CISSP PRACTICE TESTS Chapter 2: Asset Security (Domain 2)


5. The need to protect sensitive data drives what administrative process? A. Information classification B. Remanence C. Transmitting data D. Clearing

A. Information classification

46. Which attack helped drive vendors to move away from SSL toward TLS-only by default? A. POODLE B. Stuxnet C. BEAST D. CRIME

A. POODLE

28. Information maintained about an individual that can be used to distinguish or trace their identity is known as what type of information? A. Personally identifiable information (PII) B. Personal health information (PHI) C. Social Security number (SSN) D. Secure identity information (SII)

A. Personally identifiable information (PII)

63. When a computer is removed from service and disposed of, the process that ensures that all storage media has been removed or destroyed is known as what? A. Sanitization B. Purging C. Destruction D. Declassification

A. Sanitization

25. How should you determine what controls from the baseline a given system or software package should receive? A. Consult the custodians of the data. B. Select based on the data classification of the data it stores or handles. C. Apply the same controls to all systems. D. Consult the business owner of the process the system or data supports.

B. Select based on the data classification of the data it stores or handles.

100. Which mapping correctly matches data classifications between nongovernment and government classification schemes? A. Top Secret - Confidential/Proprietary; Secret - Private; Confidential - Sensitive B. Secret - Business confidential; Classified - Proprietary; Confidential - Business Internal C. Top Secret - Business sensitive; Secret - Business internal; Confidential - Business proprietary D. Secret - Proprietary; Classified - Private; Unclassified - Public

A. Top Secret - Confidential/Proprietary; Secret - Private; Confidential - Sensitive

3. What term is used to describe a starting point for a minimum security standard? A. Outline B. Baseline C. Policy D. Configuration guide

B. Baseline

82. What type of health information is the Health Insurance Portability and Accountability Act required to protect? A. PII B. PHI C. SHI D. HPHI

B. PHI

60. Which of the following is not a part of the European Union's Data Protection principles? A. Notice B. Reason C. Security D. Access

B. Reason

76. Charles has been asked to downgrade the media used for storage of private data for his organization. What process should Charles follow? A. Degauss the drives, and then relabel them with a lower classification level. B. Pulverize the drives, and then reclassify them based on the data they contain. C. Follow the organization's purging process, and then downgrade and replace labels. D. Relabel the media, and then follow the organization's purging process to ensure that the media matches the label.

C. Follow the organization's purging process, and then downgrade and replace labels.

92. Which of the following activities is not a consideration during data classification? A. Who can access the data B. What the impact would be if the data was lost or breached C. How much the data cost to create D. What protection regulations may be required for the data

C. How much the data cost to create

78. Susan needs to provide a set of minimum security requirements for email. What steps should she recommend for her organization to ensure that the email remains secure? A. All email should be encrypted. B. All email should be encrypted and labeled. C. Sensitive email should be encrypted and labeled. D. Only highly sensitive email should be encrypted.

C. Sensitive email should be encrypted and labeled.

94. Which data role is tasked with granting appropriate access to staff members? A. Data processors B. Business owners C. Custodians D. Administrators

D. Administrators

32. What is the primary purpose of data classification? A. It quantifies the cost of a data breach. B. It prioritizes IT expenditures. C. It allows compliance with breach notification laws. D. It identifies the value of the data to the organization.

D. It identifies the value of the data to the organization.

30. Full disk encryption like Microsoft's BitLocker is used to protect data in what state? A. Data in transit B. Data at rest C. Unlabeled data D. Labeled data

B. Data at rest

The following image shows a typical workstation and server and their connections to each other and the Internet. Use the image to answer questions 70, 71, and 72. User workstation (A) <---B---> Internet (C) <---D---> Server (E) <---F---> 70. Which letters should be associated with data at rest? A. A, B, and C B. C and E C. A and E D. B, D, and F

C. A and E

42. What encryption algorithm is used by both BitLocker and Microsoft's Encrypting File System? A. Blowfish B. Serpent C. AES D. 3DES

C. AES

15. What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it? A. Classification B. Symmetric encryption C. Watermarks D. Metadata

C. Watermarks

51. What primary issue does personnel retention deal with? A. Employees quitting B. Employees not moving on to new positions C. Knowledge gained after employment D. Knowledge gained during employment

D. Knowledge gained during employment

47. What security measure can provide an additional security control in the event that backup tapes are stolen or lost? A. Keep multiple copies of the tapes. B. Replace tape media with hard drives. C. Use appropriate security labels. D. Use AES256 encryption.

D. Use AES256 encryption.

2. COBIT, Control Objectives for Information and Related Technology, is a framework for IT management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls against business requirements? A. Business owners B. Data processors C. Data owners D. Data stewards

A. Business owners

6. How can a data retention policy help to reduce liabilities? A. By ensuring that unneeded data isn't retained B. By ensuring that incriminating data is destroyed C. By ensuring that data is securely wiped so it cannot be restored for legal discovery D. By reducing the cost of data storage required by law

A. By ensuring that unneeded data isn't retained

10. What term is used to describe overwriting media to allow for its reuse in an environment operating at the same sensitivity level? A. Clearing B. Erasing C. Purging D. Sanitization

A. Clearing

20. Which is the proper order from least to most sensitive for US government classifications? A. Confidential, Secret, Top Secret B. Confidential, Classified, Secret C. Top Secret, Secret, Classified, Public, Classified, Top Secret D. Public, Unclassified, Classified, Top Secret

A. Confidential, Secret, Top Secret

39. What technology could Lauren's employer implement to help prevent confidential data from being emailed out of the organization? A. DLP B. IDS C. A firewall D. UDP

A. DLP

97. Which of the following does not describe data in motion? A. Data on a backup tape that is being shipped to a storage facility B. Data in a TCP packet C. Data in an e-commerce transaction D. Data in files being copied between locations

A. Data on a backup tape that is being shipped to a storage facility

For questions 86, 87, and 88, use the following scenario. As shown in the following security life cycle diagram (loosely based on the NIST reference architecture), NIST uses a five-step process for risk management. Using your knowledge of data roles and practices, answer the following questions based on the NIST framework process. Step 1: Categorize Systems and Data -> Step 2: Select Security Controls -> Step 3: Implement Security Controls -> Step 4: Assess Security Controls -> Step 5: Monitor Security. 86. What data role will own responsibility for step 1, the categorization of information systems, to whom will they delegate step 2, and what data role will be responsible for step 3? A. Data owners, system owners, custodians B. Data processors, custodians, users C. Business owners, administrators, custodians D. System owners, business owner, administrators

A. Data owners, system owners, custodians

96. Fred is preparing to send backup tapes off site to a secure third-party storage facility. What steps should Fred take before sending the tapes to that facility? A. Ensure that the tapes are handled the same way the original media would be handled based on their classification. B. Increase the classification level of the tapes because they are leaving the possession of the company. C. Purge the tapes to ensure that classified data is not lost. D. Encrypt the tapes in case they are lost in transit.

A. Ensure that the tapes are handled the same way the original media would be handled based on their classification.

For questions 57, 58, and 59, use the following scenario. Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process: 1. Criteria are set for classifying data. 2. Data owners are established for each type of data. 3. Data is classified. 4. Required controls are selected for each classification. 5. Baseline security standards are selected for the organization. 6. Controls are scoped and tailored. 7. Controls are applied and enforced. 8. Access is granted and managed. Use the classification process to answer the following questions. 57. If Chris is one of the data owners for the organization, what steps in this process is he most likely responsible for? A. He is responsible for steps 3, 4, and 5. B. He is responsible for steps 1, 2, and 3. C. He is responsible for steps 5, 6, and 7. D. All of the steps are his direct responsibility.

A. He is responsible for steps 3, 4, and 5.

17. What does labeling data allow a DLP system to do? A. The DLP system can detect labels and apply appropriate protections. B. The DLP system can adjust labels based on changes in the classification scheme. C. The DLP system can notify the firewall that traffic should be allowed through. D. The DLP system can delete unlabeled data.

A. The DLP system can detect labels and apply appropriate protections.

81. Which of the following will be superseded in 2018 by the European Union's General Data Protection Regulation (GDPR)? A. The EU Data Protection Directive B. NIST SP 800-12 C. The EU Personal Data Protection Regulation D. COBIT

A. The EU Data Protection Directive

34. Which of the following concerns should not be part of the decision when classifying data? A. The cost to classify the data B. The sensitivity of the data C. The amount of harm that exposure of the data could cause D. The value of the data to the organization

A. The cost to classify the data

40. A US government database contains Secret, Confidential, and Top Secret data. How should it be classified? A. Top Secret B. Confidential C. Secret D. Mixed classification

A. Top Secret

16. What type of encryption should you use on the file servers for the proprietary data, and how might you secure the data when it is in motion? A. TLS at rest and AES in motion B. AES at rest and TLS in motion C. VPN at rest and TLS in motion D. DES at rest and AES in motion

B. AES at rest and TLS in motion

44. What term is used to describe a set of common security configurations, often provided by a third party? A. Security policy B. Baseline C. DSS D. SP 800

B. Baseline

69. NIST SP 800-60 provides a process shown in the following diagram to assess information systems. What process does this diagram show? Process inputs: Identify Information Systems. Process: 1. Identify Information Types -> 2. Select Provisional Impact Levels -> 3. Review Provisional Impact Levels, Adjust/Finalize Information Impact Levels -> 4. Assign System Security Category. Process outputs: Security Categorization (FIPS 200/SP 800-53). A. Selecting a standard and implementing it B. Categorizing and selecting controls C. Baselining and selecting controls D. Categorizing and sanitizing

B. Categorizing and selecting controls

31. Sue's employer has asked her to use an IPsec VPN to connect to its network. When Sue connects, what does the IPsec VPN allow her to do? A. Send decrypted data over a public network and act like she is on her employer's internal network. B. Create a private encrypted network carried via a public network and act like she is on her employer's internal network. C. Create a virtual private network using TLS while on her employer's internal network. D. Create a tunneled network that connects her employer's network to her internal home network.

B. Create a private encrypted network carried via a public network and act like she is on her employer's internal network.

29. What is the primary information security risk to data at rest? A. Improper classification B. Data breach C. Decryption D. Loss of data integrity

B. Data breach

66. Data stored in RAM is best characterized as what type of data? A. Data at rest B. Data in use C. Data in transit D. Data at large

B. Data in use

84. Lauren's multinational company wants to ensure compliance with the EU Data Protection. If she allows data to be used against the requirements of the notice principle and against what users selected in the choice principle, what principle has her organization violated? A. Onward transfer B. Data integrity C. Enforcement D. Access

B. Data integrity

13. What term describes data that remains after attempts have been made to remove the data? A. Residual bytes B. Data remanence C. Slack space D. Zero fill

B. Data remanence

27. The government defense contractor that Saria works for has recently shut down a major research project and is planning on reusing the hundreds of thousands of dollars of systems and data storage tapes used for the project for other purposes. When Saria reviews the company's internal processes, she finds that she can't reuse the tapes and that the manual says they should be destroyed. Why isn't Saria allowed to degauss and then reuse the tapes to save her employer money? A. Data permanence may be an issue. B. Data remanence is a concern. C. The tapes may suffer from bit rot. D. Data from tapes can't be erased by degaussing.

B. Data remanence is a concern.

50. What method uses a strong magnetic field to erase media? A. Magwipe B. Degaussing C. Sanitization D. Purging

B. Degaussing

72. What is the best way to secure files that are sent from workstation A via the Internet service (C) to remote server E? A. Use AES at rest at point A, and TLS in transit via B and D. B. Encrypt the data files and send them. C. Use 3DES and TLS to provide double security. D. Use full disk encryption at A and E, and use SSL at B and D.

B. Encrypt the data files and send them.

77. Which of the following tasks is not performed by a system owner per NIST SP 800-18? A. Develops a system security plan B. Establishes rules for appropriate use and protection of data C. Identifies and implements security controls D. Ensures that system users receive appropriate security training

B. Establishes rules for appropriate use and protection of data

26. What problem with FTP and Telnet makes using SFTP and SSH better alternatives? A. FTP and Telnet aren't installed on many systems. B. FTP and Telnet do not encrypt data. C. FTP and Telnet have known bugs and are no longer maintained. D. FTP and Telnet are difficult to use, making SFTP and SSH the preferred solution.

B. FTP and Telnet do not encrypt data.

41. What tool is used to prevent employees who leave from sharing proprietary information with their new employers? A. Encryption B. NDA C. Classification D. Purging

B. NDA

24. Adjusting the CIS benchmarks to your organization's mission and your specific IT systems would involve what two processes? A. Scoping and selection B. Scoping and tailoring C. Baselining and tailoring D. Tailoring and selection

B. Scoping and tailoring

87. If the systems that are being assessed all handle credit card information (and no other sensitive data), at what step would the PCI DSS first play an important role? A. Step 1 B. Step 2 C. Step 3 D. Step 4

B. Step 2

93. What type of encryption is typically used for data at rest? A. Asymmetric encryption B. Symmetric encryption C. DES D. OTP

B. Symmetric encryption

95. Which California law requires conspicuously posted privacy policies on commercial websites that collect the personal information of California residents? A. The Personal Information Protection and Electronic Documents Act B. The California Online Privacy Protection Act C. California Online Web Privacy Act D. California Civil Code 1798.82

B. The California Online Privacy Protection Act

33. Fred's organization allows downgrading of systems for reuse after projects have been finished and the systems have been purged. What concern should Fred raise about the reuse of the systems from his Top Secret classified project for a future project classified as Secret? A. The Top Secret data may be commingled with the Secret data, resulting in a need to relabel the system. B. The cost of the sanitization process may exceed the cost of new equipment. C. The data may be exposed as part of the sanitization process. D. The organization's DLP system may flag the new system due to the difference in data labels.

B. The cost of the sanitization process may exceed the cost of new equipment.

4. When media is labeled based on the classification of the data it contains, what rule is typically applied regarding labels? A. The data is labeled based on its integrity requirements. B. The media is labeled based on the highest classification level of the data it contains. C. The media is labeled with all levels of classification of the data it contains. D. The media is labeled with the lowest level of classification of the data it contains.

B. The media is labeled based on the highest classification level of the data it contains.

74.The European Union (EU) Data Protection Directive's seven principles do not include which of the following key elements? A. The need to inform subjects when their data is being collected B. The need to set a limit on how long data is retained C. The need to keep the data secure D. The need to allow data subjects to be able to access and correct their data

B. The need to set a limit on how long data is retained

61. Ben's company, which is based in the EU, hires a third-party organization that processes data for it. Who has responsibility to protect the privacy of the data and ensure that it isn't used for anything other than its intended purpose? A. Ben's company is responsible. B. The third-party data processor is responsible. C. The data controller is responsible. D. Both organizations bear equal responsibility.

B. The third-party data processor is responsible.

18. Why is it cost effective to purchase high-quality media to contain sensitive data? A. Expensive media is less likely to fail. B. The value of the data often far exceeds the cost of the media. C. Expensive media is easier to encrypt. D. More expensive media typically improves data integrity.

B. The value of the data often far exceeds the cost of the media.

58. Chris manages a team of system administrators. What data role are they fulfilling if they conduct steps 6, 7, and 8 of the classification process? A. They are system owners and administrators. B. They are administrators and custodians. C. They are data owners and administrators. D. They are custodians and users.

B. They are administrators and custodians.

43. Chris is responsible for his organization's security standards and has guided the selection and implementation of a security baseline for Windows PCs in his organization. How can Chris most effectively make sure that the workstations he is responsible for are being checked for compliance and that settings are being applied as necessary? A. Assign users to spot-check baseline compliance. B. Use Microsoft Group Policy. C. Create startup scripts to apply policy at system start. D. Periodically review the baselines with the data owner and system owners.

B. Use Microsoft Group Policy.

89. Susan's organization performs a zero fill on hard drives before they are sent to a third-party organization to be shredded. What issue is her organization attempting to avoid? A. Data remanence while at the third-party site B. Mishandling of drives by the third party C. Classification mistakes D. Data permanence

B. Mishandling of drives by the third party

83. What encryption algorithm would provide strong protection for data stored on a USB thumb drive? A. TLS B. SHA1 C. AES D. DES

C. AES

11. Which of the following classification levels is the US government's classification label for data that could cause damage but wouldn't cause serious or grave damage? A. Top secret B. Secret C. Confidential D. Classified

C. Confidential

88. What data security role is primarily responsible for step 5? A. Data owners B. Data processors C. Custodians D. Users

C. Custodians

55. Which data role is described as the person who has ultimate organizational responsibility for data? A. System owners B. Business owners C. Data owners D. Mission owners

C. Data owners

80. What data role does a system that is used to process data have? A. Mission owner B. Data owner C. Data processor D. Custodian

C. Data processor

59. If Chris's company operates in the European Union and has been contracted to handle the data for a third party, what role is his company operating in when it uses this process to classify and handle data? A. Business owners B. Mission owners C. Data processors D. Data administrators

C. Data processors

67. What issue is the validation portion of the NIST SP 800-88 sample certificate of sanitization intended to help prevent? A. Destruction B. Reuse C. Data remanence D. Attribution

C. Data remanence

21. What scenario describes data at rest? A. Data in an IPsec tunnel B. Data in an e-commerce transaction C. Data stored on a hard drive D. Data stored in RAM

C. Data stored on a hard drive

90. Embedded data used to help identify the owner of a file is an example of what type of label? A. Copyright notice B. DLP C. Digital watermark D. Steganography

C. Digital watermark

85. What is the best method to sanitize a solid-state drive (SSD)? A. Clearing B. Zero fill C. Disintegration D. Degaussing

C. Disintegration

35. Which of the following is the least effective method of removing data from media? A. Degaussing B. Purging C. Erasing D. Clearing

C. Erasing

68. Why is declassification rarely chosen as an option for media reuse? A. Purging is sufficient for sensitive data. B. Sanitization is the preferred method of data removal. C. It is more expensive than new media and may still fail. D. Clearing is required first.

C. It is more expensive than new media and may still fail.

65. Susan works in an organization that labels all removable media with the classification level of the data it contains, including public data. Why would Susan's employer label all media instead of labeling only the media that contains data that could cause harm if it was exposed? A. It is cheaper to order all prelabeled media. B. It prevents sensitive media from not being marked by mistake. C. It prevents reuse of public media for sensitive data. D. Labeling all media is required by HIPAA.

C. It prevents reuse of public media for sensitive data.

52. Alex works for a government agency that is required to meet US Federal government requirements for data security. To meet these requirements, Alex has been tasked with making sure data is identifiable by its classification level. What should Alex do to the data? A. Classify the data. B. Encrypt the data. C. Label the data. D. Apply DRM to the data.

C. Label the data.

22. If you are selecting a security standard for a Windows 10 system that processes credit card information, what security standard is your best choice? A. Microsoft's Windows 10 security baseline B. The CIS Windows 10 baseline C. PCI DSS D. The NSA Windows 10 baseline

C. PCI DSS

99. Ed has been asked to send data that his organization classifies as confidential and proprietary via email. What encryption technology would be appropriate to ensure that the contents of the files attached to the email remain confidential as they traverse the Internet? A. SSL B. TLS C. PGP D. VPN

C. PGP

38. Lauren's employer asks Lauren to classify patient X-ray data that has an internal patient identifier associated with it but does not have any way to directly identify a patient. The company's data owner believes that exposure of the data could cause damage (but not exceptional damage) to the organization. How should Lauren classify the data? A. Public B. Sensitive C. Private D. Confidential

C. Private

For questions 14, 15, and 16, please refer to the following scenario: Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations. 14. What civilian data classifications best fit this data? A. Unclassified, confidential, top secret B. Public, sensitive, private C. Public, sensitive, proprietary D. Public, confidential, private

C. Public, sensitive, proprietary

45. What type of policy describes how long data is retained and maintained before destruction? A. Classification B. Audit C. Record retention D. Availability

C. Record retention

19. Chris is responsible for workstations throughout his company and knows that some of the company's workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for? A. Erasing B. Clearing C. Sanitization D. Destruction

C. Sanitization

1. Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she using to protect against it? A. Man-in-the-middle, VPN B. Packet injection, encryption C. Sniffing, encryption D. Sniffing, TEMPEST

C. Sniffing, encryption

71. What would be the best way to secure data at points B, D, and F? A. AES256 B. SSL C. TLS D. 3DES

C. TLS

Use the following scenario to answer questions 37, 38, and 39. The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit.

Classification: Handling requirements
Confidential (HIPAA): Encrypt at rest and in transit. Full disk encryption required for all workstations. Files can only be sent in encrypted form, and passwords must be transferred under separate cover. Printed documents must be labeled with "HIPAA handling required."
Private (PHI): Encrypt at rest and in transit. PHI must be stored on secure servers, and copies should not be kept on local workstations. Printed documents must be labeled with "Private."
Sensitive (business confidential): Encryption is recommended but not required.
Public: Information can be sent unencrypted.

Using the table, answer the following questions. 37. What type of encryption would be appropriate for HIPAA documents in transit? A. AES256 B. DES C. TLS D. SSL

C. TLS

9. Ben has been tasked with identifying security controls for systems covered by his organization's information classification system. Why might Ben choose to use a security baseline? A. It applies in all circumstances, allowing consistent security controls. B. They are approved by industry standards bodies, preventing liability. C. They provide a good starting point that can be tailored to organizational needs. D. They ensure that systems are always in a secure state.

C. They provide a good starting point that can be tailored to organizational needs.

64. Linux systems that use bcrypt are using a tool based on what DES alternative encryption scheme? A. 3DES B. AES C. Diffie-Hellman D. Blowfish

D. Blowfish

8. Susan works for an American company that conducts business with customers in the European Union. What is she likely to have to do if she is responsible for handling PII from those customers? A. Encrypt the data at all times. B. Label and classify the data according to HIPAA. C. Conduct yearly assessments to the EU DPD baseline. D. Comply with the US-EU Safe Harbor requirements.

D. Comply with the US-EU Safe Harbor requirements.

7. Staff in an IT department who are delegated responsibility for day-to-day tasks hold what data role? A. Business owner B. User C. Data processor D. Custodian

D. Custodian

73. Incineration, crushing, shredding, and disintegration all describe what stage in the life cycle of media? A. Sanitization B. Degaussing C. Purging D. Destruction

D. Destruction

48. Joe works at a major pharmaceutical research and development company and has been tasked with writing his organization's data retention policy. As part of its legal requirements, the organization must comply with the US Food and Drug Administration's Code of Federal Regulations Title 21. To do so, it is required to retain records with electronic signatures. Why would a signature be part of a retention requirement? A. It ensures that someone has reviewed the data. B. It provides confidentiality. C. It ensures that the data has not been changed. D. It validates who approved the data.

D. It validates who approved the data.

53. Ben is following the NIST Special Publication 800-88 guidelines for sanitization and disposition as shown in the following diagram. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow? Refer to page 36 in book. A. Destroy, validate, document B. Clear, purge, document C. Purge, document, validate D. Purge, validate, document

D. Purge, validate, document

91. Retaining and maintaining information for as long as it is needed is known as what? A. Data storage policy B. Data storage C. Asset maintenance D. Record retention

D. Record retention

98. A new law is passed that would result in significant financial harm to your company if the data that it covers was stolen or inadvertently released. What should your organization do about this? A. Select a new security baseline. B. Relabel the data. C. Encrypt all of the data at rest and in transit. D. Review its data classifications and classify the data appropriately.

D. Review its data classifications and classify the data appropriately.

49. What protocol is preferred over Telnet for remote server administration via the command line? A. SCP B. SFTP C. WDS D. SSH

D. SSH

79. What term describes the process of reviewing baseline security controls and selecting only the controls that are appropriate for the IT system you are trying to protect? A. Standard creation B. CIS benchmarking C. Baselining D. Scoping

D. Scoping

62. Major Hunter, a member of the US armed forces, has been entrusted with information that, if exposed, could cause serious damage to national security. Under US government classification standards, how should this data be classified? A. Unclassified B. Top Secret C. Confidential D. Secret

D. Secret

54. What methods are often used to protect data in transit? A. Telnet, ISDN, UDP B. Encrypted storage media C. AES, Serpent, IDEA D. TLS, VPN, IPsec

D. TLS, VPN, IPsec

56. What US government agency oversees compliance with the Safe Harbor framework for organizations wishing to use personal data of EU citizens? A. The FTC B. The FDA C. The DoD D. The Department of Commerce

D. The Department of Commerce

36. Safe Harbor is part of a US program to meet what European Union law? A. The EU CyberSafe Act B. The Network and Information Security (NIS) directives C. The General Data Protection Regulation (GDPR) D. The EU Data Protection Directive

D. The EU Data Protection Directive

12. What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs? A. They can be used to hide data. B. They can only be degaussed. C. They are not addressable, resulting in data remanence. D. They may not be cleared, resulting in data remanence.

D. They may not be cleared, resulting in data remanence.

75. Why might an organization use unique screen backgrounds or designs on workstations that deal with data of different classification levels? A. To indicate the software version in use B. To promote a corporate message C. To promote availability D. To indicate the classification level of the data or system

D. To indicate the classification level of the data or system

Use the following scenario for questions 23, 24, and 25. The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Answer the following questions based on this decision. 23. The CIS benchmarks are an example of what practice? A. Conducting a risk assessment B. Implementing data labeling C. Proper system ownership D. Using security baselines

D. Using security baselines
