Data Classification Flashcards

1
Q

What is the most important step in properly handling and controlling data?

A

Assigning responsibilities according to who has possession and legal ownership of it, which are usually associated with named roles.

2
Q

What role collects and creates the data?

A

Data owner

3
Q

Who is usually the data owner?

A

Cloud customer

4
Q

Many international treaties/frameworks refer to the data owner as…

A

The data controller

5
Q

Who is the person/entity tasked with daily maintenance and administration of the data?

A

Data custodian

6
Q

The _____ applies the proper security controls and processes as directed by the data owner.

A

data custodian

7
Q

Who might be the data custodian?

A

Database administrator

8
Q

Who is tasked with ensuring the data’s context and meaning are understood and data is used properly?

A

Data stewards

9
Q

Who manipulates, stores, or moves data on behalf of the data owner?

A

Data processor

10
Q

Copying, printing, destroying, and utilizing data is called…

A

Processing

11
Q

From an international perspective, who is the data processor?

A

The Cloud Provider

12
Q

T/F Data processors can be third parties

A

True

13
Q

______ remain legally responsible for all data they own.

A

Data owners

14
Q

T/F System owners are always data owners.

A

False - not necessarily

15
Q
  • Regulatory compliance
  • Business function
  • Functional unit
  • Project
    All drive _____
A

Data categorization

16
Q

Who is in the best position to categorize the data?

A

Data owners

17
Q

Who is responsible for data classification?

A

Data owner

18
Q

Data classification types:

A
  • Sensitivity
  • Jurisdiction
  • Criticality
19
Q

Data classification is often based on…

A

Organizational policies

20
Q

What is it called when data shared between orgs must be normalized and translated so that it’s meaningful to both parties?

A

Data mapping

21
Q

Data classifications and labels are carried through mapping to ensure…

A

That data used in another context does not lose its security controls and oversight.

22
Q
  • Date of creation
  • Date of scheduled destruction/disposal
  • Confidentiality level
  • Handling directions
  • Dissemination/distribution instructions
  • Access limitations
  • Source
  • Jurisdiction
  • Applicable regulation
A

Information a label includes

23
Q

Why are labels often used as part of data management tools?

A

For lifecycle and security controls.

24
Q

What is a key technology component and capability in the data lifecycle?

A

Automated labeling

25
Q

What helps an org track where their data is flowing, what ports/protocols are in use, how data is secured, and what controls are in place?

A

Data flow diagrams

26
Q

What is it called when an org is creating an initial data inventory, doing electronic discovery, or using data mining tools to discover trends in data already in the inventory?

A

Data discovery

27
Q

What is a listing of traits and characteristics about specific data elements or sets?

A

Metadata

28
Q

Sorted data by meaningful attributes.

A

Structured data

29
Q

Relational databases are a type of _______?

A

Structured data

30
Q

Unsorted data, like email content, is considered ______?

A

Unstructured data

31
Q

T/F It’s easier to perform data discovery on unstructured data.

A

False - easier on structured data because it’s already arranged.

32
Q

________ uses tags or other elements to create fields and records within data without requiring a rigid structure.

A

Semi-structured data

33
Q

What are some examples of semi-structured data?

A

XML and JSON

34
Q

What two things are key to designing and securing data discovery and usage models?

A

Understanding how data will be used and analyzed.

35
Q

Data mining, real-time, and business intelligence.

A

3 types of data analytics methods

36
Q

The actions that authorized users can take and how those rights are set, applied, modified, and removed.

A

Data rights

37
Q

What rights are critical to ensuring that use of IRM does not disrupt the business while still being effective?

A

Provisioning

38
Q

What describes what can/cannot be done with data and who can/cannot perform certain actions?

A

Access Models

39
Q

_____ describe the rights a user has to content and _____ are used to validate the identity of the user/computer.

A

Licenses and certificates

40
Q
  • Rudimentary reference checks
  • Online reference checks
  • Local agent checks
  • Support-based licensing
A

4 ways IRM can be applied

41
Q
  • Replication restrictions
  • Jurisdictional conflicts
  • Agent/enterprise conflicts
  • Mapping identity and access management (IAM and IRM)
  • API conflicts
A

Challenges faced by employing IRM in the cloud

42
Q
  • Persistent protection
  • Dynamic policy control
  • Automatic expiration
  • Continuous auditing
  • Replication restrictions
  • Remote rights revocation
A

Things IRM should provide, regardless of content/format

43
Q

What is an ACL?

A

Access control list

44
Q

Retention periods are often expressed in days for _____ and years for _____.

A

Ephemeral data (logs) and business data

45
Q
  • Retention periods
  • Regulation and compliance
  • Data classification
  • Retention
  • Data deletion
  • Archiving and retrieval
  • Monitoring, maintenance, and performance
A

Things data retention policies should address.

46
Q

Who will delete the data, requirements for deletion, procedure documentation to show how secure deletion occurs/is validated, and compliance/legal requirements.

A

Things policies for data deletion should specify

47
Q

_____ involves identification/collection/production of data related to a case, and _____ ensure data required for a case is collected and preserved.

A

E-discovery and legal holds

48
Q

A legal hold occurs when an organization is notified that:

A
  1. A law enforcement/regulatory entity is commencing an investigation
  2. A private entity is commencing litigation against the org
49
Q

What rule dictates that a legal hold notice has primacy, even over federal laws like HIPAA?

A

Federal Rules of Evidence

50
Q

What can be used to regularly review, inventory, and inspect the usage and condition of owned data?

A

Data audit

51
Q

Audit periods/scope/responsibilities, processes/procedures, regulations, and monitoring/maintenance/enforcement are things to consider when conducting _____.

A

Data audits

52
Q
  1. It’s not often a priority.
  2. It’s mundane/repetitive.
  3. Reviewer needs to understand the operation.
  4. It’s expensive.
A

Challenges in reading and analyzing logs

53
Q

What are the 3 areas to consider for audit mechanism planning and implementation in cloud environments?

A
  1. Log collection
  2. Log correlation
  3. Packet capture
54
Q

You can only perform packet capture in what environment?

A

IaaS

55
Q
  1. Physical destruction
  2. Degaussing
  3. Overwriting
  4. Crypto-Shredding
A

On-premises data destruction options

56
Q

What is the only data destruction option in the cloud?

A

Crypto-shredding

57
Q
  1. Process for disposal
  2. Applicable regulations
  3. Clear direction on when data should be destroyed
A

3 things a data disposal policy should include

58
Q

Encrypting data with a strong encryption engine, then encrypting the resulting keys with a different encryption engine, and then destroying those keys is called?

A

Crypto-shredding

59
Q

What allows data to be destroyed while leaving the media intact by writing multiple passes of random characters to the location where the data resides?

A

Overwriting

60
Q

Applying strong magnetic fields to hardware and media where data resides is called?

A

Degaussing

61
Q

T/F Degaussing does not work with solid-state drives like SSD, flash media, and thumb drives.

A

True

62
Q

Burning, melting, impact, or industrial shredding of the media holding data is called?

A

Physical destruction of media and hardware

63
Q

T/F Hardware/media can always be sanitized by simply deleting the data?

A

False - deleting doesn’t erase data, it just removes the logical pointers to the data

64
Q

In SaaS and PaaS environments, data destruction can only be approached through:

A

Contractual requirements

65
Q

What is data left over after sanitization and disposal methods have been attempted?

A

Data remanence