CISSP Practice Test Chapter 2 Asset Security (Sybex) Flashcards

Question 1

Q

Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she most likely using to protect against it?

A. Man-in-the-middle, VPN
B. Packet injection, encryption
C. Sniffing, encryption
D. Sniffing, TEMPEST

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 26). Wiley. Kindle Edition.

Answer

A

C. Sniffing, encryption

Explanation:
Encryption is often used to protect traffic like bank transactions from sniffing. While packet injection and man-in-the-middle attacks are possible, they are far less likely to occur, and if a VPN were used, it would be used to provide encryption. TEMPEST is a specification for techniques used to prevent spying using electromagnetic emissions and wouldn’t be used to stop attacks at any normal bank.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 321). Wiley. Kindle Edition.

Question 2

Q

Control Objectives for Information and Related Technology (COBIT) is a framework for information technology (IT) management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls against business requirements?

A. Business owners
B. Data processors
C. Data owners
D. Data stewards

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 26). Wiley. Kindle Edition.

Answer

A

A. Business owners

Explanation:
Business owners have to balance the need to provide value with regulatory, security, and other requirements. This makes the adoption of a common framework like COBIT attractive. Data owners are more likely to ask that those responsible for control selection identify a standard to use. Data processors are required to perform specific actions under regulations like the EU GDPR. Finally, in many organizations, data stewards are internal roles that oversee how data is used.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 321-322). Wiley. Kindle Edition.

Question 3

Q

Nadia’s company is operating a hybrid cloud environment with some on-site systems and some cloud-based systems. She has satisfactory monitoring on-site, but needs to apply security policies to both the activities her users engage in and to report on exceptions with her growing number of cloud services. What type of tool is best suited to this purpose?

A. A NGFW
B. A CASB
C. An IDS
D. A SOAR

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 26). Wiley. Kindle Edition.

Answer

A

B. A CASB

Explanation:
The best option for Nadia is a cloud access security broker (CASB). A CASB is designed to sit between a cloud environment and the users who use it, and it provides monitoring and policy enforcement capabilities. A next-generation firewall (NGFW), an intrusion detection system (IDS), and a security operations and response (SOAR) tool could each provide some insight into what is going on, but they are not purpose built and designed for this like the CASB is. The NGFW and IDS are most likely to provide insight into traffic patterns and behaviors, while the SOAR is primarily intended to monitor other systems and centralize data for response, making it potentially the least useful in this specific scenario.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 322). Wiley. Kindle Edition.

Question 4

Q

When media is labeled based on the classification of the data it contains, what rule is typically applied regarding labels?

A. The data is labeled based on its integrity requirements.
B. The media is labeled based on the highest classification level of the data it contains.
C. The media is labeled with all levels of classification of the data it contains.
D. The media is labeled with the lowest level of classification of the data it contains.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 26). Wiley. Kindle Edition.

Answer

A

B. The media is labeled based on the highest classification level of the data it contains.

Explanation:
Media is typically labeled with the highest classification level of data it contains. This prevents the data from being handled or accessed at a lower classification level. Data integrity requirements may be part of a classification process but don’t independently drive labeling in a classification scheme.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 322). Wiley. Kindle Edition.

Question 5

Q

Which one of the following administrative processes assists organizations in assigning appropriate levels of security control to sensitive information?

A. Data classification
B. Remanence
C. Transmitting data
D. Clearing

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 26). Wiley. Kindle Edition.

Answer

A

A. Data classification

Explanation:
The need to protect sensitive data drives data classification. Classifying data allows organizations to focus on data that needs to be protected rather than spending effort on less important data. Remanence describes data left on media after an attempt is made to remove the data. Transmitting data isn’t a driver for an administrative process to protect sensitive data, and clearing is a technical process for removing data from media.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 322). Wiley. Kindle Edition.

Question 6

Q

How can a data retention policy help to reduce liabilities?

A. By ensuring that unneeded data isn’t retained
B. By ensuring that incriminating data is destroyed
C. By ensuring that data is securely wiped so it cannot be restored for legal discovery
D. By reducing the cost of data storage required by law

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 27). Wiley. Kindle Edition.

Answer

A

A. By ensuring that unneeded data isn’t retained

Explanation:
A data retention policy can help to ensure that outdated data is purged, removing potential additional costs for discovery. Many organizations have aggressive retention policies to both reduce the cost of storage and limit the amount of data that is kept on hand and discoverable. Data retention policies are not designed to destroy incriminating data, and legal requirements for data retention must still be met.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 322). Wiley. Kindle Edition.

Question 7

Q

Staff in an information technology (IT) department who are delegated responsibility for day-to-day tasks hold what data role?

A. Business owner
B. User
C. Data processor
D. Custodian

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 27). Wiley. Kindle Edition.

Answer

A

D. Custodian

Explanation:
Custodians are delegated the role of handling day-to-day tasks by managing and overseeing how data is handled, stored, and protected. Data processors are systems used to process data. Business owners are typically project or system owners who are tasked with making sure systems provide value to their users or customers.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 322). Wiley. Kindle Edition.

Question 8

Q

Helen’s company uses a simple data lifecycle as shown in the figure here. What stage should come first in their data lifecycle?

A. Data policy creation
B. Data labeling
C. Data collection
D. Data analysis

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 27). Wiley. Kindle Edition.

Answer

A

C. Data collection

Explanation:
C. In a typical data lifecycle, collection is the first stage. Once collected, data can be analyzed, used, stored, and disposed of at the end of its useful life. Policies may be created at any time, and organizations often have data before they have policies. Labels are added to data during the analysis, usage, or retention cycle.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 322). Wiley. Kindle Edition.

Question 9

Q

Ben has been tasked with identifying security controls for systems covered by his organization’s information classification system. Why might Ben choose to use a security baseline?

A. It applies in all circumstances, allowing consistent security controls.
B. They are approved by industry standards bodies, preventing liability.
C. They provide a good starting point that can be tailored to organizational needs.
D. They ensure that systems are always in a secure state.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 27). Wiley. Kindle Edition.

Answer

A

C. They provide a good starting point that can be tailored to organizational needs.

Explanation:
Security baselines provide a starting point to scope and tailor security controls to your organization’s needs. They aren’t always appropriate to specific organizational needs, they cannot ensure that systems are always in a secure state, and they do not prevent liability.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 322). Wiley. Kindle Edition.

Question 10

Q

Megan wants to prepare media to allow for its reuse in an environment operating at the same sensitivity level. Which of the following is the best option to meet her needs?

A. Clearing
B. Erasing
C. Purging
D. Sanitization

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 27). Wiley. Kindle Edition.

Answer

A

A. Clearing

Explanation:
A. Clearing describes preparing media for reuse. When media is cleared, unclassified data is written over all addressable locations on the media. Once that’s completed, the media can be reused. Erasing is the deletion of files or media and may not include all of the data on the device or media, making it the worst choice here. Purging is a more intensive form of clearing for reuse in lower-security areas, and sanitization is a series of processes that removes data from a system or media while ensuring that the data is unrecoverable by any means.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 322-323). Wiley. Kindle Edition.

Question 11

Q

Mikayla wants to identify data that should be classified that already exists in her environment. What type of tool is best suited to identifying data like Social Security numbers, credit card numbers, and similar well-understood data formats?

A. Manual searching
B. A sensitive data scanning tool
C. An asset metadata search tool
D. A data loss prevention system (DLP)

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 28). Wiley. Kindle Edition.

Answer

A

B. A sensitive data scanning tool

Explanation:
B. Sensitive data scanning tools are designed to scan for and flag sensitive data types using known formatting and structure. Social Security numbers, credit card numbers, and other regularly structured data that follows known rules can be identified and then addressed as needed. Manual searching is a massive undertaking for an organization with even a relatively small amount of data; asset metadata needs to be set first and would have already been identified; and a DLP system looks for data that is in transit using rules rather than hunting down data at rest and in storage.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 323). Wiley. Kindle Edition.

Question 12

Q

What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs?

A. They can be used to hide data.
B. They can only be degaussed.
C. They are not addressable, resulting in data remanence.
D. They may not be cleared, resulting in data remanence.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 28). Wiley. Kindle Edition.

Answer

A

D. They may not be cleared, resulting in data remanence.

Explanation:
Spare sectors, bad sectors, and space provided for wear leveling on SSDs (overprovisioned space) may all contain data that was written to the space that will not be cleared when the drive is wiped. This is a form of data remanence and is a concern for organizations that do not want data to potentially be accessible. Many wiping utilities only deal with currently addressable space on the drive. SSDs cannot be degaussed, and wear leveling space cannot be reliably used to hide data. These spaces are still addressable by the drive, although they may not be seen by the operating system.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 323). Wiley. Kindle Edition.

Question 13

Q

Naomi knows that commercial data is typically classified based on different criteria than government data. Which of the following is not a common criterion for commercial data classification?

A. Useful lifespan
B. Data value
C. Impact to national security
D. Regulatory or legal requirements

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 28). Wiley. Kindle Edition.

Answer

A

C. Impact to national security

Explanation:
Commercial data classification often takes into account the value of the data, any regulatory or legal requirements that may apply to the data, and how long the data is useful—its lifespan. The impact to national security is more typically associated with government classification schemes.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 323). Wiley. Kindle Edition.

Question 14

Q

For questions 14–16, please refer to the following scenario: Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations. What term best describes data that is resident in system memory?

A. Data at rest
B. Buffered data
C. Data in use
D. Data in motion

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 28). Wiley. Kindle Edition.

Answer

A

C. Data in use

Explanation:
C. Data is often considered based on the data state that it is in. Data can be at rest (on a drive or other storage medium), in use and thus in memory or a buffer and often decrypted for use, or in transit over a network. Data that is resident in system memory is considered data in use.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 323). Wiley. Kindle Edition.

Question 15

Q

What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it?

A. Classification
B. Symmetric encryption
C. Watermarks
D. Metadata

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 28). Wiley. Kindle Edition.

Answer

A

C. Watermarks

Explanation:
A watermark is used to digitally label data and can be used to indicate ownership, as well as to assist a digital rights management (DRM) system in identifying data that should be protected. Encryption would have prevented the data from being accessed if it was lost, while classification is part of the set of security practices that can help make sure the right controls are in place. Finally, metadata is used to label data and might help a data loss prevention system flag it before it leaves your organization.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 323). Wiley. Kindle Edition.

Question 16

Q

What type of encryption is best suited for use on the file servers for the proprietary data, and how might you secure the data when it is in motion?

A. TLS at rest and AES in motion
B. AES at rest and TLS in motion
C. VPN at rest and TLS in motion
D. DES at rest and AES in motion

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 29). Wiley. Kindle Edition.

Answer

A

B. AES at rest and TLS in motion

Explanation:
AES is a strong modern symmetric encryption algorithm that is appropriate for encrypting data at rest. TLS is frequently used to secure data when it is in transit. A virtual private network is not necessarily an encrypted connection and would be used for data in motion, while DES is an outdated algorithm and should not be used for data that needs strong security.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 323). Wiley. Kindle Edition.

Question 17

Q

What does labeling data allow a DLP system to do?

A. The DLP system can detect labels and apply appropriate protections based on rules.
B. The DLP system can adjust labels based on changes in the classification scheme.
C. The DLP system can modify labels to permit requested actions.
D. The DLP system can delete unlabeled data.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 29). Wiley. Kindle Edition.

Answer

A

A. The DLP system can detect labels and apply appropriate protections based on rules.

Explanation:
A. Data loss prevention (DLP) systems can use labels on data to determine the appropriate controls to apply to the data. Most DLP systems won’t modify labels in real time and typically don’t work directly with firewalls to stop traffic.
Deleting unlabeled data would cause big problems for organizations that haven’t labeled every piece of data!

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 323). Wiley. Kindle Edition.

Question 18

Q

Why is it cost effective to purchase high-quality media to contain sensitive data?

A. Expensive media is less likely to fail.
B. The value of the data often far exceeds the cost of the media.
C. Expensive media is easier to encrypt.
D. More expensive media typically improves data integrity.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 29). Wiley. Kindle Edition.

Answer

A

B. The value of the data often far exceeds the cost of the media.

Explanation:
The value of the data contained on media often exceeds the cost of the media, making more expensive media that may have a longer life span or additional capabilities like encryption support a good choice. While expensive media may be less likely to fail, the reason it makes sense is the value of the data, not just that it is less likely to fail. In general, the cost of the media doesn’t have anything to do with the ease of encryption, and data integrity isn’t ensured by better media.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 323-324). Wiley. Kindle Edition.

Question 19

Q

Chris is responsible for workstations throughout his company and knows that some of the company’s workstations are used to handle both proprietary information and highly sensitive trade secrets. Which option best describes what should happen at the end of their life (EOL) for workstations he is responsible for?

A. Erasing
B. Clearing
C. Sanitization
D. Destruction

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 29). Wiley. Kindle Edition.

Answer

A

D. Destruction

Explanation:
Destruction is the most complete method of ensuring that data cannot be exposed, and organizations often opt to destroy either the drive or the entire workstation or device to ensure that data cannot be recovered or exposed. Sanitization is a combination of processes that ensure that data from a system cannot be recovered by any means. Erasing and clearing are both prone to mistakes and technical problems that can result in remnant data and don’t make sense for systems that handled proprietary information.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 324). Wiley. Kindle Edition.

Question 20

Q

Fred wants to classify his organization’s data using common labels: private, sensitive, public, and proprietary. Which of the following should he apply to his highest classification level based on common industry practices?

A. Private
B. Sensitive
C. Public
D. Proprietary

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 29). Wiley. Kindle Edition.

Answer

A

D. Proprietary

Explanation:
D. Common practice makes proprietary or confidential data the most sensitive data. Private data is internal business data that shouldn’t be exposed but that doesn’t meet the threshold for confidential or proprietary data. Sensitive data may help attackers or otherwise create risk, and public data is just that—data that is or can be made public.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 324). Wiley. Kindle Edition.

Question 21

Q

What scenario describes data at rest?

A. Data in an IPsec tunnel
B. Data in an e-commerce transaction
C. Data stored on a hard drive
D. Data stored in RAM

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 29). Wiley. Kindle Edition.

Answer

A

C. Data stored on a hard drive

Explanation:
Data at rest is inactive data that is physically stored. Data in an IPsec tunnel or part of an e-commerce transaction is data in motion. Data in RAM is ephemeral and is not inactive.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 324). Wiley. Kindle Edition.

Question 22

Q

If you are selecting a security standard for a Windows 10 system that processes credit cards, what security standard is your best choice?

A. Microsoft’s Windows 10 security baseline
B. The CIS Windows 10 baseline
C. PCI DSS
D. The NSA Windows 10 Secure Host Baseline

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 30). Wiley. Kindle Edition.

Answer

A

C. PCI DSS

Explanation:
C. The Payment Card Industry Data Security Standard (PCI DSS) provides the set of requirements for credit card processing systems. The Microsoft, NSA, and CIS baseline are all useful for building a Windows 10 security standard, but the PCI DSS standard is a better answer.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 324). Wiley. Kindle Edition.

Question 23

Q

For questions 23–25, please refer to the following scenario:
The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Answer the following questions based on this decision.

The CIS benchmarks are an example of what practice?

A. Conducting a risk assessment
B. Implementing data labeling
C. Proper system ownership
D. Using security baselines

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 30). Wiley. Kindle Edition.

Answer

A

D. Using security baselines

Explanation:
The CIS benchmarks are an example of a security baseline. A risk assessment would help identify which controls were needed, and proper system ownership is an important part of making sure baselines are implemented and maintained. Data labeling can help ensure that controls are applied to the right systems and data.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 324). Wiley. Kindle Edition.

Question 24

Q

Adjusting the CIS benchmarks to your organization’s mission and your specific IT systems would involve what two processes?

A. Scoping and selection
B. Scoping and tailoring
C. Baselining and tailoring
D. Tailoring and selection

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 30). Wiley. Kindle Edition.

Answer

A

B. Scoping and tailoring

Explanation:
Scoping involves selecting only the controls that are appropriate for your IT systems, while tailoring matches your organization’s mission and the controls from a selected baseline. Baselining is the process of configuring a system or software to match a baseline or building a baseline itself. Selection isn’t a technical term used for any of these processes.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 324). Wiley. Kindle Edition.

Question 25

Q

How should you determine which controls from the baseline should be applied to a given system or software package?

A. Consult the custodians of the data.
B. Select based on the data classification of the data it stores or handles.
C. Apply the same controls to all systems.
D. Consult the business owner of the process the system or data supports.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 30). Wiley. Kindle Edition.

Answer

A

B. Select based on the data classification of the data it stores or handles.

Explanation:
The controls implemented from a security baseline should match the data classification of the data used or stored on the system. Custodians are trusted to ensure the day-to-day security of the data and should do so by ensuring that the baseline is met and maintained. Business owners often have a conflict of interest between functionality and data security, and of course, applying the same controls everywhere is expensive and may not meet business needs or be a responsible use of resources.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 324). Wiley. Kindle Edition.

Question 26

Q

The company that Henry works for operates in the EU and collects data about their customers. They send that data to a third party to analyze and provide reports to help the company make better business decisions. What term best describes the third-party analysis company?

A. The data controller
B. The data owner
C. The data subject
D. The data processor

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 30). Wiley. Kindle Edition.

Answer

A

D. The data processor

Explanation:
The third-party company is a data processor—they process data on behalf of Henry’s company, which is a data controller. The data is collected about data subjects. Data owners are tasked with making decisions about data, such as who receives access to it and how it is used.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 324). Wiley. Kindle Edition.

Question 27

Q

The government defense contractor that Selah works for has recently shut down a major research project and is planning on reusing the hundreds of thousands of dollars of systems and data storage tapes used for the project for other purposes. When Selah reviews the company’s internal processes, she finds that she can’t reuse the tapes and that the manual says they should be destroyed. Why isn’t Selah allowed to degauss and then reuse the tapes to save her employer money?

A. Data permanence may be an issue.
B. Data remanence is a concern.
C. The tapes may suffer from bitrot.
D. Data from tapes can’t be erased by degaussing.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 31). Wiley. Kindle Edition.

Answer

A

B. Data remanence is a concern.

Explanation:
Many organizations require the destruction of media that contains data at higher levels of classification. Often the cost of the media is lower than the potential costs of data exposure, and it is difficult to guarantee that reused media doesn’t contain remnant data. Tapes can be erased by degaussing, but degaussing is not always fully effective. Bitrot describes the slow loss of data on aging media, while data permanence is a term sometimes used to describe the life span of data and media.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 324). Wiley. Kindle Edition.

Question 28

Q

Information maintained about an individual that can be used to distinguish or trace their identity is known as what type of information?

A. Personally identifiable information (PII)
B. Personal health information (PHI)
C. Social Security number (SSN)
D. Secure identity information (SII)

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 31). Wiley. Kindle Edition.

Answer

A

A. Personally identifiable information (PII) |

Explanation:
NIST Special Publication 800-122 defines PII as any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, biometric records, and other information that is linked or linkable to an individual such as medical, educational, financial, and employment information. PHI is health-related information about a specific person, Social Security numbers are issued to individuals in the United States, and SII is a made-up term.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 325). Wiley. Kindle Edition.

Question 29

Q

Which of the following information security risks to data at rest would result in the greatest reputational impact on an organization?

A. Improper classification
B. Data breach
C. Decryption
D. An intentional insider threat

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 31). Wiley. Kindle Edition.

Answer

A

B. Data breach

Explanation:
Typically, data breaches cause the greatest reputational damage as a result of threats to data at rest. Data at rest with a high level of sensitivity is often encrypted to help prevent this. Decryption is not as significant of a threat if strong encryption is used and encryption keys are well secured. Insider threats are a risk, but the majority of insider threat issues are unintentional rather than intentional, making this risk less likely in most organizations.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 325). Wiley. Kindle Edition.

Question 30

Q

Full disk encryption like Microsoft’s BitLocker is used to protect data in what state?

A. Data in transit
B. Data at rest
C. Unlabeled data
D. Labeled data

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 31). Wiley. Kindle Edition.

Answer

A

B. Data at rest

Explanation:
Full disk encryption only protects data at rest. Since it encrypts the full disk, it does not distinguish between labeled and unlabeled data.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 325). Wiley. Kindle Edition.

Question 31

Q

The company that Katie works for provides its staff with mobile phones for employee use, with new phones issued every two years. What scenario best describes this type of practice when the phones themselves are still usable and receiving operating system updates?

A. EOL
B. Planned obsolescence
C. EOS
D. Device risk management

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 31). Wiley. Kindle Edition.

Answer

A

C. EOS

Explanation:
C. This is an example of an end-of-support (EOS) scenario. The company is intentionally ending support and needs to address what happens to the devices next—secure disposal, destruction, or re-sale—depending on data security requirements and policies set by the company. EOL is when a device or software is no longer made or supported, in contrast to end of support, which may be when it is no longer serviced, including via patches, upgrades, or organizational maintenance. Planned obsolescence and device risk management are not terms that are used on the exam.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 325). Wiley. Kindle Edition.

Question 32

Q

What is the primary purpose of data classification?

A. It quantifies the cost of a data breach.
B. It prioritizes IT expenditures.
C. It allows compliance with breach notification laws.
D. It identifies the value of the data to the organization.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 31). Wiley. Kindle Edition.

Answer

A

D. It identifies the value of the data to the organization.

Explanation:
Classification identifies the value of data to an organization. This can often help drive IT expenditure prioritization and could help with rough cost estimates if a breach occurred, but that’s not the primary purpose. Finally, most breach laws call out specific data types for notification rather than requiring organizations to classify data themselves.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 325). Wiley. Kindle Edition.

Question 33

Q

Fred’s organization allows downgrading of systems for reuse after projects have been finished and the systems have been purged. What concern should Fred raise about the reuse of the systems from his Top Secret classified project for a future project classified as Secret?

A. The Top Secret data may be commingled with the Secret data, resulting in a need to relabel the system.
B. The cost of the sanitization process may exceed the cost of new equipment.
C. The data may be exposed as part of the sanitization process.
D. The organization’s DLP system may flag the new system due to the difference in data labels.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 32). Wiley. Kindle Edition.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 31-32). Wiley. Kindle Edition.

Answer

A

B. The cost of the sanitization process may exceed the cost of new equipment.

Explanation:
Downgrading systems and media is rare due to the difficulty of ensuring that sanitization is complete. The need to completely wipe (or destroy) the media that systems use means that the cost of reuse is often significant and may exceed the cost of purchasing a new system or media. The goal of purging is to ensure that no data remains, so commingling data should not be a concern, nor should the exposure of the data; only staff with the proper clearance should handle the systems! Finally, a DLP system should flag data based on labels, not on the system it comes from.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 325). Wiley. Kindle Edition.

Question 34

Q

Which of the following concerns should not be part of the decision when classifying data?

A. The cost to classify the data
B. The sensitivity of the data
C. The amount of harm that exposure of the data could cause
D. The value of the data to the organization

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 32). Wiley. Kindle Edition.

Answer

A

A. The cost to classify the data

Explanation:
A. Classification should be conducted based on the value of the data to the organization, its sensitivity, and the amount of harm that could result from exposure of the data. Cost should be considered when implementing controls and is weighed against the damage that exposure would create.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 325). Wiley. Kindle Edition.

Question 35

Q

Which of the following is the least effective method of removing data from media?

A. Degaussing
B. Purging
C. Erasing
D. Clearing

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 32). Wiley. Kindle Edition.

Answer

A

C. Erasing

Explanation:
Erasing, which describes a typical deletion process in many operating systems, typically removes only the link to the file and leaves the data that makes up the file itself. The data will remain in place but not indexed until the space is needed and it is overwritten. Degaussing works only on magnetic media, but it can be quite effective on it. Purging and clearing both describe more elaborate removal processes.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 325). Wiley. Kindle Edition.

Question 36

Q

For questions 36–38, please refer to the following scenario:

The healthcare company that Amanda works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit.

Classification Handling Requirements Confidential (HIPAA)
Encrypt at rest and in transit.
Full disk encryption is required for all workstations.
Files can only be sent in encrypted form, and passwords must be transferred under separate cover.
Printed documents must be labeled with “HIPAA handling required.”

Private (PHI) Encrypt at rest and in transit.
PHI must be stored on secure servers, and copies should not be kept on local workstations. Printed documents must be labeled with “Private.” Sensitive (business confidential) Encryption is recommended but not required. Public Information can be sent unencrypted.

What encryption technology would be appropriate for HIPAA documents in transit?

A. BitLocker
B. DES
C. TLS
D. SSL

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 33). Wiley. Kindle Edition.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 32). Wiley. Kindle Edition.

Answer

A

C. TLS

Explanation:
TLS is a modern encryption method used to encrypt and protect data in transit. BitLocker is a full disk encryption technology used for data at rest. DES and SSL are both outdated encryption methods and should not be used for data that requires high levels of security.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 325). Wiley. Kindle Edition.

Question 37

Q

Amanda’s employer asks Amanda to classify patient X-ray data that has an internal patient identifier associated with it but does not have any way to directly identify a patient. The company’s data owner believes that exposure of the data could cause damage (but not exceptional damage) to the organization. How should Amanda classify the data?

A. Public
B. Sensitive
C. Private
D. Confidential

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 33). Wiley. Kindle Edition.

Answer

A

C. Private

Explanation:
C. We know that the data classification will not be the top-level classification of Confidential because the loss of the data would not cause severe damage. This means we have to choose between private (PHI) and sensitive (confidential). Calling this private due to the patient’s personal health information fits the classification scheme, giving us the correct answer.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 325-326). Wiley. Kindle Edition.

Question 38

Q

What technology could Amanda’s employer implement to help prevent confidential data from being emailed out of the organization?

A. DLP
B. IDS
C. A firewall
D. UDP

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 33). Wiley. Kindle Edition.

Answer

A

A. DLP

Explanation:
A data loss prevention (DLP) system or software is designed to identify labeled data or data that fits specific patterns and descriptions to help prevent it from leaving the organization. An IDS is designed to identify intrusions.
Although some IDS systems can detect specific types of sensitive data using pattern matching, they have no ability to stop traffic. A firewall uses rules to control traffic routing, while UDP is a network protocol.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 326). Wiley. Kindle Edition.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 326). Wiley. Kindle Edition.

Question 39

Q

Jacob’s organization uses the US government’s data classification system, which includes Top Secret, Secret, Confidential, and Unclassified ratings (from most sensitive to least). Jacob encounters a system that contains Secret, Confidential, and Top Secret data. How should it be classified?

A. Top Secret
B. Confidential
C. Secret
D. Mixed classification

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 33). Wiley. Kindle Edition.

Answer

A

A. Top Secret

Explanation:
When data is stored in a mixed classification environment, it is typically classified based on the highest classification of data included. In this case, the US government’s highest classification is Top Secret. Mixed classification is not a valid classification in this scheme.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 326). Wiley. Kindle Edition.

Question 40

Q

Elle is planning her organization’s asset retention efforts and wants to establish when the company will remove assets from use. Which of the following is typically the last event in a manufacturer or software provider’s lifecycle?

A. End of life
B. End of support
C. End of sales
D. General availability

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 33). Wiley. Kindle Edition.

Answer

A

B. End of support

Explanation:
The end of support of a device or product typically occurs after the end of life and end of sales. Support may continue for a period of months or even years, but eventually support stops too. General availability is found during the main part of a lifecycle, rather than at the end, and helps note when the product is out of testing and can be acquired or used by customers or others instead of specific groups like beta testers or early release partners.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 326). Wiley. Kindle Edition.

Question 41

Q

Amanda has been asked to ensure that her organization’s controls assessment procedures match the specific systems that the company uses. What activity best matches this task?

A. Asset management
B. Compliance
C. Scoping
D. Tailoring

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 34). Wiley. Kindle Edition.

Answer

A

D. Tailoring

Explanation:
Tailoring ensures that assessment methods are appropriate to the systems, services, and other assets that are being validated and is the best answer here. Scoping is a related term and involves setting the boundaries of security control implementations. Asset management involves how assets are overseen throughout their lifecycle, and compliance is a broad term that describes ensuring that regulations, contractual terms, or other requirements are met.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 326). Wiley. Kindle Edition.

Question 42

Q

Chris is responsible for his organization’s security standards and has guided the selection and implementation of a security baseline for Windows PCs in his organization. How can Chris most effectively make sure that the workstations he is responsible for are being checked for compliance and that settings are being applied as necessary?

A. Assign users to spot-check baseline compliance.
B. Use Microsoft Group Policy.
C. Create startup scripts to apply policy at system start.
D. Periodically review the baselines with the data owner and system owners.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 34). Wiley. Kindle Edition.

Answer

A

B. Use Microsoft Group Policy.

Explanation:
Group Policy provides the ability to monitor and apply settings in a security baseline. Manual checks by users and using startup scripts provide fewer reviews and may be prone to failure, while periodic review of the baseline won’t result in compliance being checked.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 326). Wiley. Kindle Edition.

Question 43

Q

Frank is reviewing his company’s data lifecycle and wants to place appropriate controls around the data collection phase. Which of the following ensures that data subjects agree to the processing of their data?

A. Retention
B. Consent
C. Certification
D. Remanence

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 34). Wiley. Kindle Edition.

Answer

A

B. Consent

Explanation:
Providing consent, or agreeing to data collection and use, is important in many data collection scenarios and may be required by law. Remanence occurs when data remains in place, sometimes inadvertently, after it should have been removed or disposed of. Retention is the intentional process of keeping and managing data. Certification is not a data lifecycle process element.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 326). Wiley. Kindle Edition.

Question 44

Q

As a DBA, Amy’s data role in her organization includes technical implementations of the data policies and standards, as well as managing the data structures that the data is stored in. What data role best fits what Amy does?

A. Data custodian
B. Data owner
C. Data processor
D. Data user

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 34). Wiley. Kindle Edition.

Answer

A

A. Data custodian

Explanation:
A. Amy is a data custodian and is responsible for the technical environment, including things like database structures and the technical implementations of data policies. Some organizations may overlap other data roles, including data controllers or data stewards, but the best answer here is a data custodian. Amy is not a data user and is not a data processor who uses the data on behalf of a data controller.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 326). Wiley. Kindle Edition.

Question 45

Q

The company Jim works for suffered from a major data breach in the past year and now wants to ensure that it knows where data is located and if it is being transferred, is being copied to a thumb drive, or is in a network file share where it should not be. Which of the following solutions is best suited to tagging, monitoring, and limiting where files are transferred to?

A. DRM
B. DLP
C. A network IPS
D. Antivirus

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 34). Wiley. Kindle Edition.

Answer

A

B. DLP

Explanation:
A data loss prevention (DLP) system can tag, monitor, and limit where files are transferred to. Jim’s company may also elect to use digital rights management tools in combination with a data loss prevention system, but DRM controls how data can be used, not where files are transferred to or where they exist at any point in time in most cases. An intrusion prevention system (IPS) may be able to detect files that are being sent across a network but won’t stop files from being copied on workstations or thumb drives. Antivirus is not designed for this purpose.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 326). Wiley. Kindle Edition.

Question 46

Q

What security measure can provide an additional security control in the event that backup tapes are stolen or lost?

A. Keep multiple copies of the tapes.
B. Replace tape media with hard drives.
C. Use appropriate security labels.
D. Use AES-256 encryption.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 35). Wiley. Kindle Edition.

Answer

A

D. Use AES-256 encryption.

Explanation:
Using strong encryption, like AES-256, can help ensure that loss of removable media like tapes doesn’t result in a data breach. Security labels may help with handling processes, but they won’t help once the media is stolen or lost. Having multiple copies will ensure that you can still access the data but won’t increase the security of the media. Finally, using hard drives instead of tape only changes the media type and not the risk from theft or loss.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 327). Wiley. Kindle Edition.

Question 47

Q

Joe works at a major pharmaceutical research and development company and has been tasked with writing his organization’s data retention policy. As part of its legal requirements, the organization must comply with the US Food and Drug Administration’s Code of Federal Regulations Title 21. To do so, it is required to retain records with electronic signatures. Why would a signature be part of a retention requirement?

A. It ensures that someone has reviewed the data.
B. It provides confidentiality.
C. It ensures that the data has been changed.
D. It validates who approved the data.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 35). Wiley. Kindle Edition.

Answer

A

D. It validates who approved the data.

Explanation:
Electronic signatures, as used in this rule, prove that the signature was provided by the intended signer. Electronic signatures as part of the FDA code are intended to ensure that electronic records are “trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.” Signatures cannot provide confidentiality or integrity and don’t ensure that someone has reviewed the data.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 327). Wiley. Kindle Edition.

Question 48

Q

Susan wants to manage her data’s lifecycle based on retention rules. What technique can she use to ensure that data that has reached the end of its lifecycle can be identified and disposed of based on her organization’s disposal processes?

A. Rotation
B. DRM
C. DLP
D. Tagging

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 35). Wiley. Kindle Edition.

Answer

A

D. Tagging

Explanation:
Tags that include information about the life span of the data and when it has expired can help with lifecycle management processes. Tags can be as simple as timestamps, or they can include additional metadata like the data type, creator, or purpose that can help inform the retention and disposal process. Rotation of files like logs is commonly done to limit how much space they take up, but rotation itself does not address disposal requirements and information that would guide the disposal process. DRM, or digital rights management, and DLP, or data loss prevention, both address data security and use but not disposal.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 327). Wiley. Kindle Edition.

Question 49

Q

Ben has been asked to scrub data to remove data that is no longer needed by his organization. What phase of the data lifecycle is Ben most likely operating in?

A. Data retention
B. Data maintenance
C. Data remanence
D. Data collection

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 35). Wiley. Kindle Edition.

Answer

A

B. Data maintenance

Explanation:
During the data maintenance phase of a typical data lifecycle, activities like data scrubbing occur to remove unneeded, incorrect, or out-of-date data. Data retention is not a phase; instead, it is a decision that organizations make based on requirements, laws, or their own needs. Data remanence is also not a phase. Data remanence describes the problem of data that remains after data is removed. Finally, in the data collection phase, data is acquired and may be scrubbed, but the question describes a process occurring after data is no longer needed, not during acquisition.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 327). Wiley. Kindle Edition.

Question 50

Q

Steve is concerned about the fact that employees leaving his organization were often privy to proprietary information. Which one of the following controls is most effective against this threat?

A. Sanitization
B. NDAs
C. Clearing
D. Encryption

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 35). Wiley. Kindle Edition.

Answer

A

B. NDAs

Explanation:
Nondisclosure agreements (NDAs) are used to enforce confidentiality agreements with employees and may remain in effect even after an employee leaves the organization. Other controls, such as sanitization, clearing, and encryption, would not be effective against information in an employee's memory.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 327). Wiley. Kindle Edition.

Question 51

Q

Alex works for a government agency that is required to meet US federal government requirements for data security. To meet these requirements, Alex has been tasked with making sure data is identifiable by its classification level when it is created. What should Alex do to the data?

A. Classify the data.
B. Encrypt the data.
C. Label the data.
D. Apply DRM to the data.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 36). Wiley. Kindle Edition.

Answer

A

C. Label the data.

Explanation:
Data labels are crucial to identify the classification level of information contained on the media, and labeling data at creation helps to ensure that it is properly handled throughout its lifecycle. Digital rights management (DRM) tools provide ways to control how data is used, while encrypting it can help maintain the confidentiality and integrity of the data. Classifying the data is necessary to label it, but it doesn’t automatically place a label on the data.

Question 52

Q

Ben is following the National Institute of Standards and Technology (NIST) Special Publication 800-88 guidelines for sanitization and disposition as shown here. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow? Source: NIST SP 800-88.

A. Destroy, validate, document
B. Clear, purge, document
C. Purge, document, validate
D. Purge, validate, document

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 37). Wiley. Kindle Edition.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 36-37). Wiley. Kindle Edition.

Answer

A

D. Purge, validate, document

Explanation:
The NIST SP 800-88 process for sanitization and disposition shows that media that will be reused and was classified at a moderate level should be purged and then that purge should be validated. Finally, it should be documented.

Question 53

Q

What methods are often used to protect data in transit?

A. Telnet, ISDN, UDP
B. BitLocker, FileVault
C. AES, Serpent, IDEA
D. TLS, VPN, IPsec

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 37). Wiley. Kindle Edition.

Answer

A

D. TLS, VPN, IPsec

Explanation:
Data in transit is data that is traversing a network or is otherwise in motion. TLS, VPNs, and IPsec tunnels are all techniques used to protect data in transit. AES, Serpent, and IDEA are all symmetric algorithms, while Telnet, ISDN, and UDP are all protocols. BitLocker and FileVault are both used to encrypt data, but they protect only stored data, not data in transit.

Question 54

Q

Which one of the following data roles bears ultimate organizational responsibility for data?

A. System owners
B. Business owners
C. Data owners
D. Mission owners

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 37). Wiley. Kindle Edition.

Answer

A

C. Data owners

Explanation:
The data owner has ultimate responsibility for data belonging to an organization and is typically the CEO, president, or another senior employee. Business and mission owners typically own processes or programs. System owners own a system that processes sensitive data.

Question 55

Q

Shandra wants to secure an encryption key. Which location would be the most difficult to protect, if the key was kept and used in that location?

A. On a local network
B. On disk
C. In memory
D. On a public network

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 37). Wiley. Kindle Edition.

Answer

A

C. In memory

Explanation:
The most difficult location to secure for encryption keys and similar highly sensitive information is in active memory because the data needs to be decrypted to be used. When data is at rest on a drive or in transit via either a local or public network, it can be encrypted until it reaches its destination, and you can use strong encryption in each of those circumstances.

Question 56

Q

For questions 56–58, please refer to the following scenario: Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process:

Criteria are set for classifying data.
Data owners are established for each type of data.
Data is classified.
Required controls are selected for each classification.
Baseline security standards are selected for the organization.
Controls are scoped and tailored.
Controls are applied and enforced.
Access is granted and managed.

If Chris is one of the data owners for the organization, what steps in this process is he most likely responsible for?

A. He is responsible for steps 3, 4, and 5.
B. He is responsible for steps 1, 2, and 3.
C. He is responsible for steps 5, 6, and 7.
D. All of the steps are his direct responsibility.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 38). Wiley. Kindle Edition.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 37). Wiley. Kindle Edition.

Answer

A

A. He is responsible for steps 3, 4, and 5.

Explanation:
A. Chris is most likely to be responsible for classifying the data that he owns as well as assisting with or advising the system owners on security requirements and control selection. In an organization with multiple data owners, Chris is unlikely to set criteria for classifying data on his own. As a data owner, Chris will also not typically have direct responsibility for scoping, tailoring, applying, or enforcing those controls.

Question 57

Q

Chris manages a team of system administrators. What data role are they fulfilling if they conduct steps 6, 7, and 8 of the classification process?

A. They are system owners and administrators.
B. They are administrators and custodians.
C. They are data owners and administrators.
D. They are custodians and users.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 38). Wiley. Kindle Edition.

Answer

A

B. They are administrators and custodians.

Explanation:
The system administrators are acting in the roles of data administrators who grant access and will also act as custodians who are tasked with the day-to-day application of security controls. They are not acting as data owners who own the data itself. Typically, system administrators are delegated authority by system owners, such as a department head, and of course they are tasked with providing access to users.

Question 58

Q

If Chris’s company operates in the European Union and has been contracted to handle the data for a third party, what role is his company operating in when it uses this process to classify and handle data?

A. Business owners
B. Mission owners
C. Data processors
D. Data administrators

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 38). Wiley. Kindle Edition.

Answer

A

C. Data processors

Explanation:
C. Third-party organizations that process personal data on behalf of a data controller are known as data processors. The organization that they are contracting with would act in the role of the business or mission owners, and others within Chris’s organization would have the role of data administrators, granting access as needed to the data based on their operational procedures and data classification.

Question 59

Q

Chris needs to identify all of the active systems and devices on the network. Which of the following techniques will give him the most complete list of connected devices?

A. Query Active Directory for a list of all computer objects.
B. Perform a port scan of all systems on the network.
C. Ask all staff members to fill out a form listing all of their systems and devices.
D. Use network logs to identify all connected devices and track them down from there.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 38). Wiley. Kindle Edition.

Answer

A

D. Use network logs to identify all connected devices and track them down from there.

Explanation:
While it can be a lot of work, the most complete inventory of active systems and devices can be created by determining what is connected to the network and then finding those assets. Port scans can help to find some systems, but firewalls and other security solutions can prevent systems from being discovered. Staff may not know about all of the systems and devices on the network or may presume that someone else will provide information about shared resources such as printers, security cameras, or other devices. Active Directory is unlikely to contain all devices, particularly if an inventory is needed!

Question 60

Q

Chris knows that his inventory is only accurate at the moment it was completed. How can he best ensure that it remains up-to-date?

A. Perform a point-in-time query of network connected devices and update the list based on what is found.
B. Ensure that procurement and acquisition processes add new devices to the inventory before they are deployed.
C. Require every employee to provide an updated inventory of devices they are responsible for on a quarterly basis.
D. Manually verify every device in service at each organizational location on a yearly basis.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 38). Wiley. Kindle Edition.

Answer

A

B. Ensure that procurement and acquisition processes add new devices to the inventory before they are deployed.

Explanation:
In most organizations, changing processes so that new systems and devices are added to inventory before they are deployed is the first step in making sure asset inventories are current. Yearly or quarterly updates are too infrequent for most organizations and will lead to gaps as devices are forgotten

Question 61

Q

Chris knows that his organization has more than just physical assets. In fact, his organization’s business involves significant intellectual property assets, including designs and formulas. Chris needs to track and inventory those assets as well. How can he most effectively ensure that he can identify and manage data throughout his organization based on its classification or type?

A. Track file extensions for common data types.
B. Ensure that data is collected in specific network share locations based on the data type and group that works with it.
C. Use metadata tagging based on data type or security level.
D. Automatically tag data by file extension type.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 39). Wiley. Kindle Edition.

Answer

A

C. Use metadata tagging based on data type or security level.

Explanation:
Chris should use metadata tagging to allow him to use technical tools like DLP and DRM to handle and track data based on its type and content. File extensions do not reveal data security or type, and relying on network share locations to secure data or inventory will lead to gaps in security as files are moved, copied, or stored locally

Question 62

Q

Chris has been tasked with identifying intangible assets but needs to provide his team with a list of the assets they will be inventorying. Which of the following is not an example of an intangible asset?

A. Patents
B. Databases
C. Formulas
D. Employees

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 39). Wiley. Kindle Edition.

Answer

A

D. Employees

Explanation:
Patents, databases, and formulas are all examples of intangible assets. Tangible assets include things like hardware, cables, and buildings. Personnel assets include employees, and most organizations would be quite concerned if their employees were intangible!

Question 63

Q

Which of the following is not a common requirement for the collection of data under data privacy laws and statutes?

A. Only data that is needed is collected.
B. Data should be obtained lawfully and via fair methods.
C. Data should only be collected with the consent of the individual whose data is being collected.
D. Data should be collected from all individuals equally.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 39). Wiley. Kindle Edition.

Answer

A

D. Data should be collected from all individuals equally.

Explanation:
There is no requirement that data collection be equal or equivalent. Instead, data collection statutes and other requirements often require that only required data is collected, that individuals are made aware of the data collection, and that they consent to the collection. Similarly, data should only be collected lawfully and via fair methods.

Question 64

Q

Susan works in an organization that labels all removable media with the classification level of the data it contains, including public data. Why would Susan’s employer label all media instead of labeling only the media that contains data that could cause harm if it was exposed?

A. It is cheaper to order all prelabeled media.
B. It prevents sensitive media from not being marked by mistake.
C. It prevents reuse of public media for sensitive data.
D. Labeling all media is required by HIPAA.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 39). Wiley. Kindle Edition.

Answer

A

B. It prevents sensitive media from not being marked by mistake.

Explanation:
Requiring all media to have a label means that when unlabeled media is found, it should immediately be considered suspicious.
This helps to prevent mistakes that might leave sensitive data unlabeled. Prelabeled media is not necessarily cheaper (nor may it make sense to buy!), while reusing public media simply means that it must be classified based on the data it now contains. HIPAA does not have specific media labeling requirements.

Answer 65

A

B. Data in use

Explanation:
Data in use is data that is in a temporary storage location while an application or process is using it. Thus, data in memory is best described as data in use or ephemeral data. Data at rest is in storage, while data

Answer 66

A

C. Data remanence

Explanation:
Validation processes are conducted to ensure that the sanitization process was completed, avoiding data remanence. A form like this one helps to ensure that each device has been checked and that it was properly wiped, purged, or sanitized. This can allow reuse, does not prevent destruction, and does not help with attribution, which is a concept used with encryption to prove who created or sent a file

Answer 67

A

C. It is more expensive than new media and may still fail.

Explanation:
Ensuring that data cannot be recovered is difficult, and the time and effort required to securely and completely wipe media as part of declassification can exceed the cost of new media. Sanitization, purging, and clearing may be part of declassification, but they are not reasons that it is not frequently chosen as an option for organizations with data security concerns.

Answer 68

A

D. Destruction

Explanation:
Destruction is the final stage in the lifecycle of media and can be done via disintegration, incineration, or a variety of other methods that result in the media and data being nonrecoverable. Sanitization is a combination of processes used when data is being removed from a system or media.
Purging is an intense form of clearing, and degaussing uses strong magnetic fields to wipe data from magnetic media

Answer 69

A

A. PHI

Explanation:
PHI is protected health information. Personally identifiable information (PII) is any information that can identify an individual. Proprietary data is information that helps organizations maintain a competitive edge or that they want to keep to their own organization or a controlled set of individuals. PID is not a term used for data classification.

Answer 70

A

D. To indicate the classification level of the data or system

Explanation:
Handling requirements and tools include visual indicators like a distinctive screen background and can help employees remember what level of classification they are dealing with and thus the handling requirements that they are expected to follow

Answer 71

A

C. Follow the organization’s purging process, and then downgrade and replace labels.

Explanation:
If an organization allows media to be downgraded, the purging process should be followed, and then the media should be relabeled. Degaussing may be used for magnetic media but won’t handle all types of media. Pulverizing would destroy the media, preventing reuse, while relabeling first could lead to mistakes that result in media that hasn’t been purged entering use

Answer 72

A

B. Establishes rules for appropriate use and protection of data

Explanation:
The data owner sets the rules for use and protection of data. The remaining options all describe tasks for the system owner, including implementation of security controls.

Answer 73

A

B. Categorizing and selecting controls

Explanation:
In the NIST SP 800-60 diagram, the process determines appropriate categorization levels resulting in security categorization and then uses that as an input to determine controls. Standard selection would occur at an organizational level, while baselining occurs when systems are configured to meet a baseline. Sanitization would require the intentional removal of data from machines or media.

Answer 74

A

C. A and E

Explanation:
A and E can both be expected to have data at rest. C, the internet, is an unknown, and the data can’t be guaranteed to be at rest. B, D, and F are all data in transit across network links.

Answer 75

A

C. TLS

Explanation:
B, D, and F all show network links. Of the answers provided, Transport Layer Security (TLS) provides the best security for data in motion.
AES-256 and 3DES are both symmetric ciphers and are more likely to be used for data at rest. SSL has been replaced with TLS and should not be a preferred solution.

Answer 76

A

B. Encrypt the data files and send them.

Explanation:
Sending a file that is encrypted before it leaves means that exposure of the file in transit will not result in a confidentiality breach and the file will remain secure until decrypted at location E.

Since answers A, C and D do not provide any information about what happens at point C, they should be considered insecure, as the file may be at rest at point C in an unencrypted form

Answer 77

A

C. Sensitive email should be encrypted and labeled.

Explanation:
Encrypting and labeling sensitive email will ensure that it remains confidential and can be identified.
Performing these actions only on sensitive email will reduce the cost and effort of encrypting all email, allowing only sensitive email to be the focus of the organizations efforts.

Only encrypting highly sensitive email not only skips labeling but might expose other classifications of email that shouldnt be exposed.

Answer 78

A

C. By reducing the amount of data that may need to be produced for lawsuits

Explanation:
Data retention policies can reduce the amount of old logs and other files that may be produced during a legal case.

That can reduce organizational risk, but retention policies need to be in place well before a legal gold is filed.

Reducing storage in use does not reduce liability, but it can reduce financial costs, and data retention policies dont tend to limit the number of classifications in use.

Legal penalties are not impacted by a retention policy

Answer 79

A

C. Data processor

Explanation:
Systems used to process data are data processors. Data owners are typically CEOs or other very senior staff, custodians are granted rights to perform day-to-day tasks when handling data, and mission owners are typically program or information system owners.

Answer 80

A

D. ZIP code

Explanation:
Personally identifiable information includes any information that can uniquely identify an individual. This would include name, Social Security number, and any other unique identifier (including a student ID number). ZIP code, by itself, does not uniquely identify an individual.

Answer 81

A

B. PHI

Explanation:
Protected health information, or PHI, includes a variety of data in multiple formats, including oral and recorded data, such as that created or received by healthcare providers, employers, and life insurance providers. PHI must be protected by HIPAA. PII is personally identifiable information. SHI and HPHI are both made-up acronyms.

Answer 82

A

B. Tokenization

Explanation:
Tokenization replaces other data with a random string of characters. These tokens are then matched to the actual values for secure lookups as needed. Anonymization removes all personally identifiable data to ensure that the original subject cannot be identified. Data masking obscures some, but not all, data. Pseudonymization uses a pseudonym or alias to replace other information.

Answer 83

A

B. PCI-DSS

Explanation:
The Payment Card Industry Data Security Standard, or PCI-DSS, is a credit card industry data security standard that defines how businesses must handle information related to credit cards. CC-Comply was made up for this question. GLBA, or Gramm-Leach-Bliley, modernized financial institution standards, and GDPR is an EU data privacy regulation.

Answer 84

A

C. Disintegration

Explanation:
Due to problems with remnant data, the U.S. National Security Agency requires physical destruction of SSDs. This process, known as disintegration, results in very small fragments via a shredding process. Zero fill wipes a drive by replacing data with zeros, degaussing uses magnets to wipe magnetic media, and clearing is the process of preparing media for reuse.

Answer 85

A

A. Data owners, system owners, custodians

Explanation:
A. The data owner bears responsibility for categorizing information systems and delegates selection of controls to system owners, while custodians implement the controls. Users don’t perform any of these actions, while business owners are tasked with ensuring that systems are fulfilling their business purpose.

Answer 86

A

B. Step 2

Explanation:
PCI DSS provides a set of required security controls and standards. Step 2 would be guided by the requirements of PCI DSS. PCI DSS will not greatly influence step1 because all of the systems handle credit card information, making PCI DSS apply to all systems covered. Steps 3 and 4 will be conducted after PCI DSS has guided the decisions in step 2.

Answer 87

A

C. Custodians

Explanation:
Custodians are tasked with the day-to-day monitoring of the integrity and security of data. Step 5 requires monitoring, which is a custodial task. A data owner may grant rights to custodians but will not be responsible for conducting monitoring. Data processors process data on behalf of the data controller, and a user simply uses the data via a computing system.

Answer 88

A

B. Mishandling of drives by the third party

Explanation:
B. Susan’s organization is limiting its risk by sending drives that have been sanitized before they are destroyed. This limits the possibility of a data breach if drives are mishandled by the third party, allowing them to be stolen, resold, or simply copied. The destruction of the drives will handle any issues with data remanence, while classification mistakes are not important if the drives have been destroyed. Wiping the data before destruction does not make a meaningful difference for data retention policy concerns. Data permanence and the life span of the data are not important on a destroyed drive.

Answer 89

A

C. RFID tags

Explanation:
RFID tags are a common solution for tracking hardware assets and equipment. They can be queried wirelessly at varying ranges depending on the tags and may be built-in to hand-held readers or even included in doorways or arches to track items as they enter or leave a facility. Visual inventory relies on staff checking items, MAC addresses are hardware addresses for networked devices and not every asset in inventory is likely to have a wireless network capability—or to be on! Steganography is hiding messages in images and doesn’t help at all with inventory.

Answer 90

A

D. Record retention

Explanation:
Record retention is the process of retaining and maintaining information for as long as it is needed. A data storage policy describes how and why data is stored, while data storage is the process of actually keeping the data. Asset maintenance is a noninformation-security-related process for maintaining physical assets.

Answer 91

A

C. How much the data cost to create

Explanation:
The cost of the data is not directly included in the classification process. Instead, the impact to the organization if the data were exposed or breached is considered. Who can access the data and what regulatory or compliance requirements cover the data are also important considerations.

Answer 92

A

B. Symmetric encryption

Explanation:
Symmetric encryption like AES is typically used for data at rest. Asymmetric encryption is often used during transactions or communications when the ability to have public and private keys is necessary. DES is an outdated encryption standard, and OTP is the acronym for onetime password.

Answer 93

A

D. Administrators

Explanation:
Administrators have the rights to apply the permissions to access and handle data. Custodians are trusted with day-to-day data handling tasks. Business owners are typically system or project owners, and data processors are systems used to process data.

Answer 94

A

A. It identifies the individual(s) responsible for protecting the asset.

Explanation:
Knowing the asset’s owner also tells you who is responsible for protecting the asset or for delegating that task. While asset owners may be law enforcement contacts, this is not a critical item for asset security. It does not directly help you to establish the value of the asset or to set security classification levels for an asset.

Answer 95

A

A. Ensure that the tapes are handled the same way the original media would be handled based on their classification.

Explanation:
Tapes may be vulnerable to theft or loss in transit. That means that tapes that are leaving their normal storage facility should be handled according to the organization’s classification schemes and handling requirements. Purging the tapes would cause the loss of data, while increasing the classification level of the tapes. The tapes should be encrypted rather than decrypted.

Answer 96

A

A. Data on a backup tape that is being shipped to a storage facility

Explanation:
The correct answer is the tape that is being shipped to a storage facility. You might think that the tape in shipment is “in motion,” but the concept is that the data is not being accessed and is instead in storage rather than being sent across a network. Data in a TCP packet, in an e-commerce transaction, or in local RAM is in motion and is actively being used.

Answer 97

A

D. Review its data classifications and classify the data appropriately.

Explanation:
When the value of data changes due to legal, compliance, or business reasons, reviewing classifications and reclassifying the data is an appropriate response. Once the review is complete, data can be reclassified and handled according to its classification level. Simply relabeling the data avoids the classification process and may not result in the data being handled appropriately. Similarly, selecting a new baseline or simply encrypting the data may not handle all of the needs that the changes affecting the data create.

Answer 98

A

A. Data owners
B. Data controllers
C. Data custodians

Explanation:
Data owners, controllers, and custodians are typically found inside of a company, while data processors are typically third parties.

Answer 99

A

C. Public

Explanation:
Public data is just that—information that can be made public without any harm to the organization, and in fact, it is often information that the organization wants to make available. Private information should stay private inside of an organization, sensitive data may cause damage to the mission of the organization if exposed, and proprietary or confidential information is the most sensitive data that an organization wants to protect.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 332). Wiley. Kindle Edition.

Answer 100

A

The data elements match with the categories as follows: Data elements Medical records: B. PHI Trade secrets A. Proprietary data Social Security numbers: C. PII Driver’s license numbers: C. PII Medical records are an example of protected health information (PHI). Trade secrets are an example of proprietary data. Social Security numbers and driver’s license numbers are examples of PII; if they were used in a medical context, they may also be PHI, but this question does not ask you to consider them in that context.

Brainscape's Knowledge GenomeTM

CISSP Practice Test Chapter 2 Asset Security (Sybex) Flashcards

Brainscape's Knowledge Genome^TM