Data Security Controls Transcription

Welcome to our data security controls module. One of the most important things that we need to do in computer security is controlling access to our critical resources. It's important that we protect the confidentiality, the integrity and the availability of our resources. If we're going to put an access control in place there are certain requirements that we should consider.

First, the control needs to function appropriately when necessary. We would like the control to be as transparent as possible to the user to make their job easier. It should be scalable so we have room to grow as our organization gets larger. The control must ensure the integrity of our data.

We have to be confident that our data is not being changed without authorization. It must be maintainable with very little administration or maintenance if possible. It must be protectable so it cannot be stolen, overwritten or disabled. And also it needs to be auditable so we can verify that it is functioning properly.

And we should have some type of metric to measure it against to make sure it's living up to our expectations. Two important concepts that you need to be familiar with for your corporate security as well as for the CISSP examination are need to know and least privilege. Need to know is the concept of only providing your users with the access to the resources they need to perform their job functions.

And this focuses primarily on controlling access to sensitive data. We can use a white list to determine which users are allowed to access what type of content, resources or systems. Privilege is simply a right that we are granting to either an individual, a process or a program, that authorizes them to interact with an object and perform some type of function with that object.

The concept of least privilege means that we should only give users the access they need to perform their official duties. So here we want to make sure that we're protecting our resources throughout their entire lifecycle, and it's also important to control both access and the ability to make changes.

Some users may be permitted to access the data but not be permitted to make changes, whereas other users are permitted to make changes. Separation of duties is a security control that requires multiple people to perform a critical or sensitive task. This can help us to protect our critical systems, our data or financial transactions, and helps us to reduce the amount of fraud or abuse that we have in our organization.

This can also be called a dual control, or a two-man rule. An example here is when an employee is going to issue a refund to a customer, taking money out of the cash drawer, a manager needs to walk over to the register and enter their credentials to approve the transaction. So we're not allowing one employee to do all of the functions of processing a return. When two employees agree to work around the controls put in place by separation of duties, we call this collusion. Collusion is an important term to be familiar with for the CISSP exam. You will most likely see a question that asks for the name of the term when two employees work together to defeat the controls put in place with separation of duties.

It is very important to monitor accounts with special privileges such as system administrator and network administrator accounts, which are also known as root accounts. These accounts have the highest level of access on a system or a network. And therefore, it is very important to make sure that they are used appropriately and that a very minimal number of individuals have this type of access.

Security administrators are responsible for overseeing the security of your system on a daily basis. Operators are responsible for performing tasks with your software and hardware such as monitoring the devices or backing up data. Data owners are responsible for determining the security level of objects, and determining who has access to those objects.

Privileged users have much more control than traditional users, so their activities could impact your security much more than a normal user would. You should consider using a privileged user acceptable use policy that has additional controls in place from what you would use for a traditional employee. Typically, in Department of Defense and military environments where they use CAC, or Common Access Cards, to access systems, users will maintain two CACs, one for their traditional work functions and one that they will use only when they need to perform elevated functions.

Users or processors are responsible for retrieving data or entering data into the system. They are assigned certain rights by the security administrator so that they are able to access the data that they need for their job.

But they also must have a need to know. We do not want to assign users access to all of the data on our system if they do not need access. Privilege escalation is where users are able to gain more access than they are supposed to have.

And this can happen for a variety of reasons, but we want to make sure that this does not occur; otherwise, users may take advantage of these additional privileges to perform unwanted activities. It is also important to perform auditing to make sure that privileges are assigned appropriately for all user accounts.

And it is important to monitor the system to determine if anyone is misusing their credentials, attempting to escalate their privileges or accessing sensitive data that they should not be accessing. This concludes our Data Security Controls module. Thank you for watching.
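
The privilege audit and the refund dual-control rule described in this module, sketched as an added example that is not part of the original transcript. The role names, permission strings, users and refund records are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed role baseline: what each job function needs (need to know).
ROLE_BASELINE = {
    "cashier": {"sale:create", "refund:request"},
    "manager": {"sale:create", "refund:request", "refund:approve"},
    "operator": {"backup:run", "device:monitor"},
}
# Constructed entitlements, as an access review might export them.
ACCOUNTS = {
    "alice": {"role": "cashier", "granted": {"sale:create", "refund:request"}},
    "bob": {"role": "cashier", "granted": {"sale:create", "refund:request", "refund:approve"}},
    "carol": {"role": "manager", "granted": {"sale:create", "refund:request", "refund:approve"}},
    "dave": {"role": "operator", "granted": {"backup:run", "device:monitor", "refund:approve"}},
}

@dataclass(frozen=True)
class Refund:
    refund_id: str
    requested_by: str
    approved_by: Optional[str]

# Constructed transaction log.
REFUNDS = [Refund("R1", "alice", "carol"), Refund("R2", "bob", "bob"),
           Refund("R3", "alice", "dave"), Refund("R4", "alice", None)]

def excess_privileges(accounts, baseline):
    """Least privilege: permissions granted beyond what the role requires."""
    extra = {u: sorted(a["granted"] - baseline[a["role"]]) for u, a in accounts.items()}
    return {u: perms for u, perms in extra.items() if perms}

def dual_control_violations(refunds, accounts, baseline):
    """Separation of duties: a refund needs a second, entitled approver."""
    # Approval is judged against the role baseline, not the raw grant, so an
    # over-privileged account cannot satisfy the control. Two colluding
    # employees would still pass; this only proves two entitled people acted.
    violations = []
    for r in refunds:
        if r.approved_by is None:
            violations.append((r.refund_id, "no approver"))
        elif r.approved_by == r.requested_by:
            violations.append((r.refund_id, "self-approved"))
        elif "refund:approve" not in baseline[accounts[r.approved_by]["role"]]:
            violations.append((r.refund_id, "approver role not entitled"))
    return violations

if __name__ == "__main__":
    print(excess_privileges(ACCOUNTS, ROLE_BASELINE))
    print(dual_control_violations(REFUNDS, ACCOUNTS, ROLE_BASELINE))
```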
