DOMAIN 2 Asset Security
Data security roles
1 Data Owner/Controller - senior official, sets policies and guidelines for data sets. can be business leaders most closely related mission area (HR VP might be owner for employment info) - EU uses data controller 2 Data Steward -handles policy and governance 3. Data custodians/processors - store and process information and are often IT staff members 4 Data users - analysts, representatives, managers others in org who work with data every day. DATA SUBJECT - person referred to the in collected data System owner vs Data owner
Match each of the numbered data elements shown here with one of the lettered categories. You may used the categories once, more than once, or not at all. If a data element matches more than one category, choose the one that is most specific. Data elements 1 Medical records 2. Trade secrets 3. Social Security numbers 4. Driver's license numbers Categories A. Proprietary data b. protected health information c. personally identifiable information.
1-b 2-a 3-c 4-c
Trusted Platform Module (TPM)
A chip on the motherboard of the computer that provides cryptographic services.
Hardware Security Module (HSM)
A device that can safely store and MANAGE encryption keys. This can be used in servers, data transmission, protecting log files, etc.
Megan wants to prepare media to allow for its reuse in an environment operating at the same sensitivity level. Which of the following is the best option to meet her needs? A. Clearing B. Erasing C. Purging D. Sanitization
A. Clearing (overwriting) - unclassified data written over all addressable locations on the media Erasing is the deletion of files or media. its the worst choice here purging is more intensive form of clearing for reuse in "less secure environments" sanitizing is a series of processes that removes data from a system or media while ensuring that the data is unrecoverable by any means.
Which one of the following administrative processes assists organizations in assigning appropriate levels of security control to sensitive information? A. Data classification B. Remanence C. Transmitting Data D. Clearing
A. Data Classification. Remanence describes data left on media after an attempt is made to remove the data. Transmitting Data isn't a driver for admin process to protect sensitive data Clearing is technical process for removing data from media.
Which of the following data roles are typically found inside of a company instead of as a third-party contracting relationship? (Select all that apply) A. Data owners b. data controllers c. data custodians d. data processors
A. Data owners b. data controllers c. data custodians data processors are usually third party
Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process: 1. Criteria are set for classifying data. 2. Data owners are established for each type of data. 3. Data is classified. 4. Required controls are selected for each classification. 5. Baseline security standards are selected for the organization. 6. Controls are scoped and tailored. 7. Controls are applied and enforced. 8. Access is granted and managed. 56. If Chris is one of the data owners for the organization, what steps in this process is he most likely responsible for? A. He is responsible for steps 3, 4, and 5. B. He is responsible for steps 1, 2, and 3. C. He is responsible for steps 5, 6, and 7. D. All of the steps are his direct responsibility.
A. He is responsible for steps 3, 4, and 5.
Information maintained about an individual that can be used to distinguished or trace their identity is known as what type of information? A. Personally identifiable information (PII) b Personal health information (PHI) c social security number (SSN) d. Secure identity information (SII)
A. Personally identifiable information (PII)
What does labeling data allow a DLP system to do? A. The DLP system can detect labels and apply appropriate protections based rules B. The DLP system can adjust labels based on changes in the classification scheme. C. The DLP system can modify labels to permit requested actions. D. The DLP system can delete unlabeled data.
A. The DLP system can detect labels and apply appropriate protections based rules
Control Objectives for Information and Related Technology (COBIT) is a framework for information technology (IT) management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls against business requirements? A. Business Owners b data processors C data owners d. Data stewards
A. business owners. They have to balance the need to provide value with regulatory, security, and other requirements. Data owners are more likely to ask that those responsible for control selection identify a standard to use. Data processors are required to perform specific actions under regulations like the EU GDPR. Data stewards are internal roles that oversee how data is used.
As a DBA, Amy's data role in her organization includes technical implementations of the data policies and standards, as well as managing the data structures that the data is stored in. What data role best fits what Amy does? A. data custodian b data owner c data processor d data user
A. data custodian - Database Administrator (DBA) - technical implementations. Day to day is custodian data controller/stewards sometimes overlaps but this is custodian nonetheless. data user is the end user data processor is who uses the data on behalf of the controller
How can data retention policy help reduce liabilities? A. By ensuring that unneeded data isn't retained B. By ensuring that incriminating data is destroyed C. By ensuring that incriminating is securely wiped so it cannot be restored for legal discovery D. By by reducing the cost of data storage required by law
A. data retention policy can help to ensure that outdated data is purged, removing potential additional costs for discovery. Many organizations
Nadia's company is operating a hybrid cloud environment with some on-site systems and some cloud-based systems. She has satisfactory monitoring on-site, but needs to apply security policies to both the activities her users engage in and to report on exceptions with her growing number of cloud services. What type of tool is best suited to this purpose? A. A NGFW B. A CASB C. An IDS D. A SOAR
B. CASB. (Cloud access security broker) It's designed to sit between a cloud environment and the user who uses it. And it provides monitoring and policy enforcement capabilities. NGFW,IDS and security operations and response tool could each provide insight on what's going on but they are not purpose build and designed for this like the CASB is. The NGW and IDS are most likely to provide insight into traffic patterns. and behaviors. And SOAR is intended to monitor other systems and centralize data for response, making it potentially the least useful in this specific scenario.
Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process: 1. Criteria are set for classifying data. 2. Data owners are established for each type of data. 3. Data is classified. 4. Required controls are selected for each classification. 5. Baseline security standards are selected for the organization. 6. Controls are scoped and tailored. 7. Controls are applied and enforced. 8. Access is granted and managed. 57. Chris manages a team of system administrators. What data role are they fulfilling if they conduct steps 6, 7, and 8 of the classification process? A. They are system owners and administrators. B. They are administrators and custodians. C. They are data owners and administrators. D. They are custodians and users.
B. They are administrators and custodians.
Mikayla wants to identify data that should be classified that already exists in her environment. What type of tool is best suited to identifying data like social security numbers, credit card numbers, and similar well-understood data formats? A. Manual searching B. a sensitive data scanning tool C an asset metadata search tool D. A data loss prevention system (DLP)
B. a sensitive data scanning tool - designed to scan for and flag sensitive data using known formatting and structure. socials, credit card numbers, and other regularly structured data. Manual searching is massive underrating with even small amount of data. asset metadata needs to be set first and would have already been identified DLP system looks for data that is in transit using rules rather than hunting down data at rest and storage.
Data stored in RAM is best characterized as what type of data? A. data at rest B. data in use c. data in transit d. data at large
B. data in use data at large is not real
Chris has been put in charge of his organization's IT service management effort, and part of that effort includes creating an inventory of both tangible and intangible assets. As a security professional, you have been asked to provide Chris with security-related guidance on each of the following topics. Your goal is to provide Chris with the best answer from each of the options, knowing that in some cases more than one of the answers could be acceptable. 60. Chris knows that his inventory is only accurate at the moment it was completed. How can he best ensure that it remains up-to-date? A. perform a point-in-time query of network connected devices and update the list based on what is found B. ensure that procurement and acquisition processes add new devices to the inventory before they are deployed. C. require every employee to provide an updated inventory of devices they are responsible for on a quarterly basis D. manually verify every device in sever at each organizational location on a yearly basis.
B. ensure that procurement and acquisition processes add new devices to the inventory before they are deployed. yearly or quarterly is to infrequent, can lead to gaps some stuff isn't connected to network yet.
When media is labeled based on the classification of the data it contains, what rule is typically applied regarding labels? A. The data is labeled based on its integrity requirements. B. The media is labeled based on the highest classification level of the data it contains. C. The media is labeled with all levels of classification of the data it contains. D. The media is labeled with the lowest level of classification of the data it contains.
B. media is labeled based on highest classification of the data it contains.
Network-Based CASB
Broker intercepts traffic between the user and the cloud service, monitoring for security issues. Broker can block requests.
Which one of the following data roles bears ultimate organizational responsibility for the data? A. System owners B. Business owners C. Data Owners D. Mission Owners
C. Data Owners - CEO, president or senior employees business and mission owners typically own processes and programs system owners own system that processes sensitive data
Helen's company uses simple data lifecycle as shown in the figure here. What stage should come first in their data lifecycle? See diagram for 9 ?????-> analysis -> usage -> retention -> destruction A. Data policy creation B. data labeling C. Data collection D. Data analysis
C. Data collection Policies may be made any time Labels are added to data during analysis, usage, retention
What scenario describes date at rest? A. Data in an IPsec tunnel B. Data in an e-commerce transaction C. Data stored on a hard drive D. Data stored in RAM
C. Data stored on a hard drive
Charles has been asked to downgrade the media used for storage of private data for his organization. What process should Charles follow? A. degauss the drives, and then relabel them with a lower classification level b pulverize the drives, and then reclassify them based on the data they contain. C. Follow the organization's purging process, and then downgrade and replace labels. d. relabel the media, and then follow the organization's purging process to ensure that the media matches the label.
C. Follow the organization's purging process, and then downgrade and replace labels.
Naomi knows that commercial data is typically classified based on different criteria than government data. Which of the following is not a common criterion for commercial data classification? A. Useful lifespan B. Data Value C. Impact to national security D. Regulatory for legal requirements
C. Impact to national security
Ben has tasked with identifying security controls for systems by his organization's information classification system. Why might Ben choose to use a security baseline? A. It applies in all circumstances, allowing consistent security controls. B. they are approved by industry standard bodies, preventing liability. C. They provide a good starting point that can be tailored to organizational needs d. they ensure that systems are always in a secure state
C. They provide a good starting point that can be tailored to organizational needs
Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she using to protect against it? A. Man-in-the-middle, VPN B. Packet injection, encryption C. Sniffing, encryption D. Sniffing, TEMPEST
C. threat is sniffing. method to protect is encryption. often used to protect traffic like bank transactions from sniffing. Packet injection and MIM attacks are possible they are far less likely to occur. and VPN would use it would be encryption.
question 73
Categorizing and selecting controls
Data Life Cycle
Create (create, collecting, modification of data) Store (places into storage on prem or cloud/ make inventory) Use (systems view and process, maintainence) Share (made available through links, ACLs) Archive (retained in long term storage, can be restored) Destroy (secure disposal methods)
Staff in an information technology (IT) department who are delegated responsibility for day-to- day tasks hold what data role? A. Business owner B. User C. Data Processor D. Custodian
D. Custodian data custodian is DAY TO DAY data processor - NATURAL or LEGAL person, public authority, or other body, which processes personal data solely on behalf of the data controller
Which of the following is not a common requirement for the collection of data under data privacy laws and statutes? A. Only data that is needed is collected. B. Data should be obtained lawfully and via fair methods C. Data should only be collected with the consent of the individual whose data is being collected D. Data should be collected form all individuals equally.
D. Data should be collected form all individuals equally.
Chris is responsible for workstations throughout his company and knows that some of the company's workstations are used to handle both proprietary information and highly sensitive trade secrets. Which option best describes what should happen at the end of their life (EOL) for workstations he is responsible for? A. Erasing B. Clearing C. Sanitization D. Destruction
D. Destruction
Joe works at a major pharmaceutical research and development company and has been tasked with writing his organization's data retention policy. As part of its legal requirements, the organization must comply with the US Food and Drug Administration's Code of Federal Regulations Title 21. To do so, it is required to retain records with electronic signatures. Why would a signature be part of a retention requirement? A. It ensures that someone has reviewed the data. B. It provides confidentiality. C. It ensures that the data has not been changed. D. It validates who approved the data.
D. It validates who approved the data.
Fred wants to classify his organization's data using common labels: private, sensitive, public, and propriety. Which of the following should he apply to his highest classification level based on common industry practices? A. Private B. Sensitive C. Public D. Proprietary
D. Proprietary Confidential/Proprietary Private Sensitive Public
What methods are often used to protect data in transit? A. Telnet, ISDN, UDP B. Bitlocker, FileVault C. AES, Serpent, IDEA D. TLS, VPN, IPsec
D. TLS, VPN, IPsec AES,serpanty,IDEA are all symmetric algorithms bitlocker,filevault is data at rest telnet,udp,isdn are protocols
What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs? A. They can be used to hide data. B. They can only be degaussed. C. They are not addressable, resulting in data remanence D. They may not be cleared, resulting in data remanence.
D. They may not be cleared, resulting in data remanence.
API-based CASB
Solutions that do not interact directly with a user but rather interact directly with the cloud provider through the providers API.
Self-Encrypting Drive (SED)
Storage device that performs whole disk encryption by using embedded hardware - performs it automatically
Baseline Security
The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection.
Question 85
a
Big Data
a broad term for datasets so large or complex that traditional data processing applications are inadequate. rarely uses relational databases, key-value of NoSQL databases
What technology could amand's employer implement to help prevent confidential data from being emailed out of the organizaiton? a. dlp b. ids c. a firewall d. UDP
a dlp
What element of asset security is often determined by identifying an asset's owner? a it identifies the individuals responsible for protecting the asset b. it provides a law enforcement in case of theft. c. it helps establish the value of the asset d. it determines the security classification of the asset.
a it identifies the individuals responsible for protecting the asset - tells you who is responsible for protecting the asset
configuration managment
a system by which a product's planned and changing components are accurately identified naming convention ip convention artifacts like diagrams
Full Disk Encryption (FDE)
a technology that encrypts everything stored on a storage medium automatically, without any user interaction
Fred is preparing to send backup tapes off site to a secure 3rd party storage facility. What steps should Fred take before sending the tapes to that facility? a. Ensure that the tapes are handled the same way the original media would be handled based on their classification b. increase the classification level of the tapes because they are leaving the possession of the company c. purge the tapes to ensure that classified data is not lost d. decrypt the tapes in case they are lost in transit
a. Ensure that the tapes are handled the same way the original media would be handled based on their classification
What term is used to describe information like prescriptions and x-rays? a. PHI b. Proprietary data c. PID d. PII
a. PHI
Which of the following does not describe data in motion? a. data on a back up take that is being shipped to a storage facility b. data in a TCP packet c. data in an e-commerce transaction d. data in files being copied between locations.
a. data on a back up take that is being shipped to a storage facility
Which of the following concerns should not be part of the decision when classifying data? a. the cost to classify the data b. the sensitivity of the data c. the amount of harm that exposure of the data could cause d. the value of the data to the organization
a. the cost to classify the data
Jacob's organization uses the US government's data classification system, which includes Top secret, Secret, confidential, unclassified ratings (from most sensitive to least). Jacob encounters a system that contains Secret, confidential and top secret. how should it be classified? a. top secret b. confidential c. secret d. mixed classification
a. top secret
Watermarking
apply electronic tags to files and stuff
questions 86
b
Steve is concerned about the fact that employees leaving his organization were often privy to proprietary information. Which one of the following controls is most effective against this threat? a. sanitization b NDAs c clearing d encryption
b NDAs
Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customer is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations What type of encryption is best suited for use on the file servers for the proprietary data, and how might you secure the data when it is in motion? a. tls at rest, aes in motion b aes at rest and tls in motion c. vpn at rest and tls in motion d. des at rest and aes in motion
b aes at rest and tls in motion
Frank is reviewing his company's data lifecycle and wants to place appropriate controls around the data collection phase. Which of the following ensures that data subjects agree to the processing of their data? a retention b consent c certification d remanence
b consent remanence occurs when data remains in place, sometimes inadvertently, after it should have been removed retention is the international process of keeping and managing data. certification is not a data lifecycle process element.
Which of the following information security risks to data at rest would result in the greatest reputational impact to an organization. A. Improper classification b data breach c decryption d an intentional insider threat
b data breach its the most embarrasing
question 76
b encrypt the data files and send them file will remain secure until decrypted.
The center for Internet security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Answer the following questions based on this decision. Adjusting the CIS benchmarks to your org's mission and you rpsecific IT systems would involve what two processes? a scoping and selection b scoping and tailoring c baselining and tailoring d tailoring and selection
b scoping and tailoring scoping involves selecting only the controls that are appropriate for your IT system, while tailoring matches your org's mission and the controls from a selected baseline. baselining is the process of configuring or building a baseline itself selection isnt a technical term used for any of these processes
The center for Internet security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Answer the following questions based on this decision. How should you determine which controls from the baseline should be applied to a given system or software package? a. consult the custodians of the data b. selected based on the data classification of the data it stores or handles c apply the same controls to all systems d consult the business owner of the process the system or data supports
b select based on the data classification of the data it stores or handles
Chris is responsible for his organization's security standards and has guided the selection and implementation of a security baseline for Windows PCs in his organization. How can Chris most effectively make sure that the workstations he is responsible for are being checked for compliance and that settings are being applied as necessary? A. assign users to spot-check compliance b use Microsoft group policy c create startup scripts to apply policy at system start d periodically review the baselines with the data owner and system owners
b use Microsoft group policy group policy provides the ability to monitor and apply settings in a security baseline. manual checks by users and using startup scripts provide fewer reviews and may be prone to failure periodic reviews of the baseline won't result in compliance being checked, at all
The company Jim works for suffered from a major data breach in the past year and now wants to ensure that it knows where data is located and if it is being transferred, is being copied to a thumb drive, or is in a network file share where it should not be. Which of the following solutions is best suited to tagging, monitoring, and limiting where files are transferred to? A. DRM b. DLP c. a network IPS c. antiivirus
b. DLP DLP - can tag monitor and limit where files are transferred to. DRM - Digital Rights Management - controls how data can be used not where it is transferred. IPS can detect files that are being sent but it wont stop files from being put on workstations or thumb drives antivirus is not designed for this purpose
Full disk encryption like Microsoft bit locker is used to protect data in what state? a. Data in transit b. Data at rest c. Unlabeled Data D. Labeled data
b. Data at rest
Elle is planning her organization's asset retention efforts and wants to establish when the company will remove assets from use. Which of the following is typically the last event in a manufacturer or software provider's lifecycle? A. End of life b. End of support C. End of sales D. general availability
b. End of support - occurs after end of of life and end of sales support may still continue for months even years. general availability is around the main part of the lifecycle rather than end.
Susan works in an organization that labels all removable media with the classification level of the data it contains, included public data. Why would Susan's employer label all media instead of labeling only the media that contains data that could cause harm if it was exposed? a. It is cheaper to order all prelabeled media b. It prevents sensitive media from not being marked by mistake. c it prevents reuse of public media for sensitive data d labeling all media is required by HIPAA
b. It prevents sensitive media from not being marked by mistake. - requiring all media to have a label means that when unlabeled is found it should be suspicious.
Juanita's company processes credit cards and wants to select appropriate data security standards. What data security standard is she most likely to need to use and comply with? a. CC-comply b. PCI-dss c GLBA d. GDPR
b. PCI-dss
What type of health information is the Health Insurance Portability and Accountability Act required to protect? a. PII b. PHI c. SHI d. HPHI
b. PHI
Why is it cost effective to purchase high-quality media to contain sensitive data? A. Expensive media is less likely to fail b. The value of the data often far exceeds the cost of the media. c. Expensive media is easier to encrypt d. More expensive media typically improves data integrity
b. The value of the data often far exceeds the cost of the media.
The system that Ian has built replaces data in a database field with a randomized string of characters that remains the same for each instance of that data. What technique has he used? A. Data masking b. Tokenization c. anonymization d. DES
b. Tokenization - replaces data with random strings. then they are matched to actual values for secure lookups anonymization removes all PII to ensure that original subject cannot be identified data masking obscures some but not all data pseudonymization pseudonym or alias to replace other info
Ben has been asked to scrub data to remove data that is no longer needed by his organization. What phase of the data lifecycle is Ben most likely operating in? A. Data retention b. data maintenance c data remanence d data collection
b. data maintenance - maintenance phase is typical data lifecycle, activities like data scrubbing occur. data retention - is not phase, its s decision that orgs make based on requirements, laws or own needs. data remanence is also not phase, describes data left over. data collection is acquisition.
The company that Henry works for operates in the EU and collects data about their customers. They send that data to a third party to analyze and provide reports to help the company make better business decisions. What term best describes the third-party analysis company? A. data permanence may be an issue b. data remanence is a concern. c. the tapes may suffer from bitrot d. data from tapes can't be erased by degaussing
b. data remanence is a concern. permanence is about data lifespan bitrot is about slow loss of data on aging media
Which of the following tasks is not performed by a system owner per NIST SP 800-18? A. develops a system security plan b. establishes rules for appropriate use and protection of data c. identifies and implements security controls d. ensures that system users receive appropriate security training
b. establishes rules for appropriate use and protection of data - data owner does this
Susan's organization performs a secure disk wipe process on hard drives before they are sent to a third party organization to be shredded. What issue is her organization attempting to avoid? a. date retention that is longer than defined in policy b. mishandled of drives by the thirds party c. classification mistakes d. data permanence
b. mishandled of drives by the thirds party
What type of encryption is typically used for data at rest? a. asymmetric encryption b. symmetric encryption c. DES d. OTP
b. symmetric encryption like AES is used for data at rest asymmetric encryption is often used during transactions or communications when the ability to have public and private keys is necessary. DES is OUTDATED!!
Fred's organization allows downgrading of systems for reuse after projects have been finished and the systems have been purged. What concern should Fred raise about the reuse of the systems from his Top Secret classified project for a future project classified as Secret? a. the top secret data may be commingled with the secret data, resulting in a need to relabel the system. b. the cost of the sanitization process may exceed the cost of new equipment c. the data may be exposed as part of the sanitization process. d. the organization's DLP system may flag the new system due to the difference in data labels
b. the cost of the sanitization process may exceed the cost of new equipment. downgrading systems and media is rare due to the difficulty of ensuring that sanitization is complete. The need to completely wipe (or destroy) the media that systems use means that the cost of reuse is often significant and may exceed the cost of purchasing a new system or media. purging is to ensure no data remains, so commingling data should not bea concern not should the exposure of the data; only staff wit the proper clearance should handle the systems! DLP system should flag data based on labels not the system it comes from
question 74
c
question 75
c
question 87
c
Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customer is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations. What term best describes data that is resident in system memory? A. data at rest b buffered data c data in use d data in motion
c - data in use - data is often considered base on the data state that it is in data can be at rest (on a drive or other storage medium), in use and thus in memory or a buffer and often decrypted for use. or in transit over the network. data that is resident in system memory is data in use.
Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customer is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it? a classification b symmetric encryption c watermarks d metadata
c - water marks - used to digitally label and can be used to indicative ownership as well as to assist t a digital rights management system (DRM) in identifying data that should be protected encryption would would prevented data from being accessed if it was lost classification is part of the set of practices to make sure right controls are in place META DATA is used to label data and might help a DLP flag it before it leaves org
What encryption technology would be appropriate for HIPAA documents in transit? a. bit locker b. DES c. TLS d. SSL
c TLS
How can a data retention policy reduce liabilities? A. by reducing the amount of storage in use b. by limiting the number of data classifications c by reducing the amount of data that may need to be produced for lawsuits. d. by reducing the legal penalties for noncompliance
c by reducing the amount of data that may need to be produced for lawsuits. - reducing storage in use does not reduce liability but i can reduce financial cost data retention policies don't tend to limit the number of classifications in use legal penalties are not impact by a retention policy
What data role does a system that is used to process data have? A. Mission owner B data owner c data processor d. data custodian
c data processor
What issue is the validation portion of the NIST SP 800-88 sample certificate of sanitization intended to help prevent? A. destruction b. reuse c data remanence d attribution
c data remanence - validation processes are conducted to ensure that the sanitization process was completed, avoiding data remanence.
Alex works for a government agency that is required to meet US federal government requirements for data security. To meet these requirements, Alex has been tasked with making sure data is identifiable by its classification level when it is created. What should Alex do to the data? A. classify the data B encrypt the data c label the data d apply DRM to the data
c label the data - used to identify classification levels. DRM digital rights management provide tools how data is used encrypting data can help confidentiality and integrity. classifying the data is necessary to label it but you still have to label it
Amanda's employer asks Amanda to classify patient x-ray data that has internal patient identifier associated tih it but does not have nay way to directly identify a patient. The company's data owner believes that exposure of the data could cause damage (but no exception damage) to the organization. How should Amanda classify the data? a. public b. sensitive c. private d. confidential
c private
The company that Katie works for provides its staff with mobile phones for employee use, with new phones issued every two years. What scenario best describes this type of practice when the phones themselves are still usable and receiving operating system updates? A. EOL B. planned obsolesces c. EOS d. Device risk management
c. EOS - end of service
If you are selecting a security standard for a Windows 10 system that processes credit cards, what security standard is your best choice? A. Microsoft's Windows 10 security baseline B. The CIS Windows 10 baseline c. PCI DSS D NSA Windows 10 Secure Host Baseline
c. PCI DSS
Mike wants to track hardware assets as devices and equipment are moved throughout his organization. What type of system can help do this without requiring staff to individually check bar codes or serial numbers? A. a visual inventory. b. WiFi MAC address tracking c. RFID tags d. Steganography
c. RFID tags - can be queried wirelessly at varying ranges. as they leave or enter. visual inventory relies on staff checking items, mac addresses are for networked devices and not everything has network capability.
Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process: 1. Criteria are set for classifying data. 2. Data owners are established for each type of data. 3. Data is classified. 4. Required controls are selected for each classification. 5. Baseline security standards are selected for the organization. 6. Controls are scoped and tailored. 7. Controls are applied and enforced. 8. Access is granted and managed. 58. If Chris's company operates in the EU and has been contracted to handle the data for a third party, what roles is his company operating in when it uses this process to classify and handle data? a. business owners b. mission owners c. data processors d. data admins
c. data processors
What is the best method to sanitize a solid-state drive (SSD)? a. clearing b. zero fill c. disintegration d. degaussing
c. disintegration due to problems with remanent data, NSA requires physical description to SSDs. its called disintegration. so shredding into small pieces zero fill wipes a drive by replacing with zeros degaussing uses magnetic wipe to wipe magnetic data clearing is the process of preparing media for resuse
Which of the following is the least effective method of removing data from media? a. degaussing b. purging c. erasing d. clearing
c. erasing - deletes link to the file & and leaves the data degaussing works only on magnetic data purging and clearing both describe more elaborate removal processes
Which of the following activities is not a consideration during data classification? A. who can access the data? b. what the impact would be if the data was lost or breached c. how much the data cost to create d. what protection regulations may be required for the data
c. how much the data cost to create
Shandra wants to secure an encryption key. Which location would be the most difficult to protect, if the key was kept and used in that location? A. on a local network b. on disk c. in memory d. on a public network
c. in memory - data needs to be decrypted to be used when data is at rest on a drive or in transit vie either a LOCAL or PUBLIC network it can be encrypted until it reaches its destination or you can use strong encryption in each of those circumstances
Why is declassification rarely chosen as an option for media reuse? a. purging is sufficient for sensitive data b. sanitization is the preferred method of data removal c. it is more expensive than new media and may still fail d. clearing is the required first.
c. it is more expensive than new media and may still fail - its usually cheaper to buy new media then ensuring the data is gone.
What commercial data classification is most appropriate for data contained on corporate websites? a. private b. sensitive c. public d. proprietary
c. public
Susan needs to provide a set of minimum security requirements for email. What steps should she recommend for her organization to ensure that the email remains secure? a. all email should be encrypted. b. all email should be encrypted and labeled c. sensitive email should be encrypted and labeled d. only highly sensitive email should be encrypted
c. sensitive email should be encrypted and labeled
Chris has been put in charge of his organization's IT service management effort, and part of that effort includes creating an inventory of both tangible and intangible assets. As a security professional, you have been asked to provide Chris with security-related guidance on each of the following topics. Your goal is to provide Chris with the best answer from each of the options, knowing that in some cases more than one of the answers could be acceptable. Chris knows that his organization has more than just physical assets. In fact, his organization's business involves significant intellectually property assets, including designs and formulas. Chris needs to track inventory those assets as well. How can he most effectively ensure that he can identify and manage data throughout his organization based on its classification or type? A. track file extensions for common data types b ensure that data is collected in specific network share locations based on the data type and group that works with it c. use metadata tagging based on data type or security level d. automatically tag data by file extension type
c. use metadata tagging based on data type or security level - use tools like DLP and DRM to handle and track data based on its type and content. file extensions do not reveal data security or type relying on network share locations to secure data or inventory will lead to gaps in security as files are moved, copied and or stored locally.
Data Sanitization
clearing - overwrites sensitive information purging - similar but takes longer (degaussing or cryptographic functions) destroying - (shred, pulverize, melt, burn)
question 52
d
Susan wants to manage her data's lifecycle based on retention rules. What technique can she use to ensure that data has reached the end of its lifecycle can be identified and disposed of based on her organization's disposal process? a rotation b DRM c DLP d tagging
d tagging - tags that include information abut the life span of the data and when it has expired can help with management Tags can be a simple as timestamps or can include meta data like data type, creator rotation of files like logs is commonly done to limit how much space they take up, but rotation itself does not address disposal requirements drm digital rights management or dlp both address data security but not disposal.
Amanda has been asked to ensure that her organization's controls assessment procedures match the specific systems that the company uses. What activity best matches this task? A. asset management b compliance c scoping d tailoring
d tailoring scoping is related but involves setting the boundaries of security control implementations asset management involves how assets are overseen throughout their lifecycle compliance is broad term describing ensuring that regulations contract terms are met.
What security measure can provide an additional security control in the event that back up tapes are stolen or lost? A. keep multiple copies of the tapes b replace tape media with hard drives. c use appropriate security labels d use AES-256 encryption
d use AES-256 encryption
The center for Internet security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Answer the following questions based on this decision. The CIS benchmarks are an example of what practice? a. conducting a risk assessment b. implementing data labeling c proper system ownership d. using security baselines
d using security baselines
What is the primary purpose of data classification? A. It quantifies the cost of a data breach b It prioritizes IT expenditures c. It allows compliance with breach notification laws. d. It identifies the value of the data to the organization
d. It identifies the value of the data to the organization
Which one of the following is not considered PII under US federal government regulations? a. name b. social security number c. student ID number d. ZIP code
d. ZIP code
Which data role is tasked with apply rights that provide appropriate access to staff members? A. data processors b. business owners c. custodians d. administrators
d. administrators - have rights to apply the permissions to access and handle data. custodians are with day-to-day of HANDLING business owners are typically system or project owners, and ata processors are system use to process data.
How should you determine which controls from the baseline should applied to a given system or software package? A. The data controller b. data owner c. data subject d. data processor
d. data processor third party company is a data processor - they process data on behalf of henry's computer. which is a data controller. data is collected about data subjects data owners are tasked with making decisions about data such as who can access and receive it.
Incineration, crushing, shredding and disintegration all describe what stage in the life cycle of media? a. sanitization b. degaussing c. purging d. destruction
d. destruction
Chris has been put in charge of his organization's IT service management effort, and part of that effort includes creating an inventory of both tangible and intangible assets. As a security professional, you have been asked to provide Chris with security-related guidance on each of the following topics. Your goal is to provide Chris with the best answer from each of the options, knowing that in some cases more than one of the answers could be acceptable. Chris has been tasked with identifying intangible assets but needs to provide his team with a list of the assets they will be inventorying. Which of the following is not an example of an intangible asset? a. parents b. databases c. formulas d. employees
d. employees. patents, databases and formulas are intangible.
Retaining and maintaining information for as long as it is needed is known as what? a. data storage policy b. data storage c. asset maintenance d. record retention
d. record retention - retaining maintaining information for as long as it is needed. data storage policy describes how and why data is stored data storage is the process of actually keeping the data asset maintenance is a noninformation security related process
A new law is passed that would result in significant financial harm to your company if the data that it covers was stolen or inadvertently released. What should your organization do about this? A. select a new security baseline b. relabel the data c. encrypt all of the data at rest and in transit. d. review its data classifications and classify the data appropriately
d. review its data classifications and classify the data appropriately
Why might an organization use unique screen backgrounds or designs on workstations that deal with data of different classification levels? A. To indicate the software version in use B. To promote a corporate message c. to promote availability d. to indicate the classification level of the data or system.
d. to indicate the classification level of the data or system.
Chris has been put in charge of his organization's IT service management effort, and part of that effort includes creating an inventory of both tangible and intangible assets. As a security professional, you have been asked to provide Chris with security-related guidance on each of the following topics. Your goal is to provide Chris with the best answer from each of the options, knowing that in some cases more than one of the answers could be acceptable. 59. Chris needs to identify all of the active systems and devices on the network. Which of the following techniques will give him the most complete list of connected devices? A. query Active Directory for a list of all computer objects b. perform a port scan of all systems on the network c. ask all staff members to fill out a form listing all of their system and devices d. use network logs to identify all connected devices and track them down from there
d. use network logs to identify all connected devices and track them down from there staff might not know and might assume others are getting other "types" active directory is for accounts necessarily systems/devices port scans can help but firewalls and other security will get in the way
Information Rights Management (IRM)
enforce data rights provisioning access implementing access control models
Change Management
ensures that an organization follows a standard process for requesting, reviewing, approving, and implementing changes to information systems
Network-based DLP
monitors outgoing data looking for sensitive data, specified by an admin
Digital Rights Management (DRM)
provides content owners of IP with technical means to prevent the unauthorized use of their content through the use of encryption technology music, movies, books, video games subscription based music services use DRM today trade secrets, revoke right to access after expiration date
pattern matching
top secret, confidential, ss numbers, credit card numbers, banking, passwords
host-based dlp (spirion)
uses software agents installed on systems that search those systems for the presence of sensitive information. detecting that information allows the organization to take action to either remove or secure the data. Can also monitor system configuration and user actions, blocking undesirable actions.