MindMap Gallery CISSP Study Notes-Domain 2 (Asset Security)
CISSP study notes-Domain 2 (Asset Security) study notes and important exercises. Strengthen the focus of learning and help consolidate memory.
Edited at 2024-02-25 15:28:01
CISSP Study Notes-Domain 2 (Asset Security)
Knowledge points
2.1 Identify and classify information and assets
2.1.1. Data classification
Data classification groups data by its criticality (importance to business processes) and sensitivity (how confidential it is) so that security controls can be analyzed and applied more effectively and legal and regulatory requirements are met.
2.1.1.1 Dimensions of data classification:
•Context-based: classification based on metadata such as ownership, location, etc.
•Content-based: the content of the file itself directly identifies sensitive data, such as the privacy, medical or financial data covered by HIPAA, PCI or contract terms.
•User-based: manual assignment based on the user's understanding of the data and the organization's classification scheme.
2.1.1.2 Sensitivity level labels for data classification:
1. Business organization:
•Confidential: leakage of data that may have a great impact on corporate competitiveness, such as trade secrets, core codes, patents, etc.
•Sensitive: Data that is less valuable than confidential but still needs to be protected, such as strategic documents, project details, profit returns and forecasts, etc.
•Private: Data that will not cause harm to the company but needs to be kept confidential, such as personal medical, salary and other private information.
•Proprietary: Data that is disclosed to the outside of the company to a limited extent, or information that may reduce the company's competitive advantage, such as new product technical specifications.
•Public: Non-sensitive information that can be disclosed to the public.
2. Government or military organization:
•Top Secret: disclosure of data that may cause great harm to national security.
•Secret: Disclosure of data that could cause serious damage to national security.
•Confidential: Disclosure of data that may cause damage to national security.
•Unclassified: The data does not belong to sensitive categories.
Other: Other tags (non-categorical) used to specify files, such as For Official Use Only (FOUO) and Limited Official Use.
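The three classification dimensions and the labeling rules above, worked as an added Python example (not part of these notes). Context-based classification comes from the owning department, content-based classification from patterns in the file body (SSN shape, a Luhn-valid card number, an explicit marking), and user-based classification from a manual tag; the most restrictive label wins, and media holding several files is labeled at the highest level present. The rule set, department mapping and the choice to label card data "sensitive" are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Sensitivity labels for a business organization, lowest to highest.
LABELS = ["public", "proprietary", "private", "sensitive", "confidential"]
RANK = {label: i for i, label in enumerate(LABELS)}

# Content-based rules (constructed for illustration): a match assigns at least
# this label. Real rule sets are far larger.
CONTENT_RULES = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "private"),           # US SSN shape (privacy data)
    (re.compile(r"\bdiagnosis:", re.IGNORECASE), "private"),    # medical-record marker
    (re.compile(r"\btrade secret\b", re.IGNORECASE), "confidential"),
]
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")                   # 16-digit card shape

# Context-based rule (constructed): the owning department sets a floor.
OWNER_LABELS = {"legal": "sensitive", "hr": "private", "marketing": "public"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def content_labels(text: str) -> Set[str]:
    """Content-based classification: every label implied by the text itself."""
    found = {label for pattern, label in CONTENT_RULES if pattern.search(text)}
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("sensitive")  # PCI data; mapping it to 'sensitive' is a constructed choice
    return found


@dataclass
class Document:
    name: str
    owner_dept: str                    # context: metadata about ownership
    text: str                          # content
    user_label: Optional[str] = None   # user-based: manual assignment, if any


def classify(doc: Document) -> str:
    """Combine the three dimensions; the most restrictive label wins."""
    candidates = {OWNER_LABELS.get(doc.owner_dept, "public")}   # context-based
    candidates |= content_labels(doc.text)                      # content-based
    if doc.user_label in RANK:                                  # user-based
        candidates.add(doc.user_label)
    return max(candidates, key=RANK.__getitem__)


def media_label(docs: List[Document]) -> str:
    """Media carrying several documents is labeled at the highest level present."""
    return max((classify(d) for d in docs), key=RANK.__getitem__)
```

The Luhn check is what keeps a content rule from labeling every 16-digit ticket number as card data; a false positive here is cheap, but a flood of them is how classification tools lose the trust of data owners.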
2.1.2. Asset classification
2.1.2.1 Asset Class
In the field of information security, assets are usually divided into two broad categories: tangible assets and intangible assets.
•Tangible assets: include hardware, equipment, buildings and other items that can be seen and touched. The value of such assets can be measured by market price, cost or depreciation. Security of physical assets often involves physical protection measures such as access controls, monitoring systems, etc.
•Intangible assets: including intellectual property, trade secrets, employee skills and experience and other intangible assets that are not easily valued. The value of such assets lies in their contribution to the organization and potential market advantage. Protecting intangible assets usually involves legal, contract, intellectual property protection and other means.
2.1.2.2 Classify assets
The importance and sensitivity of the asset need to be considered. It can help organizations allocate security resources reasonably to ensure that critical assets are adequately protected.
The process of asset classification includes:
•Asset inventory:
Collect and record all asset information within your organization, including name, type, location, and more.
•Identify the responsible person or owner:
Designate a responsible person or owner for each asset to ensure that responsibility for the security and management of the asset is attributed.
•Classification and grouping:
Separate assets into different categories or groupings based on their criticality and sensitivity. This can be determined based on the organization's specific needs and risk tolerance.
•Identify security controls:
For different categories or groupings of assets, implement corresponding levels of security control measures to ensure the confidentiality, integrity and availability of assets. The practical application of asset classification may vary depending on the size, industry and needs of the organization. When implementing asset classification, it is recommended to refer to industry standards and best practices to ensure effective and sustainable asset protection.
Note: In the CISSP exam, we treat assets as tangible things and treat data separately. Data is often the greatest asset of all (e.g., intellectual property)
2.2. Establish information and asset handling requirements
2.2.1. Asset handling requirements
1. Marking and labeling
Label assets for easy identification and management. For untagged data assets, it's best to start with the highest level of security measures. Data loss prevention (DLP) systems prevent the leakage of sensitive information.
2. Processing
Develop policies and procedures to manage different classifications of assets, including access, transfer and usage rules. Strengthen employee training and improve the sense of responsibility and awareness of information processing.
3.Storage
Encrypt static sensitive data and properly store keys. Limit the amount of data retained, reducing organizational risk and operational costs. Pay attention to data backup.
4. Declassification
Adjust asset classification to lower sensitivity. When changing classifications, adjust labeling, processing, and storage requirements accordingly. Declassification requires multi-level approval and is determined by the data owner.
5. Declassification methods
Remove or obfuscate sensitive elements in data through methods such as anonymization, masking, and tokenization.
2.3. Provision resources securely
2.3.1. Information and Asset Ownership
Asset Owner refers to the person or entity within an organization that has ultimate responsibility for a specific information asset or physical asset. The asset owner is generally responsible for the use, protection, and management of the asset and for ensuring that the confidentiality, integrity, and availability of the asset are maintained.
2.3.1.1 Asset Owner Responsibilities:
•Develop and maintain system security plan
Determine asset classification levels, authorize access rights, and implement appropriate security controls
•Ensure the security plan is implemented
Monitor and evaluate the effectiveness of the above measures
•Ensure system users and support staff receive appropriate security training
The asset owner may be a business unit leader, a project manager, or a senior executive with an appropriate function. May be the same person as the data owner.
2.3.2. Asset inventory
2.3.2.1 Asset List
•Physical assets (e.g. hardware equipment)
•Virtual assets (e.g. software applications, data)
2.3.2.2 Asset inventory tool
Due to the scale, complexity and frequency of asset inventories, organizations should try to use automated tools to assist in the creation and maintenance of asset inventories. Key features include:
1. Able to identify and distinguish authorized and unauthorized assets
2. Send alerts when potential security threats are discovered
3. Collect and track asset information:
•Hardware specifications
•Software version and license
•For reporting, auditing, risk management and incident management
2.3.2.3 Asset Recording System
Establish an authoritative system of record that serves as the primary data source for internal reference throughout the organization. It is the reliable source to consult when inconsistent or conflicting information is encountered, and it may also be used to meet official reporting and other data requirements.
For example: audits, compliance checks
2.3.3. Asset Management
Asset management is a systematic approach to the effective and efficient tracking, management, and protection of all assets within an organization, including hardware, software, information, and other tangible or intangible assets. It covers the entire life cycle of assets from procurement, deployment, maintenance, upgrades to final decommissioning. The primary goal of asset management is to ensure that an organization's assets provide maximum value to the organization while reducing risk, cost and resource waste, and ensuring compliance with regulatory and compliance requirements.
Asset management involves several key activities and processes, such as:
1. Ownership assignment:
Identify asset owners and ensure accountability for their use, protection and management.
2. Asset inventory:
Identify all physical and virtual assets within the organization and create and maintain asset inventories.
3.IT Asset Management (ITAM):
Ensure that the accounting, maintenance, upgrade and decommissioning of assets are managed effectively and in compliance with relevant standards (such as ISO 19770).
4. Configuration management:
Strictly control and record the configuration of systems and software to ensure inventory effectiveness.
•System baseline: determines the versions and settings of all configuration items in a product, system, or subsystem;
•Security baseline: the minimum safeguards required to protect a specific system (e.g. security controls)
5. Change management
Use standardized processes to make changes to assets to ensure the stability and security of assets
2.4 Managing data life cycle
2.4.1. Data roles
2.4.1.1 Data owners (Owners)
•Determine how data will be used and protected
•Has ultimate responsibility for data within the organization
•Responsibilities include: data identification, classification and labeling; security strategy and controls; access rights management; ultimate accountability
2.4.1.2 Data Controllers (Controllers)
•Deciding how to handle different types of data
•Ensure compliance with data processing principles: lawfulness, fairness, transparency, data minimization, accuracy, storage limitation, and the integrity and confidentiality of personal data
•It may be the data owner itself, or it may be a third party
2.4.1.3 Data Custodians
•Responsible for maintaining data on IT infrastructure
•Usually the IT department is responsible
2.4.1.4 Data Processors (Processors)
A person or entity that provides services and processes data on behalf of the data controller under the GDPR. A data processor is not necessarily an individual; third-party service providers contracted to process data on behalf of a data controller also meet this definition.
2.4.1.5 Data Users (Users)
•The party consuming the data
•Can hold data processors accountable to service level agreements (SLAs)
2.4.1.6 Data Subjects
•Usually refers to a human being, the individual who provides personal information
•The goal of privacy protection is to protect the rights and personal information of data subjects
2.4.2. Data collection
2.4.2.1 Data life cycle
1. Collect: data generation or aggregation
2. Store: save data to a storage system or repository
3. Use: data processing or analysis
4. Share: data is shared with external authorized users and systems
5. Retain: data is kept for a predetermined period (such as archiving)
6. Destroy: data is permanently deleted and can no longer be accessed or used
2.4.2.2 Data collection process
•Follows specific procedures in some contexts, such as medical data entry or online financial form filling
•Can be formal or informal, paper or electronic
•Organizations should only collect data that meets business purposes or regulatory requirements
•Data management policies should limit the scope of collection
•From a privacy perspective, follow best practices and regulations (such as GDPR) and obtain consent or other legal authorization before collecting data
2.4.3. Data location
There are an increasing number of laws and regulations regarding where various types of data may be processed and stored. For example, some privacy laws require that information about a country's citizens be stored within that country's borders. Businesses need to understand region-specific requirements and include steps in their asset management processes to identify and confirm the physical location of assets and conduct periodic reviews to confirm that asset locations comply with regulatory requirements.
2.4.4. Data maintenance
2.4.4.1 Data maintenance
Data maintenance focuses on the security of data as it is moved, processed, analyzed, and shared within an organization. To ensure effective maintenance, the organization should:
1. Control access and implement security controls.
2. Continuously monitor and adopt principles such as least privilege and defense in depth.
3. Balance functionality and security, and continuously evaluate policies and controls to meet business needs securely.
2.4.4.2 Data retention policy
The length of time data is retained before secure destruction takes into account the following factors:
1. Ensure that the data retention policy meets all legal and regulatory requirements.
2. Specify the maximum retention period for sensitive or personal data.
3. The less data you have, the less damaging a security breach will be.
4. Data no longer needed should be safely destroyed.
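The four retention factors above, applied by a small policy evaluator. This is an added Python example, not part of these notes: the retention schedule, the category names and the sample records are constructed placeholders, and real maximum periods must come from the applicable laws and the data owner. A legal hold overrides the schedule, data past its maximum period is destroyed, and personal data with no remaining purpose is destroyed early (minimization), which is the "less data, less damage" point.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Constructed retention schedule: maximum retention per category, in days.
MAX_RETENTION_DAYS = {
    "financial_record": 7 * 365,
    "personal_data": 2 * 365,
    "marketing_log": 90,
}
PERSONAL_CATEGORIES = {"personal_data"}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False      # litigation or audit hold set by legal
    business_need: bool = True    # does any process still use it?


def retention_decision(rec: Record, today: date) -> Tuple[str, str]:
    """Return ('retain' | 'destroy', reason) for one record."""
    if rec.legal_hold:
        return "retain", "legal hold overrides the schedule"
    limit = MAX_RETENTION_DAYS.get(rec.category)
    if limit is None:
        return "retain", "no schedule for this category; escalate to the data owner"
    age = (today - rec.created).days
    if age > limit:
        return "destroy", f"age {age}d exceeds the {limit}d maximum"
    if rec.category in PERSONAL_CATEGORIES and not rec.business_need:
        return "destroy", "personal data with no remaining purpose (minimization)"
    return "retain", f"{limit - age}d of retention remaining"


def destruction_plan(records: List[Record], today: date) -> Dict[str, str]:
    """Map each record id to the action the policy requires today."""
    return {r.record_id: retention_decision(r, today)[0] for r in records}


SAMPLE = [  # constructed records
    Record("inv-2015", "financial_record", date(2015, 1, 1)),
    Record("inv-2020", "financial_record", date(2020, 6, 1)),
    Record("inv-2010-hold", "financial_record", date(2010, 1, 1), legal_hold=True),
    Record("cust-2021", "personal_data", date(2021, 1, 1)),
    Record("cust-2023-stale", "personal_data", date(2023, 6, 1), business_need=False),
    Record("cust-2023", "personal_data", date(2023, 6, 1)),
    Record("misc-1", "unknown", date(2023, 1, 1)),
]

if __name__ == "__main__":
    for rid, action in destruction_plan(SAMPLE, date(2024, 2, 25)).items():
        print(rid, action)
```

Records whose category has no schedule are deliberately retained and escalated rather than destroyed; an evaluator that defaults to destruction is the kind of automation that ends up deleting evidence under hold.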
2.4.5. Data destruction
Data destruction refers to various techniques used to remove data from a system or data storage medium to ensure that no one can reconstruct the data.
2.4.5.1 Principles of data destruction
•Compliance first
Data destruction must first consider compliance. If regulations require complete physical destruction of storage devices, even if the cost is high, this must be done to ensure that sensitive data cannot be restored.
•Cost considerations
If sensitive data is not involved, organizations may process the storage media through technical methods such as overwriting or degaussing, and then reuse the device.
2.4.5.2 Data destruction method
•Physical destruction: For example, crushing, smashing or melting the storage media to ensure that the data cannot be recovered. This applies to optical discs, hard drives, flash memory devices, etc.
•Logical destruction: including methods such as overwriting, encryption or degaussing. These methods do not destroy the storage device itself, but rather overwrite or modify the data to prevent its recovery.
• Take care to ensure that all copies are destroyed. When destroying data, all possible copies need to be considered, such as backups, archives or data in cloud storage.
•Destruction of data held by third parties upon termination of contract. At the end of your engagement with a third party, make sure they destroy all data associated with your organization in compliance with contractual requirements and regulations.
2.4.6. Data residue
2.4.6.1 How to handle data residue:
Data remanence (residual data) occurs when incomplete deletion of data allows information to be recovered and leaked.
•Clearing:
Digitally erasing data or overwriting it with zeros or ones. This is the least thorough method and may still allow the data to be recovered.
•Purging:
These include methods such as degaussing, which destroys data by exposing its storage media to strong magnetic fields.
•Destruction:
Physical destruction of media by crushing, burning, etc.
2.4.6.2 Media disinfection
Sanitization is typically a combination of clearing and purging so that the media can be reused within the organization. It is more thorough than simple formatting or repartitioning.
2.4.6.3 Dealing with data residue on the cloud
Because cloud tenants do not have access to the physical drives, the alternative in a cloud environment is to encrypt the data and keep the keys outside the cloud environment where the data resides. When the data is no longer needed, the keys are deleted and the data becomes unusable and unreadable; this is called cryptographic erasure.
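Clearing, purging and cryptographic erasure (sections 2.4.6.1 and 2.4.6.3), shown on a simulated drive. This is an added Python example, not part of these notes: the `Disk` class is a constructed model with host-addressable sectors plus a spare area the host cannot address, and `keystream_xor` is a SHA-256 counter-mode stand-in for a real cipher such as AES, used only so the block runs without third-party libraries. Ordinary deletion leaves the data in place; clearing zeroes the addressable sectors but the old copy survives in the spare area (the remanence problem of spare sectors and over-provisioned SSD space); purging wipes every cell; with cryptographic erasure only ciphertext ever touches the media.

```python
import hashlib
from typing import Dict, Tuple

SECTOR = 16


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES (constructed): SHA-256 counter-mode keystream XORed over
    the data. Only here to show that ciphertext without its key is noise."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Disk:
    """Constructed drive model: host-addressable sectors plus an over-provisioned
    spare area the host cannot address (as on SSDs and remapped HDD sectors)."""

    def __init__(self, user_sectors: int = 8, spare_sectors: int = 4):
        self.user_bytes = SECTOR * user_sectors
        self.media = bytearray(self.user_bytes + SECTOR * spare_sectors)
        self.files: Dict[str, Tuple[int, int]] = {}   # name -> (first sector, length)
        self.next_sector = 0
        self.next_spare = self.user_bytes

    def _write_sector(self, n: int, chunk: bytes) -> None:
        off = n * SECTOR
        old = bytes(self.media[off:off + SECTOR])
        # Mimic wear levelling: the old copy is parked in spare space instead of
        # being erased in place, so the host's overwrite never touches it.
        if any(old) and self.next_spare + SECTOR <= len(self.media):
            self.media[self.next_spare:self.next_spare + SECTOR] = old
            self.next_spare += SECTOR
        self.media[off:off + SECTOR] = chunk.ljust(SECTOR, b"\0")

    def write(self, name: str, data: bytes) -> None:
        n_sectors = -(-len(data) // SECTOR)
        if name in self.files:
            first = self.files[name][0]
        else:
            first, self.next_sector = self.next_sector, self.next_sector + n_sectors
        for i in range(n_sectors):
            self._write_sector(first + i, data[i * SECTOR:(i + 1) * SECTOR])
        self.files[name] = (first, len(data))

    def read(self, name: str) -> bytes:
        first, length = self.files[name]
        return bytes(self.media[first * SECTOR:first * SECTOR + length])

    def erase(self, name: str) -> None:
        """Ordinary deletion: drops the directory entry; data stays on the media."""
        del self.files[name]

    def clear(self, name: str) -> None:
        """Clearing: overwrite the addressable sectors with zeros, then unlink."""
        self.write(name, b"\0" * self.files[name][1])
        del self.files[name]

    def purge(self) -> None:
        """Purging (degaussing / block erase): every cell, spare area included."""
        self.media[:] = bytes(len(self.media))

    def raw_scan(self, needle: bytes) -> bool:
        """Forensic-style search over the whole medium, spare area included."""
        return needle in self.media


def remanence_demo(secret: bytes = b"PATIENT 0042 diagnosis: restricted") -> Dict[str, bool]:
    """Whether the secret is still recoverable after each disposal method."""
    results = {}
    d = Disk(); d.write("rec", secret); d.erase("rec")
    results["after_erase"] = d.raw_scan(secret)
    d = Disk(); d.write("rec", secret); d.clear("rec")
    results["after_clear_user_area"] = secret in d.media[:d.user_bytes]
    results["after_clear_spare_area"] = secret in d.media[d.user_bytes:]
    d.purge()
    results["after_purge"] = d.raw_scan(secret)
    return results


def crypto_erase_demo(secret: bytes = b"card 4111 1111 1111 1111") -> Tuple[bool, bool]:
    """Cryptographic erasure: store only ciphertext, hold the key elsewhere, then
    destroy the key. Returns (readable while the key exists, plaintext on media)."""
    d = Disk()
    key = b"constructed-key-held-outside-the-cloud"
    d.write("vault", keystream_xor(key, secret))
    readable = keystream_xor(key, d.read("vault")) == secret
    key = None  # key destroyed; the ciphertext left on the media is now unusable
    return readable, d.raw_scan(secret)
```

The interesting result is the clear step: the host sees an all-zero user area and reports success, while a raw read of the spare area still yields the record. That is why clearing is rated the least thorough option and why media leaving the organization gets purged or destroyed rather than overwritten.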
2.5. Ensure appropriate asset retention
2.5.1. Asset Retention
2.5.1.1 Life cycle of assets (systems, hardware, equipment and software)
•Requirements: Put forward requirements based on business development needs.
•Creation or acquisition: Carry out corresponding business activities after evaluation.
•Operation and maintenance: put into service and maintained.
•Replacement or retirement: the asset reaches the end of its useful life.
2.5.1.2 End of life (EOL, end of life)
Usually refers to the end of sales of the product.
2.5.1.3 End of support (EOS, end of support)
Usually refers to a product that no longer supports updates.
2.5.1.4 Asset retention records
There are two aspects to consider for record retention:
•Compliance requirements: Meet legal and regulatory requirements, considering that some data may still need to be used again at the end of the life cycle, such as audit or recovery scenarios.
•Internal requirements: Meet the needs and regulations within the organization; retaining assets without limit is not practical because the organization's funds are limited.
2.6. Determine data security controls and compliance requirements
2.6.1. Data status
2.6.1.1 Data at Rest
Definition: Data stored in the system that is not actively written, read, transmitted or otherwise processed.
Storage systems include databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices, etc.
Protection method:
•Access controls: for example, sensitive data requires multi-factor authentication.
• Encryption: for example, hardware encryption (TPM, etc.) or data encryption by encryption algorithm (AES, etc.)
2.6.1.2 Data in Transit
Definition: any data transmitted over a network, also known as data in motion or data in communication.
Protection method:
Use Transport Layer Security (TLS) or Virtual Private Network (VPN) to ensure that the transmission process cannot be intercepted, monitored, and decrypted.
2.6.1.3 Data in Use
Definition: Data in a temporary or ephemeral state characterized by the data being actively processed by the device's CPU and remaining in volatile or temporary storage, such as RAM.
Protection method: homomorphic encryption.
2.6.2. Tailoring and scoping
"Tailoring and scoping" is the process of adjusting and optimizing security controls in the information security management process based on the organization's specific needs, risk profile, and business environment.
2.6.2.1 Tailoring
Definition: Tailor the security control baseline based on the organization's risk assessment and best practices, and record relevant decisions.
NIST SP 800-53 best practices for tailoring:
1. Identify and specify common controls (Common Controls)
2. Scoping considerations
3. Select compensatory control measures
4. Assign security control parameters
5. Supplement baseline security controls
6. Provide additional normative information for implementation
2.6.2.2 Scoping
Definition: the process of removing from a broader standard the parts that do not apply or are not needed.
2.6.2.3 Common Controls
•Technical controls: firewall, IDS, DLP, PKI, network security monitoring, etc.
•Administrative controls: data protection policy, NDA, etc.
•Physical controls: physical access control, environmental control, etc.
2.6.2.4 Compensatory safety controls
Definition: Alternative or enhanced controls used when baseline controls may reduce or impede business operations or cause excessive costs.
Example: When security personnel are limited and segregation of duties cannot be achieved (more human resources are required), compensating controls could be increased collection and review of security logs.
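The tailoring steps of 2.6.2 (scoping out controls that do not apply, substituting a compensating control, assigning organization-defined parameters) with every decision written to a log, since the definition above stresses recording the decisions. This is an added Python example, not part of these notes or of NIST SP 800-53: the baseline, its `BL-` identifiers and the system profile are constructed placeholders, and the compensating control reuses the page's own example of log review standing in for separation of duties.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Control:
    cid: str
    title: str
    applies_when: Optional[str] = None   # system attribute that puts the control in scope
    parameter: Optional[str] = None      # organization-defined parameter, if any


# Constructed baseline; identifiers and titles are placeholders, not NIST control ids.
BASELINE = [
    Control("BL-01", "Access control policy and procedures"),
    Control("BL-02", "Wireless access restrictions", applies_when="wireless"),
    Control("BL-03", "Separation of duties for privileged operations"),
    Control("BL-04", "Session lock after inactivity", parameter="lock_after_minutes"),
    Control("BL-05", "Monitoring of remote access sessions", applies_when="remote_access"),
]


@dataclass
class SystemProfile:
    name: str
    attributes: Set[str]            # what the system actually has, e.g. {"remote_access"}
    parameters: Dict[str, str]      # parameter values assigned by the organization
    compensating: Dict[str, str]    # baseline control id -> alternative control and rationale


def tailor(baseline: List[Control], system: SystemProfile) -> Tuple[List[Control], List[str]]:
    """Scope, substitute, parameterize; return the tailored set and the decision log."""
    selected, log = [], []
    for c in baseline:
        if c.applies_when and c.applies_when not in system.attributes:
            log.append(f"{c.cid} scoped out: {system.name} has no {c.applies_when}")
            continue
        if c.cid in system.compensating:
            log.append(f"{c.cid} compensated: {system.compensating[c.cid]}")
            selected.append(Control(c.cid + "*", system.compensating[c.cid]))
            continue
        if c.parameter:
            value = system.parameters.get(c.parameter)
            if value is None:
                log.append(f"{c.cid} parameter {c.parameter} not assigned; owner decision required")
            else:
                log.append(f"{c.cid} parameter {c.parameter} = {value}")
                c = Control(c.cid, f"{c.title} [{c.parameter}={value}]", parameter=c.parameter)
        selected.append(c)
    return selected, log


# Constructed profile: a small team's file server, no wireless, remote admin access.
FILE_SERVER = SystemProfile(
    name="file-server",
    attributes={"remote_access"},
    parameters={"lock_after_minutes": "15"},
    compensating={"BL-03": "weekly independent review of privileged-activity logs "
                           "(team too small for separation of duties)"},
)

if __name__ == "__main__":
    controls, decisions = tailor(BASELINE, FILE_SERVER)
    print([c.cid for c in controls])
    print("\n".join(decisions))
```

A control whose parameter is missing stays selected and is flagged rather than silently dropped; the log is what an assessor reads to confirm that scoping decisions were deliberate and not just controls that fell off the list.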
2.6.3. Standard selection
One way to establish a baseline of security controls is to select an existing framework. A security framework is a collection of documented policies and procedures that determine how security is managed in an enterprise. In general, security frameworks focus less on specific controls and more on overall processes and best practices. It is appropriate to use a framework to establish security baselines to assess and improve an organization's ability to prevent, detect, and respond to cyberattacks.
When choosing an information asset protection standard, the most important concept to remember is balancing the value of information with the cost of protecting it. Relevant international or industry standards: ISO 27000 series, NIST SP 800-53, CIS, industry standards (PCI DSS, HIPAA, GDPR, etc.)
2.6.4. Data protection methods
2.6.4.1 DRM and IRM
Digital Rights Management (DRM) and Information Rights Management (IRM) are a set of technologies used to protect digital content and data. DRM focuses on preventing unauthorized access and copying of content, while IRM more broadly protects data from unauthorized access and modification.
The main functions:
•Restrict access to specific content
•Protect content using encryption technology
•Control data access and modification permissions
•Apply to various information forms such as files, emails, web pages, etc.
2.6.4.2 Data Loss Prevention (DLP)
Data loss prevention (DLP) is a set of technologies and practices used to protect sensitive data from being lost or accessed without authorization. DLP is mainly implemented in the following three stages:
1. Discovery and Classification: Find all data stored and classify it based on sensitivity and value.
2. Monitoring: Monitor data throughout its lifecycle to detect misuse or mishandling.
3. Enforcement: Take action on policy violations discovered during the monitoring phase.
2.6.4.3 Network DLP (NDLP)
Apply data protection policies to data in transit, typically implemented as an appliance deployed at the edge of an organization's network
2.6.4.4 Endpoint DLP (EDLP)
Apply protection policies to data at rest and in use by running software on each protected endpoint
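The monitoring and enforcement stages of 2.6.4.2, as an endpoint-style policy engine over tagged files. This is an added Python example, not part of these notes or of any DLP product: the event format, the internal domain, the sample events and the rule thresholds are constructed assumptions. It applies the rule from 2.2.1 that untagged data is handled at the highest level, blocks confidential data leaving the organization, requires encryption for private and sensitive data going outside, and allows public and proprietary data through.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

LABELS = ["public", "proprietary", "private", "sensitive", "confidential"]
RANK = {label: i for i, label in enumerate(LABELS)}
INTERNAL_DOMAINS = {"corp.example"}   # constructed: destinations inside the organization


@dataclass
class Event:
    user: str
    action: str             # "email", "upload" or "usb_copy"
    destination: str        # mailbox, host name or device id
    label: Optional[str]    # classification tag carried by the file, None if untagged
    encrypted: bool = False


def effective_label(label: Optional[str]) -> str:
    """Untagged data is handled at the highest level until someone classifies it."""
    return label if label in RANK else "confidential"


def is_external(ev: Event) -> bool:
    if ev.action == "usb_copy":
        return True
    return ev.destination.split("@")[-1] not in INTERNAL_DOMAINS


def decide(ev: Event) -> Tuple[str, str]:
    """Enforcement stage: map one monitored event to (action, reason)."""
    label = effective_label(ev.label)
    if not is_external(ev):
        return "allow", f"{label} data staying inside the organization"
    if RANK[label] >= RANK["confidential"]:
        return "block", f"{label} data may not leave the organization"
    if RANK[label] >= RANK["private"]:
        if not ev.encrypted:
            return "block", f"{label} data must be encrypted before external transfer"
        return "allow_and_alert", f"encrypted {label} data sent externally; flagged for review"
    return "allow", f"{label} data may be shared externally"


def enforce(events: List[Event]) -> List[str]:
    return [decide(ev)[0] for ev in events]


SAMPLE_EVENTS = [  # constructed monitoring events
    Event("alice", "email", "bob@corp.example", "confidential"),
    Event("alice", "upload", "share.example.net", "confidential"),
    Event("carol", "email", "partner@vendor.example", "sensitive"),
    Event("carol", "email", "partner@vendor.example", "sensitive", encrypted=True),
    Event("dave", "upload", "share.example.net", "public"),
    Event("dave", "usb_copy", "usb-0451", None),
    Event("erin", "email", "partner@vendor.example", "proprietary"),
]

if __name__ == "__main__":
    for ev, action in zip(SAMPLE_EVENTS, enforce(SAMPLE_EVENTS)):
        print(f"{ev.user:6} {ev.action:8} {ev.destination:24} {ev.label!s:13} -> {action}")
```

The untagged USB copy is the case worth noticing: the tag is the only thing the engine reads, so a file that never went through discovery and classification is treated as confidential, which is the safe failure mode for an EDLP agent.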
2.6.4.5 Cloud Access Security Broker (CASB)
Cloud Access Security Broker (CASB) is a software deployed between users and cloud computing resources, supporting local and cloud environment deployment.
The main functions:
•Monitor and secure access to cloud computing resources
•Supports local and cloud environment deployment
•Implement security policies
•Detect shadow IT
Key exercises
1. Angel Day is an information security architect at a bank. She is assigned to ensure that transactions are secure during network transmission. She recommends using TLS for all transactions. What threat is she most likely trying to prevent, and what method is she most likely to use to prevent it? A. Man-in-the-middle attack, VPN B. Packet injection, encryption C. Sniffing, encryption D. Sniffing, TEMPEST
C
2. Control Objectives for Information and Related Technology (COBIT) is a framework for the management and governance of information technology (IT). Which data management role is most likely to select and apply COBIT to balance security control needs with business needs? A. Business owners B. Data processors C. Data owners D. Data stewards
A
P155 Data owner: an executive with ultimate responsibility for the data. NIST SP 800-18 Rev. 1, "Guide for Developing Security Plans for Federal Information Systems", outlines the following responsibilities of information owners (in practice the same as data owners):
•Establish rules for the appropriate use and protection of the subject data/information (rules of behavior).
•Provide input to information system owners regarding the security requirements and security controls for the systems in which the information resides.
•Determine who has access to the information system and what types of privileges or access rights they have.
•Assist in identifying and evaluating common security controls for the environment in which the information resides.
Asset owner: NIST SP 800-18 outlines the following responsibilities of the system owner:
•Develop system security plans in collaboration with information owners, system administrators, and functional end users.
•Maintain the system security plan to ensure the system is deployed and operated in accordance with agreed security requirements.
•Ensure system users and support staff receive appropriate security training, such as rules-of-behavior guidance.
•Update the system security plan when significant changes occur.
•Assist in identifying, implementing and evaluating security controls.
Usually the system owner and the data owner are the same person, but sometimes they are not.
Business owner: in NIST SP 800-18 the project manager or information system owner; COBIT
3. Nadia's company is operating a hybrid cloud environment with some systems on-site and other systems in the cloud. She has satisfactory monitoring on site, but needs to apply security policies to all activities in which users engage and report anomalies to her growing number of cloud services. What type of tool is best suited for this purpose? A. Next Generation Firewall (NGFW) B. Cloud Access Security Broker (CASB) C. Intrusion detection system (IDS) D. Security Automation and Response Platform (SOAR)
B P152 Detect shadow IT, CASB monitors all data entering the cloud, and can copy all security policies within the organization to CASB
4. When media is labeled based on the classification of the data it contains, what are the rules that typically apply to labeling? A. Data is tagged based on its integrity requirements. B. Media is tagged based on the highest classification level of the data it contains. C. The classification level of all data contained in a media tag. D. The lowest classification level of data contained in a media tag.
B
5.Which of the following administrative processes helps organizations assign appropriate levels of security controls to sensitive information? A. Data classification B. Residual data (Remanence) C. Transmitting data D. Clearing
A
6. How does a data retention policy help reduce liability? A. Ensure that useless data does not need to be retained B. Ensure that criminal evidence data is destroyed C. Ensure data is securely erased to prevent recovery in the event of legal discovery D. Reduce legally required data storage costs
A
7. What data role do employees in the information technology (IT) department who are assigned day-to-day tasks play? A. Business owner B. User C. Data processing personnel D. Custodian
D P157 Data custodians: Typically IT department employees or system security administrators are custodians and can act as administrators who assign permissions to data
8. Helen's company uses a simple data lifecycle as shown in the diagram below. Which stage in their data lifecycle should come first? A. Data strategy creation B. Data Marking C.Data collection D.Data analysis
C
9. Ben has been assigned to identify security controls for systems covered by his organization's information classification system. Why should Ben choose to use a security baseline? A. It works in all situations and provides consistent security controls. B. They are approved by industry standards bodies to protect against liability. C. They provide a good starting point that can be adapted to organizational needs. D. They ensure that the system is always in a safe state.
C
10.Megan wishes to prepare media for reuse in an environment with the same sensitivity level. Which of the following options is best suited to meet her needs? A. Clearing B. Erasing C. Purging D. Sanitization
A
P147
•Erasing: a deletion operation; the actual data remains on the drive.
•Clearing: overwriting; data cannot be recovered using traditional recovery tools.
•Purging: prepares media for reuse in a less secure environment; data cannot be recovered; combined with degaussing, but is not always trusted.
•Degaussing: works on tapes and hard disks, but is useless for CDs, DVDs, etc. The hard disk can be replaced with a drive.
•Destruction: the last stage of the media life cycle and the safest method.
Order of thoroughness: erase, clear, purge.
11.Mikayla wants to identify data that already exists in the environment and should be classified. What type of tool is best for identifying Social Security numbers, credit card numbers, and similar common data formats? A. Manual search B. Sensitive Data Scanning Tools C. Asset metadata search tool D. Data Loss Prevention System DLP
B
12. What is a common problem with spare and bad sectors on hard drives and overprovisioned space on modern SSDs? A. They can be used to hide data. B. They can only be degaussed. C. They are not addressable, resulting in data retention. D. They may not have been cleared, resulting in data residue.
D
13. Naomi knows that commercial data is often classified according to different criteria than government data. Which of the following options is not a common standard for business data classification? A. Useful life B. Data value C. Impact on national security D.Regulations or legal requirements
C
For questions 14-16, refer to the following scenario: Your organization regularly processes three types of data: information shared with customers, information used for internal business, and trade secret information that provides the organization with a critical competitive advantage. Information shared with customers is used and stored on web servers, while internal business data and trade secret information are stored on internal file servers and employee workstations.
14. What is the term that best describes the data that resides in system memory? A. Data at rest B. Buffered data C. Data in use D. Data in motion
15. If your trade secret information was leaked or stolen and you needed to mark it for identification, what technology could you use? A. Classification B. Symmetric encryption C. Watermark D. Metadata
16. Which type of encryption is best used to protect proprietary data on file servers and when the data is transferred? A. TLS at rest and AES in motion B. AES at rest and TLS in motion C. VPN at rest and TLS in motion D. DES at rest and AES in motion
C
C
B
17. What does tagged data allow a DLP system to do? A.DLP systems can detect flags and apply appropriate protections based on rules. B.DLP systems can adjust tags based on changes in classification schemes. C. The DLP system can modify the tag to allow the requested action. D.DLP systems can delete unlabeled data.
P144 Original words in the book
18. Why is it cost-effective to purchase high-quality media to store sensitive data? A. Expensive media is less prone to failure. B. The value of data often far exceeds the cost of the media. C. Expensive media are easier to encrypt. D. More expensive media generally improves data integrity.
B
19. Chris is responsible for the company's workstations and knows that some of them are used to handle proprietary information and highly sensitive trade secrets. Which of the following best describes what should happen to the workstations he is responsible for at end of life (EOL)? A. Erasing B. Clearing C. Sanitization D. Destruction
D
20. Fred wants to classify his organization's data using common labels: private, sensitive, public, and proprietary. Based on common industry practice, which of the following labels should he apply to data at the highest classification level? A. Private B. Sensitive C. Public D. Proprietary
D P137 Government data classification: top secret, secret, confidential, unclassified. Non-government organizations: Confidential/Proprietary, Private, Sensitive, Public
21. Which scenario describes data at rest? A. Data in IPsec Tunnel B. Data in e-commerce transactions C. Data stored on hard drive D. Data stored in RAM
C
22. If you had to choose a security standard for a Windows 10 system that processes credit cards, which security standard would be the best choice? A. Microsoft's Windows 10 Security Baseline B. CIS Windows 10 Baseline C. PCI DSS D. NSA's Windows 10 Secure Host Baseline
C
23. CIS benchmarks are examples of which of the following practices? A. Conducting a risk assessment B. Implementing data tagging C. Correct system ownership D. Using a security baseline
D
24. What two processes are required to align a CIS benchmark with the organization's mission and specific IT systems? A. Scoping and selection B. Scoping and tailoring C. Baseline determination and tailoring D. Tailoring and selection
B
P158 Baseline process: 1. Tailoring and scoping 2. Selection of standards
25. How should you determine which controls from the baseline apply to a specific system or package? A. Consult the custodian of the data. B. Make selections based on the data classification of the data being stored or processed. C. Apply the same controls to all systems. D. Consult with the business owner supporting the system or data.
B
26. Henry's company operates in the EU and collects data about its customers. They send this data to third parties for analysis and provide reports to help companies make better business decisions. What is the best term to describe a third-party analytics firm? A. Data controller B. Data owner C. Data subject D. Data processor
D
27. The defense contractor that employs Selah recently closed a major research project and plans to reuse hundreds of thousands of dollars' worth of systems and data storage tapes used by the project for other purposes. When Selah digs into the company's internal processes, she discovers that she cannot reuse the tapes; the manual says they should be destroyed. Why can't Selah's employer save money by degaussing and reusing the tapes? A. Data persistence may be an issue. B. Data remanence is a problem. C. The tape may be affected by bit corruption. D. The data on the tape cannot be erased by degaussing.
B
28. What type of information is used to distinguish or trace the identity of an individual? A. Personally Identifiable Information (PII) B. Personal Health Information (PHI) C. Social Security Number (SSN) D. Secure Identity Information (SII)
A
29. For data at rest and data in transit, which of the following information security risks has the greatest impact on an organization's reputation? A. Incorrect classification B. Data breach C. Decryption D. Deliberate insider threats
B
30. In what state is data protected by full-disk encryption technologies like Microsoft's BitLocker? A. Data in transit B. Data at rest C. Unlabeled data D. Labeled data
B
31. Katie's company provides employees with mobile phones for work use and replaces them with new phones every two years. Which term best describes this practice when the phone itself is still usable and still receiving operating system updates? A. End of Life (EOL) B. Planned obsolescence C. End of Support (EOS) D. Equipment risk management
C
32. What is the main purpose of data classification? A. Quantify the cost of a data breach. B. Prioritize IT spending. C. Comply with the requirements of data breach notification laws. D. Determine the value of the data to the organization.
D
33. Which of the following concerns should Fred raise about the reuse of systems from his Top Secret project for the Secret project? A. Top Secret data may be mixed with Secret data, resulting in the need to relabel the system. B. The cost of the sanitization process may exceed the cost of purchasing new equipment. C. Data may be exposed during the sanitization process. D. The organization's DLP system may flag the new system due to differences in data labeling.
B
34. When classifying data, which of the following concerns should not be part of the decision-making process? A. Cost of classifying the data B. Sensitivity of the data C. Level of damage that may result from data exposure D. The value of the data to the organization
A
35. Which of the following methods is the least effective at removing data from media? A. Degaussing B. Purging C. Erasing D. Clearing
C
Please refer to the following scenario to answer questions 36-38: The internal policy of Amanda's employer uses the following requirements to protect HIPAA data at rest and in transit. 36. What encryption technology applies to HIPAA documents in transit? A. BitLocker B. DES C. TLS D. SSL 37. Amanda's employer asks her to classify patient X-ray data that carries internal patient identifiers but has no way to directly identify the patient. The company's data owner believes that exposure of the data may cause damage to the organization (but not particularly severe damage). How should Amanda classify the data? A. Public B. Sensitive C. Private D. Confidential 38. What technology could Amanda's employer implement to prevent confidential data from being emailed outside the organization? A. DLP (Data Loss Prevention) B. IDS (Intrusion Detection System) C. Firewall D. UDP
C
C
A
39. Jacob's organization applies the U.S. government's data classification system, which includes top secret, secret, confidential and unclassified (from most sensitive to least sensitive). Jacob encounters a system that combines confidential, secret and top secret data. How should it be classified? A. Top Secret B. Confidential C. Secret D. Mixed classification
A
40. Elle is planning the organization's asset retention efforts and wants to determine when the company will cease using assets. Which of the following events is typically the last event in a manufacturer's or software provider's life cycle? A. End of life B. End of support C. End of sale D. General availability
B
41. Amanda has been asked to ensure that her organization's control assessment procedures match the specific systems used by the company. Which of the following activities best fits this task? A. Asset management B. Compliance C. Scoping D. Tailoring
D
42. Chris is responsible for his organization's security standards and guides the selection and implementation of an appropriate security baseline for Windows PCs. How can Chris best ensure that the systems he is responsible for meet compliance requirements and that settings have been applied as required? A. Assign users to perform baseline compliance spot checks. B. Use Microsoft Group Policy. C. Create a startup script to apply the policy when the system starts. D. Regularly review baselines with data owners and system owners.
B
43. Frank is reviewing the company's data lifecycle and wants to put appropriate controls in place during the data collection phase. Which of the following ensures that the data subject consents to the processing of his or her data? A. Retention B. Consent C. Certification D. Remanence
B
44. As a database administrator, Amy's role within her organization includes technical implementation of data policies and standards, as well as managing data storage structures. Which of the following data roles would be the best fit for Amy's job? A. Data custodian B. Data owner C. Data processor D. Data user
A
45. Jim's company suffered a major data breach in the past year and now wants to ensure that it knows where its data is and can detect when data is being transferred, copied to a storage device, or placed on a network file share where it should not be. Which of the following solutions is suitable for marking, monitoring, and restricting file exports? A. Digital Rights Management (DRM) B. Data Loss Prevention (DLP) C. Network Intrusion Prevention Systems (network IPS) D. Antivirus
B
46. Which of the following security controls would provide additional protection in the event that a backup tape is stolen or lost? A. Keep multiple copies of the tapes. B. Replace the tape media with hard drives. C. Use appropriate security labels. D. Use AES-256 encryption.
D
47. Joe works for a large pharmaceutical research and development company and is responsible for writing the organization's data retention policy. As part of the legal requirements, the organization must comply with Title 21 of the U.S. Food and Drug Administration's Code of Federal Regulations. To meet the requirements, the organization must maintain records with electronic signatures. Why is a signature part of the retention requirement? A. It ensures that someone has reviewed the data. B. It provides confidentiality. C. It ensures that the data has been changed. D. It verifies who approved the data.
D
48. Susan wants to manage the lifecycle of her data based on retention rules. What technique can she use to ensure that data that has reached the end of its lifecycle can be identified and disposed of according to the organization's processes? A. Rotation B. Digital Rights Management (DRM) C. Data Loss Prevention (DLP) D. Tagging
D
49. Ben was asked to cleanse the data to remove data that is no longer needed by the organization. At what stage of the data life cycle is Ben most likely operating? A. Data retention B. Data maintenance C. Data remanence D. Data collection
B
50. Sove is concerned about the proprietary information often held by departing employees. Which measure is most effective in countering this threat? A. Sanitization B. Non-Disclosure Agreements (NDAs) C. Clearing D. Encryption
B
51. Alex works for a government agency subject to U.S. federal government data security requirements. To meet these requirements, Alex is assigned to ensure that data is identifiable based on its classification level when created. What should he do with the data? A. Classify the data. B. Encrypt the data. C. Label the data. D. Apply digital rights management (DRM) to the data.
C
52. Ben is following the National Institute of Standards and Technology (NIST) Special Publication 800-88, Guidelines for Media Sanitization, whose process is shown below. He is dealing with information that his organization classifies as sensitive, a medium security categorization in the NIST model. If the media is to be sold as surplus, which process does Ben need to follow? [Figure: NIST SP 800-88 sanitization and disposition decision flow by security categorization. Source: NIST SP 800-88.] A. Destroy, verify, record B. Clear, clear, record C. Clear, record, verify D. Clear, verify, record
D
53. What methods are commonly used to protect data during transmission? A. Telnet, ISDN, UDP B. BitLocker, FileVault C. AES, Serpent, IDEA D. TLS, VPN, IPsec
D
54. Which of the following data roles has ultimate organizational responsibility for data? A. System owner B. Business owner C. Data owner D. Mission owner
C
55. Shandra wants to protect an encryption key. In which of the following locations, where the key is kept and used, is it most difficult to protect? A. On the local network B. On the hard disk C. In memory D. On the public network
D
For questions 56 to 58, please consider the following scenario: Chris was recently hired by a new organization. Chris' organization uses the following classification process: 1. Set criteria for data classification. 2. Determine the data owner for each type of data. 3. Classify the data. 4. Select the required controls for each classification. 5. Select baseline security standards for the organization. 6. Scope and tailor the controls. 7. Apply and enforce the controls. 8. Assign and manage access rights. 56. If Chris is one of the organization's data owners, which steps of this process is he most likely to be responsible for? A. He is responsible for steps 3, 4 and 5. B. He is responsible for steps 1, 2 and 3. C. He is responsible for steps 5, 6 and 7. D. He is directly responsible for all steps. 57. Chris manages a team of system administrators. If they perform steps 6, 7, and 8 in the classification process, which data roles are they fulfilling? A. They are system owners and administrators. B. They are administrators and custodians. C. They are data owners and administrators. D. They are custodians and users. 58. If Chris' company operates in the EU and is contracted to process the data of a third party, what is the role of his company in classifying and processing the data using this process? A. Business owner B. Mission owner C. Data processor D. Data administrator
A
B
C
For questions 59-62, please refer to the following scenario: Chris was put in charge of his organization's IT service management efforts, and part of this job includes creating an inventory of tangible and intangible assets. As a security professional, you have been asked to provide security-related guidance to Chris on each of the following topics. Your goal is to provide Chris with the best answer for each question, knowing that in some cases more than one answer may be acceptable. 59. Chris needs to identify all active systems and devices on the network. Which of the following techniques will provide him with the most complete list of connected devices? A. Query Active Directory to obtain a list of all computer objects. B. Perform a port scan of all systems on the network. C. Require all employees to fill out a form listing all their systems and equipment. D. Use network logs to identify all connected devices and track them from there. 60. Chris knows that his list is only accurate at the moment it is completed. How can he best ensure that it stays up to date? A. Perform a one-time query for network-connected devices and update the list based on what is discovered. B. Ensure procurement and acquisition processes add new equipment to the inventory prior to deployment. C. Require each employee to provide an updated list of the equipment they are responsible for quarterly. D. Manually verify every device in every organization location annually. 61. Chris knows that his organization not only owns physical assets; in fact, his organization's business involves significant intellectual property assets, including designs and recipes. Chris still needs to choose an approach. How can he most effectively ensure that data across the organization can be identified and managed according to its classification or type? A. Keep track of file extensions for common data types. B. Ensure data is stored in specific network share locations based on the type of data and the groups using the data. C. Use metadata tags based on data type or security level. D. Automatically tag data based on file extension. 62. Chris is assigned to identify intangible assets and is required to provide his team with a list of the assets they will inventory. Which of the following is not an example of an intangible asset? A. Patent B. Database C. Recipe D. Employees
D
C
C
D
63. Which of the following is not a common requirement for data collection under data privacy laws and regulations? A. Collect only the data you need. B. Data should be obtained legally and through fair methods. C. Data may only be collected with the consent of the individual from whom the data is collected. D. Data should be collected equally from all individuals.
D
64. Susan's organization labels all removable media with the classification level of the data it contains, including media that holds only public data. Why does Susan's employer label all media and not just media holding data that could cause damage? A. It costs less to order all media pre-labeled. B. It prevents sensitive media from being labeled incorrectly. C. It prevents public media from being reused for sensitive data. D. Labeling of all media is a HIPAA requirement.
B
65. Data stored in RAM is best described as which type of data? A. Data at rest B. Data in use C. Data in transit D. Large-scale data
B
66. The verification portion of the NIST SP 800-88 sample sanitization certificate (shown below) is designed to help prevent which problem? A. Destruction B. Reuse C. Data remanence D. Ownership problems
C
67. Why is degaussing rarely chosen as an option for media reuse? A. Purging is sufficient for sensitive data. B. Wiping is the preferred data removal method. C. It is more expensive than new media and may still have problems. D. Clearing is required first.
C
68. Incineration, crushing, shredding, and pulverizing all describe which stage in the media life cycle? A. Sanitization B. Degaussing C. Purging D. Destruction
D
69. How should information such as prescriptions and X-rays be described? A. PHI B. Proprietary data C. PID D. PII
A
70. Why do organizations use unique screen backgrounds or designs on workstations that process data at different classification levels? A. To indicate the software version being used B. To promote company information C. To promote usability D. To represent the classification level of the data or system
D
71. What process is Charles required to follow in order to downgrade the media used to store private data? A. Degauss the drive and relabel it to a lower classification level. B. Shred the drive and then reclassify it based on the data it contains. C. Follow the organization's sanitization process, then downgrade and replace the labels. D. Change the label of the media and then follow the organization's purge process to ensure that the media matches the label.
C
72. According to NIST SP 800-18, which of the following tasks is not a task performed by the system owner? A. Develop a system security plan B. Establish rules for appropriate use and protection of data C. Identify and implement security controls D. Ensure system users receive appropriate security training
B
73. NIST SP 800-60 provides a process for evaluating information systems as shown in the following diagram. Which process does this diagram show? A. Select standards and implement them B. Categorization and control selection C. Baselining and control selection D. Categorization and removal
B
The following diagram illustrates two typical workstations and servers, their connections to each other and to the Internet. For questions 74-76, please refer to this diagram. [Figure: server and user workstation network diagram with points A through F] 74. In this diagram, which locations might contain data at rest? A. A, B and C B. C and E C. A and E D. B, D and F 75. How can the data at points B, D and F best be protected? A. AES-256 B. SSL C. TLS D. 3DES 76. How can files sent from workstation A to remote server E via an Internet service (C) best be protected? A. Use AES at rest at point A, and use TLS in transit through point B and port. B. Encrypt the data file and send it. C. Use 3DES and TLS to provide double security. D. Use full disk encryption at points A and E, and use SSL at points B and exit.
C
C
B
77. Susan is required to provide a minimum set of security requirements for email. What steps should she recommend the organization take to ensure email remains secure? A. All emails should be encrypted. B. All emails should be encrypted and tagged. C. Sensitive emails should be encrypted and tagged. D. Only highly sensitive emails should be encrypted.
C
78. How does a data retention policy reduce risk liability? A. By reducing the amount of storage used B. By limiting the number of data categories C. By reducing the amount of data that may need to be provided in litigation D. By reducing legal penalties for violations
C
79. What data role does a system used to process data play? A. Mission owner B. Data owner C. Data processor D. Data custodian
C
80. Which of the following is not considered personally identifiable information (PII) under U.S. federal government regulations? A. Name B. Social Security Number C. Student ID number D. Postal code
D
81. What type of health information is required to be protected by the Health Insurance Portability and Accountability Act (HIPAA)? A. Personally Identifiable Information (PII) B. Protected Health Information (PHI) C. Special Health Information (SHI) D. Highly Protected Health Information (HPHI)
B
82. Ian built a system that replaces data in database fields with consistent strings of random characters. What technique did he use? A. Data masking B. Tokenization C. Anonymization D. DES encryption
B P153 Tokenization: a random string (a token) replaces other data. Pseudonymization: GDPR defines it as the process of replacing data with artificial identifiers, such as a codename instead of a person's name. Anonymization: anonymized data no longer needs to comply with GDPR; random masking is an effective method of anonymization, and anonymization is irreversible.
83. Juanita's company processes credit cards and wants to choose an appropriate data security standard. Which data security standard is she most likely to use and adhere to? A. CC-Comply B. PCI-DSS C. GLBA D. GDPR
B
84. What is the best sanitization method for erasing a solid state drive (SSD)? A. Clearing B. Zero fill C. Disintegration D. Degaussing
C
For questions 85 through 87, please consider the following scenario: As shown in the security lifecycle diagram below (based on the NIST Reference Architecture), NIST uses a five-step process in risk management. Based on your understanding of data roles and practices, answer the following questions based on the NIST Framework process. 85. Which data roles are responsible for performing steps 1, 2 and 3, respectively? A. Data owner, system owner, data custodian B. Data processor, data custodian, user C. Business owner, administrator, data custodian D. System owner, business owner, administrator 86. If the systems being evaluated all handle credit card information (and no other sensitive data), at which step does PCI DSS first play an important role? A. Step 1 B. Step 2 C. Step 3 D. Step 4 87. Which data security role is primarily responsible for step 5? A. Data owner B. Data processor C. Data custodian D. User
A
B
88. Susan's organization wipes hard drives before sending them to a third-party facility for shredding. What problem is her organization trying to avoid? A. Data retention beyond the time defined in the policy B. Mishandling of the drive by the third party C. Classification error D. Data permanence
B
89. Mike wants to track hardware assets as the equipment and devices are moved within the organization. What type of system can accomplish this without requiring employees to check barcodes or serial numbers individually? A. Visual inventory B. WiFi MAC address tracking C. RFID tags D. Steganography
C
90. What is the practice of retaining and maintaining information as needed, until it is no longer needed, called? A. Data storage strategy B. Data storage C. Asset maintenance D. Record retention
D Pay attention to review questions
91. Which of the following activities does not need to be considered during the data classification process? A. Who can access the data B. What will be the impact if data is lost or compromised? C. Cost of creating data D. Data protection regulations that may be required
C
92. What type of encryption is typically used for data-at-rest storage? A. Asymmetric encryption B. Symmetric encryption C. DES D. OTP
B
93. Which data role is responsible for applying appropriate access rights to employees? A. Data processor B. Business owner C. Data custodian D. Administrator
D
94. Which element of asset security is typically determined by identifying the owner of the asset? A. It identifies the person or team responsible for protecting the asset. B. It provides contact information for law enforcement agencies in the event of a theft. C. It helps determine the value of the asset. D. It determines the security classification of the asset.
A
95. Fred is preparing to send backup tapes to a secure third-party storage facility. What step should Fred take before sending the tapes to this facility? A. Make sure that the tapes are handled in the same manner as the original media according to their classification. B. Increase the classification level of the tapes because they are leaving the company's control. C. Clear the tapes to ensure confidential data is not lost. D. Decrypt the tapes to prevent loss during transmission.
A
96. Which of the following does not describe data in transit? A. Data on backup tapes sent to a storage facility B. Data in TCP packets C. Data in e-commerce transactions D. Data in files copied between different locations
A
97. A new law has been passed that will cause significant financial harm to your company if data covered by the law is stolen or inadvertently disclosed. What should your organization do about this? A. Select a new security baseline. B. Reclassify the data. C. Encrypt all data at rest and in transit. D. Apply data classification and classify the data appropriately.
D
98. Which of the following data roles typically exist within a company rather than as a third-party contracting relationship? (Select all that apply.) A. Data owner B. Data controller C. Data custodian D. Data processor
ABC
99. Which classification of business data is most appropriate for data contained on a business website? A. Private B. Sensitive C. Public D. Proprietary
C
100. Match the following numbered data elements to the lettered categories. You can use each category once, multiple times, or not at all. If a data element fits more than one category, select the most specific category. Data elements: 1. Medical records 2. Trade secrets 3. Social Security Number 4. Driver's license number Categories: A. Proprietary data B. Protected Health Information C. Personally Identifiable Information
BACC
Summary
Data roles need to be mastered carefully; the responsibilities of each role and the work involved are easily confused.
Data states
Data classification
Data destruction methods
Security baselines
Practice more questions