Shared Flashcard Set

Details

CISSP - 2018 (D2)
Asset Security
68
Other
Not Applicable
01/11/2021

Cards

Term
Sensitive Data
Definition

Any information that is not public or unclassified

Term
How does NIST SP 800-122 define PII?
Definition

- Personally identifiable information (PII) is:

- Any information about an individual maintained by an agency, including:

1. any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and

2. any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Term
NIST SP 800-122
Definition

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

Term
Proprietary Data
Definition

Any data that helps an organization maintain a competitive edge

Term
Data Classification
Definition

identifies the value of the data to the organization and is critical to protect data confidentiality and integrity.

- IDs classification labels used within the organization

- IDs how data owners can determine the proper classification

- IDs how personnel should protect data based on its classification

 

Term
Data Classifications
Definition

Top Secret      (Exceptionally Grave Damage)   Confidential/Proprietary

Secret          (Serious Damage)               Private

Confidential    (Damage)                       Sensitive

Unclassified    (No Damage)                    Public

 

Term
Sensitive Information
Definition

Any information that isn't public or unclassified

Term
IAM
Definition

Identity and Access Management

Term
Data States
Definition

- Data at Rest - stored on media, USB drives, SAN, etc.

- Data in transit (data in motion) - any data transmitted over a network

- Data in use - in memory or temporary storage buffers while an application is using it

Term
ITRC
Definition

Identity Theft Resource Center

Term
NIST SP 800-88r1
Definition

Guidelines for Media Sanitization

Term
Data remanence
Definition

Data that remained on media after the data was supposedly erased.

Term
Erasing
Definition

- performing a delete operation against a file, a selection of files, or the entire media.

- In most cases, the deletion or removal process removes only the directory or catalog link to the data.

Term
Clearing
Definition

 

- The removal of sensitive data from storage devices so that there is assurance that the data may not be reconstructed from normal system functions or software file/data recovery utilities

Term
Purging
Definition

- a more intense form of clearing

- The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique

Term
Degaussing
Definition

- a strong magnetic field erases data on some media 

- Common goal of returning the tape to its original state

- Degaussing a HD may damage the electronics

Term
Destruction
Definition

- Final stage of the lifecycle of media and more secure method of sanitizing media

- incineration, crushing, shredding, disintegration, and dissolving using caustic or acidic chemicals

Term
Declassification
Definition

- any process that purges media or a system in preparation for reuse in an unclassified environment

 

Term
Symmetric encryption
Definition

- Uses the same key to encrypt and decrypt the data

- AES uses key sizes of 128 bits or 192 bits 

- AES 256 uses a key size of 256 bits

Term
Common symmetric encryption algorithms
Definition

- Advanced Encryption Standard (AES)

- Triple DES

- Blowfish

Term
AES
Definition

- Advanced Encryption Standard (AES)

- AES supports key sizes of 128, 192, and 256 bits

- MS uses in BitLocker

- US Govt uses for classified data up to Top Secret

 

Term
Triple DES
Definition

- Triple Data Encryption Standard (3DES)

- 1st implementation used 56-bit keys

- Newer 3DES use 112 or 168-bit keys

- used in some implementations of MasterCard, Visa (EMV), and Europay standard

Term
Blowfish
Definition

- Developed by Bruce Schneier as DES alternative

- can use 32-448 bit key size

- Linux systems use bcrypt to encrypt passwords and bcrypt is based on Blowfish

  -- bcrypt adds 128 additional bits as salt to protect against rainbow table attacks

Term
TLS
Definition

- Transport Layer Security

- Almost all HTTPS transmissions use TLS 1.1 as underlying encryption protocol

- Replaced Secure Socket Layer (SSL) in 1995

Term
VPN
Definition

- Virtual Private Network

- Allow employees to access an organization's internal network from their home or while traveling

- VPN traffic goes over a public network

- IPsec is often combined with Layer 2 Tunneling Protocol (L2TP)

- L2TP/IPsec encrypts data and sends it over the internet using Tunnel mode to protect it while in transit

Term
L2TP
Definition

- Layer 2 Tunneling Protocol

 

Term
SSH
Definition

- Secure Shell

- A strong encryption protocol included with other protocols such as Secure Copy (SCP) and Secure File Transfer Protocol (SFTP) 

- Many administrators use SSH when administering remote servers

Term
SCP
Definition

- Secure Copy

Term
SFTP
Definition

- Secure File Transfer Protocol

Term
FTP
Definition

- File Transfer Protocol

Term
Data Owner
Definition

- Person who has ultimate organizational responsibility for data, typically the CEO, president, or a department head (DH)

- Identify the classification of data and ensure it's labeled properly

- Ensure adequate security controls, based on the classification and the org's security policy requirements

- Owners may be liable for negligence if they fail to perform due diligence in establishing and enforcing security policies to protect data

Term
NIST SP 800-18
Definition

- Guide for Developing Security Plans for Information Technology Systems

 

Term
Asset Owner (system owner)
Definition

- the person who owns the asset or system that processes sensitive data

- Typically the data owner

- System owner is responsible for ensuring that data processed on the system remains secure, labeled correctly, and appropriate security controls are in place

Term
Business/Mission Owners
Definition

- NIST SP 800-18 refers to a business/mission owner as a program manager or an information system owner

- may overlap with responsibilities of system owner or be the same role

- Responsible for ensuring that systems provide value to the organization

 

 

Term
Data Processor (GDPR)
Definition

- "a natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller" (data controller is the person or entity that controls the processing of the data)

Term
Regulation EU 2016/679
Definition

- GDPR

Term
Privacy Shield Principles
Definition

- Notice - must inform individuals of purpose to collect data

- Choice - opportunity to opt out

- Accountability for Onward Transfer - Orgs can only transfer data to other orgs that comply with Notice & choice

- Security - must protect personal data

- Data integrity and purpose limitation - Orgs only collect data needed for purposes in notice principle. Accurate, complete, current

- Access - individuals must have access, ability to amend/correct/delete info when inaccurate

- Recourse, Enforcement, and Liability - Mechanism to handle complaints

 

 

Term
Pseudonymization
Definition

- the process of using pseudonyms to represent other data (e.g. instead of referring to a patient by name, you could refer to them as Patient 23456)

- the key is to have another resource (such as another database) that allows you to ID the original data using the pseudonym

Term
Anonymization
Definition

- the process of removing all relevant data so that it is impossible to identify the original subject or person

Term
Data Masking
Definition

- swapping data in individual data columns so that records no longer represent the actual data.  However, the data still maintains aggregate values that can be used for other purposes, such as scientific purposes

- cannot be reversed

Term
Tokenization
Definition

- Similar to pseudonymization but uses tokens to represent other data instead of pseudonyms. Neither token nor pseudonym has any meaning or value outside of the process

Term
Data Administrator
Definition

- Responsible for granting appropriate access to personnel, but not necessarily full administrator rights and privileges.

- Typically assign permissions using a Role-Based Access Control (RBAC) model

Term
RBAC
Definition

Role-Based Access Control (RBAC)

Term
Custodian
Definition

- helps protect the integrity and security of data by ensuring that it is properly stored and protected.  Ensure that the data is backed up. Maintain auditing logs

- In practice, personnel within IT Dept or system security admin would typically be the custodians.

Term
NIST SP 800-53r5
Definition

- Security Control Baselines

- Appendix D includes a comprehensive list of controls and has prioritized them as low-impact, moderate-impact, and high-impact.

Term
AC
Definition

Access Control

Term
Scoping
Definition

- reviewing a list of baseline security controls and selecting only those controls that apply to the IT systems you're trying to protect

- The process of determining which portions of a standard will be employed by an organization

- Scoping is SUBTRACTING and removing security controls that are not applicable, such as removing physical building controls when there is no building because everyone is working from home

- Limiting general baseline recommendations by removing those that do not apply 

Term
Tailoring
Definition

- modifying the list of security controls within a baseline so that they align with the mission of the organization

- The process of customizing a standard for an organization. It begins with controls selection, continues with scoping, and finishes with the application of compensating controls

- Altering baseline recommendations to apply more specifically

 

Term
Purging
Definition

Purging media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. Purged media can then be reused in less secure environments

Term
NIST SP 800-60r1
Definition

Guide for Mapping Types of Information and Information Systems to Security Categories

Term
Categorization
Definition

- The process of determining the impact of the loss of confidentiality, integrity, or availability of the information/asset to an organization

Term
Classification
Definition

- The purpose of a classification system is to ensure information/assets are marked in such a way that only those with an appropriate level of clearance can have access to them.

Data classification is the process by which data is evaluated for its risk and sensitivity and then assigned a label that determines the level of security that will be used to protect that data. 

Term
Equipment Lifecycle
Definition

1. Define Requirements

2. Acquire & implement

3. Operations & maintenance

4. Disposal & Decommission

Term
CMDB
Definition

Configuration Management Database (CMDB)

Term
QC
Definition

- Quality Control (QC)

- an assessment of quality based on INTERNAL standards, processes, and procedures established to control and monitor quality

Term
QA
Definition

- Quality Assurance (QA)

- an assessment of quality based on standards EXTERNAL to the process and involves reviewing the activities and quality control processes to ensure final products meet predetermined standards of quality

Term
Data Categorization
Definition

- Determining the impact of the loss of confidentiality, integrity, or availability of the information/asset to an organization

Term
Three states of Data
Definition

- At rest (storage)

- In motion (transit, on the wire)

- In use (application)

Term
Baseline
Definition

- Establishes a minimum set of safeguards that can be standardized, documented, implemented, monitored, and maintained

Term
SCAP
Definition

- Multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement

Term
Data Protection Methods (in storage)
Definition

- Encryption

- Obfuscation/tokenization

- Archive/dispose/destruct

- Mobile Device Protection

- Physical Media Control

Term
Data Protection Methods (in motion)
Definition

- Encryption 

- Perimeter Security

- Web Content Filtering

- Network Traffic Monitoring

- VPNs

Term
Data Protection Methods (in-use)
Definition

- Encryption 

- User Monitoring

- Workstation Restrictions

- Application Controls (whitelist/blacklist)

- Data Labeling

Term
Data Controller
Definition

- create and manage sensitive data within an organization (e.g. HR employees)

Term
Data Processor
Definition

- Manage data on behalf of data controllers (e.g. outsourced payroll company)

Term
NIST Cyber Security Framework
Definition

- Identify

- Protect

- Detect

- Respond

- Recover

 

Term
ACL
Definition

- Access Control List

- Bound to an OBJECT (e.g. file, folder)

Term
DLP
Definition

- Data Loss Prevention (DLP)

  -- Unauthorized

  -- External

  -- Sensitive
