Domain 2

Question 1

Data lifecycle

Answer 1

Create
Store
Use
Share
Archive
Destroy

Question 2

Government Data Classification

Answer 2

Top Secret(class 3)
Secret(class 2)
Confidential(class 1)
Unclassified(class 0)

Question 3

Non-gov’t( public) data classification

Answer 3

Confidential/Proprietary (class 3)
Private (class 2)
Sensitive (class 1)
Public (class 0)

Question 4

Data Security Controls

Answer 4

Marking, labeling, handling, classification
Data handling
Data destruction
Record retention
Tape backup security

Question 5

Erasing

Answer 5

A data destruction method where a delete operation against a file, files, or media is performed. Data is typically recoverable

Question 6

Clearing (overwriting)

Answer 6

A data destruction method that prepares media for reuse and ensuring data cannot be recovered using traditional recovery tools

Question 7

Purging

Answer 7

A data destruction method that is more intense form of clearing that prepares media for reuse in less secure environments

Question 8

Degaussing

Answer 8

A data destruction method that creates a strong magnetic field that erases data on some media.

Question 9

Destruction

Answer 9

A data destruction method that is the final stage in the lifecycle of media and is the most secure method of sanitizing media.

Question 10

Security Control Baseline

Answer 10

Provides a listing of controls that an organization can apply as a baseline

Question 11

Data protection

Answer 11

Confidentiality is often protected through encryption ( at rest and in transport)

Question 12

Asset classification

Answer 12

Asset classification should match the data classification

Question 13

Sensitive Data

Answer 13

Is any information that isn’t public or unclassified. Example: Personally identifiable information (PII), Protected Health Information(PHI)

Question 14

Data Owner

Answer 14

Usually a member of senior management. Can delegate some day to day duties. Cannot delegate total responsibility.

Question 15

Data Custodian

Answer 15

Usually someone in the IT department. Does not decide what controls are needed but does implement controls for data owner.

Question 16

Data Administrators

Answer 16

Responsible for granting appropriate access to personal ( often via RBAC)

Question 17

User

Answer 17

Any person who accesses data via a computing system to accomplish work tasks

Question 18

Business/Mission Owners

Answer 18

Can overlap with the responsibilities of the system owner or be same role

Question 19

Asset Owners

Answer 19

Owns asset or system that processes sensitive data and associated security plans

Question 20

Data Processor

Answer 20

A GDPR term which is a natural or legal person, public authority, agency, or other body which processes personal data solely on behalf of the data controller

Question 21

Data Controller

Answer 21

A GDPR term which is a person or entity that controls processing of the data

Question 22

Data Transfer

Answer 22

A GDPR term which the GDPR restricts data transfers to countries outside the EU

Question 23

Anonymization

Answer 23

The process of removing all relevant data so that it is impossible to identify original subject or person. If done effectively the GDPR is no longer relevant for the anonymized data. Use this if the data is not needed.

Question 24

Pseudonymization

Answer 24

The process of using pseudonyms (aliases) to represent the data. Can result in less stringent requirements than would otherwise apply under the GDPR. Use if you need data and want to reduce exposure