CISSP - Asset Security Domain - Review & Practice Questions

Ace your homework & exams now with Quizwiz!

How can a data retention policy help to reduce liabilities? A. By ensuring that unneeded data isn't retained B. By ensuring that incriminating data is destroyed C. By ensuring that data is securely wiped so it cannot be restored for legal discovery D. By reducing the cost of data storage required by law

A. A data retention policy can help to ensure that outdated data is purged, removing potential additional costs for discovery. Many organizations have aggressive retention policies to both reduce the cost of storage and limit the amount of data that is kept on hand and discoverable. Data retention policies are not designed to destroy incriminating data, and legal requirements for data retention must still be met.

What term is used to describe a set of common security configurations, often provided by a third party? A. Security policy B. Baseline C. DSS D. SP 800

B. A baseline is a set of security configurations that can be adopted and modified to fit an organization's security needs. A security policy is written to describe an organization's approach to security, while DSS is the second half of the Payment Card Industry Data Security Standard. The NIST SP-800 series of documents address computer security in a variety of areas.

What term is used to describe a starting point for a minimum security standard? A. Outline B. Baseline C. Policy D. Configuration guide

B. A baseline is used to ensure a minimum security standard. A policy is the foundation that a standard may point to for authority, and a configuration guide may be built from a baseline to help staff who need to implement it to accomplish their task. An outline is helpful, but outline isn't the term you're looking for here.

What method uses a strong magnetic field to erase media? A. Magwipe B. Degaussing C. Sanitization D. Purging

B. Degaussing uses strong magnetic fields to erase magnetic media. Magwipe is a madeup term. Sanitization is a combination of processes used to remove data from a system or media to ensure that it cannot be recovered. Purging is a form of clearing used on media that will be reused in a lower classification or lower security environment.

What problem with FTP and Telnet makes using SFTP and SSH better alternatives? A. FTP and Telnet aren't installed on many systems. B. FTP and Telnet do not encrypt data. C. FTP and Telnet have known bugs and are no longer maintained. D. FTP and Telnet are difficult to use, making SFTP and SSH the preferred solution.

B. FTP and Telnet do not provide encryption for the data they transmit and should not be used if they can be avoided. SFTP and SSH provide encryption to protect both the data they send and the credentials that are used to log in via both utilities.

Sue's employer has asked her to use an IPsec VPN to connect to its network. When Sue connects, what does the IPsec VPN allow her to do? A. Send decrypted data over a public network and act like she is on her employer's internal network . B. Create a private encrypted network carried via a public network and act like she is on her employer's internal network . C. Create a virtual private network using TLS while on her employer's internal network . D. Create a tunneled network that connects her employer's network to her internal home network .

B. One way to use an IPsec VPN is to create a private, encrypted network (or tunnel) via a public network, allowing users to be a virtual part of their employer's internal network. IPsec is distinct from TLS, provides encryption for confidentiality and integrity, and of course, in this scenario Sue is connecting to her employer's network rather than the employer connecting to hers.

Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she using to protect against it? A. Man-in-the-middle, VPN B. Packet injection, encryption C. Sniffing, encryption D. Sniffing, TEMPEST

C. Encryption is often used to protect traffic like bank transactions from sniffing. While packet injection and man-in-the-middle attacks are possible, they are far less likely to occur, and if a VPN were used, it would be used to provide encryption. TEMPEST is a specification for techniques used to prevent spying using electromagnetic emissions and wouldn't be used to stop attacks at any normal bank.

Which one of the following tasks would a custodian most likely perform? A. Access the data B. Classify the data C. Assign permissions to the data D. Back up data

D. A data custodian performs day to day tasks to protect the integrity security of data and this includes backing it up. Users access the data. Owners classify the data. Administrators assign permissions to the data.

Why might an organization use unique screen backgrounds or designs on workstations that deal with data of different classification levels? A. To indicate the software version in use B. To promote a corporate message C. To promote availability D. To indicate the classification level of the data or system

D. Visual indicators like a distinctive screen background can help employees remember what level of classification they are dealing with and thus the handling requirements that they are expected to follow.

What does labeling data allow a DLP system to do? A. The DLP system can detect labels and apply appropriate protections. B. The DLP system can adjust labels based on changes in the classification scheme. C. The DLP system can notify the firewall that traffic should be allowed through. D. The DLP system can delete unlabeled data.

A. Data loss prevention (DLP) systems can use labels on data to determine the appropriate controls to apply to the data. DLP systems won't modify labels in real time and typically don't work directly with firewalls to stop traffic. Deleting unlabeled data would cause big problems for organizations that haven't labeled every piece of data!

What is the primary information security risk to data at rest? A. Improper classification B. Data breach C. Decryption D. Loss of data integrity

B. The biggest threat to data at rest is typically a data breach. Data at rest with a high level of sensitivity is often encrypted to help prevent this. Decryption is not as significant of a threat if strong encryption is used and encryption keys are well secured. Data integrity issues could occur, but proper backups can help prevent this, and of course data could be improperly classified, but this is not the primary threat to the data.

Susan works for an American company that conducts business with customers in the European Union. What is she likely to have to do if she is responsible for handling PII from those customers? A. Encrypt the data at all times . B. Label and classify the data according to HIPAA . C. Conduct yearly assessments to the EU DPD baseline . D. Comply with the US-EU Safe Harbor requirements .

D. Safe Harbor compliance helps US companies meet the EU Data Protection Directive. Yearly assessments may be useful, but they aren't required. HIPAA is a US law that applies specifically to healthcare and related organizations, and encrypting all data all the time is impossible (at least if you want to use the data!).

Which one of the following would administrators use to connect to a remote server securely for administration? A. Telnet B. Secure File Transfer Protocol (SFTP) C. Secure Copy (SCP) D. Secure Shell (SSH)

D. SSH is a secure alternative to Telnet because it encrypts data transmitted over a network. In contrast, Telnet transmits data in cleartext. SFTP and SCP are good methods for transmitting sensitive data over a network, but not for administration purposes.

What term is used to describe overwriting media to allow for its reuse in an environment operating at the same sensitivity level? A. Clearing B. Erasing C. Purging D. Sanitization

A. Clearing describes preparing media for reuse. When media is cleared, unclassified data is written over all addressable locations on the media. Once that's completed, the media can be reused. Erasing is the deletion of files or media. Purging is a more intensive form of clearing for reuse in lower security areas, and sanitization is a series of processes that removes data from a system or media while ensuring that the data is unrecoverable by any means.

The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit. Confidential (HIPAA) Encrypt at rest and in transit. Full disk encryption required for all workstations. Files can only be sent in encrypted form, and passwords must be transferred under separate cover. Printed documents must be labeled with "HIPAA handling required." Private (PHI) Encrypt at rest and in transit. PHI must be stored on secure servers, and copies should not be kept on local workstations. Printed documents must be labeled with "Private." Sensitive (business confidential) Encryption is recommended but not required. Public Information can be sent unencrypted. What technology could Lauren's employer implement to help prevent confidential data from being emailed out of the organization? A. DLP B. IDS C. A firewall D. UDP

A. A data loss prevention (DLP) system or software is designed to identify labeled data or data that fits specific patterns and descriptions to help prevent it from leaving the organization. An IDS is designed to identify intrusions. Although some IDS systems can detect specific types of sensitive data using pattern matching, they have no ability to stop traffic. A firewall uses rules to control traffic routing, while UDP is a network protocol.

Which one of the following identifies the primary a purpose of information classification processes? A. Define the requirements for protecting sensitive data. B. Define the requirements for backing up data. C. Define the requirements for storing data. D. Define the requirements for transmitting data.

A. A primary purpose of information classification processes is to identify security classifications for sensitive data and define the requirements to protect sensitive data. Information classification processes will typically include requirements to protect sensitive data at rest (in backups and stored on media), but not requirements for backing up and storing any data. Similarly, information classification processes will typically include requirements to protect sensitive data in transit, but not any data.

COBIT, Control Objectives for Information and Related Technology, is a framework for IT management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls against business requirements? A. Business owners B. Data processors C. Data owners D. Data stewards

A. Business owners have to balance the need to provide value with regulatory, security, and other requirements. This makes the adoption of a common framework like COBIT attractive. Data owners are more likely to ask that those responsible for control selection identify a standard to use. Data processors are required to perform specific actions under regulations like the EU DPD. Finally, in many organizations, data stewards are internal roles that oversee how data is used.

Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process: 1. Criteria are set for classifying data. 2. Data owners are established for each type of data. 3. Data is classified. 4. Required controls are selected for each classification. 5. Baseline security standards are selected for the organization. 6. Controls are scoped and tailored. 7. Controls are applied and enforced. 8. Access is granted and managed. If Chris is one of the data owners for the organization, what steps in this process is he most likely responsible for? A. He is responsible for steps 3, 4, and 5. B. He is responsible for steps 1, 2, and 3. C. He is responsible for steps 5, 6, and 7. D. All of the steps are his direct responsibility.

A. Chris is most likely to be responsible for classifying the data that he owns as well as assisting with or advising the system owners on security requirements and control selection. In an organization with multiple data owners, Chris is unlikely to set criteria for classifying data on his own. As a data owner, Chris will also not typically have direct responsibility for scoping, tailoring, applying, or enforcing those controls.

Which of the following concerns should not be part of the decision when classifying data? A. The cost to classify the data B. The sensitivity of the data C. The amount of harm that exposure of the data could cause D. The value of the data to the organization

A. Classification should be conducted based on the value of the data to the organization, its sensitivity, and the amount of harm that could result from exposure of the data. Cost should be considered when implementing controls and is weighed against the damage that exposure would create.

An organization has a datacenter manned 24 hours a day that processes highly sensitive information. The datacenter includes email servers, and administrators purge email older than six months to comply with the organization's security policy. Access to the datacenter is controlled, and all systems that process sensitive information are marked. Administrators routinely back up data processed in the datacenter. They keep a copy of the backups on site and send an unmarked copy to one of the company warehouses. Warehouse workers organize the media by date, and they have backups from the last 20 years. Employees work at the warehouse during the day and lock it when they leave at night and over the weekends. Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later, copies of their data, including sensitive emails from years ago, began appearing on Internet sites, exposing the organization's internal sensitive data. Which of the following administrator actions might have prevented this incident? A. Mark the tapes before sending them to the warehouse. B. Purge the tapes before backing up data to them. C. Degauss the tapes before backing up data to them. D. Add the tapes to an asset management database.

A. If the tapes were marked before they left the datacenter, employees would recognize their value and it is more likely someone would challenge their storage in an unmanned warehouse. Purging or degaussing the tapes before using them will erase previously held data but won't help if sensitive information is backed up to the tapes after they are purged or degaussed. Adding the tapes to an asset management database will help track them but wouldn't prevent this incident.

Information maintained about an individual that can be used to distinguish or trace their identity is known as what type of information? A. Personally identifiable information (PII) B. Personal health information (PHI) C. Social Security number (SSN) D. Secure identity information (SII)

A. NIST Special Publication 800-122 defines PII as any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, biometric records, and other information that is linked or linkable to an individual such as medical, educational, financial, and employment information. PHI is health-related information about a specific person, Social Security numbers are issued to individuals in the United States, and SII is a madeup term.

When a computer is removed from service and disposed of, the process that ensures that all storage media has been removed or destroyed is known as what? A. Sanitization B. Purging C. Destruction D. Declassification

A. Sanitization is the combination of processes used to remove data from a system or media. When a PC is disposed of, sanitization includes the removal or destruction of drives, media, and any other storage devices it may have. Purging, destruction, and declassification are all other handling methods.

Fred is preparing to send backup tapes off site to a secure third-party storage facility. What steps should Fred take before sending the tapes to that facility? A. Ensure that the tapes are handled the same way the original media would be handled based on their classification. B. Increase the classification level of the tapes because they are leaving the possession of the company. C. Purge the tapes to ensure that classified data is not lost. D. Encrypt the tapes in case they are lost in transit.

A. Tapes are frequently exposed due to theft or loss in transit. That means that tapes that are leaving their normal storage facility should be handled according to the organization's classification schemes and handling requirements. Purging the tapes would cause the loss of data, while increasing the classification level of the tapes or encrypting them may create extra work that isn't required by the classification level of the tapes.

Within the context of the European Union (EU) Data Protection law, what is a data processor? A. The entity that processes personal data on behalf of the data controller B. The entity that controls processing of data C. The computing system that processes data D. The network that processes data

A. The EU Data Protection law defines a data processor as "a natural or legal person which processes personal data solely on behalf of the data controller." The data controller is the entity that controls processing of the data and directs the data processor. Within the context of the EU Data Protection law, the data processor is not a computing system or network.

Which of the following will be superceded in 2018 by the European Union's General Data Protection Regulation (GDPR) A. The EU Data Protection Directive B. NIST SP 800-12 C. The EU Personal Data Protection Regulation D. COBIT

A. The EU GDPR is slated to replace the EU DPD, with adoption starting in 2015 and 2016 and full enforcement occurring in 2017 and 2018. NIST standards and special publications apply to the United States, while COBIT is an IT management framework. There is no EU Personal Data Protection Regulation.

Which attack helped drive vendors to move away from SSL toward TLS-only by default? A. POODLE B. Stuxnet C. BEAST D. CRIME

A. The POODLE (or Padding Oracle On Downgraded Legacy Encryption) attack helped force the move from SSL 3.0 to TLS because it allowed attackers to easily access SSL encrypted messages. Stuxnet was a worm aimed at the Iranian nuclear program, while CRIME and BEAST were earlier attacks against SSL.

Which is the proper order from least to most sensitive for US government classifications? A. Confidential, Secret, Top Secret B. Confidential, Classified, Secret C. Top Secret, Secret, Classified, Public, Classified, Top Secret D. Public, Unclassified, Classified, Top Secret

A. The US government's classification levels from least to most sensitive are Confidential, Secret, and Top Secret.

Which one of the following data roles is most likely to assign permissions to grant users access to data? A. Administrator B. Custodian C. Owner D. User

A. The administrator assigns permissions based on the principles of least privilege and need to know. A custodian protects the integrity and security of the data. Owners have ultimate responsibility for the data and ensure that it is classified properly, and owners provide guidance to administrators on who can have access, but owners do not assign permissions. Users simply access the data.

Which of the following does not describe data in motion? A. Data on a backup tape that is being shipped to a storage facility B. Data in a TCP packet C. Data in an e-commerce transaction D. Data in files being copied between locations

A. The correct answer is the tape that is being shipped to a storage facility. You might think that the tape in shipment is "in motion," but the key concept is that the data is not being accessed and is instead in storage. Data in a TCP packet, in an e-commerce transaction, or in local RAM is in motion and is actively being used.

As shown in the following security life cycle diagram (loosely based on the NIST reference architecture), NIST uses a five-step process for risk management. Step 1 - Categorize Systems & Data Step 2 - Select Security Controls Step 3 - Implement Security Controls Step 4 - Access Security Controls Step 5 - Monitor Security What data role will own responsibility for step 1, the categorization of information systems, to whom will they delegate step 2, and what data role will be responsible for step 3? A. Data owners, system owners, custodians B. Data processors, custodians, users C. Business owners, administrators, custodians D. System owners, business owners, administrators

A. The data owner bears responsibility for categorizing information systems and delegates selection of controls to system owners, while custodians implement the controls. Users don't perform any of these actions, while business owners are tasked with ensuring that systems are fulfilling their business purpose.

The need to protect sensitive data drives what administrative process? A. Information classification B. Remanence C. Transmitting data D. Clearing

A. The need to protect sensitive data drives information classification. This allows organizations to focus on data that needs to be protected rather than spending effort on less important data. Remanence describes data left on media after an attempt is made to remove the data. Transmitting data isn't a driver for an administrative process to protect sensitive data, and clearing is a technical process for removing data from media.

What do the principles of notice, choice, onward transfer, and access closely apply to? A. Privacy B. Identification C. Retention D. Classification

A. These are the first four principles in the Safe Harbor principles and they apply to maintaining the privacy of data. They do not address identification or retention of data. They primarily refer to privacy data such as personally identifiable information (PII), and while that may be considered a classification, classification isn't the primary purpose of the seven Safe Harbor principles.

A US government database contains Secret, Confidential, and Top Secret data. How should it be classified? A. Top Secret B. Confidential C. Secret D. Mixed classification

A. When data is stored in a mixed classification environment, it is typically classified based on the highest classification of data included. In this case, the US government's highest classification is Top Secret. Mixed classification is not a valid classification in this scheme.

Which mapping correctly matches data classifications between nongovernment and government classification schemes? A. Top Secret - Confidential/Proprietary Secret - Private Confidential - Sensitive B. Secret - Business confidential Classifed - Proprietary Confidential - Business Internal C. Top Secret - Business sensitive Secret - Business internal Confidential - Business proprietary D. Secret - Proprietary Classified - Private Unclassified - Public

A. While many non-government organizations create their own classification schemes, a common model with levels that align with the U.S. government's classification labels is shown below. In the given options, B and D do not match the US government's Top Secret, Secret, Confidential scheme, and C incorrectly matches business proprietary data with confidential data as well as Top Secret data with business sensitive data. Business internal is often another term for business sensitive, meaning that it is used to match two classifications!

What tool is used to prevent employees who leave from sharing proprietary information with their new employers? A. Encryption B. NDA C. Classification D. Purging

B. A non-disclosure agreement, or NDA, is a legal agreement that prevents employees from sharing proprietary data with their new employers. Purging is used on media, while classification is used on data. Encryption can help secure data, but it doesn't stop employees who can decrypt or copy the data from sharing it.

Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations. What type of encryption should you use on the file servers for the proprietary data, and how might you secure the data when it is in motion? A. TLS at rest and AES in motion B. AES at rest and TLS in motion C. VPN at rest and TLS in motion D. DES at rest and AES in motion

B. AES is a strong modern symmetric encryption algorithm that is appropriate for encrypting data at rest. TLS is frequently used to secure data when it is in transit. A virtual private network is not necessarily an encrypted connection and would be used for data in motion, while DES is an outdated algorithm and should not be used for data that needs strong security.

Data stored in RAM is best characterized as what type of data? A. Data at rest B. Data in use C. Data in transit D. Data at large

B. Data in use is data that is in a temporary storage location while an application or process is using it. Thus, data in memory is best described as data in use or ephemeral data. Data at rest is in storage, while data in transit is traveling over a network or other channel. Data at large is a made-up term.

When determining the classification of data, which one of the following is the most important consideration? A. Processing system B. Value C. Storage media D. Accessibility

B. Data is classified based on its value to the organization. In some cases, it is classified based on the potential negative impact if unauthorized personnel can access it, which represents a negative value. It is not classified based on the processing system, but the processing system is classified based on the data it processes. Similarly, the storage media is classified based on the data classification, but the data is not classified based on where it is stored. Accessibility is affected by the classification, but the accessibility does not determine the classification. Personnel implement controls to limit accessibility of sensitive data.

What term describes data that remains after attempts have been made to remove the data? A. Residual bytes B. Data remanence C. Slack space D. Zero fill

B. Data remanence is a term used to describe data left after attempts to erase or remove data. Slack space describes unused space in a disk cluster, zero fill is a wiping methodology that replaces all data bits with zeroes, and residual bytes is a made-up term.

Fred's organization allows downgrading of systems for reuse after projects have been finished and the systems have been purged. What concern should Fred raise about the reuse of the systems from his Top Secret classified project for a future project classified as Secret? A. The Top Secret data may be commingled with the Secret data, resulting in a need to relabel the system. B. The cost of the sanitization process may exceed the cost of new equipment. C. The data may be exposed as part of the sanitization process. D. The organization's DLP system may flag the new system due to the difference in data labels.

B. Downgrading systems and media is rare due to the difficulty of ensuring that sanitization is complete. The need to completely wipe (or destroy) the media that systems use means that the cost of reuse is often significant and may exceed the cost of purchasing a new system or media. The goal of purging is to ensure that no data remains, so commingling data should not be a concern, nor should the exposure of the data; only staff with the proper clearance should handle the systems! Finally, a DLP system should flag data based on labels, not on the system it comes from.

Full disk encryption like Microsoft's BitLocker is used to protect data in what state? A. Data in transit B. Data at rest C. Unlabeled data D. Labeled data

B. Full disk encryption only protects data at rest. Since it encrypts the full disk, it does not distinguish between labeled and unlabeled data.

Chris is responsible for his organization's security standards and has guided the selection and implementation of a security baseline for Windows PCs in his organization. How can Chris most effectively make sure that the workstations he is responsible for are being checked for compliance and that settings are being applied as necessary? A. Assign users to spot-check baseline compliance. B. Use Microsoft Group Policy. C. Create startup scripts to apply policy at system start. D. Periodically review the baselines with the data owner and system owners.

B. Group Policy provides the ability to monitor and apply settings in a security baseline. Manual checks by users or using startup scripts provide fewer reviews and may be prone to failure, while periodic review of the baseline won't result in compliance being checked.

What process does this diagram show? A. Selecting a standard and implementing it B. Categorizing and selecting controls C. Baselining and selecting controls D. Categorizing and sanitizing 1. Identify Information Types 2. Select Provisional Tables 3. Review Provisional Impact Levels Adjust/Finalize Information Impact Levels 4. Assign System Security Category

B. In the NIST SP 800-60 diagram, the process determines appropriate categorization levels resulting in security categorization and then uses that as an input to determine controls. Standard selection would occur at an organizational level, while baselining occurs when systems are configured to meet a baseline. Sanitization would require the intentional removal of data from machines or media.

The government defense contractor that Saria works for has recently shut down a major research project and is planning on reusing the hundreds of thousands of dollars of systems and data storage tapes used for the project for other purposes. When Saria reviews the company's internal processes, she finds that she can't reuse the tapes and that the manual says they should be destroyed. Why isn't Saria allowed to degauss and then reuse the tapes to save her employer money? A. Data permanence may be an issue. B. Data remanence is a concern. C. The tapes may suffer from bitrot. D. Data from tapes can't be erased by degaussing.

B. Many organizations require the destruction of media that contains data at higher levels of classification. Often the cost of the media is lower than the potential costs of data exposure, and it is difficult to guarantee that reused media doesn't contain remnant data. Tapes can be erased by degaussing, but degaussing is not always fully effective. Bitrot describes the slow loss of data on aging media, while data permanence is a term sometimes used to describe the life span of data and media.

When media is labeled based on the classification of the data it contains, what rule is typically applied regarding labels? A. The data is labeled based on its integrity requirements. B. The media is labeled based on the highest classification level of the data it contains. C. The media is labeled with all levels of classification of the data it contains. D. The media is labeled with the lowest level of classification of the data it contains.

B. Media is typically labeled with the highest classification level of data it contains. This prevents the data from being handled or accessible at a lower classification level. Data integrity requirements may be part of a classification process but don't independently drive labeling in a classification scheme.

As shown in the following security life cycle diagram (loosely based on the NIST reference architecture), NIST uses a five-step process for risk management. Step 1 - Categorize Systems & Data Step 2 - Select Security Controls Step 3 - Implement Security Controls Step 4 - Access Security Controls Step 5 - Monitor Security If the systems that are being assessed all handle credit card information (and no other sensitive data), at what step would the PCI DSS first play an important role? A. Step 1 B. Step 2 C. Step 3 D. Step 4

B. PCI DSS provides a set of required security controls and standards. Step 2 would be guided by the requirements of PCI DSS. PCI DSS will not greatly influence step 1 because all of the systems handle credit card information, making PCI DSS apply to all systems covered. Steps 3 and 4 will be conducted after PCI DSS has guided the decisions in step 2.

The European Union (EU) Data Protection Directive's seven principles do not include which of the following key elements? A. The need to inform subjects when their data is being collected B. The need to set a limit on how long data is retained C. The need to keep the data secure D. The need to allow data subjects to be able to access and correct their data

B. The Data Protection Directive's principles do not address data retention time periods. The seven principles are notice, purpose, consent, security, disclosure, access, and accountability.

Which of the following is not a part of the European Union's Data Protection principles? A. Notice B. Reason C. Security D. Access

B. The European Data Protection Directive has seven primary tenets: ■ Notice ■ Choice ■ Onward transfer ■ Security ■ Data integrity ■ Access ■ Enforcement Reason is not included in this list.

Retaining and maintaining information for as long as it is needed is known as what? A. Data storage policy B. Data storage C. Asset maintenance D. Record retention

D. Record retention is the process of retaining and maintaining information for as long as it is needed. A data storage policy describes how and why data is stored, while data storage is the process of actually keeping the data. Asset maintenance is a non-informationsecurity- related process for maintaining physical assets.

An organization has a datacenter manned 24 hours a day that processes highly sensitive information. The datacenter includes email servers, and administrators purge email older than six months to comply with the organization's security policy. Access to the datacenter is controlled, and all systems that process sensitive information are marked. Administrators routinely back up data processed in the datacenter. They keep a copy of the backups on site and send an unmarked copy to one of the company warehouses. Warehouse workers organize the media by date, and they have backups from the last 20 years. Employees work at the warehouse during the day and lock it when they leave at night and over the weekends. Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later, copies of their data, including sensitive emails from years ago, began appearing on Internet sites, exposing the organization's internal sensitive data. Of the following choices, what policy was not followed regarding the backup media? A. Media destruction B. Record retention C. Configuration management D. Versioning

B. Personnel did not follow the record retention policy. The scenario states that administrators purge onsite email older than six months to comply with the organization's security policy, but offsite backups included backups for the last 20 years. Personnel should follow media destruction policies when the organization no longer needs the media, but some backups are needed. Configuration management ensures that systems are configured correctly using a baseline, but this does not apply to backup media. Versioning is applied to applications, not backup tapes.

What type of health information is the Health Insurance Portability and Accountability Act required to protect? A. PII B. PHI C. SHI D. HPHI

B. Protected health information, or PHI, includes a variety of data in multiple formats, including oral and recorded data, such as that created or received by healthcare providers, employers, and life insurance providers. PHI must be protected by HIPAA. PII is personally identifiable information. SHI and HPHI are both made-up acronyms.

Susan works in an organization that labels all removable media with the classification level of the data it contains, including public data. Why would Susan's employer label all media instead of labeling only the media that contains data that could cause harm if it was exposed? A. It is cheaper to order all prelabeled media. B. It prevents sensitive media from not being marked by mistake. C. It prevents reuse of public media for sensitive data. D. Labeling all media is required by HIPAA.

B. Requiring all media to have a label means that when unlabeled media is found, it should immediately be considered suspicious. This helps to prevent mistakes that might leave sensitive data un-labeled. Prelabeled media is not necessarily cheaper (nor may it make sense to buy!), while reusing public media simply means that it must be classified based on the data it now contains. HIPAA does not have specific media labeling requirements.

The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Adjusting the CIS benchmarks to your organization's mission and your specific IT systems would involve what two processes? A. Scoping and selection B. Scoping and tailoring C. Baselining and tailoring D. Tailoring and selection

B. Scoping involves selecting only the controls that are appropriate for your IT systems, while tailoring matches your organization's mission and the controls from a selected baseline. Baselining is the process of configuring a system or software to match a baseline, or building a baseline itself. Selection isn't a technical term used for any of these processes.

(A) User workstation <-> (C) Internet (A) User workstation <-> (E) Server (E) Server <-> (C) Internet What is the best way to secure files that are sent from workstation A via the Internet service (C) to remote server E? A. Use AES at rest at point A, and TLS in transit via B and D. B. Encrypt the data files and send them. C. Use 3DES and TLS to provide double security. D. Use full disk encryption at A and E, and use SSL at B and D.

B. Sending a file that is encrypted before it leaves means that exposure of the file in transit will not result in a confidentiality breach and the file will remain secure until decrypted at location E. Since answers A, C, and D do not provide any information about what happens at point C, they should be considered insecure, as the file may be at rest at point C in an unencrypted form.

Susan's organization performs a zero fill on hard drives before they are sent to a thirdparty organization to be shredded. What issue is her organization attempting to avoid? A. Data remanence while at the third-party site B. Mishandling of drives by the third party C. Classification mistakes D. Data permanence

B. Susan's organization is limiting its risk by sending drives that have been sanitized before they are destroyed. This limits the possibility of a data breach if drives are mishandled by the third party, allowing them to be stolen, resold, or simply copied. The destruction of the drives will handle any issues with data remanence, while classification mistakes are not important if the drives have been destroyed. Data permanence and the life span of the data are not important on a destroyed drive.

What type of encryption is typically used for data at rest? A. Asymmetric encryption B. Symmetric encryption C. DES D. OTP

B. Symmetric encryption like AES is typically used for data at rest. Asymmetric encryption is often used during transactions or communications when the ability to have public and private keys is necessary. DES is an outdated encryption standard, and OTP is the acronym for one-time password .

Which California law requires conspicuously posted privacy policies on commercial websites that collect the personal information of California residents? A. The Personal Information Protection and Electronic Documents Act B. The California Online Privacy Protection Act C. California Online Web Privacy Act D. California Civil Code 1798.82

B. The California Online Privacy Protection Act (COPPA) requires that operators of commercial websites and services post a prominently displayed privacy policy if they collect personal information on California residents. The Personal Information Protection and Electronic Documents Act is a Canadian privacy law, while California Civil Code 1798.82 is part of the set of California codes that requires breach notification. The California Online Web Privacy Act does not exist.

What encryption algorithm would provide strong protection for data stored on a USB thumb drive? A. TLS B. SHA1 C. AES D. DES

C. AES is a strong symmetric cipher that is appropriate for use with data at rest. SHA1 is a cryptographic hash, while TLS is appropriate for data in motion. DES is an outdated and insecure symmetric encryption method.

The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. How should you determine what controls from the baseline a given system or software package should receive? A. Consult the custodians of the data. B. Select based on the data classification of the data it stores or handles. C. Apply the same controls to all systems. D. Consult the business owner of the process the system or data supports.

B. The controls implemented from a security baseline should match the data classification of the data used or stored on the system. Custodians are trusted to ensure the day-to-day security of the data and should do so by ensuring that the baseline is met and maintained. Business owners often have a conflict of interest between functionality and data security, and of course, applying the same controls everywhere is expensive and may not meet business needs or be a responsible use of resources.

Which of the following tasks are not performed by a system owner per NIST SP 800-18? A. Develops a system security plan B. Establishes rules for appropriate use and protection of data C. Identifies and implements security controls D. Ensures that system users receive appropriate security training

B. The data owner sets the rules for use and protection of data. The remaining options all describe tasks for the system owner, including implementation of security controls.

Lauren's multinational company wants to ensure compliance with the EU Data Protection Directive. If she allows data to be used against the requirements of the notice principle and against what users selected in the choice principle, what principle has her organization violated? A. Onward transfer B. Data integrity C. Enforcement D. Access

B. The principle of data integrity states that data should be reliable and that information should not be used for purposes other than those that users are made aware of by notice and that they have accepted through choice. Enforcement is aimed at ensuring that compliance with principles is assured. Access allows individuals to correct, change, or delete their information, while onward transfer limits transfers to other organizations that comply with the principles of notice and choice.

Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process: 1. Criteria are set for classifying data. 2. Data owners are established for each type of data. 3. Data is classified. 4. Required controls are selected for each classification. 5. Baseline security standards are selected for the organization. 6. Controls are scoped and tailored. 7. Controls are applied and enforced. 8. Access is granted and managed. Chris manages a team of system administrators. What data role are they fulfilling if they conduct steps 6, 7, and 8 of the classification process? A. They are system owners and administrators. B. They are administrators and custodians. C. They are data owners and administrators. D. They are custodians and users.

B. The system administrators are acting in the roles of data administrators who grant access and will also act as custodians who are tasked with the day-to-day application of security controls. They are not acting as data owners who own the data itself. Typically, system administrators are delegated authority by system owners, such as a department head, and of course they are tasked with providing access to users.

Why is it cost effective to purchase high-quality media to contain sensitive data? A. Expensive media is less likely to fail. B. The value of the data often far exceeds the cost of the media. C. Expensive media is easier to encrypt. D. More expensive media typically improves data integrity.

B. The value of the data contained on media often exceeds the cost of the media, making more expensive media that may have a longer life span or additional capabilities like encryption support a good choice. While expensive media may be less likely to fail, the reason it makes sense is the value of the data, not just that it is less likely to fail. In general, the cost of the media doesn't have anything to do with the ease of encryption, and data integrity isn't ensured by better media.

Ben's company, which is based in the EU, hires a third-party organization that processes data for it. Who has responsibility to protect the privacy of the data and ensure that it isn't used for anything other than its intended purpose? A. Ben's company is responsible. B. The third-party data processor is responsible. C. The data controller is responsible. D. Both organizations bear equal responsibility.

B. Under the EU's DPD, data processors like the third-party company in this question bear responsibility for ensuring that the data is not used for anything other than the purpose for which it is intended. Ben's company is the data controller, while the third party is the data processor, leaving the third party with that role.

(A) User workstation <-> (C) Internet (A) User workstation <-> (E) Server (E) Server <-> (C) Internet Which letters should be associated with data at rest? A. A, B, and C B. C and E C. A and E D. B, D, and F

C. A and E can both be expected to have data at rest. C, the Internet, is an unknown, and the data can't be guaranteed to be at rest. B, D, and F are all data in transit across network links.

Embedded data used to help identify the owner of a file is an example of what type of label? A. Copyright notice B. DLP C. Digital watermark D. Steganography

C. A digital watermark is used to identify the owner of a file or to otherwise label it. A copyright notice provides information about the copyright asserted on the file, while data loss prevention (DLP) is a solution designed to prevent data loss. Steganography is the science of hiding information, often in images or files.

Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations. What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it? A. Classification B. Symmetric encryption C. Watermarks D. Metadata

C. A watermark is used to digitally label data and can be used to indicate ownership. Encryption would have prevented the data from being accessed if it was lost, while classification is part of the set of security practices that can help make sure the right controls are in place. Finally, metadata is used to label data and might help a data loss prevention system flag it before it leaves your organization.

Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process: 1. Criteria are set for classifying data. 2. Data owners are established for each type of data. 3. Data is classified. 4. Required controls are selected for each classification. 5. Baseline security standards are selected for the organization. 6. Controls are scoped and tailored. 7. Controls are applied and enforced. 8. Access is granted and managed. If Chris's company operates in the European Union and has been contracted to handle the data for a third party, what role is his company operating in when it uses this process to classify and handle data? A. Business owners B. Mission owners C. Data processors D. Data administrators

C. According to the European Union's Data Protection Directive, third-party organizations that process personal data on behalf of a data controller are known as data processors. The organization that they are contracting with would act in the role of the business or mission owners, and others within Chris's organization would have the role of data administrators, granting access as needed to the data based on their operational procedures and data classification.

(A) User workstation <-> (C) Internet (A) User workstation <-> (E) Server (E) Server <-> (C) Internet What would be the best way to secure data at points B, D, and F? A. AES256 B. SSL C. TLS D. 3DES

C. B, D, and F all show network links. Of the answers provided, Transport Layer Security (TLS) provides the best security for data in motion. AES256 and 3DES are both symmetric ciphers and are more likely to be used for data at rest. SSL has been replaced with TLS and should not be a preferred solution.

What encryption algorithm is used by both BitLocker and Microsoft's Encrypting File System? A. Blowfish B. Serpent C. AES D. 3DES

C. By default, BitLocker and Microsoft's Encrypting File System (EFS) both use AES (Advanced Encryption Standard), which is the NIST-approved replacement for DES (Data Encryption Standard). Serpent was a competitor of AES, and 3DES was created as a possible replacement for DES.

As shown in the following security life cycle diagram (loosely based on the NIST reference architecture), NIST uses a five-step process for risk management. Step 1 - Categorize Systems & Data Step 2 - Select Security Controls Step 3 - Implement Security Controls Step 4 - Access Security Controls Step 5 - Monitor Security What data security role is primarily responsible for step 5? A. Data owners B. Data processors C. Custodians D. Users

C. Custodians are tasked with the day-to-day monitoring of the integrity and security of data. Step 5 requires monitoring, which is a custodial task. A data owner may grant rights to custodians but will not be responsible for conducting monitoring. Data processors process data on behalf of the data controller, and a user simply uses the data via a computing system.

What scenario describes data at rest? A. Data in an IPsec tunnel B. Data in an e-commerce transaction C. Data stored on a hard drive D. Data stored in RAM

C. Data at rest is inactive data that is physically stored. Data in an IPsec tunnel or part of an e-commerce transaction is data in motion. Data in RAM is ephemeral and is not inactive

What is the best method to sanitize a solid-state drive SSD)? A. Clearing B. Zero fill C. Disintegration D. Degaussing

C. Due to problems with remnant data, the US National Security Agency requires physical destruction of SSDs. This process, known as disintegration, results in very small fragments via a shredding process. Zero fill wipes a drive by replacing data with zeros, degaussing uses magnets to wipe magnetic media, and clearing is the process of preparing media for reuse.

Susan needs to provide a set of minimum security requirements for email. What steps should she recommend for her organization to ensure that the email remains secure? A. All email should be encrypted. B. All email should be encrypted and labeled. C. Sensitive email should be encrypted and labeled. D. Only highly sensitive email should be encrypted.

C. Encrypting and labeling sensitive email will ensure that it remains confidential and can be identified. Performing these actions only on sensitive email will reduce the cost and effort of encrypting all email, allowing only sensitive email to be the focus of the organization's efforts. Only encrypting highly sensitive email not only skips labeling but might expose other classifications of email that shouldn't be exposed.

Why is declassification rarely chosen as an option for media reuse? A. Purging is sufficient for sensitive data. B. Sanitization is the preferred method of data removal. C. It is more expensive than new media and may still fail. D. Clearing is required first.

C. Ensuring that data cannot be recovered is difficult, and the time and effort required to securely and completely wipe media as part of declassification can exceed the cost of new media. Sanitization, purging, and clearing may be part of declassification, but they are not reasons that it is not frequently chosen as an option for organizations with data security concerns.

Which of the following is the least effective method of removing data from media? A. Degaussing B. Purging C. Erasing D. Clearing

C. Erasing, which describes a typical deletion process in many operating systems, typically removes only the link to the file, and leaves the data that makes up the file itself. The data will remain in place but not indexed until the space is needed and it is overwritten. Degaussing works only on magnetic media, but it can be quite effective on it. Purging and clearing both describe more elaborate removal processes.

Charles has been asked to downgrade the media used for storage of private data for his organization. What process should Charles follow? A. Degauss the drives, and then relabel them with a lower classification level. B. Pulverize the drives, and then reclassify them based on the data they contain. C. Follow the organization's purging process, and then downgrade and replace labels. D. Relabel the media, and then follow the organization's purging process to ensure that the media matches the label.

C. If an organization allows media to be downgraded, the purging process should be followed, and then the media should be relabeled. Degaussing may be used for magnetic media but won't handle all types of media. Pulverizing would destroy the media, preventing reuse, while relabeling first could lead to mistakes that result in media that hasn't been purged entering use.

Which data role is tasked with granting appropriate access to staff members? A. Data processors B. Business owners C. Custodians D. Administrators

D. Administrators have the rights to assign permissions to access and handle data. Custodians are trusted to handle day-to-day data handling tasks. Business owners are typically system or project owners, and data processors are systems used to process data.

Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations. What civilian data classifications best fit this data? A. Unclassified, confidential, top secret B. Public, sensitive, private C. Public, sensitive, proprietary D. Public, confidential, private

C. Information shared with customers is public, internal business could be sensitive or private, and trade secrets are proprietary. Thus public, sensitive, proprietary matches this most closely. Confidential is a military classification, which removes two of the remaining options, and trade secrets are more damaging to lose than a private classification would allow.

Which one of the following is based on Blowfish and helps protect against rainbow table attacks? A. 3DES B. AES C. Bcrypt D. SCP

C. Linux systems use bcrypt to encrypt passwords, and bcrypt is based on Blowfish. Bcrypt adds 128 additional bits as a salt to protect against rainbow table attacks. Advanced Encryption Standard (AES) and Triple DES (or 3DES) are separate symmetric encryption protocols, and neither one is based on Blowfish, or directly related to protecting against rainbow table attacks. Secure Copy (SCP) uses Secure Shell (SSH) to encrypt data transmitted over a network.

Alex works for a government agency that is required to meet US federal government requirements for data security. To meet these requirements, Alex has been tasked with making sure data is identifiable by its classification level. What should Alex do to the data? A. Classify the data. B. Encrypt the data. C. Label the data. D. Apply DRM to the data.

C. One of the most important parts of labeling the data is ensuring that it receives a mark or label that provides the classification of the data. Digital rights management (DRM) tools provide ways to control how data is used, while encrypting it can help maintain the confidentiality and integrity of the data. Classifying the data is necessary to label it, but it doesn't automatically place a label on the data.

If you are selecting a security standard for a Windows 10 system that processes credit cards, what security standard is your best choice? A. Microsoft's Windows 10 security baseline B. The CIS Windows 10 baseline C. PCI DSS D. The NSA Windows 10 baseline

C. PCI DSS, the Payment Card Industry Data Security Standard, provides the set of requirements for credit card processing systems. The Microsoft, NSA, and CIS baseline are all useful for building a Windows 10 security standard, but they aren't as good of an answer as the PCI DSS standard itself.

Ed has been asked to send data that his organization classifies as confidential and proprietary via email. What encryption technology would be appropriate to ensure that the contents of the files attached to the email remain confidential as they traverse the Internet? A. SSL B. TLS C. PGP D. VPN

C. PGP, or Pretty Good Privacy (or its open-source alternative, GPG) provide strong encryption of files, which can then be sent via email. Email traverses multiple servers and will be unencrypted at rest at multiple points along its path as it is stored and forwarded to its destination.

Which of the following is the most secure method of deleting data on a DVD? A. Formatting B. Deleting C. Destruction D. Degaussing

C. Physical destruction is the most secure method of deleting data on optical media such as a DVD. Formatting and deleting processes rarely remove the data from any media. DVDs do not have magnetic flux so degaussing a DVD doesn't destroy data.

Which would an administrator do to classified media before reusing it in a less secure environment? A. Erasing B. Clearing C. Purging D. Overwriting

C. Purging media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. Purged media can then be reused in less secure environments. Erasing the media performs a delete, but the data remains and can easily be restored. Clearing, or overwriting, writes unclassified data over existing data, but some sophisticated forensics techniques may be able to recover the original data, so this method should not be used to reduce the classification of media.

What type of policy describes how long data is retained and maintained before destruction? A. Classification B. Audit C. Record retention D. Availability

C. Record retention policies describe how long an organization should retain data and may also specify how and when destruction should occur. Classification policies describe how and why classification should occur and who is responsible, while availability and audit policies may be created for specific purposes.

Which of the following statements correctly identifies a problem with sanitization methods? A. Methods are not available to remove data ensuring that unauthorized personnel cannot retrieve data. B. Even fully incinerated media can offer extractable data. C. Personnel can perform sanitization steps improperly. D. Stored data is physically etched into the media.

C. Sanitization can be unreliable because personnel can perform the purging, degaussing, or other processes improperly. When done properly, purged data is not recoverable using any known methods. Data cannot be retrieved from incinerated, or burned, media. Data is not physically etched into the media.

Chris is responsible for workstations throughout his company and knows that some of the company's workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for? A. Erasing B. Clearing C. Sanitization D. Destruction

C. Sanitization is a combination of processes that ensure that data from a system cannot be recovered by any means. Erasing and clearing are both prone to mistakes and technical problems that can result in remnant data and don't make sense for systems that handled proprietary information. Destruction is the most complete method of ensuring that data cannot be exposed, and some organizations opt to destroy the entire workstation, but that is not a typical solution due to the cost involved.

Which of the following choices is the most reliable method of destroying data on a solid state drive? A. Erasing B. Degaussing C. Deleting D. Purging

D. Purging is the most reliable method of the given choices. Purging overwrites the media with random bits multiple times and includes additional steps to ensure data is removed. While not an available answer choice, destruction of the drive is a more reliable method. Erasing or deleting processes rarely remove the data from media, but instead mark it for deletion. Solid state drives (SSDs) do not have magnetic flux so degaussing an SSD doesn't destroy data.

Ben has been tasked with identifying security controls for systems covered by his organization's information classification system. Why might Ben choose to use a security baseline? A. It applies in all circumstances, allowing consistent security controls. B. They are approved by industry standards bodies, preventing liability. C. They provide a good starting point that can be tailored to organizational needs. D. They ensure that systems are always in a secure state.

C. Security baselines provide a starting point to scope and tailor security controls to your organization's needs. They aren't always appropriate to specific organizational needs, they cannot ensure that systems are always in a secure state, nor do they prevent liability.

What data role does a system that is used to process data have? A. Mission owner B. Data owner C. Data processor D. Custodian

C. Systems used to process data are data processors. Data owners are typically CEOs or other very senior staff, custodians are granted rights to perform day-to-day tasks when handling data, and mission owners are typically program or information system owners.

The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit. Confidential (HIPAA) Encrypt at rest and in transit. Full disk encryption required for all workstations. Files can only be sent in encrypted form, and passwords must be transferred under separate cover. Printed documents must be labeled with "HIPAA handling required." Private (PHI) Encrypt at rest and in transit. PHI must be stored on secure servers, and copies should not be kept on local workstations. Printed documents must be labeled with "Private." Sensitive (business confidential) Encryption is recommended but not required. Public Information can be sent unencrypted. What type of encryption would be appropriate for HIPAA documents in transit? A. AES256 B. DES C. TLS D. SSL

C. TLS is a modern encryption method used to encrypt and protect data in transit. AES256 is a symmetric cipher often used to protect data at rest. DES and SSL are both outdated encryption methods and should not be used for data that requires high levels of security.

Which of the following classification levels is the US government's classification label for data that could cause damage but wouldn't cause serious or grave damage? A. Top Secret B. Secret C. Confidential D. Classified

C. The US government uses the label Confidential for data that could cause damage if it was disclosed without authorization. Exposure of Top Secret data is considered to potentially cause grave damage, while Secret data could cause serious damage. Classified is not a level in the US government classification scheme.

Which of the following activities is not a consideration during data classification? A. Who can access the data B. What the impact would be if the data was lost or breached C. How much the data cost to create D. What protection regulations may be required for the data

C. The cost of the data is not directly included in the classification process. Instead, the impact to the organization if the data were exposed or breached is considered. Who can access the data and what regulatory or compliance requirements cover the data are also important considerations.

Which data role is described as the person who has ultimate organizational responsibility for data? A. System owners B. Business owners C. Data owners D. Mission owners

C. The data owner has ultimate responsibility for data belonging to an organization and is typically the CEO, president, or another senior employee. Business and mission owners typically own processes or programs. System owners own a system that processes sensitive data.

Which of the following best defines "rules of behavior" established by a data owner? A. Ensuring users are granted access to only what they need B. Determining who has access to a system C. Identifying appropriate use and protection of data D. Applying security controls to a system

C. The rules of behavior identify the rules for appropriate use and protection of data. Least privilege ensures users are granted access to only what they need. A data owner determines who has access to a system, but that is not rules of behavior. Rules of behavior apply to users, not systems or security controls.

What issue is the validation portion of the NIST SP 800-88 sample certificate of sanitization intended to help prevent? A. Destruction B. Reuse C. Data remanence D. Attribution

C. Validation processes are conducted to ensure that the sanitization process was completed, avoiding data remanence. A form like this one helps to ensure that each device has been checked and that it was properly wiped, purged, or sanitized. This can allow reuse, does not prevent destruction, and does not help with attribution, which is a concept used with encryption to prove who created or sent a file.

The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit. Confidential (HIPAA) Encrypt at rest and in transit. Full disk encryption required for all workstations. Files can only be sent in encrypted form, and passwords must be transferred under separate cover. Printed documents must be labeled with "HIPAA handling required." Private (PHI) Encrypt at rest and in transit. PHI must be stored on secure servers, and copies should not be kept on local workstations. Printed documents must be labeled with "Private." Sensitive (business confidential) Encryption is recommended but not required. Public Information can be sent unencrypted. Lauren's employer asks Lauren to classify patient X-ray data that has an internal patient identifier associated with it but does not have any way to directly identify a patient. The company's data owner believes that exposure of the data could cause damage (but not exceptional damage) to the organization. How should Lauren classify the data? A. Public B. Sensitive C. Private D. Confidential

C. We know that the data classification will not be the top level classification, "Confidential" because the loss of the data would not cause severe damage. This means we have to choose between private (PHI) and sensitive (confidential). Calling this private due to the patient's personal health information fits the classification scheme, giving us the correct answer.

An organization has a datacenter manned 24 hours a day that processes highly sensitive information. The datacenter includes email servers, and administrators purge email older than six months to comply with the organization's security policy. Access to the datacenter is controlled, and all systems that process sensitive information are marked. Administrators routinely back up data processed in the datacenter. They keep a copy of the backups on site and send an unmarked copy to one of the company warehouses. Warehouse workers organize the media by date, and they have backups from the last 20 years. Employees work at the warehouse during the day and lock it when they leave at night and over the weekends. Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later, copies of their data, including sensitive emails from years ago, began appearing on Internet sites, exposing the organization's internal sensitive data. Of the following choices, what would have prevented this loss without sacrificing security? A. Mark the media kept offsite. B. Don't store data offsite. C. Destroy the backups offsite. D. Use a secure offsite storage facility.

D. Backup media should be protected with the same level of protection afforded the data it contains, and using a secure offsite storage facility would ensure this. The media should be marked, but that won't protect it if it is stored in an unmanned warehouse. A copy of backups should be stored offsite to ensure availability if a catastrophe affects the primary location. If copies of data are not stored offsite, or offsite backups are destroyed, security is sacrificed by risking availability.

Linux systems that use bcrypt are using a tool based on what DES alternative encryption scheme? A. 3DES B. AES C. Diffie-Hellman D. Blowfish

D. Bcrypt is based on Blowfish (the b is a key hint here). AES and 3DES are both replacements for DES, while Diffie-Hellman is a protocol for key exchange.

What is the primary purpose of data classification? A. It quantifies the cost of a data breach. B. It prioritizes IT expenditures. C. It allows compliance with breach notification laws. D. It identifies the value of the data to the organization.

D. Classification identifies the value of data to an organization. This can often help drive IT expenditure prioritization and could help with rough cost estimates if a breach occurred, but that's not the primary purpose. Finally, most breach laws call out specific data types for notification rather than requiring organizations to classify data themselves.

What is the most important aspect of marking media? A. Date labeling B. Content description C. Electronic labeling D. Classification

D. Classification is the most important aspect of marking media because it clearly identifies the value of the media and users know how to protect it based on the classification. Including information such as the date and a description of the content isn't as important as marking the classification. Electronic labels or marks can be used, but when they are used, the most important information is still the classification of the data.

Staff in an IT department who are delegated responsibility for day-to-day tasks hold what data role? A. Business owner B. User C. Data processor D. Custodian

D. Custodians are delegated the role of handling day-to-day tasks by managing and overseeing how data is handled, stored, and protected. Data processors are systems used to process data. Business owners are typically project or system owners who are tasked with making sure systems provide value to their users or customers.

What methods are often used to protect data in transit? A. Telnet, ISDN, UDP B. Encrypted storage media C. AES, Serpent, IDEA D. TLS, VPN, IPsec

D. Data in transit is data that is traversing a network or is otherwise in motion. TLS, VPNs, and IPsec tunnels are all techniques used to protect data in transit. AES, Serpent, and IDEA are all symmetric algorithms, while Telnet, ISDN, and UDP are all protocols. Encrypting your storage media before it is transported is a good practice, but transporting media isn't the type of transit that is meant by the phrase.

Which of the following answers would not be included as sensitive data? A. Personally identifiable information (PII) B. Protected health information (PHI) C. Proprietary data D. Data posted on a website

D. Data posted on a website is not sensitive, but PII, PHI, and proprietary data are all sensitive data.

Which of the following does not erase data? A. Clearing B. Purging C. Overwriting D. Remanence

D. Data remanence refers to data remnants that remain on a hard drive as residual magnetic flux. Clearing, purging, and overwriting are valid methods of erasing data.

Incineration, crushing, shredding, and disintegration all describe what stage in the life cycle of media? A. Sanitization B. Degaussing C. Purging D. Destruction

D. Destruction is the final stage in the life cycle of media and can be done via disintegration, incineration, or a variety of other methods that result in the media and data being nonrecoverable. Sanitization is a combination of processes used when data is being removed from a system or media. Purging is an intense form of clearing, and degaussing uses strong magnetic fields to wipe data from magnetic media.

Joe works at a major pharmaceutical research and development company and has been tasked with writing his organization's data retention policy. As part of its legal requirements, the organization must comply with the US Food and Drug Administration's Code of Federal Regulations Title 21. To do so, it is required to retain records with electronic signatures. Why would a signature be part of a retention requirement? A. It ensures that someone has reviewed the data. B. It provides confidentiality. C. It ensures that the data has not been changed. D. It validates who approved the data.

D. Electronic signatures, as used in this rule, prove that the signature was provided by the intended signer. Electronic signatures as part of the FDA code are intended to ensure that electronic records are "trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper." Signatures cannot provide confidentiality, or integrity, and don't ensure that someone has reviewed the data.

What primary issue does personnel retention deal with? A. Employees quitting B. Employees not moving on to new positions C. Knowledge gained after employment D. Knowledge gained during employment

D. Personnel retention deals with the knowledge that employees gain while employed. Issues related to the knowledge they may leave with and share are often handled with nondisclosure agreements. Knowledge gained after employment, as well as how soon (or how late) employees leave the organization, is not central to this issue.

Safe Harbor is part of a US program to meet what European Union law? A. The EU CyberSafe Act B. The Network and Information Security (NIS) directives C. The General Data Protection Regulation (GDPR) D. The EU Data Protection Directive

D. Safe Harbor is a framework intended to bridge the different privacy protection laws between the United States and the European Union and is run by the US Department of Commerce. At the time of this writing, Safe Harbor had been declared "invalid" by the European Court of Justice, although the US Department of Commerce has stated that it will continue the Safe Harbor program. Both the GDPR and NIS are pending EU regulations, and there is no EU CyberSafe Act.

An organization is implementing a preselected baseline of security controls, but finds not all of the controls apply. What should they do? A. Implement all of the controls anyway. B. Identify another baseline. C. Re-create a baseline. D. Tailor the baseline to their needs.

D. Scoping and tailoring processes allow an organization to tailor security baselines to its needs. There is no need to implement security controls that do not apply, and it is not necessary to identify or re‐create a different baseline.

What term describes the process of reviewing baseline security controls and selecting only the controls that are appropriate for the IT system you are trying to protect? A. Standard creation B. CIS benchmarking C. Baselining D. Scoping

D. Scoping is performed when you match baseline controls to the IT system you're working to secure. Creation of standards is part of the configuration process and may involve the use of baselines. Baselining can mean the process of creating a security baseline or configuring systems to meet the baseline. CIS, the Center for Internet Security, provides a variety of security baselines.

What protocol is preferred over Telnet for remote server administration via the command line? A. SCP B. SFTP C. WDS D. SSH

D. Secure Shell (SSH) is an encrypted protocol for remote login and command-line access. SCP and SFTP are both secure file transfer protocols, while WDS is the acronym for Windows Deployment Services, which provides remote installation capabilities for Windows operating systems.

What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs? A. They can be used to hide data. B. They can only be degaussed. C. They are not addressable, resulting in data remanence. D. They may not be cleared, resulting in data remanence.

D. Spare sectors, bad sectors, and space provided for wear leveling on SSDs (overprovisioned space) may all contain data that was written to the space that will not be cleared when the drive is wiped. Most wiping utilities only deal with currently addressable space on the drive. SSDs cannot be degaussed, and wear leveling space cannot be reliably used to hide data. These spaces are still addressable by the drive, although they may not be seen by the operating system.

The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. The CIS benchmarks are an example of what practice? A. Conducting a risk assessment B. Implementing data labeling C. Proper system ownership D. Using security baselines

D. The CIS benchmarks are an example of a security baseline. A risk assessment would help identify which controls were needed, and proper system ownership is an important part of making sure baselines are implemented and maintained. Data labeling can help ensure that controls are applied to the right systems and data.

Ben is following the NIST Special Publication 800-88 guidelines for sanitization and disposition as shown in the following diagram. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow? A. Destroy, validate, document B. Clear, purge, document C. Purge, document, validate D. Purge, validate, document

D. The NIST SP 800-88 process for sanitization and disposition shows that media that will be reused and was classified at a moderate level should be purged and then that purge should be validated. Finally, it should be documented.

What US government agency oversees compliance with the Safe Harbor framework for organizations wishing to use the personal data of EU citizens? A. The FAA B. The FDA C. The DoD D. The Department of Commerce

D. The U.S. Department of Commerce oversees Safe Harbor. Only U.S. organizations subject to the jurisdiction of the Federal Trade Commission (FTC) or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation (DOT) are permitted to participate in Safe Harbor.

Major Hunter, a member of the US armed forces, has been entrusted with information that, if exposed, could cause serious damage to national security. Under US government classification standards, how should this data be classified? A. Unclassified B. Top Secret C. Confidential D. Secret

D. The US government specifies Secret as the classification level for information that, if disclosed, could cause serious harm to national security. Top Secret is reserved for information that could cause exceptionally grave harm, while confidential data could be expected to cause less harm. Unclassified is not an actual classification but only indicates that the data may be released to unclassified individuals. Organizations may still restrict access to unclassified information.

What security measure can provide an additional security control in the event that backup tapes are stolen or lost? A. Keep multiple copies of the tapes. B. Replace tape media with hard drives. C. Use appropriate security labels. D. Use AES256 encryption.

D. Using strong encryption, like AES256, can help ensure that loss of removable media like tapes doesn't result in a data breach. Security labels may help with handling processes, but they won't help once the media is stolen or lost. Having multiple copies will ensure that you can still access the data but won't increase the security of the media. Finally, using hard drives instead of tape only changes the media type and not the risk from theft or loss.

A new law is passed that would result in significant financial harm to your company if the data that it covers was stolen or inadvertently released. What should your organization do about this? A. Select a new security baseline. B. Relabel the data. C. Encrypt all of the data at rest and in transit. D. Review its data classifications and classify the data appropriately.

D. When the value of data changes due to legal, compliance, or business reasons, reviewing classifications and reclassifying the data is an appropriate response. Once the review is complete, data can be reclassified and handled according to its classification level. Simply relabeling the data avoids the classification process and may not result in the data being handled appropriately. Similarly, selecting a new baseline or simply encrypting the data may not handle all of the needs that the changes affecting the data create.


Related study sets

Human Anatomy & Physiology Test 1

View Set

A History of Global Climate Change Lab, Practice, + Quiz

View Set

Growth and Development Adaptive Quizzing

View Set

Prep U for Brunner and Suddarth's Textbook of Medical Surgical Nursing, 13th Edition Chapter 42: Management of Patients With Musculoskeletal Disorders

View Set

French depuis quand vs. depuis combien de temps

View Set