Chap 2 - Information asset security

Question 1

what are assets

Answer 1

• people
• process / know-how
• facilities
• equipment
• retained knowledge

Question 2

tangible assets

Answer 2

physical existence

Question 3

intangible assets

Answer 3

exist in mind (e.g., brand)

Question 4

IT asset mgmt lifecycle

Answer 4

1. plan
2. assign security needs
3. acquire
4. deploy
5. manage
6. retire

Question 5

how to assign security needs to asset

Answer 5

either qualitative or quantitative.
the security needs first looks at classifying & categorizing the asset based on HARM to organization if hit

Question 6

what is asset classification

Answer 6

process of recognizing the impact of asset if compromise based on CIA triad

Question 7

what is asset categorization

Answer 7

process of grouping sets of data, information, knowledge that have comparable sensitivity –> similar security needs

Question 8

what should classification/categorization policy include

Answer 8

1. data classification/categorization -> criteria & process
2. data access -> define role of subject who can access data
3. data security -> generally available or restricted data by default
4. data retention -> data retained for period of time (e.g., law -> telcos)
5. data disposal -> printed VS digital
6. data encryption -> if need to be encrypted and how
7. appropriate use of data -> how to use the data

Question 9

what are data sensitivity levels (classic)

Answer 9

1. highly restricted
2. moderately restricted
3. low sensitivity / internal use
4. unrestricted/ public

Question 10

what are key issues related to classification & categorization

Answer 10

1. responsibility
2. accountability

Question 11

what is the data security lifecycle

Answer 11

1. creating
2. storing
3. using
4. sharing
5. archiving
6. disposing

Question 12

what are the key data roles (people)

Answer 12

1. data subject -> individual who describe/identify by data
2. data owner -> accountable for determining the value of the data
3. data controller -> in absence of controller, he is accountable
4. data steward -> responsible for the data content
5. data processor -> entities that process data on behalf of controller
6. data custodian -> responsible for the protection of the data (security)

Question 13

what are the key data states

Answer 13

1. data at rest
2. data in motion (transit)
3. data in use

Question 14

what is the data lifecycle considerations

Answer 14

1. data collection
2. data location
3. data maintenance
4. data retention
5. data remanence -> use e.g., CPU
6. data destruction

Question 15

what are the 3 ways for data destruction

Answer 15

1. clearing -> overwrite data with random values also called “clobbering” or “zeroizing”
2. Purging -> perform a delete operation - NOTE data may be recoverable
3. physical destruction -> e.g. shred/destruct physically

Question 16

Main applicable type of controls for data security

Answer 16

1. administrative controls -> policies & procedures
2. technical/logical controls -> tech solutions
3. physical controls -> tangible mechanism e.g, fence/guards/lock…

Question 17

Security controls categories

Answer 17

1. directive controls -> policies & rules
2. deterrent controls -> reduce likelihood of unwanted activity
3. preventive control -> prevent activity from happening
4. compensating controls -> mitigate the effect of unwanted activity
5. detective control -> recognize or discover hostile activities
6. corrective controls -> react to situation to remedy/restore operations
7. recovery controls -> restore operations

Question 18

why establishing a data security baseline

Answer 18

security baseline is the minimum level of protection as a reference point -> minimum understood & acceptable level of security requirements

definition of the minimum level of protection that is required to protect valuable assets

Question 19

what are the security generally accepted principles

Answer 19

1. info system security objectives
2. prevent, detect, respond & recover
3. protection of info while being processed, transit and stored
4. external system assumed to be unsecured
5. resilience for critical info system
6. auditability and accountability

Question 20

what is the difference between security control scoping & tailoring

Answer 20

scoping: limiting the general baseline to remove inapplicable controls

tailoring: involves scoping to further match organization which gives the FLEXIBILITY needed to avoid COMPLEX & COSTY assessment while meeting requirements

Question 21

what is accountability

Answer 21

ensure the account mgmt has assurance that only authorized users have access & using properly

Question 22

what is data defensible destruction

Answer 22

eliminating data using a controlled, legally defensible and regulatory compliant way

Question 23

Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she using to protect against it?

Answer 23

Sniffing, encryption

Question 24

What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs?

Answer 24

They may not be cleared, resulting in data remanence

Question 25

What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it?

Answer 25

Watermarks

Question 26

Chris is responsible for workstations throughout his company and knows that some of the company’s workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for?

Answer 26

Sanitization

Question 27

How should you determine what controls from the baseline a given system or software package should receive?

Answer 27

Select based on the data classification of the data it stores or handles

Question 28

Fred’s organization allows downgrading of systems for reuse after projects have been finished and the systems have been purged. What concern should Fred raise about the reuse of the systems from his Top Secret classified project for a future project classified as Secret?

Answer 28

The cost of the sanitization process may exceed the cost of new equipment

Question 29

Which of the following is the least effective method of removing data from media?

Answer 29

Erasing

Question 30

what is erasing data

Answer 30

Erasing, which describes a typical deletion process in many operating systems, typically removes only the link to the file, and leaves the data that makes up the file itself

Question 31

what is degaussing

Answer 31

Degaussing works only on magnetic media, but it can be quite effective on it

Question 32

Chris is responsible for his organization’s security standards and has guided the selection and implementation of a security baseline for Windows PCs in his organization. How can Chris most effectively make sure that the workstations he is responsible for are being checked for compliance and that settings are being applied as necessary?

Answer 32

Use Microsoft Group Policy

Question 33

What primary issue does personnel retention deal with?

Answer 33

Knowledge gained during employment

Question 34

what is the difference between data clearing and data purging

Answer 34

Clearing: data removed, but fragments are recoverable Purging: data removed, it is permanently gone --> degaussing is a form of purge

Question 35

Which of the following is not a part of the European Union’s Data Protection principles?

Answer 35

A. Notice B. Reason -> correct C. Security D. Access

Question 36

Susan works in an organization that labels all removable media with the classification level of the data it contains, including public data. Why would Susan’s employer label all media instead of labelling only the media that contains data that could cause harm if it was exposed?

Answer 36

It prevents reuse of public media for sensitive data.

Question 37

Charles has been asked to downgrade the media used for storage of private data for his organization. What process should Charles follow?

Answer 37

Follow the organization’s purging process, and then downgrade and replace labels.

Question 38

Susan needs to provide a set of minimum security requirements for email. What steps should she recommend for her organization to ensure that the email remains secure?

Answer 38

Sensitive email should be encrypted and labelled.

Question 39

What is the most important aspect of marking media?

Answer 39

Classification