CCT 034: Understanding Data Asset Ownership and Management (CISSP Domain 2.4)

CCT 034 - RCR 131 - Understanding Data Asset Ownership and Management (D2.4)

[00:00:00] Welcome to the Reduced Cyber Risk and CISSP training podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is CISSP Gerber and I'm your host for this action packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam.

And grow your cybersecurity knowledge. Alright, let's get started. Let's go. So it's good. Today we're gonna be getting into data, asset ownership, and how do you deal with data management? And so some people will look at this and think, how do I do this? And I'll come back to, as a friend of mine once said, when I first started dealing with cybersecurity and the corporate world, he made this comment, he said, Cyber or data, it's all about the data.

And so if you can focus on the data and what you are going to do with the data, then that will help alleviate a lot of the problems and on a daily basis. I deal with lots of situations where the information is out there. [00:01:00] They've created information, but they don't know. Who owns it because the person who did create it has long since left the company.

How do I manage it? They don't know even really even the data exists in many cases. So the best practice is we're gonna focus on how do you deal with data management and data ownership. So we're, today's article we're gonna get into is a simply learn.com, and they have a tutorial out there on some best practices around data management.

So there's a plethora or a cornucopia of large amounts of data available for you to study the C I S P. Again, the great part about reduced cyber risk is the fact that I just don't just give you C I S P exam questions and answers to the test. It is also adding some real life spin to it because the simple fact of it is taking the test is only the first part in this arduous, ongoing journey of cybersecurity.

So let's roll into the data management aspects. Now again from simples learn.com best practices for [00:02:00] data management. Now we're gonna get into this, and they had a couple bullets out there that they put out, round data management, data policies and so forth. Now when they're talking about data management, they said some of the best practices that you should follow revolve around having a data management policy, which will guide the overall data management program in an organization.

Now, I can't stress this enough that having the data management. Policy is very important. I've been in multiple organizations where the policy piece, the paperwork piece, has not been as significant as it probably should be, and so therefore you don't really have something to anchor back to. When you have that data management policy built and available and it's been vetted through leadership, then it makes it really easy to come back to and provide it to you, your.

To employees within a company or to your customers, whoever that might be, even if you're a contractor. So it's important to have a data management policy, have defined clear roles and responsibilities for managing the data. This would be a data provider, data owner, and a [00:03:00] custodian. And all these questions, you will are all these.

These terms and questions you will see on the C I P exam. So it's important to have a data provider, a data owner, and a custodian. Now you're gonna see that because if you don't define those roles in what they're ro, what they're supposed to do, it does get really wonky, especially as you're trying to put some level of data management into your organization.

Now, something to consider if you're in a small company. This makes it a whole lot easier than if you're in a very large company that never had this to begin with. So those are just considerations. Audit effectiveness of controls, processes, and practices for data management. Now you need to also, as you put these things in place, you need to audit and assess what are the controls, processes, and practices, but with just the.

Practicing and the auditing around it. It's important that you build this into a quarterly or a semi-annually amount of time that you go back and do these audits create procedures and quarterly control and assurance. So you gotta, you want to create that some level of QA and a procedures around that [00:04:00] establish processes for verifying and validating the accuracy and integrity of the data.

And this is a really good point, that you need to have something to verify that the data is actually being created and it is. Valid because what can happen potentially is you have lots of orphan data that is out there, and if there isn't some sort of change management process around that orphan data, then you could really question whether or not the data's even valid document specific data management practices, descriptive metadata, and this one's really important, the descriptive metadata.

In the past we didn't really have a whole lot of capability around this. Now that you can add and embed multiple levels of metadata into each of these actual. Data streams then you deal with is you can have a much better contextual description of what it's, what it stands for. So now this can get very cumbersome as well.

The simple fact of it is that most people don't deal with the metadata and they don't want to really actually get in and have a strategy around it. So it's important that you help [00:05:00] start this off very slowly and baby steps is an important piece. You follow a later approach for data security, enhance the protection of the data, and then you have in place clearly define criteria for the data's access.

Now that's a good part right there is if you have just willy-nilly all kinds of different types of. Access for the data, you will then have a hard time managing it. It will just, if people are coming to get it from various avenues, it can make it challenging. Now, that also doesn't wanna make it that you can only get this information from one specific location that is really ripe for challenge, however, Having two or three different ways to get the data is much better than having 35.

So just kind of saying data policy now. That's the next statement that they had there on Simply Learn is what is your data policy? Now, this is important that you have this, especially for dealing with senior leadership and their buy-in. They need to be aware of what you're trying to do with their information.

Also, consider a framework for data management, data handling, legal custodial duties, [00:06:00] AC acquisitions, and so forth. Now when you're dealing with the framework, we've talked about this on reduced cyber risk, you have various frameworks that you will deal with, and these frameworks are basically your instructions.

They're the skeleton, as my daughter from Uganda would say, the skeleton. It's the skeleton that you put meat on that allows you to follow a specific path. Now, there's various frameworks that are out there right now that you get, you can see from nist. To ISO and so forth. However, it's important that you come up with what is your framework, but the main thing is to start small, start little.

Don't add a lot to it at the beginning and just begin what is the main piece things that you want to build out of this framework and, and then is it, how's you gonna deal with data for individuals? How do you wanna deal with datas for acquisitions or divestitures? How do you wanna deal with various other aspects around your data management?

Now you also want a have a security. Profe practitioner should address the following. This is what they had in [00:07:00] your data policy, data privacy requirements. You wanna work with your compliance folks on data privacy around their laws and regulations. The ownership of the data kinda goes without saying cost and considerations for.

Such as the cost of providing data for access to the user. Okay. But what's it gonna cost on around all this? So in case you have, you wanna make this super hard for anybody to get access to it, well, your costs are gonna go up. If you add levels of information, rights management, something like that, you will add additional cost to protecting your data, the sensitivity and criticality of the data.

Do you want it to have a. Tiered approach, such as unclassified, secret, top secret, so forth, that will also be deeming to be a fine policies and procedures for managing the data, any existing laws and regulations you may have to deal with. And then legal liability of the organization in case of data mishandling.

Again, you wanna define all that ahead of time before you do have a breach, because you will have something at some point. And if you [00:08:00] have these things documented and better defined, it's much easier to roll through them when that time does occur. Now as we're dealing with data ownership. Data ownership is extremely important for all created and acquired or yeah, acquired organizations, and we talked about this.

You get, you gotta have something in place to deal with your owner. Who owns the data? This person was the person that's should be defined. That creates the data classification aspects around it. If I'm the owner, say, you come up with a tiered approach, it is a unclassified secret and top secret. Let's just say, for example, those three tiers.

As the data owner, you then would look at that data and decide, do I fall into the top secret bucket, or do I fall into the unclassified bucket? And only the data owner can really define that. I've dealt with intellectual property, various aspects of it, and one of the is issues that comes up is data ownership.

And then is that information. Top secret, or is it just really secret? It's sensitive, but eh, it's important, but it's not really gonna crush the company kind of thing. [00:09:00] That is where the data owner is so important. Now, the only thing about the data owner and their responsibilities they need to do is that they need to understand the organization's mission and strategic goals will be impacted.

They also need to. Determine the cost of this information. I've dealt with this in the fact that you're dealing with high intellectual property, high aspects of that people. You ask them and they say, what is it worth? I yet one person says this and another person says that, but when you get to the data owner, they can tell you pretty succinctly how much is it going to cost and affect the company.

So that's really important. Understand the requirements of the entities. Within and outside the organization and recognize when the information reaches the end of its life cycle and then quote unquote destroying it. That's what ends up happening a lot is it's like we got everybody's hoarders. There's so many hoarders out there where they'll start their data, they'll build their data, and then they realize, you know what?

I just wanna hold onto this cuz it makes me happy. I feel comfortable with it. It's just something that. Makes me feel good [00:10:00] now. No, you want to delete it. You wanna make sure that if it, after the end of its life cycle and it's not needed anymore, get rid of it. Because as you move to Amazon or these other locations, you will find real quickly that with all of that data that is out there, it will just cost you more and more money to maintain it.

All right. Data ownership. Other, some other best practices around this is along with data ownership, intellectual property rights for their data need to be defined. Okay. So you understand the difference was you'll get your data and then you'll have people that'll have intellectual property that will create something for you.

Do you need to define what is ip? And that needs to be defined from your senior leaders, your data owner, and your legal department. They need to define what is the property rights around it. And so if you create something, is that information for you? Do you get to keep it? Or is that spun thing specifically that is an individual, do you to keep it or does a company own it?

Owners are responsible for creating and documenting policies for their specific data. Again, [00:11:00] You need to have one overarching policy around it, but then they may have something very specific for their needs. Now, what I would recommend that you avoid is bureaucratic policies for the sake of policies.

What ends up happening is you just make busy work and you make all this work, but at the end of the day, nobody ever goes back and looks at it. So those of important aspects around your data ownership. They should also incorporate with debt laws and regulations, obviously, and then they should in ensuring proper agreements for data usage are in place.

And that would be NDAs. It could be data usage within various countries as like the first or the last bullet I talked about, where you have laws for such as gdpr, any other privacy aspects that you may have within the comp or country that you live. I e, I know right now the Philippines has a pri, big privacy law that they're pushing and all of those pieces are a factor.

Now as far as data custodians go, data custodians are responsible for the following, safe custody. Storage, transportation of [00:12:00] data, implementing the business rules, and then technical environment and database structure. So those are what the custodians are supposed to do. They're basically the ones taking care of the data, and they're not the owners.

They're not the ones that actually created it. They're not the ones that can define it. They're the ones that are responsible for care taking of it, the important responsibility of data custodians as well only allow authorized and controlled access to the data. So it is, in some cases it may not be, the data owner may allow that access.

They may be the person that is actual the data custodian, or it could be somebody that is managing a large group of data for the organization and then they would control the access to the data, ensure that no unauthorized access is granted. Maintain versions of master data and history of changes. This is something that's, like you've talked about, CH Man or management of change, how important that really truly is because if you have multiple versions of this data, it will get lost and you will have all kinds of issues.[00:13:00] 

You also wanna identify data stewards for every data seat set. Ensure data integrity is maintained in technical processes. Audit the data, the content, and the changes, and then maintain consistency with the common data models while adding data to data sets. Bottom line is your custodians need are the ones that manage this data, and they need to be able to maintain it and control it in a way that meets with what your policies and your wishes of your company are.

Now there's another. Point that outside of data custodians, data stewards, and you heard me talk about that just a little bit. They're responsible for the content context and the associated business rules for the data. So they're kinda like the handler. So you got your data owner that is the one that creates the data that is responsible for data classification.

You then have the data custodian who manages the data and takes care of it. Then you'll have someone who might be designated as a steward, which would may have the ability to add alt, has all the background knowledge, but isn't the physical. Owner of the data themselves. So as an [00:14:00] example, I've got, it will take care of our data custodian aspects in many cases.

Most cases, not all, but in many. And then you have your data owner, which is a person who controls the intellectual property. They're the ones that maintain that. Then you have your stewards, and they're the ones that are working with the. IP owners, the data owners to understand the context around the data and they provide that information to the custodians when they're looking at helping to ensure that it's prote best protected.

So possible data custodian roles are as a data manager. Project leader, database administrator, geographic information systems manager. Never heard of that one. That's pretty cool. It's kinda a long title IT specialist and the application developer, those are ones that they had on the website around Simply Learn, but again, you can use, it's just a hierarchal approach to data control.

So again, you got your data owner, data custodian, data stewards, all of them have various key aspects in relating to protecting the intellectual [00:15:00] property. Okay, so we're gonna roll into my CISSP around determining and maintaining information and asset ownership. And so this, we're now just taking for what we learned here, we're gonna roll into specific objectives that the CISSP peak is talked about, and those, the objectives fall under 2.2, and that's determining and maintaining information and asset.

Ownership. All right, so let's get going into this. Again, there's some key considerations and a lot of this stuff may be a little bit of repeat of what we talked about just a little bit earlier, but again, this follows under the 2.2 objective that you will need to know to pass the CISSP exam. So some key considerations.

Data ownership will change over time, which we've talked about. You're gonna, people are gonna come, people are gonna go, but you define that data ownership at the beginning, or at least you know what, draw a line in the sand and say, now I'm going to deal with data ownership. Then you at least can begin from there.

In most cases it does not own the data, and I would definitely [00:16:00] concur with that. It is usually not the IT or the data owner in this situation. They are usually the custodians or the stewards. They may be responsible for protecting but no ownership. Hence, that's what I deal with is protecting the data on a daily basis.

Regulation and requirements may force your hand into certain spa aspects such as your gdpr, your Chinese cyber law, and et cetera, and those all have. Various pieces to them. Now, GDPR will forces you to define very specifically what you're looking for. Chinese cyber law is more around privacy and protection of national secrets, but bottom line is they want somebody to be the actual owner, the belly button that if I got an issue, I'm coming to you.

And that's what needs to be defined in most cases around these. Privacy and data protection strategies are the owners responsible for the data unless it is formally delegated, and that is true. And so you, the IP owners or the data owners may kinda acquiesce to this of going, I don't [00:17:00] really want to learn this, or I don't wanna manage this.

I'm going to go ahead and send it to somebody else to let them deal with it. That is fine, but there needs to be a formal delegation. Otherwise it gets into he said, she said, and it just doesn't go well. Determining who owns the data. Now, it's an imp important first step, which we talked about is who owns this data.

Now, if nobody says nobody wants to stand up, you may have to escalate it to higher levels, and then you just force somebody to own the data that it's just really important that you do that. Utilize active directory global groups. Those are now Active Directory is a great tool for managing access. That's a great security tool that has been put in place.

And as we move to the cloud, the active directory will be changing and moving to a different model. But active directory still is an important part of most organizations. So if you're gonna be a cybersecurity person that's gonna graduate and pass your CISSP exam, you're gonna move into an organization that most likely has active directory groups.

Now, you may have a. Uh, a cloud [00:18:00] environment that is more around security groups and which is basically firewall rules and access control groups. But what's gonna happen is you're just probably gonna have legacy aspects on your on-prem environment that is going to be dealing with active directory. So you're not gonna get away from it anytime soon.

Uh, so far as an example of an active directory global group, you could have the New York City plant floor. Group or the, I don't know, nuclear waste group, but anything, anybody that's in that group will have that level of access. Now, folder names impossible owners. You could have it as the r and d group, three dash Bill Smith as the owner.

Now you can define the metadata, who is the actual owner, but you should define it in the folder names themselves. I think it's very important. The challenges is maintaining that over time can be a bit. Arduous, but that is the responsibility of the custodian or the stewards to help ensure that is properly completed.

Now, you reach out to business owners, that is a great way for you to start learning who is the actual owner, and [00:19:00] as a security professional, guess what? The art jobs are primarily around influence. There's gonna be technical aspects when you get started, but as you roll, as you move up the proverbial chain into different roles, you go from being hands-on, flipping switches and making things happen.

To more of an influencer within an, within an organization. So therefore it is important that you begin those relationships immediately by reaching out to the business owners and understanding from them their data. Now prob, there's problems with not having owners data may not adequately be protected.

Yeah, that happens a lot. The data is just sitting out there. Or in some cases actually it was so protected that no one could actually get into it. Cuz somebody put data, put some protections on it, but then they left the company and then there's no way of getting into the data. It makes it very challenging.

But again, I've seen it where the secret sauce, and you hear about this routinely on the internet, is that your intellectual property was shared on a network drive, which then in turn gets shared to the cloud, which then in turn gets shared to the world. Because as we move to [00:20:00] various architectures as an SharePoint within Microsoft SharePoint, online is just, you are on the internet.

It's the only thing that's stopping the internet is just the rules that are in place that. Are allowing people access to your contents. It, it is out there and available, so you're gonna have to be very prescriptive with how you protect your data. Now you also need to understand there's problems with not having owners around who to contact in the event of a breach.

So the data leaves the building and then you go who's in charge of it? I don't know. It's really a bad time to try to figure out who's the owner after your data has left the building. Impact of data loss is not fully understood. The security person's strategy will come into question, and that if you are the security person, that would be you.

So that would come into question on what the heck you're doing. And then I've seen it where the tragedy of the commons, it's what it's called, and commons like your commons, where you go eat dinner or whatever it might be, is the fact that if everybody, it's all out there in front of everybody, but no one takes care of it.

So as an example, you have [00:21:00] a, let's just say it's a. Break room where everybody goes and in that break room they have coffee and they have water and tea and all these aspects. What ends up happening is that there's somebody spill something, they wipe it up, something else gets spilled a little bit here, a little bit there, and before you know it, you have this entire mess that is just absolutely in.

Incredibly hard to manage well because nobody owns it. It's a common space. Since nobody owns it, then therefore it isn't taken care of. So that's a tragedy of the commons. It, it's responsibility is to protect the data per the data owner's direction. If there is no direction. Then you gotta protect the data with the best knowledge you have.

You can't say if you're not, it's not my problem. The IP owner didn't tell me, yeah, that's not gonna work. So you have to be able to protect the data and you gotta do what's right to do it again, do no harm. You have to make sure that you are, and you're part of your ISC squared ethics is that you have to be able to do no harm and manage this data in a way that will best [00:22:00] protect it.

Your CIO and IT leadership must take ownership if it's not available, and that's something you might wanna work with your CIO on. A leadership's responsibility, their security leaders must be engaged with the business leaders and then when in doubt, drive the leadership. Cuz again, as many will not make a decision and you're gonna have to drive it.

As a security person, you may have to, if nobody's taken up ownership, you may have to just drive it and make it happen. Do care due diligence, we talked about ensuring that you take care of this data as best as you possibly can, and that you drive that and make sure that it all the data is protected in the best format it possibly can.

Last resort options. Using network logs will also be useful to determine who owns the data. Now, whoever la I didn't say who owns it, but whoever Lash used it, that would be a great place to start to find out who the heck possibly owns it. I, if it hasn't been used in a wow, well then you gotta ask yourself, why don't I just archive it?

See if nobody screams, then I delete it. So that's something to consider. You work as an IT [00:23:00] professional for a defense contractor that handles classified military information. Which of the following data classifications applies to information that could be expected to cause serious damage to national security if disclosed in an unauthorized fashion?

Okay. A, it is S B U B is top secret. I don't know the top secret. Don't know. Is it three or C secret, and is it D Confidential? Okay. If you put it in perspective secret, if you focus on the serious damage secret will cause serious damage. If you're talking top secret, it's exceptionally grave damage. Okay, so confidential is just basically saying it will cause damage.

Those are key things to consider with that question. This comes from tevez.com. All right, so next question. Question two. You are using asymmetric encryption to protect data stored on a hard drive that will be shipped across the country. What key or keys are [00:24:00] involved in the protection of this information?

A shared secret. B, a public key. C, public and private keys. D. A private key. All right, so as you're dealing with this, which one would it be? So, as your aspect is, think about this, you can do this in a couple different ways. It could be a shared secret that if you actually have a secret between two parties that is keeping that data protected.

That would be that logical choice. But if you're dealing with an actual, just so that you have one private key that is kept between that you take it with you as you're going across the country, then that would be that situation. But bottom line, it would be, Letter D, private key. As you're just keeping that data, you're shipping it over there, then you'll then provide that information to them.

Question three, which of the following is not a European Union data handling principle required for participation in the Safe Harbor program? Key part on that is for Safe Harbor A, onward transfer, B, choice [00:25:00] C encryption. D. Notice which one is it? It is. B Choice. Choice Principle that states and organization must offer individuals the ability to opt out of information collection and storage programs.

It's not part of the European Union's data handling principle around safe harbor. All right. Thank you so much all for joining me today on my podcast. Again, you can go to sean gerber.com and check out all the cool stuff I've got there, and we can definitely help you in multiple ways so that you can pass the C I SS P the first time.

All right, we'll catch you on the flip side. See?