Chapter 5 Flashcards

(13 cards)

1
Q

Sensitive Data Types

A

PII
PHI
Proprietary

2
Q

PII

A
  • distinguishes an individual's identity
  • can be linked to an individual; financial, medical, educational, employment
3
Q

PHI (health)

A
  • created or received by health care provider, plan, employer, etc.
  • past/present/future physical or mental health, provision of or payment for health care
4
Q

Proprietary Data

A

Trade secrets, software code, internal processes, etc.

5
Q

Data Classification

A

Gov’t:
Class 3 - Top secret - grave damage
Class 2 - Secret - serious damage
Class 1 - Confidential - damage
Class 0 - Unclassified - no damage

Organizations:
Class 3 - Confidential/Proprietary - trade secrets, IP
Class 2 - Private - PII, PHI, financial
Class 1 - Sensitive - IT info
Class 0 - Public

6
Q

DLP

A
  1. Network-based
  2. Endpoint-based
  3. Cloud-based

Also includes sensitive info discovery function

7
Q

Data destruction techniques

A
  1. Erasing - not secure
  2. Clearing/overwriting - usually for media reuse but not fully secure; some bad sectors can be skipped
  3. Purging - more intense clearing; several iterations of clearing plus degaussing; also can’t always be trusted
  4. Degaussing - only for magnetic media
  5. Destruction - most secure
  6. Cryptographic erasure - destroy the encryption/decryption keys of encrypted data
8
Q

Declassification

A

Purging of classified data for re-use in a non-classified environment

Better to destroy

9
Q

DRM (Digital Rights Mgmt)

A

To protect copyrighted works

  • DRM license - small file with terms of use and license key
  • Persistent online authentication
  • Automatic expiration
  • Continuous audit trail - e.g. to detect concurrent use in different locations
10
Q

CASB

A
  • sits between users and cloud resources
  • replicates all internal security controls
  • can detect shadow IT
11
Q

Other Data Protection Methods

A
  1. Pseudonymization - replace personal data with pseudonyms (e.g. Patient123) before releasing data; may have less stringent GDPR requirements
  2. Tokenization - for credit card payment processing
  3. Anonymization - remove personal data, or apply randomized masking (re-arrange rows within columns); GDPR may not apply to anonymized data
12
Q

Data Roles

A
  1. Data owner - responsible for security of data
  2. Asset (or system) owner - responsible for security of system processing the data
  3. Business owner - responsible for the business processes that use the systems and data
  4. Data controller - collects data; determines what, why and how data should be processed
  5. Data processor - processes data on behalf of the data controller
  6. Data protection officer - mandated by GDPR; ensures protection of data privacy
  7. Data custodian - day-to-day tasks of protecting data
  8. Data administrator - a data custodian, or someone with elevated privilege
  9. Users - access data
  10. Data subjects (GDPR) - person identified by data
13
Q

Security Baseline

A

Set of minimum security controls

NIST published:
- Low-impact baseline
- Moderate-impact baseline
- High-impact baseline
- Privacy-control baseline - for those orgs that process PII

Tailoring - take the baseline controls and tailor them to the organization
Scoping - part of tailoring; remove controls that don’t apply
