Asset Security Flashcards

1
Q

What is the purpose of a classification system?

A

To ensure information is marked in a way that only those who need access can see the information.

2
Q

Once data has been classified it retains that classification for its entire existence and a review is not necessary - True or False?

A

False. A periodic review should be done to recertify the classification is still appropriate.

3
Q

Who is responsible for classifying the data?

A

The Data Owner

4
Q

What does the acronym ITAM stand for?

A

IT Asset Management

5
Q

What two things should you consider when classifying information and supporting assets?

A

Sensitivity and Criticality

6
Q

What is the difference between data ownership and data custodianship?

A

Data ownership is the accountability and responsibility for the systems around the management of data. Custodianship is the implementation of those controls and the management of data within those systems.

7
Q

At a high-level, information has a life that consists of _________, ____ and __________.

A

Creation, Use and Destruction.

8
Q

Define “Data Remanence”.

A

Data remanence is the residual physical representation of data that has been in some way erased.

9
Q

In the context of a data security control, what is the objective of a baseline?

A

The objective of baseline protection is to establish a minimum set of safeguards to protect all or some of the IT systems in the organisation.

10
Q

What does the US DoD 5220.22-M standard define for disk wiping?

A

The US DoD 5220.22-M method requires overwriting all addressable storage and indexing locations on the drive three times: first with zeros (0x00), then with the complement (0xFF), then with random characters; all write passes are then verified.

11
Q

Name three methods of secure destruction.

A
  • Wiping
  • Degaussing
  • Shredding
12
Q

The Anytown Hospital Gift Shop POS system was the target of a successful cybercrime attack. The POS system stored product SKUs, postcodes and transaction amounts. Is this information legally protected?

a. No, SKUs, postcodes and transaction amounts are not legally protected.
b. Yes, postcodes and transactions are classified as NPPI.
c. Maybe, it depends upon the number of records.
d. Yes, patient information is legally protected under HIPAA.

A

Answer: a

No, SKUs, postcodes and transaction amounts are not legally protected.

Don’t be tempted by d because it’s a hospital, or by c because PCI does look at the number of records. FOCUS only on the information that has been provided.

13
Q

What does the acronym COPPA stand for?

A

Children’s Online Privacy Protection Rule (US)

14
Q

Which of the following statements best defines the concept of privacy?

a. The right of an individual to opt out of data use and collection.
b. The right of an individual to conduct their daily lives unnoticed.
c. The right of an individual to be compensated for the use of their personal information.
d. The right of an individual to control the use of their personal information.

A

Answer: d

The right of an individual to control the use of their personal information.

15
Q

Select the terms to correctly complete the sentences below.

a. __________ applies to the privacy and security of financial records.
b. __________ applies to the privacy and security of medical records.
c. __________ applies to the security of payment card data.
d. __________ requires parental consent for data collection.
e. __________ applies to the privacy of educational records.
f. __________ is based on the OECD principles.

  • PCI DSS
  • GLBA
  • Data Protection Directive
  • COPPA
  • HIPAA
  • FERPA

A

a. GLBA applies to the privacy and security of financial records.
b. HIPAA applies to the privacy and security of medical records.
c. PCI applies to the security of payment card data.
d. COPPA requires parental consent for data collection.
e. FERPA applies to the privacy of educational records.
f. Data Protection Directive is based on the OECD principles.

16
Q

Which of the following best describes the difference between archiving and backup?

a. Archiving is discretionary; backup is mandatory.
b. Archiving must comply with Federal Rules of Civil Procedure.
c. Archiving has a retention period; backups do not.
d. Archiving objective is retention; backup objective is recovery.

A

Answer: d

Archiving objective is retention; backup objective is recovery.

17
Q

When a file is deleted, which of the following is not true?

a. The MFT table documents the area as available.
b. The OS marks the drive three times with zeros (0x00).
c. The corresponding file pointer in the MFT is removed.
d. The original data remains intact until overwritten.

A

Answer: b

The OS marks the drive three times with zeros (0x00).

18
Q

The US DoD 5220.22-M specification pertains to what destruction method?

a. Disk shredding
b. Disk wiping
c. Disk deletion
d. Disk degaussing

A

Answer: b

Disk wiping

19
Q

The European Union data protection legislation is closely tied to which principle?

a. Zachman Ontology
b. OECD Privacy Principles
c. NIST Cybersecurity Framework
d. ISO 27000 ISMS

A

Answer: b

OECD Privacy Principles

Zachman Ontology is a framework that has nothing to do with privacy. NIST Cybersecurity Framework is all about controls and maturity. ISO 27000 is a management system which has more to do with certification.

20
Q

What is meant by dwell time in keystroke dynamics?

A

The amount of time you hold down a specific key.

21
Q

What does the acronym DSV denote?

A

Digital Signature Verification

22
Q

What is Flask?

A

A flexible operating system security architecture.

23
Q

Which authentication factor type is a smart card?

A

A Type 2 authentication factor, or something you have.