Domain 2: Asset Security; Classifying Data Flashcards

Flashcards in Domain 2: Asset Security; Classifying Data Deck (24):
1

Labels are used with subjects or objects?

Objects.

2

When is an object labeled "Top Secret"?

"Top Secret" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.

3

When is an object labeled "Secret"?

"Secret" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.

4

When is an object labeled "Confidential"?

"Confidential" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to national security.

5

What is SBU?

Sensitive but Unclassified.

6

What is FOUO?

For Official Use Only.

7

What labels do private sector companies use?

"Internal Use Only" and "Company Proprietary".

8

What is unclassified?

Data that is not sensitive.

9

Who applies a label to an object?

Security Administrator.

10

What are Security Compartments?

Compartments allow additional control over highly sensitive information. This is called Sensitive Compartmented Information (SCI).

11

Some compartments used by the United States are HCS, COMINT (SI), GAMMA (G), TALENT KEYHOLE (TK). What do they require?

These compartments require a documented and approved need to know in addition to a normal clearance such as top secret.

12

What is clearance?

A clearance is a formal determination of whether or not a user can be trusted with a specific level of information.

13

What does a clearance require?

Each clearance requires a myriad of investigations and collection of personal data. Once all data has been gathered (including a person's credit score, arrest record, interviews with neighbors and friends, and more), an administrative judge makes a determination on whether or not this person can be trusted with U.S. national security information.

14

What are the two most popular reasons why people are not granted U.S. Government clearance?

Drug use and foreign influence.

15

What is formal access approval?

Documented approval from the data owner for a subject to access certain objects, requiring the subject to understand all of the rules and requirements for accessing data, and consequences should the data become lost, destroyed, or compromised.

16

In addition to clearance, what does a subject need to access compartmented information?

Formal access approval from the compartmented information's data owner.

17

What is 'need to know'?

Need to know refers to answering the question: does the user need to know the specific data they may attempt to access?

18

Which is more granular, need to know or least privilege?

Need to know is more granular. Unlike least privilege, which groups access together, need to know access decisions are based on each individual object.

19

Wherever the data exists, there must be processes to ensure...

1. The data is not destroyed or made inaccessible.
2. The data is not disclosed.
3. The data is not altered.

20

People handling sensitive data should be...

1. Trusted individuals who have been vetted by the organization.
2. Individuals who understand their role in the organization's information security posture.

21

What should policies require in regards to handling sensitive media?

Policies should require the inclusion of written logs detailing the person responsible for the media.

22

How should sensitive data at rest be stored?

When storing sensitive information, it is preferable to encrypt the data. Encryption of data at rest greatly reduces the likelihood of data being disclosed in an unauthorized fashion due to security issues.

23

If data is encrypted, is strong physical security needed?

Yes, care should be taken to ensure there are strong physical security controls wherever media containing sensitive information is accessible, whether it is encrypted or not.

24

How long should sensitive information be retained?

Retention of sensitive data should not persist beyond the usefulness or legal requirement (whichever is greater). There may be regulatory or legal reasons to keep the data beyond its time of utility.