Domain-2

Question 1

Application Encryption

Answer 1

Encryption engine is in the application using the database

Question 2

Transparent Encryption

Answer 2

Encryption engine is within the database

Question 3

common challenge w/key management

Answer 3

1. Access to the key
2. Key storage
3. Backup & replication

Question 4

Key escrow & management considerations

Answer 4

take into account of all relevant laws, regulations, & jurisdiction requirements

Question 5

When possible key management should be conducted separately from CSP, why?

Answer 5

to enforce SOD & force collusion if unauthorized data access is attempted

Question 6

Tokenization

Answer 6

The process of replacing sensitive data element with nonsensitive equivalent

Question 7

Anonymization

Answer 7

The process of removing the direct identifiers in order to prevent data analysis tools from collating or pulling data from multiple sources to identify an individual or sensitive information.

Question 8

Data Masking/Obfuscation

Answer 8

The process of hiding, omitting or replacing sensitive data from a data set.

Question 9

Bit splitting

Answer 9

Splitting up & storing encrypted information across different cloud storage services.

Question 10

Classification

Answer 10

The process of determining the impact of the loss of CIA of the information/asset to an organization

Question 11

Labeling

Answer 11

referred to as tagging the data with additional information (department, location, and creator). One of the labeling options can be classification according to a certain criteria such as top secret, secret, or classified.

Question 12

Classified data (Government/Military)

Answer 12

1. Top secret
2. Secret
3. Confidential

Question 13

Controller

Answer 13

determines the purposes & means of the processing of personal data

Question 14

Processor

Answer 14

processes personal data on behalf of the controller

Question 15

IRM protects files from

Answer 15

unauthorized copying, viewing, printing, forwarding, deleting, and editing

Question 16

DRM vs IRM

Answer 16

DRM - songs and movies

IRM - documents, spreadsheets, & presentations

Question 17

DRM primary goal

Answer 17

to protect intellectual property from being copied and distributed without properly compensating the owners of the property

Question 18

The Digital Millennium Copyright Act, amended to the US copyright law,

Answer 18

criminalized the use of techniques intended to circumvent DRM technology

Question 19

Enterprise DRM

Answer 19

aka - IRM; Focused at protecting enterprise assets such as documents and e-mails through implementation of usage rights policies

Question 20

the objective of data retention policy

Answer 20

1. to keep important information for future use or reference
2. to organize information so it can be searched and accessed at a later date
3. to dispose of information that is no longer needed

Question 21

Data retention policy should define:

Answer 21

Retention periods
Data formats
Data security
Data retrieval procedures

Question 22

Data retention policy should have:

Answer 22

• Regulatory/Statutory compliance objective(s) - what are we liable/accountable for?
• Data mapping - what types of data do we have?
• Data classification - where is the data and what is it worth?
• Retention period - How long do we need to keep data?
• Monitoring - How effective/efficient are we?

Question 23

overwriting

Answer 23

writing random data over the actual data

Question 24

Encryption

Answer 24

using an encryption method to re-write the data in an encrypted format to make it unreadable w/o encryption key

Question 25

Data archiving

Answer 25

moving data from production systems to long term storage systems

Question 26

Data archiving policy

Answer 26

• Data encryption procedures
• Data monitoring procedures
• Abilities for eDiscovery
• BCDR options
• Allowed data format and media types
• Data restoration procedures
• Legal Hold capabilities

Question 27

Legal hold

Answer 27

aka-litigation hold, a notification sent from an organization’s legal team to employees instructing them not to delete electronically stored information (ESI). OR discard paper documents that may be relevant to a new or imminent legal case

Question 28

Spoilation

Answer 28

deletion or modification of potentially relevant evidence

Question 29

Relevant cloud SLA contract (IaaS)

Answer 29

1. Cloud or network perimeter network logs
2. Logs from DNS Servers
3. VM monitor (VMM) logs
4. Host OS & Hypervisor logs
5. API access logs
6. Management portal logs
7. Packet captures
8. Bill records

Question 30

Self-authenticating

Answer 30

evidence pertains to any item a party can submit without offering additional proof showing its authenticity