For Official Use Only or For Internal Use Only.

Sensitive but Unclassified (SBU)

Sensitive but Unclassified information is a common modifier of unclassified information. It generally includes information of a private or personal nature. Examples include test questions, disciplinary proceedings, and medical records.

Confidential

Confidential information is information that, if compromised, could cause damage to national security. Confidential information is the lowest level of classified government information.

Secret

Secret information is information that, if compromised, could cause serious damage to national security. Secret information must normally be accounted for throughout its lifecycle, all the way to its destruction.

Top Secret

Top Secret information is information that, if compromised, could cause grave damage to national security. Top Secret information may require additional safeguards, such as special designations and handling restrictions.

WHAT YOU NEED TO KNOW ABOUT NEED-TO-KNOW

The concept of need-to-know states that only people with an established need to know certain information in order to perform their job functions should have access to that information. In addition to having a need-to-know, an individual must have an appropriate security clearance level in order for access to be granted. Conversely, an individual with the appropriate security clearance level, but without a need-to-know, should not be granted access.

One of the most difficult challenges in managing need-to-know is the use of controls that enforce need-to-know. Also, information owners need to be able to distinguish I need-to-know from I want-to-know, I-want-to-feel-important, and I’m-just-curious.

An individual must have the appropriate clearance level and need-to-know for access to classified information.

Determine and Maintain Ownership

Within an organization, owners and custodians of systems, data, and the business or mission (more specifically, a line of business or mission aspect) are implicitly or explicitly assigned.

Organizations should explicitly define owners and custodians of sensitive assets to avoid any confusion or ambiguity regarding roles, responsibilities, and accountability.

An owner is normally assigned at an executive or senior-management level within an organization, such as director or vice president. An owner doesn’t legally own the asset assigned to him or her; the owner is ultimately responsible for safeguarding assigned assets and may have fiduciary responsibility or be held personally liable for negligence in protecting these assets under the concept of due care. For more on due care, read Chapter 3.

Typical responsibilities of an owner may include

• Determining classification levels for assigned assets.
• Determining policy for access to the asset.
• Maintaining inventories and accounting for assigned assets.
• Periodically reviewing classification levels of assigned assets for possible downgrading, destruction, or disposal.
• Delegating day-to-day responsibility (but not accountability) and functions to a custodian.

A custodian is the individual who has day-to-day responsibility for protecting and managing assigned assets. IT systems administrators or network administrators often fill this role. Typical responsibilities may include

• Performing regular backups and restoring systems and/or data, when necessary.
• Ensuring that appropriate permissions are properly implemented on systems, directories, and files, and provide sufficient protection for the asset.
• Ensuring that IT systems are adequately protected with system hardening and other safeguards.
• Assigning new users to appropriate permission groups and revoking user privileges, when required.
• Maintaining classified documents or other materials in a vault or secure file room.

The distinction between owners and custodians, particularly regarding their different responsibilities, is an important concept in information security management. The data owner has ultimate responsibility for the security of the data, whereas the data custodian is responsible for the day-to-day security administration.

Protect Privacy

As discussed in Chapter 3, the concept of privacy is closely related to confidentiality, but is more specifically focused on preventing the unauthorized use or disclosure of personal data.

Personal data, commonly referred to as personally identifiable information (PII) may include

• Name
• Addresses
• Contact information
• Social Security Number
• Financial account number
• Birthdate and birthplace
• Race
• Marital status
• Sexual orientation or lifestyle
• Credit history and other financial information
• Criminal records
• Education
• Employment records and history
• Health records and medical data (known as protected health information, or PHI; known as electronic protected health information, or ePHI, when in electronic form)
• Religious preference
• Political affiliation
• Other unique personal characteristics or traits

Every organization that collects any personal data about anyone (including employees, customers, and patients, among others) must have a well-defined, published, and distributed privacy policy that explains why the data is being collected, how it is being used, how it will be protected, and what the individual’s rights are regarding the personal data that is being collected.

As with any other sensitive data, organizations must assign data owners and custodians (or processors) who are ultimately responsible for safeguarding personal data, and for the secure collection, processing, and use of the data. Anyone within an organization that has access to personal data in any capacity must be thoroughly familiar with established procedures for collecting, handling, and safeguarding such information throughout its entire lifecycle. This includes retention and destruction of private data, and technical issues such as data remanence.

Data remanence refers to residual data that remains on storage media or in memory after a file or data has been deleted or erased. Data remanence occurs because standard delete routines only mark “deleted” data as storage or memory space that is available to be overwritten. To completely eliminate data remanence, the storage media and memory must be properly wiped, degaussed, encrypted, or physically (and completely) destroyed. Object reuse refers to an object (such as memory space in a program, or a storage block on media) that may present a risk of data remanence if it is not properly cleared.

Many privacy protection laws and regulations exist at continental (such as the European Union), country (or federal), state, and local levels throughout the world, as well as in various industries. Privacy protection laws are among some of the most rigorous laws enacted and legal requirements vary greatly. These laws also commonly limit the collection, use and retention of personal data, as well as trans-border information flows (or export) of personal data. Privacy laws are discussed in Chapter 3.

Finally, within an organization, certain employee privacy issues often arise regarding employee rights with respect to monitoring, search, drug testing, and other policies.

Monitoring commonly occurs in many forms within an organization including Internet, email, and general computer usage, as well as through surveillance cameras, access badges or keys, and time clocks, among others. Mandatory and random drug testing and searches of desks, lockers, work areas, and even personally-owned vehicles are other common policies that can evoke employee privacy concerns.

To reduce or eliminate employee privacy concerns, organizational policies should clearly define (and require written acknowledgement of) acceptable use policies (AUPs) for computer, Internet, and email usage. Additional policies should explain monitoring purposes, acceptable use or behavior, and potential disciplinary actions as a result of violations. Finally, organizational policies should clearly state that the employee has no expectation of privacy with regard to the organization’s monitoring and search policies.

Ensure Appropriate Retention

Most organizations are bound by various laws, regulations and standards to collect and store certain information, as well as to keep it for specified periods of time. An organization must be aware of legal requirements and ensure that it’s in compliance with all applicable regulations and standards.

Records retention policies should cover any electronic records that may be located on file servers, document management systems, databases, email systems, archives, and records management systems, as well as paper copies and backup media stored at off-site facilities.

Organizations that want to retain information longer than required by law should firmly establish why such information should be kept longer. Nowadays, just having information can be a liability, so keeping sensitive information longer should be the exception rather than the norm.

Data retention applies equally to the minimum as well as the maximum period of time that data may be retained in an organization. Retaining data longer than necessary (or permitted by law) increases an organization’s liability, particularly where sensitive information is concerned. The Payment Card Industry Data Security Standard (PCI DSS) requires that credit card data be retained for as short a period of time as possible (and certain items like magnetic stripe data and PINs may not be retained at all!), whereas log data must be retained for at least one year (to aid in investigations).

At the opposite end of the records retention spectrum, many organizations now destroy records (including backup media) as soon as legally permissible in order to limit the scope (and cost) of any future discovery requests or litigation. Before implementing any such draconian retention policies that severely restrict your organization’s retention periods, you should fully understand the negative implications such a policy has for your disaster recovery capabilities. Also, consult with your organization’s legal counsel to ensure that you’re in full compliance with all applicable laws and regulations.

Although extremely short retention policies and practices may be prudent for limiting future discovery requests or litigation, they’re illegal for limiting pending discovery requests or litigation (or even records that you have a reasonable expectation may become the subject of future litigation). In such cases, don’t destroy pertinent records — otherwise, you go to jail. You go directly to jail! You don’t pass Go, you don’t collect $200, and (oh, yeah) you don’t pass the CISSP exam, either — or even remain eligible for CISSP certification!

Determine Data Security Controls

Sensitive assets, including data, must be appropriately protected throughout their lifecycles. Information Lifecycle Management (ILM) covers data through the following five stages:

• Creation. Data is created by an end user or application. Data needs to be classified at this time, based on the criticality and sensitivity of the data, and a data owner (usually, but not always, the creator) needs to be assigned. Data may exist in many forms such as in documents, spreadsheets, email and text messages, database records, forms, images, presentations (including videoconferences), and printed documents.
• Distribution (“data in motion”). Data may be distributed (or retrieved) internally within an organization or transmitted to external recipients. Distribution may be manual (such as via courier) or electronic (typically over a network). Data in transit is vulnerable to compromise, so appropriate safeguards must be implemented based on the classification of the data. For example, encryption may be required to send certain sensitive data over a public network. In such cases, appropriate encryption standards must be established. Data loss prevention (DLP) technologies may also be used to prevent accidental or intentional unauthorized distribution of sensitive data.
• Use (“data in use”). This stage refers to data that has been accessed by an end user or application and is being actively used (for example, read, analyzed, modified, updated, or duplicated) by that user or application. Data in use must be accessed only on systems that are authorized for the classification level of the data and only by users and applications that have appropriate permissions (clearance) and purpose (need-to-know).
• Maintenance (“data at rest”). Any time between the creation and disposition of data that it is not “in motion” or “in use”, data is maintained “at rest”. Maintenance includes the storage (on media such as a hard drive, removable USB thumb drive, backup magnetic tape, or paper) and filing (for example, in a directory and file structure) of data. Data may also be backed up, and the backup media transported to a secure off-site location (referred to as “data in transit”). Classification levels of data should also be routinely reviewed (typically by the data owner) to determine if a classification level needs to be upgraded (not common) or can be downgraded. Appropriate safeguards must be implemented and regularly audited to ensure:
  • Confidentiality (and privacy). For example, using system, directory and file permissions, and encryption.
  • Integrity. For example, using baselines, cryptographic hashes, cyclic redundancy checks (CRCs), and file locking (to prevent or control modification of data by multiple simultaneous users).
  • Availability. For example, using database and file clustering (to eliminate single points of failure), backups and real-time replication (to prevent data loss).
• Disposition. Finally, when data no longer has any value or is no longer useful to the organization, it needs to be properly destroyed in accordance with corporate retention and destruction policies, as well as any applicable laws and regulations. Certain sensitive data may require a final disposition determination by the data owner, and may require specific destruction procedures (such as witnesses, logging, and a magnetic wipe followed by physical destruction).

Data that has merely been deleted HAS NOT been properly destroyed. It is merely “data at rest” waiting to be over-written — or inconveniently discovered by an unauthorized and potentially malicious third party!

Data remanence refers to data that still exists on storage media or in memory after the data has been “deleted”.

Baselines

Establishing a baseline is a standard business method used to compare an organization to a starting point or minimum standard, or for comparing progress within an organization over time. With security controls, these methods provide valuable insight:

• Comparing to other organizations. Organizations can compare their control sets with other organizations, to see what differences exist in controls.
• Comparing internal controls over time. An organization can baseline its set of controls, to see what changes occur in its control set over a period of years.
• Comparing control effectiveness over time. An organization can compare its record of control effectiveness, to see where progress is being made, and where more effort is needed to make progress.

Scoping and tailoring

Because different parts of an organization and its underlying IT systems store and process different sets of data, it doesn’t make sense for an organization to establish a single set of controls and impose them upon all systems. Like an oversimplified data classification program and its resulting overprotection and under-protection of data, organizations often divide themselves into logical zones, and then specify which controls and sets of controls are applied into these zones.

Another approach is to tailor controls and sets of controls to different IT systems and parts of the organization. For instance, controls on password strength can have categories that are applied to systems with varying security levels.

Both approaches for applying a complex control environment into a complex IT environment are valid – they’re really just different ways of achieving the same objective: applying the right level of control to various systems and environments, based on the information they store and process or on other criteria.

Standards selection

Several excellent control frameworks are available for security professionals’ use. In no circumstances is it necessary to start from scratch. Instead, the best approach is to start with one of several industry leading control frameworks, and then add or remove individual controls to suit the organization’s needs.

Control framework standards include

• ISO/IEC 27002, Code of practice for information security management.
• COBIT 5, Control Objectives for Information and Related Technology.
• NIST SP800-53, Recommended Security Controls for Federal Information Systems and Organizations.
• NIST SP800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
• NIST Cyber Security Framework (CSF), Framework for Improving Critical Infrastructure Cybersecurity.

Cryptography

Crypto plays a critical role in data protection, whether we’re talking about data in motion through a network, or at rest on a server or workstation. Cryptography is all about hiding data in plain sight, because there are situations where persons may be able to access sensitive data; crypto denies people that access unless they are in possession of an encryption key and the method for decrypting it.

Establish Handling Requirements

Sensitive information such as financial records, employee data, and information about customers must be clearly marked, properly handled and stored, and appropriately destroyed in accordance with established organizational policies, standards, and procedures:

• Marking: How an organization identifies sensitive information, whether electronic or hard copy. For example, a marking might read CONFIDENTIAL (discussed earlier in this chapter). The method for marking will vary, depending on the type of data we’re talking about. For example, electronic documents can have a marking in the margin at the footer of every page. Where sensitive data is displayed by an application, it may be the application itself that informs the user of the classification of data being displayed.
• Handling: The organization should have established procedures for handling sensitive information. These procedures detail how employees can transport, transmit, and use such information, as well as any applicable restrictions.
• Storage and Backup: Similar to handling, the organization must have procedures and requirements specifying how sensitive information must be stored and backed up and how backup media must be protected.
• Destruction: Sooner or later, an organization must destroy a document that contains sensitive information. The organization must have procedures detailing how to destroy sensitive information that has been previously retained, regardless of whether the data is in hard copy or saved as an electronic file.

DETERMINING APPROPRIATE HANDLING REQUIREMENTS

You may be wondering, how do I determine what constitutes appropriate handling requirements for each classification level? There are two main ways to figure this out:

• Applicable laws, regulations, and standards. Oftentimes, regulations such as HIPAA and PCI contain specific requirements for handling sensitive information.
• Risk assessment. As described in Chapter 3, a risk assessment is used to identify relevant threats and vulnerabilities, as well as the establishment of controls to mitigate risks. Some of these controls may take the form of data handling requirements that would become a part of an organization’s asset classification program.