Welcome to Cybrary's video series on the CompTIA Security+ 501 certification and exam.
I'm your instructor, Ron Woerner.
Please see Cybrary.it for more information on this and many other certifications.
Section 5.8 of the risk management domain is about data security and privacy practices.
How are you protecting the data? Do you know what data you need to protect with its labels and classifications?
Who's responsible for each level of data? We'll also talk about privacy practices. How do you keep personal information from being inadvertently disclosed?
Let's dive into the topics.
Ensuring the confidentiality, integrity and availability of data is the fundamental core of an information security risk management program.
Organizations are tasked with many data security and privacy practices that need to be carried out as defined within data handling and data management policies.
These data policies are based on organizational requirements
and regulatory compliance.
Data policies are also used to govern overall IT administrative tasks.
In this session, we'll cover those ideas, including data definitions, classifications, sensitivity,
data roles, data retention (how long do you keep that information or data, which is often associated with a legal matter),
and then data disposal, destruction, and media sanitization: how do you get rid of it?
Information must be classified according to its value and level of sensitivity so that the appropriate level of security can be used and access to data can be controlled.
You want to develop a system of classification
where you are labeling the data, particularly that which is most sensitive. That way, you have appropriate handling of your most sensitive data, defined by the data owner. The process for data classification, labeling and handling should be easy to apply,
consistent across all different types of data
and within your organization.
And lastly, it should be visible.
Let's look at some common data classification labels.
On the screen are common data classification labels you may see in industry or in use within the U.S. Government.
First is public or unclassified data. This is information where, if it's disclosed, no harm is done.
Confidential data, though, is data that might cause damage to the organization if it were exposed, so some damage will occur. We're focused mostly, though, on the disclosure of data, so for the confidentiality of data you might have that label of confidential.
Secret: maybe grave harm or damage is done to the organization if it's inadvertently disclosed.
You may also see terms like proprietary,
which is usually kept within an organization or organizational unit. You don't want to disclose it to other businesses. Label it, then, as proprietary.
Private could be a label assigned to personally identifiable information,
that information which is associated with a person's identity or their health information. Label it as private. These were just common data sensitivity classifications you may see.
In a previous session, we talked about
some common labels associated with data privacy, such as PII and PHI. Personally identifiable information is information associated with a person's identity: first name, last name, some identifier like a credit card number or Social Security number.
The other type to be aware of is PHI, personal health information, as defined within the health laws, about a person's health status, provision of health care, et cetera.
Be aware of these definitions for the Security+ exam, and then also as you're working as a security professional.
All data within your organization should have assigned data roles.
This starts with data ownership.
The owner is responsible for determining how much risk to accept.
They determine the data sensitivity and therefore the data labeling.
The data custodian is the one who's responsible for administering it. They don't assign the levels;
they make sure it's secure according to the directions provided by the data owner.
The third data role you need to be aware of is the privacy officer. This is a person, often associated with the legal department, who is responsible for ensuring the privacy of personal information within the organization. This may be a dictated, required role by HIPAA or GDPR.
Sensitive and privacy-related data should be managed within an organization's retention and disposal policies.
You should have a policy that explains how long you keep different types of data. For example, some banking or financial information may need to be kept for seven years.
This all should be stated within the policy as set by the data owner.
Industry best practices and laws can also affect the retention and storage of data, log files, and audit files.
For example, the United States Federal Rules of Civil Procedure, or FRCP, have implications for data retention policies.
The concept with data retention is: keep the information only as long as you need to,
and then no longer.
Get rid of it if it's no longer needed or required for legal reasons.
Lastly, with disposal of data, you want to properly get rid of that data and potentially any associated hardware.
Let's talk about some of those methods.
There are many different ways to get rid of data when it's no longer needed within an organization.
You can trust a third party to do it. You'll see this with shred bins. Many organizations will have this locked shred bin,
and then the company brings their shredding truck to the premises. If you're doing this, you want to observe the destruction process.
You shouldn't just assume that it's actually occurring.
How is the media being transported to that destruction facility?
Can you use that media after it's destroyed? For example, a hard drive.
The best practice is really to combine multiple methods for effective data destruction and media sanitization.
Some specific methods for getting rid of the data are shown on your screen.
One, burning: use of heat or fire. This may not be environmentally friendly. Think about paper: even if you burn it, you could still potentially read what's on it.
Shredding is very common. I hope you have your own personal cross-cut shredder. You don't want to just shred vertically but also shred horizontally to make sure the pieces cannot easily be put together.
Pulping is another method, which reduces paper to a liquid slurry so therefore it can't be put back together.
Another method of removing data
and media sanitization is pulverizing. It's using hydraulic or pneumatic action to reduce the materials to loose fibers and shards.
This could be quite expensive, but it's a great way, particularly with hardware, of making sure it cannot be reused.
Degaussing is another technique, associated normally with magnetic media: hard drives, USB drives. It's using a large magnet to remove data from that magnetic storage media.
Purging is removing files and all traces of the data, also known as sanitization,
and, lastly, data wiping, say, on a hard drive or other magnetic media: that's overwriting the data with zeros and ones.
The data is therefore replaced and non-recoverable.
Consider each of these data destruction methods and come up with your own examples for each to prepare for the CompTIA Security+ exam. Let's practice with a question.
This method of data destruction is a cost-effective method to reduce the size of objects with the intent of making them no longer usable.
The answer is A, shredding.
This concludes Section 5.8 on data security and privacy practices.
Please refer to your study material for more information.