CCT 276: Data Lifecycle and the CISSP (Domain 2.4)
Sep 01, 2025
Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv
From insecure code causing breaches to proper data destruction, this episode dives deep into the critical world of data lifecycle management—a cornerstone of the CISSP certification and modern cybersecurity practice.
A shocking 74% of organizations have experienced security incidents from insecure code, highlighting why proper data management matters more than ever. Whether you're preparing for the CISSP exam or strengthening your organization's security posture, understanding who's responsible for what is essential. We break down the sometimes confusing differences between data owners (who bear legal liability), data custodians (handling day-to-day operations), data controllers (determining what gets processed and how), and data processors (who handle the actual processing).
The stakes couldn't be higher. With GDPR violations potentially costing organizations up to 4% of global annual revenue, misunderstanding these roles can lead to catastrophic financial consequences. We explore the eight principles driving transborder data flows and why understanding your data's journey matters for compliance and security.
When it comes to data destruction, I share practical wisdom about what really works. While methods like degaussing and various overwriting techniques exist, I explain why physical destruction (the "jaws of death" approach) often makes the most practical and economic sense in today's world of inexpensive storage media.
Throughout the episode, I provide real-world examples from my decades of experience as a CISO and security professional. Whether you're dealing with classified information requiring specialized handling or simply trying to implement sensible data governance in a commercial environment, these principles will help protect your organization's most valuable asset—its information.
Ready to continue your cybersecurity journey? Visit CISSP Cyber Training for free resources, sign up for my email list, or check out my YouTube channel for additional content to help you pass the CISSP exam the first time.
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.
Speaker 2:
Good morning everybody. It's Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is CISSP Training Monday and we're going to be focused specifically on the CISSP training related to domain 2.4, and this is managing data life cycles, and so, as we've talked in numerous different episodes around data life cycle, it's an important part and today we're going to get into that again.
Speaker 2:
This is domain 2, 2.4, but before we do, I had an article I wanted to kind of share with you all and it'd be great to get any opinion from you all. So this is from IT Pro, and this is based on a report that was done, and this report says that 74% of the companies admit insecure code caused a security breach or security incident of some kind, and, as we know, this is definitely the case. There's a lot of insecure code that's been done out there. I had a lot of security or I had an IT team, a development team, that worked specifically for me, and because they worked for me, we went through the overall development lifecycle aspects and they struggled with that a lot. They didn't know how to deal with the development lifecycle piece of this, and so this report basically found that 74% of organizations had suffered from an incident as a result of dodgy or bad code, and nearly half of those were hit with a breach of some kind. And so, with AI, people are going, well, hey, now that I'm going to develop AI, I'm going to put that into my environment, I'm going to actually have really safe and secure code. But even though AI can code better than developers, there are some suggestions that the code could also be insecure. Code could be replicated by AI as well, so if it doesn't know what is good code, it could actually end up replicating bad code as well. So the point really comes right down to training, and they recommended that their people are trained at least on a quarterly basis or, if better, on a monthly basis on what to look for as it relates to insecure code.
Speaker 2:
Now, there's different types of products out there that can help you with this.
Speaker 2:
There's video-based products, there's e-learning platforms and so forth.
Speaker 2:
They have hacking games, such as Capture the Flag, and I think all of those are an invaluable part of your organization and they would be something that you would want to go through and help your people understand how to actually do these aspects.
Speaker 2:
So labs and classes are important, but I would also say that, as you're doing this with your folks, make sure that you have a good game plan in place of what is the overall end goal, what you're trying to accomplish, because, when it comes right down to it, training and teaching people as well as working on the AI piece of this is great, but there has to be measurable metrics that come out of anything that you do, because otherwise you're just kind of doing activity, hoping that everything's going to kind of fall into place and work. Now, according to this article, one of the other aspects they had was around return on investment. That was one of the hurdles that became a big problem is, even though you may have this training in place and you may have some level of documentation developed around your overall secure development life cycle, how do you ensure that you're getting your return on your investment for the money that you spend? And I would say training is also one of those that is really hard to measure. You want to be able to train people, but be understanding that, hey, if I give you this training, how do I ensure that I'm actually going to get back what I put into it? So, as a challenge, it's imperative that you have good metrics on, at least in the fact that, what people took the training, how many were successfully completing the training, did you have labs involved, did they pass the labs? And all of that may not be pushed up to the board or to the senior levels, but at least then you have metrics on how they have done. It makes it a lot easier to justify the money spent if you can have those metrics, versus just saying, hey, all my people took the training, well, that doesn't really tell you anything. And, realistically, having a good structured plan on how you plan on getting this information to your people and have them use this information and then, in turn around, how is it being pushed within your development environment, those are all really good metrics that need to be tracked and monitored and reported up to your senior leaders. So, again, it's a good eye, a good option, the main thing I wanted to bring up about this article was just the fact that we all know secure development is going to be a bigger factor. Too many people rely on AI and they're just assuming that, well, if AI's got it, it knows how to code. It's coding good. I'm not going to double check the AI, so bad choice if you decide to go down that path.
Speaker 2:
Okay, domain 2.4. So let's get into what we're going to talk about today. Okay, so data owners. When we get into the overall fact around, what is a data owner? A data owner is a person that's ultimately responsible within your organization for the overall data that is out there. This person can typically be falls into a couple different buckets, but I've seen them in different ways. One, the CEO, actually, in some cases is the data owner, especially when you're dealing with intellectual property there might be. This person is ultimately responsible for the protection of this IP and therefore it could be the CEO themselves, depending on the size of the organization. If the organization is very large, it probably wouldn't be the CEO. It's probably delegated down to a president or a department head. In the case of some levels of intellectual property, it could be the R&D head or the R&D lead that's running it.
Speaker 2:
There's different data requires different types of data owners and they may not just be one person. I've seen it where the data owner may understand, or the engineer may understand, the data specifically around a certain level, but then other parts of the organization don't understand the information and so therefore they're not the data owner for that specific piece of information. It may be around a couple of different people, but at the end of it and that's where it gets real squishy between data owners and data custodians and we'll get into custodian here in just a minute but the data owner is someone who physically is responsible to the organization for that data and it typically is pretty high up within the company because they're the ones that are ultimately responsible if something bad were to happen. There's different data or will require different data owners and it may not just be one person, like we kind of mentioned just a little bit ago, but for liability reasons and negligence reasons it may be down to just one. So I'm giving you kind of a squishy answer on that. It's not really what you want to hear, but it depends. But what you want to understand and the key factor that comes out of this is you need to know who the data owner is specifically around the information, because if you, as a security professional, are trying to put policies in place around data protection, you're going to need to know who this person is, and they are ultimately responsible for the data protection within the company and they need to be aware of that as well. They also need to be aware that they are legally liable for it. They may say, yeah, I understand that, but no, I mean really truly. You are legally liable. If things go bad, you could be sued by the company. You could be sued by other people. There's lots of different things that can go sideways on this. So, as a data owner, you are ultimately responsible for the information.
Now there's data owner guidance around. This is SP 800-18. This is really good for developing a security plan and it's tied to the federal information systems. It's a really good place to start if you're looking for some sort of guidance around being a data owner. There's rules for appropriate use and how to maintain the management of this data, as well as guidance around security, controls, requirements and everything else that's out there in this guide, this NIST guide, this NIST publication. It does help you decide around privileges and access rights related to the data owner and what is the rights that this person should have, as well as acceptable use or rule behaviors. So it's a really good place to start. If you're trying to develop a security plan and you don't really know where to begin, I would start with this Secure Publication, SP or Special Publication 800-18. That's the NIST SP 800-18.
Speaker 2:
Understanding the asset owner, business owner or data owner: what does this mean? Well, basically, you have different terms that are being used, but in the business standpoint, you could have it called it as an asset, if you're. They also could say they'll. You know what. This business has a specific data that's tied to it. You'd be the business owner, or you could get very granular and it could be down to the specific data. So it's business asset data. These are all owners of this information. They could be multiple people, they could be one person, but whoever that person or persons are, you need to develop a security plan with them and in coordination with the data owner. You need to make sure that everybody's aligned with what is the security plan in place. This would be a specific asset that accesses any sensitive data. You would need to call out those specifically, and you need to ensure that those are all defined well within your security plan.
Speaker 2:
This ensures systems are updated and properly configured, and this would, in one example, this would be the digital marketing team. They would have a situation where maybe they populate the websites with digital marketing content. This needs to ensure that it's updated and properly configured. Business owners will manage it, but it's not, potentially, the data owner. So what that means is the business owner is, let's say, for the digital marketing team. They're the ones that are managing this website. They're the ones that are managing any sort of digital content that goes in there, but they don't specifically own the data that's going into that content. So you'll need to work with the business owner, and you may have to work with the data owner too in this specific situation. Now, they could be one in the same, but they also could not be, so again, making this extremely challenging for you all.
Speaker 2:
When it comes to the CISSP, if they start asking you questions of going, you got to read the question that the business owner, who does not own the data, is making these changes. Is this a good idea? You might be going. Well, no, because they're not the data owner. If they say, the business owner, which is the data owner, is making these changes, then you may answer the question a little bit differently. So the bottom line on all this is you really truly understand? It's all about the data. Always remember that. It's always about the data.
Speaker 2:
Now the data controller this is a person or entity that controls the processing of the data and they decide what data is to be processed. Now, dealing with GDPR, you will have different types of data controllers, but, bottom line, this person is the one that will control as far as what data is to be processed. Why is this data should be processed? This is the reason they'll also do that and then how it is to be processed. Those are some key questions and key concepts that the data controller will do so.
Speaker 2:
As an example, a company will collect personal information on your employee's payroll this. You want to pass this information on to a third party to submit payroll for you. The data controller will determine what data is passed through to the third party. Not everything may need to be passed to the third party. Some of the more default ways would be just pass it all. Well, but that does not work, especially in a more regulated environment such as the European Union. That would be a bad thing. So the data controller is what's going to determine what needs to be sent to the third party for payroll processing.
Speaker 2:
Contracts are in place to ensure that third parties don't use it for anything outside of what they've been called out for, and these contracts are followed and maintained. And they have teeth. If a third party decides to use the data in a way that is inappropriate, it will come back to get them, and it's imperative that you understand this as well as you're putting these in place. Sometimes the security folks have a little bit better handle of what's going on with this data movement, and so, therefore, your wisdom and guidance is going to be very important. Large organizations they will actually hire a data controller specifically to do this work, but if you're in a smaller company, they may not. They may have that person doing multiple different tasks. You are going to have to help them understand what is the difference between a data owner, data controller, and what is the different regulations asking for in relation to those. So, again, it really comes down to you helping them and understanding the key concepts related to data controllers.
Speaker 2:
Data custodian. Day-to-day tasks are accomplished by the data custodians. We kind of mentioned at the beginning the difference between a data owner and a data custodian. You could get confusing and it can, because sometimes the data owners will act like data custodians and then sometimes the data custodians will act like data owners. This is why I need to have clear guidance on who owns which data. This helps protect the integrity and security of the data by ensuring it's properly stored. It also ensures that daily activities are set up so that it can be properly protected and maintained. This would include backups, daily log files and any daily maintenance for the specific data. In and of itself, the custodian is the key factor.
Speaker 2:
Now I have seen this where the custodian doesn't understand what's going on with the data. It maybe controls the access to people that are gaining access to the data, but when it comes to the backups and the log files and any daily maintenance that's related to this specific information, they go, well, IT's got that, and that is wrong. That is not correct. You need to make sure that whoever, as a security professional, is your data custodian, that you work hand in glove with them to make sure that they understand what are the backups, what are the log files? Are there any daily maintenance activities that need to occur? If the backups are occurring within a local backup or do they have to be pushed up to, like a glacier, a long-term storage backup? When can you do backup and recovery scenarios?
Speaker 2:
All of these things that you, as a security professional, may have to work directly with the data custodian on, and they need to understand that it's not your responsibility, because when someone comes now again, if the CEO says it's your responsibility, well then it's your responsibility. But if the day comes and they're asking for all of this that's going to, you know, if something bad happens, the data custodian if that person is defined, their neck is going to be the one that's going to be out there for the guillotine. So you need to make sure that you, as a security professional, work very closely with them to help them understand the risk and also the things that you have in place to help protect it. Now, it may be a combination of you, it might be the IT guy, it could be a lot of people right that are all involved, but when it comes to the daily activities, do not allow them just to assume that IT's got it, because IT in many cases don't got it. So that's really good English. I know you all are really probably enjoying my English for today.
Speaker 2:
All right, so what is a data processor? A data processor? This is everything that relates to processing the data. Right, that makes sense. So, if the data goes from point A to point B, how is it being processed? This could be the systems processing it, it could be individuals processing it, but what it comes right down to is where is this going? What is it doing?
Speaker 2:
Well, related to GDPR, a data processor is defined as a natural or legal person, public authority, agency or other body which processes personal data solely on the behalf of the data controller. Okay, that's GDPR. So, as an example, we'll talk about third party. The data controller collects personal data on employees for finance purposes right, payroll and then passes that information on to a data processor. We kind of mentioned earlier in the overall data controller's responsibilities. So a data processor is taking this information, they're managing it, they're massaging it, they're manipulating it. They then, in turn, are doing something with it to help the overall company get done what they want to get done.
Speaker 2:
But this is important for you to define who is a data processor, especially dependent upon highly regulated entities and highly regulated industries, because if you don't have this well defined and you're just assuming that it's done, odds are high it's getting done incorrectly or it's not well defined and well documented. If you were to get audited, if you have a deal with a breach, the first thing they're going to ask is okay, who is your data processor? And then who is your data controller and who's your data custodian? And they're going to ask those questions and if you don't have good answers, that is a very, very uncomfortable place to be. So, as it relates to compliance, you must comply with GDPR requirements, especially if you're dealing with the EU or face fines up to 4% of global revenue. So, to put it in perspective, let's say your company does a billion dollars in global sales, global revenue that's what they have coming in Now, that's global right. So that's a billion dollars globally.
Speaker 2:
If you're dealing with the EU, you could have up to a $40 million fine. So there's a big issue with this right. You want to make sure that you are doing what you should be doing and a $40 million fine. Let's put this in perspective. A lot of companies, their margins that they make in a year. Let's just say we're guessing, but some are higher, some are lower, but your margin could be anywhere from five to seven to 12%. So if you all of a sudden are cutting out 4% because of some foolishness you now just lost, you're down to maybe making that year 3%. So that's huge and that's just the fine. That doesn't include the legal ramifications that go into this, because you got to pay lawyers to defend yourself. You've got to go out and pay other people for other stuff, so that 4% real quickly could grow to around 6% or maybe even 7%, depending upon what are some of the aspects that go with it. So you must comply. Do not think you don't need to comply. You must comply and you must figure it out.
Speaker 2:
The EU and US Privacy Shield Now this was previously called Safe Harbor and just many years ago I had to deal with this. And this is the Privacy Shield piece of this that's in place. Now organizations can self-certify and meet or comply with the Privacy Shield principles. Now there are 16 principles in total and you need to basically vow to uphold at least seven of them and the ultimate goal of this is that saying I will do everything in my power to protect the information that's going to and from my company. One of the things that GDPR does allow for you to do is transfer data from the EU into the United States, but you must do various aspects with the data. In the past, under the safe harbor, you could say I'm a safe harbor company and I vow to maintain these seven things and therefore I will protect the data and do what I need to do to protect it, but that doesn't work anymore. You have to.
Speaker 2:
Basically, if you're looking under GDPR, you have to make sure you have in place many of the controls that are there that are outside of the US and EU privacy shield. So, as an example, if you have data coming from the EU into the United States, the data controller must make sure that any data coming out of the EU into the US has been anonymized. It has data that is masked in some level or form. If it is not masked or anonymized in some level or form, then there has to be an exception place that's put in place and that has to be done through works councils, and so that's a huge. It's just a long laundry list of things that have to go on. So, in reality, you want to make sure that you have the right people in place, especially if you're doing any level of EU business.
Speaker 2:
Some other key GDPR terms that you need to understand is pseudonymization. This is a process of basically using pseudonyms. Instead of an Indonesian, I can't say that word. It's pseudonyms, that's it, pseudonyms. I had a friend that we flew F-16s with and his call sign was POSUEDO and I asked him. I said why they call you POSUADO? And he said because he didn't know how to say pseudonyms, they called him POSUADO. So, yes, so POSUADO or pseudonyms, they will represent other data that's out there. So in the example, Bill Smith is patient 12345. So the pseudonym is Bill Smith is patient 12345. So if you looked at it at a glance, without the cipher, you wouldn't know that Bill Smith is patient one, two, three, four, five.
Speaker 2:
It's very popular when working to try to obfuscate data. It's again, obfuscation is not a protection. It's more or less just obfuscation and causing drama more than anything else. But Bill Smith is pseudonymized, right, as a patient one, two, three, four, five. It's totally just jacked up. The only way that you can decipher this is if you have logic that is set up to reconnect the dots, that you could figure out what's going on, but in reality it's extremely hard to do. It just also adds a lot of drama, and I've run into the past where Bill Smith and their social, Bill Smith's name would be just XYZ, and then their social would be some random 10-digit number, which then in turn would tie back to this person's Social Security and then you would tie back to Bill Smith and that would be a record within your SQL database that says this. So, again, it adds a lot of drama and a lot of issues if you don't do this well. So you need to make sure that if you're going to deploy some sort of pseudonym pseudonyms, yes, that that persuado you're going to add any persuado or anonymization you have a very good plan in place on how you're going to one put it into this anonymized path and then also how to de-anonymize it.
Speaker 2:
Data users and subjects. Okay, a user is any person who accesses data via computing type device. That's a user. This should only have access to the data they need for daily activities, and we talk about this a lot in CISSP Cyber Training. You have to make sure that they have only the credentials they need for their role. Anything above that is what we call credential creep. And too much information or too many credentials is like we mentioned a few weeks back in relating to the individual who put a logic bomb within an organization.
Speaker 2:
Once they get these credentials, they don't like to let them go. Especially IT folks and this is a really big part is that IT people, once they get credentials, especially if they become like godlike credentials, they do not like to relinquish them. So you, as a security professional, need to just go and rip them out of their cold heart, rip them away, tear them apart. Yes, you cannot allow that. And, by the way, if you do that, you better not have good credentials as well, because a lot of times security folks will say, well, I need the credentials because I need to be able to do my job. That's bull, bull, honky.
Speaker 2:
You need to make sure that you, as a security professional, do not have those level of credentials, because one you are a target. I would not allow it. They wanted to give me all kinds of credentials as a CISO and I would not take it. I did not want those because, at the end of the day, I didn't want my head to be on a platter and two, I had no business dealing with them. If I needed to get access to some information, I would get it for a temporary purpose and then it would go away Again. You must make sure that you do that. It does add pain and drama to your life, but it's a very important part. So, again, subjects must can be users, programs, processes, services or anything that can access a resource. You got users who access it, you have subjects, and then the data subject is a person who can be identified through an identifier. So you need to understand the differences between data users, subjects and data subjects.
Speaker 2:
Now, data collection. There's the transborder flows of data, personal data. Previously there's been domains around transborder, but when it focuses right on it, there's key provisions around the OECD, and this was 30 member nations, including the US, that wanted to be determined around how do we deal with data that's transferring, going across borders. This all started in 1980, so now, as you can tell, this is when it was issued. Since 1980, which is like a lifetime ago, a lot has changed and data now in the past was it was very specific data flows to and from organizations and from countries. Today it goes everywhere. It's flying all over the place. So you need to truly understand where are your data flows within your company, because some of these other provisions and all these data flow products that come out like this in this case of this, the Organization for Economic Cooperation and Development may be out there that may affect you. So you need to just truly understand your data flows. And then, what are the member countries that you are focused on specifically?
Speaker 2:
Now there's eight driving principles. This is collection limitation. Collection of personal data should be limited. We talk about this a lot. You want to limit all personal data that is collected. It shouldn't be. You shouldn't collect it unless you absolutely need to. It should also be obtained by legal and fair methods. You shouldn't just go hey, oh, look, I found a bunch of data, let's just suck it down. No, you don't want to do that. That's not a good idea. So you want to make sure it's legal and fair and that you understand what data you are collecting. The data quality should be kept complete. You shouldn't be parsing data out and again, the reason is that it's like the data sprawl we talk about a lot on CISSP Cyber Training. It sprawls. It goes everywhere. You run into data in all different nooks and crannies of your organization, so you need to make sure that it is complete and it's consistent with a purpose that it's being used.
Speaker 2:
Another principle around data collection is purpose specification. You need to have notification to the person around the collection and its purpose. You need to have this within your policies of if you are collecting data on people. You need to highlight that you need to have your legal team go and give you some sort of guidance around this. This at the time it's collected and of its purpose that it's being collected. You also have to have loose or use limitations.
Speaker 2:
This is a consent of the person that is allowing you to use this information, and if they're going to declare or disclose any data, that it has to be done through a person in the law and they have to have authority to do so. Now you need to be notified if the data is being used for purposes stated differently than disclosed. What that means is that if you have a document that says if I'm going to collect your data and I'm going to disclose it and it's going to be different than what I have just highlighted in this document from our legal team, then I must let you know that why we're doing that. So the goal is is that I'm collecting this data on you. They don't want you to take the data and say, well, you know what, we've got a subpoena on this and we're just going to use some of this data and send it over here and let them look at that. No, if you do that, you have to give information out to the person who's the owner of it and the individual that's being collected on it that you are doing this. You can't just go and do this willy-nilly and under the table. Now, again, I'm saying all of this. I am not a lawyer and do not take legal advice from me. I am giving you just advice based on experience that has occurred and I would highly recommend that you get with a legal team. If you have that are interested in doing something similar to what I just mentioned, get with your legal team. Do not go. Hey, sean said we could do this. No, don't do that, I will deny it. I will deny it.
Speaker 2:
Security safeguards: you need to have reasonable safeguards in place to protect the data. Again, this is another part. You must make sure that you have the safeguards, because if you don't, and if you have not looked at this, and then something bad happens, they will come and tap you on the shoulder and say what did you do? And it will be your throat to choke. Openness: you need to have developments and practices and policies regarding this should be communicated. It should be open, it should be available, it should be transparent. All of that should be available for people to see if they want to see it, if they're the right person to see it. Now again, you don't just let everybody look at this, but if you have approval from your senior leaders, you have approval from your legal team. Yeah, it should be open and transparent to everyone.
Speaker 2:
Individual participation: individuals should be able to determine if an organization has personal data. They also have the right to opt out. In certain jurisdictions, they can opt out from any sort of personal data being collected. Now, the downside of that is, in some cases, if you don't give me your personal information, I can't do payroll which can't get paid, so you're going to have to give me something. That's the part. The sticky wicket and all of that is that people need to be able to give information that's personal so that they can get paid. But the goal is that you don't give out any more personal information than you have to, and there are some people that 99.9% of the people don't really pay much attention to this, but the 0.1 that does can make life extremely challenging. Yes, you can consume a whole day in just trying to deal with that and then an ongoing monthly drama that goes with that as well. Accountability: organizations are accountable to ensure that they comply with all these principles and they need to make sure of that. Again, the organization will be accountable in all aspects of data collection.
Speaker 2:
Data location: this refers to the location of the data backups or copies. It's best practice to have one copy on-site and one copy off-site. That's obviously a best practice. There's a 3-2-1 practice, which we'll get into in other parts of the CISSP, but bottom line is you have at least one copy that's on-site and one copy that is off-site in a stored location somewhere. Now how off-site does this copy need to be? Usually, typically, between 100 miles to over 2,000 miles.
Speaker 2:
So here's what the issue runs into. Let's use AWS as an example. Their data centers are all over the place. Well, one situation came up where we had a data center that we had our backup data in and the other data center was probably about 150 miles away, and they said, yeah, we're good. Well, the problem is is that both of those data centers were on the same grid and the same outage that occurred, a communication path that occurred, and it took down both data centers, so you lost your backups. Now, is that unique? Yes. Is it rare? Yes. Has Amazon tried to figure that out to this point? Yes. However, you need to decide is how far away is far enough? 2,000 miles away and data replication on the West Coast is much better by far. However, it's much more expensive too. So, and then also when you're having to recreate from all of that data from someplace so far away can be even more challenging. So you need to understand what is best for you and your organization and where is the happy medium in between. Utilizing cloud backups for storage, what you need to make sure that you ensure that they are geographically in the different regions. Ideally, you want to make sure that that's the case. But again, you got to look at your costs. You got to look at pricing and see if that works for you and your business model.
Speaker 2:
Data maintenance: this refers to ongoing efforts to organize and care for data throughout the entire lifecycle of the data. We talk about this a lot. Data lifecycle is important, from the beginning it was created to its death and destruction. So, storing of sensitive data on one server throughout versus throughout the organization, do you want to do that? That's the example is if I keep all my data in one central repository, I know where it's all at, which is great, that's awesome. However, if that server goes down and you don't have good backups, life is terrible. So you need to make sure that, which is what you want to do.
Speaker 2:
Certain networks can process classified data. Others do not, and you need to understand the level of classification that occurs within your company. Is there some level of your super secret sauce that must stay in a protected network that is segregated from the rest of the environment, and are those servers and those networks protected in a certain way that's different than your normal networks? These you should not commingle. Again, you got to determine what is best for you and your company. If you're dealing with the US government and top secret, secret and all those kind of fun things, they have very different requirements related to protecting the data and therefore they go above and beyond in many cases, probably way beyond what most companies would need. It wouldn't need to be quite so draconian, but that's something you have to decide for you and your company.
Speaker 2:
Process control networks: that data may be air gapped from other business data. You want to consider that that could be done through the Purdue model. It could be done different ways, but process control environments and their data, if it is segregated and air gapped, how do you get the data to your business environment to basically manage it? Do you hand jam it in with your fingers? That would be a bad idea. Do you have ways to transfer data out, but not being able to transfer data in? All of those different pieces need to be understood around the overall data maintenance. Policies should be enabled to ensure that the proper maintenance of the data is set up.
Speaker 2:
Again, policies are an important part and data maintenance needs to be called out specifically as it relates to protection of your overall information. Routine audits should occur if the data ensuring policies are being followed. Audits are an important part and you need to make sure that you do follow them. I highly recommend that you at least, if you don't have your audit team come in and do it, you will do a self-audit and do an assessment of your own information. You'd be surprised what you'll find. And you start digging and start digging a little deeper. You'll be going, oh no, that's not good. So you just need to make sure that. Start small and then work from there.
Speaker 2:
Data retention: organizations no longer need the data. What are you going to do with it? Have it deleted, right? So much we call back to is data sprawl and data hoarding. A lot of people will data hoard. They just keep it going. "But I'm going to need it 10 years from now." You're not going to. One, you may not be with the company, and two, when you do leave the company and they go, "Why is this here?" I have no idea. Obviously you want to set work with your compliance folks around data retention policies. And how long do you keep the data?
Speaker 2:
Also, understand that if you keep the data in your environment for long periods of time, it becomes discoverable from a legal standpoint. Your business may not want that. So you have to weigh the challenges between having the data and keeping it long-term versus having it being discoverable. And we all know lawyers, they're needed in some cases. In some cases they're not. I do not, repeat, do not like lawyers that are the slip and fall lawyers very much. They're not my friends, they're needed. There's a specific need in which I feel that very important, but then there's also times when they're just trying to get rich and so, yeah, I kind of went down a tangent there. I'm sorry, it's a little PTSD going on, but bottom line is is that you need to make sure your lawyers are connected with everything you're doing.
Speaker 2:
As it relates to data retention, classification levels may require a deletion process that will vary, right? So if you have top secret data, the deletion of top secret data is very, very different than deletion of general type data, and you need to have a good understanding of what is that process. Now in your organization you may not have top secret, but you've got super secret sauce data. You may want to have five different people approve before any data is ever deleted. So you just got to kind of think about all of those things. Organizational deletion policies should be created to help alleviate inconsistencies. So you should create the policies and then the procedures that go along with that. And then the destruction of media types needs to be considered and documented as well: CDs, DVDs, which aren't really used ever anymore, but you may run into them, email, USB, SSD drives, all of those things, any sort of media that you create. What is the destruction policy around that? And if you know the destruction policy, then is that being maintained? Is it being managed? Who is the data custodian ensuring that this policy is being followed and that the data retention policies are actually being followed as well?
Speaker 2:
Data remnants: data remnants is the data remaining on the disk after it's been erased. So this is when you go through and you do your format, your disk. The residual data after full erasure of the disk is a big factor. There is a lot of times data left on there, and some of this can be personal, can be all kinds of things. Now this is dealing with a lot of the hard drives, even the SSDs, but the discs are now to this point, are so inexpensive. If you can even get platter discs anymore, I don't even know if you can. Uh, that, destroying that, fully destructing, destroying these is the best course of action in most cases, uh, serious problems, especially with today's tools. What that means is like an SSD drive is so bloody big that overwriting it is a bit of a challenge. So obviously one of the big factors is just destroy it. It's just cheaper and it's faster just to do that when you're dealing with data leakage and data loss can be substantial. I think there's somebody mentioned that there's a hard drive somewhere that has a Bitcoin on it that's worth like 18 bazillion dollars. Yeah, that was a bad idea. That's a data leak or data loss. You'd be kicking yourself pretty hard on that.
Speaker 2:
One Ghost image on computers or CRT monitors you can get. The CRT is a cathode ray tube type monitor, which, if they still have those and people use those that's craziness because they cost like a fortune to run, but you can have ghost images that are set on there. What does that mean? You didn't go into sleep mode and it just basically burned an image into the cathode ray tube. So, yeah, those can be there and that can divulge information as well. But if you're using CRTs, holy cow, you are. Yeah, that's like really really old school type of segregated crypto something or other.
Speaker 2:
I don't know what to even call that it. I would if you saw that. It's probably so old there's nothing of any value on it. But maybe then again it's the super nuclear codes to finding the aliens from the Planet X. I don't know. Other things are dealing with data remnants. We've talked about this in various aspects of the CISSP, uh, degaussing, degaussing, degaussing, uh.
Speaker 2:
It's powerful magnets that are used to destroy typical magnetic drives. They don't work well with SSDs, but they do work well with magnetic platter drives and they will nuke them. Don't go next to it with anything else. Like a pacemaker, you will die. But degaussing is an important part and it's designed specifically for magnetic drives. Physical destruction: I call these the jaws of death. They basically are like a big chopper. You throw the hard drive in it and it just pulverizes it, it shreds it and it destroys everything that goes into it. So I highly recommend that you just use solid state drives. You throw them into the jaws of death. Don't go in there with a tie because it'll suck you in like something out of James Bond.
Speaker 2:
But the jaws of death work really good to destroy stuff. Pretty much any media you'd want destroyed, throw it in there. Erasing: this is where you delete the operation of the file or the media type. So you're basically deleting the file that's on it, but it really typically only removes the pointer to the file location, so the data still is sitting on there. It's just now the pointer to where it's at is gone, and so the goal is is that, well, when you remove the pointer now, as you start writing onto the disk, you will overwrite that data, and that's fine for the most part, but that does leave a lot of extra data potentially just sitting out there that could be collected by somebody. So therefore, just throw it in the jaws of death. Clearing: this is where your overwriting process for media to reuse data cannot be recovered. So basically, the point of this is that you write a single character over every disk. So when you're clearing it, it is instead of just getting rid of the pointers and you're writing in a one specific area, you're writing a one over every single sector, every single location on your disk, and so therefore it's all just written to one and it would overwrite any data that's there. There's various tools that can do this. The challenges is the size of these hard drives now, or these SSDs are so large that it can take like forever to do this. So you really got to ask yourself what's your opportunity costs available for this? What's it worth it to you to just get this $150 drive and just go, you know what, put it in the jaws of death, we'll just move on? Because if you're getting paid 20 bucks an hour and it takes you four days to do this because it's overwriting, your opportunity costs for that $150 drive isn't really worth it. So you just got to kind of ask yourself those different types of questions.
Speaker 2:
Purging: this is a more intensive form of clearing. This is done by the government. Instead of just writing a ones over each of the sectors, you would write a one. Then you'd come back and write a zero and write a one. It goes like a three or four pass type of option. It just depends. I think you can set however many passes you want, but that is what they call purging. So again, degaussing, physical destruction, erasing, clearing and purging. So data remnants and automated information systems. So we kind of talked about some of this already. Clearing and purging.
Speaker 2:
Declassification: this is removing the security classification of the subject media. So if you had top secret and you just go and erase it, it's now not top secret anymore, right? Wrong. But there's a process by which you can declassify this information by removing some of the classification in it. Coercivity: this is measured in oersteds, yeah, O-e, and this is basically a property of the magnetic material used to measure the magnetic field. Yeah, so bottom line is is that if you see in that that's coercivity, yeah, it's a big word, but yeah, it's different types of that. So we're going to go into the different types of tape. So if you're connected to it, tape has, magnetic tape has different types of OE. There's a type 1 through type 3 tape. Bottom line is that, depending upon the magnetic materials in each of these tapes, they will then have the measured amount of data that they can store.
Speaker 2:
If you're dealing with magnetic tapes, you're definitely old school. There is magnetic tape still being used. People use them a lot and therefore they are great for keeping certain levels of data. However, the amount of data they can store is much less, obviously, than a disk drive. But you want to understand that if you use magnetic tapes, the degausser will take out the magnetic aspects of it, it will nuke them and it will make them worthless. So do not take your magnetic tapes near, anywhere near or close to a degausser.
Speaker 2:
There's a permanent magnet degausser. This is a handheld permanent magnet that can be caused to degauss floppy disks or disk platters. Floppy disks, yes, if you still see floppy disks out there, again, you are old school. And yeah, they don't hold much data. I think you can probably hold more data on a very, very, very tiny thumb drive than you can on a floppy drive. Uh, so again, this is, it's, if you're dealing with this, you are, you're back in the stone ages. Sorry, uh, but there's a permanent magnet degausser. This is just one where you have magnets. You put it over your hand and use it just to degauss certain types of media. Now, this will not work. The handheld degausser will not work for degaussing tape, and it's because it's just not strong enough to do that, especially as it's wrapped up in that coil. It's kind of, you know, in the tape side of the house. So that's where you need to have the big degausser go in and nuke it. That's the better option.
Speaker 2:
Now there's some considerations for storage media reuse. Um, when you're dealing with this, one is destination of the release media. Obviously you need to know where is this media going and where, what's it's, where's it going to be stored? Uh, effects of heat and age. Tape media that does not age well. Platters don't age well either. So they have a problem and if you add a lot of heat then they really age quickly.
Speaker 2:
Mechanical storage device equipment failure. This is if you have the tape type of reader. They do fail. They don't make that stuff anymore and the software used to run it they don't make that anymore. So you really need to figure out getting off of those types of storage media if possible. Storage device segments are not receptive to overwrite. That's a very important part. Overwrite software and clearing and purging. All that stuff needs to be defined and understood, especially when you're looking at doing media reuse of some kind and then also not understanding your data sensitivity. Is the data that's being reused? Was it highly sensitive data? The media? I should say so. Is there a risk of any sort of accidental disclosure around the media? That's in this.
Speaker 2:
And then improper use of degaussing equipment. If you don't use the degaussing equipment correctly, you can leave data on the system. Again, I highly recommend just giving it to the jaws of death. That's the most better option rather than trying to degauss anything. Unless you absolutely have to put it in the jaws of death, you don't ever have to worry about it because it's just because once you degauss a magnetic tape, it's useless. It really is. So just throw it in the jaws of death and then you don't have to worry about anything.
Speaker 2:
Storage device segments that are not receptive to overwrite: they're unusable tracks on disk drives. They are very difficult to completely wipe, and then you need to really make sure you understand and check the devices for usable or damaged areas before uploading any data to them. This is basically when you're trying to reuse it and you don't know if it actually is going to work or not. An unreceptive system or data device, then just degauss it or potentially just throw it in the jaws of death. So again, I'm not a big fan of degaussing and trying to overwrite data. It used to be extremely expensive for hard drives and so people would do it. In today's world they're not that expensive. You're better off just trashing it, and if you don't have the jaws of death, then you get out a saw and saw that sucker in half, get a hammer and just beat the dickens out of it, do all of those things that will do wonders for taking care of it and making the device not equipped to be able to be used for anything. So again, I highly recommend not degaussing, just throw it in the jaws of death. But if you do have the degauss for the CISSP and you understand, you need to know how to do it. Well, we just went over everything you need to know to how to degauss. Okay, degauss, not degauss, that's taking gauze off your person, but degauss is to actually do the wiping from an electronic magnetic standpoint. Okay, that's all we've got for today.
Speaker 2:
Hey, head on over to CISSP Cyber Training. Hope you guys had a wonderful day. Head over there, get some free content. Sign up for my email aspects. I will send you all kinds of great stuff and it's free stuff for your CISSP.
Speaker 2:
If you're looking to be mentored and you want to actually grow your cybersecurity career, reach out to me at CISSP Cyber Training. I've got some different programs that are out there specifically for you to help you in your cybersecurity goals and desires. I get a lot of students that ask me hey, my job is going away, what should I do in cyber? I'm here to help you. There's a lot of people out there that can try to teach you how to do cyber. I've done it 20 years. I've done a lot of the different roles that you guys have done, or I've worked with people that are in those roles, so I can help you with anything you possibly need related to your career. All right, I hope you all have a great day.
Speaker 2:
Again, thanks so much for listening and we will catch you all on the flip side, see ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.