Chapter 2 Flashcards
Which of the following statements is true about the information life cycle?
A. The information life cycle begins with its archival and ends with its classification.
B. Most information must be retained indefinitely.
C. The information life cycle begins with its acquisition/creation and ends with its disposal/destruction.
D. Preparing information for use does not typically involve adding metadata to it.
C. Although various information life-cycle models exist, they all begin with the creation or acquisition of the information and end with its ultimate disposal (typically destruction).
Ensuring data consistency is important for all the following reasons, except
A. Replicated data sets can become desynchronized.
B. Multiple data items are commonly needed to perform a transaction.
C. Data may exist in multiple locations within our information systems.
D. Multiple users could attempt to modify data simultaneously.
B. Although it is typically true that multiple data items are needed for a transaction, this has much less to do with the need for data consistency than do the other three options. Consistency is important because we oftentimes keep multiple copies of a given data item.
Which of the following makes the most sense for a single organization’s classification levels for data?
A. Unclassified, Secret, Top Secret
B. Public, Releasable, Unclassified
C. Sensitive, Sensitive But Unclassified (SBU), Proprietary
D. Proprietary, Trade Secret, Private
A. This is a typical set of classification levels for government and military organizations. Each of the other options has at least two terms that are synonymous or nearly synonymous.
Which of the following is the most important criterion in determining the classification of data?
A. The level of damage that could be caused if the data were disclosed
B. The likelihood that the data will be accidentally or maliciously disclosed
C. Regulatory requirements in jurisdictions within which the organization is not operating
D. The cost of implementing controls for the data
A. There are many criteria for classifying information, but it is most important to focus on the value of the data or the potential loss from its disclosure. The likelihood of disclosure, irrelevant jurisdictions, and cost considerations should not be central to the classification process.
The effect of data aggregation on classification levels is best described by which of the following?
A. Data classification standards apply to all the data within an organization.
B. Aggregation is a disaster recovery technique with no effect on classification.
C. A low-classification aggregation of data can be deconstructed into higher-classification data items.
D. Items of low-classification data combine to create a higher-classification set.
D. Data aggregation can become a classification issue whenever someone can combine data items and end up with a higher-classification aggregate. For instance, a person’s name, address, phone number, or date of birth are normally not PII by themselves. However, when combined, they do become PII under the definition of most jurisdictions with applicable laws.
Who bears ultimate responsibility for the protection of assets within the organization?
A. Data owners
B. Cyber insurance providers
C. Senior management
D. Security professionals
C. Senior management always carries the ultimate responsibility for the organization.
During which phase or phases of the information life cycle can cryptography be an effective control?
A. Use
B. Archival
C. Disposal
D. All the above
D. Cryptography can be an effective control at every phase in the information life cycle. During information acquisition, a cryptographic hash can certify its integrity. When sensitive information is in use or in archives, encryption can protect it from unauthorized access. Finally, encryption can be an effective means of destroying the data.
A transition into the disposal phase of the information life cycle is most commonly triggered by:
A. Senior management
B. Insufficient storage
C. Acceptable use policies
D. Data retention policies
D. Data retention policies should be the primary reason for the disposal of most of our information. Senior management or lack of resources should seldom, if ever, be the reason we dispose of data, while acceptable use policies have little, if anything, to do with it.
Information classification is most closely related to which of the following?
A. The source of the information
B. The information’s destination
C. The information’s value
D. The information’s age
C. Information classification is very strongly related to the information’s value and/or risk. For instance, trade secrets that are the key to a business’s success are highly valuable, which will lead to a higher classification level. Similarly, information that could severely damage a company’s reputation presents a high level of risk and is similarly classified at a higher level.
The data owner is most often described by all of the following except:
A. Manager in charge of a business unit
B. Ultimately responsible for the protection of the data
C. Financially liable for the loss of the data
D. Ultimately responsible for the use of the data
C. The data owner is the manager in charge of a specific business unit and is ultimately responsible for the protection and use of a specific subset of information. In most situations, this person is not financially liable for the loss of his or her data.
Data at rest is commonly:
A. Using a RESTful protocol for transmission
B. Stored in registers
C. Being transmitted across the network
D. Stored in external storage devices
D. Data at rest is characterized by residing in secondary storage devices such as disk drives, DVDs, or magnetic tapes. Registers are temporary storage within the CPU and are used for data storage only when the data is being used.
Data in motion is commonly:
A. Using a RESTful protocol for transmission
B. Stored in registers
C. Being transmitted across the network
D. Stored in external storage devices
C. Data in motion is characterized by network or off-host transmission. The RESTful protocol, while pertaining to a subset of data on a network, is not as good an answer as option C.
Data in use is commonly:
A. Using a RESTful protocol for transmission
B. Stored in registers
C. Being transmitted across the network
D. Stored in external storage devices
B. Registers are used only while data is being used by the CPU, so when data is resident in registers, it is, by definition, in use.
Who has the primary responsibility of determining the classification level for information?
A. The functional manager
B. Senior management
C. The owner
D. The user
C. A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data. One of the responsibilities that goes into protecting this information is properly classifying it.
If different user groups with different security access levels need to access the same information, which of the following actions should management take?
A. Decrease the security level on the information to ensure accessibility and usability of the information.
B. Require specific written approval each time an individual needs to access the information.
C. Increase the security controls on the information.
D. Decrease the classification label on the information.
C. If data is going to be available to a wide range of people, more granular security should be implemented to ensure that only the necessary people access the data and that the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.