3.3 Compare and contrast concepts and strategies to protect data.

Question 1

• Data types

Answer 1

• Regulated
• Trade secret
• Intellectual property
• Legal information
• Financial information
• Human- and non-human - readable

Question 2

Regulated Data

Answer 2

■ Controlled by laws, regulations, or industry standards
■ Compliance requirements
● General Data Protection Regulation (GDPR)
● Health Insurance Portability and Accountability Act (HIPAA)

Question 3

PII (Personal Identification Information)

Answer 3

■ Information used to identify an individual (e.g., names, social security numbers,
addresses)
■ Targeted by cybercriminals and protected by privacy laws

Question 4

○ PHI (Protected Health Information)

Answer 4

■ Information about health status, healthcare provision, or payment linked to a
specific individual
■ Protected under HIPAA

Question 5

Trade Secrets

Answer 5

■ Confidential business information giving a competitive edge (e.g., manufacturing
processes, marketing strategies, proprietary software)
■ Legally protected; unauthorized disclosure results in penalties

Question 6

Intellectual Property (IP)

Answer 6

■ Creations of the mind (e.g., inventions, literary works, designs)
■ Protected by patents, copyrights, trademarks to encourage innovation
■ Unauthorized use can lead to legal action

Question 7

Legal Information

Answer 7

■ Data related to legal proceedings, contracts, regulatory compliance

Requires high-level protection for client confidentiality and legal privilege

Question 8

○ Financial Information

Answer 8

■ Data related to financial transactions (e.g., sales records, tax documents, bank
statements)
■ Targeted by cybercriminals for fraud and identity theft
■ Subject to PCI DSS (Payment Card Industry Data Security Standard)

Question 9

Human-Readable Data

Answer 9

■ Understandable directly by humans (e.g., text documents, spreadsheets)

Question 10

Non-Human-Readable Data

Answer 10

■ Requires machine or software to interpret (e.g., binary code, machine language)
■ Contains sensitive information and requires protection

Question 11

Data classifications

Answer 11

• Sensitive
• Confidential
• Public
• Restricted
• Private
• Critical

Question 12

Restricted data

Answer 12

is highly confidential business or personal information. There are often general statutory, regulatory or contractual requirements

Question 13

Sensitive Data

Answer 13

Information that, if accessed by unauthorized persons, can result in the loss of
security or competitive advantage for a company

Question 14

○ Importance of Data Classification

Answer 14

■ Helps allocate appropriate protection resources
■ Prevents over-classification to avoid excessive costs
■ Requires proper policies to identify and classify data accurately

Question 15

Public

Answer 15

● No impact if released; often publicly accessible data

Question 16

Private

Answer 16

● Contains internal personnel or salary information

Question 17

Confidential

Answer 17

● Holds trade secrets, intellectual property, source code, etc.

Question 18

■ Critical

Answer 18

● Extremely valuable and restricted information

Question 19

Commercial Business Data Classification Levels

Answer 19

Public: often publicly accessible data
Sensitive: Minimal impact if released, e.g., financial data

Private : Contains internal personnel or salary information

Confidential : Holds trade secrets, intellectual property, source code, etc.

Critical : Extremely valuable and restricted information

Question 20

Government Classification Levels

Answer 20

■ Unclassified
● Generally releasable to the public

■ Sensitive but Unclassified
● Includes medical records, personnel files, etc.

■ Confidential
● Contains information that could affect the government

■ Secret
● Holds data like military deployment plans, defensive postures

■ Top Secret
● Highest level, includes highly sensitive national security information

Question 21

General data considerations

Answer 21

• Data states
  o Data at rest
  o Data in transit
  o Data in use
• Data sovereignty
• Geolocation

Question 22

Data Sovereignty

Answer 22

■ Information subject to laws and governance structures within the nation it is
collected

Question 23

Data at Rest

Answer 23

■ Data stored in databases, file systems, or storage systems, not actively moving

Question 24

Data in Transit (Data in Motion)

Answer 24

Data actively moving from one location to another, vulnerable to interception

Question 25

Transport Encryption Methods

Answer 25

• SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
• VPN (Virtual Private Network)
• IPSec (Internet Protocol Security)

Question 26

SSL (Secure Sockets Layer) and TLS (Transport Layer Security)

Answer 26

○ Secure communication over networks, widely used in web
browsing and email

Question 27

VPN (Virtual Private Network)

Answer 27

○ Creates secure connections over less secure networks like the
internet

Question 28

IPSec (Internet Protocol Security)

Answer 28

○ Secures IP communications by authenticating and encrypting IP
packets

Question 29

Data in Use

Answer 29

■ Data actively being created, retrieved, updated, or deleted

Question 30

Data in Use Protection Measures

Answer 30

● Encryption at the Application Level
○ Encrypts data during processing

● Access Controls
○ Restricts access to data during processing

● Secure Enclaves
○ Isolated environments for processing sensitive data

● Mechanisms like INTEL Software Guard
○ Encrypts data in memory to prevent unauthorized access

Question 31

• Methods to secure data

Answer 31

• Geographic restrictions
• Encryption
• Hashing
• Masking
• Tokenization
• Obfuscation
• Segmentation
• Permission restrictions

Question 32

Geographic Restrictions (Geofencing)

Answer 32

■ Virtual boundaries to restrict data access based on location
■ Compliance with data sovereignty laws
■ Prevent unauthorized access from high-risk locations

Question 33

Encryption

Answer 33

■ Transform plaintext into ciphertext using algorithms and keys
■ Protects data at rest and in transit
■ Requires decryption key for data recovery

Question 34

Hashing

Answer 34

■ Converts data into fixed-size hash values
■ Irreversible one-way function
■ Commonly used for password storage

Question 35

Masking

Answer 35

■ Replace some or all data with placeholders (e.g., “x”)
■ Partially retains metadata for analysis
■ Irreversible de-identification method

Question 36

Tokenization

Answer 36

■ Replace sensitive data with non-sensitive tokens
■ Original data stored securely in a separate database
■ Often used in payment processing for credit card protection

Question 37

Obfuscation

Answer 37

■ Make data unclear or unintelligible
■ Various techniques, including encryption, masking, and pseudonyms
■ Hinder unauthorized understanding

Question 38

Segmentation

Answer 38

■ Divide network into separate segments with unique security controls
■ Prevent lateral movement in case of a breach
■ Limits potential damage

Question 39

○ Permission Restrictions

Answer 39

■ Define data access and actions through ACLs or RBAC
■ Restrict access to authorized users
■ Reduce risk of internal data breaches