A CISO Guide to Cyber Resilience

Product type: Book
Published in: Apr 2024
Publisher: Packt
ISBN-13: 9781835466926
Pages: 238
Edition: 1st Edition
Author: Debra Baker

Table of Contents (20 Chapters)

  • Preface
  • Part 1: Attack on BigCo
  • Chapter 1: The Attack on BigCo
  • Part 2: Security Resilience: Getting the Basics Down
  • Chapter 2: Identity and Access Management
  • Chapter 3: Security Policies
  • Chapter 4: Security and Risk Management
  • Chapter 5: Securing Your Endpoints
  • Chapter 6: Data Safeguarding
  • Chapter 7: Security Awareness Culture
  • Chapter 8: Vulnerability Management
  • Chapter 9: Asset Inventory
  • Chapter 10: Data Protection
  • Part 3: Security Resilience: Taking Your Security Program to the Next Level
  • Chapter 11: Taking Your Endpoint Security to the Next Level
  • Chapter 12: Secure Configuration Baseline
  • Chapter 13: Classify Your Data and Assets
  • Chapter 14: Cyber Resilience in the Age of Artificial Intelligence (AI)
  • Index
  • Other Books You May Enjoy

Classify Your Data and Assets

This chapter is about classifying your data and assets. We covered classifying data according to the impact level of its loss in Chapter 10. A fully developed, mature information security program has an asset inventory and has classified which of those assets are critical. If you have a large-scale environment, this task can be daunting.

You should start with the assets that have critical data on them. Think about the critical data your company needs to protect and any device, server, or host on which information is processed, transferred, and stored. No problem, right?

In this chapter, we’re going to cover the following main topics:

  • Start with your data
  • Classifying your assets
  • Training
  • Monitoring
  • Subnetting
  • Segmentation

Start with your data

I covered how to classify the risk of loss of data and its impact in Chapter 10. When you are thinking about classifying your data, you need to consider the impact of the loss of the data. As a quick refresher, let’s review impact:

  • Low impact is considered a minor inconvenience if the data is released. It could be names and telephone numbers that are already public in a telephone book or white pages.
  • Moderate impact can be more substantial, such as financial losses due to identity theft, denial of benefits, or public humiliation.
  • High impact could be catastrophic, with serious financial losses and even loss of life. High impact typically has to do with law enforcement.

Defining data classification should not fall on the Chief Information Security Officer (CISO). Rather, it is the responsibility of the data privacy officer, compliance, or legal teams to establish data classification levels and data protection strategies. The CISO’...

Classifying your assets

Once you understand the critical data your company stores, you have to figure out where it resides. To do this, you may need to collaborate with the information technology department to figure out where the human resources data is stored and the development teams if you are a software development company to figure out where the source code is stored. You may already know if your company uses Salesforce or HubSpot, so you only need to review the access controls around those programs.

The hard truth is that many businesses do not know the location of their data. While they typically understand where the majority of their data resides, they are often unaware of the number of copies hidden within various laptops and servers. Fortunately, there are products that will help you automatically discover where your critical data resides, such as Varonis, Securiti, and Cloudwize.io. Data Security Posture Management (DSPM) products will provide the following features:

...

Monitoring

Implement monitoring tools and procedures to continuously track compliance with data classification policies. This includes regular audits of data access, handling, and storage practices.

Use the insights gained from monitoring and auditing to identify areas for improvement and adjust policies as necessary to address new threats or changes in the regulatory landscape.

If you have Microsoft 365 with the proper license, you can activate Microsoft Purview. Microsoft Purview will allow you to trigger alerts if confidential information is manipulated unencrypted. Data Security Posture Management (DSPM) tools can also scan your storage repositories in the cloud and report if sensitive personally identifiable information (PII) is unencrypted or unintentionally exposed to the internet. CloudWize.io provides this feature. It's better to scan your cloud to understand the misconfigurations and fix these issues yourself rather than have a hacker find them.

Subnetting

Before we get into segmentation, let’s discuss subnetting. It is easy to confuse subnetting and segmentation. Yes, most likely your network has multiple subnets, but this is not segmentation. Subnets ensure the broadcast domain of devices on the network is smaller. A broadcast domain is essentially the set of all devices on a network subnet that can reach each other by broadcasts at the data link layer (Layer 2 of the OSI model). When your computer connects to the network, your network interface card typically performs certain network discovery operations that involve broadcasting or multicasting. For example, it might use Address Resolution Protocol (ARP) broadcasts to resolve IP addresses to MAC addresses within its subnet. When a network is divided into subnets, each subnet forms its broadcast domain. This means broadcasts sent by a device in one subnet are not propagated to devices in other subnets. If a network has large subnets, then potential network congestion...

Segmentation

Now that you know what subnetting is, let’s discuss segmentation. PCI-DSS specifically requires that the CDE is segmented from the rest of the network. Segmentation is enforced with firewall rules. Firewalls are used to control the traffic that is allowed to enter or leave each segment, based on defined firewall rules. Segmentation is an advanced way to ensure that simply because a hacker is on your network, they won’t be able to gain access to a critical asset or, even more importantly, critical data on a segmented subnet. You can segment a subnet from the regular network using a firewall. It’s not a simple task because you have to evaluate all of the traffic traversing your firewall to ensure you segment only specific subnets. Segmentation is not only an important safeguard for critical assets but will also protect your network from easily hacked Internet of Things (IoT) devices. Segmenting your IoT devices ensures they are separated from your regular...
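The distinction drawn in the last two sections, that subnets only shrink the broadcast domain while segmentation needs firewall rules, can be made concrete in a small model. The following Python is an added example, not code from the book; the three subnets, the zone names, and the rule format are constructed assumptions, and the rule order is first-match-wins.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample address plan (an assumption, not from the book): three subnets.
SUBNETS = {
    "corp": ipaddress.ip_network("10.10.0.0/24"),
    "iot":  ipaddress.ip_network("10.20.0.0/24"),
    "cde":  ipaddress.ip_network("10.30.0.0/24"),  # PCI cardholder data environment
}

# A segmentation policy modelled as ordered firewall rules: (src_zone, dst_zone, action).
# "*" matches any zone. The first matching rule wins; with no match, the default applies.
PolicyRule = tuple[str, str, str]

def zone_of(ip: str) -> Optional[str]:
    """Return the name of the subnet containing ip, or None if it is off-plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None

def same_broadcast_domain(a: str, b: str) -> bool:
    """Subnetting: two hosts share a broadcast domain only when they sit in the same subnet."""
    za = zone_of(a)
    return za is not None and za == zone_of(b)

def permitted(src: str, dst: str, rules: Iterable[PolicyRule], default: str = "allow") -> bool:
    """Segmentation: whether the firewall policy lets src talk to dst.
    Traffic that stays inside one subnet never crosses the firewall, so it is always permitted."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return False  # unknown hosts are not part of the plan; treat as unreachable
    if sz == dz:
        return True
    for rule_src, rule_dst, action in rules:
        if rule_src in ("*", sz) and rule_dst in ("*", dz):
            return action == "allow"
    return default == "allow"

# Subnets alone, with a routing default of allow: every zone reaches every other zone.
NO_SEGMENTATION: list[PolicyRule] = []

# Segmented: only corp may reach the CDE; IoT devices reach nothing outside their own subnet.
SEGMENTED: list[PolicyRule] = [
    ("corp", "cde", "allow"),
    ("*", "cde", "deny"),
    ("iot", "*", "deny"),
    ("*", "iot", "deny"),
]
```

With `NO_SEGMENTATION`, an IoT device and a CDE server are in different broadcast domains yet can still reach each other, which is exactly why the chapter insists that subnetting is not segmentation.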

Summary

In summary, taking your security program to the next level includes categorizing your critical data and assets. As the saying goes, you can’t protect what you don’t know about. As part of your asset management and inventory, you should categorize your critical assets and data. Once you know where your critical data resides, you need to also categorize the assets, whether on-premises or in the cloud, as critical and understand how data flows. Once you know what your critical assets are, you can then implement controls to secure the data.

In the next chapter, we will be covering Artificial Intelligence (AI) and cybersecurity. With AI being the next big thing and the huge move toward it, we need to consider security measures around AI and how it can be used both by hackers and for defense.
