CISSP Q v1.4 -- Domain2: Asset Security Flashcards
Kevin uploads a configuration file to the company web server using FTPS. The company webserver receives the file and stores it on a hard drive that features full disk encryption (FDE). Which of the data states below is not being protected in this scenario?
A. Data in motion
B. Data in use
C. Data at rest
D. Data in transit
B. Data in use
FTP stands for File Transfer Protocol. FTPS is FTP run over SSL/TLS, so the transfer itself is encrypted and the data in motion (also called data in transit; options A and D describe the same state) is protected. SFTP or SCP over SSH would have been another secure option.
Full disk encryption protects the data at rest on the server's drive. Note that FDE defends against loss or theft of the drive; once the system is booted and the key is loaded, it does nothing against a compromise of the running server.
Nothing in the scenario says the data in use (the copy in RAM and the processor while the web server reads or applies the configuration file) is encrypted or otherwise protected. There is no specific reason to believe it is at risk, but based on the limited information given it is the one state that is not being protected.
At which point in the data lifecycle should an owner be assigned to the data?
A. When it needs to be shared
B. Before it is destroyed
C. At the moment it is created
D. At the time it is stored
C. At the moment it is created
The moment the data is created, it needs an owner!
Then, the owner should immediately classify it in accordance with company policy.
An admin reads about a new type of worm that can quickly spread between Windows servers without detection and believes their company’s servers could be at risk. They take this information to the Chief Information Security Officer (CISO) who documents all of the admin’s findings and concerns. What describes the phase of risk management that the CISO is currently performing?
A. Risk Response
B. Risk Identification
C. Risk Calculation
D. Risk Assessment
B. Risk Identification
The CISO is still gathering information about the nature of the threat. As such, they have NOT yet begun to Assess (D) the impact or likelihood of the issue nor have they made any decisions (A) about how to deal with the problem. Thus, they are still operating in the Identification phase.
You’ve been asked to determine the classification of several new company assets. Of the options below, what would be the most important to consider when determining the classification?
A. Business value
B. Total cost of ownership
C. Missing controls
D. Residual risk
A. Business value
Which of the following statements MOST accurately describes what a data classification policy should include?
A. Who has access to the data, how the data will be secured, where the data originated.
B. Who has access to the data, how the data will be secured, whether the data should be encrypted.
C. How to dispose of the data, whether the data should be encrypted, whether the data are of foreign origin.
D. How to secure the data, who can use the data, and what the fines are for misuse of the data.
B. Who has access to the data, how the data will be secured, whether the data should be encrypted.
Match the terms below with their proper definitions.
A. Classification
B. Categorization
C. Asset Management
D. CMDB
- Determining the impact of the loss of confidentiality, integrity, or availability of the information to an organization.
- Capturing the basics of what assets are on hand, where they reside, and who owns them.
- Helps ensure information is marked in such a way that only those with an appropriate level of clearance can have access to the information.
- A logical entity with key integration points that supports and enables processes in service delivery, service support, and other IT disciplines.
1: B. CATEGORIZATION
2: C. ASSET MGMT
3: A. CLASSIFICATION
4: D. CMDB
Protection and security of information is the responsibility of everyone within the company. Which of the following describes an individual or function that protects the information on behalf of the owner?
A. The Data Custodian
B. The Information Systems Auditor
C. The Help Desk Administrator
D. The Business Continuity Planner
A. The Data Custodian
Of the choices below, which are the three BEST mechanisms for maintaining confidentiality?
A. Data classification, encryption, and destruction.
B. Clustering, server backups, and purging.
C. Data classification, quality assurance, and degaussing.
D. Server backups, encryption, and training.
A. Data classification, encryption, and destruction.
Clustering, backups, and QA are availability and integrity measures; they do not maintain confidentiality. Degaussing works only on magnetic media and has no effect on SSDs. Purging is weaker than destruction: it gives assurance only that the removed data cannot be recovered by known techniques, whereas physical destruction leaves nothing to recover.
Which of the following is NOT a primary enabler of data management success?
A. Ensuring that the data owner and the data custodian share the same duties.
B. Organizational alignment and defined data handling processes.
C. Scalable technologies and infrastructure.
D. A single centralized and relational repository.
A. Ensuring that the data owner and the data custodian share the same duties.
Match the concepts below with their proper definitions.
A. Data management
B. Data policy
C. Data categorization
D. Information owner
- The individual or group that creates, purchases, or acquires the data.
- Includes a broad range of technical and administrative activities to be followed in order to properly handle data.
- Identifying what the impact of a loss of security for a given set of data would be to the organization.
- Strategic long-term goals for data across all aspects of a project or enterprise.
1: D. INFORMATION OWNER
2: A. DATA MANAGEMENT
3: C. DATA CATEGORIZATION
4: B. DATA POLICY
Good data management practices include which of the following?
- Clearly defining strategic goals and objectives
- Establishing data ownership for all project phases.
- Proper documentation and descriptive metadata.
- Installing adequate data quality procedures.
A. 1, 2, and 3
B. 2, 3, and 4
C. 1, 3, and 4
D. 1, 2, 3, and 4
D. 1, 2, 3, and 4
Which statement below is most accurate?
A. The data custodian creates the data and makes it available to users when they need it.
B. The data owner classifies the data and sets the rules for user privileges, then delegates the day-to-day data maintenance to the data custodian.
C. The data custodian provides user permissions and access to the data after the data owner has secured the data.
D. The data owner provides permissions to the data based on users' need-to-know, and the data custodian implements the classifications.
B. The data owner classifies the data and sets the rules for user privileges, then delegates the day-to-day data maintenance to the data custodian.
The custodian does not create the data, implement the classifications, or provide user permissions.
Which of the following is considered Payment Card Industry (PCI) data?
A. Job title
B. Marital status
C. Educational background
D. Primary Account Number
D. Primary Account Number
PCI DSS account data consists of cardholder data (the Primary Account Number (PAN), cardholder name, expiration date, and service code) and sensitive authentication data (full track data, the card verification code such as CVV2, and PINs/PIN blocks). The PAN is the defining element: the other cardholder data fields must be protected when they are stored together with the PAN, and sensitive authentication data may not be stored after authorization even if it is encrypted.
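Classifying a record as PCI data in practice means recognising a PAN before anything else. The following is an added example, not part of the flashcards: it picks out 13-19 digit candidates, keeps only those that pass the Luhn (mod 10) check that every PAN satisfies, and masks the rest of the digits so that only the first six and last four are shown, which is the display rule PCI DSS Requirement 3.3 permits. The sample records are constructed for this example using publicly documented card-brand test numbers and a made-up order number; the function names are the example's own.

```python
"""Added example: detect and mask a PCI Primary Account Number (PAN).

Not from the original flashcards. Sample records below are constructed:
4111111111111111 and 5555555555554444 are well-known card-brand test
numbers, and 1234567890123456 is a made-up order number that is 16 digits
long but fails the Luhn check (so it must NOT be classified as a PAN).
"""
import re

# A PAN is 13-19 digits; allow single spaces or dashes between digit groups.
# \b on both ends stops a 20-digit run from matching as a 19-digit PAN.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:         # 10..18 -> subtract 9 (same as summing the digits)
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six + last four (PCI DSS Req. 3.3 display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN candidate in text, as bare digit strings."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def classify_record(record: str) -> tuple[str, str]:
    """Label a record PCI or NON-PCI and return it with any PAN masked.

    Digit runs that look like a PAN but fail Luhn (order numbers, phone
    numbers padded to 16 digits, ...) are left untouched.
    """
    def _redact(m: "re.Match[str]") -> str:
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)

    redacted = _PAN_RE.sub(_redact, record)
    label = "PCI" if redacted != record else "NON-PCI"
    return label, redacted


if __name__ == "__main__":
    # Constructed sample log lines for the demonstration.
    samples = [
        "Order 1234567890123456 shipped to customer",
        "Paid with 5555 5555 5555 4444, exp 12/27",
        "card 4111-1111-1111-1111 declined",
    ]
    for line in samples:
        print(classify_record(line))
```

Only the PAN is matched here; expiration dates and verification codes are too short to be identified on their own, which is consistent with the point above that those fields become PCI-scoped when they sit alongside a PAN. A production DLP rule would add issuer prefix (BIN) ranges to cut false positives further.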
Which is NOT a common activity undertaken during the data life cycle?
A. Sanitizing the data upon receiving it.
B. Acquiring the data and putting it to use.
C. Decommissioning and disposing of the data.
D. Defining data requirements.
A. Sanitizing the data upon receiving it.
Which of the following would best improve the quality of data?
A. Anonymizing all incoming data to avoid data leakage.
B. Using data quality, validation, and verification techniques.
C. Doing a yearly audit of all financial data.
D. Metadata, improving data quality by making the data more accurate.
B. Using data quality, validation, and verification techniques.
(A) Anonymizing all data is not always appropriate, and it does nothing to correct inaccurate data.
(C) Yearly audits are too infrequent to maintain data quality and may not be enough to meet some regulations.
(D) If data is entered incorrectly, metadata describing it will not make the data itself more accurate.