CISSP Domain 2 - Flashcards

1
Q

Information Life Cycle - Introduction

A

* Information is created and has value for a time until it is no longer needed: it has a life cycle
* Encryption is useful at any of the stages

2
Q

Information Life Cycle - Acquisition

A

* Occurs when information can be created within or copied into a system
* Steps
- Metadata describing the information is attached, along with its classification
- Information is extracted so that it can be quickly located later
- Sometimes we must apply policy controls to the information

3
Q

Information Life Cycle - Use

A

* Addressing the CIA triad
* While the information is in active use it must remain available while still enforcing confidentiality and integrity
* If an organization duplicates data, the consistency of that duplication must be an enforced process

4
Q

Information Life Cycle - Archival

A

* At some point, the information will become dated, but will still need to be accessible for a time
* Information is usually moved to a secondary storage location that is not as optimized for reading
* It’s not the same as a backup

5
Q

Information Life Cycle - Disposal

A

Two possible steps
* Transfer: In case you want to sell it (The transfer must be carried out safely)
* Destruction: Depending on the sensitivity of the information, the media may need to be physically destroyed

6
Q

Information Classification - Classification Levels

A

* Commercial
- Confidential
- Private
- Sensitive/Proprietary
- Public
* Military
- Top Secret
- Secret
- Confidential
- Sensitive but unclassified
- Unclassified

7
Q

Information Classification - Commercial classification levels

A

* Confidential
* Private
* Sensitive/Proprietary
* Public

8
Q

Information Classification - Military classification levels

A

* Top Secret
* Secret
* Confidential
* Sensitive but unclassified
* Unclassified

9
Q

Information Classification - Classification Attributes

A

* How the data is related to security
* Legal or regulatory requirements
* How old the data is
* How valuable the data is
* How useful the data is
* How damaging it would be if the data were disclosed
* How damaging it would be if the data were lost or compromised
* Who can access or copy the data

10
Q

Information Classification - Classification Controls - Steps for classifying data

A

1) Define the classification levels
2) Define criteria on how to classify
3) Identify those who will be classifying data
4) Identify the data custodian
5) Indicate the security controls required for each classification
6) Document exceptions to the previous step
7) Specify how custody of data may be internally transferred
8) Create a process to periodically review classification and ownership, and communicate any changes to the data custodian
9) Create a process for declassifying data
10) Incorporate the above into the security-awareness training

11
Q

Layers of Responsibility - Executive Management

A

* Chief Executive Officer (CEO)
* Chief Financial Officer (CFO)
* Chief Information Officer (CIO)
* Chief Privacy Officer (CPO)
* Chief Security Officer (CSO)
* Chief Information Security Officer (CISO)

12
Q

Layers of Responsibility - Executive Management - Chief Executive Officer (CEO)

A

* Highest ranking officer in the company
* Acts like the visionary
* Can delegate tasks but not responsibility

13
Q

Layers of Responsibility - Executive Management - Chief Financial Officer (CFO)

A

Responsible for the financial structure of a company

14
Q

Layers of Responsibility - Executive Management - Chief Information Officer (CIO)

A

* Oversees information systems and technologies
* Ultimately responsible for the success of the security program

15
Q

Layers of Responsibility - Executive Management - Chief Privacy Officer (CPO)

A

* Usually an attorney
* Ensures the company’s data is kept safe

16
Q

Layers of Responsibility - Executive Management - Chief Security Officer (CSO)

A

* Responsible for understanding company risks and for mitigating them to acceptable levels
* Extends into the legal and regulatory realm

17
Q

Layers of Responsibility - Executive Management - Chief Information Security Officer (CISO)

A

Technical role reporting to the CSO

18
Q

Layers of Responsibility - Data Owner

A

* Usually a member of management
* Responsible for the data owned by his or her department
* Responsibilities
- Classification of data
- Ensure security controls are in place
- Approving disclosure activities and access requests
- Ensuring proper access rights are enforced

19
Q

Layers of Responsibility - Data Custodian

A

* Responsible for storing and keeping the data safe, including backup and restorative duties
* Ensures that the company’s security policy regarding information security and data protection is being enforced. As a result, the data custodian is responsible for maintaining the controls that enforce the classification levels set by the data owner

20
Q

Layers of Responsibility - System Owner

A

* Responsible for one or more systems, each of which may contain or process data owned by more than one data owner
* Ensures the systems under his or her purview align with the company’s policies regarding
- Security controls
- Authentication
- Authorization
- Configurations
* Ensures the systems have been assessed for vulnerabilities and reports incursions to the data owners

21
Q

Layers of Responsibility - Security Administrator

A

* Implements and maintains security network devices and software
* Manages user accounts and access
* Tests security patches

22
Q

Layers of Responsibility - Supervisor

A

* Responsible for access and assets for the people under the role’s supervision
* Informs the security administrator of new hires or terminations

23
Q

Layers of Responsibility - Change Control Analyst

A

Approves or rejects changes to the network, systems or software

24
Q

Layers of Responsibility - Data Analyst

A

Works with data owners and is responsible for ensuring data is stored in a manner that makes sense to the organization’s business needs

25
Q

Layers of Responsibility - User

A

Uses data for work-related tasks

26
Q

Layers of Responsibility - Auditor

A

* Makes sure all other roles are doing what they are supposed to be doing
* Ensures the proper controls are in place and maintained properly

27
Q

Retention Policies - Definition

A

Dictates what data should be kept, where it is kept, how it should be stored, and how long it should be stored for

28
Q

Retention Policies - Function

A

Driving the transition from the archival to the disposal stage of the data life cycle

29
Q

Retention Policies - Legal issues

A

* Legal counsel must be consulted when dictating retention boundaries
* We have to take into account legal, regulatory and operational requirements

30
Q

Retention Policies - Issues with Retained Data

A

* Taxonomy: How classifications are labeled
* Classification: It can affect how data is archived
* Normalization: Adding attributes to make the data easier to locate
* Indexing: Making searches quicker by precomputing indexes

31
Q

Retention Policies - Guidelines on how long to retain data

A

* Permanently: Legal Correspondence
* 7 years:
- Business documents
- Accounts payables/receivables
- Employees who leave
* 5 years: Invoices
* 4 years: Tax records after taxes were paid
* 3 years: Candidates who were not hired

32
Q

Retention Policies - e-discovery

A

The process of producing electronically stored information (ESI) for a court or external attorney

33
Q

Retention Policies - Electronic Discovery Reference Model (EDRM)

A

1) Identification of the requested data
2) Preservation of this data while it is being delivered
3) Collection of the data
4) Processing to ensure the correct format
5) Review of the data
6) Analysis of the data for proper content
7) Production of the final data set
8) Presentation of the data

34
Q

Protecting Privacy - Data Owners

A

Organization-wide formal written policies should make these decisions, with exceptions well documented and approved

35
Q

Protecting Privacy - Data Processors

A

* Users who touch the privacy data on a daily basis
* Routine inspections to ensure their behavior complies with policy must be implemented

36
Q

Protecting Privacy - Data Remanence

A

* Occurs when data is not permanently erased from storage media
* NIST SP 800-88 “Guidelines for Media Sanitization” provides guidelines for combating data remanence.
* Countermeasures:
- Overwriting: Replacing the 1s and 0s with random data
- Degaussing: Applying a powerful magnetic force to magnetic media
- Encryption: Deleting the key renders the data unusable
- Physical destruction: The best way. It can be done by shredding, burning, or exposing the media to destructive chemicals

37
Q

Protecting Privacy - Limits on Collection

A

* In the US: Very few limitations for the private sector
* Only data that the business requires in order to operate should be collected and stored
* The policy should be well documented; ideally in two documents: one for employee data and one for external customer data

38
Q

Protecting Assets - Physical security

A

Designed to counteract the following threats:
* Environment integrity
* Unauthorized access
* Theft
* Interruption to service
* Physical damage
* Compromised systems

39
Q

Protecting Assets - Data Security Controls - Data at rest

A

* Particularly vulnerable because a thief can steal the storage media if they have physical access
* To be protected, we encrypt the data
* NIST SP 800-111: Guide to Storage Encryption Technologies for End User Devices

40
Q

Protecting Assets - Data Security Controls - Data in motion

A

* Describes the state of data as it is traveling across a network
* Protection strategy: Encryption (TLS 1.1+, IPsec, VPNs)

41
Q

Protecting Assets - Data Security Controls - Data in use

A

* Data residing in primary storage devices: RAM, cache, CPU registers
* The danger is that the data is almost always unencrypted in this state

42
Q

Protecting Assets - Data Security Controls - Side-channel attack

A

Exploits information that is being leaked by a cryptosystem

43
Q

Protecting Assets - Media Controls - Media Sanitization

A

When media has been erased

44
Q

Protecting Assets - Media Controls - Media Management Attributes

A

* Audit: Paper trail of who accessed what, and when
* Access: Ensure only authorized people can access media
* Backups: We need to track this for two reasons:
- To be able to restore damaged media
- To know what needs to be deleted when the data has reached end-of-life
* History: We need to track this for two reasons:
- To make sure we don’t use obsolete versions
- To prove due diligence
* Environment: Physically protect media
* Integrity: Transfer data to a newer media container before the old one wears out
* Inventory: This must be done on a scheduled basis to determine if media has gone missing
* Disposal: Proper disposal of media that is no longer applicable or needed
* Labeling: Who created it and when, how long it should be kept, classification, name and version

45
Q

Data Leakage - Introduction

A

* It can be devastating to the company
* Possible losses
- Investigation and remediation
- Contacting individuals
- Penalties and fines
- Contractual liabilities
- Mitigating expenses such as free credit monitoring
- Direct damages to individuals, such as identity theft
- Loss of reputation or customer base

46
Q

Data Leakage - Data Leak Prevention

A

* Describes all steps a company takes to prevent unauthorized external parties from gaining access to sensitive data
* DLP is not a technology problem, and neither can it be solved by technology alone
* Steps
1) Take inventory: Figure out what you have and where it lives, starting with the most important assets
2) Classify Data
3) Map the pathways through which the data flows: This will tell you where to place DLP sensors, or checks that detect when sensitive data passes by
* Sensors: Examine file names, extensions, keywords and formats. Easily defeated by steganography and encryption

47
Q

Data Leakage - Implementation, Testing and Tuning

A

* Evaluation Criteria
- Sensitivity: The more in-depth it looks, the fewer false-positives you will have
- Policies: As granularity increases so does complexity and flexibility
- Interoperability: How much integration effort will you have to undertake to make a product work with your existing infrastructure
- Accuracy: This can only be discovered by testing the product in your own environment
* Tuning aspects:
- Make sure existing allowed paths still operate
- Make sure previously-identified misuse paths are blocked

48
Q

Data Leakage - Network DLP

A

* Usually implemented inside of a network appliance and examines all traffic as it passes by (data in motion)
* Due to the high cost, these devices are usually placed at traffic choke points, and therefore cannot see any traffic occurring on network segments not connected directly to the appliance

49
Q

Data Leakage - Endpoint DLP

A

* Software that is installed on devices themselves and applies to data at rest and in use
* Advantage of being able to detect protected data when it is entered into the device or on the decryption/encryption boundary
* Drawbacks
- Complexity: Requires many installations
- Cost: License per device
- Updates: Ensuring all devices are updated with new configuration can be expensive
- Circumvention: Software can be disabled, effectively rendering this solution useless

50
Q

Data Leakage - Hybrid DLP

A

* Deploying NDLP and EDLP together
* It’s costly but effective

51
Q

Protecting Other Assets - Mobile Devices

A

* Laptops, tablets and phones are a very tempting target for thieves beyond their hardware value
* Security Precautions
- Inventory all devices and periodically check nothing has been stolen
- Harden the OS with a baseline configuration
- Password-protect BIOS
- Register the device with the vendor
- Do not check mobile devices as baggage when traveling
- Never leave them unattended
- Engrave the device with the serial number
- Use a slot lock cable
- Back up to an organizational repository
- Encrypt all data
- Enable remote wiping

52
Q

Protecting Other Assets - Paper Records

A

* They often contain sufficiently sensitive information to warrant controls
* Security Precautions
- Educate your staff on proper handling
- Minimize the use of paper
- Keep workspaces tidy
- Lock sensitive paperwork away
- Prohibit taking paper home
- Label all paper with its classification
- Conduct random searches of employee bags when leaving
- Use a crosscut shredder

53
Q

Protecting Other Assets - Safes - Safe Types

A

* Wall: Embedded into a wall
* Floor: Embedded into a floor
* Chest: Stand-alone
* Depository: Safes with slots allowing valuables to be added without opening
* Vault: Large enough to walk inside
* Passive Relocking: Can detect someone trying to tamper with it, and extra bolts fall into place
* Thermal Relocking: When a certain temperature is reached an extra lock is implemented

54
Q

Protecting Other Assets - Safes - Security Precautions

A

* Change combinations periodically
* Only a small number of people should have access to the combination or key
* Place in a visible location