RCR 062: Understanding Asset Ownership - CISSP Training and Study!

Description:

Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

In this episode, Shon will talk about the following items that are included within Domain 2 (Asset Security) of the CISSP Exam.

• CISSP Article – Best Practices for Data Management
• CISSP Training –  Determine and maintain information and asset ownership
• CISSP Exam Questions

BTW - Get access to all my CISSP Training Courses here at:  https://shongerber.com/ 

CISSP Exam Questions

Question:  069

You work as an IT professional for a defense contractor that handles classified military information. Which one of the following data classifications applies to information that could be expected to cause serious damage to national security if disclosed in an unauthorized fashion? ✔

1. SBU
2. Top Secret
3. Secret
4. Confidential - Given

Top Secret classification is \"applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.\" Confidential classification is \"applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.\" Sensitive But Unclassified (SBU) information is protected information that does not reach the threshold for classified information

From <https://www.techveze.com/cissp-asset-security/>

------------------------------------

Question:  070

You are using symmetric encryption to protect data stored on a hard drive that will be shipped across the country. What key(s) are involved in the protection of this information? ✖

1. Shared secret
2. Public key 
3. Public and private keys
4. Private key

Public keys are used to encrypt information intended for a specific recipient in asymmetric cryptography. They are not used in symmetric cryptography. Private keys are used to decrypt information in asymmetric cryptography. They are not used in symmetric cryptography. Public and private keypairs are used in asymmetric cryptography. They are not used in symmetric cryptography.

From <https://www.techveze.com/cissp-asset-security/

------------------------------------

Question:  071

Which one of the following is NOT a European Union data handling principle required for participation in the Safe Harbor program? ✔

1. Onward Transfer
2. Choice 
3. Encryption
4. Notice

The Notice principle states that organizations must inform individuals about the purpose and scope of data collection efforts. The Choice principle states that organizations must offer individuals the ability to opt out of information collection and storage programs. The Onward Transfer principle states that organizations must only share information with other organizations that comply with the data privacy directive

From <https://www.techveze.com/cissp-asset-security/>

------------------------------------

Want to find Shon elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS: 

• ISC2 Training Study Guide
• https://www.isc2.org/Training/Self-Study-Resources
• Online Article
• https://www.simplilearn.com/asset-security-tutorial-video
• CISSP Exam Questions
• https://www.techveze.com/cissp-asset-security/

TRANSCRIPT:

  Welcome to do Cyrus podcast episode 62 understanding asset ownership welcome to reduce cyber risk podcast where we provide you the training and tools you need to pass the cissp exam while enhancing your cybersecurity career hi my name is Sean Gerber and I'm your host of this action-packed informative podcast join me each week cuz I provide the information you need to grow your knowledge so that you're better prepared to pass the cissp exam all right well good morning everyone I hope everybody's doing great this beautiful day they are moving fast and very quickly through 2020 it's hard to believe that till we're now in the January and actually channel is almost over things are just smoking it just blows my mind how fast 20/20 is moving so good stuff is going to be happening if you guys are studying for all your cissp exam 20/20 to get that pass and done and go to your cyber-security career things are just incredibly growing in the cybersecurity space and as you see it on a daily basis there's always something in the news as a relates to dealing with cyber-security so the good thing is you have chosen the right location to get what you need to pass the cissp and help enhance your career there's a lot of things we talked about here that are just extremely viable for the cissp but they are also extremely valuable for your daily activities so it's good today we're going to asset ownership and how do you deal with data management and so some people will look at this and think about how do I how do I do this and I'll come back to you as a friend of mine once said when I first started dealing with cybersecurity and the corporate world it's of you can focus on the data and what you going to do with the data then that will help alleviate a lot of the problems and on a daily basis I deal with lots of situations where the information is is it out there they've created information but they don't know who owns it because the person who did create it is long since left the company how do I manage it they don't know even really even the data exists in many cases so the best practices were going to focus on how do you deal with data management and data ownership simply learn.com and they have a tutorial out there on some best practices around data management but before we do want to put a plug out there for Sean gerber.com at s h o n g e r b e r and adieu to my website and with a bunch of information that is available for you along with some mini course I've provided for people that want to start learning how to pass cissp exam questions that are going to be available that are available for you as well large amounts of data available for you to study the cissp the great part about reduce ever risk is the fact that I just don't just give you cissp exam questions and answers to the test it is also adding some real life spin to it because the simple fact of it is is taking the test is only the first part in this arduous ongoing journey of cybersecurity so let's roll into the data management aspects please learn.com best practices for but now we're going to get into this and they had a couple bullets out there that they put out around data management data policies and so forth now when they're talking about data management they said some of the best practices that you should follow revolve around having a data management policy which will guide the overall data management program in an organization now I can't stress this enough that having the data management policy is very important I've been in multiple organizations with a policy piece of paperwork piece has not been as significant as it probably should be and so therefore you don't really have something to Anchor back to when you have that data management policy built and available and it's been vetted through leadership then it makes it easy to come back to and provide it to you your employees within a company or to your customers the policy have Define clear roles and responsibilities for managing the data this would be a data provider in a donor and a custodian and all these questions you will see these terms and questions you will see on the cissp exam so it's important to have a data provider id to owner and a custodian that you're going to see that because if you don't Define those roles and what their rot what they're supposed to do it does get really waqiah specials are trying to put some level of data management into your organization company consider if you're in a small company it's a whole lot easier than if you're in a very large company that never had this to begin with so those are just considerations effectiveness of controlled processes and practices for data management they need to also as you put these things in place you need to audit and assess what are the controls processes in practicing but with all just practicing in the auditing around it it's important that you build this into a quarterly or a semi annually amount of time that you go back and do these audits teachers in quality control and assurance do you want to create that some level QA and procedures around that established processes for verifying and validating the accuracy and integrity of the data and this is a really good point that you need to have something to verify that the data is actually being created in his it is valid because we're going to happen potentially as you have lots of Orphan data that is out there and if there isn't some sort of change management process around that or for data then you could really question whether or not the data is even valid Pacific data management practices Cryptid metadata and this one's really important descriptive metadata in the past we didn't really have a whole lot of capability around this now you can add and embed multiple levels of metadata into each of these actual data streams then what you do with it you can have a much better contextual description of what it was dance for so and now this can get very cumbersome as well as the simple fact is that most people don't deal with them really actually get in around it so it's important that you baby steps is kind of an important piece follow later approached four-digit Security on handset protection of the data and then you have in place clearly Define criteria for the date is access that's a good part right there is if you have just willy-nilly all kinds of different types of access for the data you will then have a hard time managing it it will just put people are coming to get it from various Avenues it can make it challenging now that also that you can only get this information from one specific location that is really kind of right for challenge however having two or three different ways to get to the data is much better than having 35 so just saying now that's the next day that they had their own similar to say what is your data policy now this is important that you have this especially for dealing with senior leadership and they're buying they need to be aware of what you're trying to do with their information handling legal custodial duties Acquisitions and so forth how is your due date of four individuals how do you want to deal with data's for Acquisitions and divestitures how do you want to deal with various other aspects around your data management and I also want a have a security perfect practitioner should address the following this what they had in your data policy data privacy requirements you want to work with your compliance folks on data privacy around their laws and regulations the ownership of the data got to go out saying cost and considerations for with such as the cost of providing data for access to the user okay so what was it going to cost around all this so like him in case you have you want to make this the super hard for anybody to get access to it your costs are going to go up if you add levels of information Rights Management something like that you will had additional cost to protecting your data the sensitivity criticality of the data do you want it to have a tiered approach such as unclassified secret top secret so forth that will also be going to be a fine policies and procedures for managing the data legal liability of the organization in case of data mishandling again you wanted to find all that ahead of time before you do have a breach because you will have something at some point and if you have these things documented and better to find it's much easier to roll through them when that time does occur that's what you Latina ownership did ownership is extremely important for all creatine acquired and we kind of talked about this you get you got to have something in place to deal with your owner who owns the data this person was a person that should be defined that creates the data classification aspects around it so if I'm the owner say you come up with a tiered approach it is a unclassified secret and top-secret let's just say for example those three tears as a data or you would look at that data and decide what do I fall under the top-secret bucket or if all of the unclassified bucket and in only the data owner can really Define that deal with intellectual property various aspects of it and one of the issues that comes up is data ownership and then is that information top secret or is it just really kind of secret is sensitive but it's important but it's not really like at the data owner is so important now the only thing about data ordering transmission and strategic goals will be impacted determine the cost of this I've done with this in the fact that you're dealing with high intellectual property High aspects of that what people you asked them and they said will what is it worth one person says this person says that but when you get to the data owner they can tell you pretty succinctly how much is it going to cost and effect the company so that's a really really important understand the requirements of the entities within and outside the organization and recognize when the information reaches the end of its life cycle and then go to destroying it hoarders out there where at they'll start their data the Builder data and then they realize you know what I just want to hold onto this cuz it makes me happy I feel comfortable with it it's just something that makes me feel good that a bit after the end of its life cycle and is not needed anymore get rid of it because as you move to Amazon or these other locations you will find real quickly that it with all of that data that is out there it will just cost you more more money to maintain it all right. Ownership other some other best practices around this is along with the ownership of intellectual property rights for their data need to be Define okay so you understand the difference but you'll get your data and then you'll have people that will have intellectual property that will create something for you you need to find what is IP and that needs to be defined from your senior leaders your data owner and your legal department I need to find what is the property rights around it and if so if you create something is that information for you do you get to keep it or is that something specifically that I mean IES I know right now the Philippines has a private Privacy Law that they're pushing and all of those pieces are a factor now as far as go. is are responsible for the following safe custody storage transportation of data implementing the business rules and then technical environment and database structure so those are what the custodians are supposed to do they basically the ones taking care of the data and they're not the owners that the ones that actually created it they're not the ones that can Define it they are the ones that are responsible for caretaking of it responsibility of data custodians as well only allow authorized and control access to the data so it isn't some cases it may not be the dealer order me allow that access they may be the person is actually did a custodian or it could be somebody that is managing a large group of data for the organization and they would control the access to the data ensure that no unauthorized access granted maintain versions of Master data and history of changes this is something I've talked about management of change how important that really truly is because if you have multiple versions of this data it will get lost and you will have all kinds of issues mydata stewards for everyday to see set ensure data Integrity is maintained in technical processes the data the content in the changes and then maintain consistency with accommodating models while adding data to dataset bottom line is is the ones that manage the state and they need to be able to maintain it and control it in a way that meets with what your love your company are now there's a point that outside of data custodial data Steward you kind of heard me talk about that just a little bit they're responsible for the content context and Associated business rules for the data they're kind of like the Handler she got your data owner that is the one that creates the data is responsible for data classification you didn't have the data custodian who manages the data and takes care of it then you'll have someone who may be designated as a steward which may have the ability to add all that that has all the background knowledge but isn't the physical owner of the date of themselves so as an example I've got it will take care of our data custodian aspects in many cases most cases that all but a mini property that they're the ones that maintain that then you have your stewards and they're the ones that are working with the IP owners the data owners to understand the context around the data and they provide that information to the custodians when they're looking at helping to ensure that is protect best protected so if possible data custodian rules are as a data manager project leader database administrator geographic information systems manager never heard long title IT specialist and the application developer those are ones that they had on the website around simply learn but it's just kind of a hierarchical approach to data control so get your data owner data custodian data Steward all of them have three is key aspects in relating to protecting the intellectual property okay so we're going to roll into DSP training a child gerber.com around determining and maintaining information and asset ownership and so this we're not just taking what we learn here when I roll into specific objectives that the cissp is talked about and those objectives fall under 2.2 and that's attorney maintaining information and asset ownership all right so let's get going into this so again to some key considerations a lot of stuff maybe a little bit of a repeat of what we talked about it earlier but the 2.2 objective and that you will need to know to pass the cissp exam so some key considerations data ownership will change over time which we've talked about your going to the people are going to come people going to go but you do to find that data ownership at the beginning or at least you know what draw a line in the sand say now I'm going to deal with theater ownership then you at least can begin from there in most cases i t does not own the data and I would definitely concur with that is usually not the it are they the owner in this situation they are usually the custodians or the Stewart other may be responsible for protecting but no ownership pants that's what I deal with on a daily basis a door hand into certain aspects such as APR your Chinese Cyber Law and excetera and and those all have various pieces to the gdpr will forces you to find very specifically what you're looking for Chinese Cyber Law is more around privacy and protection of national Secrets but bottom line is they want somebody to be the actual owner the belly button that if I got a side issue I'm coming to you and that's what needs me to find in most cases around the privacy and data protection strategies responsible of data unless it is formally and that is true and so you VIP owners are the data owners May acquiesce to this up going I don't really want to learn this or I don't want to manage this I'm going to go ahead and send it to somebody else to let them deal with it that is fine but there needs to be a form of Delegation otherwise it gets into a he-said-she-said and it just doesn't go well important first step what about is who owns has dated. Nobody says everyone to stand up you may have to escalate to higher levels and then you just for somebody to own the data that it's just really really important you do that utilize active directory Global groups those are not active directory is a great tool for managing access as a great security to Lowe's been put in place and as we move to the cloud the active directory will be changing and moving to a different model but active directory steel is an important part of most organizations so if you're going to be a cyber-security person that's going to graduate and passion only has active directory groups now you may have a Marmot that is more around security groups and which is basically a firewall rules and access control groups but what's going to happen is you're probably going to have Legacy aspects on your on-prem environment that is going to be dealing with active directory so you're not going to get away from it anytime soon so far is an example of an active directory Global Group you could have the New York City plant floor group or the I don't know nuclear waste group but anything else but it's in that group will have that level of access the folder names and possible owners you can have it as the R&D group 3 - Bill Smith as the owner now you can Define the metadata who is the actual owner but you should find it in the folder names themselves and it's very important the challenges is maintaining that overtime can be a bit arduous but that is the responsibility of the custodian of the stewards to help ensure that that is properly completed reach out to business owners that is a great way for you to start learning who is the actual owner and is a security professional guess what the art jobs are primarily around influence roll up the the proverbial chain in two different roles you go from being Hands-On flipping switches and making things happen to more of an influence her within an within an organization so therefore it is important that you begin those relationships immediately by reaching out to the business owners and understanding from them their data there's problems with not having owners data may not adequate yeah that happens a lot of the data is just sitting out there or in some cases actually was so protected that nobody could actually get into it if somebody put data put some protections on it with the company and there's no way of getting into the data very challenging but again I've seen it where the secret sauce and you hear about this routinely on the Internet is that your intellectual property was shared on a network drive which then and turned its share to the cloud which then turned its share to the world because we moved to various architectures as an example you know SharePoint within Microsoft SharePoint online is just you you are on the Internet it's the only a stop in the Internet is just the rules that are in place that are allowing people access to your content so it sits out there available she going to have to be very very prescriptive with how you protect your data I understand there's probably not having orders because nobody owns it it's a common space since no then therefore it isn't taken care of classic tragedy of the commons iTunes responsibility is to protect the data per the data owners direction if there is no Direction then you gotta protect the dead it was a best knowledge you have you can't say if you're 90 it's not my problem so you have to be able to protect the data and you got to do what's right to to do it so I can't do no harm you you have to make sure that you are and you're part of your i c squared ethics is that you have to be able to to do no harm and manage this data in a way that would best protect it CIO and it leadership must take ownership if it's not available and that's something you might want to work with your CIO on a leadership responsibility that their Security leaders must be engaged with leaders and then wouldn't doubt Drive the leadership cuz it again as many will not make a decision and you're going to have to drive it as a straight person you may have to if nobody's taken up ownership you may have to just drive it and make it happen due care due diligence we talked about ensuring that you take care of this data is best that you possibly can and that you drive that and make sure that all the data is protected in the best for my deposit account Last Resort options using network laws will also be useful to determine you know who owns data but whoever last used it that would be a great place to start to find out who the heck is possibly owns it if it hasn't been used in a while then you got to ask yourself why do I just archived it see if nobody screams nobody screams that I delete it IT professional for a defense contractor that handles classified military information which of the following data classification is applied to information that could be expected to cause serious damage to National Security if disclosed in a non authorized fashion okay hey it is sbu B is top secret see secret and is it D confidential welding put in perspective seek focus on the serious damage secret would cause serious damage your talkin top-secret it's exceptionally grave damage queso confidential is just basically saying it will cause damage those are key things to consider with that question is coming from Tech viz.com you are using asymmetric encryption to protect data stored on a hard drive that will be shipped across the country what key or keys are involved in the protection of this information shared secret be a public key see public and private Keys d a private key so you're dealing with this which one would it be as your aspect is think about this you can do it in a couple different ways it could be assured secret that if you actually have a secret between two that is keeping that data protected that would be the logical choice but you're dealing with an actual just so that you have one private key that is kept it true that you take it with you as you're going across the country then that would be that situation the bottom line it would be letter D private key is you just keeping that data if shipping it over there then you will then provide that information to them question 3 which of the following is not a European Union data handling principal required for participation in the safe harbor program key part on that is or Safe Harbor call transfer B choice encryption D notice which one is it be choice choice principle that states an organization must offer individuals ability to opt out of information collection and storage program it's not part of the European Union data Handley principal around Safe Harbor alright thank you so much you can you can go to Sean gerber.com and check out all the cool stuff I've got there and we can definitely help you in multiple ways that you can pass the cissp the first time all right we'll catch you on the flip side thanks so much for joining me today on my podcast head over to Shawn gerber.com and look at all the free content that I have available for you there is a cissp mini course free cissp exam questions podcast and so much more it's all available to my email subscriber so sign up if you want my personalized cissp training purchase my training courses and I'll be there to help you with your cissp need so you can pass the test the first time thanks so much for listening will catch you on the flip side