Chapter 5: Protecting Security of Assets

Question 1

Any data that helps an organization maintain a competitive edge

Answer 1

Proprietary data

Question 2

Value of the data to the organization and is critical to protect data confidentiality and integrity.

Answer 2

data classification

Question 3

Unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.”

Answer 3

Top secret

Question 4

Unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security

Answer 4

Secret

Question 5

Unauthorized disclosure of which reasonably could be expected to cause damage to the national security

Answer 5

Confidential

Question 6

Any data that doesn’t meet one of the descriptions for top secret, secret, or confidential data

Answer 6

Unclassified

Question 7

The entity that applies the original classification to the sensitive data, and strict rules identify who can do so

Answer 7

Classification authority

Question 8

Any information that isn’t public or unclassified.

Answer 8

Sensitive information

Question 9

Similar to unclassified data

Answer 9

Public data

Question 10

Data that should stay private within the organization but that doesn’t meet the definition of confidential or proprietary data

Answer 10

Private data

Question 11

The highest level of classified data

Answer 11

Confidential or Proprietary data

Question 12

Any data stored on media such as system hard drives, solid-state drives (SSDs), external USB drives, storage area networks (SANs), and backup tapes

Answer 12

Data at Rest

Question 13

Any data transmitted over a network

Answer 13

Data in Transit

Question 14

Data in memory or temporary storage buffers while an application is using it

Answer 14

Data in Uses

Question 15

The best way to protect the confidentiality of data is to use _________ protocols

Answer 15

strong encryption

Question 16

A physical security control and means that systems and cables from the classified network never physically touch systems and cables from the unclassified network.

Answer 16

Air gapped

Question 17

Attempt to detect and block data exfiltration attempts. These systems have the capability of scanning unencrypted data looking for keywords and data patterns.

Answer 17

Data loss prevention (DLP)

Question 18

There are two primary types of DLP systems:

Answer 18

Network-Based DLP and Endpoint-Based DLP

Question 19

Labeling sensitive information ensures that users can easily identify the classification level of any data.

Answer 19

Marking

Question 20

True or False:

If media or a computing system needs to be downgraded to a less sensitive classification, it must be sanitized using appropriate procedures

Answer 20

True

Question 21

Data that remains on media after the data was supposedly erased.

Answer 21

Data remanence

Question 22

The unused space within a disk cluster

Answer 22

Slack space

Question 23

Generates a heavy magnetic field, which realigns the magnetic fields in magnetic media such as traditional hard drives, magnetic tape, and floppy disk drives.

Answer 23

Degausser

Question 24

True of False:

A degausser will remove all data remanence on an SSD

Answer 24

False

They are only effective on magnetic media

Question 25

True or False:

The best way to destroy a SSD is by destruction using an approved disintegrator

Answer 25

True

Question 26

Performing a delete operation against a file, a selection of files, or the entire media.

Answer 26

Erasing

Question 27

Process of preparing media for reuse and ensuring that the cleared data cannot be recovered using traditional recovery tools.

Answer 27

Clearing or Overwriting

Question 28

A more intense form of clearing that prepares media for reuse in less secure environments. It provides a level of assurance that the original data is not recoverable using any known methods.

Answer 28

Purging

Question 29

Ensuring that the media cannot be reused or repaired and that data cannot be extracted from the destroyed media.

Answer 29

Destruction

Question 30

Destroying the cryptographic key

Answer 30

Cryptographic Erasure

Question 31

Retaining and maintaining important information as long as it is needed and destroying it when it is no longer needed

Answer 31

Record retention

Question 32

True or False:

Pseudonymization is most useful when releasing a dataset to a third party (such as researchers aggregating data) without releasing any privacy data to the third party. Tokenization allows a third party (such as a credit card processor) to know the token and the original data.

Answer 32

True

Question 33

A license grants access to a product and defines the terms of use.

Answer 33

DRM License

Question 34

Requires a system to be connected with the internet to use a product.

Answer 34

Persistent Online Authentication

Question 35

Use of a token, typically a random string of characters, to replace other data.

Answer 35

Tokenization

Question 36

Process of removing all relevant data so that it is theoretically impossible to identify the original subject or person.

Answer 36

Anonymization

Question 37

The person who has ultimate organizational responsibility for data.

Answer 37

data owner

Question 38

The person who owns the asset or system that processes sensitive data.

Answer 38

asset owner

Question 39

Any system used to process data

Answer 39

data processor

Question 40

The person or entity that controls the processing of the data.

Answer 40

data controller

Question 41

Helps protect the integrity and security of data by ensuring that it is properly stored and protected.

Answer 41

data custodian

Question 42

A person who can be identified through an identifier, such as a name, identification number, or other means.

Answer 42

data subject

Question 43

Provides a starting point and ensure a minimum security standard.

Answer 43

Baseline

Question 44

What are the 4 baselines according to NIST SP 800-53B, “Control Baselines for Information Systems and Organizations”?

Answer 44

Low-Impact Baseline:
Controls in this baseline are recommended if a loss of confidentiality, integrity, or availability will have a low impact on the organization’s mission.

Moderate-Impact Baseline: Controls in this baseline are recommended if a loss of confidentiality, integrity, or availability will have a moderate impact on the organization’s mission.

High-Impact Baseline:
Controls in this baseline are recommended if a loss of confidentiality, integrity, or availability will have a high impact on the organization’s mission.

Privacy Control Baseline:
This baseline provides an initial baseline for any systems that process PII. Organizations may combine this baseline with one of the other baselines.

Question 45

A part of the tailoring process and refers to reviewing a list of baseline security controls and selecting only those controls that apply to the IT systems you’re trying to protect.

Answer 45

scoping