ISC - S3M4 - Confidentiality and Privacy

31. Which of the following safeguards should a company implement to mitigate the risk of accidental deletion or modification by a user? A. Physical security controls B. Digital security controls C. Change management controls D. Backup controls

Backup controls - Backup and recovery controls are redundancy defenses that protect data so it is not lost and can be restored in the event of a disaster, cyberattack, or accidental deletion or modification.

14. What is a major disadvantage to using symmetric encryption to encrypt data? A. The private key cannot be broken into fragments and distributed to the receiver. B. Both sender and receiver must have the private key before this encryption method will work. C. The private key is used by the sender for encryption but not by the receiver for decryption. D. The private key is used by the receiver for decryption but not by the sender for encryption.

Both sender and receiver must have the private key before this encryption method will work - With symmetric encryption, both parties use the same key to encrypt and decrypt the message so that the key must be shared. This would require a unique private key for each entity with which one wanted to share encrypted data. In asymmetric encryption, the private key is not shared and the public key provides the other half necessary to encrypt/decrypt.

22. If an organization wants to securely send confidential information by scrambling plaintext found in the message into ciphertext to make it unreadable for anyone other than the recipient, it is implementing: A. Data encryption. B. A digital certificate. C. A default-deny policy. D. Network intrusion detection.

Data encryption - Encryption is an essential foundation for electronic commerce. Encryption involves using a password or a digital key to scramble a readable (plaintext) message into an unreadable (ciphertext) message. The intended recipient of the message then uses another digital key to decrypt or decipher the ciphertext message back into plaintext.

11. When new systems are being designed, developed, tested, and implemented, which of the following best describes the general process of replacing production data or sensitive information with data that is less valuable to unauthorized users? A. Data storage B. Data processing C. Data obfuscation D. Data purging

Data obfuscation - The process of replacing production data or sensitive information with data that is less valuable to unauthorized users is called data obfuscation. Methods of data obfuscation include encryption, tokenization, and masking.

23. A digital signature is used primarily to determine that a message is: A. Not intercepted in route. B. From an authentic sender. C. Received by the intended recipient. D. Sent to the correct address.

From an authentic sender - A digital signature is a means of ensuring that the sender of a message is authentic. The digital signature uses encryption so that the recipient of a message can be assured that it is from the sender that is shown.

13. Pearlin Corporation has the following unaltered data used in a research study: Riley Smith SSN 123-45-6789. A transformation method was used to create the following: R. Smith SSN ****-**-6789. Which of the following terms best describes the specific transformation method used by the researcher? A. Tokenization B. Encryption C. Obfuscation D. Masking

Masking - Masking swaps data with other like data so that the original identifying characteristics are disguised, or masked, while maintaining a similar structure to the unmodified data set. The modified data set's aggregate value remains intact, allowing insights and the data to be extracted. There are different forms of masking, including shuffling, scrambling, substitution, nullifying, and masking out, in which all or part of the data's value is swapped with a single character, such as an asterisk.

28. Which of the following best describes the primary function of data loss prevention (DLP) systems? A. Prevent external cyberattacks on organizational networks. B. Identify where sensitive data is stored. C. Encrypt sensitive data stored within organizational databases. D. Monitor and prevent attempts to transfer sensitive information out of the organization electronically.

Monitor and prevent attempts to transfer sensitive information out of the organization electronically - The primary function of data loss prevention (DLP) systems is to monitor and prevent attempts to transfer sensitive information out of the organization electronically.

7. Barlings Co. is an organization specializing in providing payroll services to other businesses. As part of Barlings Co.'s safeguarding of data, the organization wishes to create policies and procedures related to the collection of data. As part of the development of comprehensive policies and procedures, each of the following would likely be included except for which of the following? A. Incident response B. Lifecycle of personal identifiable information (PII) C. Payroll best practices D. Consequences of violations

Payroll best practices - Best practices related to payroll processes are more relevant to Barlings Co.'s customers and would not be considered to be a part of the development of the data collection policies and procedures.

20. Which of the following describes how a document is encrypted? A. A system verifies the identity of the person or device attempting access. B. A sender uses an algorithm to convert cleartext to ciphertext. C. A system issues pairs of public and private keys and corresponding digital certificates. D. A sender transforms plaintext into a hash for the recipient to compare to the document.

A sender uses an algorithm to convert cleartext to ciphertext - Data encryption is a method of mitigating the risk of data breaches and data loss through the application of cryptography so that data is protected during its collection, processing, and storage. Cryptography involves applying an algorithm to transform or encrypt plaintext data into ciphertext. Using an algorithm to convert cleartext in a document to ciphertext meets the definition of encryption.

26. Which of the following examples would be considered types of data loss prevention (DLP) systems? A. Cloud-based B. Network-based C. Endpoint-based D. All of the above

All of the above - Data loss prevention (DLP) systems enable organizations to detect and prevent attempts by employees or unauthorized users to transfer sensitive information out of the organization electronically across multiple protocols, ports, and communication methods. Common DLP systems would include network-based, cloud-based, and endpoint-based.

1. When a law firm sends its client an electronic form with sensitive information to sign, it seeks the most secure method of encryption. Which method of encryption is most likely used to enhance the security of transmitted information? A. No encryption B. Password protection C. Symmetric encryption D. Asymmetric encryption

Asymmetric encryption - Asymmetric encryption would most likely be used by a law firm to send a client an electronic form for digital signature. This data encryption method uses two keys, a public key and a private key. The public key is used to encrypt the message (similar to acting as a lock), and the private key to decrypt it (unlock the lock)—or vice versa. This adds extra security because only the two opposite keys can be used in tandem, which would make it ideal for a digital signature of an electronic document with sensitive information.

30. When protecting and storing sensitive data, safeguards should be in place to protect data during collection, processing, storage, transmission, and purging. Which safeguard would utilize mechanisms such as role-based controls, rule-based controls, discretionary controls, and multifactor authentication? A. Change management controls B. Authorization and user access controls C. Digital security controls D. Backup and recovery mechanisms

Authorization and user access controls - Authorization and user access controls include control mechanisms, such as role-based access controls, rule-based access controls, discretionary access controls, and multifactor authentication.

4. In the context of cybersecurity, which term best describes the protection of unauthorized access to information gathered by a company? A. Privacy B. Authentication C. Confidentiality D. Conversion

Confidentiality - NIST defines confidentiality as preserving authorized restrictions on access and disclosure of data, including means for protecting personal privacy and proprietary information. In essence, it means confidentiality protects unauthorized access to information gathered by a company.

5. Which of the following scenarios best illustrates the concept of confidentiality in the context of cybersecurity? A. Confidentiality protects unauthorized access to publicly available information gathered by the company. B. Confidentiality does not require organizations to protect all personal information that they collect or maintain during normal business. C. Confidentiality is the process of increasing the reliance on automation related to data collection. D. Confidentiality preserves authorized restrictions on access and disclosure of data, including means for protecting personal privacy.

Confidentiality preserves authorized restrictions on access and disclosure of data, including means for protecting personal privacy - . NIST defines confidentiality as preserving authorized restrictions on access and disclosure of data, including means for protecting personal privacy and proprietary information.

18. Which of the following best describes the primary purpose of encrypting data, whether it is stored on a server or being transmitted across networks? A. Compress data and optimize storage capacity. B. Convert data into an unreadable format using industry-standard algorithms, preventing unauthorized access. C. Delete data permanently to prevent any potential breaches. D. Simplify data access for authorized users and facilitate efficient retrieval and use.

Convert data into an unreadable format using industry-standard algorithms, preventing unauthorized access - The primary purpose of encrypting data, whether stored on a server or transmitted across networks, is to convert data into an unreadable format using industry-standard algorithms, preventing unauthorized access.

27. Each of the following would be considered main objectives and best practices of data loss prevention (DLP), except which of the following? A. Developing a program to monitor the use of sensitive data, understand sensitive data usage patterns, and gain enterprise visibility B. Developing a program to implement a centralized DLP program, with collaboration from various departments, which oversees data for the entire organization C. Developing a program to implement a decentralized DLP program, with limited oversight of data for the entire organization, and spreading responsibility across various departments D. Developing a program to implement employee education programs

Developing a program to implement a decentralized DLP program, with limited oversight of data for the entire organization, and spreading responsibility across various departments - DLP systems enable organizations to detect and prevent attempts by employees or unauthorized users to transfer sensitive information out of the organization electronically across multiple protocols, ports, and communication methods. Implementing a decentralized DLP program with limited oversight of data for the organization would make detecting data loss more difficult. Therefore, it would be the least likely to be considered a main objective and best practice of data loss prevention.

9. A multinational corporation stores and processes large volumes of sensitive customer data, including personally identifiable information (PII). To ensure compliance with privacy regulations and mitigate potential risks, the organization has implemented various controls and data management practices. Which of the following actions would be most effective for the organization to securely manage the collected data? A. Sharing customer data with third-party vendors without proper contractual agreements in place. B. Encouraging employees to store sensitive data on their personal devices to facilitate remote work. C. Employing access control mechanisms to restrict unauthorized access to personal information. D. Conducting regular audits of employee workstations to ensure compliance with data handling policies.

Employing access control mechanisms to restrict unauthorized access to personal information - Employing access control mechanisms to restrict unauthorized access to personal information is the most effective measure of the answer choices for securely managing collected data, as it ensures that only authorized individuals can access sensitive information, thereby mitigating the risk of data breaches and maintaining compliance with privacy regulations.

21. During the process of electronically transmitting data, which of the following IT controls would provide the most assurance that unauthorized disclosure of sensitive information would be prevented? A. Restricted access B. Encryption C. A strongly worded confidentiality warning D. Separate transmission of the data file and its password

Encryption - Encryption as an IT control involves using a digital key or password to scramble a readable message into something that is unreadable. The recipient of the transmitted data then uses another digital key or password to unscramble the message back into readable form. The use of separate keys or passwords provides more assurance that the intended recipient receives the message.

10. Which of the following actions is essential for organizations to ensure compliance with data management practices regarding data deletion and purging? A. Providing employees with unrestricted access to delete or modify data sets as needed. B. Establishing policies to regularly back up all data sets to prevent accidental loss. C. Relying solely on physical destruction methods, such as shredding, for data purging purposes. D. Establishing criteria to identify which data should be retained based on relevance and required duration of storage.

Establishing criteria to identify which data should be retained based on relevance and required duration of storage. - The practice of establishing criteria to identify which data should be retained based on relevance and required duration of storage: 1) aligns with proper data management practices regarding data deletion and purging and 2) ensures that only necessary data is retained. Both of these reasons help reduce the risk of unnecessary data accumulation and facilitate compliance with regulations.

Which of the following pairs of techniques best provides for roughly the same level of assurance about the enforceability of a digitally signed transaction as an inked signature provides for a paper-based transaction? A. Hashing and asymmetric encryption B. Hashing and symmetric encryption C. Data masking and symmetric encryption D. Data masking and asymmetric encryption

Hashing and asymmetric encryption - Hashing involves mapping large quantities of data into a smaller table for the purpose of recovering data more rapidly. It is also utilized in the encryption of advanced and digital signatures. Data masking involves breaking the linkage between data and the individual to whom the data is associated through the removal of personal identifiers. Encryption involves using a password or digital key to scramble readable information into unreadable information. The two types of encryption are symmetric (the sender and the recipient use the same shared key) and asymmetric (two keys, one public and the other private, are used). Asymmetric encryption is considered to be more secure.

15. When considering the impacts of a data breach on an organization, which of the following best describes a financial implication of the data breach? A. Impact from existing customers who no longer wish to use the organization's services due to the data breach B. Time lost due to delays in communication with the organization's vendors C. Reallocation of internal resources from focusing on other organization tasks to focus on resolving the data breach issues D. Delays in the ability to process customer orders by a few hours while the data breach is being resolved

Impact from existing customers who no longer wish to use the organization's services due to the data breach - Revenue lost from existing customers who no longer use the organization's services and instead use a competitor's services is an example of temporary or permanent lost revenue that may be a financial implication from a data breach.

HideIt Company uses data encryption for certain key data in its application systems. Which of the following statements is correct with respect to data encryption? A. In asymmetric encryption, a public key is used to encrypt messages. The same public key is transmitted along with the message and is used to decrypt the message at the other end. B. Data encryption is based on the concept of keys. With data encryption, the sophistication of the encryption algorithm is important and the length of the key is not significant. C. In asymmetric encryption, a public key is used to encrypt messages. A private key is normally used to decrypt the message at the other end. D. Symmetric encryption techniques are much more computationally intensive than asymmetric encryption techniques.

In asymmetric encryption, a public key is used to encrypt messages. A private key is normally used to decrypt the message at the other end - n asymmetric encryption, a public key is used to encrypt messages. A private key (which is never transmitted) is used to decrypt the message at the other end. There are two keys. Effectively, anyone can encrypt a message, but only the intended recipient can decrypt the message.

8. Potenza Corporation collects and manages data subject to privacy regulations. As part of Potenza Corporation's data processing using sensitive data Potenza Corporation contracted with Michelle to provide recommendations on helping Potenza Corporation reduce its risks while processing data. Which of the following recommendations w processing sensitive data? A. Potenza Corporation should remove or obfuscate personal information from the dataset so that the information and data remaining would not identify an individual. B. Potenza Corporation should prohibit or strictly limit access to personal information from mobile devices such as cell phones and laptops. C. Potenza Corporation should establish the policies to determine the datasets subject to being archived or purged. D. Potenza Corporation should require that all individuals within the organization receive appropriate training to understand relevant guidelines.

Potenza Corporation should remove or obfuscate personal information from the dataset so that the information and data remaining would not identify an individual - Removing enough personal information such that the remaining information does not identify an individual would be an example of de-identifying sensitive data. This practice helps reduce the risk of personal identifiable information from being inappropriately accessed since such key personal information would be removed or obfuscated prior to processing data.

2. Which of the following best describes confidentiality in accordance with the National Institute of Standards and Technology (NIST)? A. The removal of production data and replacement with a surrogate value or token, which may be generated using random number generators by hashing B. Scrambling of unencrypted data using cryptography so that the data can generally only be deciphered with a key C. The right of a party to maintain control and concealment of information about itself D. Preserving authorized restrictions on access and disclosure of data, including means for protecting personal privacy and proprietary information

Preserving authorized restrictions on access and disclosure of data, including means for protecting personal privacy and proprietary information - NIST defines confidentiality as preserving authorized restrictions on access and disclosure of data, including means for protecting personal privacy and proprietary information.

3. Within the context of cybersecurity, which of the following is best described as the protection of the rights of an individual, giving the individual control over what information they are willing to share with others? A. Confidentiality B. Personal identifiable information (PII) C. Privacy D. Data loss prevention (DLP) systems

Privacy - NIST defines privacy as the right of a party to maintain control and confidentiality of information about itself. Privacy protects the rights of an individual and gives the individual control over what information they are willing to share with others.

6. A company's client database contains sensitive information that, if compromised, would damage the company's reputation. Each of the following is an example of a preventive control that would protect such sensitive information, except: A. Implementing network access controls within the internal IT environment to act as deterrents to intruders. B. Managing user identity and logical access to protect from unauthorized use and access by employees. C. Reporting incident alerts to the IT manager when an external party unsuccessfully tries to log on to the network. D. Using encryption to protect data in transit and to provide a barrier to someone who has obtained unauthorized access to sensitive information.

Reporting incident alerts to the IT manager when an external party unsuccessfully tries to log on to the network - Reporting an incident of unsuccessful access is a form of detective control. Detective controls are designed to detect irregularities that may have occurred.

19. When a user connects to a VPN server to access resources and browse the internet securely, what type of encryption is employed to protect the data exchanged between the user's device and the VPN server? A. Hashing B. Masking C. Ciphers D. Symmetric

Symmetric - Symmetric encryption involves a single shared or private key for encryption and decryption of data within a group. The private key is used by all members of the group to both encrypt and decrypt data. It can be in the form of a number, a letter, or a string of random numbers and letters. Symmetric encryption is employed to protect the data exchanged between a user's device and the VPN server.

29. Which of the following is not a true statement of user access? A. The Information Officer does not need to know about position promotions, demotions, or lateral moves. B. Human Resources and Information Technology should coordinate to monitor changes in position and thereby control user access. C. Involvement of an Information Security Officer may depend upon the level of security granted to an account. D. User accounts are often the first target of a hacker who has gained access to an organization's network.

The Information Officer does not need to know about position promotions, demotions, or lateral moves - The information officer needs to know about position promotions, demotions or lateral moves. From a productivity standpoint, it is important to have procedures in place to address promotions, lateral moves, or demotions within the company. If job/roles change and access doesn't, the employee may not be able to perform new job functions since unrevised access rights associated may no longer be appropriate.Also, if access needed for a previous position is not removed, a single individual could have access to incompatible areas of the system, thus compromising segregation of duties.

Which of the following reasons would mostly likely result in an organization emphasizing the importance of mitigating risk over potential data breaches? A. The increase in time needed to establish and update data breach policies B. The resource management required to monitor and address a data breach C. The financial and operational implications of a data breach D. The regulatory environment and changes to applicable laws pertaining to the organization

The financial and operational implications of a data breach - Data breaches have both financial and operational implications, for which an organization will likely want to emphasize a reduction in risk through management of data breaches.

17. Which of the following is true regarding asymmetric and symmetric encryption? A. They act as a "tree of trust" that's checked each time a certificate is presented as proof of one's identity. B. They are intended for commercial use and typically use an electronic stamp of authentication. C. They create legally-binding electronic documents. D. They are a system and process that use public, private, or shared keys to protect data.

They are a system and process that use public, private, or shared keys to protect data - Encryption methods are used to protect data at rest and data in transmit by using algorithms to convert plaintext into ciphertext. The two most common forms of encryption are symmetric and asymmetric encryption. Messages transmitted or stored using encryption are encrypted and decrypted by using a combination of shared, private, or public keys. A sender either encrypts a plaintext message using a shared or private key and a receiver decrypts the ciphertext using the shared key or a private key.

12. Which of the following most appropriately matches a common data obfuscation method with the correct definition? A. Tokenization removes production data and replaces it with a surrogate value. B. Masking scrambles unencrypted data using cryptography so that it can generally only be deciphered with a key. C. Encryption swaps data with other like data so that the original identifying characteristics are disguised, or masked, while maintaining a similar structure to the unmodified data set. D. Data loss prevention systems enable organizations to detect and prevent attempts by employees or unauthorized users to transfer sensitive information out of the organization electronically across multiple protocols, ports, and communication methods.

Tokenization removes production data and replaces it with a surrogate value - Tokenization removes production data and replaces it with a surrogate value or token. Tokens can be generated using random number generators; by hashing, which transforms data using mathematical algorithms; or by encryption.