Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CISSP - Certified Information Systems Security Professional > 5 - Protecting Security of Assets > Flashcards

5 - Protecting Security of Assets Flashcards

1
Q

What is Sensitive Data?

A

Any info that isn’t public or classified that an org needs to protect due to its value to the organization (or to comply with existing laws and regulations).

  • Personally Identifiable Information (PII): Any information that can identify an individual (name, SSN, date and place of birth, mother’s maiden name, biometric records). Could also be medical, educational, financial, or biometric.
  • Protected Health Information (PHI): Any health-related info that can be related to a specific person. HIPAA covers the protection of PHI.
  • Proprietary Data: Any data that helps an org maintain a competitive edge. Could be software code, technical plans, internal processes, intellectual property, or trade secrets.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is data classification and what are the government classification levels of data?

A

Data classification identifies the value of the data to the organization and is critical to protect data confidentiality and integrity. (Government/Private)

  • Top Secret/Confidential: Applied to information where the unauthorized disclosure of which could cause exceptionally grave damage to national security
  • Secret/Private: Applied to information where the unauthorized disclosure of which could cause serious damage to national security.
  • Confidential/Sensitive: Applied to information where the unauthorized disclosure of which could cause damage to national security
  • Unclassified/Public: Any data that doesn’t meet one of the descriptions of the other categories.

**Classifications are not only done on data but also on hardware, systems that the data is processed on.**

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What are the different states of data?

A
  • Data at Rest: Data stored in media such as hard drives, external USB drives, or SANs (Storage Area Networks)
  • Data in Transit (Data in Motion): Any data transmitted over a network public or private.
  • Data in Use: Data in memory or temporary storage buffers while an application is using it. Data must be decrypted in order to be actively used.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is Data Remanence?

A

Data that remains on media after the data was supposedly erased. (Usually magnetic flux)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What are some terms associated with destroying data?

A
  • Erasing: SImply performs a delete operation.
  • Clearing (Overwriting): Process of writing a single character over all the media with a couple of passes.
  • Purging: Clearing media and provides assurance that data cannot be recovered with any known methods.
  • Degaussing: Creates a strong magnetic field that erases data (used on magnetic tapes). This has no effect on optical media.
  • Destruction: Most secure, physically destroying data.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are the components of asset retention?

A
  • Record retention: involves retaining and maintaining important info as long as it is needed and destroying it when it is no longer needed.
  • Retention timeframe: Set by the company’s security policy.
  • Hardware Retention: Primarily refers to retaining the hardware until it has been properly sanitized.
  • Personnel Retention: Refers to the knowledge that personnel gain while employed by an organization. It is common for organizations to include nondisclosure agreements (NDAs) when hiring new personnel which prevent employees from leaving the job and sharing the proprietary data with others.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is encryption?

A

An algorithm that converts cleartext data into scrambled ciphertext.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is Symmetric Encryption and what are some types of it?

A

Symmetric data uses the same key to encrypt and decrypt the data.

  • AES (Advanced Encryption Standard): Uses keys sizes 128, 192, and 256 bits respectively.
  • Triple DES: Use 56, 112, and 168-bit keys
  • Blowfish: Uses 32 to 448-bit keys. Also adds 128 bits of salting to protect the passwords.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is Transport Encryption and what are some examples of it?

A

Transport encryption methods encrypt data before it is transmitted, providing protection of data in transit.

  • HTTPS: Uses TLS as the underlying encryption method.
  • VPN: Uses TLS and IPsec/L2TP to provide encryption and tunneling to provide protection.
    • Layer 2 Tunneling Protocol (L2TP): Sends data in a tunnel
    • Authentication Header (AH): Provides authentication and integrity
    • Encapsulating Security Payload (ESP): Provides confidentiality
  • Secure Shell (SSH): Encrypts all traffic that is sent in a session.
  • Secure File Transfer Protocol (SFTP): Encrypts file transfers

Secure Copy (SCP): Encrypts copy files.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What are the different types of ownership?

A
  • Data Owner: The person who has ultimate organizational responsibility for data. Typically CEO, president, or department head (DH). They identify the classification of data and ensure that it is labeled properly as well as having the necessary security controls. Responsibilities:
    • Establish rules for protection and use. (rules of behavior)
    • Provides input regarding requirements and controls
    • Decides who has access to the system with data and what privileges they have.
    • Assist in identification and assessment of common security controls where info resides.
  • Asset Owners: The person who owns the asset or system that processes sensitive data. Responsibilities:
    • Develops and maintains system security plan
    • Ensures appropriate training is done.
    • Keep security plan updated
    • Assists in the identification, implementation, and assessment of the common security controls.
  • Business/Mission Owners: Might own processes that use systems managed by other entities.
  • Data Processors: Any system used to process data.
  • Administrators: Responsible for granting appropriate access to personnel
  • Custodians: Help protect the integrity and security of data by ensuring it is properly stored and protected.
  • Users: Any person who accesses data via a computing system to accomplish work tasks. Only have access to the data they need to get their work done.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is the difference between Pseudonymization and Anonymization?

A
  • A pseudonym is an alias. Pseudonymization is the process of using pseudonyms to represent other data.
  • Anonymization is the process of removing all relevant data so that it is impossible to identify the original subject or person.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What is a security baseline?

A

A baseline is a minimum level of security a system needs to be at.

  • Scoping: Reviewing a list of baseline security controls and selecting only those controls that apply to the IT system you’re trying to protect.
  • Tailoring: Refers to modifying the list of security controls within a baseline so that they align with the mission of the org.
  • Selecting Standards: Ensuring certain controls comply with certain external security standards.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly

CISSP - Certified Information Systems Security Professional (20 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions