Anki - Organization Security 2

Question 1

What is Data Handling or Document Management?

Answer 1

The process of managing information over it’s lifecycle - from creation to destruction

Question 2

What is a Data Policy?

Answer 2

The security controls that will be applied to protect data.

Question 3

What four roles exist in a Data Governance Policy?

Answer 3

• Data Owner
• Data Steward
• Data Custodian
• Privacy Officer

Question 4

Describe the role of a Data Owner

Answer 4

Senior/Exec role, responsible for:

• Maintaining confidentiality, integrity and availability of data
• “Labeling the data” (determining who has access and the data’s sensitivity)
• Ensure and select it’s security controls (backups, access control etc)
• Selecting a Steward and Custodian

Question 5

Describe the role of a Data Steward

Answer 5

Responsible for data quality, and must ensure data is:

• Identified/labelled appropriately (metadata)
• Collected and stored in a way that complies with laws/regulations

Question 6

Describe the role of a Data Custodian

Answer 6

Responsible for managing the system where data is stored, including enforcing:

• Access control
• Encryption
• Backup/recovery measures

Question 7

Describe the role of a Privacy Officer

Answer 7

Responsible for any PII (personally identifiable information) assets managed by the company.

Question 8

What is Data Classification?

Answer 8

Classification restricts who may see the document contents based on the data’s sensitivity.

Question 9

What are the five levels of data classification?

Answer 9

• Unclassified (public)
• Classified (private/restricted/internal use only/official use only)
• Confidential (or low)
• Secret (or medium)
• Top-Secret (or high)

Question 10

How should classified, confidential, secret and top-secret data be protected?

Answer 10

They should all be encrypted for storage and transmission.

Question 11

What is the MAC model when referring to data classification?

Answer 11

Mandatory Access Control

Question 12

What is PII? Give some examples

Answer 12

Personally identifiable information

• SSN
• Name
• DOB
• Phone number
• Biometric Data

Question 13

Give an example of data that is “sometimes” considered PII

Answer 13

A static IP address is PII, but an IP address dynamically assigned by the ISP may not be.

Question 14

What is PHI? Give some examples

Answer 14

Protected health information

• Medical records
• Insurance records
• Hospital records
• Lab results

Question 15

Why is PHI used as a target for criminals?

Answer 15

• PHI is valuable on the black market
• Criminals exploit data for insurance fraud or to blackmail victims
• PHI data cannot be changed unlike a credit card or bank account number

Question 16

What is IP?

Answer 16

Intellectual property created and owned by a company. Target for competitors, foreign governments and counterfeiters.

Question 17

What is Data Retention?

Answer 17

The process to maintain the existence of and control over data in order to comply with policies/laws/regulations. E.g. Keeping audit logs for HIPAA

Question 18

What is Data Sanitation and Disposal Policy?

Answer 18

Procedures for disposing of

• obsolete information and equipment
• storage devices
• paper records

Question 19

Why should you shred all paper documents before disposal, even innocuous ones?

Answer 19

Attackers “Dumpster Dive” for information for impersonation attacks (e.g. employee phone numbers or calendar appts)

Question 20

How should paper confidential or secret documents be disposed of?

Answer 20

Finer cross-shredding, incineration or pulping.

Shedders have levels that correspond to the size a sheet is reduced to. L1 is 12mm strips, L6 is 0.8x4mm.

Question 21

What is Media Sanitization or Remnant Removal?

Answer 21

The decommission of media (hard drives, flash drives/SSDs, tape media, CD and DVD ROMs, printers, old PCs)

Question 22

What are the 3 main reasons Remnant Removal is important?

Answer 22

• Own company’s confidential data could be compromised.
• Third-party data could be compromised
• Software licensing could be compromised.

Question 23

Why is just formatting a hard drive or device not considered proper remnant sanitization?

Answer 23

Deleted data is marked as available for writing, and the data they contain will only be removed as new files are added.

Question 24

What is zero-filling?

Answer 24

A process of overwriting or disk wiping, where each bit is set to zero.

Question 25

What is a flaw of zero-filling?

Answer 25

Can leave patterns that can be read with specialist tools.

Better to overwrite with pseudorandom ones and zeros, but is time consuming and needs special software.

Question 26

What is low-level formatting?

Answer 26

Similar to disk-wiping, it cleans data from sectors; and does’t re-create the sector layout. Whereas at the factory, a “low-level format” creates cylinders and sectors on the disk.

Question 27

What is degaussing?

Answer 27

Exposing a disk to a powerful electromagnet to disrupt the magnetic pattern.

Requires costly machinery and usually renders the disk unusable.

Question 28

What is pulverizing?

Answer 28

Mechanically destroying the disk e.g. drill or hammer.

Not suitable for highly confidential data as fragments can be analyzed.

Question 29

How should you dispose of Optical Media?

Answer 29

Shredders - because CDs and DVDs cannot be reformatted.

Question 30

Give five methods of Media Sanitization/Remnant Removal.

Answer 30

1. Overwriting/Disk Wiping
2. Low-level formatting
3. Pulverizing
4. Degaussing
5. Disk encryption