Chapter 2 Flashcards

1
Q

Which of the following statements is true about the information life cycle?

A. The information life cycle begins with its archival and ends with its classification.

B. Most information must be retained indefinitely.

C. The information life cycle begins with its acquisition/creation and ends with its disposal/destruction.

D. Preparing information for use does not typically involve adding metadata to it.

A

C. Although various information life-cycle models exist, they all begin with the creation or acquisition of the information and end with its ultimate disposal (typically destruction).

2
Q

Ensuring data consistency is important for all the following reasons, except

A. Replicated data sets can become desynchronized.

B. Multiple data items are commonly needed to perform a transaction.

C. Data may exist in multiple locations within our information systems.

D. Multiple users could attempt to modify data simultaneously.

A

B. Although it is typically true that multiple data items are needed for a transaction, this has much less to do with the need for data consistency than do the other three options. Consistency is important because we oftentimes keep multiple copies of a given data item.

3
Q

Which of the following makes the most sense for a single organization’s classification levels for data?

A. Unclassified, Secret, Top Secret

B. Public, Releasable, Unclassified

C. Sensitive, Sensitive But Unclassified (SBU), Proprietary

D. Proprietary, Trade Secret, Private

A

A. This is a typical set of classification levels for government and military organizations. Each of the other options has at least two terms that are synonymous or nearly synonymous.

4
Q

Which of the following is the most important criterion in determining the classification of data?

A. The level of damage that could be caused if the data were disclosed

B. The likelihood that the data will be accidentally or maliciously disclosed

C. Regulatory requirements in jurisdictions within which the organization is not operating

D. The cost of implementing controls for the data

A

A. There are many criteria for classifying information, but it is most important to focus on the value of the data or the potential loss from its disclosure. The likelihood of disclosure, irrelevant jurisdictions, and cost considerations should not be central to the classification process.

5
Q

The effect of data aggregation on classification levels is best described by which of the following?

A. Data classification standards apply to all the data within an organization.

B. Aggregation is a disaster recovery technique with no effect on classification.

C. A low-classification aggregation of data can be deconstructed into higher-classification data items.

D. Items of low-classification data combine to create a higher-classification set.

A

D. Data aggregation becomes a classification issue whenever someone can combine individually low-classification items into a higher-classification aggregate. For instance, a person’s name, address, phone number, or date of birth may each be of limited sensitivity on its own. When combined, the set identifies a specific individual and becomes PII under the definition used by most jurisdictions with applicable laws.

6
Q

Who bears ultimate responsibility for the protection of assets within the organization?

A. Data owners

B. Cyber insurance providers

C. Senior management

D. Security professionals

A

C. Senior management always carries the ultimate responsibility for the organization.

7
Q

During which phase or phases of the information life cycle can cryptography be an effective control?

A. Use

B. Archival

C. Disposal

D. All the above

A

D. Cryptography can be an effective control at every phase in the information life cycle. During information acquisition, a cryptographic hash recorded at intake lets later changes or corruption be detected. When sensitive information is in use or in archives, encryption protects it from unauthorized access. Finally, if the data was stored only in encrypted form, destroying every copy of the key (cryptographic erasure, or “crypto-shredding”) renders all copies of the ciphertext unrecoverable, including backups and replicas that would be hard to overwrite individually.
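The three uses named above, as an added example that is not part of the original page: a hash taken at acquisition, encryption while the record is stored, and key destruction at disposal. It uses only the Python standard library, so the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag; that construction, the `KeyVault` class and the sample record are assumptions for illustration, and a real system would use AES-GCM from a vetted library and a hardware-backed key store.

```python
"""Added example (not from the original page): cryptography at acquisition,
storage and disposal. Standard library only; the HMAC-based stream cipher is a
portability stand-in, not a recommendation. Use AES-GCM in practice."""
import hashlib
import hmac
import secrets
from typing import Optional


def fingerprint(data: bytes) -> str:
    """Acquisition: record a SHA-256 digest so tampering or corruption is detectable later."""
    return hashlib.sha256(data).hexdigest()


def verify(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the stored digest against a fresh one."""
    return hmac.compare_digest(fingerprint(data), expected_hex)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one master key (domain separation)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode PRF keystream: block_i = HMAC-SHA256(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Use/archival: protect stored data. Output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reject any blob whose tag does not verify before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class KeyVault:
    """Hypothetical key holder. Disposal = destroying this key, which makes every copy
    of the ciphertext (backups, replicas, archives) unrecoverable at once."""

    def __init__(self) -> None:
        self._key: Optional[bytes] = secrets.token_bytes(32)

    def key(self) -> bytes:
        if self._key is None:
            raise PermissionError("key has been destroyed (crypto-shredded)")
        return self._key

    def shred(self) -> None:
        self._key = None


def lifecycle_demo() -> dict:
    """Walk one constructed record through acquisition, storage and disposal."""
    record = b"patient 4711: allergy to penicillin"  # constructed sample data
    digest = fingerprint(record)                       # acquisition
    vault = KeyVault()
    stored = encrypt(vault.key(), record)              # use / archival
    round_trip = decrypt(vault.key(), stored) == record and verify(record, digest)
    vault.shred()                                      # disposal
    try:
        decrypt(vault.key(), stored)
        recoverable = True
    except PermissionError:
        recoverable = False
    return {"round_trip": round_trip, "recoverable_after_shred": recoverable}


if __name__ == "__main__":
    print(lifecycle_demo())
```

The point of `KeyVault.shred` is that disposal does not require locating and overwriting every copy of the data; it requires proving that no copy of the key survives, which is why key custody and key backup policy matter as much as the cipher itself.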

8
Q

A transition into the disposal phase of the information life cycle is most commonly triggered by:

A. Senior management

B. Insufficient storage

C. Acceptable use policies

D. Data retention policies

A

D. Data retention policies should be the primary reason for the disposal of most of our information. Senior management or lack of resources should seldom, if ever, be the reason we dispose of data, while acceptable use policies have little, if anything, to do with it.

9
Q

Information classification is most closely related to which of the following?

A. The source of the information

B. The information’s destination

C. The information’s value

D. The information’s age

A

C. Information classification is very strongly related to the information’s value and/or risk. For instance, trade secrets that are the key to a business’s success are highly valuable, which will lead to a higher classification level. Similarly, information that could severely damage a company’s reputation presents a high level of risk and is similarly classified at a higher level.

10
Q

The data owner is most often described by all of the following except:

A. Manager in charge of a business unit

B. Ultimately responsible for the protection of the data

C. Financially liable for the loss of the data

D. Ultimately responsible for the use of the data

A

C. The data owner is the manager in charge of a specific business unit, and is ultimately responsible for the protection and use of a specific subset of information. In most situations, this person is not financially liable for the loss of his or her data.

11
Q

Data at rest is commonly:

A. Using a RESTful protocol for transmission

B. Stored in registers

C. Being transmitted across the network

D. Stored in external storage devices

A

D. Data at rest is characterized by residing in secondary storage devices such as disk drives, DVDs, or magnetic tapes. Registers are temporary storage within the CPU and are used for data storage only when the data is being used.

12
Q

Data in motion is commonly

A. Using a RESTful protocol for transmission

B. Stored in registers

C. Being transmitted across the network

D. Stored in external storage devices

A

C. Data in motion is characterized by network or off-host transmission. REST is an architectural style for web APIs rather than a transport protocol; it describes only a subset of network traffic, so it is not as good an answer as option C.

13
Q

Data in use is commonly

A. Using a RESTful protocol for transmission

B. Stored in registers

C. Being transmitted across the network

D. Stored in external storage devices

A

B. Registers are used only while data is being used by the CPU, so when data is resident in registers, it is, by definition, in use.

14
Q

Who has the primary responsibility of determining the classification level for information?

A. The functional manager

B. Senior management

C. The owner

D. The user

A

C. A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data. One of the responsibilities that goes into protecting this information is properly classifying it.

15
Q

If different user groups with different security access levels need to access the same information, which of the following actions should management take?

A. Decrease the security level on the information to ensure accessibility and usability of the information.

B. Require specific written approval each time an individual needs to access the information.

C. Increase the security controls on the information.

D. Decrease the classification label on the information.

A

C. If data is going to be available to a wide range of people, more granular security should be implemented to ensure that only the necessary people access the data and that the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.

16
Q

What should management consider the most when classifying data?

A. The type of employees, contractors, and customers who will be accessing the data

B. Availability, integrity, and confidentiality

C. Assessing the risk level and disabling countermeasures

D. The access controls that will be protecting the data

A

B. The best answer to this question is B, because to properly classify data, the data owner must evaluate the availability, integrity, and confidentiality requirements of the data. Once this evaluation is done, it will dictate which employees, contractors, and users can access the data, which is expressed in answer A. This assessment will also help determine the controls that should be put into place.

17
Q

Who is ultimately responsible for making sure data is classified and protected?

A. Data owners

B. Users

C. Administrators

D. Management

A

D. The key to this question is the use of the word “ultimately.” Though management can delegate tasks to others, it is ultimately responsible for everything that takes place within a company. Therefore, it must continually ensure that data and resources are being properly protected.

18
Q

Which of the following requirements should the data retention policy address?

A. Legal

B. Regulatory

C. Operational

D. All the above

A

D. The data retention policy should follow the laws of any jurisdiction within which the organization’s data resides. It must similarly comply with any regulatory requirements. Finally, the policy must address the organization’s operational requirements.

19
Q

Which of the following is not addressed by the data retention policy?

A. What data to keep

B. For whom data is kept

C. How long data is kept

D. Where data is kept

A

B. The data retention policy should address what data to keep, where to keep it, how to store it, and for how long to keep it. The policy is not concerned with “for whom” the data is kept.

20
Q

Which of the following best describes an application of cryptography to protect data at rest?

A. VPN

B. Degaussing

C. Whole-disk encryption

D. Up-to-date antivirus software

A

C. Data at rest is best protected by whole-disk encryption on user workstations and mobile computers. A VPN protects data in motion, antivirus software is not a cryptographic control, and degaussing destroys data at rest rather than protecting it.

21
Q

Which of the following best describes an application of cryptography to protect data in motion?

A. Testing software against side-channel attacks

B. TLS

C. Whole-disk encryption

D. EDLP

A

B. Data in motion is best protected by network encryption solutions such as TLS, a VPN, or IPsec. Whole-disk encryption protects data at rest, endpoint DLP (EDLP) is a monitoring control rather than an application of cryptography, and side-channel testing concerns the implementation of cryptography rather than its use to protect traffic.

22
Q

Which of the following best describes the mitigation of data remanence by a physical destruction process?

A. Replacing the 1’s and 0’s that represent data on storage media with random or fixed patterns of 1’s and 0’s

B. Converting the 1’s and 0’s that represent data with the output of a cryptographic function

C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes

D. Exposing storage media to caustic or corrosive chemicals that render it unusable

A

D. Two of the most common approaches to destroying data physically involve shredding the storage media or exposing it to corrosive or caustic chemicals. In certain highly sensitive government organizations, these approaches are used in tandem to make the risk of data remanence negligible.

23
Q

Which of the following best describes the mitigation of data remanence by a degaussing destruction process?

A. Replacing the 1’s and 0’s that represent data on storage media with random or fixed patterns of 1’s and 0’s

B. Converting the 1’s and 0’s that represent data with the output of a cryptographic function

C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes

D. Exposing storage media to caustic or corrosive chemicals that render it unusable

A

C. Degaussing is typically accomplished by exposing magnetic media (such as hard disk drives or magnetic tapes) to powerful magnetic fields in order to change the orientation of the particles that physically represent 1’s and 0’s.

24
Q

Which of the following best describes the mitigation of data remanence by an overwriting process?

A. Replacing the 1’s and 0’s that represent data on storage media with random or fixed patterns of 1’s and 0’s

B. Converting the 1’s and 0’s that represent data with the output of a cryptographic function

C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes

D. Exposing storage media to caustic or corrosive chemicals that render it unusable

A

A. Data remanence can be mitigated by overwriting every bit on the storage medium. This is normally accomplished by writing all 0’s, or all 1’s, a fixed pattern of them, or a random sequence of them. Repeating the process with different patterns was historically recommended for older magnetic media. Overwriting is not reliable on flash-based media (SSDs, USB sticks), where wear levelling and spare blocks keep copies the host cannot address; for those, cryptographic erasure or physical destruction is the appropriate technique.
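The overwriting process above, as an added example that is not part of the original page: every byte of a file is overwritten once per pattern (zeros, ones, 0x55, 0xAA, then random), each pass is flushed to the device with `fsync`, and a final scan checks that no slice of the original content survives. The file, its contents and the pattern list are constructed for the example. The caveat from the answer applies to this code too: it reaches only the blocks the filesystem currently maps to the file, so on flash media or on journaling and copy-on-write filesystems older copies may remain.

```python
"""Added example (not from the original page): sanitize a file by multi-pass
overwrite and verify no residue remains. Reaches only the currently mapped
blocks; not sufficient on SSDs or copy-on-write filesystems."""
import os
import secrets
import tempfile

# Constructed pattern list; None means a fresh random byte string for that pass.
PASSES = [b"\x00", b"\xff", b"\x55", b"\xaa", None]


def overwrite_file(path: str, passes=PASSES, chunk: int = 64 * 1024) -> int:
    """Overwrite every byte of `path` in place, once per pattern. Returns the pass count."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:   # unbuffered so each write reaches the OS
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                block = secrets.token_bytes(n) if pattern is None else pattern * n
                fh.write(block)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # push this pass to the device, not just the page cache
    return len(passes)


def residue_found(path: str, original: bytes, window: int = 16) -> bool:
    """True if any `window`-byte slice of the original content still appears in the file."""
    with open(path, "rb") as fh:
        current = fh.read()
    return any(original[i:i + window] in current
               for i in range(0, max(1, len(original) - window + 1)))


def sanitize_demo() -> dict:
    """Create a constructed sensitive file, overwrite it, verify, then unlink it."""
    original = b"ACCOUNT=4111-1111-1111-1111;SECRET=hunter2\n" * 200  # constructed content
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ledger.txt")
        with open(path, "wb") as fh:
            fh.write(original)
        before = residue_found(path, original)
        passes = overwrite_file(path)
        after = residue_found(path, original)
        size_after = os.path.getsize(path)
        os.remove(path)   # unlink only after the contents have been overwritten
    return {
        "passes": passes,
        "residue_before": before,
        "residue_after": after,
        "size_unchanged": size_after == len(original),
    }


if __name__ == "__main__":
    print(sanitize_demo())
```

Deleting the file first would be a mistake: unlinking releases the blocks without touching them, so the overwrite has to happen while the file still maps to its original storage. The verification step is also what distinguishes a sanitization procedure from a hopeful one; on media where the check cannot be performed against the physical blocks, fall back to cryptographic erasure or destruction as the answer notes.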