Data Protection

Question 1

Data protection

Answer 1

Safeguarding information from corruption, compromise, or loss

Question 2

Data Classification

Answer 2

Based on the value to organization and the sensitivity of the information, determined by the data owner

• Sensitive
• Confidential
• Public
• Restricted
• Private
• Critical

Question 3

Sensitive data

Answer 3

Information that, if accessed by unauthorized persons, can result in the loss of security or competitive advantage for a company

• over classifying data leads to protecting data at a high level

Question 4

Importance of data classification

Answer 4

• Helps allocate appropriate protection resources
• Prevents over-classification to avoid excessive costs
• Requires proper policies to identify and classify data accurately

Question 5

Commercial Business Classification Levels

Answer 5

Public - No impact if released; often publicly accessible data

Sensitive - Minimal impact if released (ex: financial data)

Private - Contains internal personnel or salary information

Confidential - Holds trade secrets, intellectual property, source code, etc

Critical - Extremely valuable and restricted information

Question 6

Government Classification Levels

Answer 6

Unclassified - Generally releasable to the public; can be released under the Freedom of Information Act

Sensitive, but unclassified - Includes medical records, personnel files, etc. ; no harm to national security

Confidential - Contains information that could affect the government (ex: trade secrets)

Secret - Holds data like military deployment plans, defensive postures

Top Secret - Highest level, highly sensitive national security information

Question 7

Data Ownership

Answer 7

Process of identifying the individual responsible for maintaining the confidentiality, integrality, availability, and privacy of information assets

Question 8

Data Owner

Answer 8

a senior executive responsible for labeling information and ensuring they are protected with appropriate controls

Question 9

Data Controller

Answer 9

Entity responsible for determining data storage, collection, and usage purposes and methods, as well as ensuring the legality of these processes

Question 10

Data processor

Answer 10

a group or individual hired by the data controller to assist with tasks like data collection and processing

Question 11

Data Steward

Answer 11

Focuses on data quality and metadata, ensuring data is appropriately labeled and classified, often working under the data owner

Question 12

Data Custodian

Answer 12

Responsible for managing the systems on which data assets are stored, including enforcing access controls, encryption, and backup measures

Question 13

Privacy Officer

Answer 13

Oversees privacy-related data, such as PII, SPI, and PHI ensuring compliance with legal and regulatory frameworks

Question 14

Data Ownership Responsibility

Answer 14

The IT Department (CIO or IT personnel) should NOT be the data owner; data owners should be individuals from the business side who understand the data’s content and can make informed decisions about classification

Question 15

Selection of Data Owners

Answer 15

Should be designated within their respective departments based on their knowledge of the data and its significance within the organization

• example: CFO controls financial data

Question 16

Data at Rest

Answer 16

Data stored in databases, file systems, or storage systems, not actively moving

Question 17

Encryption Methods

Answer 17

• Full Disk Encryption (FDE) = Encrypts the entire hard drive
• ** Partition Encryption** = Encrypts specific partitions, leaving others unencrypted
• Volume Encryption = Encrypts selected files or directories
• Database Encryption = Encrypts data stored in a database at column, row, or table levels
• Record Encryption = Encrypts specific fields within a database record

Question 18

Data in Transit

Answer 18

Data actively moving from one location to another, vulnerable to interception

Can be protected with transport encryption methods:
- SSL
- VPN
- IPSec

Question 19

Secure Sockets Layer (SSL)

Answer 19

Secure communication over networks, widely used in web browsing and email

Question 20

Virtual Private Network (VPN)

Answer 20

Creates secure connections over less secure networks like the internet

Question 21

Internet Protocol Security (IPSec)

Answer 21

Secures IP communications by authenticating and encrypting IP packets

Question 22

Data in Use

Answer 22

Data actively being created, retrieved, updated, or deleted

Protection measures:
- Encryption at the application level = encrypts data during procession

• Access controls = Restricts access to data during processing
• Secure Enclaves = Isolated environments for processing sensitive data
• Mechanisms like INTRL Software Guard; encrypts data in memory to prevent unauthorized access

Question 23

Regulated data

Answer 23

Controlled by laws, regulations, or industry standards

Compliance requirements:
- General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act (HIPPA)

Question 24

Personal Identification Information (PII)

Answer 24

Information used to identify and individual
- names
- social security number
- addresses

Question 25

Protected Health Information (PHI)

Answer 25

Information about health status, healthcare provision, or payment linked to a specific individual - Protected under HIPAA

Question 26

Trade Secrets

Answer 26

Confidential business information giving a competitive edge - legally protected, unauthorized disclosure results in penalties example: - manufacturing processes - marketing strategies - Proprietary software

Question 27

Intellectual Property (IP)

Answer 27

Creations of the mind (inventions, literary works, designs) - protected by patents , copyrights, trademarks to encourage innovation - unauthorized use can lead to legal action

Question 28

Legal Information

Answer 28

Data related to legal proceedings, contracts, regulatory compliance - requires high-level protection for client confidentiality and legal privilege

Question 29

Financial Information

Answer 29

Data related to financial transactions like sales records, tax documents, bank statements - Targeted by cyber criminals for fraud and identity theft - subject to PCI DSS (Payment Card Industry Data Security Standard)

Question 30

Human-Readable Data

Answer 30

Understandable directly by humans (text documents, spreadsheets)

Question 31

Non-Human-Readable Data

Answer 31

Requires machine or software to interpret - Binary code - machine language Contains sensitive information and requires protection

Question 32

Data Sovereignty

Answer 32

Digital information subject to laws of the country where its located - Gained importance with cloud computing's global data storage

Question 33

General Data Protection Regulation (GDPR)

Answer 33

Protects EU citizens' data within EU and EEA borders - compliance required regardless of data location - non-compliance leads to significant fines

Question 34

Data Sovereignty Laws (ex: Chine/Russia)

Answer 34

Require data storage and processing within national borders - challenge for multinational companies and cloud services - pose complex challenges

Question 35

Access Restrictions

Answer 35

Cloud services may restrict access from multiple geographic locations

Question 36

Geographic Restrictions (Geofencing)

Answer 36

Virtual boundaries to restrict data access based on location - compliance with data sovereignty laws - prevent unauthorized access from high risk locations

Question 37

Encryption

Answer 37

Transform plaintext into cipher text using algorithms and keys - protects data at rest and in transit - requires decryption key for data recovery

Question 38

Hashing

Answer 38

Converts data into fixed-size hash values - Irreversible one-way function - commonly used for password storage

Question 39

Masking

Answer 39

Replace some or all data with placeholders (ex: "x") - partially retains metadata for analysis - irreversible de-identification method

Question 40

Tokenization

Answer 40

Replacing sensitive data with non-sensitive tokens - original data stored securely in a separate database - often used in patient processing for credit card protection

Question 41

Obfuscation

Answer 41

Make data unclear or unintelligible - Various techniques, including encryption, masking, and pseudonyms - hinder unauthorized understanding

Question 42

Segmentation

Answer 42

Divide network into separate segments with unique security controls - prevent lateral movement in case of a breach - limits potential damage

Question 43

Permission Restrictions

Answer 43

Define data access and actions through ACLs (Access Control Lists) and RBACs (Role-Based Access Controls)

Question 44

Data Loss Prevention (DLP)

Answer 44

Aims to monitor data in use, in transit, or at rest to detect and prevent data theft - DLP systems are available as software or hardware solutions

Question 45

Endpoint DLP System

Answer 45

Installed as software on workstations or laptops - Monitors data in use on individual computers - Can prevent or alert on file transfers based on predefined rules

Question 46

Network DLP System

Answer 46

Software or hardware placed at the network perimeter - Focuses on monitoring data entering and leaving the network - Detects unauthorized data leaving the network

Question 47

Storage DLP System

Answer 47

Installed on a server in the data center - inspects data at rest, especially encrypted or watermarked data - monitors data access patterns and flags policy violations

Question 48

Cloud-Based DLP System

Answer 48

Offered as a software-as-a-service solution - protects data stored in cloud services