Domain 2 Flashcards

1
Q

The information Lifecycle includes:

A

1) Classification
2) Categorization
3) Ownership
4) Maintenance

2
Q

Government data classification labels, from highest to lowest level of secrecy:

A

1) Top Secret - highest level of information classification; unauthorized disclosure can cause EXCEPTIONALLY GRAVE DAMAGE to national security
2) Secret - unauthorized disclosure can cause SERIOUS DAMAGE to national security
3) Confidential - unauthorized disclosure can cause DAMAGE to national security
4) Sensitive but Unclassified (SBU) - disclosure does not damage national security but the data still warrants protection
5) Unclassified - neither sensitive nor classified; public release does not violate confidentiality

3
Q

Compromise of data means:

A

“severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals” (the wording FIPS 199 uses for a high-impact loss of confidentiality, integrity or availability)

4
Q

What are the data classification criteria that determine how data is classified?

A

1) Value - what is the information worth to the company, and what happens if it is lost or compromised?
2) Age - how current is the information? Does your organization need data that is five years old? Is real-time information more important?
3) Useful life - at what point is data in your system no longer worth protecting?
4) Personal association - PII, PHI, financial information

5
Q

What can require the release of information that would otherwise remain protected?

A

1) Court orders, legal statutes
2) FOIA (Freedom of Information Act) - requests seek release of government information
3) Contractual obligations
4) Senior level management approval - e.g., NDA on file for the recipient of the data

6
Q

Data Ownership: _____ is ultimately responsible for the success of an organization. They are high-ranking officials who are responsible for establishment of an organization’s computer security program and goals. They set priorities to support the mission of the org. They must implement an effective and appropriate data classification program and provide adequate funding and manpower to implement, maintain and enforce the program policy when needed. They should also oversee an audit program and receive periodic reports of violations

A

Business/mission owners

7
Q

Data Ownership: _____ are members of management responsible for ensuring appropriate protection of specific data. They have the final corporate responsibility for protection of specific data. They must take measures to adequately protect their information and networks from all significant threats.

A

Data Owners / Information Owners

They have the final say on security, decide what protection is appropriate, are ultimately responsible for the data, and determine who can access it.

They also:

  • Assign classification
  • Ensure proper security controls are in place to protect the information
  • Regularly review who has access to the information
  • Serve as the main point of contact to approve access to data
  • Name someone else to replace them in case of absence
8
Q

Data Ownership: _____ are responsible for the computer system (hardware or software) and for its design, planning, updates and training (also the procurement, development, integration, modification, operation and maintenance of the system).

A

System Owner

9
Q

Data Ownership: _____ performs the hands-on activities needed to meet the data protection requirements dictated by owners. They carry out the day-to-day maintenance of the data and provide hands-on management of it as directed by the data owner. They do not make the critical decisions; they implement the owner's decisions about the data

A

Custodian

  • Performing, testing and verifying data backups
  • Data restoration from backups
  • Patching of operating systems and applications
  • Maintaining endpoint security software
10
Q

Data Ownership: ____ are those individuals who have been granted access to and leverage data during the course of their job. The most important responsibility is adhering to the security policies and proper use of data and files

A

Users

Acceptable Use Policies are one way to make sure users know what is expected of them. Users should be trained in the security policies and procedures and held accountable if they fail to adhere to them. They should take adequate measures to protect the data (e.g., strong passwords, locking their workstation when away from it)

11
Q

Sensitive data collection limitation is:

A

limitation on the collection of sensitive data - organizations should collect the minimum amount of sensitive data required to provide a given service.

Organizations must clearly define roles involved with creation and access to sensitive data.

The Organization for Economic Cooperation and Development (OECD) states: “there should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.”

12
Q

Data Ownership: _____ is the organization that creates/manages sensitive data (e.g., salary data managed by HR).

A

Data Controller - legally responsible for ensuring that any data processors it engages protect the data they are given access to

13
Q

Data Ownership: _____ are third-party companies that access an organization's sensitive data on its behalf (e.g., an outsourced payroll company such as ADP).

A

Data Processor

14
Q

_____ is information that persists on media after attempted removal.

A

Data Remanence

15
Q

Data destruction and re-use types:

A

Magnetic media (magnetic tape, floppy disks, hard disk drives):

  • sector-by-sector overwrite
  • degaussing - exposing the media to a strong magnetic field that scrambles the recorded magnetic domains; also referred to as purging. It only works on magnetic media

Physical destruction ** - the most reliable way to get rid of data

Paper reports:

  • shredding
  • burning

Types of data removal:

  • Clearing - overwriting the data (one or more passes). Protects against recovery with ordinary software and keyboard attacks, but does not guarantee removal against laboratory recovery techniques
  • Purging - renders the data unrecoverable even with laboratory techniques; degaussing magnetic media is the classic example
  • Destruction - physically destroying the media by burning, shredding, crushing or pulverizing
16
Q

Data storage directly accessible by the CPU is:

A

Real, main or primary memory
- higher-speed data retrieval

Examples are registers, SRAM and DRAM

17
Q

Data stored in a location not able to be directly accessed by the CPU is:

A

Secondary memory / storage
- slower retrieval; data must be moved into primary memory before the CPU can use it

Examples are disk-based storage

18
Q

Power must be supplied for data to be retained. If separated from power, ____ will lose its data

A

Volatile storage

e.g., registers, SRAM and DRAM - this is random access memory (RAM)

19
Q

If power is lost, _____ will maintain data

A

Non-volatile storage

e.g., secondary storage such as hard disk drives and solid-state drives, and firmware held in read-only memory (ROM) or flash. Note that disks are non-volatile but are not ROM; ROM is the non-volatile memory that holds firmware

20
Q

____ are storage devices that are read and written to in a sequential order

A

Sequential access memory/storage

- older and slower technology used by magnetic tape; to reach a given record the device must pass over everything before it. Think of a VHS tape

21
Q

____ are storage devices that allow for jumping to a location and reading or writing of data

A

Random access memory / storage

- faster but more complex than sequential access storage. RAM is the best-known example, but hard disks and flash are also random-access devices; "random access" describes how the device is addressed, not whether it is volatile

22
Q

RAM vs. ROM

A

RAM:

  • volatile
  • three types - registers, SRAM and DRAM
  • faster and more expensive
  • larger storage capacity
  • read and write capability
  • can be modified

ROM:

  • Non-volatile
  • Three types - PROM, EPROM, EEPROM
  • slower and less expensive
  • smaller storage capacity
  • read-only in normal operation; contents cannot be modified by ordinary writes
  • holds the boot code (BIOS/UEFI) that lets the system start
  • firmware lives in a type of ROM that can be updated, but updates are expected to be infrequent

Most systems contain a large amount of RAM and just a small amount of ROM

23
Q

Types of RAM:

A

1) Registers: small storage locations used by the CPU to hold instructions and data. Located inside the CPU. Fastest of all RAM
2) SRAM - static RAM: very fast, small in amount, used for cache memory (in this context cache and static RAM refer to the same thing). Does not need the constant refresh cycles DRAM needs; as long as power is supplied, it keeps its contents. Much faster and much more expensive than DRAM, which makes it unsuitable for main memory. Instead it is used as cache, a small fast buffer that holds copies of data or instructions the CPU is likely to request soon
3) DRAM - dynamic RAM: must be refreshed continually or the stored data is lost. Cheapest and most common; used as main memory

The fastest memory is the closest to the CPU

24
Q

_____ is a type of program somewhere between hardware and software.

A

Firmware

  • Does not typically allow modification (writing or deleting) of data via simple means such as those used with traditional hard disks. Firmware is generally the controlling software for a device that is placed in a special type of ROM, which can be updated as new releases become available
25
Q

Types of ROM:

A

PROM - programmable ROM

  • can be programmed once
  • used for firmware
  • like a ROM but blank when received, so a system designer can program it later

EPROM - erasable programmable ROM

  • can be erased and reprogrammed
  • not the norm today
  • erased by exposing the chip to ultraviolet light through its quartz window, which clears the contents and allows programming anew

EEPROM - electrically erasable programmable ROM

  • related to and sometimes referred to as flash memory (USB stick)
  • can be erased and rewritten electrically, in place, without removing the chip
  • flash storage / USB drives are a special type of EEPROM that operates on larger blocks of data for improved speed

Programmable Logic Devices: the general technology behind all programmable ROMs.
- integrated circuits that can be modified programmatically

26
Q

Remanence of Flash drives and SSDs

A

USB flash drives use EEPROM (flash)

Solid-state drives (SSDs) use a combination of flash (a type of EEPROM) and DRAM

  • Degaussing has no effect on EEPROM; the data is stored as electrical charge, not magnetically
  • Sector-by-sector overwrites can miss data: wear levelling writes the "overwritten" sector to a different physical block, and spare (over-provisioned) blocks are not addressable by the OS, so the old copy stays on the chip

Best methods for these devices:

  • always use encryption, so that destroying the key (crypto-erase) renders every block unreadable, including stale and spare ones
  • for unencrypted data use:
    • — ATA Secure Erase (easier, cheaper and more thorough than a sector-by-sector overwrite, because the drive firmware erases every block including the spare ones). The risk is that a buggy firmware implementation or physical damage can leave data behind, so verify the result
    • — physically destroy the device (more expensive but more secure)
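The point made in cards 15 and 26 (a sector-by-sector overwrite clears a magnetic disk but can miss data on wear-levelled flash, while encryption plus key destruction removes it everywhere) is easier to see in a model than in prose. The following is an added example, not code from the flashcards or any product: a toy flash translation layer in which every logical write lands on a fresh physical page and the old page is merely marked stale (an assumption that mirrors wear levelling before garbage collection), next to an in-place magnetic model and a self-encrypting variant. The keystream construction and the class and function names are illustrative assumptions; a real self-encrypting drive uses AES-XTS, not a hash-derived pad.

```python
"""Toy flash translation layer: why overwrite misses data on flash and
why crypto-erase (key destruction) removes it. Added example; the FTL
model is a deliberate simplification (assumption)."""
import hashlib
import os

PAGE_SIZE = 16
LOGICAL_PAGES = 4      # sectors visible to the OS
PHYSICAL_PAGES = 12    # includes spare pages the OS cannot address


class MagneticDisk:
    """In-place writes: an overwrite replaces the bytes at that sector."""

    def __init__(self):
        self.sectors = [bytes(PAGE_SIZE)] * LOGICAL_PAGES

    def write(self, lba, data):
        self.sectors[lba] = data.ljust(PAGE_SIZE, b"\0")[:PAGE_SIZE]

    def raw_media(self):
        return b"".join(self.sectors)


class FlashDrive:
    """Wear-levelled writes: an overwrite goes to a new physical page."""

    def __init__(self):
        self.pages = [bytes(PAGE_SIZE)] * PHYSICAL_PAGES
        self.mapping = {}      # logical block address -> physical page
        self.next_free = 0

    def write(self, lba, data):
        if self.next_free >= PHYSICAL_PAGES:
            raise RuntimeError("out of free pages (garbage collection not modelled)")
        self.pages[self.next_free] = data.ljust(PAGE_SIZE, b"\0")[:PAGE_SIZE]
        self.mapping[lba] = self.next_free   # old page is stale but still holds data
        self.next_free += 1

    def read(self, lba):
        return self.pages[self.mapping[lba]]

    def raw_media(self):
        # What a chip-off forensic read sees: every physical page, stale ones included.
        return b"".join(self.pages)


class EncryptedFlashDrive(FlashDrive):
    """Self-encrypting flash: pages stored XORed with a per-LBA keystream derived
    from a media key. Toy construction (assumption), not a real cipher; it only
    shows that discarding the key makes every page, stale or live, unreadable."""

    def __init__(self):
        super().__init__()
        self.key = os.urandom(32)

    def _keystream(self, lba):
        return hashlib.sha256(self.key + lba.to_bytes(4, "big")).digest()[:PAGE_SIZE]

    def write(self, lba, data):
        pt = data.ljust(PAGE_SIZE, b"\0")[:PAGE_SIZE]
        super().write(lba, bytes(a ^ b for a, b in zip(pt, self._keystream(lba))))

    def read(self, lba):
        return bytes(a ^ b for a, b in zip(super().read(lba), self._keystream(lba)))

    def crypto_erase(self):
        self.key = os.urandom(32)   # old key gone: nothing on the chip decrypts


def secret_survives(dev, secret):
    """True if the secret is still present anywhere on the physical media."""
    return secret in dev.raw_media()


def demo_overwrite():
    """Clearing by overwrite works on the magnetic model, not the flash model."""
    secret = b"SSN=123-45-6789"          # constructed sample record
    disk, flash = MagneticDisk(), FlashDrive()
    for dev in (disk, flash):
        dev.write(0, secret)
        dev.write(0, bytes(PAGE_SIZE))   # sector-by-sector overwrite of LBA 0
    return {"magnetic": secret_survives(disk, secret),
            "flash": secret_survives(flash, secret)}


def demo_crypto_erase():
    """Encrypt by default: stale pages hold only ciphertext; key loss purges all."""
    secret = b"SSN=123-45-6789"
    dev = EncryptedFlashDrive()
    dev.write(0, secret)
    dev.write(0, b"updated record")      # the stale page keeps the old ciphertext
    result = {
        "plaintext_on_media": secret_survives(dev, secret),
        "readable_before_erase": dev.read(0).rstrip(b"\0") == b"updated record",
    }
    dev.crypto_erase()
    result["readable_after_erase"] = dev.read(0).rstrip(b"\0") == b"updated record"
    return result


if __name__ == "__main__":
    print("overwrite:", demo_overwrite())
    print("crypto-erase:", demo_crypto_erase())
```

Running it prints `{'magnetic': False, 'flash': True}` for the overwrite test: the flash model still holds the record in a stale page the OS can no longer address, which is exactly what chip-off forensics recovers. The crypto-erase run shows no plaintext on the media at any point and the live sector becoming unreadable the moment the key is discarded, which is why "always use encryption" comes first in the list above.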
27
Q

Examples of WORM Media and what it stands for:

A

WORM = write once, read many.

Commonly used for legal purposes.

Examples are write-once optical discs such as CD-R and DVD-R

Destruction is the best disposal method: they cannot be overwritten, and degaussing has no effect on optical media.

28
Q

A key component to any baseline security configuration is____

A

Principle of least privilege / minimum necessary: establishing the minimum set of services and applications needed to perform the required functions.

Allow only those applications and services that are required for necessary business functions; disable or remove any component that is not determined to be required.
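A baseline like this is only useful if it is checked against what a host actually runs. The following is an added example, not code from the flashcards or from any of the guidance bodies listed in the next cards: it parses a constructed sample of `systemctl list-unit-files --type=service` output and compares the enabled services against a hypothetical tailored baseline (required services that must be enabled everywhere, services permitted only for this host's role, and everything else out of bounds). The baseline contents, the function names and the sample listing are all assumptions for illustration.

```python
"""Baseline service audit against a least-privilege service allowlist.
Added example; the unit-file listing is a constructed sample in the
format of `systemctl list-unit-files --type=service`, and the baseline
is hypothetical (it would come from a tailored CIS/STIG profile)."""

SAMPLE_UNIT_FILES = """\
UNIT FILE              STATE    VENDOR PRESET
auditd.service         disabled enabled
avahi-daemon.service   enabled  enabled
bluetooth.service      enabled  enabled
chronyd.service        enabled  enabled
cups.service           enabled  enabled
rsyslog.service        enabled  enabled
sshd.service           enabled  enabled

7 unit files listed.
"""

# Hypothetical baseline after scoping and tailoring: remote admin, time sync,
# logging and auditing are required everywhere; cups is permitted only because
# this host's role is print server; any other enabled service is a deviation.
BASELINE = {
    "required": {"sshd.service", "chronyd.service", "rsyslog.service", "auditd.service"},
    "permitted": {"cups.service"},
}

ENABLED_STATES = {"enabled", "enabled-runtime"}


def parse_unit_files(text):
    """Return {unit name: state} from systemctl list-unit-files output."""
    units = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].endswith(".service"):
            continue          # skips the header, the blank line and the summary line
        units[parts[0]] = parts[1]
    return units


def audit(units, baseline):
    """Return sorted (service, finding) pairs for deviations from the baseline."""
    findings = []
    allowed = baseline["required"] | baseline["permitted"]
    for name, state in units.items():
        if state in ENABLED_STATES and name not in allowed:
            findings.append((name, "enabled but not in baseline: disable or remove"))
    for name in baseline["required"]:
        if units.get(name) not in ENABLED_STATES:
            findings.append((name, "required by baseline but not enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for service, finding in audit(parse_unit_files(SAMPLE_UNIT_FILES), BASELINE):
        print(f"{service:24} {finding}")
```

On the sample listing the audit flags avahi-daemon and bluetooth as enabled outside the baseline and auditd as required but disabled. Feeding it real output (`systemctl list-unit-files --type=service | python3 audit.py`, after swapping the constructed sample for `sys.stdin.read()`) turns the card's principle into a repeatable check that can run from configuration management or a CI job.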

29
Q

Guidance for security configuration include:

A

CIS (Center for Internet Security)

Microsoft Security Guides

NIST SP 800s

DISA STIGs - Security Technical Implementation Guides from the Defense Information Systems Agency (mandatory for systems in the US DoD)

30
Q

International Standards and best practices organizations include:

A

ISO, NIST, IETF (Internet Engineering Task Force)

ISO 27001 - auditing standard - provides a set of requirements against which an organization can be audited for compliance. Used as a means of attestation (certification)

ISO 27002 - best-practice standard - provides guidance on enterprise security controls; a code of practice for implementing the controls within an Information Security Management System (ISMS)

NIST 800 series:

  • 800-53 - Security and Privacy Controls (the recommended security controls catalog)
  • 800-37 - Risk Management Framework
  • 800-34 - Contingency Planning
  • 800-115 - Security Testing and Assessment

IETF - focused on internet standards. Manages Requests for Comments (RFC) which are internet standards documents.

31
Q

ISO 27002 replaced which standard?

A

ISO 17799

32
Q

Scoping of standards involves:

A

determining applicable portions of a standard that will be followed. For example, an org that does not use wireless networks will declare wireless security controls out of scope

33
Q

Tailoring a standard is:

A

customizing a standard for an organization. It begins with scoping and then adds compensating controls and parameters (security config settings). example parameter = min password length