CISSP Domain 2 Refresh: Asset Security - Security Boulevard

CISSP Domain 2 Refresh: Asset Security

The Certified Information Systems Security Professional (CISSP) cert is the perfect credential, for Security professionals. In fact, the CISSP is a mandatory cert to have to land any senior level position, as depicted below:

This article covers the second of those eight domains, Asset Security.  In this article, we will focus on each topic covered in the first domain. Topics which are covered under this domain are:

Data Security

The most valuable asset of an organization is its data when security professionals begin thinking about data security; they normally start thinking about the security controls used to protect confidentiality, integrity, and availability of assets holding the data of an organization.

  1. Securing data at rest: Data at rest is data stored somewhere for later use. Although the data sets are not being used at the current time, Security professionals must be able to protect against all the schemes the attacker tries to steal data.
  2. Data in motion is data that is being used and is traversing across a network medium. Data in motion must be protected against eavesdropping attacks.

Things to do to protect your organization’s data

  • Have clear policies and procedures surrounding the appropriate use of data.
  • Different types of encryption for different environments to protect sensitive information
  • Access controls to restrict access to information

Data security policy key criteria

  • Policies should provide the foundational authority for data security efforts adding legitimacy to your work and providing hammer if needed to ensure compliance.
  • Policies provide guidance on the appropriate paths to follow when requesting access to data for business purposes.
  • Policies should also have an exception process for formally requesting policy exceptions when necessary to meet business requirements.

Key issues data security policy should cover

  • Data classification policies:
    Describes the security levels of information used in an organization (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Sumit Bhattacharya. Read the original post at: