3.3

Question 1

Data at rest

Answer 1

is data that has arrived at a destination in a file system, database, or object storage (disk,
tape) and is not being accessed or used

• It typically refers to stored data and excludes data that is moving across a network or is temporarily in computer memory or Redis cache waiting to be read or updated
• Data at rest is data that is not dynamically moving from device to device or network to network

Question 2

Data in transit

Answer 2

is being packet forwarded or
switched over a wireless or wired network in a unicast, broadcast, multicast, or anycast
fashion

Examples include:
* Wired Ethernet
* Cable (DOCSIS)
* Fiber optic
* 802.11 wireless
* Cellular
* Satellite
* Personal area networking using RFID,
Bluetooth, Infrared, Zigbee, and more

Question 3

data in use

Answer 3

This is active data undergoing processing, translation, analysis, change, or other manipulation

Examples include:
* Data in system RAM memory
* CPU registers
* Caches and buffers
* Data in Memcached or Redis clusters
* Database transactions
* Cloud-based file or code being modified in real-time
by one or more users

Question 4

There are five common categories used for data classification in various business and commercial
sectors:

Answer 4

• Public data
• Private data
• Internal data
• Confidential data
• Restricted data

Question 5

Public data

Answer 5

Public data may be
important, but it is
accessible to the
public

Since this data is
openly shared, it is the
lowest level

Question 6

Private data

Answer 6

Private data requires a
greater level of security
than public data

It should not be
available for public
access and is often
protected through
common security
measures such as
passwords

Question 7

internal data

Answer 7

Internal data is usually
limited to employees
only and often has
different security
requirements that
affect who can access
it and how it can be
used

Question 8

confidential data

Answer 8

This information
should only be
accessed by a limited
audience that has
obtained proper
authorization using
strict identity
management

Question 9

restricted data

Answer 9

This classification is
reserved for an
organization’s most
sensitive information

Access to this data is
strictly controlled to
prevent its unauthorized
use

Question 10

regulated data

Answer 10

information that its use and
protection is dictated by a
government agency or third-party
agreements

Question 11

trade secrets

Answer 11

Any practice or process of a
company that is generally not
known outside of the company

Question 12

Intellectual property

Answer 12

Creations of the mind, such as
inventions, literary and artistic works, designs and symbols, names, and
images used in commerce

Question 13

Personal health
information (PHI)

Answer 13

The demographic information,
medical histories, test and lab results, mental health conditions, insurance
information, and other data

Question 14

Personally identifiable
information (PII)

Answer 14

Any representation of data that allows the identity of an individual to whom the information applies to be
reasonably inferred by either direct or indirect means

Question 15

Legal information

Answer 15

Involves the careful reading about
specific clauses or stipulations that
does not constitute “advice”

Question 16

Financial data

Answer 16

Quantitative information used by
organizations to make financial
decisions and data concerning a
company’s financial health and
performance

Question 17

Human and nonhuman readable

Answer 17

Some human-readable formats, such as PDF, are not machine-readable as they are not structured or semistructured (JSON, YAML) data

Question 18

data life cycle

Answer 18

-create
-store
-use
-share
-archive
-destroy

Question 19

Create phase (mandatory)

Answer 19

Data is either generated from scratch, inputted, acquired, purchased, or
modified into another format

• The data owner, stewards, and
  custodians (if applicable) are identified
  in this earliest phase

Other key activities of phase one
include:
* Data discovery
* Data categorization
* Data classification
* Data mapping
* Data labeling (tagging)

Question 20

store phase

Answer 20

The data is put onto a volume (block), object (blob), or file storage system or into one of several types of database systems

• This phase relates to the optional transactional, near-term usage data as opposed to long-term cold
  data storage
• Protection of data at rest and data in transit will often occur in this phase unless default encryption
  is implemented in the Create phase

Question 21

use phase (mandatory)

Answer 21

data is utilized by
people, applications, services, and tools as well as being changed from the original state

• If data is used remotely then protection mechanisms must be in place (virtual private network (VPN), secure endpoints, digitally signed application protocol interface (API)
  calls)
• The systems that “use” the data must be secured as well;
  for example, endpoint
  detection and response (EDR) or host-based intrusion prevention system (IPS) agents (Palo
  Alto Cortex XDR)

Question 22

share phase

Answer 22

In this optional phase, data is visible, analyzed, and apportioned among users, systems, and applications

• Data can be shared in a client-server, peer-to-peer, or distributed manner
• Most of the control used in the previous phases will be implemented here in phase four (such as information rights management (IRM) and data loss
  prevention (DLP) services)
• Stringent Identity and Access Management (IAM) and/or Identity Management (IdM) should be used
  to enforce the least privilege

Question 23

archive phase

Answer 23

In this optional phase, data is stored for the long-term and removed from active usage

• Archiving is based on regulations, governance policies, and/or best practices
  -Archiving is often automated and based on Intelligent Tiering or Storage Gateway management over a high-speed connection to
  cloud providers

Question 24

destroy phase

Answer 24

Data is no longer accessible or usable based on lifetime, utility,
policy, governance, and/or regulations

• The organization should have their own established methods for
  disposal of data and media, often using military grade programs or
  physical destruction such as crushers and furnaces
• Although data can be disposed of using a variety of methods, when
  storing data at a cloud provider, crypto-shredding (cryptographic
  erasure) is the only practical and comprehensive solution

Question 25

methods to secure data

Answer 25

geographical restrictions
encryption
hashing
masking
tokenization
obfuscation
segmentation
Compartmentalization

Question 26

geographical restrictions

Answer 26

Limit access to users or devices based in a specific region 

Question 27

encryption 

Answer 27

Transforms data from plain text to cipher text that can only be deciphered with a correct private key known as the description key

Question 28

hashing

Answer 28

By hashing the data before storing it in a database, one can prevent unauthorized parties from reading or changing it without knowing the original data or the hashing
algorithm

• It is common for systems like directory services to hash the passwords of users so that they can be verified without exposing the
  plain text
  Choose a hashing algorithm that meets all policy requirements and that is supported by tools and utilities
• Generate a salt for each data input that is hashed with a built-in function or library
• Hash the data input and salt with the chosen algorithm
• It is essential to use the same hashing algorithm and salt for the same data input every time it is hashed
• Employ a secure connection to the data storage or database to offer protection of data-in-transit

Question 29

masking

Answer 29

Data masking often involves using characters like “X” to hide some or
all data

• Example is to only display the last four digits of:
• Social security number
• Credit card number
• National ID number
• Bank account number
• Username or email address

Question 30

tokenization

Answer 30

involves sending sensitive data through an API call (or batch file) to a system or cloud provider service that replaces the data with nonsensitive, pseudorandom placeholders called tokens

• Unlike encrypted data, the tokenized data is
  irreversible and unintelligible
• The practice involves two distinct databases:
• One with the actual sensitive data
• One with tokens mapped to each chunk of data

Question 31

obfuscation

Answer 31

applies to any
mechanism that makes data less decipherable

• The goal is to render data unreadable or to hide aspects of personally identifiable, personal health, or corporate intellectual property information
• “Obscuring” is a concept where static or dynamic techniques are used on the original data or a
  representational data set
• “Shuffling” is a term that describes utilizing characters from the same data set to further present the data
• “Randomization” is when all or some of the data is replaced with indiscriminate characters

Question 32

segmentation

Answer 32

a process of dividing and
organizing data and information into defined groups to enable:
* Handling
* Labeling
* Sorting
* Viewing
* Securing

• Segmented data offers a team or group with segregated, clear, actionable information

Data segmentation involves grouping data into
at least two subsets, although more
separations may be necessary on a large network with sensitive data

Question 33

Compartmentalization

Answer 33

is regarded as a very powerful way to protect
personal information

• It involves limiting access to information to only those people or
  organizations who need it to perform a certain task

military and fbi use it