Domain 3

3.3 Protecting Data

Compare and contrast concepts and strategies to protect data.

0% Complete

1

3.3.1 Data Types & Classifications

Data classification and categorization ensure that security controls are applied proportionally to the sensitivity and legal requirements of information throughout its lifecycle.

Data Classifications and Sensitivity Organizations classify data based on the potential impact of a breach, focusing on Confidentiality, Integrity, and Availability (CIA). - Public: Information with no risk if disclosed; often intended for marketing or public consumption. - Private/Internal: Information for employee use only; disclosure may cause minor inconvenience or loss of competitive advantage. - Confidential/Proprietary: Highly sensitive data like trade secrets, source code, or intellectual property; unauthorized access could cause severe damage. - Restricted/Critical: Highest level of sensitivity; breach leads to significant financial, legal, or reputational ruin. - Government/Military Levels: Specific tiers including Unclassified, Confidential, Secret, and Top Secret (where disclosure causes "grave damage").

Sensitive Data Types Protecting data requires identifying regulated information that carries legal or compliance penalties if exposed. - PII (Personally Identifiable Information): Data that can uniquely identify an individual, such as Social Security numbers, addresses, or biometric records. - PHI (Protected Health Information): Medical records, health insurance details, and hospital visit history (governed by HIPAA). - PCI (Payment Card Industry): Credit card numbers, CVVs, and transaction data; regulated by the PCI DSS standard. - Intellectual Property (IP): Patents, trademarks, and proprietary business processes that constitute an organization's "lifeblood."

Data Roles and Responsibilities Clear accountability ensures that data is managed according to compliance and security policies. - Data Owner: Typically a senior executive or the organization itself; holds legal responsibility and determines classification levels. - Data Controller: A role defined by GDPR; the entity that determines the "why" and "how" of data processing and ensures compliance with privacy regulations. - Data Processor: An entity (often a third-party service) that handles data on behalf of the controller; they follow the controller’s instructions. - Data Custodian: The technical role (IT staff) responsible for maintaining data integrity, performing backups, and implementing encryption. - Data Steward: Focuses on data quality, labeling, and ensuring metadata is accurate for business use.

Quick recall - GDPR Trigger: Look for Controller (determiner) vs. Processor (actor/vendor). - Impact-Based: NIST FIPS 199 categorizes impact as Low, Moderate, or High. - Data Exfiltration: The unauthorized transfer of data out of an organization. - Role Distinction: The Owner decides classification; the Custodian implements the actual security controls.

2

3.3.2 Data States

At rest, in transit, in use.

3

3.3.3 Data Sovereignty & Geolocation

4

3.3.4 Methods to Secure Data

Encryption, hashing, masking, tokenization.