Ch 5 Flashcards
- Which one of the following identifies the primary a purpose of information classification processes?
A. Define the requirements for protecting sensitive data.
B. Define the requirements for backing up data.
C. Define the requirements for storing data.
D. Define the requirements for transmitting data.
Answer: A
A primary purpose of information classification processes is to identify security classifications for sensitive data and define the requirements to protect sensitive data. Information classification processes will typically include requirements to protect sensitive data at rest (in backups and stored on media), but not requirements for backing up and storing any data. Similarly, information classification processes will typically include requirements to protect sensitive data in transit, but not any data.
- When determining the classification of data, which one of the following is the most important consideration?
A. Processing system
B. Value
C. Storage media
D. Accessibility
Answer: B
Data is classified based on its value to the organization. In some cases, it is classified based on the potential negative impact if unauthorized personnel can access it, which represents a negative value. It is not classified based on the processing system, but the processing system is classified based on the data it processes. Similarly, the storage media is classified based on the data classification, but the data is not classified based on where it is stored. Accessibility is affected by the classification, but the accessibility does not determine the classification. Personnel implement controls to limit accessibility of sensitive data.
- Which of the following answers would not be included as sensitive data?
A. Personally identifiable information (PII)
B. Protected health information (PHI)
C. Proprietary data
D. Data posted on a website
Answer: D
Data posted on a website is not sensitive, but PII, PHI, and proprietary data are all sensitive data.
- What is the most important aspect of marking media?
A. Data labeling
B. Content description
C. Electronic labeling
D. Classification
Answer: D
Classification is the most important aspect of marking media because it clearly identifies the value of the media and users know how to protect it based on the classification. Including information such as the date and a description of the content isn’t as important as marking the classification. Electronic labels or marks can be used, but when they are used, the most important information is still the classification of the data.
- Which would an administrator do to classified media before reusing it in a less secure environment?
A. Erasing
B. Clearing
C. Purging
D. Overwriting
Answer: C
Purging media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. Purged media can then be reused in less secure environments. Erasing the media performs a delete, but the data remains and can easily be restored. Clearing, or overwriting, writes unclassified data over existing data, but some sophisticated forensics techniques may be able to recover the original data, so this method should not be used to reduce the classification of media.
- Which of the following statements correctly identifies a problem with sanitization methods?
A. Methods are not available to remove data ensuring that unauthorized personnel cannot retrieve data.
B. Even fully incinerated media can offer extractable data.
C. Personnel can perform sanitization steps improperly.
D. Stored data is physically etched into the media.
Answer: C
Sanitization can be unreliable because personnel can perform the purging, degaussing, or other processes improperly. When done properly, purged data is not recoverable using any known methods. Data cannot be retrieved from incinerated, or burned, media. Data is not physically etched into the media.
- Which of the following choices is the most reliable method of destroying data on a solid state drive?
A. Erasing
B. Degaussing
C. Deleting
D. Purging
Answer: D
Purging is the most reliable method of the given choices. Purging overwrites the media with random bits multiple times and includes additional steps to ensure data is removed. While not an available answer choice, destruction of the drive is a more reliable method. Erasing or deleting processes rarely remove the data from media, but instead mark it for deletion. Solid state drives (SSDs) do not have magnetic flux so degaussing an SSD doesn’t destroy data.
- Which of the following is the most secure method of deleting data on a DVD?
A. Formatting
B. Deleting
C. Destruction
D. Degaussing
Answer: C
Physical destruction is the most secure method of deleting data on optical media such as a DVD. Formatting and deleting processes rarely remove the data from any media. DVDs do not have magnetic flux so degaussing a DVD doesn’t destroy data.
- Which of the following does not erase data?
A. Clearing
B. Purging
C. Overwriting
D. Remanence
Answer: D
Data remanence refers to data remnants that remain on a hard drive as residual magnetic flux. Clearing, purging, and overwriting are valid methods of erasing data.
- Which one of the following is based on Blowfish and helps protect against rainbow table attacks?
A. 3DES
B. AES
C. Bcrypt
D. SCP
Answer: C
Linux systems use bcrypt to encrypt passwords, and bcrypt is based on Blowfish. Bcrypt adds 128 additional bits as a salt to protect against rainbow table attacks. Advanced Encryption Standard (AES) and Triple DES (or 3DES) are separate symmetric encryption protocols, and neither one is based on Blowfish, or directly related to protecting against rainbow table attacks. Secure Copy (SCP) uses Secure Shell (SSH) to encrypt data transmitted over a network.
- Which one of the following would administrators use to connect to a remote server securely for administration?
A. Telnet
B. Secure File Transfer Protocol (SFTP)
C. Secure Copy (SCP)
D. Secure Shell (SSH)
Answer: D
SSH is a secure alternative to Telnet because it encrypts data transmitted over a network. In contrast, Telnet transmits data in cleartext. SFTP and SCP are good methods for transmitting sensitive data over a network, but not for administration purposes.
- Which one of the following tasks would a custodian most likely perform?
A. Access the data
B. Classify the data
C. Assign permissions to the data
D. Back up data
Answer: D
A data custodian performs day to day tasks to protect the integrity security of data and this includes backing it up. Users access the data. Owners classify the data. Administrators assign permissions to the data.
- Which one of the following data roles is most likely to assign permissions to grant users access to data?
A. Administrator
B. Custodian
C. Owner
D. User
Answer: A
The administrator assigns permissions based on the principles of least privilege and need to know. A custodian protects the integrity and security of the data. Owners have ultimate responsibility for the data and ensure that it is classified properly, and owners provide guidance to administrators on who can have access, but owners do not assign permissions. Users simply access the data.
- Which of the following best defines “rules of behavior” established by a data owner?
A. Ensuring users are granted access to only what they need
B. Determining who has access to a system
C. Identifying appropriate use and protection of data
D. Applying security controls to a system
Answer: C
The rules of behavior identify the rules for appropriate use and protection of data. Least privilege ensures users are granted access to only what they need. A data owner determines who has access to a system, but that is not rules of behavior. Rules of behavior apply to users, not systems or security controls.
- Within the context of the European Union (EU) Data Protection law, what is a data processor?
A. The entity that processes personal data on behalf of the data controller
B. The entity that controls processing of data
C. The computing system that processes data
D. The network that processes data
Answer: A
The EU Data Protection law defines a data processor as “a natural or legal person which processes personal data solely on behalf of the data controller.” The data controller is the entity that controls processing of the data and directs the data processor. Within the context of the EU Data Protection law, the data processor is not a computing system or network.