Chapter 5 (Domain 2: Asset Security)

Question 1

First steps in Asset Security

Answer 1

Identifying and classifying information and assets

Question 2

Sensitive data

Answer 2

Any information that isn’t public or unclassified such as confidential, proprietary, protected, or any other type of data that an organization needs to protect due to its value to the organization, or to comply with existing laws and regulations

Question 3

PII

Answer 3

Personally identifiable information (PII) is any information that can identify an individual

Question 4

PHI

Answer 4

Protected health information (PHI) is any health-related information that can be related to a specific person

Question 5

HIPAA

Answer 5

Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of PHI

Question 6

Proprietary data

Answer 6

Any data that helps an organization maintain a competitive edge such as software code it developed, technical plans for products, internal processes, intellectual property, or trade secrets

Question 7

Data classification

Answer 7

Identifies the value of the data to the organization and is critical to protect data confidentiality and integrity. Included in a security policy or data policy.

Question 8

US government data classification

Answer 8

Top secret
Secret
Confidential
Unclassified

Question 9

Non-government data classification

Answer 9

Confidential/Proprietary
Private
Sensitive
Public

Question 10

Sensitive information

Answer 10

Any information that isn’t public or unclassified

Question 11

Asset classification

Answer 11

Asset classifications should match the data classifications

Question 12

What comes after Data Classification?

Answer 12

Define the security requirements and identify security controls to implement those security requirements

Question 13

What is the best way to protect the confidentiality of data?

Answer 13

Strong encryption protocols, authentication and authorization controls help prevent unauthorized access.

Question 14

Data breach

Answer 14

Any event in which an unauthorized entity can view or access sensitive data

Question 15

What is the most important information that a mark or label provides? (Marking or Labeling)

Answer 15

Classification of the data

Question 16

Example of Marking or Labeling

Answer 16

Digital marks or labels, header or footer in a document, embed as a watermark

Question 17

How is downgrading media handled?

Answer 17

Requires procedures that will purge the tape of all usable data.
Many organizations prohibit downgrading media at all.
It is rare to downgrade a system.

Question 18

How is physical media stored?

Answer 18

Devices in locked safes or vaults and/or within a secure room that includes several additional physical security controls

Question 19

How is sensitive data handled when no longer needed?

Answer 19

Should be destroyed when no longer needed

Question 20

How are acceptable methods of destroying data defined?

Answer 20

An organization’s security policy or data policy should define the acceptable methods of destroying data based on the data’s classification

Question 21

What is data remanence?

Answer 21

Data remanence is the data that remains on media after the data was supposedly erased. It typically refers to data on a hard drive as residual magnetic flux

Question 22

How can data remanence be removed?

Answer 22

A degausser generates a heavy magnetic field, which realigns the magnetic fields in magnetic media such as traditional hard drives, magnetic tape, and floppy disk drives

Question 23

What is a degausser?

Answer 23

A degausser generates a heavy magnetic field, which realigns the magnetic fields in magnetic media such as traditional hard drives, magnetic tape, and floppy disk drives. Only effective on magnetic media.

Question 24

How should SSDs be handled?

Answer 24

The best method of sanitizing SSDs is destruction since built-in erase commands are not effective.

Question 25

What is the best way to sanitize SSDs?

Answer 25

The best method of sanitizing SSDs is destruction

Question 26

What is erasing data?

Answer 26

Erasing media is simply performing a delete operation against a file, a selection of files, or the entire media-

Question 27

What is clearing data?

Answer 27

Clearing, or overwriting, is a process of preparing media for reuse and ensuring that the cleared data cannot be recovered using traditional recovery tools by overwriting with unclassified data

Question 28

What is purging?

Answer 28

Purging is a more intense form of clearing that prepares media for reuse in less secure environments. It provides a level of assurance that the original data is not recoverable using any known methods. A purging process will repeat the clearing process multiple times and may combine it with another method such as degaussing to completely remove the data.

Question 29

What is the most secure method of sanitizing media?

Answer 29

Destruction is the most secure method of sanitizing media.

Question 30

What is record retention or media retention?

Answer 30

Record retention involves retaining and maintaining important information as long as it is needed and destroying it when it is no longer needed.

Question 31

How is record retention defined?

Answer 31

An organization’s security policy or data policy typically identifies retention timeframes.

Question 32

What happens when there is no retention policy?

Answer 32

May delete data earlier than expected or keep data indefinitely

Question 33

What is bcrypt?

Answer 33

Linux systems use bcrypt to encrypt passwords.
Bcrypt is based on Blowfish
Bcrypt adds 128 additional bits as a salt to protect against rainbow table attacks.

Question 34

What is Blowfish?

Answer 34

Bruce Schneier developed Blowfish as a possible alternative to DES.
It can use key sizes of 32 bits to 448 bits and is a strong encryption protocol

Question 35

Symmetric encryption

Answer 35

Uses the same key to encrypt and decrypt data

Question 36

Examples of Symmetric Encryption

Answer 36

• Advanced Encryption Standard (AES), Microsoft tools
• Triple DES or 3DES, payment cards
• Blowfish, Bruce Schneier developed Blowfish as a possible alternative to DES, bcrypt

Question 37

What is the primary risk of sending unencrypted data over a network?

Answer 37

A sniffing attack - Attackers can use a sniffer or protocol analyzer to capture traffic sent over a network. The sniffer allows attackers to read all the data sent in cleartext

Question 38

How to protect data in transit?

Answer 38

• HTTPS, encrypts e-commerce transactions
  
  • HTTPS uses TLS (Transport Layer Security)
• VPNs use TLS and IPsec for encryption
• TLS
• IPsec, Internet Protocol Security
• Secure Shell (SSH), administrators use SSH when administering remote servers

Question 39

Protocols that transmit data in cleartext?

Answer 39

• HTTP
• FTP
• Telnet
• L2TP, Layer 2 Tunneling Protocol transmits data in cleartext

Question 40

Data owner

Answer 40

Person who has ultimate organizational responsibility for data.
Data owner is typically the CEO, president or a department head.
Data owners identify the classification of data and ensure that it is labeled properly.

Question 41

Asset owner

Answer 41

The asset owner (or system owner) is the person who owns the asset or system that processes sensitive data.
Same person as the data owner but can be different like the Department Head.

Question 42

System owner

Answer 42

Ensuring that the data processed on the system remains secure.
System is labeled accurately and that the appropriate security controls are in in place to protect the data.

Question 43

Business owner

Answer 43

Owns the processes that use systems managed by other entities.
Ensure that systems provide value to the organization

Question 44

What is COBIT?

Answer 44

Control Objectives for Information and Related Technology (COBIT) - IT governance method that helps business owners and mission owners balance security control requirements with business or mission needs.

Question 45

Data processor

Answer 45

Any system used to process data.
European Union (EU) General Data Protection Regulation (GDPR) defines a data processor as “a natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller"

Question 46

GDPR

Answer 46

European Union (EU) General Data Protection Regulation (GDPR)

• Regulation in EU law on data protection and privacy in the European Union (EU).
• It addresses the transfer of personal data outside the EU.
• The GDPR restricts data transfers to countries outside the EU

Question 47

Data controller

Answer 47

The person or entity that controls processing of the data

Example: a third-party company to process payroll, the payroll company is the data processor.

Question 48

Administrator

Answer 48

Responsible for granting appropriate access to personnel.
Assign permissions based on the principles of least privilege and the need to know, granting users access to only what they need for their job

Question 49

Custodian

Answer 49

Data owners often delegate day-to-day tasks to a custodian. A custodian helps protect the integrity and security of data by ensuring that it is properly stored and protected. For example, custodians would ensure that the data is backed up in accordance with a backup policy.

Question 50

Security baseline

Answer 50

Baselines provide a starting point and ensure a minimum security standard.
One common baseline that organizations use is imaging.

Question 51

Scoping and Tailoring

Answer 51

• Scoping refers to reviewing a list of baseline security controls and selecting only those controls that apply to the IT system you’re trying to protect.
• Tailoring refers to modifying the list of security controls within a baseline so that they align with the mission of the organization