CISSP- Domain 2: Asset Security
What tool is used to prevent employees who leave from sharing proprietary information with their new employers?
A non-disclosure agreement (NDA)
Which letters should be associated with data at rest?
A & E.
The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit. Using the table, answer the following questions. What technology could Lauren's employer implement to help prevent confidential data from being emailed out of the organization?
A DLP system or software. designed to id labeled data or data the fits specific criteria
What term is used to describe a set of common security configurations, often provided by a 3rd party?
A baseline
What term is used to secribe a starting point for a minimum security standard?
A baseline is used to ensure minimum security standard.
Your organization regularly handaled three types of data: information that is shares with customers, informaton that is used internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with custoemrs is used and stored on web servers, while both the internal business data and trade secret information are stored on internal file servers and employee workstations. What technique could you use to mark your trade secret information in case it was relaeased or stolen and you need to identify it?
A watermark. used to digitally id and indicate ownership.
What encryption algorithm would provide strong protection for data stored on a USB thumb drive?
AES, appropriate for use with data at rest.
Which data role is tasked with granting appropriate access to staff members?
Administrators
What encryption algorithm is used by both BitLocker and Microsoft's Encrypting File System?
Advanced Encryption Standard (AES)
What does labeling data allow a DLP system to do?
Allows for appropriate application of controls to the data
COBIT, Control Objectives for Information and Related Technology, is a framework for IT management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls against business requirements?
Business owners have to balance the need to provide value with regulatory, security, and other requirements
The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. The CIS benchmarks are an example of what practice?
CIS benchmarks are an example of a security baseline
Which California law requires conspicously posted privacy policies on commerical websites that collect the personal information of California residents?
California Online Privacy Protection Act (COPPA)
NISP SP 800-60 provides a process shown in the following diagram to assess information systesm. What process does this diagram show?
Categorizing and selecting controls
If Chris is one of the data owners for the organization, what steps in this process is he most likely responsibile for?
Chris is most likely responsible for steps 3(data is classified), 4(Required controls for each classification), 5 (Baseline security stds are selected for org)
What term in used to describe overwriting media to allow for its resue in an environment operating at the same sensitvity level?
Clearing preprares media for reuse.
Susan works for an American company that conducts business with customrers in the EU. What is she likely to have to do if she is respoonsible for handling PII from those customers?
Comply with Safe Harbor US-EU requirements
Which of the following classification levels is the US government's classification label for data that could cause damage but wouldn't cause seriou ro grave damage?
Confidential
Which is the proper order from least to most sensitive for US government classifications?
Confidential, Secret, Top Secret
Sue's employer has aked her to use an IPsec VPN to connect to its network. When Sue connects, what does the IPsec VPN allow her to do?
Create a private encrypted network carried via a public network and act like she is on her employer's internal network.
What data security role is primarily responsible for step 5?
Custodians
Charles has been asked to downgrade the media used for storage of private data for his organization. What process should Charles follow?
Follow the ogranization's purgining process, and then downgrade and replace labels
Lauren's multinational compnay wants to ensure compliance with the EU Data Protection Directive. If she allows data to be used against the requirements of teh notice principle and against what users slected in the choice principle, what principle has her organization violated?
Data Integrity. reliability of data and data used for its intended purpose.
Which data role is described as the person who has ultimate organizational responsibility for data?
Data Owners (CEO, etc)
Full disk encryption like Microsoft's Bit Locker is used to protect data in what state?
Data at rest
What is the primary information security risk to data at rest?
Data breach
Staff in an IT department who are delegated responsibility for day-to-day tasks hold what data role?
Data custodians are delegated the role of handling day-to-day tasks by managing overseeing how data is handled, stored and protected.
Data stored in RAM is best characterized as what type of data?
Data in use. Data stored in memory is referred to this or ephermal data (temporary storage, ie. RAM)
Which of the following does not describe data in motion?
Data on a backup tape that is being shipped to a storage facility
What data role will own responsibility for step 1, the categorization of information system, to whom will they delegate step 2, and what data role will be responsible for step 3?
Data owners, System owners, custodians
What data role does a system that is used to process data have?
Data processor
If Chris' complay operates in the EU and has been contracted to handle the data for a 3rd party, what role is his company operating in when it uses this process to classify and handle data?
Data processors (handling of data, being contracted by a company)
What term describes data that remains after attempts have been made to remove the data?
Data remanence
The government defense contractor that Saria works for has recently shut down a major research project and is planning on reusing the hundreds of thousands of dollars of systems and data storage tapes used for the project for other purposes. When Sari reviews teh company's internal processes, she finds that she can't reuse the tapes and that the manual says thaey should be destroyed. Whay isn't Saria allowed to deauss and then reuse the tapes to save her employer money?
Data remanence is a concern
What issue is the validation portion of the NIST SP 800-88 sample certificate of sanitization intended to help prevent?
Data remanence. Ensures that device was properly sanitized.
The EU Data Protection Directive's seven principles do not include which of the following key elements?
Data retention time periods.
What primary issue does personnel retention deal with?
Deals with knowledge gained during employment
What method uses a strong magnetic field to erase media?
Degaussing, uses strong magnetic fields to erase data
Incineration, crushing, shredding and disintegration all describe what stage in the life cycle of media?
Destruction. Final stage of life cycle media
Embedded data used to help identify the owner of a file is an example of what type of label?
Digital watermark
What is the best method to sanitize a solid-state drive (SSD)?
Disintegration. The NSA recommended way to destroy SSDs.
What is the best way to secure files that are sent from workstation A via the Internet service (C) to remote server E?
Encrypt the data files and send them.
Fred is preparing to send backup tapes off site to a secure 3rd party storage facility. What steps should Fred take before sending the tapes to that facility?
Ensure that the tapes are handled the same way the orginal media would be handled based on their classification
Which of the following is the least effective method of removing data from media?
Erasing
Which of the following tasks are not performed by a system owner per NIST SP 800-18?
Established rules for appropriated use and protection of data. Data owner set rules and protection.
What problem with FTP and Telnet makes using SFTP and SSH better alternatives?
FTP and Telnet do not encrypt data
Which of the following activities is not a consideration during data classification?
How much the data cost to create
What is the primary purpose of data classification?
Identifies value of data to an organization
What scenario describes data at rest?
Inactive data that is physically stored
Why might an organization use unique screen backgrounds or designs on workstations that deal with data of different classification levels?
Indicate classification level of data or system. Visual indicators assists with identification classification
The need to protect sensitive data drives what administrative process?
Information process . allows organizations to focus on data that needs to be protected.
Why is declassification rarely chosen as an option for media reuse?
It is more expensive that new media and still may fail.
Susan works in an organization that lables all removable media with the classifcation level of the data it contains, included public data. WHy would Susan's employer label all media instead of labeling only the media that contains data that could cause harm if it was exposed?
It prevents reuse of public media for senstive data
Joe works at a major pharaceutical research and development company and has been taasked with writing his organization's data retention policy. As part of its legal requirements, the organizations must comply with US FDA Code of Federal Regulations Title 21. To do so, it is required to retain records with electronic signatures. Why would a signature be part of a retention requirement?
It validates who approved the data
Alex works for a government agency that is required to meet US Federal governement requirements for data security. To meet these requirements, Alex has been tasked with making sure data is identifiable by its classification level. What should Alex do to the data?
Label the data
Whaen media is labeled based on the classification of the data it contains, what rule is typically applied regarding labels?
Media is typically labeled with the highest classification level of data it contains.
Susan's organization peforms a zero fill on hard drives before they are sent to a 3rd party organization to be shredded. What issue is her oganization attempting to avoid?
Mishandling of drives by 3rd party
If you selecting a security standard for a Windows 10 system that processes credit cards, what security standard is your best choice?
PCI DSS, Payment Card Industry Data Security Standard, provides the set of requirements for credit card processing systems
Ed has been asked to send data that his organization classifies as confidential and proprietary via email. What encryption technology would be appropriate to ensure that the contenst of the files attasched to the email remain condiedential as they traverse the Internet?
PGP-Pretty Good Privacy. Provides strong encryption of files, which can be sent via email.
What type of health information is the Heath Information Portability and Accountability Act required to protect?
PHI-Protected Health Information
Which attack helped drive vendors to move away from SSL toward TLS-only by default?
POODLE (Padding Oracle On Downgraded Legacy Encryption). Allowed attackers to easily access SSL encrypted msgs
Information maintained about an individual that can be used to distinguish or trace their idenitity is known as what type of information?
Personally Identifiable information
The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit. Using the table, answer the following questions. Lauren's employer asks Lauren to classify patient X-ray data that has an internal patient identifier associated with it but does not have any way to directly identify a patient. The company's data owner believes that exposure of the data could cause damage (but not exceptional damage) to the organization. How should Lauren classify the data?
Private
Benn has been tasked with identifying security controls for systems covered by his orgaization's information classification system. Why migh Ben choose to use a security baseline?
Provide a good starting point to scope and tailor security controls towards organization's needs
Ben is following the NIST SP 800-88 guidelines for sanitization and disposition as shown in the following diagram. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow?
Purge, validate and document (NIST 800-88)
Which of the following is not a part of the EU Data Protection principles?
Reason. Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement are the correct choices
Retaining and maintaining information for as long as it is needed is known as what?
Record retention
What type of policy dsecribes how long data is retained and maintained before destruction?
Record retention. describe how long an org should retain data and specify when destruction should occur
A new law is passed that would result in significant financial harm to your company if the data that it covers was stolen or inadvertently released. What should your organization do about this?
Review its data classifications and classify the data appropriately
What protocol is preferred over Telnet for remove server administration via command line?
SSH
Chris is responsible for workstations throughout his company and knows that some of the company's workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsibile for?
Sanitization
When a computer is removed from service and dispoed of, the process that ensures that all storage media has been removed or destroyed is known as what?
Sanitization, combination of processes used to remove data from a system or media
The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Adjusting the CIS benchmarks to your organizations' mission and your specific IT systems would involve what two processes?
Scoping (selecting appropriate controls for your IT systems) and Tailoring (matches org's mission and controls from selected baseline)
What term describes the process of reviewing baseline security controls and selecting only the controls that are appropriate for the IT system you are trying to protect?
Scoping. Occurs when you match baseline controls to IT system you want to secure.
The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. How should you determine what controls from the baseline give system or software package should receive?
Select based o the data classification of the data it stores or handles
Susan needs to provide a set of minimum security requirements for email. What steps should she recommend for her organization to ensure that the email remains secure?
Sensitive email should be encrypted and labeled
Angela is an information security architect at at bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all tranactions us TLS. What threat is she most likely attempting to stop, and what method is she using to protect against it?
Sniffing, encryption
If the systems that are being assessed all handle credit card informatin (and no other sensitive data), at what step would the PCI DSS first play an important role?
Step 2
What type of encryption is typically used for data at rest?
Symmetric encryption. AES is an example
What would be the best wasy to secure data at points B, D and F?
TLS
The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit. Using the table, answer the following questions. What type of encryption would be appropriate for HIPAA documents in transit?
TLS (protects data in transit)
Your organization regularly handaled three types of data: information that is shares with customers, informaton that is used internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with custoemrs is used and stored on web servers, while both the internal business data and trade secret information are stored on internal file servers and employee workstations. What type of encryption should you use on the file servers for the proprietary data, and how might you secure the data when it is in motion?
TLS (used for protecting data in transit)
What methods are often used to protect data in transit?
TLS, VPN, IPSec
Ben's company, which is based in the EU, hires a 3rd party organization that processes data for it. Who has responsibility to protect the privacy of the data and ensure that is not used for anyting other than its intended purpose?
The 3rd party data processor is responsible. In accordance to EU DPD.
What US government agency oversees compliance with the Safe Harbor framework for organizations wishing to use the personal data of EU citizens?
The Dept. of Commerce
Which of the following will be superceded in 2018 by the EU General Data Protection Regulation?
The EU Data Protection Directive
Fred's organization allows downgrading of systems for resue after projects have been finished and the systems have been purged. What concern should Fred raise about the resue of the systems from his Top Secret classified project for a future project classified as Secret?
The cost of sanitization may exceed the cost of new equipment
Which of the following concerns should not be part of the decision when classifying data?
The cost to classify the data
What is it cost effective to purchase high-quality media to contain sensitive data?
The value of teh data often far exceeds the cost of the media.
Chris manages a team of system administrators. What data role are they fulfilling if they conduct steps 6, 7, and 8 of the classification process?
They are administrators and custodians. Steps 6-8 are all roles for sysadmin/custodians
What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs?
They may not be cleared, resulting in data remanence
Major Hunter, a member of the US aremed forces, has been entrusted with information that, if exosed, could cause serious damage to national security. Under the US govt. classification standards, who should this data be classifed?
Top Secret
Which mapping correctly matches data classifications between nongovernment and government classification schemes?
Top Secret -Confidential/Proprietary Secret-Private Confidential-Sensitive
A US government database contains Secret, Confidential, and Top Secret data. How should it be classified?
Top Secret. Highest level of classification of the mixed data.
Safe Harbor is part of a US program to meet what EU law?
US Dept of Commerce
What security measure can provide an addtional security control in the event that backup tapes are stolen or lost?
Using AES256 encryption.
Chris is responsible for his organization's security standards and has guided the selection and implementation of a security baseline for Windows PCs in his organization. How can Chris most effectively make sure that the workstations he is responsibile for are being checked for compliance and that settings are being applied as necessary?
Using Microsoft Group Policy
Linux systems that use bcrypt are using a tool based on what DES alternative encryption scheme?
bcrypt is based on Blowfish algotrithm.
How can data retention policy help reduce liabilities?
ensures outdated data is purged, removing potential additional costs for discovery.
Your organization regularly handaled three types of data: information that is shares with customers, informaton that is used internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with custoemrs is used and stored on web servers, while both the internal business data and trade secret information are stored on internal file servers and employee workstations. What civilian data classifications best fit this data?
public (information shared w/customers), sensitive, proprietary
