D2. Asset Security

Question 1

This is a critical first step toward ensuring the security of your systems and data.

Answer 1

Identifying and classifying information assets

Question 2

These are the foundational steps in establishing an information security asset management program.

Answer 2

1. Creating an inventory of what assets an organization has
2. Where the assets are located?
3. Who is responsible for the assets?

Question 3

Is the process of organizing data into groups or categories that describe the data’s sensitivity, criticality, and value.

Answer 3

What is data classification?

Question 4

A cornerstone of data security and risk management, this helps to determine the security controls necessary to manage and safeguard the confidentiality, integrity, and availability of data.

Answer 4

What is data classification?

Question 5

What are the three (3) primary steps of data classification?

Answer 5

1. Context-based
2. Content-based
3. User-based

Question 6

Derived from metadata like ownership, location, or other values that can indirectly indicate sensitivity or criticality.

Answer 6

What is context-based?

Question 7

Derived by inspecting the contents of files and directly identifying sensitive data, rather than inferring it from metadata.

Answer 7

What is content-based?

Question 8

Involves manual assignment of data classification and is based on user’s understanding of the data and your organization’ classification scheme.

Answer 8

What is user-based?

Question 9

Generally considered the highest level of classification outside of government or military organizations. The loss of this data can cause serious risk to the organization.

Answer 9

What is confidential classification scheme?

Question 10

Losing this data will raise the risk to the organization, even if it is just repetitional damage (strategy documents or inter organizational correspondence can be considered sensitive).

Answer 10

What is sensitive classification scheme?

Question 11

Usually compartmental data that might not do the company damage but must be kept private for other reasons (employee renting statistics and salary ranges).

Answer 11

What is private classification scheme?

Question 12

Data that is disclosed outside the company on a limited basis or contains information that could reduce the company’s competitive advantage, such as technical specification of a new product.

Answer 12

What is proprietary classification scheme?

Question 13

Data that if lost would have little or no impact to the company.

Answer 13

What is public classification scheme?

Question 14

Other labels used to designate documents (but not considered classifications).

Answer 14

For Official Use Only (FOUO) and Limited Official Use

Question 15

Is the process of grouping types of data with comparable sensitivity labels.

Answer 15

What is data categorization?

Question 16

Identifying the sensitivity, criticality, and value of the information systems and assets that store, process, and transmit that data, as well as the data itself.

Answer 16

What is asset classification?

Question 17

Involves grouping assets based on their relative level of sensitivity and the impact to the organization should the assets be compromised.

Answer 17

What is asset classification?

Question 18

What are the major benefits of classification?

Answer 18

1. Accurate asset inventory
2. Insight into the environment
3. Optimize change, vulnerability, and management programs
4. Maintenance windows
5. Security controls and segmentation
6. Protection of sensitive data
7. Identify rouge assets
8. Understand potential risks posed by vulnerabilities
9. Identify proprietary assets and intellectual property
10. Forecast cost
11. Compliance and Regulation controls

Question 19

Assets should be identified and controlled based on their level of.

Answer 19

What is sensitivity?

Question 20

While data classification is the most important element on a data label, asset labels may contain other information, such as.

Answer 20

1. Title of the asset
2. Data owner
3. Data retention period (if applicable)

Question 21

This helps keep asset handling efficient and cost-effective.

Answer 21

What is marketing and labeling of public data or unclassified information?

Question 22

This aids by using digital marketing to identify and prevent sensitive information from leaking out of an organization.

Answer 22

What is Data Loss Prevention (DLP)?

Question 23

These are critical to your organization’s overall asset security management.

Answer 23

What are handling and storage guidelines?

Question 24

What are the consideration to data storage?

Answer 24

1. Encryption
2. Limiting the volume of data retained
3. Backups

Question 25

The process of modifying the assigned classification of an asset to a lower level of sensitivity.

Answer 25

What is declassification?

Question 26

Methods to declassify assets include.

Answer 26

What is de-identification and tokenization?

Question 27

The process of removing information that can be used to identify an individual (PII).

Answer 27

What is Data de-identification?

Question 28

The data de-identification process involves taking any personally identifying data fields and converting them to.

Answer 28

What is masked, obfuscated, encrypted, or tokenized data fields?

Question 29

Is the process of substituting a sensitive data element with a nonsensitive set of characters or numbers called a token.

Answer 29

What is tokenization?

Question 30

This is the source to trust, if there is a conflict between what the tools are reporting, and also the source used for official reports and other data requests, such as part of an audit.

Answer 30

What is the system of record?

Question 31

What the components of a typical asset management lifecycle?

Answer 31

1. Strategy
2. Plan
3. Design
4. Procure
5. Operate
6. Maintain
7. Modify
8. Dispose

Question 32

Activities critical to implementing a formal asset management program include.

Answer 32

1. Assignment of ownership
2. IT asset management
3. Configuration management
4. Change management

Question 33

Is a set of business practices related to governing and maintaining IT assets, including hardware, software, data, and related processes.

Answer 33

What is Information technology asset management (ITAM)?

Question 34

The International Standards Organization (ISO) has established this official set of standards related to ITAM.

Answer 34

What is the ISO 19770 family of standards?

Question 35

The ISO 19770 family of standards consist of

Answer 35

ISO/IEC 19770-1: Best practices and demonstrate compliance
ISO/IEC 19770-2: Software identification (SWID)
ISO/IEC 19770-3: Common terminology for describing software entitlement rights, limitations, and metrics
ISO/IEC 19770-4: Standardize reporting of resource utilization
ISO/IEC 19770-5: overview of ITAM and defines volcabulary

Question 36

Relates to asset management and asset security, this keeping inventory current, system and software configurations must be controlled and documented

Answer 36

What is configuration management?

Question 37

Identifies the version and settings of all configuration items (CI) in a product, system, or subsystem; and answers the question ‘what do I need to build the system correctly?’

Answer 37

What is a system baseline?

Question 38

Is a minimum set of safeguards required to protect a given system.

Answer 38

What is a security baseline?

Question 39

This enables validate security products to automatically perform configuration checking using NCP checklists.

Answer 39

What is Security Content Automation Protocol (SCAP)?

Question 40

An IT discipline focused on ensuring that organizations employ standard processes to make changes to their assets, and prevent arbitrary and unexpected modifications to their hardware and software inventory.

Answer 40

What is Change management?

Question 41

What are the stages of the data lifecycle?

Answer 41

1. Collect
2. Store
3. Use
4. Share
5. Retain
6. Destroy

Question 42

This is when data is generated or aggregated?

Answer 42

What is collect?

Question 43

Term used when data is saved into a storage system or repository.

Answer 43

What is store?

Question 44

Term used data is processed and/or analyzed, by users or systems, for its intended purpose.

Answer 44

What is use?

Question 45

Term used when data is shared with authorized external users and systems.

Answer 45

What is shared?

Question 46

Term used when data is kept (archived) for a predefined period of time.

Answer 46

What is retain?

Question 47

Term used when data is deleted and permanently removed from storage, making it inaccessible and unusable.

Answer 47

What is destroy?

Question 48

A high-level process that describes how data can flow through an organization.

Answer 48

What is data lifecycle?

Question 49

This is an individual or group of individuals responsible for dictating how and why data should be used, as well as determining how the data must be secured.

Answer 49

What are data owners?

Question 50

Data owners (information owner/steward) have complete control over information and can/be

Answer 50

1. Responsible and accountable for their data
2. Held liable for negligence
3. by the organizations data policy, authorize to use, collect, share, and store
4. set access protection rules
5. in collaboration with information system owners, determine security controls for access and use in the system

Question 51

Using reasonable measures and efforts to protect assets deemed valuable or assigned sensitivity levels, is referred to as?

Answer 51

What is due care?

Question 52

Term used to describe taking all expectable or practical steps to maintain due care, including verifying that everything is being done as intended by due care.

Answer 52

What is due diligence?

Question 53

This is the person, agency, company, or other body that, alone or jointly with others, determines the purpose and means of data processing.

Answer 53

What is the data controller?

Question 54

Data controllers negotiate privacy protections for personal data with data processors via secure contractural terms and assurances, called

Answer 54

What is a data processing agreement?

Question 55

Is responsible for maintaining data on the IT infrastructure, in accordance with requirements established by the data owner and the business.

Answer 55

What is a data custodian?

Question 56

Party responsible for transferring, transmitting, or otherwise handling data on behalf of a data owner is?

Answer 56

What is a data processor?

Question 57

The data processor performs data manipulation on behalf of this role.

Answer 57

What is data controller?

Question 58

This is the customer or intended recipient of data. The party who consumes that data.

Answer 58

What is users?

Question 59

Identified or identifiable natural people from whom or about whom information is collected.

Answer 59

What is data subjects?

Question 60

Notifying a user how the information collected will be used (consent), and about a nation’s citizen or residents must be deleted from foreign systems before being removed from systems in the data subjects’s nation, is referred to as.

Answer 60

What is data location?

Question 61

What are the six steps of the data lifecycle?

Answer 61

1. (Consent) - collect
2. Store
3. Use
4. Share
5. Retain
6. Destroy

Question 62

This involves all manner of processing, analyzing, and sharing data.

Answer 62

What is use?

Question 63

Process of continuously monitoring your data and applying principles like least privilege and defense in depth.

Answer 63

What is data maintenance?

Question 64

Term used to regarding considerations made for how long data will be retained before being securely destroyed.

Answer 64

What is data retention?

Question 65

Final stage of the data lifecycle, often neglected, by regulation or for functionality, this term refers to the process to remove data.

Answer 65

What is data destruction?

Question 66

This occurs when data destruction efforts were insufficient to prevent the reconstruction of the data.

Answer 66

What is data remanence?

Question 67

This is when the data is no longer needed and they key is deleted, the data is rendered unusable or unreachable.

Answer 67

What is cryptographic erasure?

Question 68

This is the guideline for media sanitization

Answer 68

What is NIST SP 800-88?

Question 69

To achieve a level of assurance of adequate asset sanitization, the following techniques can be used:

Answer 69

1. Cleansing (digitally wiping data)
2. Purging (degaussing)
3. Destruction (shredding, burning, or pulverizing)

Question 70

You would used these requirements for specific techniques to achieve the desired level of assurance in sanitization

Answer 70

1. Zeroing (erase and overwrite with zeros)
2. Overwriting (random passes of 0 and 1 combinations to overwrite previous data)
3. Degaussing (magnetic media is erased)

Question 71

This article is commonly referred to as the right to be forgotten

Answer 71

What is EU GDPR’s Article 17 - The Right to Erasure

Question 72

Security controls are based on these:

Answer 72

1. Classification of the asset
2. Data state
3. compliance requirements
4. Industry standards

Question 73

What are the three categories of control?

Answer 73

What are technical controls, administrative controls, and physical controls?

Question 74

Security controls (technical, administrative, and physical) have applicable types of controls described as?

Answer 74

1. Deterrent
2. Preventative
3. Detective
4. Corrective
5. Recovery

Question 75

These are examples of data states

Answer 75

1. At rest
2. in motion
3. In use

Question 76

Data that is stored on a system and not actively being written to, read from, transmitted, or otherwise processed.

Answer 76

What is data at rest?

Question 77

This is a common form of security control for data at rest, and can be employed across an entire volume of storage

Answer 77

What is full-disk encryption?

Question 78

This is a microcontroller chip integrated into the computer hardware that provides a crypto processor

Answer 78

What is Trusted Platform Module (TPM)?

Question 79

This is a hard disk drive or solid state drive that automatically encrypts and decrypts drive data without the need for additional encryption software

Answer 79

What is self-encrypting drive (SED)?

Question 80

This refers to data that is actively being transmitted across a network, between multiple networks, or from one location to another. Also described as data in motion.

Answer 80

What is data in transit?

Question 81

These technologies help secure data in transit

Answer 81

What are transport layer security, HTTPS, and virtual private networks (VPN)?

Question 82

This method of data-in-transit security where the traffic is encrypted and decrypted at each network routing point

Answer 82

What is link encryption?

Question 83

This type of system of communication ensures that only the sender and recipient can read the data

Answer 83

What is End-to end encryption?

Question 84

This term refers to data that is actively being processed by an application being used by a user

Answer 84

What is data in use?

Question 85

Establishing a baseline of security controls begins with.

Answer 85

What is the scoping and tailoring process?

Question 86

Is the process the organization undertakes to consider which security controls apply and what assets they need to protect.

Answer 86

What is scoping?

Question 87

Is the process of modifying the set of controls to meet the specific characteristics and requirements of the organization.

Answer 87

What is tailoring?

Question 88

This control augments a primary control’s ability to achieve a control objective or replace the primary control to meet the given control objective

Answer 88

What are compensating controls?

Question 89

The minimum set of security controls that are required is referred to as

Answer 89

What is security baseline?

Question 90

These controls are based on specific threats or regulatory requirements of an organization or an industry

Answer 90

What are supplemental controls?

Question 91

A collection of documented policies and procedures that define how to mange an enterprises’ security

Answer 91

What is a security framework?

Question 92

Is a set of tools and processes focused on controlling the use, modification, and distribution of intellectual property (IP) throughout its life-cycle.

Answer 92

What is digital rights management (DRM)?

Question 93

Is a related technology that more broadly protects data from unauthorized access by controlling who can view, copy, delete, or otherwise modify data.

Answer 93

What is information rights management (IRM)?

Question 94

Sometimes referred to as data leakage prevention, is the set of technologies and practices used to ensure that sensitive data is not lost or accessed by unauthorized parties.

Answer 94

What is Data Loss Prevention (DLP)?

Question 95

Data Loss Prevention consists of these three core stages

Answer 95

1. Discovery (finding all instances of data) and classification (act of categorizing that data based on its sensitivity and value)
2. Monitoring (inspecting data as it moves throughout the life-cycle)
3. Enforcement (actions taken to prevent policy violations identified during the monitoring stage)

Question 96

This is a software application that sits between cloud users and cloud services and applications; actively monitors all cloud activity and implement centralized controls to enforce security.

Answer 96

What is Cloud Access Security Broker (CASB)?

Question 97

CASB aims to serve these four primary functions:

Answer 97

1. Visibility
2. Data security
3. Threat protection
4. Compliance

Question 98

What are the three primary types of CASB solutions?

Answer 98

1. Forward proxy
2. Reverse proxy
3. API-based