Data Security

Question 1

Masking/ encryption will

Answer 1

render the data unreadable without the keys

Question 2

13 guiding priciples of data security

Answer 2

1. responsible trustee of data
2. comply with regulations
3. Use CRUD matrices to help map data access needs
4. data security policy should be updated and approved by the data governance council (DGSC)
   5.identify application security requirements on projects
5. classify all enterprise data for confidentiality
6. Passwords show follow complexity guidlines
7. security role groups
8. request, track and approve all user and group authorisations
9. centrally manage user identity data and group membership data
10. use views or partitions to restrict access to sensitive columns or specific views
11. strictly limit and consider every use of share or service user accounts
12. monitor data access activity to understand trends

Question 3

Classifications of data

Answer 3

PII, business critical financially critical

Question 4

Password best practise

Answer 4

3/4 random words

Question 5

Goldilocks Principle

Answer 5

balance must be met based on the damage/harm that could be caused

Question 6

Four sources of data security requirements

Answer 6

• business needs
• government regulations
• stakeholder concerns
• legitimate business concerns

Question 7

Security control legislation EU

Question 8

Security control legislation EU

Answer 8

• EU GDPR
• BASEL II and Solvency II
• BCBS 239 Basel committee
• PCI-DSS

Question 9

Security control legislation US

Answer 9

• HIPAA
• Sarbanes-Oxley Act
• CCPA
• CPRA

Question 10

Four As

Answer 10

Authentication
Authorisation
Access
Audit

Question 11

Sarbanes-Oxley Act

Answer 11

prevents unauthorised modification of financial transactions

Question 12

Solvency II

Answer 12

Protecting lineage of data feeding risk models

Question 13

Active Audit

Answer 13

Parsing instructions and data before its returned to the user

Question 14

Passive Audit

Answer 14

Looking what has happened

Question 15

CCPA

Answer 15

statute to enhance privacy right and consumer protection (california)

Question 16

ISO standards

Answer 16

set out critical requirements for information secuirty standard in an organisation

Question 17

ISO/IEC 29100

Answer 17

about the technology e.g. firewalls

Question 18

ISO/IEC 27001

Answer 18

how to manage information security

Question 19

ISO/IEC 27701

Answer 19

extension of 27001 relating to GDPR

Question 20

Standards should influence

Answer 20

• access control
• use of devices
• disposal processes

Question 21

CIA

Answer 21

confidentiality, integrity, availability

Question 22

CIA Integrity

Answer 22

preventing undetectable modification of information

Question 23

3 categories of controls

Answer 23

• Administrative controls
• Logical controls
• physical ocntrols

Question 24

Administrative controls

Answer 24

precedural security e.g., training, policies

Question 25

Logical controls

Answer 25

software security e.g., passwords, firewalls, encryption

Question 26

Physical Controls

Answer 26

Workplace Security e.g., doors, locks, CCTV, sprinkler system

Question 27

Risk Assessment Stages

Answer 27

1. categorise the threats e.g., environmental vs manmade 2. categorise the vulnerabilities e.g., physical, technological, human 3. Probability - what's the likelihood that a threat exploits a vulnerability 4. Impact - how will this effect the organisation 5. Give a suggested mitigation

Question 28

How does ISO 27001 suggest to treat risks

Answer 28

- terminate the risk - treat the risk - transfer the risk - tolerate the risk (accept the risk)

Question 29

IT Security Threats: Privilege Escalation

Answer 29

Exploiting the bugs in software. Mechanism that people use to load further bad software, to use it as a node for further attacks

Question 30

IT Security Threat: Root kits

Answer 30

Activated as system boots up (hard to detect), allow the installation of files and accounts to intercept sensitive information

Question 31

IT Security Treat: Ransomware

Answer 31

Malware that encrypts your data and payment is demanded before the data is returned

Question 32

SMART

Answer 32

specific, measurable, achievable. realistic, timely

Question 33

The planning development and execution of security policies and procedures to provide proper authentication, authorisation access and auditing of data and information assets

Answer 33

Data security management

Question 34

HIPAA is relevant

Answer 34

for US healthcare providers

Question 35

PCI-DSS is relevant for

Answer 35

online card payments

Question 36

The implementation and administration of database security is the responsibility of

Answer 36

The DBA

Question 37

Responsibility of the data governance council in defining an information security policy

Answer 37

review and approve the high-level data security policy

Question 38

What is the benefit of using role groups to implement data security policies

Answer 38

reduces the effort to assign access rights to users if they inherit rights from their group

Question 39

Different ways to encrypt

Answer 39

Hash, private key, public key & Obfuscation/masking

Question 40

Two types of masking

Answer 40

persistent & dynamic

Question 41

Persistant masking

Answer 41

Permanently alters the data

Question 42

Persistant masking two types

Answer 42

in flight (moving between source and place e.g. between production and non production) in place (when source and destination are the same)

Question 43

Dynamic Masking

Answer 43

Changes the appearance without changing the data

Question 44

Temporal variance

Answer 44

move dates + - a number of days (type of masking)

Question 45

cookie

Answer 45

a small data file that is downloaded on to a computers hard drive, to identify returning visitors and profile their preferences

Question 46

DMZ

Answer 46

The area of the edge/ perimeter of an organisation, with a firewall between it and the organisation.

Question 47

One of the main approaches to managing sensitive data is classifying them and enforcing a common standard. This process is also part of:

Answer 47

Metadata Management

Question 48

Guiding Principles for data security

Answer 48

- requires collaboration - enterprise wide approach - proactive management

Question 49

Authentication

Answer 49

verifying the user identities of those who are accessing your data

Question 50

Classifying data (important metadata)

Answer 50

define confidentiality levels

Question 51

encrypting data at rest

Answer 51

encrypting data when it's stored on a device

Question 52

secure data in transit

Answer 52

encrypting data which its being transitted between locations

Question 53

Which role is responsible for determining the right confidentiality levels

Answer 53

data stewards

Question 54

Organisations are turning increasingly into cloud based computing environments. What are some measures needed to adapt to this new emergence?

Answer 54

Tweaking or creating a new data security management policy centered on cloud computing Data security policies must account for distribution of data across different service models ed to adhere to the same security policy as the rest of the organisation In cloud computing, defining chain of custody of data and defining ownership and custodianship rights should be a priority Internal cloud data-center architecture need to adhere to the same security policy as the rest of the organisation

Question 55

One of the main approaches to managing sensitive data is classifying them and enforcing a common standard. This process is also part of:

Answer 55

Metadata Management

Question 56

While the Information security team enforces and protects the network, which role is responsible for determining the right confidentiality levels?

Answer 56

Data stewards