CCT 032: Managing Data Lifecycle for (CISSP Domain 2)

CCT 032 - RCR 129 - Managing Data Lifecycle for CISSP Success (Domain 2)

[00:00:00] Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity.

Alright, let's get started.

Hey all is Sean Gerberg again with CISSP cyber training and I hope you all are having a beautiful day wherever you're at around the globe. Uh, I know I've got people listening from all over the place, so it's amazing how I hear some of the different feedback of where people live and, uh, the cultures.

It's pretty cool, um, that I'm living in Wichita, Kansas. This is where the podcast is originating. And if you're not familiar with where Wichita is, we are in the center of the United States. So just pretty much you go in the middle, just point your finger to the United States, drop your finger in the middle [00:01:00] and my about go down about 60 us, uh, 60 miles and then you will find Wichita, Kansas.

So yes, we are pretty much in the middle and it. Is an amazing place to live. So I've, I've been, I've been fortunate, I've traveled all over the globe and, um, there's a lot of beautiful places around the globe, but Wichita's kind of us, it's been our home for going on 30 years, so it's a great place to be.

But we are not here to talk about Wichita, Kansas. We are here to talk about, Managing data lifecycle. Yes. That is exciting, intriguing. And it's gonna be something that you will remember and pass down to your children for years and years to come if you have children. If you don't have children, you can pass it down to your dog, cat, or other pet of your choice.

Unless you have an iguana, then they probably won't pay much attention to you because they're hiding. But that being said, we're gonna talk about managing data life cycle, uh, for the C I S S. Now all of you all are listening to this, this podcast. Um, [00:02:00] most of you are in the process of studying for your CISSP exam or then, or you're just wanting to learn some more in information around cybersecurity.

That is okay cuz we are gonna talk about. How the CISSP exam is going to be focused on specifically these questions and these topics, as well as though we're gonna give you a perspective from a security, uh, leader within an organization to kind of give you an idea why. We talk about these various things, and it's not just the book information, it's real life information that you can use.

Uh, I talk to my students in my local college that I teach at. Uh, they are all asked, bring up that point that I bring in the real life aspects of how you will deal with this, not just the textbook. Uh, questions. So let's get started. We are gonna get into managing data life cycle, and one of the pieces around data life cycle, we call it data life cycle management.

And what it basically does is it, it encompasses the stages [00:03:00] of data creation storage. Use and retention. Retention, retention disposal ends well as all the other aspects that are tied specifically to data loss retention. Now, when you're dealing with data loss, you're also gonna be focused on data integrity, confidentiality, availability.

Those are key factors. As we talk about the C I A triad, what you need to keep in mind. And so data loss mana, data lifecycle management is an important, far part of what we do on a day-to-day basis. I'll say that, uh, we, people are creating data all the time. Uh, we have different businesses that their employees are creating data.

They send the data to outside locations. They store the data in various spots throughout the network, and then they end up using that data. And then when it's all said and done, hopefully, They destroy the data. Now, one of the things that comes up, and you'll run into this time and time again in your information security career is once the data has been created, it usually doesn't get deleted very [00:04:00] quickly, and it usually has, the lifecycle design is that it will actually end up at some point be disposed of, but in most cases it's just like 99.999% of the time.

Data never dies. It always is there. I've seen situations where I've gone onto networks when I was a red teamer and we would go and we would, we would hack into various government entities. We would go in and look for data that was specifically used for what we're trying to accomplish. And in the process of scanning networks, looking for specific data that was tied to our mission, we would see data from like 1990s.

Right. So, Completely old. That's the kind of data that most of you would be going. It's a turn of the century old kind of data. Now granted this is back in 2005, 2007, so that's a few years ago, but I guarantee you that you can go onto almost any network out there if it's been around for a while, if the [00:05:00] business has been around, and you will find.

Out there in the 1990s, two thousands, it guaranteed because what happens is, is people are hoarders, and if you're not familiar with that term, these are folks that will just hold on to everything because the thought process is maybe just, maybe I'll use it again. Or they get in a situation where their networks are so big and complex that they forget about it, and it gets stuffed in a corner somewhere in your network to be for.

Now, in most cases, this can be not necessarily a big deal, right? Other than the cost of data storage. And we'll get into some of those pieces, leaving data for a long time. It doesn't necessarily have to be a bad thing Now, If the data is associated with something that's related to your business, i e, it has high importance like intellectual property or there's a lot of privacy data that's associated with it.

Those are pieces and situations where you want that [00:06:00] data either controlled. And protected, or you want it destroyed. And that's a key thing is you just want to make sure that you do not keep this data for long periods of time. Now, so how does this happen, right? When you're dealing with data classification and categorization that you, you hear that term?

What does that mean? Well, when you're getting all this. All this information, it is stored right? You got the pictures of Billy Bob in his, uh, weird shirt fishing off of a bass boat, or you've got the pictures of your dog wearing a 2, 2, 4 Halloween. I don't know, but there's all of this data that's out there.

How do you ensure that it's protected? But you ha. So then what you have to do is you have to deal with data classification and categorization. Now the CISSP exam is gonna talk about data classification. So if you're listening to this and you're going, what is that? Well, data [00:07:00] classification is basically putting a.

A label on the data to ensure that you properly know what it is and that you can properly protect it. So let's use it as an example. In the military, we had various levels of security. We have your, uh, business confidential, you have your secret, you have top secret. You have above top secret. They had different caveats that go into.

And so therefore, those were classifications that were put in place. Now this classification was designed. To ensure that you had the proper protections around the data. So, as an example, you know, we talked about secret. Well, secret would only allow certain peoples that had the right tickets. We call it ticket, you can, whatever you wanna call it.

They had the right capability to gain access to that secret information. If you didn't have the. Right Willy Wonka Golden Ticket. If you didn't have that [00:08:00] ticket, you would not be allowed access to the secret data. Now the same went for top secret and above. Now as you're looking, listening to this podcast, you probably see some things in the United States, an individual let out some information that would be considered highly sensitive or potentially secret.

I don't know the actual classification of. But let's just talk about the fact that he released information that was secret, that was not meant to be out in the public domain. That is a classification breach. You want to make sure that you understand the classification around that. Now, this is based on different aspects, the sensitivity of the data, the criticality of the data.

Are there any regulatory requirements? So now let's talk about. Sensitivity, if you have something that's sensitive, business confidential would be highly sensitive. We wouldn't want just anybody gaining access to that information. Now, is it critical for your business to operate [00:09:00] now? In some cases, when you're dealing with business sensitivity?

It is something that I don't want my competitors to have access to it. So if I don't want my competitors to have access, Then I would consider that potentially a critical piece of data. Now, if I have information that's sensitive to my business, i e let's say, My business has 5,000 employees, hypothetically.

So if I have 5,000 employees that's sensitive. Now my competitor gets ahold of that and goes, well, hey, Sean, at company X, Y, Z has 5,000 employees. Eh, eh, does it really matter? Not so much. It's sensitive. Yeah, but does it really matter? That's not a big deal. So the point of it is, is that you have to determine the sensitivity of that information.

If it's critical, like it is the Coca-Cola formula to make that fizzy drink amazing. That would be critical. If [00:10:00] that got out, it could potentially destroy our business. That is a critical piece of inform. Now regulatory issues is this, so let's say hypothetically, well, I will use, in the United States we have the epa, which is the Environmental Protection Agency.

What is the Environmental Protection Agency? These are folks that go around and they ensure that you don't. Release things to the atmosphere in the United States. We had some rail cars that were tipped over and they, they leaked out in, uh, not information. They leaked out toxic stuff into the environment.

The EPA are the folks that will go and regulate that and ensure that that information or that information, that that toxic stuff is taken. So because of that, there's a regulatory requirement for you to maintain the data associated with anything that's caustic like that any chemicals. So that would have to be [00:11:00] maintained through the epa.

If you don't take care of that data, you could be subject to fines from the, in this case, the epa, because you did not properly protect the. I've seen this time and again, and you're gonna want to ensure that you have this in place, especially as it relates to regulatory data. That information must be backed up and not just backed up, which we'll get into in a minute.

It should be properly protected with even a disaster recovery plan. So those pieces are a big factor when it comes around data classification and categor. Now because you have this data, so let's say you've, now I've labeled it secret, I'm now watching taking care of it. What are some things that you would deal with?

Well, from a handling standpoint, if I know that it's classified and it's categorized a certain way, Then I know that only certain people can hold it. Only certain people can manage it. And that is what we [00:12:00] call a data handling and the protection around it. So if you have that data handling mechanism in place, now what ends up happening is, is that you ensure that the people that gotta hold that data don't just go store it in the cloud somewhere.

They must follow a proper procedure to do. So again, it's important that you have good classification, good categorization, your data based on sensitivity, criticality, and regulatory requirements. And then from there, you must ensure that the data classification and categorization can help make decisions on how you should do your business.

If you have business critical data and it's stored and protected, but nobody can have access. Well, now you're in a situation where that doesn't really help you make an informed decision around your business. So it's important that you just manage that data as PO as best as you possibly can. Now, when let's get into data creation and collection.[00:13:00] 

So when you're creating this data, you need to understand what are the methods in which you're collecting it. Also, how are you best protect. So as we're collecting information, let's say in this case I'm doing a podcast, it's creating data. I'm collecting this data on my computer. I'm then in turn going to upload that data to the podcast hosting location.

Right. Their website, this Buzz Sprout is it? So I'm gonna upload this data to Buzz Sprout. Well, with that being said, then what's going to happen is, is I'm going to focus specifically on how is that best protected. So let's go for an example. I have a very complex password to upload that to Buzz Sprout.

So I'm telling y'all all this. You're like going, oh great, let's go hack on. Right? Well, no, I've got a super complex password that's like nasty gn. Really bad. On top of that, I have multifactor authentication put in on that Buzz Buzz Sprout account. Why? Because [00:14:00] I wanna make sure that if my co, my password is ever compromised, which is like really nasty and long, that you can't gain access because I have multifactor enabled on that data.

Now that is one of the controls you can put in place. Now does bow buzz sprout. This data? I don't know. Honestly, they, I would assume they probably don't, just because it adds a lot of overhead and in reality it's an audio file that I'm broadcasting to the world. So there really isn't a whole lot there, but.

There in cases where you may have that data being stored in a central location, you'll want to have that properly protected. That could be encryption, it could be access controls. Okay. Sean is only allowed with multifactor complex passwords and potentially even a token to gain access to the data. So I've got encryption, I've got access.

I've got all of those pieces that are potentially put in place to help protect the data. [00:15:00] Now, by doing that, I adding the encryption. By adding the access controls, I am now ensuring that that data is properly protected and I can ensure the quality of the data. So let's say for example, you have a application and this application sends information to the cloud.

It does this on a routine basis, and your business runs off of this data. This data is extremely important. It cannot be compromised, it cannot be modified. Your business will run on it now. So then it gets to a situation where maybe, maybe just maybe you don't encrypt the data from your applic. To that cloud location.

And if you don't do that, it's being able to be intercepted. If it's intercepted it, now someone's able to inject or add information to that data stream by doing so that could potentially cause issues, right? If this data is that important to your company, could cause [00:16:00] issues with your company. And so if that's the case, you now will not trust the data's accuracy and if you don't trust the I.

Of that data, you will throw it out because you don't wanna have a situation where now you have you, you go on this sense of trust that it is there. Now use an example. We use this, it, it's an old example, but let's just talk about, uh, the nine 11 attacks on the United States. When that occurred back in September, 2001, the nine 11 attacks, when that occurred, shortly after that, within a couple years, akata made a comment.

They said that they were going to attack the US stock market. So in the process of attacking the, the, of saying they're going to attack the US stock market, it dropped like 20%. That. It was like it dropped like 3000 points or something like that, which in today's world, I was like, eh, it's not a big deal.

But back then that was a huge thing and it dropped like 20%, but it was done only because of the [00:17:00] psychological operations that were accomplished. Because of this. So what does that mean? Means is the fact that if you were going out there and you said this, you don't trust the information, you don't trust the data.

In this case, someone injected their thought process into it, and because of that you questioned what was happening. So because of that, you didn't trust it. So if you didn't trust it, you now don't have complete feeling that this information is correct. So that's why the stock market dropped 3000 points is because that was, someone said they were gonna be, it was gonna.

And it never did get hacked, but just because they said it did, people reacted. So it's important that you understand the completeness of your data, that you are best protecting it because of the fact that it's, the reliability and the completeness of it is so, so important. Now data storage and transmission.

So we kind of talked a little bit about transmission. Transmission. You may have a situation where you have an encryption key that's set up between two points. That [00:18:00] would be the transmission encryption, and if you have that enable, that's awesome. That's a great way for you to limit someone coming in and injecting their information into your data stream.

The other part about this is the fact of the access controls that are tied to it as. But you also need to focus on the physical security and the recovery and the network security tied to that. So what does that mean? So let's go for an example. You have a, a location, and at this location you do backups.

Well, your backups are stored in one spot. Now, if they're stored in that spot and they don't have encryption in place, someone could take the backups reit, reinstall them in a offsite location, and potentially could gain access to your data. So you'd want to have those backups encrypted. So that would be the data storage piece of this.

Okay, so let's also say that you are now backing up to the cloud. You want to ensure that that information is properly protected and [00:19:00] secured. So as you back up the information, so you had it locally, you encrypted it, you now upload it to the cloud. Is it protected there? Do you have it encrypted in transmission to the cloud?

Do you have it encrypted while it's at rest in the cloud? Now some things that have happened as it relates to aws, let's use that as an. You'll upload, upload it, upload it. You'll upload it to the cloud and as you upload it to there, then for long-term storage, maybe you move it into what they call Amazon Glacier.

If you move it into Glacier, it is now sitting in another repository. Is it encrypted there? So those are all the key pieces that you really need to think about as it's relating to data creation and collection data, storage and transmission. So it's really, really, I. Now data use and sharing, we kind of already talked about it.

When you're handing this over to people, how are you protecting it from a sharing standpoint? Are there access controls in place? Is [00:20:00] there user authentication so that when I come in, I actually have access to the information and it do I is the right, am I the right person that has access to that inform?

Also, do you have a logging mechanism in place? So I, you've now I allowing me access into this Amazon S3 bucket. Do you have logging to ensure that when Sean goes to this S3 bucket, Sean is the right person to have access to this S3 bucket and then you can go back and audit or assess to ensure that that has been the proper information for.

The other thing ever comes around to is data retention and disposal. So one key PA pass that happens a lot is around the data retention. How long do you keep the data for now you do, we talked about earlier where there people will be hoarders, they'll hold on to the data. Now the key around that though is, is do you have to keep it for a certain period due to [00:21:00] regulation issues?

We talked about it in previous podcasts. If you have regulatory requirements, do you need to keep it? Well, if you need to keep it, how long do you need to keep it? I've worked with regulatory entities before and many of them have a minimum of five years, so you need to keep the data for that period. So if you look at the application that you have and the application is storing it for five years, what happens if that application is compromised?

So let's say a ransomware event happens, it hacks that information and it hacks it to the point where it encrypts it. And now that regulatory information that you need to have available to you in the event of a regulatory issue is now. Okay, what do you do now? So it's important that you have a good retention strategy in place and a good protection of the data in place.

Now disposal, that's another part, right? So if you deal with the [00:22:00] keeping of it, how do you eventually get rid of it? So we talked about before where people are hoarders, people hold onto the data. How do we ensure that people will get rid of it over a period of time? And this comes into where you have a policy in place that walks through that.

So you need to make sure that you have that policy and you follow through and you delete the data that is no longer needed. Data backup and disaster recovery. So data backups are important and in almost every application will back up the data. But the question is, is does it back it up locally? Does it back it up on a server?

Does it back it up to the cloud? Is it a SaaS product? When we say SaaS, that's software as a service. So let's say you buy a service from I, I use QuickBooks. I've done that on on various podcasts before. I've used that as an example. You have a QuickBooks account. Well, that QuickBooks is a SaaS product and they have a backup and recovery [00:23:00] solution as well.

If you go to my website, CISSPs Cyber Training and get some of. Awesome, incredible stuff that you will find is out there that you might can throw a plug in there, you know? But if you go out there, I'm hosted on a web platform that is a SaaS product. So if you go to that SaaS product, you can see it's got a backup and or backup and recovery solution.

Specifically for my. Business and for my website, again, kind of calling back, you'd need to check out CISSP cyber training.com. Go check it out. You will love it. There's some, as I saw you, some trials out there, I have exam questions out there. I have study guides, but the bottom line that is, is that I'm not just throwing videos at you.

I want to help you in your CISSP journey. You need to go to cis s p cyber training.com, and there you'll be able to see some. Awesome things that are out there that you won't be able to find anywhere else. You can find questions everywhere else. You can find [00:24:00] videos on YouTube. You can get all this stuff for free.

And I'm telling you, go to YouTube. If you don't want to go through my courses, that's totally fine, but go to YouTube. You can find 'em all for free. But the problem you won't get with those is you will not get me. I will be there to help you on this CISSP process. Every step of the. All right. That was a plug I had to throw out.

Okay. Point eight. Legal and regulatory considerations, though these are different considerations as it relates to the data life cycle. We kind of talked about it a little bit, but when you're dealing with data breach notification, when you're dealing with the EPA and having to let them know in the event that there was an incident, you're going to have to understand as it relates to data.

Who do I need to talk to? Do I need to talk to these people? Who does the talking? One thing to consider as you're relating to legal is, is it the ciso? Is it the security leader talking to these [00:25:00] folks, or is it your legal representative? Now, if you're in a large company, obviously legal representative, you may be called in as a subject matter expert to explain the situation, but at the end of all, Most cases, you are the person that is going to pass this off to the legal council to let them go ahead and talk to the regulators and the regulatory commissions based on these specific situations now.

But you run into, you've got data protection laws, you've got privacy laws, you've got industry specific regulations. All of those need to be considered as you're relating to legal and regulatory considerations associated with data lifecycle. Now data governance and accountability, what are those? So do you need to understand that when you're dealing with governance and what We'll kind of, we'll have other podcasts that'll get into governance.

But governance is more or less the framework in which you're going to operate. It's the, it's the way you're gonna follow your different path. It's the defined [00:26:00] process by which you're going to go about this. Okay. And so it's gonna under come down to data lifecycle management. How are you maintaining the.

Who has the ownership of the data? What is the stewardship around it, and is there any audit trails relating to the data specifically? Do you have that governance, that written out plan on who owns all of this information detailed out? And then do you have the accountability to ensure that you have the data, proper data owners, data custodians, et cetera, et cetera.

It's important that all of that is properly taken. So as we're dealing with the last part about emergent technologies and trends, you're gonna be having to manage the data lifecycle as it relates to cloud computing, which we talked about. Big data, iot, ai, and ml, which is artificial intelligence and machine learning.

You need to explore those things and how they're going to impact your activities. So it's important that you do understand that and you. Important [00:27:00] that you explore how the data management works within your organization. You need to also understand how by bringing in these different types of technologies, these machine learning and AI technologies, how is that going to overall impact?

Your organization and the data that you're trying to best protect. So again, the tech, the new emerging technologies are coming more and more all the time. We need to be better prepared for them as it relates to the data life cycle management. Okay, so as we're closing up here, this, the whole purpose of what we came forward today was to talk about how in the C I S S P, you can have various aspects to include data classification, creation stories, transmission sharing, all of those pieces as it relates to data lifecycle management and data lifecycle management is, Cool.

As that may sound right. Data lifecycle management. No, it, it's, it's not cool. It's not, but it's [00:28:00] important for you to understand how you protect the data within your company because they will be looking to you as the security person for your company to ensure that their data is properly protected once you pass the CISSP exam.

That is step one in this long process in which you will gain more. So that you can provide the best enter or expertise and knowledge for these companies that you possibly can. All right, that's all I have for today. We super excited to be back here with CISSP Cyber Training. Hope you guys have a wonderful day and we'll catch you on the flip side.

See ya.