Domain 2

Question 1

Data Lifecycle

Answer 1

Create > Store > Use > Share > Archive > Destroy

No classifying

Question 2

Information Lifecycle

Answer 2

Create > Classify > Store > Use > Archive > Destroy

No sharing

Question 3

Data Security Controls
(5 types)

Answer 3

1. Marking, label, handle, Classify
2. Handling
3. Destruction
4. Retention
5. Tape Backup Security

Question 4

Data Destruction Methods
(5 types)

Answer 4

1. Erasing: performing the Delete operation (typically recoverable)
2. Clearing (Overwrite): Preparing media for re-use and ensure data cant be recovered
3. Purging: More intense clearing, for reuse in less secure envs
4. Degausing: erasing via strong magnetic field
5. Destruction: physically destroying media (Most secure)

Question 5

Security Controls Baseline

Answer 5

Listing of controls that an org can apply as a baseline

Question 6

Data Protection

Answer 6

Confidentiality is often protected thru encryption at rest and transport

Question 7

Data Classification
Non-Government (public)

Answer 7

Class 3: Confidential / Proprietary
- Exceptionally severe damage

Class 2: Private
- Serious Damage

Class 1: Sensitive
- Damage

Class 0: Public
- No Damage

Question 8

Data Classification
Government

Answer 8

Class 3: Top Secret
- Exceptionally severe damage

Class 2: Secret
- Serious Damage

Class 1: Confidential
- Damage

Class 0: Unclassified
- No Damage

Question 9

Sensitive Data

Answer 9

Any info that is NOT public or unclassified

Question 10

Personally Identifiable Info (PII)

Answer 10

any info that can ID an individual

Question 11

Protected Health Info (PHI)

Answer 11

Health info related to a specific person

• Covered by HIPAA

Question 12

Data Roles
Data Owner

Answer 12

Usually in Senior Mgmt can delegate some day to day duties. Cannot delegate total responsibility

Question 13

Data Roles
Data Custodian

Answer 13

Usually in IT Dept. Does NOT decide which controls are needed, but implements them

TIP if ?’s mention “Day to day” duties it means the custodian

Question 14

Data Roles
Data Administrator

Answer 14

Grants access to personell via RBAC

Question 15

Data Roles
User

Answer 15

Anyone who access the data

Question 16

Data Roles
Business / Mission Owner

Answer 16

Overlaps or is same as system owner

Question 17

Data Roles
Asset Owner

Answer 17

Owns the asset that processes sensitive data and related security plans

Question 18

GDPR Terms
Data Processor

Answer 18

Natural / legal person, public authority, agency, or body which processes personal data soley on behalf of the data controller

Question 19

GDPR Terms
Data Controller

Answer 19

Person / entity that controls processing of the data

Question 20

GDPR Terms
Data Transfer

Answer 20

GDPR restricts transfers to countries outside of EU

Question 21

GDPR Terms
Anonymization

Answer 21

Removing all relevant data so it is impossible to ID original person

If done correctly, GDPR is no longer relevant

Question 22

GDPR Terms
Pseudonymization

Answer 22

Using aliases to represent the data

• Can make less stringent regulations
• Use if you need the data, but reduce exposure
• Make sure the alias mapping is secured