Domain 2 - Asset Security

Question 1

Angela is an information security architect at a bank and has
been assigned to ensure that transactions are secure as they
traverse the network. She recommends that all transactions use
TLS. What threat is she most likely attempting to stop, and what
method is she most likely using to protect against it?
A. Man-in-the-middle, VPN
B. Packet injection, encryption
C. Sniffing, encryption
D. Sniffing, TEMPEST

Answer 1

C. Sniffing, encryption

C. Encryption is often used to protect traffic like bank
transactions from sniffing. While packet injection and man-inthe-middle attacks are possible, they are far less likely to occur,
and if a VPN were used, it would be used to provide encryption.
TEMPEST is a specification for techniques used to prevent
spying using electromagnetic emissions and wouldn’t be used to
stop attacks at any normal bank

Question 2

Control Objectives for Information and Related Technology
(COBIT) is a framework for information technology (IT)
management and governance. Which data management role is
most likely to select and apply COBIT to balance the need for
security controls against business requirements?
A. Business owners
B. Data processors
C. Data owners
D. Data stewards

Answer 2

A. Business owners

A. Business owners have to balance the need to provide value
with regulatory, security, and other requirements. This makes
the adoption of a common framework like COBIT attractive.
Data owners are more likely to ask that those responsible for
control selection identify a standard to use. Data processors are
required to perform specific actions under regulations like the
EU GDPR. Finally, in many organizations, data stewards are
internal roles that oversee how data is used.

Question 3

Nadia’s company is operating a hybrid cloud environment with
some on-site systems and some cloud-based systems. She has
satisfactory monitoring on-site, but needs to apply security
policies to both the activities her users engage in and to report
on exceptions with her growing number of cloud services. What
type of tool is best suited to this purpose?
A. A NGFW
B. A CASB
C. An IDS
D. A SOAR

Answer 3

B. A CASB

B. The best option for Nadia is a cloud access security broker
(CASB). A CASB is designed to sit between a cloud environment
and the users who use it, and it provides monitoring and policy
enforcement capabilities. A next-generation firewall (NGFW),
an intrusion detection system (IDS), and a security operations
and response (SOAR) tool could each provide some insight into
what is going on, but they are not purpose built and designed for
this like the CASB is. The NGFW and IDS are most likely to
provide insight into traffic patterns and behaviors, while the
SOAR is primarily intended to monitor other systems and
centralize data for response, making it potentially the least
useful in this specific scenario.

Question 4

When media is labeled based on the classification of the data it
contains, what rule is typically applied regarding labels?
A. The data is labeled based on its integrity requirements.
B. The media is labeled based on the highest classification level of the data it contains.
C. The media is labeled with all levels of classification of the data it contains.
D. The media is labeled with the lowest level of classification of the data it contains.

Answer 4

B. The media is labeled based on the highest classification level of the data it contains.

B. Media is typically labeled with the highest classification level
of data it contains. This prevents the data from being handled or
accessed at a lower classification level. Data integrity
requirements may be part of a classification process but don’t
independently drive labeling in a classification scheme.

Question 5

Which one of the following administrative processes assists
organizations in assigning appropriate levels of security control
to sensitive information?
A. Data classification
B. Remanence
C. Transmitting data
D. Clearing

Answer 5

A. Data classification

A. The need to protect sensitive data drives data classification.
Classifying data allows organizations to focus on data that needs
to be protected rather than spending effort on less important
data. Remanence describes data left on media after an attempt is
made to remove the data. Transmitting data isn’t a driver for an
administrative process to protect sensitive data, and clearing is a
technical process for removing data from media.

Question 6

How can a data retention policy help to reduce liabilities?
A. By ensuring that unneeded data isn’t retained
B. By ensuring that incriminating data is destroyed
C. By ensuring that data is securely wiped so it cannot be
restored for legal discovery
D. By reducing the cost of data storage required by law

Answer 6

A. A data retention policy can help to ensure that outdated data
is purged, removing potential additional costs for discovery.
Many organizations have aggressive retention policies to both
reduce the cost of storage and limit the amount of data that is
kept on hand and discoverable. Data retention policies are not
designed to destroy incriminating data, and legal requirements
for data retention must still be met.

Question 7

Staff in an information technology (IT) department who are
delegated responsibility for day-to-day tasks hold what data
role?
A. Business owner
B. User
C. Data processor
D. Custodian

Answer 7

D. Custodian

D. Custodians are delegated the role of handling day-to-day
tasks by managing and overseeing how data is handled, stored,
and protected. Data processors are systems used to process data.
Business owners are typically project or system owners who are
tasked with making sure systems provide value to their users or
customers.

Question 8

Helen’s company uses a simple data lifecycle as shown in the
figure here. What stage should come first in their data lifecycle?
??? > Data Analysis > Data Usage > Data Retention > Data Destruction
A. Data policy creation
B. Data labeling
C. Data collection
D. Data analysis

Answer 8

C. Data collection

C. In a typical data lifecycle, collection is the first stage. Once
collected, data can be analyzed, used, stored, and disposed of at
the end of its useful life. Policies may be created at any time, and
organizations often have data before they have policies. Labels
are added to data during the analysis, usage, or retention cycle.

Question 9

Ben has been tasked with identifying security controls for
systems covered by his organization’s information classification
system. Why might Ben choose to use a security baseline?
A. It applies in all circumstances, allowing consistent security controls.
B. They are approved by industry standards bodies, preventing liability.
C. They provide a good starting point that can be tailored to organizational needs.
D. They ensure that systems are always in a secure state.

Answer 9

C. They provide a good starting point that can be tailored to organizational needs.

C. Security baselines provide a starting point to scope and tailor
security controls to your organization’s needs. They aren’t
always appropriate to specific organizational needs, they cannot
ensure that systems are always in a secure state, and they do not
prevent liability.

Question 10

Megan wants to prepare media to allow for its reuse in an
environment operating at the same sensitivity level. Which of
the following is the best option to meet her needs?
A. Clearing
B. Erasing
C. Purging
D. Sanitization

Answer 10

A. Clearing

A. Clearing describes preparing media for reuse. When media is
cleared, unclassified data is written over all addressable
locations on the media. Once that’s completed, the media can be
reused. Erasing is the deletion of files or media and may not
include all of the data on the device or media, making it the
worst choice here. Purging is a more intensive form of clearing
for reuse in lower-security areas, and sanitization is a series of
processes that removes data from a system or media while
ensuring that the data is unrecoverable by any means.

Question 11

Mikayla wants to identify data that should be classified that
already exists in her environment. What type of tool is best
suited to identifying data like Social Security numbers, credit
card numbers, and similar well-understood data formats?
A. Manual searching
B. A sensitive data scanning tool
C. An asset metadata search tool
D. A data loss prevention system (DLP)

Answer 11

B. A sensitive data scanning tool

B. Sensitive data scanning tools are designed to scan for and
flag sensitive data types using known formatting and structure.
Social Security numbers, credit card numbers, and other
regularly structured data that follows known rules can be
identified and then addressed as needed. Manual searching is a
massive undertaking for an organization with even a relatively
small amount of data; asset metadata needs to be set first and
would have already been identified; and a DLP system looks for
data that is in transit using rules rather than hunting down data
at rest and in storage.

Question 12

What issue is common to spare sectors and bad sectors on hard
drives as well as overprovisioned space on modern SSDs?
A. They can be used to hide data.
B. They can only be degaussed.
C. They are not addressable, resulting in data remanence.
D. They may not be cleared, resulting in data remanence.

Answer 12

D. They may not be cleared, resulting in data remanence.

D. Spare sectors, bad sectors, and space provided for wear
leveling on SSDs (overprovisioned space) may all contain data
that was written to the space that will not be cleared when the
drive is wiped. This is a form of data remanence and is a concern
for organizations that do not want data to potentially be
accessible. Many wiping utilities only deal with currently
addressable space on the drive. SSDs cannot be degaussed, and
wear leveling space cannot be reliably used to hide data. These
spaces are still addressable by the drive, although they may not
be seen by the operating system.

Question 13

Naomi knows that commercial data is typically classified based
on different criteria than government data. Which of the
following is not a common criterion for commercial data
classification?
A. Useful lifespan
B. Data value
C. Impact to national security
D. Regulatory or legal requirements

Answer 13

C. Impact to national security

C. Commercial data classification often takes into account the
value of the data, any regulatory or legal requirements that may
apply to the data, and how long the data is useful—its lifespan.
The impact to national security is more typically associated with
government classification schemes.

Question 14

Your organization regularly handles three types of data:
information that it shares with customers, information that it
uses internally to conduct business, and trade secret information
that offers the organization significant competitive advantages.
Information shared with customers is used and stored on web
servers, while both the internal business data and the trade
secret information are stored on internal file servers and
employee workstations.
What term best describes data that is resident in system
memory?
A. Data at rest
B. Buffered data
C. Data in use
D. Data in motion

Answer 14

C. Data in use

C. Data is often considered based on the data state that it is in.
Data can be at rest (on a drive or other storage medium), in use
and thus in memory or a buffer and often decrypted for use, or
in transit over a network. Data that is resident in system
memory is considered data in use.

Question 15

Your organization regularly handles three types of data:
information that it shares with customers, information that it
uses internally to conduct business, and trade secret information
that offers the organization significant competitive advantages.
Information shared with customers is used and stored on web
servers, while both the internal business data and the trade
secret information are stored on internal file servers and
employee workstations.
What technique could you use to mark your trade secret
information in case it was released or stolen and you need to
identify it?
A. Classification
B. Symmetric encryption
C. Watermarks
D. Metadata

Answer 15

C. Watermarks

C. A watermark is used to digitally label data and can be used to
indicate ownership, as well as to assist a digital rights
management (DRM) system in identifying data that should be
protected. Encryption would have prevented the data from being
accessed if it was lost, while classification is part of the set of
security practices that can help make sure the right controls are
in place. Finally, metadata is used to label data and might help a
data loss prevention system flag it before it leaves your
organization.

Question 16

Your organization regularly handles three types of data:
information that it shares with customers, information that it
uses internally to conduct business, and trade secret information
that offers the organization significant competitive advantages.
Information shared with customers is used and stored on web
servers, while both the internal business data and the trade
secret information are stored on internal file servers and
employee workstations.
What type of encryption is best suited for use on the file servers
for the proprietary data, and how might you secure the data
when it is in motion?
A. TLS at rest and AES in motion
B. AES at rest and TLS in motion
C. VPN at rest and TLS in motion
D. DES at rest and AES in motion

Answer 16

B. AES at rest and TLS in motion

B. AES is a strong modern symmetric encryption algorithm that
is appropriate for encrypting data at rest. TLS is frequently used
to secure data when it is in transit. A virtual private network is
not necessarily an encrypted connection and would be used for
data in motion, while DES is an outdated algorithm and should
not be used for data that needs strong security.

Question 17

What does labeling data allow a DLP system to do?
A. The DLP system can detect labels and apply appropriate protections based on rules.
B. The DLP system can adjust labels based on changes in the classification scheme.
C. The DLP system can modify labels to permit requested actions.
D. The DLP system can delete unlabeled data.

Answer 17

A. The DLP system can detect labels and apply appropriate protections based on rules.

A. Data loss prevention (DLP) systems can use labels on data to
determine the appropriate controls to apply to the data. Most
DLP systems won’t modify labels in real time and typically don’t
work directly with firewalls to stop traffic. Deleting unlabeled
data would cause big problems for organizations that haven’t
labeled every piece of data!

Question 18

Why is it cost effective to purchase high-quality media to contain
sensitive data?
A. Expensive media is less likely to fail.
B. The value of the data often far exceeds the cost of the media.
C. Expensive media is easier to encrypt.
D. More expensive media typically improves data integrity.

Answer 18

B. The value of the data often far exceeds the cost of the media.

B. The value of the data contained on media often exceeds the
cost of the media, making more expensive media that may have
a longer life span or additional capabilities like encryption
support a good choice. While expensive media may be less likely
to fail, the reason it makes sense is the value of the data, not just
that it is less likely to fail. In general, the cost of the media
doesn’t have anything to do with the ease of encryption, and
data integrity isn’t ensured by better media.

Question 19

Chris is responsible for workstations throughout his company
and knows that some of the company’s workstations are used to
handle both proprietary information and highly sensitive trade
secrets. Which option best describes what should happen at the
end of their life (EOL) for workstations he is responsible for?
A. Erasing
B. Clearing
C. Sanitization
D. Destruction

Answer 19

D. Destruction

D. Destruction is the most complete method of ensuring that
data cannot be exposed, and organizations often opt to destroy
either the drive or the entire workstation or device to ensure that
data cannot be recovered or exposed. Sanitization is a
combination of processes that ensure that data from a system
cannot be recovered by any means. Erasing and clearing are
both prone to mistakes and technical problems that can result in
remnant data and don’t make sense for systems that handled
proprietary information.

Question 20

Fred wants to classify his organization’s data using common
labels: private, sensitive, public, and proprietary. Which of the
following should he apply to his highest classification level based
on common industry practices?
A. Private
B. Sensitive
C. Public
D. Proprietary

Answer 20

D. Proprietary

D. Common practice makes proprietary or confidential data the
most sensitive data. Private data is internal business data that
shouldn’t be exposed but that doesn’t meet the threshold for
confidential or proprietary data. Sensitive data may help
attackers or otherwise create risk, and public data is just that—
data that is or can be made public.

Question 21

What scenario describes data at rest?
A. Data in an IPsec tunnel
B. Data in an e-commerce transaction
C. Data stored on a hard drive
D. Data stored in RAM

Answer 21

C. Data stored on a hard drive

C. Data at rest is inactive data that is physically stored. Data in
an IPsec tunnel or part of an e-commerce transaction is data in
motion. Data in RAM is ephemeral and is not inactive.

Question 22

If you are selecting a security standard for a Windows 10 system
that processes credit cards, what security standard is your best
choice?
A. Microsoft’s Windows 10 security baseline
B. The CIS Windows 10 baseline
C. PCI DSS
D. The NSA Windows 10 Secure Host Baseline

Answer 22

C. PCI DSS

C. The Payment Card Industry Data Security Standard (PCI
DSS) provides the set of requirements for credit card processing
systems. The Microsoft, NSA, and CIS baseline are all useful for
building a Windows 10 security standard, but the PCI DSS
standard is a better answer.

Question 23

The Center for Internet Security (CIS) works with subject matter
experts from a variety of industries to create lists of security
controls for operating systems, mobile devices, server software,
and network devices. Your organization has decided to use the
CIS benchmarks for your systems. Answer the following
questions based on this decision
The CIS benchmarks are an example of what practice?
A. Conducting a risk assessment
B. Implementing data labeling
C. Proper system ownership
D. Using security baselines

Answer 23

D. Using security baselines

D. The CIS benchmarks are an example of a security baseline. A
risk assessment would help identify which controls were needed,
and proper system ownership is an important part of making
sure baselines are implemented and maintained. Data labeling
can help ensure that controls are applied to the right systems
and data.

Question 24

The Center for Internet Security (CIS) works with subject matter
experts from a variety of industries to create lists of security
controls for operating systems, mobile devices, server software,
and network devices. Your organization has decided to use the
CIS benchmarks for your systems. Answer the following
questions based on this decision
Adjusting the CIS benchmarks to your organization’s mission
and your specific IT systems would involve what two processes?
A. Scoping and selection
B. Scoping and tailoring
C. Baselining and tailoring
D. Tailoring and selection

Answer 24

B. Scoping and tailoring

B. Scoping involves selecting only the controls that are
appropriate for your IT systems, while tailoring matches your
organization’s mission and the controls from a selected baseline.
Baselining is the process of configuring a system or software to
match a baseline or building a baseline itself. Selection isn’t a
technical term used for any of these processes.

Question 25

The Center for Internet Security (CIS) works with subject matter
experts from a variety of industries to create lists of security
controls for operating systems, mobile devices, server software,
and network devices. Your organization has decided to use the
CIS benchmarks for your systems. Answer the following
questions based on this decision
How should you determine which controls from the baseline
should be applied to a given system or software package?
A. Consult the custodians of the data.
B. Select based on the data classification of the data it stores or handles.
C. Apply the same controls to all systems.
D. Consult the business owner of the process the system or
data supports.

Answer 25

B. Select based on the data classification of the data it stores or handles.

B. The controls implemented from a security baseline should
match the data classification of the data used or stored on the
system. Custodians are trusted to ensure the day-to-day security
of the data and should do so by ensuring that the baseline is met
and maintained. Business owners often have a conflict of
interest between functionality and data security, and of course,
applying the same controls everywhere is expensive and may not
meet business needs or be a responsible use of resources.

Question 26

The company that Henry works for operates in the EU and
collects data about their customers. They send that data to a
third party to analyze and provide reports to help the company
make better business decisions. What term best describes the
third-party analysis company?
A. The data controller
B. The data owner
C. The data subject
D. The data processor

Answer 26

D. The data processor

D. The third-party company is a data processor—they process
data on behalf of Henry’s company, which is a data controller.
The data is collected about data subjects. Data owners are tasked
with making decisions about data, such as who receives access to
it and how it is used.

Question 27

The government defense contractor that Selah works for has
recently shut down a major research project and is planning on
reusing the hundreds of thousands of dollars of systems and
data storage tapes used for the project for other purposes. When
Selah reviews the company’s internal processes, she finds that
she can’t reuse the tapes and that the manual says they should
be destroyed. Why isn’t Selah allowed to degauss and then reuse
the tapes to save her employer money?
A. Data permanence may be an issue.
B. Data remanence is a concern.
C. The tapes may suffer from bitrot.
D. Data from tapes can’t be erased by degaussing.

Answer 27

B. Data remanence is a concern.

B. Many organizations require the destruction of media that
contains data at higher levels of classification. Often the cost of
the media is lower than the potential costs of data exposure, and
it is difficult to guarantee that reused media doesn’t contain
remnant data. Tapes can be erased by degaussing, but
degaussing is not always fully effective. Bitrot describes the slow
loss of data on aging media, while data permanence is a term
sometimes used to describe the life span of data and media.

Question 28

Information maintained about an individual that can be used to
distinguish or trace their identity is known as what type of
information?
A. Personally identifiable information (PII)
B. Personal health information (PHI)
C. Social Security number (SSN)
D. Secure identity information (SII)

Answer 28

A. Personally identifiable information (PII)

A. NIST Special Publication 800-122 defines PII as any
information that can be used to distinguish or trace an
individual’s identity, such as name, Social Security number, date
and place of birth, mother’s maiden name, biometric records,
and other information that is linked or linkable to an individual
such as medical, educational, financial, and employment
information. PHI is health-related information about a specific
person, Social Security numbers are issued to individuals in the
United States, and SII is a made-up term.

Question 29

Which of the following information security risks to data at rest
would result in the greatest reputational impact on an
organization?
A. Improper classification
B. Data breach
C. Decryption
D. An intentional insider threat

Answer 29

B. Data breach

B. Typically, data breaches cause the greatest reputational
damage as a result of threats to data at rest. Data at rest with a
high level of sensitivity is often encrypted to help prevent this.
Decryption is not as significant of a threat if strong encryption is
used and encryption keys are well secured. Insider threats are a
risk, but the majority of insider threat issues are unintentional
rather than intentional, making this risk less likely in most
organizations.

Question 30

Full disk encryption like Microsoft’s BitLocker is used to protect
data in what state?
A. Data in transit
B. Data at rest
C. Unlabeled data
D. Labeled data

Answer 30

B. Data at rest

B. Full disk encryption only protects data at rest. Since it
encrypts the full disk, it does not distinguish between labeled
and unlabeled data.

Question 31

The company that Katie works for provides its staff with mobile
phones for employee use, with new phones issued every two
years. What scenario best describes this type of practice when
the phones themselves are still usable and receiving operating
system updates?
A. EOL
B. Planned obsolescence
C. EOS
D. Device risk management

Answer 31

C. EOS

C. This is an example of an end-of-support (EOS) scenario. The
company is intentionally ending support and needs to address
what happens to the devices next—secure disposal, destruction,
or re-sale—depending on data security requirements and
policies set by the company. EOL is when a device or software is
no longer made or supported, in contrast to end of support,
which may be when it is no longer serviced, including via
patches, upgrades, or organizational maintenance. Planned
obsolescence and device risk management are not terms that are
used on the exam.

Question 32

What is the primary purpose of data classification?
A. It quantifies the cost of a data breach.
B. It prioritizes IT expenditures.
C. It allows compliance with breach notification laws.
D. It identifies the value of the data to the organization.

Answer 32

D. It identifies the value of the data to the organization.

D. Classification identifies the value of data to an organization.
This can often help drive IT expenditure prioritization and could
help with rough cost estimates if a breach occurred, but that’s
not the primary purpose. Finally, most breach laws call out
specific data types for notification rather than requiring
organizations to classify data themselves.

Question 33

Fred’s organization allows downgrading of systems for reuse
after projects have been finished and the systems have been
purged. What concern should Fred raise about the reuse of the
systems from his Top Secret classified project for a future
project classified as Secret?
A. The Top Secret data may be commingled with the Secret data, resulting in a need to relabel the system.
B. The cost of the sanitization process may exceed the cost of new equipment.
C. The data may be exposed as part of the sanitization process.
D. The organization’s DLP system may flag the new system due to the difference in data labels.

Answer 33

B. The cost of the sanitization process may exceed the cost of new equipment.

B. Downgrading systems and media is rare due to the difficulty
of ensuring that sanitization is complete. The need to completely
wipe (or destroy) the media that systems use means that the cost
of reuse is often significant and may exceed the cost of
purchasing a new system or media. The goal of purging is to
ensure that no data remains, so commingling data should not be
a concern, nor should the exposure of the data; only staff with
the proper clearance should handle the systems! Finally, a DLP
system should flag data based on labels, not on the system it
comes from.

Question 34

Which of the following concerns should not be part of the
decision when classifying data?
A. The cost to classify the data
B. The sensitivity of the data
C. The amount of harm that exposure of the data could cause
D. The value of the data to the organization

Answer 34

A. The cost to classify the data

A. Classification should be conducted based on the value of the
data to the organization, its sensitivity, and the amount of harm
that could result from exposure of the data. Cost should be
considered when implementing controls and is weighed against
the damage that exposure would create.

Question 35

Which of the following is the least effective method of removing
data from media?
A. Degaussing
B. Purging
C. Erasing
D. Clearing

Answer 35

C. Erasing

C. Erasing, which describes a typical deletion process in many
operating systems, typically removes only the link to the file and
leaves the data that makes up the file itself. The data will remain
in place but not indexed until the space is needed and it is
overwritten. Degaussing works only on magnetic media, but it
can be quite effective on it. Purging and clearing both describe
more elaborate removal processes.

Question 36

What encryption technology would be appropriate for HIPAA
documents in transit?
A. BitLocker
B. DES
C. TLS
D. SSL

Answer 36

C. TLS

C. TLS is a modern encryption method used to encrypt and
protect data in transit. BitLocker is a full disk encryption
technology used for data at rest. DES and SSL are both outdated
encryption methods and should not be used for data that
requires high levels of security.

Question 37

Amanda’s employer asks Amanda to classify patient X-ray data
that has an internal patient identifier associated with it but does
not have any way to directly identify a patient. The company’s
data owner believes that exposure of the data could cause
damage (but not exceptional damage) to the organization. How
should Amanda classify the data?
A. Public
B. Sensitive
C. Private
D. Confidential

Answer 37

C. Private

C. We know that the data classification will not be the top-level
classification of Confidential because the loss of the data would
not cause severe damage. This means we have to choose
between private (PHI) and sensitive (confidential). Calling this
private due to the patient’s personal health information fits the
classification scheme, giving us the correct answer.

Question 38

What technology could Amanda’s employer implement to help
prevent confidential data from being emailed out of the
organization?
A. DLP
B. IDS
C. A firewall
D. UDP

Answer 38

A. DLP

A. A data loss prevention (DLP) system or software is designed
to identify labeled data or data that fits specific patterns and
descriptions to help prevent it from leaving the organization. An
IDS is designed to identify intrusions. Although some IDS
systems can detect specific types of sensitive data using pattern
matching, they have no ability to stop traffic. A firewall uses
rules to control traffic routing, while UDP is a network protocol.

Question 39

Jacob’s organization uses the US government’s data
classification system, which includes Top Secret, Secret,
Confidential, and Unclassified ratings (from most sensitive to
least). Jacob encounters a system that contains Secret,
Confidential, and Top Secret data. How should it be classified?
A. Top Secret
B. Confidential
C. Secret
D. Mixed classification

Answer 39

A. Top Secret

A. When data is stored in a mixed classification environment, it
is typically classified based on the highest classification of data
included. In this case, the US government’s highest classification
is Top Secret. Mixed classification is not a valid classification in
this scheme.

Question 40

Elle is planning her organization’s asset retention efforts and
wants to establish when the company will remove assets from
use. Which of the following is typically the last event in a
manufacturer or software provider’s lifecycle?
A. End of life
B. End of support
C. End of sales
D. General availability

Answer 40

B. End of support

B. The end of support of a device or product typically occurs
after the end of life and end of sales. Support may continue for a
period of months or even years, but eventually support stops
too. General availability is found during the main part of a
lifecycle, rather than at the end, and helps note when the
product is out of testing and can be acquired or used by
customers or others instead of specific groups like beta testers or
early release partners.

Question 41

Amanda has been asked to ensure that her organization’s
controls assessment procedures match the specific systems that
the company uses. What activity best matches this task?
A. Asset management
B. Compliance
C. Scoping
D. Tailoring

Answer 41

D. Tailoring

D. Tailoring ensures that assessment methods are appropriate
to the systems, services, and other assets that are being
validated and is the best answer here. Scoping is a related term
and involves setting the boundaries of security control
implementations. Asset management involves how assets are
overseen throughout their lifecycle, and compliance is a broad
term that describes ensuring that regulations, contractual terms,
or other requirements are met.

Question 42

Chris is responsible for his organization’s security standards and
has guided the selection and implementation of a security
baseline for Windows PCs in his organization. How can Chris
most effectively make sure that the workstations he is
responsible for are being checked for compliance and that
settings are being applied as necessary?
A. Assign users to spot-check baseline compliance.
B. Use Microsoft Group Policy.
C. Create startup scripts to apply policy at system start.
D. Periodically review the baselines with the data owner and
system owners.

Answer 42

B. Use Microsoft Group Policy.

B. Group Policy provides the ability to monitor and apply
settings in a security baseline. Manual checks by users and using
startup scripts provide fewer reviews and may be prone to
failure, while periodic review of the baseline won’t result in
compliance being checked.

Question 43

Frank is reviewing his company’s data lifecycle and wants to
place appropriate controls around the data collection phase.
Which of the following ensures that data subjects agree to the
processing of their data?
A. Retention
B. Consent
C. Certification
D. Remanence

Answer 43

B. Consent

B. Providing consent, or agreeing to data collection and use, is
important in many data collection scenarios and may be
required by law. Remanence occurs when data remains in place,
sometimes inadvertently, after it should have been removed or
disposed of. Retention is the intentional process of keeping and
managing data. Certification is not a data lifecycle process
element.

Question 44

As a DBA, Amy’s data role in her organization includes technical
implementations of the data policies and standards, as well as
managing the data structures that the data is stored in. What
data role best fits what Amy does?
A. Data custodian
B. Data owner
C. Data processor
D. Data user

Answer 44

A. Data custodian

A. Amy is a data custodian and is responsible for the technical
environment, including things like database structures and the
technical implementations of data policies. Some organizations
may overlap other data roles, including data controllers or data
stewards, but the best answer here is a data custodian. Amy is
not a data user and is not a data processor who uses the data on
behalf of a data controller

Question 45

The company Jim works for suffered from a major data breach
in the past year and now wants to ensure that it knows where
data is located and if it is being transferred, is being copied to a
thumb drive, or is in a network file share where it should not be.
Which of the following solutions is best suited to tagging,
monitoring, and limiting where files are transferred to?
A. DRM
B. DLP
C. A network IPS
D. Antiviru

Answer 45

B. DLP

B. A data loss prevention (DLP) system can tag, monitor, and
limit where files are transferred to. Jim’s company may also
elect to use digital rights management tools in combination with
a data loss prevention system, but DRM controls how data can
be used, not where files are transferred to or where they exist at
any point in time in most cases. An intrusion prevention system
(IPS) may be able to detect files that are being sent across a
network but won’t stop files from being copied on workstations
or thumb drives. Antivirus is not designed for this purpose.

Question 46

What security measure can provide an additional security
control in the event that backup tapes are stolen or lost?
A. Keep multiple copies of the tapes.
B. Replace tape media with hard drives.
C. Use appropriate security labels.
D. Use AES-256 encryption.

Answer 46

D. Use AES-256 encryption.

D. Using strong encryption, like AES-256, can help ensure that
loss of removable media like tapes doesn’t result in a data
breach. Security labels may help with handling processes, but
they won’t help once the media is stolen or lost. Having multiple
copies will ensure that you can still access the data but won’t
increase the security of the media. Finally, using hard drives
instead of tape only changes the media type and not the risk
from theft or loss.

Question 47

Joe works at a major pharmaceutical research and development
company and has been tasked with writing his organization’s
data retention policy. As part of its legal requirements, the
organization must comply with the US Food and Drug
Administration’s Code of Federal Regulations Title 21. To do so,
it is required to retain records with electronic signatures. Why
would a signature be part of a retention requirement?
A. It ensures that someone has reviewed the data.
B. It provides confidentiality.
C. It ensures that the data has been changed.
D. It validates who approved the data.

Answer 47

D. It validates who approved the data.

D. Electronic signatures, as used in this rule, prove that the
signature was provided by the intended signer. Electronic
signatures as part of the FDA code are intended to ensure that
electronic records are “trustworthy, reliable, and generally
equivalent to paper records and handwritten signatures
executed on paper.” Signatures cannot provide confidentiality or
integrity and don’t ensure that someone has reviewed the data.

Question 48

Susan wants to manage her data’s lifecycle based on retention
rules. What technique can she use to ensure that data that has
reached the end of its lifecycle can be identified and disposed of
based on her organization’s disposal processes?
A. Rotation
B. DRM
C. DLP
D. Tagging

Answer 48

D. Tagging

D. Tags that include information about the life span of the data
and when it has expired can help with lifecycle management
processes. Tags can be as simple as timestamps, or they can
include additional metadata like the data type, creator, or
purpose that can help inform the retention and disposal process.
Rotation of files like logs is commonly done to limit how much
space they take up, but rotation itself does not address disposal
requirements and information that would guide the disposal
process. DRM, or digital rights management, and DLP, or data
loss prevention, both address data security and use but not
disposal.

Question 49

Ben has been asked to scrub data to remove data that is no
longer needed by his organization. What phase of the data
lifecycle is Ben most likely operating in?
A. Data retention
B. Data maintenance
C. Data remanence
D. Data collection

Answer 49

B. Data maintenance

B. During the data maintenance phase of a typical data lifecycle,
activities like data scrubbing occur to remove unneeded,
incorrect, or out-of-date data. Data retention is not a phase;
instead, it is a decision that organizations make based on
requirements, laws, or their own needs. Data remanence is also
not a phase. Data remanence describes the problem of data that
remains after data is removed. Finally, in the data collection
phase, data is acquired and may be scrubbed, but the question
describes a process occurring after data is no longer needed, not
during acquisition.

Question 50

Steve is concerned about the fact that employees leaving his
organization were often privy to proprietary information. Which
one of the following controls is most effective against this
threat?
A. Sanitization
B. NDAs
C. Clearing
D. Encryption

Answer 50

B. NDAs

B. Nondisclosure agreements (NDAs) are used to enforce
confidentiality agreements with employees and may remain in
effect even after an employee leaves the organization. Other
controls, such as sanitization, clearing, and encryption, would
not be effective against information in an employee’s memory.

Question 51

Alex works for a government agency that is required to meet US
federal government requirements for data security. To meet
these requirements, Alex has been tasked with making sure data
is identifiable by its classification level when it is created. What
should Alex do to the data?
A. Classify the data.
B. Encrypt the data.
C. Label the data.
D. Apply DRM to the data.

Answer 51

C. Label the data.

C. Data labels are crucial to identify the classification level of
information contained on the media, and labeling data at
creation helps to ensure that it is properly handled throughout
its lifecycle. Digital rights management (DRM) tools provide
ways to control how data is used, while encrypting it can help
maintain the confidentiality and integrity of the data. Classifying
the data is necessary to label it, but it doesn’t automatically place
a label on the data

Question 52

Ben is following the National Institute of Standards and
Technology (NIST) Special Publication 800-88 guidelines for
sanitization and disposition. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need
to follow?
A. Destroy, validate, document
B. Clear, purge, document
C. Purge, document, validate
D. Purge, validate, document

Answer 52

D. Purge, validate, document

D. The NIST SP 800-88 process for sanitization and disposition
shows that media that will be reused and was classified at a
moderate level should be purged and then that purge should be
validated. Finally, it should be documented.

Question 53

What methods are often used to protect data in transit?
A. Telnet, ISDN, UDP
B. BitLocker, FileVault
C. AES, Serpent, IDEA
D. TLS, VPN, IPsec

Answer 53

D. TLS, VPN, IPsec

D. Data in transit is data that is traversing a network or is
otherwise in motion. TLS, VPNs, and IPsec tunnels are all
techniques used to protect data in transit. AES, Serpent, and
IDEA are all symmetric algorithms, while Telnet, ISDN, and
UDP are all protocols. BitLocker and FileVault are both used to
encrypt data, but they protect only stored data, not data in
transit.

Question 54

Which one of the following data roles bears ultimate
organizational responsibility for data?
A. System owners
B. Business owners
C. Data owners
D. Mission owners

Answer 54

C. Data owners

C. The data owner has ultimate responsibility for data belonging
to an organization and is typically the CEO, president, or
another senior employee. Business and mission owners typically
own processes or programs. System owners own a system that
processes sensitive data.

Question 55

Shandra wants to secure an encryption key. Which location
would be the most difficult to protect, if the key was kept and
used in that location?
A. On a local network
B. On disk
C. In memory
D. On a public network

Answer 55

C. In memory

C. The most difficult location to secure for encryption keys and
similar highly sensitive information is in active memory because
the data needs to be decrypted to be used. When data is at rest
on a drive or in transit via either a local or public network, it can
be encrypted until it reaches its destination, and you can use
strong encryption in each of those circumstances.

Question 56

Chris has recently been hired into a new organization. The
organization that Chris belongs to uses the following
classification process:
1. Criteria are set for classifying data.
2. Data owners are established for each type of data.
3. Data is classified.
4. Required controls are selected for each classification.
5. Baseline security standards are selected for the
organization.
6. Controls are scoped and tailored.
7. Controls are applied and enforced.
8. Access is granted and managed.

If Chris is one of the data owners for the organization, what
steps in this process is he most likely responsible for?
A. He is responsible for steps 3, 4, and 5.
B. He is responsible for steps 1, 2, and 3.
C. He is responsible for steps 5, 6, and 7.
D. All of the steps are his direct responsibility.

Answer 56

A. He is responsible for steps 3, 4, and 5.

A. Chris is most likely to be responsible for classifying the data
that he owns as well as assisting with or advising the system
owners on security requirements and control selection. In an
organization with multiple data owners, Chris is unlikely to set
criteria for classifying data on his own. As a data owner, Chris
will also not typically have direct responsibility for scoping,
tailoring, applying, or enforcing those controls

Question 57

Chris has recently been hired into a new organization. The
organization that Chris belongs to uses the following
classification process:
1. Criteria are set for classifying data.
2. Data owners are established for each type of data.
3. Data is classified.
4. Required controls are selected for each classification.
5. Baseline security standards are selected for the
organization.
6. Controls are scoped and tailored.
7. Controls are applied and enforced.
8. Access is granted and managed.

Chris manages a team of system administrators. What data role
are they fulfilling if they conduct steps 6, 7, and 8 of the
classification process?
A. They are system owners and administrators.
B. They are administrators and custodians.
C. They are data owners and administrators.
D. They are custodians and users.

Answer 57

B. They are administrators and custodians.

B. The system administrators are acting in the roles of data
administrators who grant access and will also act as custodians
who are tasked with the day-to-day application of security
controls. They are not acting as data owners who own the data
itself. Typically, system administrators are delegated authority
by system owners, such as a department head, and of course
they are tasked with providing access to users.

Question 58

Chris has recently been hired into a new organization. The
organization that Chris belongs to uses the following
classification process:
1. Criteria are set for classifying data.
2. Data owners are established for each type of data.
3. Data is classified.
4. Required controls are selected for each classification.
5. Baseline security standards are selected for the
organization.
6. Controls are scoped and tailored.
7. Controls are applied and enforced.
8. Access is granted and managed.

If Chris’s company operates in the European Union and has
been contracted to handle the data for a third party, what role is
his company operating in when it uses this process to classify
and handle data?
A. Business owners
B. Mission owners
C. Data processors
D. Data administrators

Answer 58

C. Data processors

C. Third-party organizations that process personal data on
behalf of a data controller are known as data processors. The
organization that they are contracting with would act in the role
of the business or mission owners, and others within Chris’s
organization would have the role of data administrators,
granting access as needed to the data based on their operational
procedures and data classification.

Question 59

Chris has been put in charge of his organization’s IT service
management effort, and part of that effort includes creating an
inventory of both tangible and intangible assets. As a security
professional, you have been asked to provide Chris with
security-related guidance on each of the following topics. Your
goal is to provide Chris with the best answer from each of the
options, knowing that in some cases more than one of the
answers could be acceptable.
Chris needs to identify all of the active systems and devices on
the network. Which of the following techniques will give him the
most complete list of connected devices?
A. Query Active Directory for a list of all computer objects.
B. Perform a port scan of all systems on the network.
C. Ask all staff members to fill out a form listing all of their systems and devices.
D. Use network logs to identify all connected devices and track them down from there.

Answer 59

D. Use network logs to identify all connected devices and track them down from there.

D. While it can be a lot of work, the most complete inventory of
active systems and devices can be created by determining what
is connected to the network and then finding those assets. Port
scans can help to find some systems, but firewalls and other
security solutions can prevent systems from being discovered.
Staff may not know about all of the systems and devices on the
network or may presume that someone else will provide
information about shared resources such as printers, security
cameras, or other devices. Active Directory is unlikely to contain
all devices, particularly if an inventory is needed!

Question 60

Chris has been put in charge of his organization’s IT service
management effort, and part of that effort includes creating an
inventory of both tangible and intangible assets. As a security
professional, you have been asked to provide Chris with
security-related guidance on each of the following topics. Your
goal is to provide Chris with the best answer from each of the
options, knowing that in some cases more than one of the
answers could be acceptable.
Chris knows that his inventory is only accurate at the moment it
was completed. How can he best ensure that it remains up-todate?
A. Perform a point-in-time query of network connected devices and update the list based on what is found.
B. Ensure that procurement and acquisition processes add new devices to the inventory before they are deployed.
C. Require every employee to provide an updated inventory of devices they are responsible for on a quarterly basis.
D. Manually verify every device in service at each organizational location on a yearly basis.

Answer 60

B. Ensure that procurement and acquisition processes add new devices to the inventory before they are deployed.

B. In most organizations, changing processes so that new
systems and devices are added to inventory before they are
deployed is the first step in making sure asset inventories are
current. Yearly or quarterly updates are too infrequent for most
organizations and will lead to gaps as devices are forgotten.

Question 61

Chris has been put in charge of his organization’s IT service
management effort, and part of that effort includes creating an
inventory of both tangible and intangible assets. As a security
professional, you have been asked to provide Chris with
security-related guidance on each of the following topics. Your
goal is to provide Chris with the best answer from each of the
options, knowing that in some cases more than one of the
answers could be acceptable.
Chris knows that his organization has more than just physical
assets. In fact, his organization’s business involves significant
intellectual property assets, including designs and formulas.
Chris needs to track and inventory those assets as well. How can
he most effectively ensure that he can identify and manage data
throughout his organization based on its classification or type?
A. Track file extensions for common data types.
B. Ensure that data is collected in specific network share locations based on the data type and group that works with it.
C. Use metadata tagging based on data type or security level.
D. Automatically tag data by file extension type.

Answer 61

C. Use metadata tagging based on data type or security level.

C. Chris should use metadata tagging to allow him to use
technical tools like DLP and DRM to handle and track data
based on its type and content. File extensions do not reveal data
security or type, and relying on network share locations to
secure data or inventory will lead to gaps in security as files are
moved, copied, or stored locally.

Question 62

Chris has been put in charge of his organization’s IT service
management effort, and part of that effort includes creating an
inventory of both tangible and intangible assets. As a security
professional, you have been asked to provide Chris with
security-related guidance on each of the following topics. Your
goal is to provide Chris with the best answer from each of the
options, knowing that in some cases more than one of the
answers could be acceptable.
Chris has been tasked with identifying intangible assets but
needs to provide his team with a list of the assets they will be
inventorying. Which of the following is not an example of an
intangible asset?
A. Patents
B. Databases
C. Formulas
D. Employees

Answer 62

D. Employees

D. Patents, databases, and formulas are all examples of
intangible assets. Tangible assets include things like hardware,
cables, and buildings. Personnel assets include employees, and
most organizations would be quite concerned if their employees
were intangible!

Question 63

Which of the following is not a common requirement for the
collection of data under data privacy laws and statutes?
A. Only data that is needed is collected.
B. Data should be obtained lawfully and via fair methods.
C. Data should only be collected with the consent of the
individual whose data is being collected.
D. Data should be collected from all individuals equally

Answer 63

D. Data should be collected from all individuals equally

D. There is no requirement that data collection be equal or
equivalent. Instead, data collection statutes and other
requirements often require that only required data is collected,
that individuals are made aware of the data collection, and that
they consent to the collection. Similarly, data should only be
collected lawfully and via fair methods.

Question 64

Susan works in an organization that labels all removable media
with the classification level of the data it contains, including
public data. Why would Susan’s employer label all media instead
of labeling only the media that contains data that could cause
harm if it was exposed?
A. It is cheaper to order all prelabeled media.
B. It prevents sensitive media from not being marked by
mistake.
C. It prevents reuse of public media for sensitive data.
D. Labeling all media is required by HIPAA

Answer 64

B. It prevents sensitive media from not being marked by
mistake.

B. Requiring all media to have a label means that when
unlabeled media is found, it should immediately be considered
suspicious. This helps to prevent mistakes that might leave
sensitive data unlabeled. Prelabeled media is not necessarily
cheaper (nor may it make sense to buy!), while reusing public
media simply means that it must be classified based on the data
it now contains. HIPAA does not have specific media labeling
requirements.

Question 65

Data stored in RAM is best characterized as what type of data?
A. Data at rest
B. Data in use
C. Data in transit
D. Data at larg

Answer 65

B. Data in use

B. Data in use is data that is in a temporary storage location
while an application or process is using it. Thus, data in memory
is best described as data in use or ephemeral data. Data at rest is
in storage, while data in transit is traveling over a network or
other channel. Data at large is a made-up term.

Question 66

What issue is the validation portion of the NIST SP 800-88
sample certificate of sanitization intended to help
prevent?
A. Destruction
B. Reuse
C. Data remanence
D. Attribution

Answer 66

C. Data remanence

C. Validation processes are conducted to ensure that the
sanitization process was completed, avoiding data remanence. A
form like this one helps to ensure that each device has been
checked and that it was properly wiped, purged, or sanitized.
This can allow reuse, does not prevent destruction, and does not
help with attribution, which is a concept used with encryption to
prove who created or sent a file

Question 67

Why is declassification rarely chosen as an option for media
reuse?
A. Purging is sufficient for sensitive data.
B. Sanitization is the preferred method of data removal.
C. It is more expensive than new media and may still fail.
D. Clearing is required first.

Answer 67

C. It is more expensive than new media and may still fail.

C. Ensuring that data cannot be recovered is difficult, and the
time and effort required to securely and completely wipe media
as part of declassification can exceed the cost of new media.
Sanitization, purging, and clearing may be part of
declassification, but they are not reasons that it is not frequently
chosen as an option for organizations with data security
concerns.

Question 68

Incineration, crushing, shredding, and disintegration all
describe what stage in the lifecycle of media?
A. Sanitization
B. Degaussing
C. Purging
D. Destruction

Answer 68

D. Destruction

D. Destruction is the final stage in the lifecycle of media and can
be done via disintegration, incineration, or a variety of other
methods that result in the media and data being nonrecoverable.
Sanitization is a combination of processes used when data is
being removed from a system or media. Purging is an intense
form of clearing, and degaussing uses strong magnetic fields to
wipe data from magnetic media.

Question 69

What term is used to describe information like prescriptions and
X-rays?
A. PHI
B. Proprietary data
C. PID
D. PII

Answer 69

A. PHI

A. PHI is protected health information. Personally identifiable
information (PII) is any information that can identify an
individual. Proprietary data is information that helps
organizations maintain a competitive edge or that they want to
keep to their own organization or a controlled set of individuals.
PID is not a term used for data classification.

Question 70

Why might an organization use unique screen backgrounds or
designs on workstations that deal with data of different
classification levels?
A. To indicate the software version in use
B. To promote a corporate message
C. To promote availability
D. To indicate the classification level of the data or system

Answer 70

D. To indicate the classification level of the data or system

D. Handling requirements and tools include visual indicators
like a distinctive screen background and can help employees
remember what level of classification they are dealing with and
thus the handling requirements that they are expected to follow.

Question 71

Charles has been asked to downgrade the media used for storage
of private data for his organization. What process should Charles
follow?
A. Degauss the drives, and then relabel them with a lower classification level.
B. Pulverize the drives, and then reclassify them based on the data they contain.
C. Follow the organization’s purging process, and then downgrade and replace labels.
D. Relabel the media, and then follow the organization’s purging process to ensure that the media matches the label.

Answer 71

C. Follow the organization’s purging process, and then downgrade and replace labels.

C. If an organization allows media to be downgraded, the
purging process should be followed, and then the media should
be relabeled. Degaussing may be used for magnetic media but
won’t handle all types of media. Pulverizing would destroy the
media, preventing reuse, while relabeling first could lead to
mistakes that result in media that hasn’t been purged entering
use.

Question 72

Which of the following tasks is not performed by a system owner
per NIST SP 800-18?
A. Develops a system security plan
B. Establishes rules for appropriate use and protection of data
C. Identifies and implements security controls
D. Ensures that system users receive appropriate security
training

Answer 72

B. Establishes rules for appropriate use and protection of data

B. The data owner sets the rules for use and protection of data.
The remaining options all describe tasks for the system owner,
including implementation of security controls.

Question 73

NIST SP 800-60 provides a process to assess information systems. What process does this diagram show?
Source: NIST SP 800-60.
A. Selecting a standard and implementing it
B. Categorizing and selecting controls
C. Baselining and selecting controls
D. Categorizing and sanitizing

Requires Graphic

Answer 73

B. Categorizing and selecting controls

B. In the NIST SP 800-60 diagram, the process determines
appropriate categorization levels resulting in security
categorization and then uses that as an input to determine
controls. Standard selection would occur at an organizational
level, while baselining occurs when systems are configured to
meet a baseline. Sanitization would require the intentional
removal of data from machines or media.

Question 74

Which letters on this diagram are locations where you might
find data at rest?
A=Workstation, C=Internet, E=Server
A. A, B, and C
B. C and E
C. A and E
D. B, D, and F

Answer 74

C. A and E

C. A and E can both be expected to have data at rest. C, the
internet, is an unknown, and the data can’t be guaranteed to be
at rest. B, D, and F are all data in transit across network links.

Question 75

What would be the best way to secure data at points B, D, and F?
These are connections between computers.
A. AES-256
B. SSL
C. TLS
D. 3DES

Answer 75

B. SSL
D. 3DES

C. B, D, and F all show network links. Of the answers provided,
Transport Layer Security (TLS) provides the best security for
data in motion. AES-256 and 3DES are both symmetric ciphers
and are more likely to be used for data at rest. SSL has been
replaced with TLS and should not be a preferred solution

Question 76

What is the best way to secure files that are sent from
workstation A via the internet service (C) to remote server E?
A. Use AES at rest at point A, and use TLS in transit via B and D.
B. Encrypt the data files and send them.
C. Use 3DES and TLS to provide double security.
D. Use full disk encryption at A and E, and use SSL at B and D

Answer 76

What is the best way to secure files that are sent from

B. Sending a file that is encrypted before it leaves means that exposure of the file in transit will not result in a confidentiality breach and the file will remain secure until decrypted at location E. Since answers A, C, and D do not provide any information about what happens at point C, they should be considered insecure, as the file may be at rest at point C in an unencrypted form.

Question 77

Susan needs to provide a set of minimum security requirements
for email. What steps should she recommend for her
organization to ensure that the email remains secure?
A. All email should be encrypted.
B. All email should be encrypted and labeled.
C. Sensitive email should be encrypted and labeled.
D. Only highly sensitive email should be encrypted.

Answer 77

Susan needs to provide a set of minimum security requirements

C. Encrypting and labeling sensitive email will ensure that it
remains confidential and can be identified. Performing these
actions only on sensitive email will reduce the cost and effort of
encrypting all email, allowing only sensitive email to be the
focus of the organization’s efforts. Only encrypting highly
sensitive email not only skips labeling but might expose other
classifications of email that shouldn’t be exposed.

Question 78

How can a data retention policy reduce liabilities?
A. By reducing the amount of storage in use
B. By limiting the number of data classifications
C. By reducing the amount of data that may need to be produced for lawsuits
D. By reducing the legal penalties for noncompliance

Answer 78

C. By reducing the amount of data that may need to be produced for lawsuits

C. Data retention policies can reduce the amount of old logs and
other files that may need to be produced during a legal case.
That can reduce organizational risk, but retention policies need
to be in place well before a legal hold is filed. Reducing storage
in use does not reduce liability, but it can reduce financial costs,
and data retention policies don’t tend to limit the number of
classifications in use. Legal penalties are not impacted by a
retention policy.

Question 79

What data role does a system that is used to process data have?
A. Mission owner
B. Data owner
C. Data processor
D. Custodian

Answer 79

C. Data processor

C. Systems used to process data are data processors. Data
owners are typically CEOs or other very senior staff, custodians
are granted rights to perform day-to-day tasks when handling
data, and mission owners are typically program or information
system owners.

Question 80

Which one of the following is not considered PII under US
federal government regulations?
A. Name
B. Social Security number
C. Student ID number
D. ZIP code

Answer 80

D. ZIP code

D. Personally identifiable information includes any information
that can uniquely identify an individual. This would include
name, Social Security number, and any other unique identifier
(including a student ID number). ZIP code, by itself, does not
uniquely identify an individual.

Question 81

What type of health information is the Health Insurance
Portability and Accountability Act required to protect?
A. PII
B. PHI
C. SHI
D. HPHI

Answer 81

B. PHI

B. Protected health information, or PHI, includes a variety of
data in multiple formats, including oral and recorded data, such
as that created or received by healthcare providers, employers,
and life insurance providers. PHI must be protected by HIPAA.
PII is personally identifiable information. SHI and HPHI are
both made-up acronyms.

Question 82

The system that Ian has built replaces data in a database field
with a randomized string of characters that remains the same
for each instance of that data. What technique has he used?
A. Data masking
B. Tokenization
C. Anonymization
D. DES

Answer 82

B. Tokenization

B. Tokenization replaces other data with a random string of
characters. These tokens are then matched to the actual values
for secure lookups as needed. Anonymization removes all
personally identifiable data to ensure that the original subject
cannot be identified. Data masking obscures some, but not all,
data. Pseudonymization uses a pseudonym or alias to replace
other information.

Question 83

Juanita’s company processes credit cards and wants to select
appropriate data security standards. What data security
standard is she most likely to need to use and comply with?
A. CC-Comply
B. PCI-DSS
C. GLBA
D. GDPR

Answer 83

B. PCI-DSS

B. The Payment Card Industry Data Security Standard, or PCIDSS, is a credit card industry data security standard that defines
how businesses must handle information related to credit cards.
CC-Comply was made up for this question. GLBA, or GrammLeach-Bliley, modernized financial institution standards, and
GDPR is an EU data privacy regulation.

Question 84

What is the best method to sanitize a solid-state drive (SSD)?
A. Clearing
B. Zero fill
C. Disintegration
D. Degaussing

Answer 84

C. Disintegration

C. Due to problems with remnant data, the U.S. National
Security Agency requires physical destruction of SSDs. This
process, known as disintegration, results in very small fragments
via a shredding process. Zero fill wipes a drive by replacing data
with zeros, degaussing uses magnets to wipe magnetic media,
and clearing is the process of preparing media for reuse.

Question 85

Step 1: Categorize Information Systems
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Monitor Security Controls
What data role will own responsibility for step 1, the categorization of information systems; to whom will they delegate step 2; and what data role will be responsible for step 3?
A. Data owners, system owners, custodians
B. Data processors, custodians, users
C. Business owners, administrators, custodians
D. System owners, business owners, administrators

Answer 85

A. Data owners, system owners, custodians

A. The data owner bears responsibility for categorizing
information systems and delegates selection of controls to
system owners, while custodians implement the controls. Users
don’t perform any of these actions, while business owners are
tasked with ensuring that systems are fulfilling their business
purpose

Question 86

Step 1: Categorize Information Systems
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Monitor Security Controls
If the systems that are being assessed all handle credit card
information (and no other sensitive data), at what step would
the PCI DSS first play an important role?
A. Step 1
B. Step 2
C. Step 3
D. Step 4

Answer 86

B. Step 2

B. PCI DSS provides a set of required security controls and
standards. Step 2 would be guided by the requirements of PCI
DSS. PCI DSS will not greatly influence step1 because all of the
systems handle credit card information, making PCI DSS apply
to all systems covered. Steps 3 and 4 will be conducted after PCI
DSS has guided the decisions in step 2.

Question 87

Step 1: Categorize Information Systems
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Monitor Security Controls
What data security role is primarily responsible for step 5?
A. Data owners
B. Data processors
C. Custodians
D. Users

Answer 87

C. Custodians

C. Custodians are tasked with the day-to-day monitoring of the
integrity and security of data. Step 5 requires monitoring, which
is a custodial task. A data owner may grant rights to custodians
but will not be responsible for conducting monitoring. Data
processors process data on behalf of the data controller, and a
user simply uses the data via a computing system.

Question 88

Susan’s organization performs a secure disk wipe process on
hard drives before they are sent to a third-party organization to
be shredded. What issue is her organization attempting to
avoid?
A. Data retention that is longer than defined in policy
B. Mishandling of drives by the third party
C. Classification mistakes
D. Data permanence

Answer 88

B. Mishandling of drives by the third party

B. Susan’s organization is limiting its risk by sending drives that
have been sanitized before they are destroyed. This limits the
possibility of a data breach if drives are mishandled by the third
party, allowing them to be stolen, resold, or simply copied. The
destruction of the drives will handle any issues with data
remanence, while classification mistakes are not important if the
drives have been destroyed. Wiping the data before destruction
does not make a meaningful difference for data retention policy
concerns. Data permanence and the life span of the data are not
important on a destroyed drive.

Question 89

Mike wants to track hardware assets as devices and equipment
are moved throughout his organization. What type of system can
help do this without requiring staff to individually check bar
codes or serial numbers?
A. A visual inventory
B. WiFi MAC address tracking
C. RFID tags
D. Steganography

Answer 89

C. RFID tags are a common solution for tracking hardware
assets and equipment. They can be queried wirelessly at varying
ranges depending on the tags and may be built-in to hand-held
readers or even included in doorways or arches to track items as
they enter or leave a facility. Visual inventory relies on staff
checking items, MAC addresses are hardware addresses for
networked devices and not every asset in inventory is likely to
have a wireless network capability—or to be on! Steganography
is hiding messages in images and doesn’t help at all with
inventory.

Question 90

Retaining and maintaining information for as long as it is
needed is known as what?
A. Data storage policy
B. Data storage
C. Asset maintenance
D. Record retention

Answer 90

D. Record retention

D. Record retention is the process of retaining and maintaining
information for as long as it is needed. A data storage policy
describes how and why data is stored, while data storage is the
process of actually keeping the data. Asset maintenance is a
noninformation-security-related process for maintaining
physical assets.

Question 91

Which of the following activities is not a consideration during
data classification?
A. Who can access the data
B. What the impact would be if the data was lost or breached
C. How much the data cost to create
D. What protection regulations may be required for the data

Answer 91

C. How much the data cost to create

C. The cost of the data is not directly included in the
classification process. Instead, the impact to the organization if
the data were exposed or breached is considered. Who can
access the data and what regulatory or compliance requirements
cover the data are also important considerations.

Question 92

What type of encryption is typically used for data at rest?
A. Asymmetric encryption
B. Symmetric encryption
C. DES
D. OTP

Answer 92

B. Symmetric encryption

B. Symmetric encryption like AES is typically used for data at
rest. Asymmetric encryption is often used during transactions or
communications when the ability to have public and private keys
is necessary. DES is an outdated encryption standard, and OTP
is the acronym for onetime password.

Question 93

Which data role is tasked with apply rights that provide
appropriate access to staff members?
A. Data processors
B. Business owners
C. Custodians
D. Administrators

Answer 93

D. Administrators

D. Administrators have the rights to apply the permissions to
access and handle data. Custodians are trusted with day-to-day
data handling tasks. Business owners are typically system or
project owners, and data processors are systems used to process
data.

Question 94

What element of asset security is often determined by
identifying an asset’s owner?
A. It identifies the individual(s) responsible for protecting the asset.
B. It provides a law enforcement contact in case of theft.
C. It helps establish the value of the asset.
D. It determines the security classification of the asset.

Answer 94

A. It identifies the individual(s) responsible for protecting the asset.

A. Knowing the asset’s owner also tells you who is responsible
for protecting the asset or for delegating that task. While asset
owners may be law enforcement contacts, this is not a critical
item for asset security. It does not directly help you to establish
the value of the asset or to set security classification levels for an
asset.

Question 95

Fred is preparing to send backup tapes off-site to a secure thirdparty storage facility. What steps should Fred take before
sending the tapes to that facility?
A. Ensure that the tapes are handled the same way the original media would be handled based on their classification.
B. Increase the classification level of the tapes because they are leaving the possession of the company.
C. Purge the tapes to ensure that classified data is not lost.
D. Decrypt the tapes in case they are lost in transit.

Answer 95

A. Ensure that the tapes are handled the same way the original media would be handled based on their classification.

A. Tapes may be vulnerable to theft or loss in transit. That
means that tapes that are leaving their normal storage facility
should be handled according to the organization’s classification
schemes and handling requirements. Purging the tapes would
cause the loss of data, while increasing the classification level of
the tapes. The tapes should be encrypted rather than decrypted.

Question 96

Which of the following does not describe data in motion?
A. Data on a backup tape that is being shipped to a storage facility
B. Data in a TCP packet
C. Data in an e-commerce transaction
D. Data in files being copied between locations

Answer 96

A. Data on a backup tape that is being shipped to a storage facility

A. The correct answer is the tape that is being shipped to a
storage facility. You might think that the tape in shipment is “in
motion,” but the concept is that the data is not being accessed
and is instead in storage rather than being sent across a
network. Data in a TCP packet, in an e-commerce transaction, or
in local RAM is in motion and is actively being used.

Question 97

A new law is passed that would result in significant financial
harm to your company if the data that it covers was stolen or
inadvertently released. What should your organization do about
this?
A. Select a new security baseline.
B. Relabel the data.
C. Encrypt all of the data at rest and in transit.
D. Review its data classifications and classify the data appropriately.

Answer 97

D. Review its data classifications and classify the data appropriately.

D. When the value of data changes due to legal, compliance, or
business reasons, reviewing classifications and reclassifying the
data is an appropriate response. Once the review is complete,
data can be reclassified and handled according to its
classification level. Simply relabeling the data avoids the
classification process and may not result in the data being
handled appropriately. Similarly, selecting a new baseline or
simply encrypting the data may not handle all of the needs that
the changes affecting the data create.

Question 98

Which of the following data roles are typically found inside of a
company instead of as a third-party contracting relationship?
(Select all that apply.)
A. Data owners
B. Data controllers
C. Data custodians
D. Data processors

Answer 98

A. Data owners
B. Data controllers
C. Data custodians

A, B, C. Data owners, controllers, and custodians are typically
found inside of a company, while data processors are typically
third parties.

Question 99

What commercial data classification is most appropriate for data
contained on corporate websites?
A. Private
B. Sensitive
C. Public
D. Proprietary

Answer 99

C. Public

C. Public data is just that—information that can be made public
without any harm to the organization, and in fact, it is often
information that the organization wants to make available.
Private information should stay private inside of an
organization, sensitive data may cause damage to the mission of
the organization if exposed, and proprietary or confidential
information is the most sensitive data that an organization
wants to protect.

Question 100

Match each of the numbered data elements shown here with one
of the lettered categories. You may use the categories once, more
than once, or not at all. If a data element matches more than one
category, choose the one that is most specific.
Data elements
1. Medical records
2. Trade secrets
3. Social Security numbers
4. Driver’s license numbers
Categories
A. Proprietary data
B. Protected health information
C. Personally identifiable information

Answer 100

The data elements match with the categories as follows:
Data elements
1. Medical records: B. PHI
2. Trade secrets A. Proprietary data
3. Social Security numbers: C. PII
4. Driver’s license numbers: C. PII

Medical records are an example of protected health information
(PHI). Trade secrets are an example of proprietary data. Social
Security numbers and driver’s license numbers are examples of
PII; if they were used in a medical context, they may also be
PHI, but this question does not ask you to consider them in that
context.