Data Protection

Question 1

Based on the value to the organization and the sensitivity of the information, determined by the data owner

Answer 1

Data Classification

Question 2

Information that, if accessed by unauthorized persons, can result in the loss of security or competitive advantage for a company

Over classifying data leads to protecting all data at a high level

Answer 2

Sensitive Data

Question 3

Why is Data Classification Important?

Answer 3

■ Helps allocate appropriate protection resources
■ Prevents over-classification to avoid excessive costs
■ Requires proper policies to identify and classify data accurately

Question 4

What are the Commercial Business Classification Levels?

Answer 4

Public Data (No impact if released)
Sensitive (Minimal Impact if released ex. financial data)
Private (Contains internal personnel or salary info)
Confidential (Holds trades secrets, intellectual property, code, etc)
Critical (Extremely valuable and restricted info)

Question 5

What are the Govermnet Classification Levels?

Answer 5

Unclassified (Generally releasable to public)
Sensitive but Unclassified (includes medical records, personnel files)
Confidential (Contains info that could affect the goverment)
Secret (Holds data like military deployment plans, defensive postures)
Top Secret (Highest level, includes highly sensitiv national security info)

Question 6

Process of identifying the individual responsible for maintaining the
confidentiality, integrity, availability, and privacy of information assets

Answer 6

Data Ownership

Question 7

A senior executive responsible for labeling information assets and ensuring they are protected with appropriate controls

Answer 7

Data Owner

Question 8

Entity responsible for determining data storage, collection, and usage purposes and methods, as well as ensuring the legality of these processes

Answer 8

Data Controller

Question 9

A group or individual hired by the data controller to assist with tasks like data collection and processing

Answer 9

Data Processor

Question 10

Focuses on data quality and metadata, ensuring data is appropriately labeled and classified, often working under the data owner

Answer 10

Data Steward

Question 11

Responsible for managing the systems on which data assets are stored, including enforcing access controls, encryption, and backup measures

Answer 11

Data Custodian

Question 12

Oversees privacy-related data, such as personally identifiable information (PII), sensitive personal information (SPI), or protected health information (PHI), ensuring compliance with legal and regulatory frameworks

Answer 12

Privacy Officer

Question 13

Data Owner Responsibility

Answer 13

The IT department (CIO or IT personnel) should not be the data owner; data owners should be individuals from the business side who understand the data’s content and can make informed decisions about classification

Question 14

Selection of Data Owners

Answer 14

Data owners should be designated within their respective departments based on their knowledge of the data and its significance within the organization

Question 15

Data stored in databases, file systems, or storage systems, not actively moving

Answer 15

Data at Rest

Question 16

Data at Rest - Encryption Methods

Answer 16

Full Disk Encryption (FDE) - entire hard drive
Partition Encryption - Specific Partitions
File Encryption - individual files
Volume Encryption - selected files/directories
Database Encryption - database column,row, or table
Record Encryption - speicific fields within a database

Question 17

Data actively moving from one location to another, vulnerable to interception

Answer 17

Data in Transit (Data in Motion)

Question 18

Data in Transit - Transport Encryption Methods

Answer 18

SSL (Secure Sockets Layer)
TLS (Transport Layer Security)
VPN (VIrtual Private Network)
IPSec (Internet Protocol Security)

Question 19

Data actively being created, retrieved, updated, or deleted

Answer 19

Data in Use

Question 20

Data in Use - Protection Measures

Answer 20

Encryption at Application Level
Access Controls
Secure Enclaves
Machanisms like INTEL Software Guard

Question 21

Information controlled by laws, regulations, or industry standards

Compliance requirements
● General Data Protection Regulation (GDPR)
● Health Insurance Portability and Accountability Act (HIPAA)

Answer 21

Regulated Data

Question 22

Information used to identify an individual (e.g., names, social security numbers, addresses)

Targeted by cybercriminals and protected by privacy laws

Answer 22

PII (Personal Identification Information)

Question 23

Information about health status, healthcare provision, or payment linked to a specific individual

Protected under HIPAA

Answer 23

PHI (Protected Health Information)

Question 24

Confidential business information giving a competitive edge (e.g., manufacturing processes, marketing strategies, proprietary software)

Legally protected; unauthorized disclosure results in penalties

Answer 24

Trade Secrets

Question 25

Creations of the mind (e.g., inventions, literary works, designs)

Protected by patents, copyrights, trademarks to encourage innovation

Unauthorized use can lead to legal action

Answer 25

Intellectual Property (IP)

Question 26

Data related to legal proceedings, contracts, regulatory compliance

Requires high-level protection for client confidentiality and legal privilege

Answer 26

Legal Information

Question 27

Data related to financial transactions (e.g., sales records, tax documents, bank statements)

Targeted by cybercriminals for fraud and identity theft

Subject to PCI DSS (Payment Card Industry Data Security Standard)

Answer 27

Financial Information

Question 28

Understandable directly by humans (e.g., text documents, spreadsheets)

Answer 28

Human-Readable Data

Question 29

Requires machine or software to interpret (e.g., binary code, machine language)

Contains sensitive information and requires protection

Answer 29

Non-Human-Readable Data

Question 30

Digital information subject to laws of the country where it’s located

Gained importance with cloud computing’s global data storage

Answer 30

Data Sovereignty

Question 31

Protects EU citizens’ data within EU and EEA borders

Compliance required regardless of data location

Non-compliance leads to significant fines

Answer 31

GDPR (General Data Protection Regulation)

Question 32

Require data storage and processing within national borders

Challenge for multinational companies and cloud services

Answer 32

Data Sovereignty Laws (e.g., China, Russia)

Question 33

Virtual boundaries to restrict data access based on location

Compliance with data sovereignty laws

Prevent unauthorized access from high-risk locations

Answer 33

Geographic Restrictions (Geofencing)

Question 34

Transform plaintext into ciphertext using algorithms and keys

Protects data at rest and in transit

Requires decryption key for data recovery

Answer 34

Encryption

Question 35

Converts data into fixed-size hash values

Irreversible one-way function

Commonly used for password storage

Answer 35

Hashing

Question 36

Replace some or all data with placeholders (e.g., “x”)

Partially retains metadata for analysis

Irreversible de-identification method

Answer 36

Masking

Question 37

Replace some or all data with placeholders (e.g., “x”)

Partially retains metadata for analysis

Irreversible de-identification method

Answer 37

Tokenization

Question 38

Make data unclear or unintelligible

Various techniques, including encryption, masking, and pseudonyms

Hinder unauthorized understanding

Answer 38

Obfuscation

Question 39

Divide network into separate segments with unique security controls

Prevent lateral movement in case of a breach

Limits potential damage

Answer 39

Segmentation

Question 40

Define data access and actions through ACLs or RBAC

Restrict access to authorized users

Reduce risk of internal data breaches

Answer 40

Permission Restrictions

Question 41

Aims to monitor data in use, in transit, or at rest to detect and prevent data theft

are available as software or hardware solutions

Answer 41

Data Loss Prevention (DLP)

Question 42

Types of DLP (Data Loss Prevention) Systems

Answer 42

Endpoint DLP System
Network DLP System
Storage DLP System
Cloud-Based DLP System