Asset Security Flashcards

1
Q

As head of sales, Jim is the data owner for the sales department. Which of the following is not Jim’s responsibility as data owner?

A. Assigning information classifications

B. Dictating how data should be protected

C. Verifying the availability of data

D. Determining how long to retain data

A

C. The responsibility of verifying the availability of data is the only responsibility listed that does not belong to the data (information) owner. Rather, it is the responsibility of the data (information) custodian. The data custodian is also responsible for maintaining and protecting data as dictated by the data owner. This includes performing regular backups of data, restoring data from backup media, retaining records of activity, and fulfilling information security and data protection requirements in the company’s policies, guidelines, and standards. Data owners work at a higher level than the data custodians. The data owners basically state, “This is the level of integrity, availability, and confidentiality that needs to be provided—now go do it.” The data custodian must then carry out these mandates and follow up with the installed controls to make sure they are working properly.

A is incorrect because, as data owner, Jim is responsible for assigning information classifications. (The question asked which of the following Jim is not responsible for.)

B is incorrect because data owners such as Jim are responsible for dictating how information should be protected. The data owner has the organizational responsibility for data protection and is liable for any negligence when it comes to protecting the organization’s information assets. This means that Jim must make decisions regarding how information is protected and ensure that the data custodian (a role usually filled by IT or security) is carrying out these decisions.

D is incorrect because determining how long to retain data is the responsibility of the data owner. The data owner is also responsible for determining who can access the information and ensuring that proper access rights are being used. He can approve access requests himself or delegate the function to business unit managers, who will approve requests based on user access criteria defined by the data owner.

2
Q

Assigning data classification levels can help with all of the following except:

A. The grouping of classified information with hierarchical and restrictive security

B. Ensuring that nonsensitive data is not being protected by unnecessary controls

C. Extracting data from a database

D. Lowering the costs of protecting data

A

C. Data classification does not involve the extraction of data from a database. However, data classification can be used to dictate who has access to read and write data that is stored in a database. Each classification should have separate handling requirements and procedures pertaining to how that data is accessed, used, and destroyed. For example, in a corporation, confidential information may only be accessed by senior management. Auditing could be very detailed and its results monitored daily, and degaussing or overwriting procedures may be required to erase the data. On the other hand, information classified as public may be accessed by all employees, with no special auditing or destruction methods required.

A is incorrect because assigning data classification levels can help with the grouping of classified information with hierarchical and restrictive security. Data that shares the same classification, for example, can be grouped together and assigned the same handling requirements and procedures pertaining to how it is accessed, used, and destroyed.

B is incorrect because assigning data classification levels can help ensure that nonsensitive data is being protected by the necessary controls. Data classification directly deals with ensuring that the different levels of sensitive data are being protected by the necessary controls. This answer is very tricky because of all the negatives, so make sure to read such questions and answers carefully.

D is incorrect because data classification helps ensure data is protected in the most cost-effective manner. Protecting and maintaining data costs money, but it is important to spend this money for the information that actually requires protection. For example, data that is classified confidential may require additional access controls (as compared to public data) to restrict access. It may also require additional auditing and monitoring. This may be appropriate for a soda company’s proprietary recipe, but it would be a waste of resources if those same measures were implemented for the soda company’s employee directory.

3
Q

Susan, an attorney, has been hired to fill a new position at Widgets, Inc.: chief privacy officer (CPO). What is the primary function of her new role?

A. Ensuring the protection of partner data

B. Ensuring the accuracy and protection of company financial information

C. Ensuring that security policies are defined and enforced

D. Ensuring the protection of customer, company, and employee data

A

D. The chief privacy officer (CPO) position is being created by companies in response to the increasing demands on organizations to protect myriad types of data. The CPO is responsible for ensuring the security of customer, company, and employee data, which keeps the company free from legal prosecution and—hopefully—out of the headlines. Thus, the CPO is directly involved with setting policies on how data is collected, protected, and distributed to third parties. The CPO is usually an attorney and reports to the chief security officer (CSO).

A is incorrect because protecting partner data is just a small subset of all the data the CPO is responsible for protecting. CPOs are responsible for ensuring the protection of customer, company, and employee data. Partner data is among the various types of data that the CPO is responsible for protecting. In addition, the CPO is responsible for knowing how the company’s suppliers, partners, and other third parties are protecting its sensitive information. Many times, companies will need to review these other parties (which have copies of data needing protection).

B is incorrect because the accuracy of financial information is the responsibility of its data owner—the chief financial officer (CFO). The CFO is responsible for the corporation’s account and financial activities, and the overall financial structure of the organization. The CPO is responsible for helping to ensure the secrecy of this data, but not the accuracy of the data. The financial information is also a small subset of all the data types the CPO is responsible for protecting.

C is incorrect because the definition and enforcement of security policies is the responsibility of senior management, commonly delegated to the chief information security officer (CISO) or CSO—not the CPO. A security policy is an overall general statement that dictates what role security plays within the organization. The CPO’s responsibilities as they relate to policies are to contribute to the setting of data protection policies, including how data is collected, protected, and distributed to third parties.

4
Q

Jared plays a role in his company’s data classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared’s role?

A. Data owner

B. Data custodian

C. Data user

D. Information systems auditor

A

C. Any individual who uses data for work-related tasks is a data user. Users must have the necessary level of access to the data to perform the duties within their position and are responsible for following operational security procedures to ensure the data’s confidentiality, integrity, and availability to others. This means that users must practice due care and act in accordance with both security policy and data classification rules.

A is incorrect because the data owner has a greater level of responsibility in the protection of the data. Data owners are responsible for classifying the data, regularly reviewing classification levels, and delegating the responsibility of the data protection duties to the data custodian. The data owner is typically a manager or executive in the organization and is held responsible when it comes to protecting the company’s information assets.

B is incorrect because the data custodian is responsible for the implementation and maintenance of security controls as dictated by the data owner. In other words, the data custodian is the technical caretaker of the controls that protect the data. Her duties include making backups, restoring data, implementing and maintaining countermeasures, and administering controls.

D is incorrect because an information systems auditor is responsible for evaluating controls. After evaluating the controls, the auditor provides reports to management, illustrating the mapping between the set acceptable risk level of the organization and her findings. This does not have to do with using the data or practicing due care with the use of data.

5
Q

Michael is charged with developing a data classification program for his company. Which of the following should he do first?

A. Understand the different levels of protection that must be provided

B. Specify data classification criteria

C. Identify the data custodians

D. Determine protection mechanisms for each classification level

A

A. Before Michael begins developing his company’s classification program, he must understand the different levels of protection that must be provided. Only then can he develop the necessary classification levels and their criteria. One company may choose to use only two layers of classification, whereas another may choose to use more. Regardless, when developing classification levels, he should keep in mind that too many or too few classification levels will render the classification ineffective; there should be no overlap in the criteria definitions between classification levels; and classification levels should be developed for both data and software.

B is incorrect because data classification criteria cannot be established until the classification levels themselves have been defined. The classification criteria are used by data owners to know what classification should be assigned to specific data. Basically, the classifications are defined buckets and the criteria help data owners determine what bucket each data set should be put into.

C is incorrect because there is no need to identify the data custodians until classification levels are defined, criteria are determined for how data is classified, and the data owner has indicated the classification of the data she is responsible for. Remember, the data custodian is responsible for implementing and maintaining the controls specified by the data owner.

D is incorrect because protection mechanisms for each classification level cannot be determined until the classification levels themselves are defined based on the different levels of protection that are required. The types of controls implemented per classification will depend upon the level of protection that management and the security team have determined is needed.

6
Q

Which of the following is NOT a factor in determining the sensitivity of data?

A. Who should be accessing the data

B. The value of the data

C. How the data will be used

D. The level of damage that could be caused should the data be exposed

A

C. How the data will be used has no bearing on how sensitive it is. In other words, the data is sensitive no matter how it will be used—even if it is not used at all.

A is incorrect because data classification criteria must consider very directly who will need access to the data and their level of clearance to see sensitive data. If the data is classified at too high a level, then its users will not be able to access it. If it is classified at too low a level, then unauthorized users may have access to it.

B is incorrect because the inherent value of the data also directly drives the degree of protection it must be afforded, and this is determined by its classification. This is true regardless of whether the prioritization must be confidentiality, integrity, or availability.

D is incorrect because the degree of damage that disclosure, alteration, or destruction of the data would cause is directly related to the level of protection it must be provided.

7
Q

What is the chief security responsibility of a data owner?

A. Determine how the data should be preserved

B. Determine the data classification

C. Determine the data value

D. Determine how the data will be used

A

B. Setting the classification for the data drives all other decisions about the data. Determining how the data will be used and determining who should use it are responsibilities within the scope of the data owner, but they are functional rather than security responsibilities. The owner may participate in determining the value of the data, but since its value is a measure relative to all other corporate data assets, it is not usually something the data owner is solely responsible for. Determining how the data will be preserved falls to the role of the data custodian.

A is incorrect because the preservation countermeasures are determined by mandatory access controls based on the classification of the data, not the other way around.

C is incorrect because although assessment of the data’s value is a critical component of determining its classification, it is just one component of the overall goal of the data owner.

D is incorrect because how the data is to be used is not a factor in its classification. How data is used may change over time, but its sensitivity to the enterprise must determine who can access it regardless.

8
Q

Which is the most valuable technique when determining if a specific security control should be implemented?

A. Risk analysis

B. Cost/benefit analysis

C. ALE results

D. Identifying the vulnerabilities and threats causing the risk

A

B. Once a risk has been identified to be real, sufficiently likely, and sufficiently impactful to require a control to be put in place to reduce the risk within a tolerable range, a countermeasure must be selected. Only an analysis of each possible measure’s cost and benefit can determine which course of action should be taken.

A is incorrect because the determination of risk is only the first step in identifying that a countermeasure might be required to control the risk within an acceptable threshold.

C is incorrect because the ALE tells the company how much it could lose if a specific threat became real. The ALE value will go into the cost/benefit analysis, but the ALE does not address the cost of the countermeasure and the benefit of a countermeasure.

D is incorrect because although the assessment of vulnerabilities and threats drives the recognition of a need for a countermeasure, that assessment alone cannot determine what the likely cost effectiveness will be among competing countermeasures.

9
Q

Which of the following is the LEAST important stage in the life-cycle management of information?

A. Data specification and classification

B. Continuous monitoring and auditing of data access

C. Data archival

D. Database migration

A

D. The movement of accessible data from one repository to another may be required over its lifespan, but typically is not as important as the other phases offered as answers to this question.

A is incorrect because the determination of what the data is, and its classification, is the first essential phase of being able to provide it with the appropriate level of protection.

B is incorrect because without continuous monitoring and auditing of accesses to sensitive data, breaches cannot be identified, and no assurance of security can be attained.

C is incorrect because even the most sensitive data will be subject to retention requirements, which means that it will have to be archived for the appropriate period of time, but with the same level of security as when it is in live use.

10
Q

Which of the following are effective methods of preventing data remanence on solid-state devices (SSDs)?

i. Clearing
ii. Purging
iii. Degaussing
iv. Destruction

A. i, ii

B. i, iii, iv

C. iv

D. All of the above

A

C. Among the options given, physical destruction of the device is the only effective way to ensure no data remains on an SSD.

A is incorrect because of the way that SSDs write bits to the solid-state storage. Clearing media is usually no more effective than deletion and will not remove the data. Purging media is usually an attempt to overwrite all bits, which also may not remove the data because of the unique properties of SSDs that differ from those of hard disk devices (HDDs).

B is incorrect because degaussing only works by destroying the magnetization of storage devices that rely on it for persistent storage, which SSDs do not.

D is incorrect for all the reasons stated.

11
Q

The requirement of erasure is the end of the media life cycle if the media contains sensitive information. Which of the following best describes purging?

A. Changing the polarization of the atoms on the media.

B. It is unacceptable when media are to be reused in the same physical environment for the same purposes.

C. Data formerly on the media is made unrecoverable by overwriting it with a pattern.

D. Information is made unrecoverable, even with extraordinary effort.

A

D. Purging is the removal of sensitive data from a system, storage device, or peripheral device with storage capacity at the end of a processing period. This action is performed in such a way that there is assurance proportional to the sensitivity of the data that the data cannot be reconstructed. Deleting files on a medium does not actually make the data disappear; it only deletes the pointers to where the data in those files still lives on the medium. This is how companies that specialize in restoration can recover the deleted files intact after they have been apparently/accidentally destroyed. Even simply overwriting media with new information may not eliminate the possibility of recovering the previously written information. This is why secure overwriting algorithms are required. And, if any part of a medium containing highly sensitive information cannot be cleared or purged, then physical destruction must take place.

A is incorrect because it describes degaussing, which is an example of purging. A device that performs degaussing generates a coercive magnetic force that reduces the magnetic flux density of the storage media to zero. This magnetic force is what properly erases data from media. Data is stored on magnetic media by the representation of the polarization of the atoms. Degaussing changes this polarization by using a type of large magnet to bring it back to its original flux (magnetic alignment).

B is incorrect because purging is required when media will be repurposed to a different compartment. When media are erased (cleared of their contents), they are said to be sanitized. This means erasing information so that it is not readily retrieved using routine operating system commands or commercially available forensic/data recovery software.

C is incorrect because it describes zeroization, which is an example of purging but does not describe purging itself. Media holding sensitive data must be properly purged, which can be accomplished through zeroization, degaussing, or media destruction.

12
Q

Sam plans to establish mobile phone service using the personal information he has stolen from his former boss. What type of identity theft is this?

A. Phishing

B. True name

C. Pharming

D. Account takeover

A

B. Identity theft refers to a situation where someone obtains key pieces of personal information, such as a driver’s license number, bank account number, credentials, or Social Security number, and then uses that information to impersonate someone else. Typically, identity thieves will use the personal information to obtain credit, merchandise, or services in the name of the victim. This can result in such things as ruining the victim’s credit rating, generating false criminal records, and issuing arrest warrants for the wrong individuals. Identity theft is categorized in two ways: true name and account takeover. True name identity theft means the thief uses personal information to open new accounts. The thief might open a new credit card account, establish mobile phone service like Sam, or open a new checking account in order to obtain blank checks.

A is incorrect because phishing is a type of social engineering attack with the goal of obtaining personal information, credentials, credit card numbers, or financial data. The attackers lure, or fish, for sensitive data through various methods. While the goal of phishing is to dupe a victim into handing over his personal information, the goal of identity theft is to use that personal information for personal or financial gain. An attacker can employ a phishing attack as a means to carry out identity theft.

C is incorrect because pharming is a technical attack that is carried out to trick victims into sending their personal information to an attacker via an illegitimate website. The victim types in a web address, such as www.nicebank.com, into his browser. The victim’s system sends a request to a poisoned DNS server, which points the victim to a website that is under the attacker’s control. Because the site looks and feels like the requested website, the user enters his personal information, which the attacker can then use to commit identity theft.

D is incorrect because account takeover identity theft means the imposter uses personal information to gain access to the person’s existing accounts, rather than opening a new account. Typically, the thief will change the mailing address on an account and run up a huge bill before the person, whose identity has been stolen, realizes there is a problem. The Internet has made it easier for an identity thief to use the information they’ve stolen because transactions can be made without any personal interaction.

13
Q

Which of the following are common military categories of data classification?

A. Top secret, Secret, Classified, Unclassified

B. Top secret, Secret, Confidential, Private

C. Top secret, Secret, Confidential, Unclassified

D. Classified, Unclassified, Public

A

C. Within the U.S. military complex and national security apparatus, the most common designations for data classification are unclassified vs. classified. Within the classifications for “classified” information are Confidential, Secret, and Top Secret. They are defined as follows: Confidential data is that which, if improperly disclosed, could cause harm to national security. Secret data is that which, if improperly disclosed, could cause “serious” harm to national security. And finally, Top Secret data is that which, if improperly disclosed, could cause “grave” harm to national security.

A is incorrect because both Top Secret and Secret data are officially Classified.

B is incorrect because “Private” is not an official category commonly used by the military. Top Secret, Secret, and Confidential are commonly used categories for classified information in a national security context, and categories such as “For Official Use Only (FOUO)” are commonly designated to protect privacy. But they are not uniformly used.

D is incorrect because although data is commonly designated as one of these three, it is less granular an answer than C.

14
Q

Joan needs to document a data classification scheme for her organization. Which criteria should she use to guide her decisions?

A. The value of the data and the age of the data

B. Legal responsibilities, based on ISO regulations

C. Who will be responsible for protecting the data and how

D. How an adverse data breach would be handled

A

A. The value of the data—both currently and for some period of time into the future—should be the most critical metric when evaluating data classification. That value should consider both the value of the data to the organization over time and the value of the data to an adversary. The age of the data and its usefulness to both the organization and any other organization must be taken into account as well.

B is incorrect because although any organization may be subject to legal regulatory responsibilities with respect to data classification, either within the United States or internationally, the ISO merely defines standards, not requirements or regulations.

C is incorrect because the designation of the roles and responsibilities as to how any data must be protected should not be determined by the operators of the scheme. Those responsible for the protection of the data must not perform those duties at their own discretion.

D is incorrect because, once again, the reliability of the staff in handling an adverse event should not be a question of the discretion of their superiors or those who hired them.

15
Q

Which of the following means of data removal makes the data unrecoverable even with extraordinary effort, such as with physical forensics in a laboratory?

A. Deletion of the data

B. Sanitization of the media

C. Purging via overwriting

D. None of these will work

A

C. Purging means making data unavailable even by physical forensic efforts. This is typically achieved via overwriting each and every sector of the media upon which the data had been stored.

A is incorrect. Mere deletion of data with operating system commands typically leaves the data present on the storage media while marking the clusters or blocks that still store it available for later reuse.

B is incorrect. Although a stronger method than merely deleting data with operating system commands, sanitization usually refers to making storage media reusable within the same security context. With magnetic media, this is commonly done via degaussing.

D is incorrect. With appropriate diligence, data remanence can be dealt with successfully via purging techniques.
