CISSP Chapter 2. Green Book. Test Prep

The Personal Information Protection and Electronic Documents Act:

A Canadian Privacy law, while California Civil Code 1798.82 is part of the set of California codes that requires breach notification.

What data role will own responsibility for step 1, the categorization of information systems; to whom will they delegate step 2- select security controls, and what role is responsible for step 3- implementing security controls?

A data owner bears responsibility for categorizing information systems and delegates selection of controls to system owners, while custodians implement the controls.

How can a data retention policy help to reduce liabilities?

A data retention policy can help to ensure outdated data is purged, removing potential additional costs for discovery. Many organizations have aggressive retention policies to reduce storage costs & limit data kept on hand discoverable

Embedded data used to help identify the owner of a file is an example of what type of label?

A digital watermark is used to identify the owner of a file or to otherwise label it.

Linux systems that use bcrypt are using a tool based on what DES alternative encryption scheme?

Bcrypt is based on Blowfish. AES and 3DES are both replacements for DES, while Diffie Hellman is a protocol for key exchange.

What is the primary purpose of data classification?

Classification identifies the value of data to an organization. This can help drive IT expenditure prioritization and could help with rough cost estimates if a breach occurred.

Which of the following classification levels is the US government's classification label for data that could cause damage but wouldn't cause serious or grave damage?

Confidential could cause damage if disclosed without authorization. SECRET could cause serious damage. TS could cause potentially grave damage.

Staff in an It department who are delegated responsibility for day to day tasks hold what data role?

Custodians are delegated the role of handling day to day tasks by managing and overseeing how data is handled, stored, and protected. Data processors are systems used to process data. Business owners make sure systems are valuable to users

What data security role is responsible for step 5- monitoring security?

Custodians handle day to day tasks. Monitoring is a custodial task.

What scenario describes data at rest?

Data at rest is inactive data that is physically stored. Data in an IPSec tunnel or part of an e-commerce transaction is data in motion. Data in RAM is ephemeral and is not inactive.

What is the primary information security risk to data at rest?

Data breach. DAR with a high level of sensitivity is often encrypted to help prevent this.

Data stored in RAM is best characterized as what type of data?

Data in use is data that is in a temporary storage location while an application or process is using it. Data in memory is best described as data in use or ephemeral data.

Alex works for a government agency that is required to meet US federal government requirements for data security. To meet these requirements, Alex has been tasked with making sure data is identifiable by classification level. What should he do?

Data labels are crucial to identify the classification level of information contained on the media. DRM tools provide ways to control how data is used, while encrypting can help maintain confidentiality & integrity of the data.

Which of the following does not describe data in motion?

Data on a backup tape being shipped to a storage facility. Data in motion refers to items like data in a TCP packet, in an e-commerce transaction, or in local Ram.

What term describes data that remain after attempts have been made to remove the data?

Data remanence is a term used to describe data left after attempts to erase or remove data. Slack space is unused space in a disk cluster, zero fill is a wiping methodology replacing all bits with zeros.

Which of the following is not one of the European Unions General Data Protection Regulation- GDPR principles?

GDPR includes requirements that data be processed fairly, maintained securely, & maintained accurately. It does not include a requirement that information be deleted in 1 year, although it does specify information should not be kept longer t necessary

See chapter 2

Numbers 57-59

Susan works for an American company that conducts business with customers in the EU. What is she likely to have to do if she is responsible for handling PII for, those customers?

Privacy Shield compliance helps US companies meet EU GDPR. Yearly assessments may be useful but aren't required.

What type of health information is the Health Portability and Accountability Act required to protect?

Protected Health Information - PHI, includes a variety of data in multiple formats, including Oral and recorded data, such as that created and received by healthcare providers, employers and life insurance providers. PHI must be protected by HIPPA

A copyright notice:

Provides information about the copyright asserted on the file.

If the systems being assessed all handle credit card information and no other sensitive data, at what step of the risk management process would the PCI DSS first play an important role?

PCI DSS provides a set of required security controls and standards. Step 2 would be guided by the requirements of PCI DSS. It will not greatly influence step 1, because all of the systems handle credit card info

If you are selecting a security standard for a Windows 10 system that processes credit cards, what security standard is your best choice?

PCI DSS, the Payment Card Industry Data Security Standard provides the set of requirements for credit card processing systems. The Microsoft, NSA, and CIS baseline are all useful for building a Windows 10 security standard, but pci is correct

Ed has been asked to send data that his organization classified as confidential and proprietary via email. What encryption technology would be appropriate to ensure that the contents of the files are attached to the email remain confidential?

PGP, or it's open source alternative- GPG, provides strong encryption of files, which can then be sent via email. Email traverses multiple servers & will be encrypted at rest at multiple points along its path as its stored and forwarded to its destination

Which one of the following is not considered PII under US federal government regulations?

PII includes any information that can uniquely identify and individual. That would include name, SSN, and any other unique identifier, in some states it includes the student ID number. ZIP codes do not alone identify an individual.

Information maintained about an individual that can be used to distinguish or trace their identity is known as what type of information?

PII. NIST SP 800-122 defines PII as any info that can be used to trace an individual's identity such as name, ssn, date and place of birth, mother's maiden name, biometric records, etc.

Which attack helped drive vendors to move away from SSL toward TLS-only by default?

POODLE- Padding Oracle on Downgraded Legacy Encryption attack helped force the move from SSL 3.0 to TLS Because it allowed attackers to easily access SSL encrypted messages. Crime & Beast were earlier attacks against SSL.

What are the 5 steps of the NIST process for risk management?

Step 1- categorize systems and data; Step 2- select security controls; Step 3- implement security controls; Step 4- Assess Security Controls; Step 5- Monitor Security

GDPR principle of integrity:

States that data should be reliable and that information should not be used for purposes other than those that users are made aware of by notice and that they have accepted through choice.

Adjusting the CIS benchmarks to your organization's mission and your specific IT systems would involve what two processes?

Scoping and tailoring. Scoping involves electing only the controls that are appropriate for your IT systems, while tailoring matches your organization's mission and the controls from a selected baseline.

What term describes the process of reviewing baseline security controls and selecting only the controls that are appropriate for the IT system you are trying to protect?

Scoping is performed when you match baseline controls to the IT system you're working to secure. Creation of standards is part of the configuration process and can be included in baselining. CIS provides baselines.

Major Hunter has been entrusted with information, that if exposed, could cause serious damage to national security. Under US government classification standards, how should the data be classified?

Secret level could cause serious harm to national security. TS is exceptionally grave. Confidential is less harm.

What type of encryption is typically used for data at rest?

Symmetric encryption like AES is typically used for Data at rest.

How should you determine what controls from the baseline a given system or software package should receive?

The controls implemented from a security baseline should match the data classification of the data used or stored on the system. Custodians are trusted to ensure the day to day security of the data and ensure the baseline is met.

Which of the following activities is not a consideration during data classification?

The cost of the data is not directly included in the classification process. Instead, the impact to the organization if the data were exposed or breached is considered.

Which one of the following data roles bears ultimate organizational responsibility for data?

The data owner has ultimate responsibility for data belonging to an organization and is typically the CEO, president, or another senior employee. Business and mission owners typically own processes or programs. System owners own systems

Steganography:

The science of hiding information, often in images or files.

Which mapping correctly matches data classifications between non government and government classification schemes?

Top secret equals confidential/ proprietary; secret equals private; confidential equals sensitive.

Sues employer asked her to use an IPSec VPN to connect to its network. When Sue connects, what does the IPSec VPN allow her to do?

1 way to use an IPSec VPN is to create a private, encrypted network or tunnel via a public network, allowing users to be a virtual part of the internal network. IPSec is distinct from TLS and provides encryption for integrity & confidentiality

What term is used to describe a set of common security configurations, often provided by a third party?

A baseline is a set of security configurations that can be adopted & modified to fit an organization's security needs. A security policy is written to describe an organization's approach to security. NIST SP 800 address variety computer security

What term is used to describe a starting point for a minimum security standard?

A baseline is used to ensure a minimum security standard. A policy is the foundation that a standard may point to for authority. a configuration guide may be built from a baseline to help staff who need to implement it to accomplish their task.

Sanitization:

A combination of processes used when data is being removed from a system or media.

What technology could Lauren's employer implement to help prevent confidential data from being emailed out of the organization?

A data loss prevention system or software is designed to identify labeled data or data that fits specific patterns & descriptions to help prevent it from leaving the organization. An IDS identifies intrusions but can't stop traffic.

Sanitization

A series of processes that removes data from a system or media while ensuring the data is unrecoverable by any means.

What encryption algorithm would provide strong protection for data stored on a USB thumb drive?

AES is a strong encryption cipher that is appropriate for use with data at rest. SHA1 is a cryptographic hash, while TLS is appropriate for data in motion. DES is an outdated and insecure symmetric encryption method.

Which data role is tasked with granting appropriate access to staff members?

Administrators have the rights to assign permissions to access and handle data.

What tool is used to prevent employees who leave from sharing proprietary information with their new employees?

An NDA is a legal agreement that prevents employees from sharing proprietary data with their new employers. Purging is used on media while classification is used on data. Encryption can help secure data but doesn't stop sharing of it.

What is the best way to secure files sent from a workstation via the internet service, to a remote server?

An encrypted email. Sending the file that is encrypted before it leaves means that exposure of the file in transit will not result in a confidentiality breach & the file will remain secure until decrypted.

Purging:

An intense form of clearing

Control Objectives for Information and Related Technology (COBIT) is a framework for IT management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls?

Business owners have to balance the need and provide value with regulatory, security, and other requirements. Data owners are more likely to ask that those responsible for control selection identify a standard to use.

Data management roles:

Business owners, data owners, data processors: which are required to perform specific actions under regulations like GDPR. And Data stewards are internal roles that oversee how data is used.

What encryption algorithm is used by both Bitlocker and Microsoft's Encrypting File System?

By default, both Bitlocker & Microsoft's Encrypting File System - EFS both use AES, which is NIST approved replacement for DES. Serpent was a competitor of AES, and 3DES was created as a possible replacement for DES.

What term is used to describe overwriting media to allow for its reuse in an environment operating at the same sensitivity level?

Clearing describes preparing media for reuse. When media is cleared, unclass data is written over all addressable locations on the media. Then it is reusable. Purging is a more intense clearing for reuse in lower security areas.

What Method uses a strong magnetic field to erase media?

Degaussing uses strong magnetic fields to erase magnetic media. Sanitization is a combination of processes used to remove data from a system or media to ensure it can't be recovered. Purging clears media to be reused for lower classification

A data storage policy:

Describes how and why data is stored, while data storage is the process of actually keeping the data.

Incineration, crushing, shredding, & disintegration all describe what stage in the life cycle of media?

Destruction is the final stage in the lifecycle of media and can be done via disintegration, incineration, or a variety of other methods that result in the media and data being non recoverable.

System owner tasks:

Develop security plan; identify and implement security controls; ensure system users receive appropriate security training

Fred's organization allows downgrading of systems for reuse after projects have been finished and the systems have been purged. What concern should Fred raise about the reuse of systems from his TS project for a future project classified secret?

Downgrading systems and media is rare due to the difficulty of ensuring that sanitization is complete. The need to completely wipe or destroy the media means that the cost is often significant. Purging ensures no data remains.

What is the best method to sanitize an SSD?

Due to problems with data remnants, NSA requires physical destruction of SSDs. This process, known as disintegration, results in very small fragments via the shredding process.

Asymmetric encryption is often used:

During transactions or communications when the ability to have public and private keys is necessary.

Joe works for a major pharmaceutical company and has to write a data retention policy. The organization must comply with the FDA Admin Code of Federal regulations title 21. Why must electronic signatures be used to retain records?

Electronic signatures as used in this rule, prove that the signature was provided by the intended signer. Electronic signatures as part of the FDA code are intended to ensure that elecrecords are trustworthy, reliable, & generally equivalent to paper rec

What are the handling requirements for Confidential data/ HIPAA?

Encrypt at rest and in transit; full disk encryption required for workstations; files can only be sent encrypted and passwords must be transferred under separate cover. Printed documents must be labeled with HIPAA handling required.

What are the handling requirements for private data/PHI?

Encrypt data at rest and in transit; PHI must be stored on secure servers and copies should not be kept on local workstations; printed documents must be Labeled with private.

Susan needs to provide a set of minimum security requirements for email. What steps should she recommend for her organization to ensure that the email remains secure?

Encrypting and labeling sensitive email will ensure it remains confidential and can be identified. Performing these actions only on sensitive email will reduce the cost and effort of encrypting all email, focusing on the sensitive email.

What are the handling requirements for sensitive data/business confidential?

Encryption is recommended but not required.

Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she attempting to stop and what method?

Encryption is used to protect traffic from sniffing.

Business owner tasks:

Ensuring the systems are fulfilling their business purpose

Which of the following is the least effective method of removing data from media?

Erasing. It typically removes the link to the file and leaves the data that makes up the file itself. The data will remain in place but not indexed until space is needed and overwritten.

Which of the following tasks are not performed by a system owner per NIST SP 800-18?

Establishes rules for appropriate use and protection of data. The data owner sets rules for use and protection of data.

What problem with FTP and Telnet makes using SFTP and SSH better alternatives?

FTP and Telnet don't provide encryption for the data they transmit and should not be used if they can be avoided. SFTP and SSH provide encryption to protect both the data they send and the credentials that are used to log in via both utilities.

Full disk encryption like Microsoft's Bitlocker is used to protect data in what state?

Full disk encryption only protects data at rest. Since it encrypts the full disk, it does not distinguish between labeled and unlabeled data.

Chris is responsible for his organization's security standards and has guided the selection & implementation of a security baseline for Windows PCs. How can he most effective ensure the workstations are being checked for compliance?

Group policy provides the ability to monitor & apply settings in a security baseline. Manual checks by users & using startup scripts provide fewer reviews & may be prone to failure, while periodic review of the baseline won't result in comp checks

NIST 800-60 provides diagrams to help asses information systems. What are the steps for identifying information systems?

Identify information types, select provisional impact levels, review provisional impact levels, adjust/finalize information impact levels, assign system security category.

What are the handling requirements for public data?

Information can be sent unencrypted

DLP- data loss prevention:

Is a solution designed to prevent data loss

GDPR Enforcement:

Is aimed at ensuring that compliance with principles is assured.

Why is declassification rarely chosen as an option for media reuse?

It is more expensive than new media and may still fail. Ensuring that data cannot be recovered is difficult, and the time and effort required to securely and completely wipe media for declassification exceeds the cost of new media.

Which of the following concerns should not be part of the decision when classifying data?

It should be conducted based on the value of the data to the organization, it's sensitivity, & the amount of harm that could result from data exposure. Cost should be considered when implementing controls weighed against exposure damage

When media is labeled based on classification of the data it contains, what rule is typically applied regarding labels?

Media is typically labeled with the highest classification level of data it contains. This prevents the data from being handled or assessed at a lower classification level. Data integrity requirements don't independently drive the labeling process.

Susan's organization performs a zero fill on hard drives before they are sent to a third party to be shredded. What issue is her organization attempting to avoid?

Mishandling of drives by a third party. The organization is limiting risks by sending sanitized drives before they are destroyed.

Spare sectors, bad sectors and space provided for wear leveling on SSDs overprovisioned space may all contain data that was written to the space that will not be cleared when the disk is wiped:

Most wiping utilities only deal with currently addressable space on the drive. SSDs can't be degaussed, & wear leveling space can't be reliably used to hide data. These spaces are still addressable by the drive although they aren't seen by the OS.

Steve is concerned about the fact that employees leaving his organization were often privy to proprietary information. Which one of the following controls is most effective against this threat?

NDAs are used to enforce confidentiality agreements with employers & may remain in effect even after an employee leaves the organization.

Lauren's employee asks her to classify patient X-ray data that has an internal patient identifier associated with it but not a way to directly identify the patient. The data owner believes exposure could cause damage but not exceptional.

Private. The classification can't be confidential because data loss wouldn't cause severe damage. The private classification due to patients personal health information fits the classification scheme.

Ben is following NIST 800-88 - guidelines for sanitization and disposition. He is handling information that is classified as sensitive, which is a moderate security category in the NIST model. Media sold as surplus follows what process.

Purge, document, validate

Charles has been asked to downgrade the media used for storage of private data for his organization. What process should Charles follow?

Purging should be used for downgrading media, then the media should be relabeled. Degaussing works for magnetic media but not all media types.

Retaining and maintaining information for as long as it is needed is known as what?

Record retention is the process of retaining and maintaining information for as long as it is needed.

What type of policy describes how long data is retained and maintained before destruction?

Record retention policies describe how long an organization should retain data & may also specify how & when destruction should occur.

Susan works in an organization that labels removable media with the classification level of the data it contains, including public data. Why would Susan's employer label all media instead of labeling on the media that contains data that causing harm

Requiring all media to be labeled means that when unlabeled media is found, it should be treated as suspicious. This helps prevent mistakes that might leave sensitive data unlabeled.

A new law is passed that would result in significant financial harm to your company if the data that it covers was stolen or inadvertently released. What should your organization do about this?

Review its data classification and classify the data appropriately. When the value of data changes due to legal, compliance, or business reasons, reviewing classifications and reclassifying data is an appropriate response.

What protocol is preferred over Telnet for remote server administration via the command line?

SSH is an encrypted protocol for remote login and command line access, SCP and SFTP are both secure file transfer protocols, while WDS is the acronym for Windows Deployment Services, which provides remote installation capabilities Win OS

Chris is responsible for workstations throughout his company & knows some of them handle proprietary info. Which option best describes what should happen at the end of their lifecycle?

Sanitization is a combination of processes that ensure that data from a system can't be recovered by any means. Erasing and clearing are both prone to mistakes and technical problems that can result in remnant data.

When a computer is removed from service and disposed of, the process that ensures that all storage media has been removed or destroyed is known as what?

Sanitization is the combination of processes used to remove data from a system or media. When a PC is disposed of, sanitization includes the removal or destruction of drives, media, & other storage devices it may have.

Ben has been tasked with identifying security controls for systems covered by his organization's information classification system. Why might Ben choose to use a security baseline?

Security baselines provide a starting point to scope and tailor security controls to your organization's needs. They aren't always appropriate to specific organizational needs, they can't ensure systems are in a secure state and don't prevent liability.

What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs?

Spare sectors, bad sectors and space provided for wear leveling on SSDs overprovisioned space may all contain data that was written to the space that will not be cleared when the disk is wiped. SSDs cannot be degassed.

What data role does a system that is used to process data have?

Systems used to process data are called data processors. Data owners are typically CEOs, or senior staff; custodians are granted rights to perform day to day tasks; mission owners are typically program or information system owners.

What would be the best way to secure data in transit between workstation, server, and the internet?

TLS provides the best security for data in motion. AES 256 and 3DES are both symmetric ciphers and are more likely to be used for data in motion.

What methods are often used to protect data in transit?

TLS, VPNs, and IPSec tunnels are all techniques used to protect data in transit. AES, Serpent, and IDEA are all symmetric algorithms, while Telnet, ISDN, & UDP are all protocols. Bitlocker & FileVault both encrypt data, but only protect stored data.

What encryption technology would be appropriate for HIPAA documents in transit?

TLS. It's a modern encryption method used to encrypt and protect data in transit. Bitlocker is a full disk encryption technology used for DAR. DES and SSL are both outdated encryption methods & should not be used for high level security.

Fred is preparing to send backup tapes offsite to a secure third party storage facility. What steps should Fred take before sending the tapes to that facility?

Tapes are frequently exposed due to theft and loss in transit. That means that tapes that are leaving their normal storage facility should be handled according to the organization's classification schemes and handling requirements.

Which California law requires conspicuously posted privacy policies on commercial websites that collect the personal information of California residents?

The California Online Privacy Protection Act - COPPA requires that operators of commercial website services post a prominently displayed privacy policy if they collect personal information on California residents.

What US government agency oversees compliance with the Privacy Shield framework for organizations wishing to use the personal data of EU citizens?

The US department of Commerce oversees Privacy Shield. Only US organizations subject to the jurisdiction of the FTC or US air carriers & ticket agents subject to the jurisdiction of the DoT are permitted to participate in Safe Harbor.

The EU GDPR does not include which of the following key elements?

The need to encrypt information at rest. It does not include the need to collect info for specified, explicit, and legitimate purposes; need to protect data against accidental destruction

Which one of the following administrative processes assists organizations in assigning appropriate levels of security control to sensitive information?

The need to protect sensitive data drives information classification. This allows organizations to focus on data that needs to be protected rather than spending effort on less important data.

Lauren's multinational company wants to ensure compliance with GDPR. Which principle of GDPR states that the individual should have the right to receive personal information concerning themselves and share it with another data controller?

The principle of Data portability says the data subject has the right to receive personal info and transfer it to another data controller.

Baselining:

The process of creating a security baseline or configuring systems to meet baselines

The Center for Internet Security- CIS works with subject matter experts from a variety of industries to create lists of security controls for OSs, mobile devices, server software, and network devices. The CIS benchmarks are an example of what

They are an example of a security Baseline. A risk assessment wou,d help identify which controls were needed, and proper system ownership is an important part of making sure baselines are implemented and maintained.

Rearrange the following US government classification labels in order, from least sensitive to most sensitive:

Unclassified, confidential, secret, top secret

Ben's company, based in the EU, hires a third party organization that processes data for it. Who has responsibility to protect the privacy of the data and ensure that it isn't used for anything other than its intended purpose?

Under EU regulations, both the organization sharing data and the third party data processor bear responsibility for maintaining the privacy and security of personal information.

Degaussing:

Uses strong magnetic fields to wipe data from media

What security measure can provide an additional security control in the event that backup tapes are lost or stolen?

Using strong encryption like AES 256 can help ensure that loss of removable media like tapes doesn't result in a data breach.

What issue is the validation portion of the NIST 800-88 sample certification of sanitization intended to help prevent?

Validation processes are conducted to ensure the sanitization process was completed, avoiding data remanence. The form verified devices were properly wiped, purged or sanitized. This allows reuse, but doesn't prevent destruction, attrb

Why might an organization use unique screen backgrounds or designs on workstations that deal with data of different classification levels?

Visual indicators like a distinctive screen background can help employees remember what level of classification they are dealing with and thus the handling requirements that they are expected to follow.

Your organization handles 3 types of data: info shared with customers, internal business, & trade secret info. Info shared with customers is stored on web servers, and internal and trade secret info is stored on internal file systems & workstations

What civilian data classification best fits this data? Info shared with customers is public. Internal business could be sensitive or private. Trade secrets are proprietary. Thus public, sensitive, proprietary matches this situation more closely.

Your organization handles 3 types of data: info shared with customers, internal business, & trade secret info. Info shared with customers is stored on web servers, and internal and trade secret info is stored on internal file systems & workstations

What does labeling data allow a DLP system to do? DLP can use labels on data to determine he appropriate controls to apply to the data. DLP systems won't modify labels in real time & typically don't work direct with firewalls to stop traffic.

Your organization handles 3 types of data: info shared with customers, internal business, & trade secret info. Info shared with customers is stored on web servers, and internal and trade secret info is stored on internal file systems & workstations

What technique could you use to mark your trade secret info in case it was released or stolen and you need to identify it? A watermark is used to digitally label and can be used to indicate ownership.

Your organization handles 3 types of data: info shared with customers, internal business, & trade secret info. Info shared with customers is stored on web servers, and internal and trade secret info is stored on internal file systems & workstations

What type of encryption should you use om file servers for the proprietary data, and how might you secure the data when in motion? AES is a string modern symmetric alogorithm appropriate for encrypting DAR. TLS is for in transit. VPN for in motion.

A US government database contains secret, confidential, and top secret data. How should it be classified?

When data is stored in a mixed classification environment, it is typically classified based on the highest classification of data included. In this case, the US governments highest classification is Top Secret.

Your organization handles 3 types of data: info shared with customers, internal business, & trade secret info. Info shared with customers is stored on web servers, and internal and trade secret info is stored on internal file systems & workstations

Why is it cost effective to purchase high quality media to contain sensitive data? The value of the data contained on media often exceeds the cost of the media, making more extensive media that may have longer life spans a good choice.

A Network topology consists of a user workstation, a server, and internet cloud. Which location would you find data at rest?

Workstations and servers most always have data at rest. The internet cloud is unknown.

GDPR onward transfer:

limits transfers to other organizations that comply with the principles of notice and choice

Match data elements with corresponding categories:

medical records = PHI; credit card numbers = PCI DSS; ssn's = PII; drivers license numbers = PII