ISC2 CISSP

Data security controls and the CISSP exam

February 5, 2025 by Aroosa Ashraf

Information is one of the most important assets of any organization, and data security controls exist to protect systems and networks by preserving confidentiality, integrity and availability. Data security controls safeguard sensitive information and proactively apply countermeasures against unauthorized use. This minimizes security risks to systems and data and slows down or deters malicious attacks. 

On the CISSP exam, data security controls are assessed in Domain 2 under the larger umbrella of asset security. In this article, we’ll explain some of those concepts in detail. 

For more CISSP exam tips, get our free CISSP exam tips and tricks ebook, or watch our free one-hour CISSP exam tips course with an instructor whose students have a 95% pass rate. 

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

Technical control

Technical controls are security controls executed by computer systems that provide automated protection against misuse or unauthorized access. They are hardware- and software-based measures, also known as logical controls. Popular examples include firewalls, data encryption technologies, endpoint detection and response (EDR) systems and patch management systems. 

Security system

Information system security, also known as “InfoSec,” refers to the methodology and processes for maintaining confidentiality, integrity and availability (Infosec is also the shorthand name for Infosec Institute, which has been providing security training for more than two decades). These three properties, known as the CIA triad, form the foundation of cybersecurity. 

Data security

As more and more sensitive information is stored electronically, data security focuses on all data states: at rest and in transit. It involves operational, administrative and architectural controls, including controls built into the software itself. 

The cybersecurity framework

Most organizations follow a similar cybersecurity framework, but they implement it with different means: cryptography, error handling and software security architecture. 

The standard cybersecurity framework includes the following: 

  • Cryptographic protection 
  • Denial of service protection 
  • Information in shared resources 
  • Protection of information at rest 
  • Transmission confidentiality and integrity 
  • Transmission of security attributes 

Data at rest

Data at rest is data in storage, either on electronic media or in a physical location. It is not currently being used; popular examples include archived emails, financial records on a server or photographs on a USB drive. Data at rest is often protected with encryption because it is exposed to ransomware attacks, data breaches, physical theft and unauthorized access. 

Data in transit

Data in transit is often in its most vulnerable state, because it is being sent from one location to another, whether over the internet or between two computers on a network. Popular examples include file transfers, video calls and instant messaging. While in transit, data needs the highest level of protection against man-in-the-middle attacks and unauthorized access, as it is highly exposed to interception, misuse or theft. 

Scoping and tailoring

Scoping and tailoring are the processes of narrowing and adapting general recommendations to a specific environment. Scoping limits general recommendations by removing aspects that do not apply, and tailoring alters the details of those that remain. Together they align the security posture with the overall business strategy by customizing controls and dropping irrelevant elements. 


IT baseline protection

IT baseline protection is an approach to information security from the German Federal Office for Information Security (BSI), which involves identifying and implementing computer security measures. The goal is to maintain a suitable level of protection for each individual system, and the framework recommends experienced personnel, technical safeguards and organizational structure in a systematic approach. 

Overview baseline security

At an overview level, baseline security refers to the standard security procedures for any organization and may follow the ISO/IEC 27005 recommendations. That standard covers systematically identifying, assessing, evaluating and treating information security risks. 

IT security standards and frameworks

Information security standards and frameworks are a crucial part of securing any network. In any organization, security teams need to systematically define security requirements and develop strategies to address potential risks and vulnerabilities. Organizations increasingly house sensitive data on company operations, personnel and finances. With the rise of remote work, sensitive files are accessed across local networks, physical headquarters, employees’ homes and potentially vulnerable public Wi-Fi networks. 

Standardized IT security frameworks aim to protect the organization and individual managers from civil liability, financial loss and even criminal repercussions for negligence. 

Cryptography

Cryptography is the science of applying logic and complex mathematics to build robust encryption methods. It uses algorithms and ciphers to turn data into an unreadable format called ciphertext. Only the intended recipient holds the secret key to decrypt the information, and this process keeps communication and data secure both at rest and in transit. The Advanced Encryption Standard (AES) is the most widely used symmetric cipher and, when correctly implemented with adequate key lengths, is considered computationally infeasible to break. 

Early cryptography

Advanced cryptography is used in modern-day cybersecurity, but cryptography has historically been used to transmit communications securely between military forces, government agencies and individuals. A popular example of early cryptography appears in the movie The Imitation Game, which follows codebreakers and the mathematician Alan Turing as they try to break the German Enigma cipher during World War II. Ancient civilizations such as the Egyptians and Mesopotamians used even earlier forms of cryptography. 

Modern-day cryptographic protocols appear in the following forms: 

  • Digital signatures 
  • Encryption algorithms 
  • HMAC (hash-based message authentication code) functions 
  • Message digest functions 
  • Key exchange algorithms 
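Three of the items in the list above (message digests, HMAC and digital signatures) are easy to confuse on the exam because all three produce a short value derived from a message. The Go program below is an added example, not code from the article, that computes each one with the Go standard library and shows what each does and does not prove: a SHA-256 digest detects change but anyone can recompute it; an HMAC over a shared secret proves the message came from someone holding that secret; an Ed25519 signature proves origin to anyone holding only the public key, which is what makes non-repudiation possible. The sample message and the shared secret are constructed values; a real secret would come from a key management system, not a string literal.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// DigestHex returns the SHA-256 message digest as hex: a fixed-size fingerprint
// that detects accidental or deliberate change but proves nothing about who
// produced the message, since anyone can recompute it.
func DigestHex(msg []byte) string {
	sum := sha256.Sum256(msg)
	return hex.EncodeToString(sum[:])
}

// Tag computes HMAC-SHA256 over msg with a shared secret. Only a party holding
// the same secret can produce or verify the tag (symmetric authenticity).
func Tag(secret, msg []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyTag uses a constant-time comparison. Comparing with == or bytes.Equal
// would leak, through timing, how many leading bytes of the tag matched.
func VerifyTag(secret, msg, tag []byte) bool {
	return hmac.Equal(Tag(secret, msg), tag)
}

// NewSigningKey generates an Ed25519 key pair from the OS CSPRNG.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces a digital signature with the private key. Anyone holding the
// public key can verify it, so the signer cannot later deny having signed.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifySig checks a signature against the public key; it returns false for an
// altered message, a wrong key or a malformed signature.
func VerifySig(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	msg := []byte("transfer 100 to account 42")   // constructed sample message
	altered := []byte("transfer 900 to account 42") // constructed tampered copy

	fmt.Println("digest:", DigestHex(msg))

	secret := []byte("shared-secret-from-a-KMS") // constructed; real secrets are random
	tag := Tag(secret, msg)
	fmt.Println("hmac:", hex.EncodeToString(tag))
	fmt.Println("hmac verifies original:", VerifyTag(secret, msg, tag))
	fmt.Println("hmac verifies altered: ", VerifyTag(secret, altered, tag))

	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	sig := Sign(priv, msg)
	fmt.Println("signature verifies original:", VerifySig(pub, msg, sig))
	fmt.Println("signature verifies altered: ", VerifySig(pub, altered, sig))
}
```

The practical distinction: an HMAC is the right tool between two parties that already share a secret (an API and its client, two services behind one key management system), while a digital signature is the right tool when verifiers must not be able to forge, which is why certificates in a PKI are signed rather than HMACed.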

Public key infrastructure: Basic components

Public key infrastructure (PKI) provides the framework of standards, protocols, services and technology that allows organizations to manage and deploy robust and scalable information security. The structure includes certification authorities, certificate revocation lists and digital certificates. PKI uses asymmetric cryptography to issue digital certificates to individual users or devices, allowing only authorized access. 

Risk factors associated with cryptography systems

Managing the inherent risk of cryptographic systems is multifaceted. They remain vulnerable to brute-force, known-plaintext and other cryptanalytic attacks. Weak cryptography is easier for attackers to exploit, but when it is done right, it can limit the spread and impact of a data breach or ransomware attack. 

Attackers will probe a cryptographic system for weaknesses in how it is deployed, so its risk depends on factors such as: 

  • Key lifetimes 
  • Public key length 
  • The randomness of keys generated 
  • Private keys’ secure storage 
  • Security protocols’ strength 
  • Strength of implementation of the security technology 
  • Symmetric key length 

Popular mitigation strategies include using strong encryption algorithms, sound key management, secure coding and software development procedures, ongoing security audits, access control measures and regular, rigorous employee training. 

Restrictions on cryptography export

Cryptography is treated as a controlled technology, and export restrictions apply to cryptographic and encryption products. Knowing which types of cryptography are permitted in your country is important, as the rules and the available strength vary by geographic region. 


Prep for the CISSP exam 

To prepare for the CISSP exam, you must understand data classification, data retention, data leakage prevention and data encryption. Review popular study methods and materials within the CISSP training hub, and consider taking a live, in-person or online CISSP Boot Camp. 

Aroosa Ashraf

Aroosa Ashraf is a trained and registered pharmacist from the Government College University of Faisalabad (GCUF). She completed her graduation in 2013. She is an experienced researcher and technical writer and has been working as a writer on different platforms for the last 4 years. Currently, she writes technical and non-technical articles for her national and international clients.