CYS401 · Chapter 4

Protection of
Information Assets

A complete study guide with explanations, examples, tips & exam prep - based on your lecture slides.

🗂️
What Is an Information Asset?
Foundation - know this cold.
Definition

An information asset is any information that has value to an organization, regardless of its form. Information assets support organizational missions and decision-making.

Primary Information Assets

These are the actual data itself:

Customer/student records · Financial records · Research data · Intellectual property · Source code · Emails & reports · Databases

Supporting Information Assets

The infrastructure that stores or processes it:

Software: OS, ERP, LMS, databases
Hardware: Servers, PCs, USBs, mobiles
Network: Routers, VPNs, firewalls
People: Employees, admins, contractors
Physical: Data centers, offices, power

Student records at PSU = information asset. The Oracle database storing them + the server running it = supporting assets.
Primary assets are what you protect. Supporting assets are what you use to protect them.

🛡️
Why Protect Information Assets?
The CIA Triad drives every reason.

🔒 Confidentiality Loss

Privacy violations, legal penalties, and reputational damage. A leaked student database violates PDPL and FERPA.

⚠️ Integrity Loss

Incorrect decisions, operational failures. An attacker modifying financial records could lead to wrong business decisions.

🌐 Availability Loss

Service disruption, business continuity failure. A DDoS attack taking down online banking costs millions per hour.

📌 Key Point: Security is a Business Issue, Not Just IT

Protecting information assets is a strategic, legal, and governance requirement, not merely a technical concern. Senior leadership must be involved - you can't delegate this entirely to the IT department.

On an exam, if asked "why protect information assets?" - always mention ALL three: business value, legal compliance, and reputation. Don't just say "hackers."

Information Lifecycle

Creation → Storage → Retrieval → Usage → Disposal

Security controls must be applied at every stage of the lifecycle.


🏛️
Security Governance
Governance vs. Management - a classic exam distinction.
Security Governance

The collection of practices related to supporting, defining, and directing the security efforts of an organization. Corporate governance = "Doing the right things for the organization and doing things the right way, independent of personal interests."

🏛️ Cybersecurity Governance

Focus: Direction, accountability, oversight, control - strategic.

Who: Board of Directors, Senior Leadership, Governance Committees

Key questions:

▸ Are we doing the right things?
▸ Are investments aligned with business risk?
▸ Are roles & responsibilities defined?

Examples: Approving enterprise security policies · Defining acceptable risk levels.

⚙️ Cybersecurity Management

Focus: Execution, operations, monitoring, incident response - tactical.

Who: CISOs, Security Managers, Analysts, Technical Staff

Key questions:

▸ Are we doing things right?
▸ Are controls implemented & maintained?
▸ Are we responding to threats effectively?

Examples: Deploying firewalls · Monitoring incidents · Running vulnerability scans.

Which of the following is an example of governance (not management)?
a) Running a vulnerability scan · b) Approving enterprise security policy · c) Deploying a firewall · d) Monitoring logs
b) Approving enterprise security policy - Governance = oversight/direction at board level.

Third-Party & Cloud Governance

When using ASPs (Application Service Providers) or cloud providers:

▸ Organizations remain accountable for data protection even when outsourcing.
▸ Due diligence must be performed before engaging any vendor.
▸ Contracts and SLAs must clearly define security responsibilities.

✅ Due Care

Reasonable steps to protect assets by following accepted security practices.

Examples: Enforcing strong password policies · Applying security patches · Using antivirus & firewalls.

Demonstrates responsible operation.

🔍 Due Diligence

Actively identifying and analyzing risks - goes further than due care.

Examples: Conducting risk assessments · Auditing third-party providers · Reviewing incident history & vulnerabilities.

Demonstrates proactive risk management.

Due Care = "we did the basics." Due Diligence = "we actively investigated risks." Both are needed to avoid legal negligence.

📐 Governance Frameworks

Organizations use formal frameworks to structure governance:

▸ NIST 800-53, NIST 800-100 - primarily for government/military, but widely adopted.
▸ ISO/IEC 27014 - Governance processes: Evaluate → Direct → Monitor → Communicate → Assure.


🏷️
Information Classification
Classify based on sensitivity & impact.

Why Classify?

Classification helps apply appropriate security controls - not too little (risk) and not too much (waste). The guiding question is always: "What is the worst possible impact if this information is disclosed, altered, or destroyed?"

🏛️ Government / Military Classification

Top Secret

Disclosure causes exceptionally grave damage to national security

Secret

Disclosure causes serious damage to national security

Confidential

Disclosure causes damage to national security

Unclassified

Can generally be distributed publicly

🏢 Commercial Classification (4 Common Levels)

Public

Freely disclosed

Marketing materials, price lists, public website

Internal Only

Not for public

Org charts, sales playbooks, battlecards

Confidential

Sensitive - ops impact

Vendor contracts, employee reviews

Restricted

Highest sensitivity

IP, credit cards (PCI), SSNs, PHI

Commercial systems have no universal standard. Each company creates its own. The more regulated the industry (e.g., healthcare, banking), the more complex the classification.

🔒 Special Data Types - Always Restricted

PII

Personally Identifiable Information - any info that can identify an individual: name, SSN, biometrics, date of birth, mother's maiden name.

PHI

Protected Health Information - health-related data linked to a specific person. Received by healthcare providers, health plans, insurers.

Proprietary Data

Data that gives competitive advantage: source code, technical plans, internal processes, trade secrets, patents, copyrights.

🏷️ Marking Sensitive Data

Physical Labels

Stickers or stamps on physical media/folders indicating classification level. Example: a binder labeled "CONFIDENTIAL DATA".

Electronic Labels

Headers/footers in documents, watermarks embedded in files. Benefit: they also appear on printed copies automatically.

Which classification level would a hospital's patient records fall under in a commercial system?
Restricted - PHI is highly sensitive data that, if compromised, puts the organization at financial and legal risk (HIPAA).

Security Requirements by Class

Classification | Example Data | Key Controls
Sensitive/Critical | Biometrics, medical data | Encrypted storage, no email transfer, authorized access only, weekly backups in locked safe
Confidential | Names, addresses (GDPR) | Encrypted storage & transfer, no unencrypted email, password-protected access
Private/Internal | Research comms | Agreed storage (Email/OneDrive), username + password, email to authorized staff only
Public/Unclassified | Staff job titles, project website | Public use authorized, encryption not required, backed up weekly
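Added example (not from the lecture slides): a small Python policy check that classifies a record by its most sensitive field (high-water mark) and tests a proposed handling action against the controls in the table above. The field categories, action names and sample records are assumptions made for this example.

```python
from enum import IntEnum

# Classification levels from the "Security Requirements by Class" table,
# ordered so that a higher value means more sensitive.
class Level(IntEnum):
    PUBLIC = 0        # Public/Unclassified
    INTERNAL = 1      # Private/Internal
    CONFIDENTIAL = 2  # Confidential
    CRITICAL = 3      # Sensitive/Critical

# Field categories (names chosen for this example) and the level each one
# drives a record to. Special data types (PHI, biometrics) are always top level.
FIELD_LEVEL = {
    "job_title": Level.PUBLIC,
    "project_url": Level.PUBLIC,
    "research_note": Level.INTERNAL,
    "name": Level.CONFIDENTIAL,
    "address": Level.CONFIDENTIAL,
    "medical": Level.CRITICAL,
    "biometric": Level.CRITICAL,
}

# Handling actions (example names) and the lowest level at which the table
# forbids them; a prohibition carries up to every higher level.
#   Internal: email to authorized staff only -> no publishing, no external email
#   Confidential: no unencrypted email, encrypted storage required
#   Sensitive/Critical: no email transfer at all
FORBIDDEN_FROM = {
    "publish": Level.INTERNAL,
    "email_external": Level.INTERNAL,
    "email_plain": Level.CONFIDENTIAL,
    "store_plain": Level.CONFIDENTIAL,
    "email_encrypted": Level.CRITICAL,
}

def classify(record: dict) -> Level:
    """High-water mark: a record is as sensitive as its most sensitive field.
    Unknown field categories fail safe to CONFIDENTIAL."""
    levels = (FIELD_LEVEL.get(field, Level.CONFIDENTIAL) for field in record)
    return max(levels, default=Level.PUBLIC)

def check_handling(record: dict, action: str) -> tuple[bool, str]:
    """Return (allowed, reason) for applying `action` to `record`."""
    level = classify(record)
    threshold = FORBIDDEN_FROM.get(action)
    if threshold is not None and level >= threshold:
        return False, f"{action} is not permitted for {level.name} data"
    return True, f"{action} is permitted for {level.name} data"

# Constructed sample records: a staff listing and a patient record.
STAFF_LISTING = {"name": "A. Staff", "job_title": "Lecturer"}
PATIENT_RECORD = {"name": "J. Doe", "address": "1 Main St", "medical": "dx"}
```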

💾
Protecting Data in All States
At Rest · In Transit · In Use

💽 Data at Rest

Stored data: hard drives, databases, backup tapes, USB drives, NAS systems.

Controls:

▸ Encryption (e.g., AES-256)
▸ Strong access controls & authentication
▸ Secure storage facilities
▸ Environmental controls: HVAC, fire suppression
▸ Physical locks & security

🌐 Data in Transit

Data moving across a network, being uploaded/downloaded or emailed.

Controls:

▸ Encrypted communication channels (TLS/SSL)
▸ Secure network protocols (HTTPS, SFTP, VPN)
▸ Network monitoring & IDS/IPS
▸ Digital signatures for integrity

🖥️ Data in Use

Data actively being processed in memory/RAM, currently opened by a user.

Controls:

▸ Access control & authentication
▸ Endpoint security (EDR, antivirus)
▸ Memory protection
▸ Screen privacy filters
▸ User activity monitoring

These three states are a popular exam topic. For each state, know at least two specific controls. Data in transit = always think encryption protocols.
A hospital's patient database stored on a server = data at rest (AES-256 encryption). A doctor emailing a prescription = data in transit (TLS). A doctor currently reading the file = data in use (access control, screen lock).

🗑️
Data Retention & Secure Disposal
Deleting a file is NOT enough - know the difference between all methods.

Record Retention

Organizations must retain records for as long as needed for business operations, legal compliance, and audits. Retention periods are set by organizational policy, industry standards, or law (e.g., 3 years, 7 years, or indefinitely). Once the period expires → securely destroy.

⚠️ Two Key Risks of Improper Disposal

Data Recovery: The process of retrieving lost/deleted data from storage - a forensic attacker can recover deleted files.
Data Remanence: Residual data that remains on media after it was "supposedly" erased - even formatting doesn't eliminate it.

Digital Disposal Methods (Least → Most Secure)

1 · Erasing
Simply performing a delete operation. Everything is still recoverable. Equivalent to dragging to the trash bin.

2 · Formatting
Puts a new file structure over old data. Still recoverable in most cases. Slightly better than erasing but not secure enough for sensitive data.

3 · Clearing (Overwriting)
Prepares media for reuse. Cleared data cannot be recovered using traditional tools. Overwrites storage with random data (e.g., DoD 5220.22-M standard).

4 · Purging (Degaussing / Multiple Overwrites)
More intense form of clearing. Prepares media for reuse in less-secure environments. Degaussing uses magnetic fields to erase magnetic media (HDDs, tapes). ⚠️ Degaussing does NOT work on SSDs.

5 · Destruction
Final stage - physically destroying the media (shredding, crushing, incineration). Most secure method. Used for highly sensitive data that must never be recovered.

6 · Declassification
Any process that purges media or a system in preparation for reuse in an unclassified environment. Must be formally approved.
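Added example (not from the lecture slides): a toy sector-based disk in Python that shows why erasing and formatting leave data remanence that a carving tool can recover, while clearing by overwriting does not. The file-system layout, the patient record and the carve routine are simplified constructions for illustration.

```python
import os
SECTOR = 16  # bytes per sector in the toy disk

class ToyDisk:
    def __init__(self, sectors: int = 8):
        self.disk = bytearray(SECTOR * sectors)  # raw storage, every sector
        self.format()

    def format(self):
        """Quick format: new directory, all data sectors marked free, old data untouched."""
        self.dir = {}  # file name -> list of sector numbers
        self.free = list(range(1, len(self.disk) // SECTOR))
        self.disk[0:SECTOR] = b"TOYFS v1".ljust(SECTOR, b"\0")

    def write(self, name: str, data: bytes):
        self.dir[name] = []
        for i in range(0, len(data), SECTOR):
            s = self.free.pop(0)
            self.disk[s * SECTOR:(s + 1) * SECTOR] = data[i:i + SECTOR].ljust(SECTOR, b"\0")
            self.dir[name].append(s)

    def erase(self, name: str):
        """Delete: drop the directory entry and free the sectors; the bytes remain."""
        self.free.extend(self.dir.pop(name))

    def clear(self, name: str, passes: int = 1):
        """Clearing: overwrite the file's sectors with random bytes, then delete.
        (Wear-levelling on SSDs can defeat overwrites; prefer built-in sanitize.)"""
        for s in self.dir[name]:
            for _ in range(passes):
                self.disk[s * SECTOR:(s + 1) * SECTOR] = os.urandom(SECTOR)
        self.erase(name)

    def carve(self, marker: bytes) -> list[bytes]:
        """Forensic-style recovery: ignore the directory and scan the raw sectors."""
        hits = []
        for s in range(1, len(self.disk) // SECTOR):
            sector = bytes(self.disk[s * SECTOR:(s + 1) * SECTOR])
            if marker in sector:
                hits.append(sector.rstrip(b"\0"))
        return hits

def remanence_demo() -> dict:
    """Per disposal method: can a constructed PHI record still be carved afterwards?"""
    record = b"PHI:J.Doe;dx=flu"  # constructed sample, fits in one sector
    methods = {"erase": lambda d: d.erase("patient.txt"),
               "format": lambda d: d.format(),
               "clear": lambda d: d.clear("patient.txt")}
    results = {}
    for name, dispose in methods.items():
        d = ToyDisk()
        d.write("patient.txt", record)
        dispose(d)
        results[name] = bool(d.carve(b"PHI:"))
    return results  # {'erase': True, 'format': True, 'clear': False}
```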

Trick: Erasing & Formatting = still recoverable. Clearing = safe for reuse internally. Purging = safe for reuse externally. Destruction = final/permanent.
A hospital is disposing of old hard drives containing patient records. Which method should they use?
Destruction (physical shredding/crushing) - PHI is Restricted data and must be permanently destroyed. Degaussing only works on magnetic drives, not SSDs.

📄 Paper Disposal

Cross-cut shredding is recommended for paper documents containing any sensitive data. Regular bin disposal is never acceptable for classified or confidential paper records.


⚖️
Data Protection Laws & Regulations
Know the big three: GDPR, PDPL, and US sectoral laws.

Why Laws Matter for Governance

Laws and regulations require organizations to: protect personal & sensitive data, implement security controls, and report breaches. Non-compliance leads to heavy fines, criminal penalties, and loss of stakeholder trust.

EU · GDPR

General Data Protection Regulation

Legal framework for collecting & processing personal data of EU residents. Applies globally - any website with EU visitors must comply, regardless of where it's based.

▸ Heavy fines for non-compliance
▸ Covers names, location, IP, health info, financial data
▸ Requires explicit consent & breach notification

Saudi Arabia · PDPL

Personal Data Protection Law

In force since 14 September 2023. Applies to all personal data processing of individuals in Saudi Arabia, including by foreign entities.

▸ Covers electronic & non-electronic data
▸ Regulator: SDAIA
▸ Fines up to SAR 5 million (doubled for repeats)
▸ Criminal: up to 2 years imprisonment + fines

USA · Sectoral

US Data Laws (No Single Federal Law)

US uses a sectoral approach - different laws for different industries.

▸ HIPAA: Health data (PHI) protection
▸ GLBA: Financial institutions' data
▸ CCPA/CPRA: California consumer privacy
▸ Generally more business-friendly than GDPR

GDPR = EU personal data law with global reach. PDPL = Saudi equivalent, active since 2023. HIPAA = US health data only. If an exam asks about Saudi law, it's PDPL enforced by SDAIA.

👤
Asset Ownership & Roles
Who owns, who guards, who uses - get the hierarchy right.
Information Ownership

Assigning clear responsibility and authority for a specific information asset to a person or role. The owner is accountable for how information is classified, protected, used, shared, retained, and disposed of.

👑 Information Owner

Typically a business/department head. Determines classification, approves access rights, ensures protection.

🔧 Information Custodian

IT Department. Implements technical controls, manages servers, applies access controls, performs backups.

📊 Information Steward

Owns technical accountability for how data supports business processes. Ensures data quality and proper usage.

👥 Information User

Faculty, analysts, staff who use data. Responsible for using information according to its classification level.

University Student Records:
Owner = Registrar's Office (decides who accesses, how long records kept, what's shared with accreditors)
Custodian = IT Department (manages database server, applies access controls, does backups)
Steward = Academic Records Librarian (ensures data quality, proper categorization)
Users = Faculty & Academic Advisors (view records per their permission level)

📋 Data Owner Responsibilities (NIST SP 800-18)

✔ Establishes rules for appropriate use and protection of data
✔ Provides security requirements input to information system owners
✔ Decides who has access and with what privileges
✔ Assists in identifying and assessing security controls

🖥️ System/Asset Owner Responsibilities (NIST SP 800-18)

✔ Develops the system security plan with information owners, admins, and end users
✔ Maintains the plan and ensures the system meets security requirements
✔ Ensures users receive appropriate security training
✔ Updates the security plan whenever significant changes occur

Key distinction: The data owner decides WHAT is protected and WHO can access it. The custodian actually implements those decisions technically. Don't mix them up!
Who is ultimately accountable for the protection of organizational data?
The CISO (Chief Information Security Officer) - who must report directly to senior management. Individual data owners are accountable for their specific data assets.

📋
Security Planning & Policy
Three plan types + the top-down approach.

Alignment of Security to Business Strategy

Security management planning ensures security policies are aligned with business strategy, goals, mission, and objectives. Security does not operate in isolation - it enables safe business operations. The most effective approach is the Top-Down Approach: senior management initiates policies, defines acceptable risk, and approves objectives.

The Three Security Plan Types

Strategic · Long-Term · 3 - 5 Years

"WHY are we securing assets?"
  • Aligns security with business mission
  • Includes risk assessment
  • Defines security priorities & governance
  • Establishes CISO role
  • Reviewed & updated annually

Tactical · Mid-Term · ~1 Year

"WHAT controls do we implement?"
  • Translates strategy into actions
  • Project, acquisition, hiring plans
  • Budget & maintenance plans
  • System development plans
  • Can be created ad hoc for incidents

Operational · Short-Term · Monthly/Quarterly

"HOW do we apply controls daily?"
  • Step-by-step implementation procedures
  • Resource allocation & budgets
  • Staffing & scheduling
  • How controls comply with policies
  • Updated frequently

Level | Question | Who | Example (Banking)
Strategic | "Why protect?" | Senior Management / Board | Adopt ISO/IEC 27001, establish CISO role, protect customer trust
Tactical | "What to implement?" | Middle Management | Deploy MFA, SIEM, encrypt customer data, hire SOC analysts
Operational | "How to operate?" | Implementation Team | SOC monitors 24/7, weekly vulnerability scans, monthly access reviews

Remember the mnemonic: S-T-O = Strategy (WHY) → Tactics (WHAT) → Operations (HOW). This maps to: Senior Mgmt → Middle Mgmt → Implementation Team.

👔 The InfoSec Team

The security team must be autonomous - not buried inside IT. The CISO leads the team and must report directly to senior management. Their security management plan includes: defining security roles, how security will be managed, who is responsible, how to test effectiveness, developing policies, performing risk analysis, and requiring security education.

What is the main objective of security management planning?
To align security functions with the organization's strategy, goals, mission, and objectives - ensuring security supports business operations rather than operating in isolation.

✅ Best Practices Checklist

Technical Controls

▸ Identify and classify all data & assets correctly
▸ Apply Principle of Least Privilege
▸ Encrypt sensitive data at rest and in transit
▸ Implement strong authentication (MFA)
▸ Deploy Data Loss Prevention (DLP) tools
▸ Monitor & log all access to critical assets

Governance Controls

▸ Assign clear ownership for every information asset
▸ Conduct regular audits & penetration testing
▸ Provide user awareness training
▸ Maintain strategic, tactical, and operational plans
▸ Ensure compliance with PDPL, GDPR, HIPAA as applicable
▸ Perform due diligence on all third-party vendors