Domain 2 Flashcards
- Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she using to protect against it?
a. Man-in-the-middle, VPN
b. Packet injection, encryption
c. Sniffing, encryption
d. Sniffing, TEMPEST
C. Encryption is often used to protect traffic like bank transactions from sniffing. While packet injection and man-in-the-middle attacks are possible, they are far less likely to occur, and if a VPN were used, it would be used to provide encryption. TEMPEST is a specification for techniques used to prevent spying using electromagnetic emissions and wouldn’t be used to stop attacks at any normal bank.
- COBIT, Control Objectives for Information and Related Technology, is a framework for IT management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls against business requirements?
a. Business owners
b. Data processors
c. Data owners
d. Data stewards
A. Business owners have to balance the need to provide value with regulatory, security, and other requirements. This makes the adoption of a common framework like COBIT attractive. Data owners are more likely to ask that those responsible for control selection identify a standard to use. Data processors are required to perform specific actions under regulations like the EU DPD. Finally, in many organizations, data stewards are internal roles that oversee how data is used.
- What term is used to describe a starting point for a minimum security standard?
a. Outline
b. Baseline
c. Policy
d. Configuration guide
B. A baseline is used to ensure a minimum security standard. A policy is the foundation that a standard may point to for authority, and a configuration guide may be built from a baseline to help staff who need to implement it to accomplish their task. An outline is helpful, but outline isn’t the term you’re looking for here.
- When media is labeled based on the classification of the data it contains, what rule is typically applied regarding labels?
a. The data is labeled based on its integrity requirements.
b. The media is labeled based on the highest classification level of the data it contains.
c. The media is labeled with all levels of classification of the data it contains.
d. The media is labeled with the lowest level of classification of the data it contains.
B. Media is typically labeled with the highest classification level of data it contains. This prevents the data from being handled or accessible at a lower classification level. Data integrity requirements may be part of a classification process but don’t independently drive labeling in a classification scheme.
- The need to protect sensitive data drives what administrative process?
a. Information classification
b. Remanence
c. Transmitting data
d. Clearing
A. The need to protect sensitive data drives information classification. This allows organizations to focus on data that needs to be protected rather than spending effort on less important data. Remanence describes data left on media after an attempt is made to remove the data. Transmitting data isn’t a driver for an administrative process to protect sensitive data, and clearing is a technical process for removing data from media.
- How can a data retention policy help to reduce liabilities?
a. By ensuring that unneeded data isn’t retained
b. By ensuring that incriminating data is destroyed
c. By ensuring that data is securely wiped so it cannot be restored for legal discovery
d. By reducing the cost of data storage required by law
A. A data retention policy can help to ensure that outdated data is purged, removing potential additional costs for discovery. Many organizations have aggressive retention policies to both reduce the cost of storage and limit the amount of data that is kept on hand and discoverable.
Data retention policies are not designed to destroy incriminating data, and legal requirements for data retention must still be met.
- Staff in an IT department who are delegated responsibility for day-to-day tasks hold what data role?
a. Business owner
b. User
c. Data processor
d. Custodian
D. Custodians are delegated the role of handling day-to-day tasks by managing and overseeing how data is handled, stored, and protected. Data processors are systems used to process data. Business owners are typically project or system owners who are tasked with making sure systems provide value to their users or customers.
- Susan works for an American company that conducts business with customers in the European Union. What is she likely to have to do if she is responsible for handling PII from those customers?
a. Encrypt the data at all times.
b. Label and classify the data according to HIPAA.
c. Conduct yearly assessments to the EU DPD baseline.
d. Comply with the US-EU Safe Harbor requirements.
D. Safe Harbor compliance helps US companies meet the EU Data Protection Directive. Yearly assessments may be useful, but they aren’t required. HIPAA is a US law that applies specifically to healthcare and related organizations, and encrypting all data all the time is impossible (at least if you want to use the data!).
- Ben has been tasked with identifying security controls for systems covered by his organization’s information classification system. Why might Ben choose to use a security baseline?
a. It applies in all circumstances, allowing consistent security controls.
b. They are approved by industry standards bodies, preventing liability.
c. They provide a good starting point that can be tailored to organizational needs.
d. They ensure that systems are always in a secure state.
C. Security baselines provide a starting point to scope and tailor security controls to your organization’s needs. They aren’t always appropriate to specific organizational needs, they cannot ensure that systems are always in a secure state, nor do they prevent liability.
10 What term is used to describe overwriting media to allow for its reuse in an environment operating at the same sensitivity level?
a. Clearing
b. Erasing
c. Purging
d. Sanitization
A. Clearing describes preparing media for reuse. When media is cleared, unclassified data is written over all addressable locations on the media. Once that’s completed, the media can be reused. Erasing is the deletion of files or media. Purging is a more intensive form of clearing for reuse in lower security areas, and sanitization is a series of processes that removes data from a system or media while ensuring that the data is unrecoverable by any means.
- Which of the following classification levels is the US government’s classification label for data that could cause damage but wouldn’t cause serious or grave damage?
a. Top Secret
b. Secret
c. Confidential
d. Classified
C. The US government uses the label Confidential for data that could cause damage if it was disclosed without authorization. Exposure of Top Secret data is considered to potentially cause grave damage, while Secret data could cause serious damage. Classified is not a level in the US government classification scheme.
- What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs?
a. They can be used to hide data.
b. They can only be degaussed.
c. They are not addressable, resulting in data remanence.
d. They may not be cleared, resulting in data remanence.
D. Spare sectors, bad sectors, and space provided for wear leveling on SSDs (overprovisioned space) may all contain data that was written to the space that will not be cleared when the drive is wiped. Most wiping utilities only deal with currently addressable space on the drive. SSDs cannot be degaussed, and wear leveling space cannot be reliably used to hide data. These spaces are still addressable by the drive, although they may not be seen by the operating system.
- What term describes data that remains after attempts have been made to remove the data?
a. Residual bytes
b. Data remanence
c. Slack space
d. Zero fill
B. Data remanence is a term used to describe data left after attempts to erase or remove data. Slack space describes unused space in a disk cluster, zero fill is a wiping methodology that replaces all data bits with zeroes, and residual bytes is a made-up term.
For questions 14, 15, and 16, please refer to the following scenario:
Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations.
- What civilian data classifications best fit this data?
a. Unclassified, confidential, top secret
b. Public, sensitive, private
c. Public, sensitive, proprietary
d. Public, confidential, private
C. Information shared with customers is public, internal business could be sensitive or private, and trade secrets are proprietary. Thus public, sensitive, proprietary matches this most closely. Confidential is a military classification, which removes two of the remaining options, and trade secrets are more damaging to lose than a private classification would allow.
For questions 14, 15, and 16, please refer to the following scenario:
Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations.
- What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it?
a. Classification
b. Symmetric encryption
c. Watermarks
d. Metadata
C. A watermark is used to digitally label data and can be used to indicate ownership. Encryption would have prevented the data from being accessed if it was lost, while classification is part of the set of security practices that can help make sure the right controls are in place. Finally, metadata is used to label data and might help a data loss prevention system flag it before it leaves your organization.
For questions 14, 15, and 16, please refer to the following scenario:
Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations.
- What type of encryption should you use on the file servers for the proprietary data, and how might you secure the data when it is in motion?
a. TLS at rest and AES in motion
b. AES at rest and TLS in motion
c. VPN at rest and TLS in motion
d. DES at rest and AES in motion
B. AES is a strong modern symmetric encryption algorithm that is appropriate for encrypting data at rest. TLS is frequently used to secure data when it is in transit. A virtual private network is not necessarily an encrypted connection and would be used for data in motion, while DES is an outdated algorithm and should not be used for data that needs strong security.
- What does labeling data allow a DLP system to do?
a. The DLP system can detect labels and apply appropriate protections.
b. The DLP system can adjust labels based on changes in the classification scheme.
c. The DLP system can notify the firewall that traffic should be allowed through.
d. The DLP system can delete unlabeled data.
A. Data loss prevention (DLP) systems can use labels on data to determine the appropriate controls to apply to the data. DLP systems won’t modify labels in real time and typically don’t work directly with firewalls to stop traffic. Deleting unlabeled data would cause big problems for organizations that haven’t labeled every piece of data!
- Why is it cost effective to purchase high-quality media to contain sensitive data?
a. Expensive media is less likely to fail.
b. The value of the data often far exceeds the cost of the media.
c. Expensive media is easier to encrypt.
d. More expensive media typically improves data integrity.
B. The value of the data contained on media often exceeds the cost of the media, making more expensive media that may have a longer life span or additional capabilities like encryption support a good choice. While expensive media may be less likely to fail, the reason it makes sense is the value of the data, not just that it is less likely to fail. In general, the cost of the media doesn’t have anything to do with the ease of encryption, and data integrity isn’t ensured by better media.
- Chris is responsible for workstations throughout his company and knows that some of the company’s workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for?
a. Erasing
b. Clearing
c. Sanitization
d. Destruction
C. Sanitization is a combination of processes that ensure that data from a system cannot be recovered by any means.
Erasing and clearing are both prone to mistakes and technical problems that can result in remnant data and don’t make sense for systems that handled proprietary information. Destruction is the most complete method of ensuring that data cannot be exposed, and some organizations opt to destroy the entire workstation, but that is not a typical solution due to the cost involved.
20 . Which is the proper order from least to most sensitive for US government classifications?
a. Confidential, Secret, Top Secret
b. Confidential, Classified, Secret
c. Top Secret, Secret, Classified, Public, Classified, Top Secret
d. Public, Unclassified, Classified, Top Secret
A. The US government’s classification levels from least to most sensitive are Confidential, Secret, and Top Secret.
- What scenario describes data at rest?
a. Data in an IPsec tunnel
b. Data in an e-commerce transaction
c. Data stored on a hard drive
d. Data stored in RAM
C. Data at rest is inactive data that is physically stored. Data in an IPsec tunnel or part of an e-commerce transaction is data in motion. Data in RAM is ephemeral and is not inactive
- If you are selecting a security standard for a Windows 10 system that processes credit cards, what security standard is your best choice?
a. Microsoft’s Windows 10 security baseline
b. The CIS Windows 10 baseline
c. PCI DSS
d. The NSA Windows 10 baseline
C. PCI DSS, the Payment Card Industry Data Security Standard, provides the set of requirements for credit card processing systems. The Microsoft, NSA, and CIS baseline are all useful for building a Windows 10 security standard, but they aren’t as good of an answer as the PCI DSS standard itself.
Use the following scenario for questions 23, 24, and 25.
The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Answer the following questions based on this decision.
- The CIS benchmarks are an example of what practice?
a. Conducting a risk assessment
b. Implementing data labeling
c. Proper system ownership
d. Using security baselines
D. The CIS benchmarks are an example of a security baseline. A risk assessment would help identify which controls were needed, and proper system ownership is an important part of making sure baselines are implemented and maintained. Data labeling can help ensure that controls are applied to the right systems and data.
Use the following scenario for questions 23, 24, and 25.
The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Answer the following questions based on this decision.
- Adjusting the CIS benchmarks to your organization’s mission and your specific IT systems would involve what two processes?
a. Scoping and selection
b. Scoping and tailoring
c. Baselining and tailoring
d. Tailoring and selection
B. Scoping involves selecting only the controls that are appropriate for your IT systems, while tailoring matches your organization’s mission and the controls from a selected baseline. Baselining is the process of configuring a system or software to match a baseline, or building a baseline itself. Selection isn’t a technical term used for any of these processes.










