Chapter 5 Flashcards
(81 cards)
1
Q
Any data that isn’t public or unclassified
A
Sensitive Data
2
Q
information that can identify an individual
A
PII
3
Q
any health-related information that can be related to a specific person
A
PHI
4
Q
data that helps an organization maintain a competetive edge
ie software code, trade secrets, intellectual property
A
Proprietary Data
5
Q
disclosure would cause exceptionally grave damage to national security
A
top secret
6
Q
disclosure would cause serious damage to national security
A
secret
7
Q
disclosure would cause damage to national security
A
confidential
8
Q
NGO classification for exceptionally grave damage
A
Confidential/Proprietary
9
Q
NGO classification for serious damage
A
Private
10
Q
NGO classification for damage
A
Sensitive
11
Q
NGO classification for no damage
A
Public
12
Q
data stored on media
A
Data at Rest
13
Q
What kind of encryption protects data at rest?
A
Strong, symmetric encryption
14
Q
data transmitted over a network
A
data in transit
15
Q
what kind of encryption protects data in transit?
A
a combination of symmetric and asymmetric encryption
16
Q
data in memory or temporary storage buffers
A
Data in Use
17
Q
what kind of encryption protects data in use?
A
usually unencrypted (o.o)
sometimes homomoprhic encryption
18
Q
what is the best way to protect confidentiality of data?
A
strong encryption paired with strong authentication and authorization controls.
19
Q
person filling this role ensures that the organization is conducting all business activities by following the laws and regulations that apply to the organization
A
compliance officer
20
Q
Security administrators use the _____ defined in the security police to identify security ______.
A
requirements
security controls
21
Q
DLP
A
Data Loss Prevention
22
Q
event in which an unauthorized entity can view or access sensitive data
A
data breach
23
Q
ongoing efforts to organize and care for data throughout its lifetime
A
data maintenance
24
Q
What does this describe?
One network process unclassified data only. Another network processes classified data only. The two networks never physically touch each other.
A
Air Gap - a physical security control
25
How can data be transferred between air gapped networks?
Manually
USB
unidirectional network bridge (data can only move from unclass to class network)
technical guard solution - combo of hardware and software that requires data to be appropriately marked
26
systems that attempt to detect and block data exfiltration attempts
can scan unencrypted data and look for keywords or patterns
DLP
27
two primary types of DLP
Network and Endpoint
28
which type of DLP is looks at data leaving an organization on an edge device?
Network
29
which type of DLP can detect users copying data to a USB or sending to a printer?
Endpoint
30
what is a risk of logging/storing data?
Loosing the data or data breaches. Only store what is necessary for business purposes or what is required by law/regulation. (limit data collection)
31
Where is the best practice location for backups?
One copy on site and another copy offsite.
32
physical security measures for sensitive data storage:
locks
multiple layers of physical security (guards, badged entry)
environmental controls
33
data that remains on media after it was supposedly erased
data remanence
34
If a user was working on a top secret file a moment ago and then creates a small unclassified file, the small file might contain top secret data pulled from memory.
what security control would prevent this?
Do not process classified data on unclass systems
35
what generates a heavy magnetic field, which realigns the magfields in media such as traditional hard drives, magentic tape, and floppy disk drives?
(uses magents to completely remove data remanence)
degauser
36
what is the best method of sanitizing SSDs?
destruction - shred to 2 mm or less
37
performing a delete operation against media - usually only removes the directory link to the data.
erasing
38
preparing media for reuse and ensuring that the cleared data cannot be recovered
clearing/overwriting
39
3 steps of a common clearing protocol
1. a character (110)
2. its complement (001)
3. random bits
40
intense form of clearing for reusing media in less secure environments - data is not recoverable using any known methods
purging
41
uses magnets to erase data on traditional media
degaussing
42
final stage in lifecycle of media and most secure method of sanitizing data
destruction
43
any process that purges media or a system in preparation for reuse in an unclassified environment
declassification
44
declassification vs destruction
purchasing new media is often less expensive that declassification methods so most organizations opt to destroy media when it is no longer needed.
45
destroying the encryption key, or both encryption and decryption keys
cryptographic erasure - could possibly be decrypted so is often paired with a method to overwrite the data
46
what can organizations do to data stored in the cloud?
encryption erasure is often the only option
47
retaining and maintaining important information while it is needed and destroying it when it is no longer needed
record retention
48
solutions that provide copyright protection for copyrighted works
DRM (Digital rights management)
49
a license that grants access to a product with terms of use
DRM license
50
over the internet, system periodically connects with an authentication server, and if the connection or authentication fails, DRM blocks use of the product
Persistent Online Authentication (always-on DRM)
51
detects abuse, such as concurrent use of a product simultaneously but in two geographically different locations (Hulu, anyone?)
Continuous Audit Trail
52
products are sold on a subscription basis and access is blocked if monthly bill is not paid
Automatic Expiration
53
software placed logically between users and cloud-based resources that monitors all activity and enforces admin-defined security policies
Cloud Access Security Broker (CASB)
54
the use of IT resources without the approval of the IT department
Like Mr. Armstrong using Google Drive to ask us how we feel about each other.
Shadow IT
55
using pseudonyms to represent other PII data (can result in less stringent requirements that would apply under the GDPR)
ie using a patient number instead of a name on medical records
pseudonymization
56
use of a random string of characters to replace other data (often used with credit card transactions)
tokenization. the string is the token.
57
4 steps of tokenization
1. Registration
2. Usage
3. Validation
4. Completing the Sale
58
creating a token and recording it along with the encrypted credit card number, associated with a phone number
registration
59
processor sends token to tokenization vault, which answers with unencrypted credit card data and the charge is processed
validation
60
processor sends a reply to the POS system and credits the seller for purchase
completing the sale
61
If an attacker gets a token can they make purchases?
No. The transaction would fail because the token only works from the account associated with the token.
62
removing all PII data
Anonymization
63
swapping data in columns so that records no longer represent the actual data - aggregate data within each column is still usable for research
randomization
64
person who is ultimately responsible for data
identify classification and ensure it is properly labeled and protected
owner
65
the person who owns the asset or system that processes sensitive data
asset owner
66
which data role Develops a system security plan in coordination with information owners, the system administrator, and functional end users
asset owner
67
which data role Maintains the system security plan and ensures that the system is deployed and operated according to the agreed-upon security requirements
asset owner
68
which data role Ensures that system users and support personnel receive appropriate security training, such as instruction on rules of behavior (or an AUP)
Asset owner
69
which data role is seen as a program manager or information system owner who is responsible for ensuring that systems provide value to an organization
business/mission owner
70
which method helps business owners and mission owners balance security control requirements with business or mission needs?
COBIT - Control Objectives for Information and Related Technology
71
the GDPR defines this role as "a natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller"
data processor
72
person or entity that controls to processing of the data - decides which data to process, why, and how
data controller
73
roles created to oversee the control of data and ensure the organization follows all relevant laws and regulations
this role is mandated by the GDPR
responsible for ensuring the organization applies the laws to protect individual's private data
data privacy officer
74
this data role is responsible for day-to-day tasks
ensures proper storage and protection
typically personnel within an IT department or sysadmins
data custodian
75
anyone with elevated privileges related to data
data administrators
76
person who accesses data to accomplish work tasks
users
77
person who can be identified through an identifier within data
data subject
78
set of minimum security controls defined for an information system
security control baselines
79
four baselines from NIST SP 800-53B
Low-Impact Baseline
Moderate-Impact Baseline
High-Impact Baseline
Privacy Control Baseline
80
modifying a list of security controls within a baseline to align with the organizations mission
tailoring
81
reviewing a list of baseline security controls and selecting only those controls that apply
vigorously defends in writing any decision to omit a control from the baseline
scoping
