CISSP Sybex Official Study Guide Chapter 5 Review Questions Flashcards

1
Q

Which one of the following identifies the primary purpose of information classification processes?

A. Define the requirements for protecting sensitive data.
B. Define the requirements for backing up data.
C. Define the requirements for storing data.
D. Define the requirements for transmitting data.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 190). Wiley. Kindle Edition.

A

A. Define the requirements for protecting sensitive data.

Explanation:
A primary purpose of information classification processes is to identify security classifications for sensitive data and define the requirements to protect sensitive data. Information classification processes will typically include requirements to protect sensitive data at rest (in backups and stored on media), but not requirements for backing up and storing all data. Similarly, information classification processes will typically include requirements to protect sensitive data in transit but not necessarily all data in transit.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 956). Wiley. Kindle Edition.

2
Q

When determining the classification of data, which one of the following is the most important consideration?

A. Processing system
B. Value
C. Storage media
D. Accessibility

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 190). Wiley. Kindle Edition.

A

B. Value

Explanation:
Data is classified based on its value to the organization. In some cases, it is classified based on the potential negative impact if unauthorized personnel can access it. It is not classified based on the processing system, but the processing system is classified based on the data it processes. Similarly, the storage media is classified based on the data classification, but the data is not classified based on where it is stored. Accessibility is affected by the classification, but the accessibility does not determine the classification. Personnel implement controls to limit accessibility of sensitive data.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 956). Wiley. Kindle Edition.

3
Q

Which of the following answers would not be included as sensitive data?

A. Personally identifiable information (PII)
B. Protected health information (PHI)
C. Proprietary data
D. Data posted on a website

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 190). Wiley. Kindle Edition.

A

D. Data posted on a website

Explanation:
Data posted on a website is not sensitive, but PII, PHI, and proprietary data are all sensitive data.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 956). Wiley. Kindle Edition.

4
Q

What is the most important aspect of marking media?

A. Date labeling
B. Content description
C. Electronic labeling
D. Classification

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 190). Wiley. Kindle Edition.

A

D. Classification

Explanation:
Classification is the most important aspect of marking media because it clearly identifies the value of the media and users know how to protect it based on the classification. Including information such as the date and a description of the content isn’t as important as marking the classification. Electronic labels or marks can be used, but they are applied to the files, not the media, and when they are used, it is still important to mark the media.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 956). Wiley. Kindle Edition.

5
Q

Which would an administrator do to classified media before reusing it in a less secure environment?

A. Erasing
B. Clearing
C. Purging
D. Overwriting

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 190). Wiley. Kindle Edition.

A

C. Purging

Explanation:
Purging media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. Purged media can then be reused in less secure environments. Erasing the media performs a delete, but the data remains and can easily be restored. Clearing, or overwriting, writes unclassified data over existing data, but some sophisticated forensics techniques may be able to recover the original data, so this method should not be used to reduce the classification of media.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 957). Wiley. Kindle Edition.

6
Q

Which of the following statements correctly identifies a problem with sanitization methods?

A. Methods are not available to remove data ensuring that unauthorized personnel cannot retrieve data.
B. Even fully incinerated media can offer extractable data.
C. Personnel can perform sanitization steps improperly.
D. Stored data is physically etched into the media.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 191). Wiley. Kindle Edition.

A

C. Personnel can perform sanitization steps improperly.

Explanation:
Sanitization can be unreliable because personnel can perform the purging, degaussing, or other processes improperly. When done properly, purged data is not recoverable using any known methods. Data cannot be retrieved from incinerated, or burned, media. Data is not physically etched into the media.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 957). Wiley. Kindle Edition.

7
Q

Which of the following choices is the most reliable method of destroying data on a solid state drive (SSD)?

A. Erasing
B. Degaussing
C. Deleting
D. Purging

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 191). Wiley. Kindle Edition.

A

D. Purging

Explanation:
Purging is the most reliable method of the given choices. Purging overwrites the media with random bits multiple times and includes additional steps to ensure that data is removed. While not an available answer choice, destruction of the drive is a more reliable method. Erasing or deleting processes rarely remove the data from media, but instead mark it for deletion. Solid state drives (SSDs) do not have magnetic flux, so degaussing an SSD doesn’t destroy data.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 957). Wiley. Kindle Edition.

8
Q

Which of the following is the most secure method of deleting data on a DVD?

A. Formatting
B. Deleting
C. Destruction
D. Degaussing

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 191). Wiley. Kindle Edition.

A

C. Destruction

Explanation:
Physical destruction is the most secure method of deleting data on optical media such as a DVD. Formatting and deleting processes rarely remove the data from any media. DVDs do not have magnetic flux, so degaussing a DVD doesn’t destroy data.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 957). Wiley. Kindle Edition.

9
Q

Which of the following does not erase data?

A. Clearing
B. Purging
C. Overwriting
D. Remanence

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 191). Wiley. Kindle Edition.

A

D. Remanence

Explanation:
Data remanence refers to data remnants that remain on a hard drive as residual magnetic flux. Clearing, purging, and overwriting are valid methods of erasing data.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 957). Wiley. Kindle Edition.
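
Questions 5 through 9 all turn on the difference between a plain delete ("erasing"), a clearing overwrite, and data remanence. The script below is an added example, not code from the study guide: it builds a toy block device with a directory table (entirely constructed here; nothing touches a real disk) and shows that `erase` only drops the directory entry, so a raw scan of the blocks still finds the secret, while `clear` overwrites the blocks first. The class and function names (`ToyDisk`, `forensic_scan`) and the sample secret are illustrative.

```python
"""Added example (not from the study guide): a toy block device showing why
'erasing' (deleting a directory entry) leaves data remanence, while clearing
(overwriting) removes it. Device, file system and secret are all constructed
in this file; no real disk is touched."""
import os
import re

BLOCK_SIZE = 16
NUM_BLOCKS = 64


class ToyDisk:
    """A flat byte array plus a directory mapping names to block ranges.
    This mimics the part of a real file system that matters for remanence:
    deleting a file drops the directory entry, not the data blocks."""

    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.directory = {}  # name -> (first_block, num_blocks)
        self._next_free = 0

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        start = self._next_free
        if start + needed > NUM_BLOCKS:
            raise OSError("disk full")
        offset = start * BLOCK_SIZE
        self.blocks[offset:offset + len(data)] = data
        self.directory[name] = (start, needed)
        self._next_free += needed

    def erase(self, name):
        """'Erase' in the study guide's sense: a plain delete that removes
        only the directory entry. The data blocks are untouched."""
        del self.directory[name]

    def clear(self, name, passes=1):
        """Clear: overwrite the file's blocks with random bytes, then drop
        the entry. The guide's 'purge' repeats the overwrite several times
        and adds verification; passes>1 models the repetition only."""
        start, count = self.directory[name]
        offset, length = start * BLOCK_SIZE, count * BLOCK_SIZE
        for _ in range(passes):
            self.blocks[offset:offset + length] = os.urandom(length)
        del self.directory[name]

    def forensic_scan(self, pattern):
        """What a recovery tool does: ignore the directory and search the raw
        blocks. Returns the byte offsets where the pattern still appears."""
        return [m.start() for m in re.finditer(re.escape(pattern), bytes(self.blocks))]


def demo_erase_vs_clear():
    """Return (offsets_after_erase, offsets_after_clear) for a constructed secret."""
    secret = b"SSN=123-45-6789"  # constructed sample data

    disk = ToyDisk()
    disk.write_file("payroll.txt", secret)
    disk.erase("payroll.txt")
    after_erase = disk.forensic_scan(secret)

    disk2 = ToyDisk()
    disk2.write_file("payroll.txt", secret)
    disk2.clear("payroll.txt", passes=3)
    after_clear = disk2.forensic_scan(secret)
    return after_erase, after_clear


if __name__ == "__main__":
    erased, cleared = demo_erase_vs_clear()
    print("after erase, secret found at offsets:", erased)   # [0]
    print("after clear, secret found at offsets:", cleared)  # []
```

Two things the simulation cannot show, both of which the questions above rely on: the guide's position is that a single clearing pass on magnetic media may still leave traces that sophisticated forensic techniques can exploit, which is why only purging is accepted for lowering a medium's classification; and on an SSD the controller's wear leveling means a host-level overwrite is not guaranteed to reach every flash cell, which is why question 7 treats physical destruction as the more reliable method.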

10
Q

Which one of the following is based on Blowfish and helps protect against rainbow table attacks?

A. 3DES
B. AES
C. Bcrypt
D. SCP

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 191). Wiley. Kindle Edition.

A

C. Bcrypt

Explanation:
Some Linux and BSD systems use bcrypt to hash passwords, and bcrypt is based on Blowfish. Bcrypt generates a random 128-bit salt for each password and stores it with the hash, so identical passwords produce different hashes and a precomputed rainbow table cannot be reused against them. Advanced Encryption Standard (AES) and Triple DES (3DES) are separate symmetric encryption algorithms; neither is based on Blowfish or directly related to protecting against rainbow table attacks. Secure Copy (SCP) uses Secure Shell (SSH) to encrypt data transmitted over a network.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 957). Wiley. Kindle Edition.
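
An added example, not from the study guide, showing why the per-user salt is what defeats a precomputed rainbow table. bcrypt is not in Python's standard library, so the salted scheme here uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in; the 16-byte (128-bit) random salt and the store-the-salt-with-the-hash layout are the same idea bcrypt implements. The wordlist, the user passwords and the `pbkdf2$...` storage format are constructed for the demonstration.

```python
"""Added example (not from the study guide): a per-user salt versus a
precomputed (rainbow) table. PBKDF2-HMAC-SHA256 stands in for bcrypt, which
is not in the standard library; the salt handling is what bcrypt also does."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # work factor; bcrypt's equivalent is its cost parameter


def unsalted_hash(password: str) -> str:
    """The weak scheme a rainbow table targets: same input, same output."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_rainbow_table(candidates):
    """A precomputed table is just hash -> plaintext for likely passwords.
    Real tables use chains to save space; a dict shows the same attack."""
    return {unsalted_hash(p): p for p in candidates}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2$<iterations>$<salt-hex>$<digest-hex>' (constructed
    format). A fresh 16-byte (128-bit) random salt is drawn per call."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo():
    """Two users pick the same weak password; compare the two schemes."""
    common = ["password", "123456", "letmein", "qwerty"]  # constructed wordlist
    table = build_rainbow_table(common)

    alice_unsalted = unsalted_hash("letmein")
    bob_unsalted = unsalted_hash("letmein")
    cracked_unsalted = table.get(alice_unsalted)  # 'letmein': the table works

    alice_salted = hash_password("letmein")
    bob_salted = hash_password("letmein")
    # The table was built over unsalted SHA-256; a salted digest is not in it.
    cracked_salted = table.get(alice_salted.split("$")[-1])

    return {
        "unsalted_hashes_equal": alice_unsalted == bob_unsalted,
        "unsalted_cracked": cracked_unsalted,
        "salted_hashes_equal": alice_salted == bob_salted,
        "salted_cracked": cracked_salted,
        "alice_verifies": verify_password("letmein", alice_salted),
        "wrong_password_verifies": verify_password("letmeout", alice_salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is not secret; it is stored next to the digest. Its job is to make every stored hash unique, so an attacker must run the slow hash once per guess per user instead of once per guess for everyone, and cannot reuse a table built before seeing the database.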

11
Q

Which one of the following would administrators use to connect to a remote server securely for administration?

A. Telnet
B. Secure File Transfer Protocol (SFTP)
C. Secure Copy (SCP)
D. Secure Shell (SSH)

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 191). Wiley. Kindle Edition.

A

D. Secure Shell (SSH)

Explanation:
SSH is a secure method of connecting to remote servers over a network because it encrypts data transmitted over a network. In contrast, Telnet transmits data, including credentials, in cleartext. SFTP and SCP both run over SSH and are good methods for transferring sensitive files over a network, but they provide file transfer rather than the interactive shell session needed for administration.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 957). Wiley. Kindle Edition.

12
Q

Which one of the following tasks would a custodian most likely perform?

A. Access the data
B. Classify the data
C. Assign permissions to the data
D. Back up data

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 191). Wiley. Kindle Edition.

A

D. Back up data

Explanation:
A data custodian performs day-to-day tasks to protect the integrity and security of data, and this includes backing it up. Users access the data. Owners classify the data. Administrators assign permissions to the data.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 957). Wiley. Kindle Edition.

13
Q

Which one of the following data roles is most likely to assign permissions to grant users access to data?

A. Administrator
B. Custodian
C. Owner
D. User

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 192). Wiley. Kindle Edition.

A

A. Administrator

Explanation:
The administrator assigns permissions based on the principles of least privilege and need to know. A custodian protects the integrity and security of the data. Owners have ultimate responsibility for the data and ensure that it is classified properly, and owners provide guidance to administrators on who can have access, but owners do not assign permissions. Users simply access the data.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 957). Wiley. Kindle Edition.

14
Q

Which of the following best defines “rules of behavior” established by a data owner?

A. Ensuring that users are granted access to only what they need
B. Determining who has access to a system
C. Identifying appropriate use and protection of data
D. Applying security controls to a system

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 192). Wiley. Kindle Edition.

A

C. Identifying appropriate use and protection of data

Explanation:
The rules of behavior identify the rules for appropriate use and protection of data. Least privilege ensures that users are granted access to only what they need. A data owner determines who has access to a system, but that is not rules of behavior. Rules of behavior apply to users, not systems or security controls.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 957). Wiley. Kindle Edition.

15
Q

Within the context of the EU GDPR, what is a data processor?

A. The entity that processes personal data on behalf of the data controller
B. The entity that controls processing of data
C. The computing system that processes data
D. The network that processes data

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 192). Wiley. Kindle Edition.

A

A. The entity that processes personal data on behalf of the data controller

Explanation:
The European Union (EU) General Data Protection Regulation (GDPR) defines a data processor as “a natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller.” The data controller is the entity that determines the purposes and means of processing and directs the data processor. Within the context of the EU GDPR, the data processor is an organization or person, not a computing system or network.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 958). Wiley. Kindle Edition.

16
Q

Your organization has a large database of customer data. To comply with the EU GDPR, administrators plan to use pseudonymization. Which of the following best describes pseudonymization?

A. The process of replacing some data with another identifier
B. The process of removing all personal data
C. The process of encrypting data
D. The process of storing data

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 192). Wiley. Kindle Edition.

A

A. The process of replacing some data with another identifier

Explanation:
Pseudonymization is the process of replacing some data with an identifier, such as a pseudonym. This makes it more difficult to identify an individual from the data. Removing personal data without using an identifier is closer to anonymization. Encrypting data is a logical alternative to pseudonymization because it makes it difficult to view the data. Data should be stored in such a way that it is protected against any type of loss, but this is unrelated to pseudonymization.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 958). Wiley. Kindle Edition.
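
An added example, not from the study guide, of what pseudonymization looks like in practice for a customer table, and how it differs from anonymization. The records, the key and the field names are constructed for the demonstration; the keyed-HMAC token scheme is one common design, not something the GDPR prescribes.

```python
"""Added example (not from the study guide): pseudonymizing a customer table
in the GDPR sense. Direct identifiers are replaced with a keyed pseudonym;
the key and the lookup table are the 'additional information' that must be
kept separately, because whoever holds them can re-identify the records.
Customer records, key and field names are all constructed here."""
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("name", "email")


def make_pseudonym(key: bytes, value: str) -> str:
    """Deterministic, keyed pseudonym: the same customer always maps to the
    same token (so records can still be joined), but without the key the
    token cannot be reversed or regenerated from a guessed e-mail address."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Return (pseudonymized_records, lookup). The lookup maps token -> original
    identifiers; it is the re-identification data to be stored separately and
    under stricter access controls than the working table."""
    out, lookup = [], {}
    for rec in records:
        token = make_pseudonym(key, rec["email"])
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        new_rec = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        new_rec["customer_token"] = token
        out.append(new_rec)
    return out, lookup


def reidentify(pseudonymized, lookup):
    """Reverse the process using the lookup table. That this is possible is
    exactly why the result counts as pseudonymized, not anonymized."""
    restored = []
    for rec in pseudonymized:
        data = {k: v for k, v in rec.items() if k != "customer_token"}
        data.update(lookup[rec["customer_token"]])
        restored.append(data)
    return restored


def anonymize(records):
    """Contrast: drop the direct identifiers and keep no lookup. Nothing is
    retained that maps a record back to a person, so it is not reversible
    (subject to the usual caveat that remaining fields may still single
    someone out if they are rare enough)."""
    return [{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS} for rec in records]


CUSTOMERS = [  # constructed sample; the first and last rows are the same person
    {"name": "Ada Example", "email": "ada@example.org", "country": "IE", "plan": "pro"},
    {"name": "Bo Sample", "email": "Bo@Example.org", "country": "DE", "plan": "free"},
    {"name": "Ada Example", "email": "ada@example.org", "country": "IE", "plan": "pro"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept apart from the pseudonymized table
    pseudo, lookup = pseudonymize(CUSTOMERS, key)
    for rec in pseudo:
        print(rec)
    print("round trip ok:", reidentify(pseudo, lookup) == CUSTOMERS)
```

The key and `lookup` are the additional information that GDPR Article 4(5) requires to be kept separately and protected by technical and organisational measures; anyone holding them can run `reidentify`, so the pseudonymized table is still personal data and still in scope. `anonymize` retains no such information, which is the distinction the explanation above draws between the two terms.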

17
Q

An organization is implementing a preselected baseline of security controls, but finds that some of the controls aren’t relevant to their needs. What should they do?

A. Implement all the controls anyway.
B. Identify another baseline.
C. Re-create a baseline.
D. Tailor the baseline to their needs.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 192). Wiley. Kindle Edition.

A

D. Tailor the baseline to their needs.

Explanation:
Scoping and tailoring processes allow an organization to tailor security baselines to its needs. There is no need to implement security controls that do not apply, and it is not necessary to identify or re-create a different baseline.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 958). Wiley. Kindle Edition.

18
Q

Refer to the following scenario when answering questions 18 through 20. An organization has a datacenter that processes highly sensitive information and is staffed 24 hours a day. The datacenter includes email servers, and administrators purge email older than six months to comply with the organization’s security policy.
Access to the datacenter is controlled, and all systems that process sensitive information are marked. Administrators routinely back up data processed in the datacenter. They keep a copy of the backups on site and send an unmarked copy to one of the company warehouses. Warehouse workers organize the media by date, and they have backups from the last 20 years. Employees work at the warehouse during the day and lock it when they leave at night and over the weekends. Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later, copies of their data, including sensitive emails from years ago, began appearing on internet sites, exposing the organization’s internal sensitive data.

Of the following choices, what would have prevented this loss without sacrificing security?

A. Mark the media kept offsite.
B. Don’t store data offsite.
C. Destroy the backups offsite.
D. Use a secure offsite storage facility.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 193). Wiley. Kindle Edition.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (pp. 192-193). Wiley. Kindle Edition.

A

D. Use a secure offsite storage facility.

Explanation:
Backup media should be protected with the same level of protection afforded the data it contains, and using a secure offsite storage facility would ensure this. The media should be marked, but that won’t protect it if it is stored in an unstaffed warehouse. A copy of backups should be stored offsite to ensure availability if a catastrophe affects the primary location. If copies of data are not stored offsite, or offsite backups are destroyed, security is sacrificed by risking availability.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 958). Wiley. Kindle Edition.

19
Q

Which of the following administrator actions might have prevented this incident?

A. Mark the tapes before sending them to the warehouse.
B. Purge the tapes before backing up data to them.
C. Degauss the tapes before backing up data to them.
D. Add the tapes to an asset management database.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 193). Wiley. Kindle Edition.

A

A. Mark the tapes before sending them to the warehouse.

Explanation:
If the tapes were marked before they left the datacenter, employees would recognize their value and it is more likely someone would challenge their storage in an unstaffed warehouse. Purging or degaussing the tapes before using them will erase previously held data but won’t help if sensitive information is backed up to the tapes after they are purged or degaussed. Adding the tapes to an asset management database will help track them but wouldn’t prevent this incident.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 958). Wiley. Kindle Edition.

20
Q

Of the following choices, what policy was not followed regarding the backup media?

A. Media destruction
B. Record retention
C. Configuration management
D. Versioning

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 193). Wiley. Kindle Edition.

A

B. Record retention

Explanation:
Personnel did not follow the record retention policy. The scenario states that administrators purge onsite email older than six months to comply with the organization’s security policy, but offsite backups included backups for the last 20 years. Personnel should follow media destruction policies when the organization no longer needs the media, but the issue here is the data on the tapes. Configuration management ensures that systems are configured correctly using a baseline, but this does not apply to backup media. Versioning is applied to applications, not backup tapes.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 958). Wiley. Kindle Edition.