Domain 2: Classifying Data

Question 1

Unauthorized disclosure could cause exceptionally grave damage to national security
Classification label

Answer 1

Top Secret

Question 2

Unauthorized disclosure could cause serious damage to national security

Answer 2

Secret

Question 3

Unauthorized disclosure could cause damage to national security

Answer 3

Confidential

Question 4

A formal determination of whether a user can be trusted with a specific level of information

Answer 4

Clearance

Question 5

A document approved from the data owner that outlines all the rules and requirements for accessing data, as well as the consequences should the data become lost, destroyed or compromised.

Answer 5

Formal Access Approval

Question 6

Sensitive info should not persist beyond a certain period or legal requirement, as this needlessly exposes the data to threats of disclosure when in fact the data is no longer needed.

Answer 6

Retention

Question 7

AKA senior management creates the InfoSec program and ensures it is properly staffed and funded

Answer 7

Business or Mission Owners

Question 8

• Manager who is ultimately responsible for the data of an organization i.e. CEO, president, dept. head
• They determine data sensitivity labels and frequency of data backup

Answer 8

Data Owners

Question 9

• Manager responsible for the actual computer that houses the data.
• Typically the same person as the data owner, but this can be delegated to someone else

Answer 9

Asset Owner or (System Owner)

Question 10

Responsible for granting appropriate access to personnel.

Answer 10

Administrators

Question 11

• Personal that provides day-to-day tasks relating to the handling the data
• i.e. perform data backups, patch systems, configure antivirus, etc.
• i.e. personal in the IT dept. or the security admin.

Answer 11

Custodian

Question 12

• Users that create and manage sensitive data within an organization
• i.e. Human Resources

Answer 12

Data Controllers

Question 13

• Manages data on behalf of data controllers

- i.e. outsource payroll company (Paycom)

Answer 13

Data Processors

Question 14

• Created in 1980’s by the DoD to impose security standards for computers the gov purchased and used
• Orange book of the rainbow series
• Replaced by International Common Criteria

Answer 14

Trusted Computer System Evaluation Criteria (TCSEC)

Question 15

What are TCSEC categories?

Answer 15

Category A Verified protection (Highest level of protection)
Category B Mandatory protection
Category C Discretionary protection
Category D Minimal protection

Question 16

• Trusted Computer System Evaluation Criteria (TCSEC) category
• In the development cycle for systems each phase is documented, evaluated, and verified before moving to the next step

Answer 16

Category A Verified protection (Highest level of protection)

Question 17

• Trusted Computer System Evaluation Criteria (TCSEC) category
• More granularity of control is mandated
• Used to allow very limited sets of subjects/objects

Answer 17

Category B Mandatory protection

Question 18

• Trusted Computer System Evaluation Criteria (TCSEC) category
• Systems in this category do provide some security controls but are lacking more sophisticated and stringent controls that address specific needs for secure systems

Answer 18

Category C Discretionary protection

Question 19

• Trusted Computer System Evaluation Criteria (TCSEC) category
• Reserved for systems that have been evaluated but do not meet requirements to belong to any other category

Answer 19

Category D Minimal protection

Question 20

• Part of the rainbow series
• Gov standards relating to networking
• Now outdated

Answer 20

Red Book

Question 21

• Part of the rainbow series
• Gov standards relating to password creation and management
• Now outdated

Answer 21

Green Book

Question 22

• Users must have a security clearance and access approval that permits all info processed by the system
• A valid need to know only for the info they will access on the system

Answer 22

System high mode

Question 23

• Users must have a security clearance, access approval, and a valid need to know for all info processed by the system
• All users on the system can access all the data on the system
• Enforced by admin personnel who physically limit access to the system

Answer 23

Dedicated mode

Question 24

• Users must have a security clearance for all info processed by the system
• Access approval and a valid need to know only for info they will access on the system, (not for all the info processed by the system)

Answer 24

Compartmented mode

Question 25

• Users must have a security clearance, access approval, and a valid need to know that permits only the info they will access on the system
• Do not need these things for all the info processed by the system
• Enforced primarily by hardware or software on a system

Answer 25

Multilevel mode

Question 26

• Component of TCSEC
• System components that were designed to adhere to and enforce the security policy of the system as a whole
• i.e. OS kernel and the supporting programs that configure file ownership and permissions

Answer 26

Trusted Computer Base (TCB)

Question 27

• Data that is for internal use or for office use only

- Used to protected info that could violate the privacy rights of individuals

Answer 27

Sensitive but Unclassified

Question 28

Unauthorized disclosure does not compromise confidentiality or cause any noticeable damage

Answer 28

Unclassified

Question 29

• Private sector classification level

- Proprietary data if disclosed could have drastic effects on the competitive edge of an organization

Answer 29

Confidential

Question 30

• Private sector classification level
• Data related to individuals of a company and intended for internal use only
• i.e. medical data

Answer 30

Private

Question 31

• Private sector classification level

- Data that could have a negative impact if disclosed

Answer 31

Sensitive

Question 32

• Private sector classification level

- Disclosure does not have a serious impact on the organization

Answer 32

Public

Question 33

• The imaginary boundary that separates the TCB from the rest of the system
• TCB components communicate with non-TCB components using trusted paths

Answer 33

Security perimeter

Question 34

In order to implement a classification scheme, list the 7 steps you must perform:

Answer 34

1. Identify the custodian, and define their responsibilities.
2. Specify the evaluation criteria of how the information will be classified and labeled.
3. Classify and label each resource. (The owner conducts this step, but a supervisor should review it.)
4. Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria.
5. Select the security controls that will be applied to each classification level
6. Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity.
7. Create an enterprise-wide awareness program to instruct all personnel about the classification system.

Question 35

• Defined a list of security controls based on industry best practices
• Provided centralization of security controls across different organizational departments (i.e. facilities, IT, HR, etc)
• First international standard used for developing an org internal security program

Answer 35

British Standard (BS)7799

Question 36

• Based on BS7799
• Defines general requirement for setting up an information security management system
• Typically used to as a basis for certification by an accredited third-party
• List of security controls based on industry best practices

Answer 36

ISO 27001

Question 37

• Based on BS7799
• Goes into more detail on the specifics of information security controls
• Provides industry specific general security guidelines (i.e. financial services, healthcare, etc…)
• Focuses on security governance

Answer 37

ISO 27002

Question 38

ISO guidelines for information security management system for organizations in the healthcare industry

Answer 38

ISO 27799

Question 39

ISO guidelines for information security management system for organizations in the financial industry

Answer 39

ISO 27015