CISSP Cyber Training Podcast - CISSP Training Program

CCT 242: CISSP and Information and Asset Handling Requirements (Domain 2.2)

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 242


Four million people affected by a single data breach. Let that sink in. This sobering reality frames today's deep dive into Domain 2 of the CISSP exam: Asset Security. As cybersecurity professionals, understanding how to establish proper information and asset handling requirements isn't just academic—it's essential for preventing exactly these types of incidents.

The podcast tackles the complete data security lifecycle, beginning with the foundations of asset security and the vital importance of having documented processes from data creation through destruction. Shon emphasizes repeatedly that security professionals must work hand-in-hand with legal and compliance teams when developing these frameworks to ensure proper protection for both the organization and themselves professionally.

Data Loss Prevention (DLP) strategies take center stage as we explore different approaches, from content-aware systems that analyze specific data patterns to endpoint protections that stop information from leaving devices unauthorized. The discussion moves into practical application with data classification schemes, where Shon advises starting small and building gradually to prevent overwhelming complexity. Physical markings, electronic tagging, and watermarking all serve as methods to identify sensitive information, but these tools only work when paired with comprehensive employee training.
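To make the "content-aware" idea concrete, here is a small added example (written for this page, not code from the podcast or from any DLP product) of the kind of rule a content-aware DLP engine runs over an outbound message: regular expressions find candidate Social Security numbers and payment card numbers, and each candidate is then validated (SSA area/group/serial rules for SSNs, the Luhn check for card numbers) so that order numbers and tracking IDs that merely look like PII do not trigger a block. The sample message, the block threshold and the redaction format are all assumptions made up for the example.

```python
"""Content-aware DLP rule: find, validate and redact PII in outbound text.

Added example; not part of the podcast or any vendor product.
"""
import re
from dataclasses import dataclass

# Candidate patterns. They deliberately over-match; validation below trims
# the false positives that a bare regex would produce.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "pan"
    value: str   # the matched text exactly as it appeared
    start: int   # offset in the scanned text


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area is never 000, 666 or 900-999;
    group is never 00; serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Return validated PII findings in order of appearance."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            findings.append(Finding("ssn", m.group(0), m.start()))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("pan", m.group(0), m.start()))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each finding with a marker that keeps only the last 4 chars."""
    out, pos = [], 0
    for f in findings:
        out.append(text[pos:f.start])
        out.append(f"[{f.kind.upper()}:****{f.value[-4:]}]")
        pos = f.start + len(f.value)
    out.append(text[pos:])
    return "".join(out)


def evaluate(text: str, block_threshold: int = 1) -> dict:
    """Policy decision for one outbound message (threshold is an assumption)."""
    findings = scan(text)
    action = "block" if len(findings) >= block_threshold else "allow"
    return {"action": action, "findings": findings,
            "redacted": redact(text, findings)}


# Constructed sample message; the numbers are well-known test values, not real data.
SAMPLE_MESSAGE = (
    "Ticket 4521: employee Jane Doe, SSN 219-09-9999, card 4111 1111 1111 1111 "
    "exp 12/29. Order ref 000-12-3456 and tracking 1234567890123 are not PII."
)

if __name__ == "__main__":
    result = evaluate(SAMPLE_MESSAGE)
    print(result["action"])
    for f in result["findings"]:
        print(f"{f.kind} at {f.start}: {f.value}")
    print(result["redacted"])
```

Note what the validation step buys you: `000-12-3456` matches the SSN regex but fails the SSA area rule, and `1234567890123` is a plausible-looking 13-digit run that fails Luhn, so neither is reported. The two real findings are enough to block the message under the assumed threshold of one, and the redacted copy is what you would forward to the incident responder rather than the raw text.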

Perhaps most compelling is the straightforward approach to data retention and destruction. "Don't be a data hoarder," Shon cautions, highlighting how unnecessary retention increases both storage costs and legal liability. The podcast outlines specific destruction methods including clearing, purging, degaussing, and crypto erasure, each with particular applications depending on data sensitivity and storage media. Throughout the episode, practical examples from real-world scenarios illustrate how these principles apply in actual cybersecurity practice.

Ready to master these essential CISSP concepts? Visit CISSP Cyber Training to access Shon's comprehensive blueprint for exam preparation and explore mentorship options to accelerate your cybersecurity career. Whether you're preparing for certification or strengthening your organization's security posture, these methodical approaches to asset security provide the foundation you need.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Speaker 1:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.

Speaker 2:

All right, let's get started. Hey y'all, Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is domain two, and we're going to be getting into asset security, and that'll be the subsection of 2.2, which is establishing information and asset handling requirements. That's what we're going to be talking about today, but before we do, I had a quick article I wanted to share with you, and it's nothing more than what you've already dealt with, but the point that I'm trying to bring home is the fact that the importance of what you guys do is extremely valuable for your employees. So this came out of The Daily Hodl. I'm not really sure what the H-O-D-L means, but I'm sure it's something that is way beyond my intellect and knowledge. But The Daily Hodl.

Speaker 2:

This was a major cybersecurity breach that affected around four million people. This includes names and addresses and Social Security numbers of individuals that are affected by this. This was filed by the Attorney General of Maine, probably because of the fact there's a large subset of people that are in Maine that are dealing with this, and it's through a company called VSI, VeriSource Services Incorporated, and they detected this breach affecting potentially four million people. Now, the interesting part around this is the fact that it's just four million people at one time, which I guess really isn't that interesting because we've all dealt with large breaches. But I wanted to kind of bring home the fact of how important it is for you as a security professional to make sure that you come up with some level of training for your people. So one, if you're a person trying to find a job as a security professional, that might be one of the areas that, when they ask you interview questions, you may want to answer by going, hey, you know what, this is what I would do with X, with employees. Now, what I want to caveat that with is, one, you want to make sure that you consult with legal and compliance before you do any of these things. That would also be a really good interview answer if someone were to ask you that, going, you know what, I would do these things. However, because of the fact that I feel it's really important that you have good legal advice and compliance advice on this, you would want to go and consult with them prior to doing anything like this within your organization. But the bottom line is, you want to teach your people how to freeze their credit, and this is just an ongoing event that we're going to deal with forever as it relates to breaches and dealing with information that's stolen.

Speaker 2:

Now, what they said in this whole situation was that people's names, Social Security numbers, their date of birth, gender and so forth were all involved in this. Now, what VSI offers is employee administrative benefit data management services. I always use these big $10 words. Do you really know what they mean? But they offer, more or less, services for COBRA, for the Affordable Care Act, all that kind of stuff, from reporting to eligibility, so on and so forth. All of that is tied into it. So that's why they would have your name, Social Security numbers, date of birth, addresses, all those fun things, because they need all that to verify who you are.

Speaker 2:

But the bottom line on all of this is, I really truly kind of strive that it's important for you to create some level of training and education for your people. This becomes to you all very, ah, yeah, yawn, boring, and it is. But for most of your people, they have absolutely no flipping clue what they're doing and they're scared; they don't know. I dealt with this with some nonprofits that I'm working with. They are pulling me in to kind of ask some key questions around their IT infrastructure, but they don't know how to even educate their employees, and so I think it's really important for you guys to provide this level of knowledge and guidance for people. Even if, at a minimum, they don't use it, you at least have provided it for them. So this is something to consider as you're going forward. Again, also, if you're looking for a job, it's a great way to deal with the HR person who's interviewing you. They go:

Speaker 2:

Do you have anything that you would recommend that you would do as a cybersecurity professional for our organization? What would you do? And this is where you could come in and go, well, you know what? What I really would do is, working with compliance and legal, I would come up with a security awareness program, obviously working with my security leader, whoever that might be, unless it's you, and then I would work with legal and compliance, and I would then develop a security awareness training around freezing your credit and the point of all these breaches that are occurring, ways to help my employees so that they don't have to deal with issues, because we know that when they have to deal with their information being stolen, it now causes all kinds of potential work issues: they can't come to work, they're not thinking clearly, so on and so forth. That's the kind of question that, if you answer that to the HR person, they're going to go, oh, this is a person we want to hire. So just something for you to consider. I think it's a great way. I think it's something that you can think about and put in your quiver of different options for you when you go for the interview. Okay, that's all I really wanted to bring up. Again, 4 million people. It was filed through the Maine Attorney General and it's with VeriSource Services. So if you know that you have VeriSource Services, you may want to consider figuring out how to deal with that issue.

Speaker 2:

All right, so let's move on to the training that we're going to talk about today. Okay, so domain two, asset security, 2.2, establishing information and asset handling requirements. So when we're dealing with information or asset security of any kind, we really need to kind of go through the entire process of data security, lifecycle management and so forth, and so we're going to kind of focus a little bit around that today. When you're dealing with asset security, this focuses on protecting the organization's assets. This includes your information, your devices, the data that's sitting on them, who is the owner of those, and then what are the various protection mechanisms that are tied to that. So that is an important part of the overall plan.

Speaker 2:

When you're dealing with data security and lifecycle management, now, data is a vital part of any organization and we know this from all the things we've talked about at CISSP Cyber Training and you need to understand that. You need to protect it and put safeguards in place for unauthorized access, modification or destruction. We know that there's malware out there that will do all of these things, and so, therefore, you need to make sure that you have things in place, controls in place, to manage these situations. So data follows this typical life cycle. So we talk about life cycle.

Speaker 2:

One thing I deal with when I go to different companies, and I realize this more than ever, is that they don't have the lifecycle management of their data or their assets in general. A lot of times, what they will do is they will just be targeting: I need to create this procedure, I need to create this plan, I need to create this program, but they don't think of the overall lifecycle, and this includes creation, storage, usage, sharing, archiving, destruction. All of those areas, from beginning to end, need to have a plan, because if you don't have a plan, what's going to happen is this information is going to get lost. There's just going to be all kinds of issues with it, and so it's imperative that you have a good plan, and some of these areas could be DLP, data marking, eliminating data remnants. We're going to talk about data destruction and all those different pieces as well. So all of that is wrapped up in this overall lifecycle, so we're going to get into each of those.

Speaker 2:

If you're looking at this video, each of these topics is covered step by step, one by one. So, data maintenance: what exactly is that? This is the process by which you're ensuring data accuracy and consistency is available, with all of this different data, making it as efficient as you possibly can and making it available for people so that they can make good decisions around the information that's available to them. Now, some key activities you're going to be dealing with in data maintenance are data integrity checks. We talk about this in business continuity and disaster recovery. You need to ensure that the data is accurate and consistent through techniques such as checksums and validations. Now, with a checksum, obviously, you're checking the data integrity itself, and that's based off an MD5 hash. You want to verify that the data has not been compromised or modified in any way. Data cleansing: this is where you're correcting errors and standardizing the formats for uniformity to ensure that the data is good. Now, this again is one of the areas that you'll run into when you're trying to build out a data lifecycle management piece: if you don't have good data going in, you will have bad data coming out. It's the garbage in, garbage out concept, right, and this is where you're data cleansing to make sure everything is where it's supposed to be. All the data going in matches what you would want to expect to see in the data coming out.

Speaker 2:

Backup and recovery: obviously, creating data copies and restoration processes for this to happen. This is an important part of any data creation, any data maintenance. You want to have good backup and recovery. Now, this doesn't mean it needs to be tier one, two and three type of data. It could be that you just do a backup once a year. Maybe that's all you need in this situation. Probably not likely, but let's just say it is.

Speaker 2:

You want to have at least considered backup and recovery. Data archiving: this is where you store the inactive data in a location that is in a secure spot so that you potentially could get it back at a later time. You need to have a really good data archiving plan. What does that mean? It means if you're backing up data and you know that for regulation purposes, I need to keep it for, let's just say, three months, then you will archive that for a minimum of three months, if it's not on your main systems. Sometimes data storage that's active storage is very expensive storage, so it's smart to move this into a data archiving spot. The reason also is the risk that you're going to need to pull it down is probably pretty slim. So you want to take that really expensive data that's costing you lots of money and move it to an area that is not as expensive. So that's data archiving, and you really want to do that and consider it. Your security leader is going to be very happy that you're thinking of this. So, again, very big kudos if you can do this and you're working for somebody, or if you're the leader, your CIO is going to be very happy with the fact that you're thinking about it from a financial standpoint.

Speaker 2:

Data auditing: you want to monitor the data access and changes, to maintain your accountability. And then the roles in data maintenance. You need to make sure that you have some sort of responsibilities designed specifically: who are the data owners, the custodians, and who owns it within the IT department. So who are all these people? You really want to make sure that you have all of that defined. If you don't, you're going to get a lot of orphan data, and what that means is it's going to be looking for a mommy or a daddy and it can't find them, and if it can't find them, then it gets lost, and so we don't want our orphans to be lost. We want to keep them by their mommies and daddies.

Speaker 2:

Tools and technologies this is where software solutions for data management, backup, archiving and logging are set up. What are the tools you're going to use, what is the different types of controls you're going to have in place? How are you going to archive it? How are you going to log it? All of those things need to be thought out. Ideally, what you would do is you would work with your architects to make sure that all that is in place and you have a good plan. Okay, so data loss prevention. So DLP is one of the areas that you're going to be having.

Speaker 2:

I mean, if you have an organization that has any sort of sensitive data, you're going to want to consider a DLP program for your organization, and the goal of this is to prevent sensitive data from leaving your company. Obviously, when you're dealing with some sort of breach that may occur, you want to ensure that the data that does leave isn't going to be used by somebody. It also helps around compliance, as well as your overall data visibility within your organization. So a DLP strategy is an important part of pretty much any organization, even if you don't have what you consider IP or really super sensitive intellectual property or data. You want to have a DLP strategy because in many cases, the information may not be as super Gucci sexy, as many people would say, but it's important for your company to know that any data that's there could be extremely valuable to people that don't have your best interests in mind. So the importance of this is that you need to put safeguards in place to ensure that this asset is protected from any unauthorized access, alteration, destruction and any of those aspects, so it's an important part that you do this.

Speaker 2:

There are some key components of DLP type systems. This includes agents, the servers, the SaaS providers that provide all of that, different management consoles, the single pane of glass. All of those pieces are there and any of those are available for you. Now, the point of this all comes down to this: you want to have a DLP system that manages your entire infrastructure, or not infrastructure, but your entire data sequence from beginning to end, and in this overall, there are some different techniques to be aware of when you're dealing with DLP. So you have content-aware DLP. Now this will analyze data using rules, patterns and so forth to detect any sort of sensitive information that may be within that data that's leaving your organization. Context-aware: this will enforce the policies based on the context of the data that is being presented. So if there are specific types of data that are focused on, say you're talking about a certain algorithm or you're talking about a certain process, it will be aware of that, based on the policy that you may have put in place, that it's going to be focusing on this type of information. The content-aware would be if you're trying to share a secret formula, that is, a secret sauce, where you would say, hey, if it's got any of this content, flag on that.

Speaker 2:

Now, endpoint DLP. This will manage the data on the user's devices to prevent leaks, and what that basically comes down to is you have a deployed tool that's sitting there and it's watching for anything that occurs. Now, the thing I like about endpoint DLP is the fact that it can be controlled immediately at the endpoint. I can stop it before it even goes out the door. Sometimes, when you're dealing with context-aware DLP, it needs to understand what the content is that's going out, and sometimes that information may have already left your organization before the rules are actually enabled. Endpoint DLP can do that right away at the user. The downside on something like that, though, is it can cause your own denial of service to your people and start blocking all kinds of stuff. So endpoint DLP, you've got to use it very judiciously. You also have to have a really good plan when you bring it out. Network DLP: this will monitor traffic and block any sensitive data transmissions that might be leaving. And then your cloud, your CASB type of things, where that protects data in cloud environments. So there are different types of DLP situations.

Speaker 2:

You just need to determine for your organization which one is best for you, and so, when it comes to the CISSP, they're going to ask you about the different ones: context, content, endpoint, network and cloud. You need to understand what the different scenarios are related to each of those. If they ask you a question related to it, you need to kind of understand the overall concept. Now, when you're dealing with policy creation and enforcement, this will help create rules based on the data classification schema that you've come up with and, potentially, any regulations that you may have that are affecting that. Now, if you're in the financial industry, you will have to come up with some sort of data classification schema that's going to be important for your organization.

Speaker 2:

I would recommend starting off small If you haven't done it already. Start off very small with a data scheme, very tiny, and then build upon it, because you don't want to get overly complex at the beginning and then try to have to figure out how to put that thing. We just opened the lid of Pandora's box and now you've got to try to figure out how to close it. You can't get the genie back in the bottle. There's another one of those things I'm trying to relate with. The point of it is start small and then build from there.

Speaker 2:

Monitoring and incident response: you want to track your data, have alerts for any policy breaches, and then outline in your response procedures how this would work. Again, you want to monitor what's going on. You want to have an incident response plan that deals with it and you want to be able to react quickly in the event something were to happen. There are challenges of DLP implementation. This includes accurate data identification and the risk of false positives. All of these things can affect productivity and the necessity of ongoing policy adjustments. What that basically means is that you're going to have to accurately understand what's there. You're going to have to modify and tweak your policies based on how everything goes on a daily basis. So that's just one thing to keep in mind: you're always monitoring and paying attention to this. It's a never-ending process. It's a never-ending story. Now, marking sensitive data and the assets.

Speaker 2:

It's important for you to really truly get this, that you have a good strategy, like I mentioned before, around data classification. It's imperative that you have this in place to protect the data. So if you don't have a good understanding of what's in your organization, then you need to really sit back, talk to your security leaders, talk to your senior management and come up with a data classification scheme, and this comes down to creating confidential, restricted, public labeling for a specific set of data to ensure that it's properly protected. Now there are hierarchical categories, which we've talked about on CISSP Cyber Training many, many times, around the sensitivity related to the data you're trying to protect. This comes down to confidential, restricted and public as just one example of that, but it could be secret, top secret, unclassified. You just have to decide which is best for you and your organization. You also need to have some level of asset classification, and this goes with physical and logical assets specifically, and their ongoing importance to your company.

Speaker 2:

Now, this has to be an ongoing process. What I mean by that is it's another lifecycle, right? It's the ecosystem, it's a lifecycle of the tundra, I don't know. You're constantly, for any new asset that's coming into your organization, you need to truly understand what kind of data is going into it. A friend of mine said many years ago, it's all about the data. If you understand where the data is going, you understand the sensitivity of the data. It's much easier to protect the asset that the data is actually touching. So you have to understand what is your data, what is the importance and what physical systems does it touch. And then how are those systems decommissioned in the future?

Speaker 2:

So there are different methods for labeling sensitive data. This includes physical markings, electronic tagging and watermarking, different types of tools that you can use. So physical markings: this is putting a sticker on it saying, hey, this is a top secret computer. Electronic tagging means that you have metadata that's tied to the data that is floating around in your network. Is this something you would consider, as, I don't know, restricted, or would it be legal only? That would be electronic tagging. A type of tool that would work with that is your Microsoft DLP. It will actually put labels on whatever documentation you're dealing with. Watermarking: this adds visible or hidden marks in your digital content as well, so that, for one, you know that if you hit print, it will print a watermark as far as where it was printed at and the date and the time. So those are aspects that can be added to it as well. Tools for data classification: these could be set up for discovery, classifying and labeling.

Speaker 2:

I just kind of already mentioned Microsoft DLP product. There's many other tools that are out there to help you. Some of them are better than others. Some of them are very niche. You need to decide for your organization which ones you want to use. Working with engineers, you may want to use a different type of solution than Microsoft DLP product. It just depends, right, it depends on your organization. I had when I was working with a bunch of really smart engineers. They had this super complicated data classification program. Okay, it worked really well, did a great job, but it was complicated and as soon as the company got sold, I ended up having to deprecate it and it dealt with all kinds of challenges. So sticking with something that maybe isn't as Gucci could be valuable, because the long-term viability of this product you got to understand this is going to.

Speaker 2:

Any data classification that you put in place now, if it hasn't already been done, is going to outlive you. Not, hopefully, physically, but outlive your tenure at this organization. So it's imperative that you really have a good plan before you deploy this because, like I say, once you let this genie out of the bottle, it's really hard to put it back in. Basically, it's impossible. Now, ensuring compliance with data marking policies. You need to train your users and establish mechanisms to ensure that they understand what they're doing when it deals with data classification. Again, it doesn't do any good to put labels on anything if you don't teach your people how to use them, and then you're going to have problems. So you should have, honestly, before you even dream of rolling out the labels, the different stickers that you would put on your different assets, before you even do any data marking as far as your overall metadata as it relates to the data classification, you need to have developed a training program on what you're trying to teach your people, and that should actually be going out before you even do the data model or the data classification labeling piece of this. I did my training probably six months, it was probably about six months, before it actually came out, saying, hey, this is where we're going to do this, it's coming month X, it's coming again month Y, it's coming again. And you keep saying that over and over again. And then, finally, when it does roll out, people are still going to go, I didn't know this was coming. You're still going to get that, but at least you have done your part to try to get the education out there.

Speaker 2:

Handling sensitive information and assets. What are some ways to do this, right? You need to implement secure procedures throughout the data lifecycle to ensure that you are protecting the data in all phases and all stages of its life, right from being born to when it goes to the grave. As an old fart like myself, you need to have the ability for those secure procedures from beginning to end. You need to follow the principles of least privilege and need to know. This includes granting access to sensitive data only as necessary for specific job roles. That is an important part. Need to know and least privilege. Drill that into your brain. You're going to need it. You will need it every day in the cybersecurity space. You do it all the time. Ensure secure transportation of the data, obviously. What are you using? TLS, IPsec, SSL? What are you doing in regards to protecting the data?

Speaker 2:

Going from point A to point B, you need to really truly plan that. You have a concept, an idea about how you're going to ensure the data is protected, and the entire process. Use both physical and logical controls for storing your sensitive data, and then apply strong authentication. You've got to do it. Authentication, authorization, any access control needs to be deployed and available to your people. And then the last thing is a secure data destruction method. You need to have a good plan in place for data destruction. It needs to be documented. You need to have the ability to train your people on how they do it and you need to step them through the entire process. And again, this can be done really simply. I mean, obviously, you can have a document, write up the document. You then create a training, just like I'm doing with this podcast. You can create a video and then you educate people through email and through posting on your web links to go, hey, go look at this. This is how we do this, this is how we do this, and if you do that over and over again, at least you have provided the kind of skills and tools that these people need to ensure that you have proper data destruction when it comes to it.

Speaker 2:

Last thing, though, I want to make sure a point is known consult legal and compliance. Again, I cannot stress this. I dealt with a client a while back security guy, super nice guy, super good guy. However, he's like legal has given us the ability to do this. I'm like dude, don't do that. You do not have the decision rights to do that. He goes yeah, I do. I'm like no, you don't, because the moment that you do it and it goes sideways, yeah, they're giving you those air quotes, decision rights right now, but the moment this thing goes sideways and something bad happens, they're going to hang you out to dry, guaranteed. So I want to make sure that you guys understand this Anything you do as a security leader, you need to make sure you have data destruction and you need to make sure you have legal and compliance involved in any of these big, monumental aspects, to include dealing with training of individuals and users.

Speaker 2:

You've got to get them involved. I hate to say it, it's like the CYA or cover your hiney kind of thing, but it is because, if you don't do it, when the ball goes up, the balloon goes up and people go, hey, what's happened here? They're going to start pointing fingers and they're going to come right back to you, and if you did everything you could, then they're going to go try to find somebody else to point fingers at, because I've been there, done that, lived it, got the T-shirt, and I did this and when they started pointing fingers I was able to point them right back and it was awesome, it worked out great. But again, I hope I've stressed that enough, because it's a big deal.

Speaker 2:

Data collection and limitations. Data minimization process: you need to gather only the essential data for legitimate purposes. Don't be a data hoarder. Okay, you see what happens with people who are hoarders and they can't find anything in their house, but they have a path that walks through their house. Do not be a data hoarder. Get rid of data if you do not need it. It limits your legal requirements if you get rid of it. That being said, make sure you get rid of the right stuff. Hence contacting legal and compliance. So again, the legal folks are not the maharishis that understand everything there is to know about the legal aspects, and they may not know if this fits within the data collection requirements.

Speaker 2:

However, through conversations with legal and compliance, you can come to at least an agreement on what you should be keeping and what you should not be keeping. You need to have policies in place to restrict data collection, again, collecting only the necessary data. Set clear data requirements beforehand. You don't want somebody to be collecting data on social security numbers and emails and all this stuff because they want to keep it for a rainy day. Don't do it, just say no. It opens you up to legal issues, and plus, I wouldn't want you to do that, because most likely somebody's done that with my data, and hence that's why I've got credit protection on everything. You've got to do that. You need to, again, just find specific purposes, the reasons for collecting the data. Why are you doing it? And again, legal and compliance. Obtain consent when necessary.

Speaker 2:

Now, this may not always be necessary, that you have to obtain consent. One example around this might be: if you have a policy in place for all new employees when they're hired, you can have this little bullet in there that says I'm going to collect information on you, X, Y and Z, and unless it meets this criteria, I'm not going to come back and tell you about it. And so as long as legal is aligned with that, as long as the employee signs it, then you can head on down that path. Now that doesn't give you the ability to go, "Well, see, I've got this document, so now I can collect what I want." No, you need to make sure that it fits within the guidelines of what's defined by the legal and privacy people. So again, I can't stress this enough.

Speaker 2:

I hope you guys are understanding the part around data. It can get really squishy, really quick. Do not assume anything, nothing. Privacy risk for excessive data collection. Again, we talked about that. If you have too much data, it can cause legal issues, fines, and also you could potentially lose your job, and it's bad. It's really bad. So just don't do that.

Speaker 2:

Data collection: some key concepts around data location. So data location is the location of sensitive data. It is vital for security, compliance and incident management. Where is it being stored? Now there are residency laws that are saying specific types of data may need to stay in certain locations. I dealt with this with China. I dealt with the EU. You have to keep specific data within the country. Now, there are ways to get the data out, but you have to do certain things, certain hoops you have to jump through, to ensure that the data is best protected when it leaves the region that it's in. Now, data tracking in distributed cloud settings does present challenges to this. Again, let's say, for example, you have a cloud environment within the EU, say it's in Scotland, and in Scotland you now have the data replicated to a data center in the United States. Can you do that? Well, maybe, maybe not. It just depends on the company. It depends on the data that's there. It depends on the legal advice, and, like I've said before on this podcast, you've heard me say it time and again, the fact is that anybody that is a legal person, if you have eight legal people in the room, you're going to get nine different opinions on what the legal status is. So, if you do it, you just need to make sure that everybody's aligned, legal, compliance, HR, privacy, they're all aligned on what your plans are going to do, and making sure that it's meeting what the residency laws for that location are stating. Tracking data in distributed cloud environments, we talked about that.

Speaker 2:

Data mapping involves identifying and documenting where sensitive data is stored and transmitted. So stored is one thing, but then where is it transmitted? APIs. Oh, I love APIs, and I don't really like APIs. They are hard because you've got to identify the data that's going out and coming in through those APIs. It's a mapping nightmare, and you need to make sure you're ahead of that before you start deploying APIs throughout your environment. If you already started deploying APIs, well then here's a recommendation. One:

Speaker 2:

Any new API has to go through a process by which you have to see the data coming in and going out. You need to know what it is. Your privacy people should be involved in all of that, and so should your legal and compliance. Then, once you get all that done and you've got that process worked out, any old APIs you go through systematically, step by step, and figure out what data is coming in and going out of those APIs. Then you will get yourself back to a state of nirvana. That may take you two or three years, but at least at that point you've done what you need to do. Create the process first, then come back and fix what's broken.

Speaker 2:

Various tools exist for discovering and tracking data locations, obviously, and then security measures should be adapted for the specific requirements depending upon whether it's on-prem, cloud or any sort of mobile data storage process. If you're dealing with mobile, you should have a mobile device management tool in place, and the policies that are set up specifically for your mobile devices should be outlined in your MDM policies. Storing of sensitive data. Now, the principles of secure storage. You need to really focus on confidentiality, integrity and availability in data storage.

Speaker 2:

Since CIA is such a big factor in anything out there, you can be willing to bet that if there's a question from ISC2 or on the CISSP, it's going to be focused around CIA. And what are you doing with the physical security? So, some physical security measures. This could be using access controls, surveillance and secure facilities, depending upon what kind of data is being stored. If you have where all the big, bug-eyed green alien people are, you're going to have a secure facility in the middle of nowhere so that people don't find the big bug-eyed green people. That being said, I'm not really sure why they do that, if they exist. Why do they put them in someplace else? Just, hey, come on out there, everybody, let's all dress up and go have fun. No, but some of the things you've got to deal with: you've got a secure facility. Is it top secret? Is it restricted? How does that work? Do you have certain restrictions going in and out of the facility that you need to maintain? Access control, surveillance, all of those things are a key part of any sort of physical security measures.

Speaker 2:

As a cybersecurity professional, your world blends into the physical security, and so, guess what? If it deals with physical security, you're going to have to know it and you need to understand it. That doesn't mean you're going to be the expert at it, but you have to be able to bridge the gap between cyber and physical, communicate with the physical security folks, and be able to give them options to help protect whatever they're trying to protect. Logical security for data, again, encryption at rest. You want to have some sort of encryption for any data that is sitting there at rest, which we've talked about over and again. Data almost never is at rest. Access control lists to manage user permissions going in and out. Again, that's on firewalls or on any sort of ACL that allows people in and out of a SharePoint environment.

Speaker 2:

Database security, again, authentication and auditing. You want to make sure that everybody is authenticated, and you go back and you audit and find out what kind of permissions these people have. When you're dealing with databases, it's an imperative part. I hate to say this, but one of the things that's missed so often is the auditing. You go and you deploy these things and you don't ever go back. You say, "Go, fix, done. Moving on, I got something else I've got to deal with." And it's really hard, and I know in the regulated industries people don't like having regulators show up and ask them very pointed questions. But they're doing that because they know you can't do everything and you have a hard time thinking of everything. So they're in there to kind of poke you in the chest and say, "Hey, are you thinking of this?" Take that as a good thing and go, "Hey, okay, cool, let me go fix that." I know you have limited resources, but it's an important part, and this is why I believe the regulations are valuable. The challenge with it is sometimes they get into minutiae, and they get into stuff that really isn't that big of a deal, but you still have to work through it. So there are pros and cons with all of that.

Speaker 2:

Secure configurations. One of the biggest vulnerabilities we see all the time is the configuration of whatever you're trying to protect, and this again means disabling unnecessary services and applying updates. I've seen this in web applications all the time, and I can't stress this enough: your web developers are creating features, creating new ideas, and they turn this stuff on and they don't tell you about it, and then you get burned. This happens a lot. So you need to really have a good, secure SSDLC program in place to ensure that any data that is being secured, or any data that's going out there, is being properly secured and managed. Cloud storage requirements: this is recognizing shared responsibility, choosing secure providers, and ensuring proper configuration and encryption. So again, all of those are big factors when you're dealing with the cloud and secure configurations. So storing sensitive data is an important part.

Speaker 2:

Now, data destruction, like I mentioned earlier. What is this? How does this work? So you need to have a secure data destruction plan in place. This is crucial to prevent any unauthorized access by ensuring data is irretrievable when no longer needed. So it's an important part. What do you do if it's stuff you've got to get rid of? I don't want to have to deal with it at a later time. So you need to have a really good plan in place to ensure that you can't get it back. So that could be putting it in the jaws of death and it just shreds it, or it could be where you have some level of mechanism, some digital mechanism, to go and erase all of this data.

Speaker 2:

So these destruction stages involve identifying when the destruction should occur, such as at the end of retention periods or during hardware decommissioning. One thing that happened a long time ago, I mean not terribly long ago, but a while ago, is when people had copy machines and the hard drives that would be in copy machines. These hard drives would be left, when the copy machines were basically shut down, with gobs of data on them. Now, same concept, right? It's just moved fast forward.

Speaker 2:

Now, too, you have a phone and your phone has data on it. Is it in a secure container? Is it something that can be easily destroyed by the company? Can the company mash a button and it nukes that container? Not the phone, but the container. Those are important parts about data destruction. Developing policies for data destruction includes creating guidelines and procedures, responsibilities, all of those acceptable methods. All of those things are an important part when you're dealing with data destruction policies. What is the plan for doing it? If the container that you have that you can nuke doesn't nuke, how do you handle that? Do you have a policy in place with BYOD that states to the employee, "If for some reason I need to confiscate your phone, I'm going to confiscate your phone"? Do you have that policy there? Now, those are important pieces that, guess what, you as a security professional don't know the right legal language to write, and I wouldn't want to do that. So what am I coming back to? Again, talk to legal and compliance. They will help you in this space. Verification of data destruction ensures the data has been effectively and securely destroyed. Then you may have a destruction company that sends you a letter saying that X, Y and Z was destroyed on this date, at this time. Great way of doing it.

Speaker 2:

If you are doing it yourself, you need to document when you did it, where you did it and what was actually destroyed. Documentation is imperative. You just don't go and lob the thing in the jaws of death and say, "Yep, it was done." How do you confirm that? Again, you could have had an employee that, instead of lobbing it in there, put it in his or her pocket and walked out the door. That can happen. So you need to have a good destruction process in place. Legal requirements dictate somehow how the disposal is done, and this could be legal hold information. It could be the fact that one of the processes you need is two-person destruction. I highly recommend that if you are doing destruction of any sort of classified, not classified, well, just any data within your organization, and you have a plan, you should have two people helping you destroy that. It shouldn't just be one person. It makes it too easy for that one individual to take that information and walk off.

Speaker 2:

Eliminating data remnants. So data remnants: this refers to leftover data on devices after attempts to delete it. So there's now a situation where you could have unauthorized recovery. This can also happen in the cache memory, right? So your cache memory has the ability for information to be gleaned out of it. Again, it's very volatile, very fragile. It's a very limited situation in which that could happen. That being said, it's any leftover data that is on these devices.

Speaker 2:

Okay, so your different storage media can be magnetic disks, again, not the floppy disks, the ones that are spinning the platters. It could be like your hard drives, your metal disk that sits in a computer. It could be your SSDs, which are your solid state drives. It's just a wafer chip, right, that's got your data stored on it, and potentially RAM as well. Again, varying levels of data remnants happen in each of these, depending upon which ones you're using. The magnetic disks, those are the ones where you probably run into some of the bigger issues of data that's kind of hiding in these platters somewhere.

Speaker 2:

Best thing to do with a magnetic disk: shred it through the jaws of death. That's just the best way to do it, and I would even do your SSDs as well. I mean, you need to shred everything, to be honest, or a hammer, that works good too, but they need to be physically destroyed. It's crucial to use suitable data destruction methods tailored for this type and the sensitivity of the data. Again, if you have top secret information, that sucker hits the jaws of death. If you are just dealing with normal personal information, and you're a company that just has normal personal information, get your toddler out there with a hammer and let them just have fun with it. That will work as well, but use probably a toy hammer, not a real hammer. Something to consider.

Speaker 2:

All right, common data destruction methods you want to deal with. We're going to deal with clearing. What is clearing? This is where it involves overwriting data with non-sensitive information. This is using single or multiple passes. This works really well for low-sensitivity data within an untrusted environment, and it does not completely get rid of all the data remnants that are out there. The different data types is when you're overwriting it. Now the DoD has its overwriting protocols that they can work with. I go through it like seven different times. You just have to weigh out: is that something that you're willing to deal with? If it's unclassified, probably. If you're dealing with any sort of classified information, now, just put it in the jaws of death. Data storage is relatively inexpensive in today's mindset and today's cost perspective. So if it's that inexpensive, you're better off just shredding it and not worrying about it.

Speaker 2:

Purging. This is a more rigorous method. It ensures data remnants are eliminated and involves multiple overwrites with varied patterns. This is where I'm talking about the DoD aspects of it, and it involves guidelines such as 800-88 Revision 1. So there's different purging that's out there. This is where, if you're going to be doing the overwrite, that is your best solution. I did that when I was dealing with our intellectual property protection. I would do overwrites because, in the case where I was at, I didn't have the ability for them to destroy the hard drives, and I wouldn't order what I really wanted them to, because if they left the facility I'd lose the contact of these devices. So therefore, I forced them to do a purge, and I watched them do the purge specifically. So, important part there. Degaussing. This is a fun one, right? You just put it into...

Speaker 2:

They use Magneto, the man from Marvel, and he comes up and he zaps it all with his hands. No, you use big magnets, and this will then render the data unreadable. Now, this does not work for solid state devices. They just kind of go, "Yeah, that's not a big deal." That's where the hammer and the toddler come into play. You need to use those. But where it works really well is for magnetic tapes or hard drives; that's where the degaussing will work. It does require a certified degausser to ensure that they meet the guidelines, because you can't just go out and grab a couple of magnets from the garage and try to do this. They don't have enough strength. Basically, what it does is, on the magnetic tape that's there, all the iron phosphate, I can't remember the term that they use, but all the iron particles that are there, it more or less puts those into a neutral state. It makes them all messed up. So the point it comes down to is degaussing works great for magnetic tapes and hard drives.

Speaker 2:

Crypto erasure. This involves destroying encryption keys to make the encrypted data inaccessible. This works only for strongly encrypted data. Obviously, if it's not encrypted, this won't work. You'll delete your keys and go, "I deleted my keys," and now you deleted the keys to the wrong data. That would be bad. So this is one of those where I've dealt with this. So I'll give you an example where this could be valuable. I had encrypted data sitting in an area that was not accessible by, I would say, in an untrusted environment, and the data was encrypted, and so I didn't want somebody from a government coming in and stealing the data, saying, "Aha, I have it." So all of the data was encrypted. In the event that I got wind that this government was coming in to steal this data, or to liberate it, depending on what term you want to deal with, then I would flip a switch and the encryption keys would be removed. Once the encryption keys are removed, then I have crypto erasure. They get the data, but they can't do anything with it because the keys are gone. That's an important part of understanding this overall plan. So you need to ensure that for data and asset retention you have a good plan when you're dealing with these.

Speaker 2:

Okay, so what are some different factors affecting retention periods? So legal and regulatory requirements will help mandate some of these specific retention durations that you have to have. I was dealing with the Chinese government. They had a certain retention. The EU had certain retention. Dealing in the United States, you're dealing with HIPAA or SOX. You're going to have certain retention requirements as well. You also have operational needs. Does the data need to be kept for an ongoing reason? Operations, analysis, customer support: how long does the data need to be kept for? Or are there industry standards, suggestions, basically based on whatever industry you're in, that you should keep this information? If you are in the R&D space, you probably never get rid of the information, because the fact is you never know if they'll go back and get it.

Speaker 2:

I dealt with this a lot. These guys are hoarders, my engineers, super hoarders. They keep everything, and you can't protect it. Creating retention schedules: this is developing clear schedules that specify retention durations for the various data and asset types. So all of that stuff is available. Again, it helps you to ensure that you have the data and asset retention requirements based on what the legal, operational or industry standards may have. Another thing to consider is managing the diverse data and asset retention needs. Again, you need to understand all the different periods based on the sensitivity, labor requirements and the business importance. You may have various levels of that within your company. So one part of your organization may have to keep it indefinitely, say it's your R&D. You may have another part of your organization that wants to keep it for three years because it's a financial requirement, and then you may have another area that says, "You know what, I just need to have it for 90 days." You are going to have to understand each of those, working with the different data folks to come up with a good plan related to your overall retention strategy.

Speaker 2:

Now, tools for retention management: software solutions that help automate and enforce retention policies. That is a part that you need to really, truly understand. And then how do you enforce those policies as well? The tools will help you with this. You, as an individual, need to come up with a strategy, a policy, and then have the tools deploy it and manage it. Otherwise, it's going to be way too much for one person, or even a small team, to try to manage, but it comes down to what the strategic vision is and then deploying that strategic vision. So how does data and asset retention reduce your liabilities? If you don't have a plan around this, your liabilities will increase. If you have a plan, your liabilities will decrease.

Speaker 2:

This is all based on risk, part of the CISSP. We focus specifically around risk because you, as a security professional, need to understand, one, what are the operational needs for your company, and then, two, how do you reduce the risk to your organization? So, again, complying with legal requirements to avoid fines for improper data handling. Yes, right, if you have good data handling, and there are fines associated with improper use of this, then your fines will go down or become non-existent. This is where legal will be a big factor in how you do this. So it's important. Retaining records for legal proceedings and e-discovery purposes.

Speaker 2:

So you have to keep this data for a period of time. Especially when you're in an organization, you may have legal aspects that are going on and you may have to have the data on what they call legal hold, which means it's being held off to the side. If it's in a legal hold status, what ends up happening is that now it has to be available for any sort of legal action. They can go get this data and look at it. You have to keep this for a period, typically of around seven years, I think, is what I always had to deal with. It could be longer, it could be shorter, I don't know. I just know that it has to be there for a period. I dealt with it for a period of seven years. So until that's done, you can't destroy it and you have to keep it.

Speaker 2:

Now, if you also were looking at investigating some of your people for e-discovery, you may want to keep that data for another period of time. So you're finding out that Sean is stealing data from the company, and I don't really know what's going to happen with it. So I'm going to keep all this data for however long, and since most legal proceedings take years, you'll probably keep that for a couple of years. So the point of it is you want to keep those things. Now, the moment that those are done, you want to get rid of them. You want to purge them from your organization. You don't want to keep this stuff over and over again, because one of the things that happens is, if you keep all this data for significant periods of time, it now becomes what they would call legal discovery, and it means a company could come in and say, "Hey, I want anything that's related to XYZ event," and because you've been hoarding data, now you have to legally give this information to them. If you decide not to give it to them, that's really bad. If you decide to destroy it, that's even worse. So the point it comes to is you have to give them this information if they want it. So therefore, once that term is up and you've stored the data for whatever period, get rid of it, purge it, do not keep it, because the longer you keep it, your liabilities potentially can keep going up.

Speaker 2:

Prevent penalties for premature data destruction. Again, like I talked about, deleting it too soon. "Oops, I accidentally deleted it." Yeah, no, don't do that. That's bad. That costs you a lot of money, and you can end up breaking big rocks into little rocks. You don't want that.

Speaker 2:

Reducing the risk of data breaches by minimizing outdated information. Again, if you have outdated information, unless you want to just confuse the hackers, which they really don't care about because they're just sucking everything down, you don't want to keep a bunch of outdated data because, again, it can also confuse your people. Your people go back and get this information and start asking questions like, "Is this legit, or is this old?" And because most of the people, especially if you're in an R&D type facility, are coming and going all the time, you don't know if you had good data or bad data. Lowering storage costs, like I mentioned earlier: anytime you keep data for a period of time, if you're keeping it in active storage, it's expensive. If you keep it in archival storage, it's not as expensive, but it's still costing you money. So do you need to keep this data for any period of time? Once it really goes beyond the period that you need it, delete it, get it gone. You don't need it anymore. I keep coming back to the R&D folks. They struggle with getting rid of the data. They really do. Okay, so that's all I have for you today. Thank you so much for joining me at CISSP Cyber Training.

Speaker 2:

Go on out to CISSP Cyber Training. Get all the information you need. Get my blueprint. I can't stress it enough. My blueprint will help you with your CISSP studying. It will get you everything you need to help you get through this entire process. It's step by step by step.

Speaker 2:

If you are on a self-study plan and you're trying to figure out how to get your CISSP completed, it is there for you. I mean it. You can't beat it. If you need mentorship, right? So you're now in a situation going, "I need somebody to help me with my resume. I need somebody to help me with overall understanding of how the security stuff works. I need someone to act as my CISO for a period of time because of X, Y and Z." Going out to CISSP Cyber Training, there are different options specifically for you. Again, I have a base tier for when you are trying to get your CISSP. I have a mentorship tier, for if you're trying to build your career. And then the third one is I have something if you're looking for a CISO or for more security guidance, one-on-one; I'm there, available for you as well. So all of those three are available for you at any point in time. So just go check it out at CISSP Cyber Training. All right, I hope you guys have a wonderful day and we'll catch you all on the flip side. See ya.