Chapter 5

Question 1

Any data that isn’t public or unclassified

Answer 1

Sensitive Data

Question 2

information that can identify an individual

Answer 2

PII

Question 3

any health-related information that can be related to a specific person

Answer 3

PHI

Question 4

data that helps an organization maintain a competetive edge

ie software code, trade secrets, intellectual property

Answer 4

Proprietary Data

Question 5

disclosure would cause exceptionally grave damage to national security

Answer 5

top secret

Question 6

disclosure would cause serious damage to national security

Answer 6

secret

Question 7

disclosure would cause damage to national security

Answer 7

confidential

Question 8

NGO classification for exceptionally grave damage

Answer 8

Confidential/Proprietary

Question 9

NGO classification for serious damage

Answer 9

Private

Question 10

NGO classification for damage

Answer 10

Sensitive

Question 11

NGO classification for no damage

Answer 11

Public

Question 12

data stored on media

Answer 12

Data at Rest

Question 13

What kind of encryption protects data at rest?

Answer 13

Strong, symmetric encryption

Question 14

data transmitted over a network

Answer 14

data in transit

Question 15

what kind of encryption protects data in transit?

Answer 15

a combination of symmetric and asymmetric encryption

Question 16

data in memory or temporary storage buffers

Answer 16

Data in Use

Question 17

what kind of encryption protects data in use?

Answer 17

usually unencrypted (o.o)

sometimes homomoprhic encryption

Question 18

what is the best way to protect confidentiality of data?

Answer 18

strong encryption paired with strong authentication and authorization controls.

Question 19

person filling this role ensures that the organization is conducting all business activities by following the laws and regulations that apply to the organization

Answer 19

compliance officer

Question 20

Security administrators use the _____ defined in the security police to identify security ______.

Answer 20

requirements
security controls

Question 21

DLP

Answer 21

Data Loss Prevention

Question 22

event in which an unauthorized entity can view or access sensitive data

Answer 22

data breach

Question 23

ongoing efforts to organize and care for data throughout its lifetime

Answer 23

data maintenance

Question 24

What does this describe?

One network process unclassified data only. Another network processes classified data only. The two networks never physically touch each other.

Answer 24

Air Gap - a physical security control

Question 25

How can data be transferred between air gapped networks?

Answer 25

Manually
USB
unidirectional network bridge (data can only move from unclass to class network)
technical guard solution - combo of hardware and software that requires data to be appropriately marked

Question 26

systems that attempt to detect and block data exfiltration attempts
can scan unencrypted data and look for keywords or patterns

Answer 26

DLP

Question 27

two primary types of DLP

Answer 27

Network and Endpoint

Question 28

which type of DLP is looks at data leaving an organization on an edge device?

Answer 28

Network

Question 29

which type of DLP can detect users copying data to a USB or sending to a printer?

Answer 29

Endpoint

Question 30

what is a risk of logging/storing data?

Answer 30

Loosing the data or data breaches. Only store what is necessary for business purposes or what is required by law/regulation. (limit data collection)

Question 31

Where is the best practice location for backups?

Answer 31

One copy on site and another copy offsite.

Question 32

physical security measures for sensitive data storage:

Answer 32

locks
multiple layers of physical security (guards, badged entry)
environmental controls

Question 33

data that remains on media after it was supposedly erased

Answer 33

data remanence

Question 34

If a user was working on a top secret file a moment ago and then creates a small unclassified file, the small file might contain top secret data pulled from memory.

what security control would prevent this?

Answer 34

Do not process classified data on unclass systems

Question 35

what generates a heavy magnetic field, which realigns the magfields in media such as traditional hard drives, magentic tape, and floppy disk drives?

(uses magents to completely remove data remanence)

Answer 35

degauser

Question 36

what is the best method of sanitizing SSDs?

Answer 36

destruction - shred to 2 mm or less

Question 37

performing a delete operation against media - usually only removes the directory link to the data.

Answer 37

erasing

Question 38

preparing media for reuse and ensuring that the cleared data cannot be recovered

Answer 38

clearing/overwriting

Question 39

3 steps of a common clearing protocol

Answer 39

1. a character (110)
2. its complement (001)
3. random bits

Question 40

intense form of clearing for reusing media in less secure environments - data is not recoverable using any known methods

Answer 40

purging

Question 41

uses magnets to erase data on traditional media

Answer 41

degaussing

Question 42

final stage in lifecycle of media and most secure method of sanitizing data

Answer 42

destruction

Question 43

any process that purges media or a system in preparation for reuse in an unclassified environment

Answer 43

declassification

Question 44

declassification vs destruction

Answer 44

purchasing new media is often less expensive that declassification methods so most organizations opt to destroy media when it is no longer needed.

Question 45

destroying the encryption key, or both encryption and decryption keys

Answer 45

cryptographic erasure - could possibly be decrypted so is often paired with a method to overwrite the data

Question 46

what can organizations do to data stored in the cloud?

Answer 46

encryption erasure is often the only option

Question 47

retaining and maintaining important information while it is needed and destroying it when it is no longer needed

Answer 47

record retention

Question 48

solutions that provide copyright protection for copyrighted works

Answer 48

DRM (Digital rights management)

Question 49

a license that grants access to a product with terms of use

Answer 49

DRM license

Question 50

over the internet, system periodically connects with an authentication server, and if the connection or authentication fails, DRM blocks use of the product

Answer 50

Persistent Online Authentication (always-on DRM)

Question 51

detects abuse, such as concurrent use of a product simultaneously but in two geographically different locations (Hulu, anyone?)

Answer 51

Continuous Audit Trail

Question 52

products are sold on a subscription basis and access is blocked if monthly bill is not paid

Answer 52

Automatic Expiration

Question 53

software placed logically between users and cloud-based resources that monitors all activity and enforces admin-defined security policies

Answer 53

Cloud Access Security Broker (CASB)

Question 54

the use of IT resources without the approval of the IT department

Like Mr. Armstrong using Google Drive to ask us how we feel about each other.

Answer 54

Shadow IT

Question 55

using pseudonyms to represent other PII data (can result in less stringent requirements that would apply under the GDPR)

ie using a patient number instead of a name on medical records

Answer 55

pseudonymization

Question 56

use of a random string of characters to replace other data (often used with credit card transactions)

Answer 56

tokenization. the string is the token.

Question 57

4 steps of tokenization

Answer 57

1. Registration
2. Usage
3. Validation
4. Completing the Sale

Question 58

creating a token and recording it along with the encrypted credit card number, associated with a phone number

Answer 58

registration

Question 59

processor sends token to tokenization vault, which answers with unencrypted credit card data and the charge is processed

Answer 59

validation

Question 60

processor sends a reply to the POS system and credits the seller for purchase

Answer 60

completing the sale

Question 61

If an attacker gets a token can they make purchases?

Answer 61

No. The transaction would fail because the token only works from the account associated with the token.

Question 62

removing all PII data

Answer 62

Anonymization

Question 63

swapping data in columns so that records no longer represent the actual data - aggregate data within each column is still usable for research

Answer 63

randomization

Question 64

person who is ultimately responsible for data

identify classification and ensure it is properly labeled and protected

Answer 64

owner

Question 65

the person who owns the asset or system that processes sensitive data

Answer 65

asset owner

Question 66

which data role Develops a system security plan in coordination with information owners, the system administrator, and functional end users

Answer 66

asset owner

Question 67

which data role Maintains the system security plan and ensures that the system is deployed and operated according to the agreed-upon security requirements

Answer 67

asset owner

Question 68

which data role Ensures that system users and support personnel receive appropriate security training, such as instruction on rules of behavior (or an AUP)

Answer 68

Asset owner

Question 69

which data role is seen as a program manager or information system owner who is responsible for ensuring that systems provide value to an organization

Answer 69

business/mission owner

Question 70

which method helps business owners and mission owners balance security control requirements with business or mission needs?

Answer 70

COBIT - Control Objectives for Information and Related Technology

Question 71

the GDPR defines this role as “a natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller”

Answer 71

data processor

Question 72

person or entity that controls to processing of the data - decides which data to process, why, and how

Answer 72

data controller

Question 73

roles created to oversee the control of data and ensure the organization follows all relevant laws and regulations
this role is mandated by the GDPR
responsible for ensuring the organization applies the laws to protect individual’s private data

Answer 73

data privacy officer

Question 74

this data role is responsible for day-to-day tasks

ensures proper storage and protection

typically personnel within an IT department or sysadmins

Answer 74

data custodian

Question 75

anyone with elevated privileges related to data

Answer 75

data administrators

Question 76

person who accesses data to accomplish work tasks

Answer 76

users

Question 77

person who can be identified through an identifier within data

Answer 77

data subject

Question 78

set of minimum security controls defined for an information system

Answer 78

security control baselines

Question 79

four baselines from NIST SP 800-53B

Answer 79

Low-Impact Baseline
Moderate-Impact Baseline
High-Impact Baseline
Privacy Control Baseline

Question 80

modifying a list of security controls within a baseline to align with the organizations mission

Answer 80

tailoring

Question 81

reviewing a list of baseline security controls and selecting only those controls that apply

vigorously defends in writing any decision to omit a control from the baseline

Answer 81

scoping