Lesson 16: Summarize Data Protection and Compliance Concepts

Question 1

Define ‘regulated data’

Answer 1

Information subject to legal or regulatory requirements regarding their handling, storage, and protection.

Question 2

What are common forms of regulated data?

Answer 2

Financial information, healthcare records, social security numbers, credit card details, etc.

Question 3

Define a ‘trade secret’

Answer 3

Intellectual property that gives a company a competitive advantage but hasn’t been registered with a copyright, trademark, or patent.

Question 4

What do organizations implement to safeguard trade secrets?

Answer 4

NDA’s to bind confidentiality of trade secrets.

Question 5

Define ‘non-human-readable data’

Answer 5

Binary code, encrypted data, or data represented in a complex structure or encoding that requires specialized software or algorithms to decipher and interpret.

Question 6

What mechanisms are typically implemented to secure human readable data?

Answer 6

Security monitoring, user awareness, DLP, content filtering, and web security.

Question 7

What mechanisms are typically implemented to secure non-human readable data?

Answer 7

Encryption, access controls, intrusion detection and prevention, secure data exchange, and code/application security.

Question 8

Define ‘data classification’

Answer 8

A decision tree for applying one or more tags or labels to each data asset.

Question 9

Define the ‘public/unclassified’ data classification

Answer 9

No restrictions on viewing the data.

Question 10

Define ‘Data sovereignty’

Answer 10

The principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.

Question 11

Define ‘privacy data’

Answer 11

Personally identifiable or sensitive information associated with an individual’s personal, financial, or social identity, that if exposed or mishandled, could infringe upon an individual’s privacy rights.

Question 12

What is the purpose of privacy data?

Answer 12

Privacy data focuses on protecting personal information to preserve an individual’s privacy rights, prevent identity theft, and maintain the confidentiality of personal details.

Question 13

Define a ‘data controller’ in regards to General Data Protection Regulation (GDPR)

Answer 13

The entity or organization that determines the purposes and means of processing personal data.

Question 14

What is the responsibility of a data controller?

Answer 14

Handling compliance, obtaining appropriate consent from data subjects, providing privacy notices, implementing data protection policies and procedures, and handling data subject requests.

Question 15

Define a ‘data processor’ in regards to General Data Protection Regulation (GDPR)

Answer 15

Acts under the authority and instructions of the Data Controller to processes personal data.

Question 16

What is the responsibility of a data processor?

Answer 16

To process personal data only for the purposes defined by the Data Controller; Implement required security measures, maintain CIA of the data, and cooperate with the Data Controller to meet their legal obligations.

Question 17

What are examples of data processors?

Answer 17

A cloud service provider or a payroll processing company.

Question 18

Define a ‘data inventory’

Answer 18

List of classified data/information stored or processed by a system.

Question 19

What is the purpose of a data inventory?

Answer 19

So organizations can ensure that their processing activities align with the specified lawful purposes outlined in privacy laws.

Question 20

Define ‘data retention’

Answer 20

The process an organization uses to maintain the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations.

Question 21

How does keep a data inventory help data retention?

Answer 21

Data inventories help organizations determine appropriate retention periods for different categories of personal data, ensuring compliance.

Question 22

Define a ‘data breach’

Answer 22

When confidential or private data is read, modified, or deleted without authorization.

Question 23

Define a ‘privacy breach’

Answer 23

Refers specifically to loss or disclosure of personal and sensitive data.

Question 24

What are some of the outcomes a data/privacy breach can have?

Answer 24

Reputational damage; Identity theft; fines; Intellectual property theft.

Question 25

What are the 3 states data can be classified in?

Answer 25

1. Data at rest
2. Data in transit/motion
3. Data in use/processing

Question 26

Define ‘data at rest’

Answer 26

The data is in some sort of persistent storage media.

Question 27

How is data at rest typically secured?

Answer 27

By implementing some form of encryption (FDE, database encryption, file/folder) or access control.

Question 28

Define ‘data in transit/motion’

Answer 28

When data is transmitted over a network.

Question 29

How is data in transit/motion secured?

Answer 29

By implementing a transport encryption protocol, such as TLS or IPSec.

Question 30

Define ‘data in use’

Answer 30

When data is present in volatile memory, such as system RAM or CPU registers and cache.

Question 31

How can data in use be secure?

Answer 31

Although most data needs to be decrypted from rest in order to be used, trusted execution environment (TEE) mechanisms are able to encrypt data as it exists in memory.

Question 32

What is the function of data loss prevention (DLP) software?

Answer 32

To automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without a proper authorization.

Question 33

What are the 3 typical components of Data loss prevention (DLP) products?

Answer 33

1. Policy Server
2. Endpoint agents
3. Network agents

Question 34

What is the purpose of a Data loss prevention (DLP) policy server?

Answer 34

To configure classification, confidentiality, and privacy rules and policies, log incidents, and compile reports.

Question 35

What is the purpose of a Data loss prevention (DLP) endpoint agent?

Answer 35

To enforce policy on client computers, even when they are not connected to the network.

Question 36

What is the purpose of a Data loss prevention (DLP) network agent?

Answer 36

To scan communications at network borders and interface with web and messaging servers to enforce policy.

Question 37

This method of data protection is often associated with payment processing systems.

Answer 37

Tokenization; Replaces sensitive data (such as a credit card number) with a randomly generated token while securely storing the original data in a separate location.

Question 38

Define a ‘tombstone’ mechanism

Answer 38

a Data loss prevention (DLP) mechanism where original file is quarantined and replaced with one describing the policy violation and how the user can release it again.

Question 39

Define a ‘code of conduct’

Answer 39

Rules of behavior and ethical standards; Sets out expected professional standards.

Question 40

Define a ‘clean desk policy’

Answer 40

Organizational policy that mandates employee work areas be free from potentially sensitive information.

Question 41

When educating end users, what should be of focus?

Answer 41

Responsibilities and threats that are relevant to users in a language they can understand.

Question 42

What are methods of employee education?

Answer 42

Facilitated workshops and events, one-on-one instruction and mentoring, plus resources such as computer-based or online training, videos, books, and blogs/newsletters.

Question 43

Define ‘Computer-based training (CBT)’

Answer 43

Training and education programs delivered using computer devices and e-learning instructional models and design.

Question 44

What are forms of Computer-based training (CBT)?

Answer 44

Simulations; branching scenarios.

Question 45

What is a branching scenario?

Answer 45

Having students choose between options to find the best choices to solve a cybersecurity incident or configuration problem.

Question 46

Define ‘Anomalous behavior recognition’

Answer 46

Actions or patterns that deviate significantly from expectations; Systems that automatically detect users, hosts, and services that deviate from what is expected.

Question 47

How can end users support anomalous behavior recognition?

Answer 47

By training employees to recognize and report anomalous behavior.

Question 48

What are examples of anomalous behavior?

Answer 48

Unusual network traffic, user account activity anomalies, insider threat actions, abnormal system events, and fraudulent transactions.

Question 49

What mechanisms are used to automatically detect anomalous behavior?

Answer 49

Network intrusion detection, user behavior analytics, system log analysis, and fraud detection.

Question 50

In order, what are the 7 stages of the security awareness training lifecycle?

Answer 50

1. Assessment
2. Planning and design
3. Development
4. Delivery and implementation
5. Evaluation and feedback
6. Ongoing reinforcement
7. Monitoring and adaptation