Domain 2 Flashcards
Accountability
Accountability ensures that account management has assurance that only authorized users are accessing the system and using it properly.
Asset
Anything of value that is owned by an organization. Assets include both tangible items such as information systems and physical property and intangible assets such as intellectual property.
Asset Lifecycle
The phases that an asset goes through from creation (collection) to destruction.
Baseline
A documented, lowest level of security configuration allowed by a standard or organization.
Categorization
The process of grouping sets of data, information or knowledge that have comparable sensitivities (impact or loss ratings), and have similar security needs mandated by law, contracts or other compliance regimes.
Classification
The process of recognizing the impacts to the organization if its information suffers any security compromise—to its confidentiality-, integrity-, availability-, non-repudiation-, authenticity-, privacy- or safety-related characteristics. Classifications are derived from the compliance mandates the organization must operate within, whether these be law, regulation, contract-specified standards or other business expectations.
Clearing
The removal of sensitive data from storage devices in such a way that there is assurance the data may not be reconstructed using normal system functions or software recovery utilities.
Data Custodian, Custodian
The individual who manages permissions and access on a day-to-day basis based on instructions from the data owner. Responsible for protecting an asset that has value, while in the custodian’s possession.
Defensible Destruction
Eliminating data in a controlled, legally defensible and regulatory-compliant way.
Inventory
Complete list of items.
Purging
The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique.
Qualitative
Measuring something without using numbers, using adjectives, scales or grades.
Quantitative
Using numbers to measure something, usually monetary values.
Recovery
The process of jointly addressing business resiliency and restoration of critical infrastructure and functionality after a disruption.
Responsibility
Obligation for doing something. Can be delegated.