Data Management Principles Transcription

Welcome to our managing sensitive data module. It is important to develop clear policies in order to manage data appropriately, and protect your organization. You should define roles and responsibilities for those individuals responsible for maintaining and using data. Make sure that you define quality procedures that are appropriate for your business.

Design efficient storage using data deduplication, which is a technology that allows you to reduce the number of copies of a specific file, therefore reducing your storage footprint. When using databases, you should have user requirements based on a user's need to know, and users should only be able to access data that they need to perform their job functions.

Your database administrators should check database access to make sure that users are not attempting to access data that they should not be accessing. You should have procedures in place for backing up your data, storing the data, updating to newer technologies and managing the data. You should be monitoring and auditing the use of the data, maintaining its integrity, and checking the effectiveness of your data management systems.

You should have policies in place for controlling access to data. And your employees should be aware that they are not to have extra copies of data on their personal computers, or personal thumb drives, or cloud storage. And that they should only maintain data on your systems as appropriate.

You also must make sure that data is properly destroyed at its end of life. This is important to avoid data remnants, where data remains on a piece of hardware after you are finished with it and an unauthorized person is able to access the data. Depending on the sensitivity of your data, you will have to determine the cost versus convenience necessary to ensure that your data stays secure, but that your employees are still able to access the data.

You will need to establish data owners who are responsible for labeling data appropriately and protecting it, and data custodians who are responsible for backing up the data and making sure it's available when necessary. You should have established guidelines on private data versus publicly available data and have special guidelines in place for handling PII, or Personally Identifiable Information.

All data should be labeled with its sensitivity, and you should control that data based on its sensitivity. You'll have to consider legal considerations, such as liability, any legislative actions or policies and laws that you are required to comply with, and how you will process legal requests or court orders requesting copies of your data.

Everyone involved in the process should be trained appropriately on security procedures to ensure that your data is not compromised, and you should never allow your employees to maintain personal use copies of your data. All data should be stored on your system where you have full control of it.

In order to determine what you have and where you're keeping it, you may want to use a configuration management database, or CMDB. This is an inventory that allows you to properly document your data, where you're storing it, and who has access to it. You need to know where to be able to find data when you need it, and data is a very valuable asset that you need to control.

If you have a proper configuration management database, that will contain the information you need. The ITIL or IT Infrastructure model defines a configuration management database within their model and provides reasons why it can be helpful to your organization. Data ownership is a governance process that details your organization's legal ownership of all the data contained within your enterprise.

You will then assign individual data owners to maintain different types of data. Those individuals are responsible for setting the sensitivity on those pieces of data, and making sure that it is managed appropriately. It is important to protect your media where you are storing your data. This could be a physical device, such as a hard drive, an optical disc, or a solid state drive, and you should not forget printed material like paper, with sensitive data that has been printed on it.

You should review the laws in your area in order to determine how long you should save archive copies, but you should make sure that all archives are properly labeled. And these will generally be available offline, meaning that someone cannot access them without going into a storage environment and retrieving that data.

Based on your security policy, you should secure the media, or perhaps lock it in some type of vault or other secure storage area. You should maintain access logs in case of an incident or an investigation, to determine who had access to different pieces of information. Syslog is a standard that you can use to centrally record log files, and you should remember syslog for the CISSP examination.

Another important point is that no one should be able to modify the log files. Even your system administrator's access should be read-only. They should not be able to modify or delete the logs. You should also consider the security of your archive or back-up copies. You can place a lot of security controls on your systems, but if you then make a backup of the system and don't control the backup tape, then any unauthorized individuals may be able to access that data.

You should also be aware of overwriting issues, where you may be overwriting previously stored data that may be important, and once you overwrite it, you will no longer be able to recover it.

Your data owner is typically a management employee and will be responsible for the data and the proper handling of the data. And they may designate a custodian to implement a task such as backing up data or destroying physical media. But the owner is ultimately responsible to make sure that it is getting done appropriately.

In order to ensure the integrity of your data, you should have quality control and quality assurance processes in place. Quality control, or QC, is responsible for monitoring and evaluating your systems based on your internal standards, procedures, and processes. Quality assurance, or QA, is a process where final products are inspected to make sure that they meet predetermined external quality standards.

And we review the activities and quality control throughout the development process. It is critical to have a records retention policy. A records retention policy dictates the minimum amount of time that you are required to keep data, and the maximum period of time that you will keep records before destroying them.

For your records retention policy to be effective, all data and storage devices must be properly labelled, so that you can find data when authorized parties need to access it. The record retention policy will dictate the amount of time that data must be maintained, both the minimum and the maximum, for different types of data, such as sales records, log files, tax information, personally identifiable information, video surveillance recordings, and so on.

One important note for the CISSP exam is that if we have a legal hold such as a court order ordering us to preserve records, we should not follow our destruction policy, and destroy those records that we know the court has ordered us to keep.

This is the only legitimate reason for you to violate your records retention policy, and keep data longer than you are supposed to. You should always talk with your lawyers, and accountants, and other staff members to determine what the law requires. And make sure that you're documenting your compliance by having a written records retention policy and logs of the data being properly stored, and then deleted once the records retention policy expires.

The data destruction process is the process of securely disposing of data when we no longer need it. It is critical that we securely dispose of it, because if we simply throw away a hard drive, an unauthorized person may be able to recover data that we thought we deleted.

So making sure that data is properly destroyed is critical. This concludes our managing sensitive data module. Thank you for watching.
