CISSP Domain 2: Asset Security

Question 1

Remanence

Answer 1

Data that persists beyond noninvasive means to delete it

Question 2

Reference Monitor

Answer 2

Mediates all access between subjects and objects/

Question 3

Scoping

Answer 3

The process of determining which portions of a standard/baseline will be employed by an organization

Question 4

SSD

Answer 4

Solid State Drive: a combination of flash memory and (EEPROM) and DRAM

Question 5

Labels

Answer 5

Objects have labels. Subjects have clearances

Government: Top secret, Secret, Confidential

Private Sector: Confidential, internal Use Only, Public

Formal approval/ authorization to specific levels of information.

Question 6

Formal Access Approval

Answer 6

• Documented
• Access request approved by the Data Owner
• Approves subjects access to certain objects
• Subjects must understand all rules and requirements for access
• Best practices is that all access requests and access approvals are auditable

Question 7

Data Classification

Answer 7

Confidential, Internal Use, Public

• Defines sensitive information
• Data Handling Requirements
• Data storage requirements
• Data Retention requirements

Question 8

Data Owner

Answer 8

• Person responsible for or dependent upon the business process associated with an information asset.
• Knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.
• Determined the appropriate value and classification of information generated to business owner or department.
• Must communicate the information classification when the information is released to others
• Controls assess to their information and must be consulted when access is extended or modified
• Must communicated information classification to Data Custodian so that they can provide appropriate level of protection.

Question 9

Data Custodian

Answer 9

-Maintains the protection of data according to the information classification associated to the by the Data Owner

Question 10

Data User

Answer 10

• Any person, organization or entity that interacts with data for the purpose of performing and authorized task.
• Responsible for using data in a manner that is consistent with the purpose intended and in compliance with policy

Question 11

Data Controller

Answer 11

controls the processing of sensitive data within an organization

Question 12

Data Processors

Answer 12

processes data on behalf of data controllers

Question 13

Memory

Cache

Answer 13

-Cache; fast and close to CPU
. Level 1 cache - located on the CPU
. Level 2 cache - connected to the CPU

Question 14

Memory

RAM
DRAM
SRAM

Answer 14

-RAM: Random Access Memory
. Volatile
. Modules installed on slots on motherboard

-DRAM: Dynamic Random Access Memory
 . slower and cheaper
 . small capacitors to store bits
 . capacitors lose charge and must be continuously    
   refreshed

-SRAM: Static Random Access Memory
, Fast and expensive
. Latches called “flip flops” to store bits (data)
. Does not require refreshing

Question 15

Memory

ROM
PROM
EPROM
EEPROM
PLD

Answer 15

ROM: can be used to store firmware, configurations and small programs that do not change much

-PROM: (Programmable Read Only Memory)
. written once, usually by manufacturer

-EPROM: (Erasable Programmable Read Only Memory)
.can be “flashed”; usually with ultraviolet light

-EEPROM: (Electrically Erasable Programmable Read Only Memory)
. can be flashed “electrically”
. Flash memory

PLD: (Programmable Logic Device) field programmable device (EPROM EEPROM Flash)

Question 16

Data Destruction

Deleting
Overwriting
Clearing
Purging

Answer 16

-deleting a file only removed the entry from the FAT and marks the block as unallocated. Data still there
- reformatting only replaces old fat with new. Data still there
Data Remanence: data remaining after attempted delete or destruction

-Clearing, Overwriting shredding and wiping
.process of preparing media for reuse and ensuring that the cleared data cannot be recovered using traditional recovery tools.
. overwrites the data and removes the FAT entry
. secure overwrites each section of hard drive or media
. one pass in enough as long as each sector is overwritten

• Purging
  . a more intense form of clearing that prepares media for reuse in less secure environments. It provides a level of assurance that the original data is not recoverable using any known methods.

Question 17

Data Destruction

Physical

Answer 17

• most secure method of destroying data

- incineration, pulverization, shredding, acid

Question 18

Certification

Accreditation

Answer 18

Certification: the validation that a certain (owner-specified) security requirements have been met.

Accreditation: formal acceptance of the certification by the owner

Question 19

PCI-DSS

Answer 19

-only applies to Cardholder Data Environment
-Core principles include
.build and maintain a secure network and system
.protect cardholder data
.maintain vulnerability management program
. implement strong access control measures
. regularly monitor and test networks
. maintain an information security policy

Question 20

OCTAVE

Answer 20

Operationally Threat, Asset and Vulnerability Evaluation

• Risk management framework developed by Carnegie Melon

-3 phases for managing risk
. Phase 1- staff knowledge , assets and threats
. Phase 2- identify vulnerabilities and evaluate safeguards and
controls
. Phase 3- risk analysis and risk mitigation strategy

Question 21

ISO 17799 and 27000 Series

Answer 21

-broad flexible information security standard maintained by the International Organization for Standardization (ISO)

• derived from the British standard.
  . ISO 27001 - Information technology - Security Techniques
  . ISO 27002 - code of practice for information security management
  . ISO 27005 - information security risk management
  . ISO 27799 - information security management in health using ISO 27002

Question 22

COBIT

Answer 22

Control Objectives for Information and Related Technology

-4 Domains
 . Plan and Organize
 . Acquire and Implement
 . Deliver and Support
 . Monitor and Evaluate

Question 23

Tailoring

Answer 23

Modifying the list of security controls within a security standard/ baseline to align with the organization’s mission

Question 24

Proprietary Data

Answer 24

Proprietary data refers to any data that helps an organization maintain a competitive edge. It could be software code it developed, technical plans for products, internal processes, intellectual property, or trade secrets. If competitors can access the proprietary data, it can seriously affect the primary mission of an organization.

Question 25

Data Classification

Answer 25

• identifies the value of the data to the organization and is critical to protect data confidentiality and integrity.
• The policy identifies classification labels used within the organization.
• It also identifies how data owners can determine the proper classification and how personnel should protect data based on its classification.

Question 26

Data Loss Prevention

Answer 26

• systems attempt to detect and block data exfiltration attempts. These systems have the capability of scanning unencrypted data looking for keywords and data patterns
• Network-Based DLP A network-based DLP scans all outgoing data looking for specific data. Administrators place it on the edge of the network to scan all data leaving the organization.
• Endpoint-Based DLP An endpoint-based DLP can scan files stored on a system as well as files sent to external devices, such as printers.