- Information goes through a life cycle that starts with its acquisition and ends with its disposal.
- Each phase of the information life cycle requires different considerations when assessing risks and selecting controls.
- New information is prepared for use by adding metadata, including classification labels.
- Ensuring the consistency of data must be a deliberate process in organizations that use data replication.
- Data aggregation may lead to an increase in classification levels.
- Cryptography can be an effective control at all phases of the information life cycle.
- The data retention policy determines when information transitions from the archival phase to the disposal phase of its life cycle.
- Information classification corresponds to the information’s value to the organization.
- Each classification should have separate handling requirements and procedures pertaining to how that data is accessed, used, and destroyed.
- Senior executives are ultimately responsible to the shareholders for the successes and failures of their corporations, including security issues.
- The data owner is the manager in charge of a specific business unit and is ultimately responsible for the protection and use of a specific subset of information.
- Data owners specify the classification of data, and data custodians implement and maintain controls to enforce the set classification levels.
- The data retention policy must consider legal, regulatory, and operational requirements.
- The data retention policy should address what data is to be retained, where, how, and for how long.
For the remaining content, see my WeChat public account debugeeker; the link is CISSP Exam Guide Notes: 2.8 Quick Tips.
This article is also published on the "debugeeker" blog (CSDN).