D2 - App FC - Asset Security

Question 1

With what level of security precautions should backup media be treated?

Answer 1

Backup media should be handled with the same security precautions as any other asset with the same data classification.

Question 2

What are the goals of managing backup media?

Answer 2

• Preventing disclosure,
• Destruction,
• Alteration of data.

Question 3

What are the processes that can be applied to used media in order to prepare the media for reuse in various environments?

Answer 3

Erasing, clearing, and overwriting media that will be used in the same classification environments; purging, sanitizing, and degaussing if media is used in different classification environments.

Question 4

If a message is signed and encrypted, what security services are you providing?

Answer 4

Confidentiality, integrity, authenticity/access control, and nonrepudiation.

Question 5

Who has the responsibility to ensure that communications are secured?

Answer 5

The sender.

Question 6

What is the primary difference between memory cards and smartcards?

Answer 6

Processing capability.

Question 7

What is the term for exercising reasonable care in protecting organisational assets and interests, including development of a formalised security structure consisting of policies, procedures, and protocols?

Answer 7

Due care.

Question 8

When users are granted only the minimum access necessary to complete some task or process, what principle is involved?

Answer 8

The principle of least privilege.

Question 9

What kinds of processes must be applied when confidential storage media is prepared for reuse in questionably secure environments?

Answer 9

Declassification.

Question 10

What is the name for the demagnetisation process used to erase disk drives or tapes to wipe out all previously stored data?

Answer 10

Degaussing.

Question 11

What governs how long records are kept to substantiate system security assessments and support system analysis?

Answer 11

Record retention.

Question 12

What method will remove all data with assurances that it cannot be removed using any known methods?

Answer 12

Purging, sanitization, or destruction.

Question 13

What methods can be used to protect mobile devices such as a smartphone?

Answer 13

Encryption,
OPS,
Password-protected screen locks,
Remote wipe.

Question 14

What can be used to remove data on a lost smartphone?

Answer 14

Remote wipe.

Question 15

What should be done before disposing of a desktop backup computer at the end of its life cycle?

Answer 15

Sanitization.

Question 16

What is the term that identifies data on a disk after the data has supposedly been erased?

Answer 16

Data remanence.

Question 17

What does imaging provide in relation to configuration management?

Answer 17

Baseline.

Question 18

What is an early step in asset security?

Answer 18

Classifying and labelling assets.

Question 19

What is sensitive data?

Answer 19

Sensitive data is any information that isn’t public or unclassified. It can include confidential proprietary, protected, or any other type of data that an organization needs to protect due its value to the organisation or to comply with existing laws and regulations.

Question 20

What is PII?

Answer 20

Personally Identifiable Information (PII) is any information that can identify an individual.

Question 21

What is PHI?

Answer 21

Protected Health Information (PHI) is any health-related information that can be related to a specific person. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of PHI.

Question 22

What is proprietary data?

Answer 22

Proprietary data refers to any data that helps an organisation maintain a competitive edge. It could be software code it developed, technical plans for products, internal processes, intellectual property, or trade secrets. If competitor are able to access the proprietary data, it can seriously affect the primary mission of an organisation.

Question 23

What legal protections exist for proprietary data?

Answer 23

Copyrights, patents, and trade secret laws provide protection for proprietary data.

Question 24

What are the three data states and their definitions?

Answer 24

Data at rest is any data stored on media such as system hard drives, external USB drives, storage area networks (SANs), and backup tapes. Data in transit (sometimes called data in motion) is any data transmitted over a network. This includes data transmitted over an internal network using wired or wireless methods and data transmitted over public networks such as the internet. Data in use refers to data in temporary buffers while an application is using it.

Question 25

When sensitive data is no longer needed by an organisation, what should be done with it?

Answer 25

When an organisation no longer needs sensitive data, personnel should destroy it. Proper destruction ensures that it cannot fall into the wrong hands and result in unauthorised disclosure.

Question 26

What is data remanence?

Answer 26

Data remanence is the data that remains on a storage device as residual and potentially recoverable data. Using system tools to delete data generally leaves much of the data remaining on the media, and widely available tools can easily undelete it. Even when you use sophisticated tools to overwrite the media, traces of the original data may remain.

Question 27

In relation to storage media, what is erasing?

Answer 27

Erasing media is simple performing a delete operation against a file, a selection of files, or the entire media. In most cases, the deletion or removal process removes only the directory or catalogue link to the data. The actual data remains on the drive.

Question 28

In relation to storage media, what is clearing?

Answer 28

Clearing, or overwriting, is a process of preparing media for reuse and assuring that the cleared data cannot be recovered using traditional recovery tools. When media is cleared, unclassified data is written over all addressable locations on the media.

Question 29

In relation to storage media, what is purging?

Answer 29

Purging is a more intense form of clearing that prepares media for a reuse in less secure environments. It provides a level of assurance that the original data is not recoverable using any known methods. A purging process will repeat the clearing process multiple times and may combine it with another method such as degaussing to completely remove the data. Even though purging is intended to remove all data remnants, it isn't always trusted.

Question 30

In relation to storage media, what is declassification?

Answer 30

Declassification involves any process that purges media or a system in preparation for reuse in an unclassified environment. Purging can be used to prepare media for declassification, but often efforts required to securely declassify media are significantly greater than the cost of new media for a less secure environment.

Question 31

In relation to storage media, what is sanitization?

Answer 31

Sanitization is a combination of processes that removes data from a system or from media. It ensures that data cannot be recovered by any means.

Question 32

What is degaussing?

Answer 32

A degausser creates a strong magnetic field that erases data on some media in a process called degaussing. Technicians commonly use degaussing methods to remove data from magnetic tapes with the goal of returning the tape to its original state. Although it is possible to degauss hard disks, it is not recommended. Degaussing a hard disk will normally destroy the electronics used to access the data.

Question 33

What are some methods of storage media destruction?

Answer 33

Destruction is the final stage in the life cycle of media and is the most secure method of sanitizing media. When destroying media it's important to ensure that media cannot be reused or repaired and that data cannot be extracted from the destroyed media. Methods of destruction include incineration, crushing, shredding, disintegration, and dissolving using caustic or acidic chemicals. Some organisations remove the platters in highly classified disk drives and destroy them separately.

Question 34

What are scoping and tailoring?

Answer 34

Scoping refers to reviewing baseline security controls and selecting only those controls that apply to the IT system you're trying to protect. Tailoring refers to modifying the list of security controls within a baseline so that they align with the mission of the organisation.

Question 35

Administrators are removing all data from data records that can be used to identify an individual. What is this process called?

Answer 35

Anonymisation.

Question 36

Administrators are replacing all data in data records that can be used to identify an individual with pseudonyms. What is this process called ?

Answer 36

Pseudonymisation.

Question 37

Define Sensitive But Unclassified (SBU)?

Answer 37

Sensitive But Unclassified (SBU) is used for data that is for internal use or office only. Often SBU is used to protect information that could violate the privacy rights of individuals.

Question 38

What is cloud storage?

Answer 38

Cloud storage is the idea of using storage capacity provided by a cloud vendor as a means to host data files for an organisation. Cloud storage can be used as form of backup or support for online data services. Cloud storage may be cost effective, but it is not always high or low latency.

Question 39

Define an on-premises solution.

Answer 39

An on-premises solution is the traditional deployment concept in which an organisation owns the hardware, licenses the software, and operates and maintains the systems on its own usually within their own building.

Question 40

Define a hosted solution.

Answer 40

A hosted solution is a deployment concept where the organisation must license software and then operates and maintains the software. The hosting provider owns, operates, and maintains the hardware that supports the organisation's software.

Question 41

Define a cloud solution.

Answer 41

A cloud solution is a deployment concept where an organisation contracts with a third-party cloud provider. The cloud provider owns, operates, and maintains the hardware and software. The organisation pays a monthly fee (often based on a per-user multiplier) to use the cloud solution.

Question 42

What is cloud access security broker (CASB)?

Answer 42

A cloud access security broker (CASB) is a security policy enforcement solution that may be installed on-premises, or it may be cloud-based. The goal of a CASB is to enforce and ensure that proper security measures are implemented between a cloud solution and a customer organisation.

Question 43

What is the importance of data and asset classifications?

Answer 43

Data owners are responsible for defining data and asset classification and ensuring that data and systems are properly marked. Additionally, data owners define requirements to protect data at different classification, such as encrypting sensitive data at rest and in transit. Data classifications are typically defined within security policies or data policies.

Question 44

How should an organisation approach the management of sensitive information?

Answer 44

Sensitive information is any type of classified information, and proper management helps prevent unauthorised disclosure resulting in a loss of confidentiality. Proper management includes marking, handling, storing, and destroying sensitive information. The two areas where organisations often miss the mark are adequately protecting backup media holding sensitive information and sanitizing media or equipment when it is at the of its lifecycle.

Question 45

Compare the various data destruction methods.

Answer 45

- Erasing file doesn't delete it. - Clearing media overwrites it with characters or bits . - Purging repeats the clearing process multiple times and removes data so that the media can be reused. - Degaussing removes data from tapes and magnetic hard disk drives, but it does not affect optical media or SSDs. - Destruction methods include incinerations, crushing, shredding, and disintegration.

Question 46

Describe record retention policies.

Answer 46

Record retention policies ensure that data is kept in usable state while it is needed and destroyed when it is no longer needed. Many laws and regulations mandate keeping data for a specific amount of time, but in the absence of formal regulation, organisations specify the retention period within policy. Audit trail data needs to be kept long enough to reconstruct recent past incidents. A current trend in many organisations is to reduce legal liabilities by implementing shorter retention policies.

Question 47

What is the difference between EOL and EOS?

Answer 47

End-of-life (EOL) is the date announced by a vendor when sales of a product stop. However, the vendor still supports the products after EOL. End-of-support (EOS) identifies the date when a vendor will no longer support a product.

Question 48

What is tokenization?

Answer 48

Tokenization replaces data elements with a string of characters or a token. Credit card processors replace credit card data with a token, and a third party holds the mapping to the original data and the token.

Question 49

What are security control baselines?

Answer 49

Security control baselines provide a listing of controls that an organisation can apply as a baseline. Bot all baselines apply to all organisation. Organisations apply scoping and tailoring techniques to adapt a baseline to their needs.

Question 50

What are the responsibilities of the roles of data custodian, data processor, data administrator, and user?

Answer 50

Data controller decide what to process and how to process it. Data processors are often the third-party entities that process data for an organisation at the direction of the data processor. Data administrators grant access to data based on guidelines provided by the data owners. A user, or subject, accesses data while performing work tasks. A custodian has day-to-day responsibilities for protecting and storing data.

Question 51

What are the responsibilities of the roles of data owner, system owner, and business/mission owner?

Answer 51

The data owner is the person responsible for classifying, labelling, and protecting data. System owners are responsible for systems that process the data. Business and mission owners own the processes and ensure that the systems provide value to the organisation.

Question 52

What is data portability?

Answer 52

Data portability refers to the ability of individuals to easily and securely move their personal data from one system, service or application to another. It allows users to transfer their data between different platforms, promoting user control and facilitating competition among service providers.