BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
The following video is from the Official (ISC)² CISSP OnDemand Training.
Unlike other parts of IT, the concept of "set it and forget it" is completely incompatible with information security requirements. After determining the ownership of data and under what conditions it should be accessed, infosec pros must continually ensure that its integrity, confidentiality and proper use is maintained.
Ongoing data audits, overlapping controls and thoughtful documentation are among the many tools CISSPs should call upon to promote good data management, explains Adam Gordon, lead editor of the Official (ISC)² Guide to the CBK, Fourth Edition, in this video.
CISSP® is a registered mark of (ISC)².
Transcript - Identify and maintain ownership of data: A guide for CISSPs
The following is a full transcript of Adam Gordon's video.
Let's talk a bit about determining and maintaining ownership and what that may mean from a CISSP's perspective. When we think about good data management practices and how we determine and maintain ownership of data, we have to really understand what it means to define data in the context of the organization, to then create policies that help to drive that definition down to all users of the data. And then we have to classify, as we've already talked about, and categorize data in such ways that authorized use is encouraged, unauthorized use is prevented, and ensure integrity, confidentiality, and availability are always going to be, not only as part of any architecture taken on, discussed, and implemented, but that we are monitoring and ensuring that we are understanding that integrity is intact, confidentiality is assured, and availability is going to be something that we monitor for, and whenever there is a disruption around availability we are notified.
So good data management practices involve all these things. A data policy that defines strategic long-term goals, helps with good data management, helps us to understand how to clearly enunciate clearly in our mind, announce and therefore define for everybody who uses the data in the system what the rules of engagement will be, and the means required to use that data as well as the necessary requirements around why that data is being made available. So these are things to consider. Clearly defining roles and responsibilities, who is going to have ownership of data, be able to use the data, under what conditions, with what rights, what rules and what responsibilities.
Ensuring data integrity, availability and confidentiality
Data quality procedures, how do we QA the data? How do we ensure integrity of the data? How do we ensure availability of it? Documentation is always very important. We've talked a lot about the importance of it. Adherence to agreed upon data management best practices, whatever they may be. Standardizing data taxonomies and naming conventions, using categorization and classification schemes that are broadly communicated and widely accepted are all parts of good data management practices. Carefully planning and documenting database specifications to make sure that we understand how to store data, how we educate users around the use of data, how they can gain access to data using standard methodologies and standard structures all become important.
In addition, defining procedures for updates to the information system infrastructure. How often do we patch? How often do we update a normalized data, under what circumstances, managing all of that and communicating that becomes important. Ongoing data audits to make sure we, again, can ensure integrity, availability, and confidentiality. Ongoing and evolving data security approach of tested layered controls to reduce risks to data.
Overlapping controls that are layered to this defense and depth thought process. We've talked about becomes important under good data management practices here. If we have only one access control mechanism used to safeguard data, that may be okay, but that may not be as good as having several different layers of control on the front end. So instead of single factor authentication, using a username and a password, we may switch to a dual or multi-factor solution that involves the username and a password and a biometric authentication element to further enhance data access controls and data management. And that would be an additional layer, and that would be ongoing and evolving data security, and that's the kind of thing we're talking about.
Defining data ownership
Clear statements of criteria for data access, who has ownership of data and rights to data under what circumstances and for what reasons, should be clearly enunciated and made available to all users of the system. Clear and documented published data that is available and usable to users with consistent delivery procedures. What data can be expected to be used, under what conditions and how well be access and all those things should be documented, should be clearly made available, and should be, in the case of a system that is classified in some way, very clearly evident to those that are authorized to use it, even though it may not be clearly evident to users that are not authorized to use it. We do want to make sure users that have rights to the data clearly understand what the value of the data is, and we don't want to expose that value to people that don't belong seeing it. So this is all important.
Considerations around data classification, data management, and good data stewardship, and custodianship, and ownership of data. Things like the cost to operate and maintain the data, the liabilities associated with owning and maintaining the data, these are considerations. Ownership of data and custodianship, what is it going to mean from responsibility and right accountability perspective to be a data owner or be a data custodian? Sensitivity, policy and process, privacy and existing law, and policy requirements. All of these things are things that we have to consider as CISSPs as we embark on our career around managing data inside of a system. We are being given the right and being given the responsibility by either the data owner and/or by the business to maintain and build systems that will help to manage and implement management of access to data. We have to bear in mind these considerations to ensure that as we do so, we are doing so from a cost-effective liability, sensitivity, privacy awareness, and existing law and policy requirements awareness capability.
So we're thinking about what laws we have to ascribe to and align with, making sure we implement the procedures and solutions that impact, and therefore positively reinforce privacy, and protect and therefore reinforce elements of privacy and confidentiality as well as integrity around data in the system. And we have to ensure we create policies and processes in order to, not only do those things, but also more broadly and more generally, to safeguard usage of the system for those that are authorized to do so, and channel that usage into ways and into mechanisms, and through policies and procedures, into solutions that allow them to do so cost-effectively, but also in a way that optimizes the availability of that data. We have to make sure that data's not just available, but that we really try to optimize usage of that data through availability constraints that allow authorized users to use data in ways that make sense for them, speed up productivity, speed up access to data. Don't get in the way, in other words of performance, as much as possible. But also safeguard access to the data and making sure that we are doing both of those things simultaneously to the degree possible is all about policy and process and the governing of them.
A CISSP’s work is never done
All of these things are around the considerations we must have in our mind as CISSPs as we think about data, think about access to data, ownership of data and good data management thought processes that we as CISSPs have to bring to bear around the conversation with data in the organization. We will be asked, time and again, in our roles as CISSPs to provide guidance and thought leadership around how we can better do things. We may not have answers all the time, and the answers we have may not be the answers the business is willing to entertain, take on, and/or understand. But ultimately, as we go through and we think about monitoring, and we think about usage of this data and the management of it. We do have to understand that we have to come back to the table time and again, and continue to have the dialogue, continue to make recommendations and ultimately, continue to try to find ways forward that marry the requirements of the business, and the requirements of the individual user and protections of data, and the safeguarding of privacy, certainly confidentiality, integrity, and availability. We have to put all those things together and still try to come up with innovative solutions that allow us to move forward. This is the job that CISSPs take on. This is the place that we live. This is the requirements that we have to adhere to and ultimately strive to meet and exceed if possible in the business.
We must be, in other words, the thought leaders that provide guidance around security and implementation of secure solutions, both in data management and in many other areas of the business. It is a challenge that you hopefully as CISSPs in the coming days, weeks, and months, as you go through this course and ultimately certify will embrace fully and take on. It is probably something that you're already doing at some level in your organization, whether you have the title and credential associated with it as a CISSP or not, and it's something that I hope you will continue to do as you become a CISSP. But whether you do that today or not, or whether you will do that as a CISSP in the future, at the end of the day, it is part of what security management and good security management around ownership of data is going to entail. And because of that, it's something that we often focus on as a CISSP and something that as a CISSP you should be thinking about and should be aware of in terms of how you're going to go out and ultimately drive classification, drive good data management, and drive ultimately availability, confidentiality, and integrity of data into the systems you manage and through defense, and depth, and layered architectures, reinforce those thought processes inside the organization and the enterprise.