Domain 2 of 8 · Chapter 6 of 6

Data Security Controls

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • The three data states, and the control that fits each
  • Baselines, scoping and tailoring, and standards selection
  • DRM, DLP, and CASB: the data-protection technology families
  • Exam-pattern recognition

Data-protection technology families: what each one governs

TechnologyWhat it protectsWhere it actsPrimary gap it closesKey limitation
DRM (Digital Rights Management)The data object, persistentlyBound to the file/document itselfControl survives after data leaves the perimeter (no-print, no-forward, expiry)Requires a client/agent to enforce rights; can frustrate legitimate use
DLP (Data Loss Prevention)Sensitive content trying to exitNetwork egress, endpoint, and storage (data-in-motion / -at-rest / -in-use modes)Stops exfiltration by inspecting content against policyContent inspection is defeated by strong encryption and misses what it can't read
CASB (Cloud Access Security Broker)How data is used in cloud servicesBetween users and cloud apps (inline proxy or API mode)Visibility + policy enforcement over sanctioned and shadow cloud useInline mode adds a chokepoint; API mode acts after the fact, not in real time
Encryption (at rest / in transit)Confidentiality of the data itselfStorage media/DB (at rest) and the network path (in transit)Renders intercepted or stolen data unreadable without the keyProtects neither data in use nor against an authorized key holder misusing access

Cheat sheet

  • Choose the control by the data's state, not once for the whole asset
  • Data at rest is protected by storage encryption layered over access control
  • At-rest encryption only protects data while the volume is locked
  • Data in transit is protected by transport encryption: TLS or IPsec
  • Data in use is the hard state because the CPU needs cleartext
  • Start control selection from a baseline keyed to the impact level
  • The FIPS 199 high-water-mark picks which baseline applies
  • Scoping removes controls that don't apply to your system
  • Tailoring is the whole process of adjusting a baseline to fit
  • Organization-defined parameters are the values a control leaves to you
  • Document every deviation from the baseline with its rationale
  • Standards selection picks the catalog the data's obligations demand
  • Map one control catalog to overlapping standards instead of rebuilding each
  • DRM binds usage policy to the object so control survives the perimeter
  • DLP stops sensitive data leaving by inspecting content against policy
  • DLP can only act on content it can read
  • A CASB is the policy control point between users and cloud services
  • Know the CASB four pillars: visibility, compliance, data security, threat protection
  • CASB inline mode blocks in real time; API mode acts out-of-band
  • Envelope encryption wraps a data key (DEK) with a key-encryption key (KEK)
  • TLS 1.3 makes forward secrecy mandatory via ephemeral key exchange
  • IPsec tunnel mode protects the entire original packet, including its IP header
  • Exact Data Match and document fingerprinting beat pattern matching on precision
  • Roll DLP out in simulation mode first, then tune enforcement with policy tips and overrides

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST Cryptographic Standards and Guidelines
  2. NIST SP 800-111: Guide to Storage Encryption Technologies for End User Devices Whitepaper
  3. NIST SP 800-53B: Control Baselines for Information Systems and Organizations Whitepaper
  4. FIPS 199: Standards for Security Categorization of Federal Information and Information Systems Whitepaper
  5. NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations Whitepaper