CISSP - Domain 2 - Asset Security
COBIT (Control Objectives for Information and related Technology)
- It is a framework for IT management and governance. - Business owners are most likely to select and apply COBIT to balance the need for security controls against business requirements. The 5 principles of COBIT are: 1. Meeting stakeholders' needs. 2. Covering the enterprise end-to-end. 3. Applying a single integrated framework. 4. Enabling a holistic approach. 5. Separating governance from management.
NFC (Near Field Communication)
- Short-range wireless technology. - Rooted in RFID technology. - NFC is used in contactless card payments such as Apple Pay, sharing pictures, etc. - Range is 20 cm. (Refer Lesson 25 - Assess Mitigate vulnerabilities on Mobile Systems)
How can data retention policy help reduce liabilities?
- The data retention policy can help ensure that outdated data is purged, removing additional costs for discovery. Many organizations have aggressive retention policies to both reduce the cost of storage and limit the amount of data that is kept on hand and discoverable.
In a broken authentication attack, this type of account is frequently targeted.
Privileged Accounts.
NFC is rooted in this technology
RFID (Radio Frequency Identification) (Refer Lesson 25 - Assess Mitigate vulnerabilities on Mobile Systems)
1. Reduced Instruction Set Computing (RISC) 2. Complex Instruction Set Computing (CISC)
1 — Reduces the clock cycles per instruction at the cost of the number of instructions per program. - Emphasis on software - Uses more registers - Fewer addressing modes. 2 — Performs multiple operations for a single instruction. That is, it attempts to minimize the number of instructions per program, sacrificing the number of cycles per instruction. - Emphasis on hardware - Uses fewer registers - More addressing modes.
1. C. Although various information life-cycle models exist, they all begin with the creation or acquisition of the information and end with its ultimate disposal (typically destruction).
1. Which of the following statements is true about the information life cycle? A. The information life cycle begins with its archival and ends with its classification. B. Most information must be retained indefinitely. C. The information life cycle begins with its acquisition/creation and ends with its disposal/destruction. D. Preparing information for use does not typically involve adding metadata to it.
10. C. The data owner is the manager in charge of a specific business unit, and is ultimately responsible for the protection and use of a specific subset of information. In most situations, this person is not financially liable for the loss of his or her data.
10. The data owner is most often described by all of the following except A. Manager in charge of a business unit B. Ultimately responsible for the protection of the data C. Financially liable for the loss of the data D. Ultimately responsible for the use of the data
14. C. A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data. One of the responsibilities that goes into protecting this information is properly classifying it.
14. Who has the primary responsibility of determining the classification level for information? A. The functional manager B. Senior management C. The owner D. The user
15. C. If data is going to be available to a wide range of people, more granular security should be implemented to ensure that only the necessary people access the data and that the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.
15. If different user groups with different security access levels need to access the same information, which of the following actions should management take? A. Decrease the security level on the information to ensure accessibility and usability of the information. B. Require specific written approval each time an individual needs to access the information. C. Increase the security controls on the information. D. Decrease the classification label on the information.
16. B. The best answer to this question is B, because to properly classify data, the data owner must evaluate the availability, integrity, and confidentiality requirements of the data. Once this evaluation is done, it will dictate which employees, contractors, and users can access the data, which is expressed in answer A. This assessment will also help determine the controls that should be put into place.
16. What should management consider the most when classifying data? A. The type of employees, contractors, and customers who will be accessing the data B. Availability, integrity, and confidentiality C. Assessing the risk level and disabling countermeasures D. The access controls that will be protecting the data
17. D. The key to this question is the use of the word "ultimately." Though management can delegate tasks to others, it is ultimately responsible for everything that takes place within a company. Therefore, it must continually ensure that data and resources are being properly protected.
17. Who is ultimately responsible for making sure data is classified and protected? A. Data owners B. Users C. Administrators D. Management
18. D. The data retention policy should follow the laws of any jurisdiction within which the organization's data resides. It must similarly comply with any regulatory requirements. Finally, the policy must address the organization's operational requirements.
18. Which of the following requirements should the data retention policy address? A. Legal B. Regulatory C. Operational D. All the above
19. B. The data retention policy should address what data to keep, where to keep it, how to store it, and for how long to keep it. The policy is not concerned with "for whom" the data is kept.
19. Which of the following is not addressed by the data retention policy? A. What data to keep B. For whom data is kept C. How long data is kept D. Where data is kept
2. B. Although it is typically true that multiple data items are needed for a transaction, this has much less to do with the need for data consistency than do the other three options. Consistency is important because we oftentimes keep multiple copies of a given data item.
2. Ensuring data consistency is important for all the following reasons, except A. Replicated data sets can become desynchronized. B. Multiple data items are commonly needed to perform a transaction. C. Data may exist in multiple locations within our information systems. D. Multiple users could attempt to modify data simultaneously.
20. C. Data at rest is best protected using whole-disk encryption on the user workstations or mobile computers. None of the other options apply to data at rest.
20. Which of the following best describes an application of cryptography to protect data at rest? A. VPN B. Degaussing C. Whole-disk encryption D. Up-to-date antivirus software
21. B. Data in motion is best protected by network encryption solutions such as TLS, VPN, or IPSec. None of the other options apply to data in motion.
21. Which of the following best describes an application of cryptography to protect data in motion? A. Testing software against side-channel attacks B. TLS C. Whole-disk encryption D. EDLP
22. D. Two of the most common approaches to destroying data physically involve shredding the storage media or exposing it to corrosive or caustic chemicals. In certain highly sensitive government organizations, these approaches are used in tandem to make the risk of data remanence negligible.
22. Which of the following best describes the mitigation of data remanence by a physical destruction process? A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's B. Converting the 1's and 0's that represent data with the output of a cryptographic function C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes D. Exposing storage media to caustic or corrosive chemicals that render it unusable
23. C. Degaussing is typically accomplished by exposing magnetic media (such as hard disk drives or magnetic tapes) to powerful magnetic fields in order to change the orientation of the particles that physically represent 1's and 0's.
23. Which of the following best describes the mitigation of data remanence by a degaussing destruction process? A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's B. Converting the 1's and 0's that represent data with the output of a cryptographic function C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes D. Exposing storage media to caustic or corrosive chemicals that render it unusable
24. A. Data remanence can be mitigated by overwriting every bit on the storage medium. This is normally accomplished by writing all 0's, or all 1's, or a fixed pattern of them, or a random sequence of them. Better results can be obtained by repeating the process with different patterns multiple times.
24. Which of the following best describes the mitigation of data remanence by an overwriting process? A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's B. Converting the 1's and 0's that represent data with the output of a cryptographic function C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes D. Exposing storage media to caustic or corrosive chemicals that render it unusable
3. A. This is a typical set of classification levels for government and military organizations. Each of the other options has at least two terms that are synonymous or nearly synonymous.
3. Which of the following makes the most sense for a single organization's classification levels for data? A. Unclassified, Secret, Top Secret B. Public, Releasable, Unclassified C. Sensitive, Sensitive But Unclassified (SBU), Proprietary D. Proprietary, Trade Secret, Private
4. A. There are many criteria for classifying information, but it is most important to focus on the value of the data or the potential loss from its disclosure. The likelihood of disclosure, irrelevant jurisdictions, and cost considerations should not be central to the classification process.
4. Which of the following is the most important criterion in determining the classification of data? A. The level of damage that could be caused if the data were disclosed B. The likelihood that the data will be accidentally or maliciously disclosed C. Regulatory requirements in jurisdictions within which the organization is not operating D. The cost of implementing controls for the data
5. D. Data aggregation can become a classification issue whenever someone can combine data items and end up with a higher-classification aggregate. For instance, a person's name, address, phone number, or date of birth are normally not PII by themselves. However, when combined, they do become PII under the definition of most jurisdictions with applicable laws.
5. The effect of data aggregation on classification levels is best described by which of the following? A. Data classification standards apply to all the data within an organization. B. Aggregation is a disaster recovery technique with no effect on classification. C. A low-classification aggregation of data can be deconstructed into higher-classification data items. D. Items of low-classification data combine to create a higher-classification set.
6. C. Senior management.
6. Who bears ultimate responsibility for the protection of assets within the organization? A. Data owners B. Cyber insurance providers C. Senior management D. Security professionals
7. D. Cryptography can be an effective control at every phase in the information life cycle. During information acquisition, a cryptographic hash can certify its integrity. When sensitive information is in use or in archives, encryption can protect it from unauthorized access. Finally, encryption can be an effective means of destroying the data.
7. During which phase or phases of the information life cycle can cryptography be an effective control? A. Use B. Archival C. Disposal D. All the above
8. D. Data retention policies should be the primary reason for the disposal of most of our information. Senior management or lack of resources should seldom, if ever, be the reason we dispose of data, while acceptable use policies have little, if anything, to do with it.
8. A transition into the disposal phase of the information life cycle is most commonly triggered by A. Senior management B. Insufficient storage C. Acceptable use policies D. Data retention policies
9. C. Information classification is very strongly related to the information's value and/or risk. For instance, trade secrets that are the key to a business's success are highly valuable, which will lead to a higher classification level. Similarly, information that could severely damage a company's reputation presents a high level of risk and is similarly classified at a higher level.
9. Information classification is most closely related to which of the following? A. The source of the information B. The information's destination C. The information's value D. The information's age
1. superscalar processor, 2. Scalar processor
A ____________________ is one that can execute multiple instructions at the same time, whereas a ___________ can execute only one instruction at a time. You will need to know this distinction for the exam.
TLS (Transport Layer Security)
A security protocol that uses certificates and public key cryptography for mutual authentication and data encryption over a TCP/IP connection. TLS is a modern encryption method used to encrypt and protect data in transit.
Natural access control Natural surveillance Territorial reinforcement
The key components of achieving Crime Prevention Through Environmental Design (CPTED) are:
COPPA
California Online Privacy Protection Act; operators of commercial websites must post a privacy policy if they collect personal information on CA residents.
Radio Frequency Distributed Network
Cellular (Refer Lesson 25 - Assess Mitigate vulnerabilities on Mobile Systems)
Clark-Wilson features an access control triple, where subjects must access programs before accessing objects (subject-program-object).
This model dictates that the separation of duties must be enforced, subjects must access data through an application, and auditing is required.
Multicast wireless sensor network designed for "wearables"
ANT (Refer Lesson 25 - Assess Mitigate vulnerabilities on Mobile Systems)
ANT
ANT is a proprietary multicast wireless sensor network technology designed for IoT. - ANT is primarily incorporated into sports and fitness sensors (wearables) such as Fitbit. - Range is 30 meters. - Challenges are eavesdropping, interception and location identification. (Refer Lesson 25 - Assess Mitigate vulnerabilities on Mobile Systems)
24. B. Scoping involves selecting only the controls that are appropriate for your IT systems, while tailoring matches your organization's mission and the controls from a selected baseline. Baselining is the process of configuring a system or software to match a baseline or building a baseline itself. Selection isn't a technical term used for any of these processes.
Adjusting the CIS benchmarks to your organization's mission and your specific IT systems would involve what two processes? A. Scoping and selection B. Scoping and tailoring C. Baselining and tailoring D. Tailoring and selection
US Government data classification
Top Secret - Secret - Confidential - Unclassified
Three states of data
At Rest, In Transit, In Process (Use). (Refer 24.1 Web Vulnerabilities)
CISM What is the best management-level metric for a vulnerability management process?
Average time from availability of a patch to the successful application of a patch. This tells the story about how long servers are unprotected by security patches, which equates to exposure and risk of an intrusion and breach that pose potentially damaging impacts to the organization.
Interrupts can be maskable and non-maskable. Maskable interrupts can be ignored by the application or the system, whereas non-maskable interrupts cannot be ignored by the system. An example of a non-maskable interrupt can be seen in Windows when you press Ctrl-Alt-Delete.
Types of Interrupts
Sending unsolicited messages via Bluetooth
Bluejacking (Refer Lesson 25 - Assess Mitigate vulnerabilities on Mobile Systems)
Bluejacking/Bluesnarfing/Blueborne
Bluejacking - sending unsolicited messages. Bluesnarfing - unauthorized device pairing. Blueborne - exploits protocol weaknesses to take over the device. (Refer Lesson 25 - Assess Mitigate vulnerabilities on Mobile Systems)
Unauthorized device access by exploiting a Bluetooth pairing option.
Bluesnarfing (Refer Lesson 25 - Assess Mitigate vulnerabilities on Mobile Systems)
Shortwave Low Power Technology based on 802.15
Bluetooth (Refer Lesson 25 - Assess Mitigate vulnerabilities on Mobile Systems)
Bitlocker and Microsoft EFS
Both of these encryption tools use AES (Advanced Encryption Standard), the NIST-approved method that replaced DES.
The outcome of this attack is user impersonation
Broken Authentication (Refer 24.1 Web Vulnerabilities)
Connection Methods and Exploits on Mobile Technology
Cellular - Radio frequency distributed network - Denial of service. Wi-Fi - Radio frequency contained network. Bluetooth - Shortwave radio low power network (802.15 standard) - Bluejacking/Bluesnarfing. SATCOM - Satellite communication network - Injection, interception, manipulation. NFC - Near Field Communication - Eavesdropping/interception. ANT - Wearable sensor communication - Eavesdropping, interception, impersonation. (Refer Lesson 25 - Assess Mitigate vulnerabilities on Mobile Systems)
Clearing, Erasing, Purging & sanitization
Clearing - Preparing media for reuse. When media is cleared, unclassified data is written over all addressable locations of the media. Once that is completed, the media can be reused. Erasing - The deletion of files or media. This is the least effective method of media repurposing. Purging - A more intensive form of clearing for reuse in lower-security areas. Sanitization - A series of processes that removes data from a system or media while ensuring that the data is unrecoverable by any means.
Civilian Data classifications
Confidential (or proprietary) - Trade secrets. Sensitive/Private - Internal business information. Public - Information shared with customers.
Which attack drove vendors to move away from SSL towards TLS-only by default?
The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack helped force the move from SSL 3.0 to TLS.
Unintentional distribution of data
Data Leakage (Refer Lesson 25 - Assess Mitigate vulnerabilities on Mobile Systems)
This type of credential should always be changed before putting a system or application into production.
Default Credentials. (Refer 24.1 Web Vulnerabilities)
Methodology of integrating development, operations and security
DevSecOps. (Refer 24.1 Web Vulnerabilities)
CISM Why do we need different Control Frameworks?
Different control frameworks are indeed associated with different industries. For instance, PCI controls are used in organizations that store, process, or transmit credit card information, and NIST 800-53 controls are used in U.S. federal government agencies and organizations that provide information services to those agencies.
Downgrading systems for reuse from Top Secret to lower classification project
Downgrading is not recommended because of data remanence and also the cost of sanitization may exceed the cost of new equipment.
This occurs when the threat agent successfully takes advantage of a vulnerability
Exploit. (Refer 24.1 Web Vulnerabilities)
33. B. Downgrading systems and media is rare due to the difficulty of ensuring that sanitization is complete. The need to completely wipe (or destroy) the media that systems use means that the cost of reuse is often significant and may exceed the cost of purchasing a new system or media. The goal of purging is to ensure that no data remains, so commingling data should not be a concern, nor should the exposure of the data; only staff with the proper clearance should handle the systems! Finally, a DLP system should flag data based on labels, not on the system it comes from.
Fred's organization allows downgrading of systems for reuse after projects have been finished and the systems have been purged. What concern should Fred raise about the reuse of the systems from his Top Secret classified project for a future project classified as Secret? A. The Top Secret data may be commingled with the Secret data, resulting in a need to relabel the system. B. The cost of the sanitization process may exceed the cost of new equipment. C. The data may be exposed as part of the sanitization process. D. The organization's DLP system may flag the new system due to the difference in data labels.
NIST 800 18
Guide for Developing Security Plans for Federal Information Systems. Documentation Topics
NIST SP 800-122
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
Rules associated with making a connection
Handshake (Refer Lesson 25 - Assess Mitigate vulnerabilities on Mobile Systems)
6. A. A data retention policy can help to ensure that outdated data is purged, removing potential additional costs for discovery. Many organizations have aggressive retention policies to both reduce the cost of storage and limit the amount of data that is kept on hand and discoverable. Data retention policies are not designed to destroy incriminating data, and legal requirements for data retention must still be met.
How can a data retention policy help to reduce liabilities? A. By ensuring that unneeded data isn't retained B. By ensuring that incriminating data is destroyed C. By ensuring that data is securely wiped so it cannot be restored for legal discovery D. By reducing the cost of data storage required by law
OWASP Top 5 Mobile Application Flaws
Improper Platform Usage Insecure Data Storage Insecure Communication Insecure Authentication Insufficient Cryptography (Refer Lesson 25 - Assess Mitigate vulnerabilities on Mobile Systems).
CISM Internal Audit Function in US Public Companies
In a U.S. public company, an internal audit function is required to audit the financially relevant business processes and their supporting business applications and IT infrastructure to provide reasonable assurances about the integrity of financial reports produced by the organization to its shareholders. This is required because in 2002, Congress passed the Sarbanes-Oxley Act (SOX) to protect shareholders and the general public from accounting errors and fraudulent practices in enterprises and to improve the accuracy of corporate disclosures. The act sets deadlines for compliance and publishes rules on requirements.
69. D. Destruction is the final stage in the lifecycle of media and can be done via disintegration, incineration, or a variety of other methods that result in the media and data being nonrecoverable. Sanitization is a combination of processes used when data is being removed from a system or media. Purging is an intense form of clearing, and degaussing uses strong magnetic fields to wipe data from magnetic media.
Incineration, crushing, shredding, and disintegration all describe what stage in the lifecycle of media? A. Sanitization B. Degaussing C. Purging D. Destruction
What is the process of restricting input and output based on specific parameters known as?
Input/Output Validation (Refer 24.1 Web Vulnerabilities)
Checking compliance on Windows PC
It can be done through Microsoft Group Policy, which provides the ability to monitor and apply the settings in the security baseline.
Primary purpose of data classification
It identifies the value of data to the organization.
Sherwood Applied Business Security Architecture (SABSA)
It is an EA framework that intersects the six communication questions (What, Why, Where, and so on) with six layers (operational, component, physical, logical, conceptual, and contextual). This model and methodology was developed for risk-driven enterprise information security architectures.
Zachman Framework for Enterprise Architecture
It is an Enterprise Architecture Framework that uses a matrix: the rows categorize the views of different players in the organization, based on the decision criteria specified in the columns. The column headers describe the What, How, Where, When and Why.
The Open Group Architectural Framework (TOGAF) offers a methodological approach to Enterprise Architecture design, planning, implementation, and governance. The open nature of the framework allows organizations to avoid vendor lock-in with proprietary Enterprise Architecture solutions, allowing them to scale and adapt without running into significant cost, security, and technology-integration issues.
It is an enterprise architecture framework that is based on four interrelated domains: technology, applications, data, and business.
CIS Benchmark
It is an example of a security baseline.
48. D. Electronic signatures, as used in this rule, prove that the signature was provided by the intended signer. Electronic signatures as part of the FDA code are intended to ensure that electronic records are "trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper." Signatures cannot provide confidentiality or integrity and don't ensure that someone has reviewed the data.
Joe works at a major pharmaceutical research and development company and has been tasked with writing his organization's data retention policy. As part of its legal requirements, the organization must comply with the U.S. Food and Drug Administration's Code of Federal Regulations Title 21. To do so, it is required to retain records with electronic signatures. Why would a signature be part of a retention requirement? A. It ensures that someone has reviewed the data. B. It provides confidentiality. C. It ensures that the data has not been changed. D. It validates who approved the data.
Purpose of labelling all removable media with a classification
Labeling every piece of removable media means that any unlabeled media you find should be considered suspicious. This helps prevent mistakes that might leave sensitive data unlabeled.
84. D. The principle of data portability says that the data subject has the right to receive personal information and to transfer that information to another data controller. The principle of data integrity states that data should be reliable and that information should not be used for purposes other than those that users are made aware of by notice and that they have accepted through choice. Enforcement is aimed at ensuring that compliance with principles is assured. Onward transfer limits transfers to other organizations that comply with the principles of notice and choice.
Lauren's multinational company wants to ensure compliance with the EU GDPR. Which principle of the GDPR states that the individual should have the right to receive personal information concerning himself or herself and share it with another data controller? A. Onward transfer B. Data integrity C. Enforcement D. Data portability
Why do organizations require destruction of media after completion of the retention period?
The main concern is data remanence, and the cost of media is lower than the potential cost of data exposure. Also, it is difficult to guarantee that reused media does not contain remanent data.
Shortwave wireless technology used in commerce
NFC (Near field Communications) (Refer Lesson 25 - Assess Mitigate vulnerabilities on Mobile Systems)
NIST 800 88
NIST guidelines for media sanitization and disposition, to prevent data remanence.
Non-profit that publishes the Top Mobile Application Flaws
OWASP top 5 (Refer Lesson 25 - Assess Mitigate vulnerabilities on Mobile Systems)
OWASP (Open Web Application Security Project)
Open Community dedicated to software safety and security
Scoping and Tailoring
Scoping - involves selecting only the controls relevant to your IT systems. Tailoring - adjusting the controls from a selected baseline to your organization's mission.
NIST 800-60
Guide for mapping types of information and information systems to security categories/classification.
Enterprise Architecture (EA)
Security and governance can be enhanced by implementing an ____________________ plan. This is the practice within information technology of organizing and documenting a company's IT assets to enhance planning, management, and expansion. The primary purpose of using _____________ is to ensure that business strategy and IT investments are aligned.
What issue is common to spare sectors and bad sectors on hard drives as well as over-provisioned space on modern SSD's?
Such drives may contain data that was written to that space and that will not be cleared when the drive is wiped, which may cause data remanence, as most wiping utilities cannot clear that space because of OS limitations.
Simple security property (ss property)—A subject at one level of confidentiality is not allowed to read information at a higher level of confidentiality. Star * security property—A subject at one level of confidentiality is not allowed to write information to a lower level of confidentiality. Strong star * property—This property states that a subject cannot read or write to an object of higher or lower sensitivity.
The Bell-LaPadula state machine model enforces confidentiality. This model uses mandatory access control to enforce the DoD multilevel security policy. For subjects to access information, they must have a clear need to know, and must meet or exceed the information's classification level.
Simple integrity property—This property states that a subject at one level of integrity is not permitted to read an object of lower integrity. Star * integrity property—This property states that an object at one level of integrity is not permitted to write to an object of higher integrity. Invocation property—This property prohibits a subject at one level of integrity from invoking a subject at a higher level of integrity.
The Biba model was the first model developed to address the concerns of integrity. Originally published in 1977, this lattice-based model has the following defining properties:
Tokens—Communicate security attributes before requesting access Capability lists—Offer faster lookup than security tokens but are not as flexible Security labels—Used by high-security systems because labels offer permanence. This is provided only by security labels.
The reference monitor design is based on:
Fail-safe - Example: the locks open so that employees can exit safely in case of fire or loss of power. Fail-secure - Example: the building is locked down and secured in case of terrorist activity; likewise, when a system crashes, it goes into a secure state.
The terms fail-safe and fail-secure have very different meanings when discussed in physical security versus logical security.
Why is it cost effective to purchase high quality media to contain sensitive data?
The value of the data often exceeds the cost of the media.
DLP software - DLP monitors and controls endpoint activities, filters data streams on corporate networks, and monitors data in the cloud to protect data at rest, in motion, and in use.
These systems use labels on data to determine the appropriate controls to apply to the data. They are not real-time systems and do not integrate with firewalls, etc.; however, ___________ classifies regulated, confidential and business-critical data and identifies violations of the policies defined by the organization.
SQL Injection
This attack tricks an application into sending unintended commands to the interpreter.
IT Infrastructure Library (ITIL)
This is a governance framework that specifies a set of processes, procedures, and tasks that can be integrated with the organization's strategy, delivering value and maintaining a minimum level of competency. It can be used to create a baseline from which the organization can plan, implement, and measure its governance progress.
12. D. Spare sectors, bad sectors, and space provided for wear leveling on SSDs (overprovisioned space) may all contain data that was written to the space that will not be cleared when the drive is wiped. Most wiping utilities only deal with currently addressable space on the drive. SSDs cannot be degaussed, and wear leveling space cannot be reliably used to hide data. These spaces are still addressable by the drive, although they may not be seen by the operating system.
What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs? A. They can be used to hide data. B. They can only be degaussed. C. They are not addressable, resulting in data remanence. D. They may not be cleared, resulting in data remanence.
63. A. Sanitization is the combination of processes used to remove data from a system or media. When a PC is disposed of, sanitization includes the removal or destruction of drives, media, and any other storage devices it may have. Purging, destruction, and declassification are all other handling methods.
When a computer is removed from service and disposed of, the process that ensures that all storage media has been removed or destroyed is known as what? A. Sanitization B. Purging C. Destruction D. Declassification
92. C. The cost of the data is not directly included in the classification process. Instead, the impact to the organization if the data were exposed or breached is considered. Who can access the data and what regulatory or compliance requirements cover the data are also important considerations.
Which of the following activities is not a consideration during data classification? A. Who can access the data B. What the impact would be if the data was lost or breached C. How much the data cost to create D. What protection regulations may be required for the data
11 C. The US government uses the label Confidential for data that could cause damage if it was disclosed without authorization. Exposure of Top Secret data is considered to potentially cause grave damage, while Secret data could cause serious damage. Classified is not a level in the US government classification scheme.
Which of the following classification levels is the United States (U.S.) government's classification label for data that could cause damage but wouldn't cause serious or grave damage? A. Top Secret B. Secret C. Confidential D. Classified
60. B. The GDPR does include requirements that data be processed fairly, maintained securely, and maintained accurately. It does not include a requirement that information be deleted within one year, although it does specify that information should not be kept longer than necessary.
Which of the following is not one of the European Union's General Data Protection Regulation (GDPR) principles? A. Information must be processed fairly. B. Information must be deleted within one year of acquisition. C. Information must be maintained securely. D. Information must be accurate.
73. B. The data owner sets the rules for use and protection of data. The remaining options all describe tasks for the system owner, including implementation of security controls.
Which of the following tasks is not performed by a system owner per NIST SP 800-18? A. Develops a system security plan B. Establishes rules for appropriate use and protection of data C. Identifies and implements security controls D. Ensures that system users receive appropriate security training
NIST 800-53
Which NIST publication defines the catalog of security and privacy controls for federal information systems and organizations?
TCB
______ is tasked with enforcing the security policy; it is also the sum of all protection mechanisms within a computer system that have been evaluated for security assurance. This includes the hardware, firmware, and software within the ____.
Reference Monitor
____________________ is the abstract access-validation concept that the security kernel implements. The ___________'s job is to validate every access to an object by an authorized subject. It operates at the boundary between the trusted and untrusted realms.