
September 1, 2025 46 mins


Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

From insecure code causing breaches to proper data destruction, this episode dives deep into the critical world of data lifecycle management—a cornerstone of the CISSP certification and modern cybersecurity practice.

A shocking 74% of organizations have experienced security incidents from insecure code, highlighting why proper data management matters more than ever. Whether you're preparing for the CISSP exam or strengthening your organization's security posture, understanding who's responsible for what is essential. We break down the sometimes confusing differences between data owners (who bear legal liability), data custodians (handling day-to-day operations), data controllers (determining what gets processed and how), and data processors (who handle the actual processing).

The stakes couldn't be higher. With GDPR violations potentially costing organizations up to 4% of global annual revenue, misunderstanding these roles can lead to catastrophic financial consequences. We explore the eight principles driving transborder data flows and why understanding your data's journey matters for compliance and security.

When it comes to data destruction, I share practical wisdom about what really works. While methods like degaussing and various overwriting techniques exist, I explain why physical destruction (the "jaws of death" approach) often makes the most practical and economic sense in today's world of inexpensive storage media.

Throughout the episode, I provide real-world examples from my decades of experience as a CISO and security professional. Whether you're dealing with classified information requiring specialized handling or simply trying to implement sensible data governance in a commercial environment, these principles will help protect your organization's most valuable asset—its information.

Ready to continue your cybersecurity journey? Visit CISSP Cyber Training for free resources, sign up for my email list, or check out my YouTube channel for additional content to help you pass the CISSP exam the first time.


Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
Alright, let's get started.

Speaker 2 (00:22):
All right, let's get started. Good morning everybody. It's Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is CISSP Training Monday and we're going to be focused specifically on the CISSP training related to domain 2.4, and this is managing data lifecycles, and so, as we've talked

(00:44):
in numerous different episodes around data life cycle, it's an important part and today we're going to get into that again. This is domain 2, 2.4, but before we do, I had an article I wanted to kind of share with you all and it'd be great to get any opinion from you all. So this is from IT Pro, and this is based on a report that was done, and this report says that % of the companies admit

(01:04):
insecure code caused a security breach or security incident of some kind, and, as we know, this is definitely the case. There's a lot of insecure code that's been done out there. I had a lot of security, or I had an IT team, a development team, that worked specifically for me, and because they worked for me, we went through the overall development lifecycle

(01:25):
aspects and they struggled with that a lot. They didn't know how to deal with the development lifecycle piece of this, and so this report basically found that 74% of organizations had suffered from an incident as a result of dodgy or bad code, and nearly half of those were hit with a breach of some kind. And so, with AI, people are going well, hey, now that I'm

(01:46):
going to develop AI, I'm going to put that into my environment, I'm going to actually have really safe and secure code. But even though AI can code better than developers, there is some suggestions that the code could also be insecure. Code could be replicated by AI as well, so if it doesn't know what is good code, it could actually end up replicating bad

(02:08):
code as well. So the point really comes right down to training, and they recommended that their people are trained at least on a quarterly basis or, better, on a monthly basis on what to look for as it relates to insecure code. Now, there's different types of products out there that can help you with this.

(02:28):
There's video-based products, there's e-learning platforms and so forth. They have hacking games, such as Capture the Flag, and I think all of those are an invaluable part of your organization and they would be something that you would want to go through and help your people understand how to actually do these aspects. So labs and classes are important, but I would also say

(02:49):
that, as you're doing this with your folks, make sure that you have a good game plan in place of what is the overall end goal, what you're trying to accomplish, because, when it comes right down to it, training and teaching people as well as working on the AI piece of this is great, but there has to be measurable metrics that come out of anything that you do, because otherwise you're just kind of doing activity, hoping

(03:11):
that everything's going to kind of fall into place and work. Now, according to this article, one of the other aspects they had was around return on investment. That was one of the hurdles that became a big problem is, even though you may have this training in place and you may have some level of documentation developed around your overall secure development life cycle, how do you ensure that you're

(03:33):
getting your return on your investment for the money that you spend? And I would say training is also one of those that is really hard to measure. You want to be able to train people, but be understanding that, hey, if I give you this training, how do I ensure that I'm actually going to get back what I put into it? So, as a challenge, it's imperative that you have good metrics on, at least in the fact that, what people took the

(03:56):
training, how many were successfully completing the training, did you have labs involved, did they pass the labs? And all of that may not be pushed up to the board or to the senior levels, but at least then you have metrics on how they have done. It makes it a lot easier to justify the money spent if you can have those metrics, versus just saying, hey, all my people

(04:16):
took the training. Well, that doesn't really tell you anything. And, realistically, having a good structured plan on how you plan on getting this information to your people and have them use this information and then, in turn around, how is it being pushed within your development environment, those are all really good metrics that need to be tracked and monitored and

(04:36):
reported up to your senior leaders. So, again, it's a good eye, a good option. The main thing I wanted to bring up about this article was just the fact that we all know secure development is going to be a bigger factor. Too many people rely on AI and they're just assuming that, well, if AI's got it, it knows how to code. It's coding good. I'm not going to double check the AI, so bad choice if you decide to go down that path.

(04:58):
Okay, domain 2.4. So let's get into what we're going to talk about today. Okay, so data owners. When we get into the overall fact around, what is a data owner? A data owner is a person that's ultimately responsible within your organization for the overall data that is out there. This person typically falls into a couple different

(05:18):
buckets, but I've seen them in different ways. One, the CEO, actually, in some cases is the data owner, especially when you're dealing with intellectual property there might be. This person is ultimately responsible for the protection of this IP and therefore it could be the CEO themselves, depending on the size of the organization. If the organization is very large, it probably wouldn't be the CEO. It's probably delegated down to a president or a department

(05:41):
head. In the case of some levels of intellectual property, it could be the R&D head or the R&D lead that's running it. Different data requires different types of data owners and they may not just be one person. I've seen it where the data owner may understand, or the engineer may understand, the data specifically around a

(06:02):
certain level, but then other parts of the organization don't understand the information and so therefore they're not the data owner for that specific piece of information. It may be around a couple of different people, but at the end of it, and that's where it gets real squishy between data owners and data custodians, and we'll get into custodian here in just a minute, but the data owner is someone who physically is

(06:22):
responsible to the organization for that data and it typically is pretty high up within the company because they're the ones that are ultimately responsible if something bad were to happen. Different data will require different data owners and it may not just be one person, like we kind of mentioned just a little bit ago, but for liability reasons and negligence reasons it may be down to just one.

(06:45):
So I'm giving you kind of a squishy answer on that. It's not really what you want to hear, but it depends. But what you want to understand and the key factor that comes out of this is you need to know who the data owner is specifically around the information, because if you, as a security professional, are trying to put policies in place around data protection, you're going to need to know who this

(07:05):
person is, and they are ultimately responsible for the data protection within the company and they need to be aware of that as well. They also need to be aware that they are legally liable for it. They may say, yeah, I understand that, but no, I mean really truly. You are legally liable. If things go bad, you could be sued by the company. You could be sued by other people.

(07:25):
There's lots of different things that can go sideways on this. So, as a data owner, you are ultimately responsible for the information. Now there's data owner guidance around. This is SP 800-18. This is really good for developing a security plan and it's tied to the federal information systems. It's a really good place to start if you're looking for some sort of guidance around being a data owner. There's rules for appropriate use and how to maintain the

(07:48):
management of this data, as well as guidance around security, controls, requirements and everything else that's out there in this guide, this NIST guide, this NIST publication. It does help you decide around privileges and access rights related to the data owner and what is the rights that this person should have, as well as acceptable use or rule behaviors. So it's a really good place to start.

(08:10):
If you're trying to develop a security plan and you don't really know where to begin, I would start with this Secure Publication, SP or Special Publication 800-18. That's the NIST SP 800-18. Understanding the asset owner, business owner, business owner or data owner, what does this mean? Well, basically, you have different terms that are being

(08:30):
used, but in the business standpoint, you could have it called it as an asset, if you're. They also could say they'll. You know what. This business has a specific data that's tied to it. You'd be the business owner, or you could get very granular and it could be down to the specific data. So it's business asset data. These are all owners of this information. They could be multiple people, they could be one person, but

(08:51):
whoever that person or persons are, you need to develop a security plan in with them and in coordination with the data owner. You need to make sure that everybody's aligned with what is the security plan in place. This would be a specific asset that accesses any sensitive data. You would need to call out those specifically, and you need to ensure that those are all defined well within your

(09:12):
security plan. This ensures systems are updated and properly configured, and this would, in one example, this would be the digital marketing team. They would have a situation where maybe they populate the websites with digital marketing content. This needs to ensure that it's updated and properly configured. Business owners will manage it, but it's not, potentially, the data owner. So what that means is the business owner is, let's say,

(09:33):
for the digital marketing team. They're the ones that are managing this website. They're the ones that are managing any sort of digital content that goes in there, but they don't specifically own the data that's going into that content. So you'll need to work with the business owner, and you may have to work with the data owner too in this specific situation. Now, they could be one in the same, but they also could not be, so again, making this extremely challenging for you

(09:56):
all. When it comes to the CISSP, if they start asking you questions of going, you got to read the question that the business owner, who does not own the data, is making these changes. Is this a good idea? You might be going. Well, no, because they're not the data owner. If they say, the business owner, which is the data owner, is making these changes, then you may answer the question a little

(10:17):
bit differently. So the bottom line on all this is you really truly understand? It's all about the data. Always remember that. It's always about the data. Now the data controller, this is a person or entity that controls the processing of the data and they decide what data is to be processed. Now, dealing with GDPR, you will have different types of

(10:38):
data controllers, but, bottomline, this person is the one
that will control as far as whatdata is to be processed.
Why is this data should beprocessed?
This is the reason they'll alsodo that and then how it is to
be processed.
Those are some key questionsand key concepts that the data
controller will do so.
As an example, a company willcollect personal information on
your employee's payroll this.

(11:03):
You want to pass thisinformation on to a third party
to submit payroll for you.
The data controller willdetermine what data is passed
through to the third party.
Not everything may need to bepassed to the third party.
Some of the more default wayswould be just pass it all.
Well, but that does not work,especially in a more regulated
environment such as the EuropeanUnion.
That would be a bad thing.
So the data controller iswhat's going to determine what

(11:24):
needs to be sent to the thirdparty for payroll processing.
Contracts are in place to ensurethat third parties don't use it
for anything outside of whatthey've been called out for, and
these contracts are followedand maintained.
And they have teeth.
If a third party decides to usethe data in a way that is
inappropriate, it will come backto get them, and it's
imperative that you understandthis as well as you're putting

(11:46):
these in place.
Sometimes the security folkshave a little bit better handle
of what's going on with thisdata movement, and so, therefore
, your wisdom and guidance isgoing to be very important.
Large organizations they willactually hire a data controller
specifically to do this work,but if you're in a smaller
company, they may not.
They may have that person doingmultiple different tasks.

(12:06):
You are going to have to helpthem understand what is the
difference between a data owner,data controller, and what is
the different regulations askingfor in relation to those.
So, again, it really comes downto you helping them and
understanding the key conceptsrelated to data controllers.
Data custodian Day-to-day tasksare accomplished by the data

(12:27):
custodians we kind of mentionedat the beginning the difference
between a data owner and a datacustodian.
You could get confusing and itcan, because sometimes the data
owners will act like datacustodians and then sometimes
the data custodians will actlike data owners.
This is why I need to haveclear guidance on who owns which
data.
This helps protect theintegrity and security of the
data by ensuring it's properlystored.

(12:48):
It also ensures that dailyactivities are set up so that it
can be properly protected andmaintained.
This would include backups,daily log files and any daily
maintenance for the specificdata.
In and of itself, the custodianis the key factor.
Now I have seen this where thecustodian doesn't understand

(13:08):
what's going on with the data.
It maybe controls the access topeople that are gaining access
to the data, but when it comesto the backups and the log files
and any daily maintenancethat's related to this specific
information, they go well, it'sgot that and that is wrong.
That is not correct.
You need to make sure thatwhoever, as a security

(13:28):
professional, is your datacustodian, that you work hand in
glove with them to make surethat they understand what are
the backups, what are the logfiles?
Are there any daily maintenanceactivities that need to occur?
If the backups are occurringwithin a local backup or do they
have to be pushed up to, like aglacier, a long-term storage
backup?
When can you do backup andrecovery scenarios?

(13:49):
All of these things that you, asa security professional, may
have to work directly with thedata custodian on, and they need
to understand that it's notyour responsibility, because
when someone comes now again, ifthe CEO says it's your
responsibility, well then it'syour responsibility.
Comes now again, if the CEOsays it's your responsibility,
well then it's yourresponsibility.
But if the day comes andthey're asking for all of this

(14:10):
that's going to, you know, ifsomething bad happens, the data
custodian if that person isdefined, their neck is going to
be the one that's going to beout there for the guillotine.
So you need to make sure thatyou, as a security professional,
work very closely with them tohelp them understand the risk
and also the things that youhave in place to help protect it
.
Now, it may be a combination ofyou, it might be the IT guy, it
could be a lot of people rightthat are all involved, but when

(14:32):
it comes to the daily activities, do not allow them just to
assume that IT's got it, becauseIT in many cases don't got it.
So that's really good English.
I know you all are reallyprobably enjoying my English for
today.
All right, so what is a dataprocessor?
A data processor?
This is everything that relatesto processing the data.
Right, that makes sense.

(14:52):
So, if the data goes from point A to point B, how is it being processed? This could be the systems processing it, it could be individuals processing it, but what it comes right down to is where is this going? What is it doing? Well, related to GDPR, a data processor is defined as a natural or legal person, public authority, agency or other body which processes personal data solely on the behalf of the data

(15:15):
controller. Okay, that's GDPR. So, as an example, we'll talk about third party. The data controller collects personal data on employees for finance purposes, right, payroll, and then passes that information on to a data processor. We kind of mentioned earlier in the overall data controller's responsibilities. So a data processor is taking this information, they're

(15:36):
managing it, they're massaging it, they're manipulating it. They then, in turn, are doing something with it to help the overall company get done what they want to get done. But this is important for you to define who is a data processor, especially dependent upon highly regulated entities and highly regulated industries, because if you don't have this

(15:58):
well defined and you're just assuming that it's done, odds are high it's getting done incorrectly or it's not well defined and well documented. If you were to get audited, if you have to deal with a breach, the first thing they're going to ask is okay, who is your data processor? And then who is your data controller and who's your data custodian? And they're going to ask those questions and if you don't have

(16:18):
good answers, that is a very, very uncomfortable place to be. So, as it relates to compliance, you must comply with GDPR requirements, especially if you're dealing with the EU, or face fines up to 4% of global revenue. So, to put it in perspective, let's say your company does a billion dollars in global sales, global revenue, that's what they have coming in. Now, that's global, right.

(16:39):
So that's a billion dollars globally. If you're dealing with the EU, you could have up to a $40 million fine. So there's a big issue with this, right. You want to make sure that you are doing what you should be doing, and a $40 million fine, let's put this in perspective. A lot of companies, their margins that they make in a year, let's just say we're guessing, but some are higher, some are lower, but your margin could be anywhere from five to seven to

(17:04):
12%. So if you all of a sudden are cutting out 4% because of some foolishness, you now just lost, you're down to maybe making that year 3%. So that's huge and that's just the fine. That doesn't include the legal ramifications that go into this, because you got to pay lawyers to defend yourself. You've got to go out and pay other people for other stuff, so

(17:24):
that 4% real quickly could grow to around 6% or maybe even 7%, depending upon what are some of the aspects that go with it. So you must comply. Do not think you don't need to comply. You must comply and you must figure it out. The EU and US Privacy Shield. Now this was previously called Safe Harbor and just many years ago I had to deal with this. And this is the Privacy Shield piece of this that's in place.

(17:46):
Now organizations can self-certify and meet or comply with the Privacy Shield principles. Now there are 16 principles in total and you need to basically vow to uphold at least seven of them, and the ultimate goal of this is that saying I will do everything in my power to protect the information that's going to and from my company. One of the things that GDPR does allow for you to do is

(18:08):
transfer data from the EU into the United States, but you must do various aspects with the data. In the past, under the Safe Harbor, you could say I'm a Safe Harbor company and I vow to maintain these seven things and therefore I will protect the data and do what I need to do to protect it, but that doesn't work anymore. You have to. Basically, if you're looking under GDPR, you have to make

(18:32):
sure you have in place many of the controls that are there that are outside of the US and EU Privacy Shield. So, as an example, if you have data coming from the EU into the United States, the data controller must make sure that any data coming out of the EU into the US has been anonymized. It has data that is masked in some level or form. If it is not masked or anonymized in some level or form,

(18:55):
then there has to be an exception place that's put in place and that has to be done through works councils, and so that's a huge. It's just a long laundry list of things that have to go on. So, in reality, you want to make sure that you have the right people in place, especially if you're doing any level of EU business. Some other key GDPR terms that you need to understand is

(19:16):
pseudonymization. This is a process of basically using pseudonyms. Instead of an Indonesian, I can't say that word. It's pseudonyms, that's it, pseudonyms. I had a friend that we flew F-16s with and his call sign was POSUEDO and they, I asked him. I said why they call you POSUADO? And he said because he didn't know how to say pseudonyms, they

(19:37):
called him POSUADO. So, yes, so POSUADO or pseudonyms, they will represent other data that's out there. So in the example, Bill Smith is patient 12345. So the pseudonym is Bill Smith is patient 12345. So if you looked at it at a glance, without the cipher, you wouldn't know that Bill Smith is patient one, two, three, four, five.

(19:57):
It's very popular when working to try to obfuscate data. It's again, obfuscation is not a protection. It's more or less just obfuscation and causing drama more than anything else. But Bill Smith is suitified, right, as a patient one, two, three, four, five. No, it's totally just jacked up.

(20:42):
The only way that you candecipher this is if you have
logic that is set up toreconnect the dots, that you
could figure out what's going on, but in reality it's extremely
hard to do.
It's just also adds a lot ofdrama, and I've run into the
past where Bill Smith and theirsocial, bill Smith's name would

(21:02):
be just XYZ, and then theirsocial would be some random
10-digit number, which then inturn would tie back to this
person's Social Security andthen you would tie back to Bill
Smith and that would be a recordwithin your SQL database that
says this.
So, again, it adds a lot ofdrama and a lot of issues if you

(21:22):
don't do this.
Well, so you need to make surethat if you're going to deploy
some sort of pseudonympseudonyms, yes, that that
persuado you're going to add anypersuado or anonymization you
have a very good plan in placeon how you're going to one put
it into this anonymized path andthen also how to de-anonymize
it.
Data users and subjects okay, auser is any person who accesses

(21:43):
data via computing type device.
That's a user.
This should only have access tothe data they need for daily
activities, and we talk aboutthis a lot in cissp, cyber
training.
You have to have, uh, make surethat they have, only the
credentials they need for theirrole.
Anything above that is we callcredential creep.
And too much information or toomany credentials is like we

(22:05):
mentioned a few weeks back inrelating to the individual who
put a logic bomb within anorganization.
Once they get these credentials,they don't like to let them go.
Especially IT folks and this isa really big part is that IT
people, once they get thesecredentials, they don't like to
let them go.
Especially IT folks and this isa really big part is that IT
people, once they getcredentials, especially if they
become like godlike credentials,they do not like to relinquish
them.
So you, as a securityprofessional, need to just go

(22:27):
and rip them out of their coldheart, rip them away, tear them
apart.
Yes, you cannot allow that.
And, by the way, if you do that, you better not have good
credentials as well, because alot of times security folks will
say, well, I need thecredentials because I need to be
able to do my job.
That's bull, bull, honky.
You need to make sure that you,as a security professional, do
not have those level ofcredentials, because one you are

(22:49):
a target.
I would not allow it.
They wanted to give me allkinds of credentials as a CISO
and I would not take it.
I did not want those because,at the end of the day, I didn't
want my head to be on a platterand two, I had no business
dealing with them.
If I needed to get access tosome information, I would get it
for a temporary purpose andthen it would go away Again.
You must make sure that you dothat.

(23:10):
It does add pain and drama toyour life, but it's a very
important part.
So, again, subjects must can beusers, programs, processes,
services or anything that canaccess a resource.
You got users who access it,you have subjects, and then the
data subject is a person who canbe identified through an
identifier.
So you need to understand thedifferences between data users,
subjects and data subjects.

(23:33):
Now, data collection there's thetransborder flows of data
personal data.
There's previously there's beendomains around transborder, but
when it focuses right on it,there's key provisions around
the oecd, and this is was 30member nations, including the us
, that wanted to be determinedaround.
How do we deal with data that'stransferring, going across
borders?
This all started in 1980, sonow, as you can tell, this is

(23:55):
when it was issued.
Since 1980, which is like alifetime ago uh, that a lot has
changed and data now in the pastwas it was very specific data
flows from to and fromorganizations and from countries
.
Today it goes everywhere it isit's it's flying all over the
place.
So you need to truly understandwhere are your data flows

(24:15):
within your company, becausesome of these other provisions
and all these data flow productsthat come out like this in this
case of this, the Organizationfor Economic Cooperation and
Development may be out therethat may affect you.
So you need to just trulyunderstand your data flows.
And then, what are the membercountries that you are focused
on specifically?
Now there's eight drivingprinciples.

(24:35):
This is collection limitation.
Collection of personal datashould be limited.
We talk about this a lot.
You want to limit all personaldata that is collected.
It shouldn't be.
You shouldn't collect it unlessyou absolutely need to.
It should also be obtained bylegal and fair methods.
You shouldn't just go hey, oh,look, I found a bunch of data,
let's just suck it down.
No, you don't want to do that.

(24:56):
That's not a good idea.
So you want to make sure it'slegal and fair and that you
understand what data you arecollecting.
The data quality should be keptcomplete.
You shouldn't be parsing dataout and again, the reason is is
that it's like the data sprawlwe talk about a lot on CISSP,
cyber Training.
It sprawls.
It goes everywhere.
You run into data in alldifferent nooks and crannies of

(25:17):
your organization, so you needto make sure that it is complete
and it's consistent with apurpose that it's being used.
Another principle around datacollection is purpose
specification.
You need to have notificationto the person around the
collection and its purpose.
You need to have this withinyour policies of if you are
collecting data on people.
You need to highlight that youneed to have your legal team
policies of if you arecollecting data on people.
You need to highlight that youneed to have your legal team go

(25:38):
and give you some sort ofguidance around this.
This at the time it's collectedand of its purpose that it's
being collected.
You also have to have loose oruse limitations.
This is a consent of the personthat is allowing you to use this
information, and if they'regoing to declare or disclose any

(25:59):
data, that it has to be donethrough a person in the law and
they have to have authority todo so.
Now you need to be notified ifthe data is being used for
purposes stated differently thandisclosed.
What that means is that if youhave a document that says if I'm
going to collect your data andI'm going to disclose it and
it's going to be different thanwhat I have just highlighted in
this document from our legalteam, then I must let you know
that why we're doing that.

(26:19):
So the goal is that I'm collecting this data on you. They don't want you to take the data and say, well, you know what, we've got a subpoena on this and we're just going to use some of this data and send it over here and let them look at that. No, if you do that, you have to give information out to the person who's the owner of it and the individual that's being collected on that you are doing this.

(26:40):
You can't just go and do this willy-nilly and under the table. Now, again, I'm saying all of this. I am not a lawyer and do not take legal advice from me. I am giving you just advice based on experience that has occurred, and I would highly recommend that you get with a legal team. If you are interested in doing something similar to what I just mentioned, get with your legal team. Do not go, hey, Sean said we could do this. No, don't do that, I will deny it.

(27:02):
I will deny it. Security safeguards: you need to have reasonable safeguards in place to protect the data. Again, this is another part. You must make sure that you have the safeguards, because if you don't, and if you have not looked at this, and then something bad happens, they will come and tap you on the shoulder and say, what did you do? And it will be your throat to choke. Openness: you need to have developments and practices and

(27:24):
policies regarding this should be communicated. It should be open, it should be available, it should be transparent. All of that should be available for people to see if they want to see it, if they're the right person to see it. Now again, you don't just let everybody look at this, but if you have approval from your senior leaders, you have approval from your legal team, yeah, it should be open and transparent to everyone. Individual participation: individuals should be able to

(27:46):
determine if an organization has personal data. They also have the right to opt out. In certain jurisdictions, they can opt out from any sort of personal data being collected. Now, the downside of that is, in some cases, if you don't give me your personal information, I can't do payroll, which means you can't get paid, so you're going to have to give me something. That's the part. The sticky wicket in all of that is that people need to be

(28:09):
able to give information that's personal so that they can get paid. But the goal is that you don't give out any more personal information than you have to, and there are some people that, well, 99.9% of the people don't really pay much attention to this, but the 0.1 that does can make life extremely challenging. Yes, you can consume a whole day in just trying to deal with

(28:31):
that, and then an ongoing monthly drama that goes with that as well. Accountability: organizations are accountable to ensure that they comply with all these principles and they need to make sure of that. Again, the organization will be accountable in all aspects of data collection. Data location: this refers to the location of the data backups or copies. It's best practice to have one copy on-site and one copy

(28:55):
off-site. That's obviously a best practice. There's a 3-2-1 practice, which we'll get into in other parts of the CISSP, but bottom line is you have at least one copy that's on-site and one copy that is off-site in a stored location somewhere. Now how off-site does this copy need to be? Usually, typically, between 100 miles to over 2,000 miles.

(29:18):
So here's what the issue runs into. Let's use AWS as an example. Their data centers are all over the place. Well, one situation came up where we had a data center that we had our backup data in and the other data center was probably about 150 miles away, and they said, yeah, we're good. Well, the problem is that both of those data centers were on the same grid and the same outage that occurred, a

(29:41):
communication path that occurred, and it took down both data centers, so you lost your backups. Now, is that unique? Yes. Is it rare? Yes. Has Amazon tried to figure that out to this point? Yes. However, you need to decide how far away is far enough. 2,000 miles away and data replication on the West Coast is

(30:02):
much better by far. However, it's much more expensive too. So, and then also when you're having to recreate all of that data from someplace so far away, it can be even more challenging. So you need to understand what is best for you and your organization and where is the happy medium in between. Utilizing cloud backups for storage, what you need to make

(30:22):
sure is that you ensure that they are geographically in different regions. Ideally, you want to make sure that that's the case. But again, you got to look at your costs. You got to look at pricing and see if that works for you and your business model. Data maintenance: this refers to ongoing efforts to organize and care for data throughout the entire lifecycle of the data. We talk about this a lot.

(30:43):
Data lifecycle is important, from the beginning it was created to its death and destruction. So, storing of sensitive data on one server versus throughout the organization, do you want to do that? That's the example: if I keep all my data in one central repository, I know where it's all at, which is great, that's awesome. However, if that server goes down and you don't have good backups, life is terrible.

(31:03):
So you need to make sure that, which is what you want to do. Certain networks can process classified data. Others do not, and you need to understand the level of classification that occurs within your company. Is there some level of your super secret sauce that must stay in a protected network that is segregated from the rest of the environment, and are those servers and those networks

(31:26):
protected in a certain way that's different than your normal networks? These you should not commingle. Again, you got to determine what is best for you and your company. If you're dealing with the US government and top secret, secret and all those kind of fun things, they have very different requirements related to protecting the data and therefore they go above and beyond in many cases, probably way beyond what most companies

(31:48):
would need. It wouldn't need to be quite so draconian, but that's something you have to decide for you and your company. Process control networks: that data may be air gapped from other business data. You want to consider that that could be done through the Purdue model. It could be done different ways, but process control environments and their data, if it is segregated and air gapped, how do you get the data

(32:09):
to your business environment to basically manage it? Do you hand jam it in with your fingers? That would be a bad idea. Do you have ways to transfer data out, but not being able to transfer data in? All of those different pieces need to be understood around the overall data maintenance. Policies should be enabled to ensure that the proper maintenance of the data is set up. Again, policies are an important part and data maintenance needs

(32:31):
to be called out specifically as it relates to protection of your overall information. Routine audits should occur on the data, ensuring policies are being followed. Audits are an important part and you need to make sure that you do follow them. I highly recommend that you at least, if you don't have your audit team come in and do it, you do a self-audit and do an assessment of your own

(32:51):
information. You'd be surprised what you'll find. And you start digging and start digging a little deeper. You'll be going, oh no, that's not good. So you just need to make sure that. Start small and then work from there. Data retention: organizations no longer need the data. What are you going to do with it? Have it deleted, right? So much we call back to is data sprawl and data hoarding.

(33:12):
A lot of people will data hoard. They just keep it going. But I'm going to need it 10 years from now. You're not going to. One, you may not be with the company, and two, when you do leave the company and they go, why is this here? I have no idea. Obviously you want to work with your compliance folks around data retention policies. And how long do you keep the data? Also, understand that if you keep the data in your environment for long periods of time, it becomes discoverable

(33:34):
from a legal standpoint. Your business may not want that. So you have to weigh the challenges between having the data and keeping it long-term versus having it being discoverable. And we all know lawyers, they're needed in some cases. In some cases they're not. I do not, repeat, do not like lawyers that are the slip and

(33:55):
fall lawyers very much. They're not my friends, they're needed. There's a specific need in which I feel that very important, but then there's also times when they're just trying to get rich and so, yeah, I kind of went down a tangent there. I'm sorry, it's a little PTSD going on, but bottom line is that you need to make sure your lawyers are connected with everything you're doing.

(34:15):
As it relates to data retention, classification levels may require a deletion process that will vary, right? So if you have top secret data, the deletion of top secret data is very, very different than deletion of general type data, and you need to have a good understanding of what is that process. Now in your organization you may not have top secret, but you've got super secret sauce data.

(34:35):
You may want to have five different people approve before any data is ever deleted. So you just got to kind of think about all of those things. Organizational deletion policies should be created to help alleviate inconsistencies. So you should create the policies and then the procedures that go along with that. And then the destruction of media types needs to be considered and documented as well: CDs, DVDs, which aren't

(34:56):
really used ever anymore, but you may run into them, email, USB, SSD drives, all of those things, any sort of media that you create. What is the destruction policy around that? And if you know the destruction policy, then is that being maintained? Is it being managed? Who is the data custodian ensuring that this policy is being followed and that the data retention policies are actually

(35:17):
being followed as well? Data remnants: data remnants is the data remaining on the disk after it's been erased. So this is when you go through and you do your format of your disk. The residual data after full erasure of the disk is a big factor. There is a lot of times data left on there, and some of this can be personal, can be all kinds of things. Now this is dealing with a lot of the hard drives, even the

(35:37):
SSDs, but the disks are now, to this point, so inexpensive, if you can even get platter disks anymore, I don't even know if you can, that destroying that, fully destroying these, is the best course of action in most cases, serious problems, especially with today's tools. What that means is like an SSD drive is so bloody big that

(35:58):
overwriting it is a bit of a challenge. So obviously one of the big factors is just destroy it. It's just cheaper and it's faster just to do that when you're dealing with data leakage, and data loss can be substantial. I think somebody mentioned that there's a hard drive somewhere that has a Bitcoin on it that's worth like 18 bazillion dollars. Yeah, that was a bad idea.

(36:18):
That's a data leak or data loss. You'd be kicking yourself pretty hard on that one. Ghost image on computers or CRT monitors you can get. The CRT is a cathode ray tube type monitor, which, if they still have those and people use those, that's craziness because they cost like a fortune to run, but you can have ghost images that are set on there. What does that mean? You didn't go into sleep mode and it just basically burned an image into the cathode ray tube.

(36:39):
So, yeah, those can be there and that can divulge information as well. But if you're using CRTs, holy cow, you are... Yeah, that's like really, really old school type of segregated crypto something or other. I don't know what to even call that. I would, if you saw that, it's probably so old there's nothing of any value on it. But maybe then again it's the super nuclear codes to finding

(37:02):
the aliens from planet X. I don't know. Other things are dealing with data remnants. We've talked about this in various aspects of the CISSP. Degaussing, degaussing, degaussing. It's powerful magnets that are used to destroy typical magnetic drives. Doesn't work well with SSDs, but it does work well with magnetic platter drives and it will nuke them. Don't go next to it with anything else,

(37:23):
like a pacemaker, you will die. But degaussing is an important part and it's designed specifically for magnetic drives. Physical destruction: I call these the jaws of death. They basically are like a big chopper. You throw the hard drive in it and it just pulverizes it, it shreds it and it destroys everything that goes into it. So I highly recommend that you just use solid state drives.

(37:44):
You throw them into the jaws of death. Don't go in there with a tie because it'll suck you in like something out of James Bond. But the jaws of death work really good to destroy stuff. Pretty much any media you'd want destroyed, throw it in there. Erasing: this is where you delete the operation of the file or the media type. So you're basically deleting the file that's on it, but it really typically only removes the pointer to the file location

(38:06):
, so the data still is sitting on there. It's just now the pointer to where it's at is gone, and so the goal is that, well, when you remove the pointer now, as you start writing onto the disk, you will overwrite that data, and that's fine for the most part, but that does leave a lot of extra data potentially just sitting out there that could be collected by somebody. So therefore, just throw it in the jaws of death. Clearing:

(38:29):
this is where your overwriting process for media to reuse means data cannot be recovered. So basically, the point of this is that you write a single character over every disk. So when you're clearing it, instead of just getting rid of the pointers and you're writing in one specific area, you're writing a one over every single sector, every single location on your disk, and so therefore it's all just written

(38:53):
to one and it would overwrite any data that's there. There's various tools that can do this. The challenge is the size of these hard drives now, or these SSDs, are so large that it can take like forever to do this. So you really got to ask yourself, what's your opportunity cost available for this? What's it worth to you to just get this $150 drive and

(39:15):
just go, you know what? Put it in the jaws of death. We'll just move on, because if you're getting paid 20 bucks an hour and it takes you four days to do this because it's overwriting, your opportunity cost for that $150 drive isn't really worth it. So you just got to kind of ask yourself those different types of questions.

(39:37):
Purging: this is a more intensive form of clearing. This is done by the government. Instead of just writing a one over each of the sectors, you would write a one. Then you'd come back and write a zero and write a one. It goes like a three or four pass type of option. It just depends. I think you can set however many passes you want, but that is what they call purging. So again, degaussing, physical destruction, erasing, clearing and purging. So data remnants and automated information systems.

(39:58):
So we kind of talked about some of this already. Clearing and purging. Declassification: this is removing the security classification of the subject media. So if you had top secret and you just go and erase it, it's now not top secret anymore, right? Wrong. But there's a process by which you can declassify this information by removing some of the classification in it.

(40:18):
Coercivity: this is measured in oersteds, yeah, O-E, and this is basically a property of the magnetic material used to measure the magnetic field. Yeah, so bottom line is that if you see in that, that's coercivity. Yeah, it's a big word, but yeah, it's different types of that. So we're going to go into the different types of tape. So if you're connected to it, tape has, magnetic tape has

(40:40):
different types of OE. There's a type 1 through type 3 tape. Bottom line is that, depending upon the magnetic materials in each of these tapes, they will then have the measured amount of data that they can store. If you're dealing with magnetic tapes, you're definitely old

(41:01):
school. There is magnetic tape still being used. People use them a lot and therefore they are great for keeping certain levels of data. However, the amount of data they can store is much less, obviously, than a disk drive. But you want to understand that if you use magnetic tapes, the degausser will take out the magnetic aspects of it, it will nuke them and it will make them worthless. So do not take your magnetic tapes near, anywhere near or close to a degausser.

(41:22):
There's a permanent magnet degausser. This is a handheld permanent magnet that can be used to degauss floppy disks or disk platters. Floppy disks, yes, if you still see floppy disks out there, again, you are old school. And yeah, they don't hold much data. I think you can probably hold more data on a very, very, very tiny thumb drive than you can on a floppy drive. So again, this is, it's...

(41:45):
If you're dealing with this, you are, you're back in the stone ages. Sorry, but there's a permanent magnet degausser. This is just one where you have magnets. You put it over your hand and use it just to degauss certain types of media. Now, this will not work. The handheld degausser will not work for degaussing tape, and it's because it's just not strong enough to do that,

(42:07):
especially as it's wrapped up in that coil. It's kind of, you know, in the tape side of the house. So that's where you need to have the big degausser go in and nuke it. That's the better option. Now there's some considerations for storage media reuse. When you're dealing with this, one is destination of the release media. Obviously you need to know where is this media going and where, what's it...

(42:27):
Where's it going to be stored? Effects of heat and age. Tape media, that does not age well. Platters don't age well either. So they have a problem, and if you add a lot of heat then they really age quickly. Mechanical storage device equipment failure. This is if you have the tape type of reader. They do fail. They don't make that stuff anymore and the software used to

(42:48):
run it, they don't make that anymore. So you really need to figure out getting off of those types of storage media if possible. Storage device segments are not receptive to overwrite. That's a very important part. Overwrite software and clearing and purging, all that stuff needs to be defined and understood, especially when you're looking at doing media reuse of some

(43:08):
kind, and then also not understanding your data sensitivity. Is the data that's being reused, was it highly sensitive data? The media, I should say. So is there a risk of any sort of accidental disclosure around the media that's in this? And then improper use of degaussing equipment. If you don't use the degaussing equipment correctly, you can leave data on the system. Again, I highly recommend just giving it to the jaws of death.

(43:32):
That's the much better option rather than trying to degauss anything. Unless you absolutely have to, put it in the jaws of death; you don't ever have to worry about it, because once you degauss a magnetic tape, it's useless. It really is. So just throw it in the jaws of death and then you don't have to worry about anything. Storage device segments that are not receptive to overwrite, they're unusable tracks on disk drives.

(43:55):
They are very difficult to completely wipe, and then you need to really make sure you understand and check the devices for usable or damaged areas before uploading any data to them. This is basically when you're trying to reuse it and you don't know if it actually is going to work or not. An unreceptive system or data device, then just degauss it or potentially just throw it in the jaws of death.

(44:16):
So again, I'm not a big fan of degaussing and trying to overwrite data. It used to be extremely expensive for hard drives and so people would do it. In today's world they're not that expensive. You're better off just trashing it, and if you don't have the jaws of death, then you get out a saw and saw that sucker in half, get a hammer and just beat the dickens out of it, do all

(44:38):
of those things that will do wonders for taking care of it and making the device not equipped to be able to be used for anything. So again, I highly recommend not degaussing, just throw it in the jaws of death. But if you do have the degauss for the CISSP and you understand, you need to know how to do it. Well, we just went over everything you need to know on how to degauss.

(44:59):
Okay, degauss, not de-gauze, that's taking gauze off your person, but degauss is to actually do the wiping from an electromagnetic standpoint. Okay, that's all we've got for today. Hey, head on over to CISSP Cyber Training. Hope you guys had a wonderful day. Head over there, get some free content. Sign up for my email aspects.

(45:19):
I will send you all kinds of great stuff and it's free stuff for your CISSP. If you're looking to be mentored and you want to actually grow your cybersecurity career, reach out to me at CISSP Cyber Training. I've got some different programs that are out there specifically for you to help you in your cybersecurity goals and desires. I get a lot of students that ask me, hey, my job is going away, what should I do in cyber?

(45:40):
I'm here to help you. There's a lot of people out there that can try to teach you how to do cyber. I've done it 20 years. I've done a lot of the different roles that you guys have done, or I've worked with people that are in those roles, so I can help you with anything you possibly need related to your career. All right, I hope you all have a great day. Again, thanks so much for listening and we will catch you all on the flip side, see ya.

(46:00):
Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time.

(46:21):
Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.