CISSP Domain 2: Data Security Controls and Compliance Requirements Flashcards

1
Q

What is Data State?

A

different states or phases that data can exist in throughout its lifecycle

2
Q

What are the different data states?

A
  • Data at Rest
  • Data in Transit
  • Data in Use
3
Q

Describe Data at Rest.
What are the security considerations?

A
  • data that is stored or saved in a fixed location, such as a hard drive, database, or any other persistent storage medium
  • security considerations:
    • Encryption
    • Access Controls
    • Secure Storage
4
Q

Describe Data in Transit.
What are the security considerations?

A
  • data that is being transmitted or transferred between systems or networks
  • security considerations:
    • Encryption
    • Network Segmentation
    • Authentication and Authorization
5
Q

Describe Data in Use.
What are the security considerations?

A
  • data that is actively being processed, accessed, or manipulated by applications, users, or system processes
  • includes data being viewed on a computer screen, processed by applications, or manipulated within memory
  • security considerations:
    • Access Controls
    • Endpoint Protection
    • Secure Disposal
      • secure disposal of data in use, such as clearing temporary files or wiping volatile memory, helps prevent residual data from being accessible after its intended use
6
Q

What is Scoping?

A
  • involves defining the boundaries and extent of the security controls within an organization
  • essential to establish the scope of security controls to ensure that they are appropriately applied and aligned with the organization’s requirements and objectives
7
Q

What are the scoping considerations?

A
  • Organizational Boundaries
    • identify the organizational units, departments, or systems that are included within the scope of the security controls
  • Legal and Regulatory Requirements
    • determine the specific legal, regulatory, or contractual obligations that impact the scope of security controls
  • Assets and Systems
    • identify the critical assets, information systems, and data that need to be protected
  • Interfaces and Dependencies
    • consider the external interfaces and dependencies that impact the security of the organization’s systems and assets
  • Business Processes
    • analyze the business processes that require protection and evaluate their impact on the scope of security controls
8
Q

What is Tailoring?

A
  • customizing the security controls to suit the specific needs, risks, and characteristics of an organization
  • recognizes that a one-size-fits-all approach may not be suitable or feasible for every organization
9
Q

What are the Tailoring considerations?

A
  • Risk Assessment
    • conduct a risk assessment to identify and prioritize the specific risks faced by the organization
  • Risk Appetite
    • consider the organization’s risk appetite and tolerance levels when selecting and implementing security controls
  • Business Requirements
    • take into account the unique business requirements, operational needs, and objectives of the organization
  • Cost and Feasibility
    • evaluate the cost and feasibility of implementing certain security controls based on available resources, budget constraints, and technical capabilities
  • Compliance Obligations
    • consider any specific compliance obligations or industry-specific standards that impact the customization and implementation of security controls
  • Emerging Threats and Technologies
    • stay updated on emerging threats, vulnerabilities, and technological advancements to ensure that security controls remain relevant and effective
10
Q

What is a data protection method?

A

techniques and technologies employed to safeguard data and prevent unauthorized access, loss, or misuse

11
Q

What’s Digital Rights Management (DRM)?

A

managing and enforcing access controls and usage rights for digital content

12
Q

What are Digital Rights Management (DRM) technologies used for?

A

protect copyrighted materials, such as music, movies, e-books, and software

13
Q

What’s DLP?

A
  • Data Loss Prevention
  • set of technologies and practices designed to prevent unauthorized disclosure, leakage, or loss of sensitive data
  • focuses on identifying, classifying, and monitoring sensitive information within an organization to ensure its protection
14
Q

What are the functions of DLP?

A
  • Data Discovery and Classification
  • Policy Enforcement
  • Data Leakage Detection
  • Incident Response
15
Q

What does CASB stand for?

A

Cloud Access Security Broker

16
Q

What is CASB?

A
  • security control technology that acts as an intermediary between cloud service users and cloud service providers
  • helps organizations maintain security and control over data and applications stored in cloud environments
17
Q

What are the security benefits that a CASB provides?

A
  • Visibility and Monitoring
  • Data Encryption and Tokenization
  • Access Control and Authentication
  • Threat Detection and Prevention
  • Compliance and Policy Enforcement
18
Q

What’s pseudonymization?

A
  • uses pseudonyms to represent other data
  • when performed effectively, it can result in less stringent requirements than would otherwise apply under GDPR
19
Q

What type of encryption may allow working on encrypted data?

A

homomorphic encryption

20
Q

What organization tracks data breaches?

A

Identity Theft Resource Center (ITRC)

21
Q

What are the 2 types of DLP protection?

A
  1. network-based
  2. endpoint-based
22
Q

What’s the reason personnel should never work on classified data on an unclassified system?

A

some OSes fill slack space with data from memory; if a user worked on a top secret file a moment ago and then creates a small unclassified file, the small file might contain top secret data pulled from memory

23
Q

What tools can be used to hide data within slack space?

A

bmap on Linux and Slacker on Windows

24
Q

When is pseudonymization most useful?

A

when releasing a data set to a third party without releasing any private data to the third party

25
Q

What’s anonymization?

A
  • replaces private data with useful but inaccurate data
  • data set can be shared and used for analysis purposes, but individual identities are removed
  • is permanent
26
Q

What’s the difference between scoping and tailoring?

A
  • scoping focuses on security of the system
  • tailoring assures that selected controls align with the business mission
  • scoping is part of tailoring
27
Q

How can a data retention policy help to reduce liabilities?

A

by ensuring unneeded data isn’t retained

28
Q

An encryption key needs to be secured; which location is the most difficult to protect if the key is kept and used there?

A

active memory, as the data needs to be decrypted to be used

29
Q

What method provides the most complete list of connected devices to identify all the active systems and devices on the network?

A

using network logs to identify all connected devices and track them from there

30
Q

During what phase of the electronic discovery process does an organization perform a rough cut of the information gathered to discard irrelevant information?

A

Processing

31
Q

What does an organization need to ensure in the Preservation phase of the electronic discovery process?

A

the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion

32
Q

What happens in the identification phase of the electronic discovery process?

A

the identification phase locates relevant information but does not preserve it

33
Q

What happens in the collection phase of the electronic discovery process?

A

it occurs after preservation and gathers responsive information

34
Q

Which of the data management security controls is most likely driven by a legal requirement?

A

record retention policies define the amount of time to keep data, and laws or regulations often drive these policies