Domain 2 Asset Security

A backup policy would address which systems and media we would use, the retention policy would only deal with what, how long, where and similar topics.

RAM (Random Access memory) is volatile memory. It loses the memory content after a power loss or within a few minutes. ROM (Read Only memory) is nonvolatile it retains memory after power loss.

Data Retention: Data should not be kept beyond the period of usefulness or beyond the legal requirements (whichever is greater).

A data destruction policy would address how we deal with data no longer needed, the retention policy would only deal with what, how long, where and similar topics.

Certification is when a system has been certified to meet the security requirements of the data owner. Certification considers the system, the security measures taken to protect the system, and the residual risk represented by the system.

Flash memory: Small portable drives (USB sticks are an example); they are a type of EEPROM.

Formatting puts a new file structure over the old one, the data is still recoverable in most cases.

Under the US Health Insurance Portability and Accountability Act (HIPAA), Protected Health Information (PHI) that is linked based on the following list of 18 identifiers must be treated with special care: 1 Names. 2 All geographical identifiers smaller than a state. 3 Dates (other than year). 4 Phone numbers. 5 Fax numbers. 6 Email addresses. 7 Social Security numbers. 8 Medical record numbers. 9 Health insurance beneficiary numbers. 10 Account numbers. 11 Certificate/license numbers. 12 Vehicle identifiers and serial numbers, including license plate numbers. 13 Device identifiers and serial numbers. 14 Web Uniform Resource Locators (URLs). 15 Internet Protocol (IP) address numbers. 16 Biometric identifiers, including finger, retinal and voice prints. 17 Full face photographic images and any comparable images. 18 Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data.

If we do not encrypt our laptops which uses the data from our database, it is a very good attack vector for someone wanting to steal our data.

Where do we keep our sensitive data? It should be kept in a secure, climate-controlled facility, preferably geographically distant or at least far enough away that potential incidents will not affect that facility too. Many older breaches were from bad policies around tape backups. Tapes were kept at the homes of employees instead of at a proper storage facility or in a storage room with no access logs and no access restrictions (often unencrypted).