1: Security and Risk Management
2: Asset Security
3: Security Architecture and Engineering
4: Communication and Network Security
5: Identity and Access Management
6: Security Assessment and Testing
7: Security Operations
8: Software Development Security

2: Asset Security

#1 Q: What are some responsibilities of a data (information) custodian?

A: The data custodian is responsible for maintaining and protecting the data as dictated by the data owner, and for verifying its availability. This includes performing regular backups, restoring data from backup media, retaining records of activity, and fulfilling the information security and data protection requirements set out in the company's policies, standards, and guidelines. The custodian implements the controls; the custodian does not decide what level of protection the data needs.

#2 Q: Do data owners work at a higher level than the data custodians? What are some of their responsibilities?

A: Yes. The data owner is accountable for the data and, for starters, is responsible for assigning information classifications, dictating how the data should be protected, and determining how long to retain it.
The data owner basically states, "This is the level of integrity, availability, and confidentiality that needs to be provided; now go do it." The data custodian must then carry out these mandates and follow up on the installed controls to make sure they are working properly.

#3 Q: Why do we classify data?

A: Data classification dictates who may read and write data (for example, data stored in a database) and how it must be handled throughout its life. Each classification level should have its own handling requirements and procedures covering how that data is accessed, used, stored, and destroyed. For example, in a corporation, confidential information may only be accessed by senior management, auditing of that access could be very detailed with its results monitored daily, and degaussing or overwriting procedures may be required to erase the data. On the other hand, information classified as public may be accessed by all employees, with no special auditing or destruction methods required.

#4 Q: What if you were a CPO? What are your duties?

A: The chief privacy officer (CPO) position is responsible for ensuring the security of customer, company, and employee data, which keeps the company free from legal prosecution and, hopefully, out of the headlines. Thus, the CPO is directly involved with setting policies on how data is collected, protected, and distributed to third parties. The CPO is usually an attorney and reports to the chief security officer (CSO). In addition, the CPO is responsible for knowing how the company's suppliers, partners, and other third parties are protecting its sensitive information. Many times, companies will need to review these other parties (which have copies of data needing protection)

#5 Q: What exactly is a data user anyway?

A: Any individual who uses data for work-related tasks is a data user. Users must be given the level of access to the data that their position requires (and no more), and they are responsible for following operational security procedures so that the data's confidentiality, integrity, and availability are preserved for others. This means that users must practice due care and act in accordance with both the security policy and the data classification rules.

#6 Q: What's the first step in a data classification program?

A: First, define the different levels of protection that must be provided. Only then can the classification levels and the criteria for each be developed. Regardless of how many classification levels are chosen, there should be no overlap in the criteria definitions between levels (any given piece of data must land in exactly one level), and classification levels should be developed for both data and software.

#7 Q: Is the sensitivity of data contingent on how it will be used?

A: Oh, gosh. No way. What if the data isn't used at all? It could still be sensitive. Data sensitivity should be decided by who should be accessing the data, the value of the data, and the level of damage that could be caused if it were exposed.

#8 Q: Does setting the classification for the data drive all other decisions about the data? Also, would you be so kind as to remind me who is in charge of such a task?

A: Heck ya! And that would be the data owner. Deciding how the data will be used and who should use it also falls within the scope of the data owner, but those are functional rather than security responsibilities. The owner may participate in determining the value of the data, but since its value is a measure relative to all other corporate data assets, it is not usually something the data owner is solely responsible for.
And also, did you know? Determining how the data will be preserved falls to the data custodian.