CISSP® - Asset Security

This course covers topics that are related to the CISSP® Asset Security domain.
Course info
Rating: (69)
Level: Intermediate
Updated: Oct 15, 2015
Duration: 1h 4m
Table of contents
Introduction
Information and Asset Classification
Data and System Ownership
Privacy Protection
Appropriate Retention
Data Security Controls
Handling Requirements
Description

Earn your CISSP! Dive deep into the Asset Security domain of the CISSP, including information and asset classification, data and system ownership, protecting privacy, appropriate retention, data security controls, and handling requirements.

About the author

Evan is an engineer by nature and a security professional by trade with over a decade of experience in technology and security. He enjoys learning new technologies and how to get more out of existing technologies through integration, enrichment, and innovation of new use cases.

Section Introduction Transcripts

Introduction
Hi, I'm Evan Morgan, and in this course I'll be discussing Asset Security. Asset Security is one of the eight domains of the Certified Information Systems Security Professional certification, or as it's commonly referred to -- the CISSP. Asset Security also has six domains, which is broken down into the other modules of this course. In this course, we'll start off with information and asset classification, followed by data and system ownership, then we'll talk about privacy protection, followed by appropriate retention, then we'll talk about data security controls, and lastly, handling requirements.

Data and System Ownership
Hi, I'm Evan Morgan, and in this module I'll be discussing Data and System Ownership. Data and system ownership is one of the six subdomains of the Asset Security domain of the Certified Information Systems Security Professional certification, or as it is commonly referred to -- the CISSP. Data and system ownership is a key concept to understand for any information security program, but especially for the CISSP exam. There are a lot of downstream impacts that data and system ownership information can drive around controls, increased security for the organization, as well as reduce risks and things of that nature. In this module, we'll start off with an introduction to data and system ownership. Then, we'll dive in a little deeper on what data and system ownership really is. What does it mean to own data and systems, as well as how does that relate to other aspects. Then we'll talk about how to identify data and system owners. Modern organizations typically have lots of systems and even larger amounts of data, but how do you really determine who the owners of that data and those systems are? We'll also talk about how identifying the owners of structured data can be a lot easier than unstructured data, but identifying the owners of unstructured data is by no means an impossible task, it's just typically a little more difficult due to the nature of it. Lastly, we'll talk about Configuration Management Database and how it relates to the system and data ownership.

Appropriate Retention
Hi, I'm Evan Morgan, and in this module I'll be discussing Appropriate Retention. Appropriate retention is one of the six subdomains of the Asset Security domain of the Certified Information Systems Security Professional certification, or as it is commonly referred to, the CISSP. Appropriate retention is a key concept to understand for any information security program, but especially for the CISSP exam. Depending on the legal requirements your organization has from the related regulations, you may be exposing yourself to litigation if you do not retain certain data for the minimum required amount of time for that data, or even if you retain it for too long. In this module, we'll start off with an introduction to appropriate retention, then we'll dive in a little deeper on what appropriate retention really is, what does it mean to retain data for the appropriate amount of time, and why not retaining at all or retaining excessively are both options that should be avoided from a legal standpoint. Then we'll talk about common data requirements that organizations face today and why is it important to implement similar models for your organization. We'll also talk about why you should not keep your organization's data forever. Not only are there operational costs associated with continuously increasing the amount of storage your organization has to house this data, but also doing so could expose your organization to a far greater cost from a legal standpoint. Another item we'll discuss is how to properly destroy data when it is no longer needed. Simply throwing away documents with sensitive data on them can expose the organization to unnecessary risk from third-party discovery of those documents. Lastly, we'll talk about Configuration Management Database and how it relates to appropriate retention.

Data Security Controls
Hi, I'm Evan Morgan, and in this module I'll be discussing Data Security Controls. Data security controls is one of the six subdomains of the Asset Security domain of the Certified Information Systems Security Professional certification, or as it is commonly referred to, the CISSP. Data security controls is a key concept to understand for any information security program, but especially for the CISSP exam, as effective controls are the cornerstone of any information security program. In this module, we'll start off with an introduction to data security controls, then we'll dive in a little deeper on what data security controls really are. What does it mean to secure data with a control? Then we'll talk about how data classification and data security controls relate to each other. We'll also discuss a few access control methodologies, followed by common cryptography methods used by organizations today. Lastly, we'll talk about how automation can be considered the Holy Grail for some, but it's critical to enabling an information security program to scale as the business grows.

Handling Requirements
Hi, I'm Evan Morgan, and in this module I'll be discussing Handling Requirements. Handling requirements is one of the six subdomains of the Asset Security domain of the Certified Information Systems Security Professional certification, or as it is commonly referred to, the CISSP. Handling requirements is a key concept to understand for any information security program, but especially for the CISSP exam. In this module, we'll start off with an introduction to handling requirements. Then we'll dive in a little deeper on what requirements really are. What does it mean to properly handle data, and why does it matter? Then we'll talk about how data classification directly ties to handling requirements. Lastly, we'll talk about what some of the more common handling requirements are for organizations.