
You're reading from CompTIA Security+ SY0-701 Certification Guide - Third Edition

Product type: Book
Published in: Jan 2024
Publisher: Packt
ISBN-13: 9781835461532
Edition: 3rd Edition
Author: Ian Neil

Ian Neil is one of the world's top trainers of Security+. He is able to break down information into manageable chunks so that people with no background knowledge can gain the skills required to become certified. He has recently worked for the US Army in Europe and designed a Security+ course that catered to people from all backgrounds (not just IT professionals), with an extremely successful pass rate. He is an MCT, MCSE, A+, Network+, Security+, CASP, and RESILIA practitioner who has worked with high-end training providers over the past 23 years and was one of the first technical trainers to train Microsoft internal staff when they opened their Bucharest office in 2006.

Introduction

This chapter covers the third objective of Domain 3.0, Security Architecture, of the CompTIA Security+ SY0-701 exam.

It is essential to safeguard valuable information. In this chapter, we will consider the multifaceted challenge of data protection, which encompasses diverse data types such as regulated data, trade secrets, and Intellectual Property (IP). These data classifications range from sensitive to critical, each demanding a different level of security. General data considerations add complexity, with data existing in different states (at rest, in transit, and in use) and raising concerns about data sovereignty and geolocation. To tackle these issues, organizations employ methods such as encryption, hashing, masking, and tokenization. They also restrict access based on geographic location and permissions.

In the era of cyber-attacks, a tailored combination of these elements is key to robust data protection, ensuring that security aligns with an organization’s unique data profile...

Data Types

Data is a critical part of modern businesses and needs to be protected from malicious actors. However, there is a range of different data types, each raising different concerns: data about ourselves (personal and medical data), data surrounding commerce (such as IP and financial data), and data in between, such as customer data. Much of this data is subject to specific laws and regulations. This is called regulated data.

Regulated data covers much of the data previously mentioned as it is subject to specific laws and regulations. This data is covered here:

  • Personally Identifiable Information (PII): PII is data that is unique to a person, for example, their social security number, biometric data, driving license number, employee records, mobile phone number, or email address.
  • Protected Health Information (PHI): PHI is health data that is unique to a person, such as their medical history, including diseases and treatments and various...

Data Classifications

Data classifications serve as the foundation for data protection strategies. They categorize data based on its sensitivity and the potential risks associated with its exposure. Risk management starts with the classification of the asset, which determines how we handle, access, store, and destroy data. Data is classified according to factors such as sensitivity, who should have access, and potential damage in case of a breach.

The following figure shows the governmental versus non-governmental descriptions of data:

Figure 12.1: Governmental versus non-governmental data

The preceding figure shows a pyramid of data classifications of government (on the left) and non-government (on the right). Classifications for governmental data go from top secret as the highest classification, followed by secret, confidential, and then unclassified. It corresponds with non-government data starting with confidential or proprietary at the top, followed...

General Data Considerations

In the realm of information security, understanding the various aspects of data management and protection is crucial. This encompasses not just how data is classified (such as critical, confidential, or restricted data) but also the different states that data can exist in and the legal and geographical implications of data handling. In this section, we will give an overview of some key concepts.

Data states define the context in which data resides and how it is accessed and utilized. There are three possible data states, described as follows:

  • Data at rest: Data at rest is data that is not currently being used and is stored on a hard drive, on a storage device, in files, or on database servers. While it remains static until accessed, it is still susceptible to breaches if not adequately protected.
  • Data in transit: Data in transit is data on the move, traveling across networks or communication channels. This could be the data transmitted during a purchase...

Methods to Secure Data

Data is the most valuable asset to any company and protecting information is paramount. As we delve into the intricate landscape of data protection, a myriad of methods and strategies emerges. From geographic restrictions to tokenization, each approach carries its unique attributes and applications.

The more common of these data protection methods can be defined as follows:

  • Geographic restrictions: Geographic restrictions limit data access to users or devices based in a specified region. This approach is valuable for ensuring data compliance with specific jurisdictional regulations. However, it may pose challenges for remote work and global collaborations.
  • Encryption: Encryption transforms data from plaintext (readable data) to ciphertext (unreadable data) that can only be deciphered with the correct private key, known as the decryption key. It provides a robust defense against unauthorized access, making it a cornerstone of data security across...
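Three of the data protection methods this chapter names in its introduction (hashing, masking, and tokenization) applied to the PII fields listed earlier, as an added example that is not from the book; the sample record, the keyed-hash secret, and the TokenVault class are constructed for illustration and assume the mapping store would be access-controlled in a real deployment:

```python
import hashlib
import hmac
import secrets

# Constructed sample record with the PII fields the chapter names
# (social security number, mobile phone number, email address).
SAMPLE_RECORD = {"ssn": "123-45-6789", "mobile": "+1-555-0100",
                 "email": "jane.doe@example.com"}
# Hypothetical keyed-hash secret; a real deployment keeps it in a key vault.
PSEUDONYM_KEY = b"demo-only-key"


def mask(value: str, keep_last: int = 4) -> str:
    """Masking: hide all but the trailing characters, keeping separators
    so the masked value still looks like the original format."""
    cutoff = len(value) - keep_last
    return "".join(ch if (ch in "-+@." or i >= cutoff) else "*"
                   for i, ch in enumerate(value))


def pseudonymize(value: str) -> str:
    """Hashing: keyed one-way hash (HMAC-SHA-256). Equal inputs give equal
    outputs, so records can still be joined, but the original is unrecoverable."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: swap a value for a random surrogate and keep the mapping
    in a separate, access-controlled store (a dict stands in for it here)."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(8)  # random, not derived from value
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]  # only the vault holder can reverse a token


def protect_record(record: dict, vault: TokenVault) -> dict:
    """One method per field: mask for display, tokenize where the original
    must be recoverable later, hash where it never needs to be."""
    return {"ssn": mask(record["ssn"]),
            "mobile": vault.tokenize(record["mobile"]),
            "email": pseudonymize(record["email"])}
```

The contrast worth noticing is reversibility: a masked SSN and a hashed email cannot be turned back into the original, while a token can, but only by whoever holds the vault.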

Summary

Within data protection, various methods work together to secure information. In this chapter, we explored the multifaceted nature of data in modern businesses, focusing on its various types and the need for protection against malicious actors. We looked at different categories of data, ranging from personal and medical data to commercial information such as IP and financial records. A significant portion of this data falls under regulated categories, subject to specific laws and regulations.

We saw how in the dynamic realm of data protection, understanding the diverse array of data types and classifications is fundamental. From tightly regulated legal and financial data to the intricate realm of IP and trade secrets, each category requires a tailored approach. Recognizing that data can exist in various states—whether at rest, in transit, or in use—enables the deployment of precise security measures at every stage.

Moreover, we looked at how comprehending the distinctions...

Exam Objectives 3.3

Compare and contrast concepts and strategies to protect data.

  • Data types: Different types of data require differing concerns
    • Regulated: Governed by specific laws and regulations
    • Trade secret: Proprietary and confidential business information
    • Intellectual property: Unique creations such as patents, copyrights, and trademarks
    • Legal information: Related to the law and legal matters
    • Financial information: Data about monetary transactions
    • Human and non-human readable: Varies in readability and accessibility
  • Data classifications: Based on who should be able to access it and the potential consequences of a breach
    • Sensitive: Requires protection due to privacy or security concerns
    • Confidential: Highly restricted access, often legally protected
    • Public: Open and accessible to anyone
    • Restricted: Limited access to authorized users
    • Private: Restricted access, not public
    • Critical: Vital for an organization’s functioning
  • General data considerations: The context in which...

Chapter Review Questions

The following questions are designed to check that you have understood the information in the chapter. For a realistic practice exam, please check the practice resources in our exclusive online study tools (refer to Chapter 29, Accessing the online practice resources for instructions to unlock them). The answers and explanations to these questions can be found via this link.

  1. You are tasked with protecting sensitive information that includes personally identifiable data subject to strict privacy laws. Which data type should you focus on safeguarding?
    1. Regulated
    2. Trade secrets
    3. Intellectual property
    4. The results of an internal audit
  2. A multinational corporation stores sensitive customer data. To comply with data privacy regulations, it implements a method to restrict access to this data to the sales team, based on which hotel they are in while they are on national and international sales trips. Which security method are they using?
    1. Geographic restrictions
    2. Encryption...