Domain 2 - Asset Security Flashcards

1
Q

List Data Destruction Methods

A

Erasing: performing a delete operation against a file or media; only the directory entry is removed, so the data is typically recoverable with forensic tools
Clearing (overwriting): prepares media for reuse by overwriting it so the data cannot be recovered with ordinary recovery tools; bad sectors the drive has remapped may still hold data remanence
Purging: a more intense form of clearing (repeated overwrite passes, often combined with degaussing) that prepares media for reuse in a less secure environment; still not trusted for the most sensitive data (e.g., top secret) because complete recovery prevention cannot be guaranteed
Degaussing: creates a strong magnetic field that erases data on magnetic media; has no effect on SSDs or optical media (CD/DVD) and normally destroys the electronics of a hard disk, so the drive cannot be reused
Declassification: any process that purges media or a system to prepare it for use in an unclassified environment; often more expensive than buying new media
Sanitization: the umbrella term for any process (clearing, purging, destruction) that renders the target data on the media infeasible to recover for a given level of recovery effort
Destruction: the final stage in the media lifecycle and the most secure method; examples are incineration, crushing, shredding, disintegration and dissolving the media in caustic or acidic chemicals
Disintegration: SSD shredding process using approved hardware that reduces the drives to ultra-fine particles (NSA/CSS guidance for solid-state media is an edge length of 2 mm or less)
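
Clearing versus erasing in practice, as an added example that is not code from the original flashcards: the script below writes a constructed sample file, overwrites it in place with random passes and a final zero pass, and then reads the raw bytes back to confirm nothing of the original survives. It assumes the file sits on a plain HDD with a non-copy-on-write file system; the comments note why the same passes are not trustworthy on an SSD or a copy-on-write file system.

```python
"""Clearing by overwrite, compared with plain erasing, on a file.

Added example for these flashcards, not code from the original page.
Assumption: the file lives on a plain HDD with a non-copy-on-write file
system, so overwriting the file in place rewrites the same disk blocks.
"""
import os
import secrets
import tempfile

# Constructed sample record standing in for sensitive content.
SECRET = b"PAYROLL-2024: employee 1042 salary 91,000\n"
COPIES = 64                        # a few KiB, so the file spans several blocks


def write_sample(path: str) -> int:
    """Create the sample file and return its size in bytes."""
    data = SECRET * COPIES
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


def erase_only(path: str) -> None:
    """'Erasing': a plain delete. Only the directory entry is removed; the
    data blocks stay on the media until something else reuses them, which is
    why a recovery tool can usually get the file back."""
    os.remove(path)


def overwrite_in_place(path: str, passes: int = 3) -> int:
    """Clearing: overwrite every byte with random data for `passes` passes
    and finish with a pass of zeros, fsync-ing after each pass so the writes
    reach the device instead of sitting in the page cache. Returns the
    number of bytes overwritten per pass.

    Caveat (the assumption noted above): on an SSD the controller's wear
    levelling can send each pass to a fresh flash block and leave the old one
    intact, and copy-on-write file systems (ZFS, Btrfs, APFS) do the same at
    the file-system layer. There, use the drive's own Secure Erase or
    crypto-erase command rather than software passes.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(secrets.token_bytes(size))
            fh.flush()
            os.fsync(fh.fileno())
        fh.seek(0)
        fh.write(b"\x00" * size)
        fh.flush()
        os.fsync(fh.fileno())
    return size


def clear_file(path: str, passes: int = 3) -> int:
    """Full clearing step: overwrite in place, then unlink."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size


def still_readable(path: str, needle: bytes) -> bool:
    """Read the raw bytes and report whether the secret survives; stands in
    for a forensic tool reading the blocks directly."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def demo() -> dict:
    """Write the sample, overwrite it, and report what is left on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "payroll.txt")
        size = write_sample(path)
        before = still_readable(path, SECRET)      # True: the data is there
        overwritten = overwrite_in_place(path)
        after = still_readable(path, SECRET)       # False: only zeros remain
        with open(path, "rb") as fh:
            all_zero = fh.read() == b"\x00" * size
        erase_only(path)                           # the unlink clear_file would do
    return {"size": size, "overwritten": overwritten,
            "before": before, "after": after, "all_zero": all_zero}


if __name__ == "__main__":
    print(demo())
```

The random passes matter more than the zero pass: a zero pass alone tells an attacker exactly what to expect, while random data leaves no pattern to subtract. Neither touches a drive's remapped bad sectors, which is the remanence caveat on the clearing card.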

2
Q

What is a Record Retention policy?

A

Record retention policies ensure that data is kept in a usable state while it is needed and destroyed when it is no longer needed

3
Q

4 Data Classification Levels (government vs. commercial labels)

A

Class 0 :
> No damage if disclosed
Government (Unclassified) : available upon request, or has been declassified
Commercial (Public) : website, ads, any information that is already publicly accessible

Class 1 :
> Damage
Government (Confidential) : operational or battle reports
Commercial (Sensitive) : network diagrams, IP assignments, system information

Class 2 :
> Serious damage
Government (Secret) : troop plans, weakness reports
Commercial (Private) : PHI, PII, payroll

Class 3 :
> Exceptionally grave damage
Government (Top Secret) : weapon blueprints, war plans, espionage data
Commercial (Confidential / Proprietary) : trade secrets, source code

4
Q

What is sensitive data?

A

Any information that isn't public or unclassified.

> PII (Personally Identifiable Information): any information that can identify an individual, such as name, birthdate or biometric records
> PHI (Protected Health Information): health-related information that can be tied to a specific person (the HIPAA term)

5
Q

What is the role of the Data Owner?

A

Usually a member of senior management. Ultimately responsible for the data: classifies it and decides what protection it needs. Can delegate day-to-day duties, but cannot delegate total responsibility.

6
Q

What is the role of the Data Custodian?

A

Usually someone in the IT department. Does not decide which controls are needed, but implements and maintains the controls (e.g., backups, permissions) and monitors them on behalf of the data owner.

7
Q

What is the role of the Data Administrator?

A

Responsible for granting appropriate access to users, in line with the authorizations set by the data owner (often by assigning users to roles).

User: any person who accesses data via a computing system to accomplish work tasks

Security Administrator: responsible for security controls and devices such as firewalls, IPS/IDS, security patches, and granting access

8
Q

Difference between Mission/Business Owner and Data Owner

A

Mission/Business Owners typically own a process or program and set the policies that govern how our data is secured. Data Owners are management-level people who plan the security controls for their data, assign sensitivity labels and set backup frequency.

9
Q

Methods for Reducing GDPR Exposure

A

Anonymization: removing or generalizing all identifying data so that the original subject can no longer be identified by anyone. Properly anonymized data is no longer personal data, so the GDPR no longer applies to it.

Pseudonymization: replacing some data elements with pseudonyms or aliases so that a dataset can be shared without directly naming people. The original data (or the key that links aliases back to people) remains available in a separate dataset, so the data is still personal data under the GDPR: pseudonymization reduces risk but does not remove GDPR obligations.

10
Q

What is tokenization?

A

Tokenization replaces a data element with a randomly generated string of characters (a token) that has no exploitable relationship to the original value. Credit card processors replace card numbers with tokens; the mapping between token and original data is held in a separate token vault (often by a third party), so a merchant that stores only tokens reduces its PCI DSS scope.
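
The three techniques from this card and the previous one (anonymization, pseudonymization, tokenization) side by side, as an added example rather than code from the original flashcards. The record layout, the HMAC key and the in-memory token vault are assumptions made for the demonstration, and the records are constructed.

```python
"""Anonymization, pseudonymization and tokenization side by side.

Added example for these flashcards, not code from the original page.
The record layout, the HMAC key and the in-memory token vault are
assumptions made for the demonstration; the records are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample rows, as a clinic or HR system might hold them.
RECORDS = [
    {"name": "Ada Example", "dob": "1984-03-02", "zip": "94110", "diagnosis": "asthma"},
    {"name": "Bob Sample",  "dob": "1975-11-30", "zip": "94110", "diagnosis": "flu"},
    {"name": "Ada Example", "dob": "1984-03-02", "zip": "94110", "diagnosis": "migraine"},
]


def anonymize(records):
    """Drop the direct identifiers and coarsen the quasi-identifiers (exact
    date of birth -> decade, 5-digit ZIP -> 3-digit prefix). Nothing that
    could reverse this is retained, so the result is no longer personal data
    and the GDPR no longer applies to it (Recital 26)."""
    return [
        {
            "birth_decade": f"{int(r['dob'][:4]) // 10 * 10}s",
            "zip3": r["zip"][:3],
            "diagnosis": r["diagnosis"],
        }
        for r in records
    ]


def pseudonymize(records, key: bytes):
    """Swap the identifiers for a keyed alias. HMAC, not a bare SHA-256, so
    that someone holding a list of names cannot recompute aliases and
    re-identify rows. The same person gets the same alias, so rows can still
    be linked; whoever holds `key` can map aliases back, which is why GDPR
    Art. 4(5) still counts the output as personal data."""
    out = []
    for r in records:
        subject = f"{r['name']}|{r['dob']}".encode()
        alias = hmac.new(key, subject, hashlib.sha256).hexdigest()[:16]
        out.append({"subject": alias, "zip": r["zip"], "diagnosis": r["diagnosis"]})
    return out


class TokenVault:
    """Tokenization as a card processor does it: each sensitive value is
    replaced by a random token and the mapping lives only inside the vault
    (a dict here; a separately secured service in practice). A token is
    unrelated to the value it stands for, so leaking tokens leaks nothing."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:          # same input -> same token
            token = "tok_" + secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> str:
        """Only the vault holder can do this; the merchant cannot."""
        return self._to_value[token]


def tokenize_pans(pans, vault: TokenVault):
    """What the merchant stores instead of card numbers."""
    return [vault.tokenize(p) for p in pans]


if __name__ == "__main__":
    print(anonymize(RECORDS))
    print(pseudonymize(RECORDS, key=b"hr-pseudonym-key-2024"))
    vault = TokenVault()
    print(tokenize_pans(["4111111111111111", "5555555555554444"], vault))
```

The difference that matters for the exam shows up in what can be reversed: the anonymized rows cannot be linked back by anyone, the pseudonymized rows can be linked back by whoever holds the HMAC key, and the tokens can be reversed only by whoever holds the vault.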

11
Q

The Information Life Cycle

A

Data Acquisition (data is created or copied from another location) > Data Use (how we keep the data confidential, unaltered and available when needed: CIA) > Data Archival (data that will be used later, or whose retention is required by law) > Data Disposal (how we dispose of the data and media properly)

Archive vs. Backup
An archive is for long-term retention of data no longer in active use; a backup exists to restore current data after a loss and is less useful for long-term retention.

12
Q

3 Types of Data States

A

Data at Rest : any data stored on media such as system hard drives, solid-state drives (SSDs), external USB drives, storage area networks (SANs) and backup tapes. Protection: strong symmetric encryption (e.g., AES) protects data at rest.

Data in Transit : any data transmitted over a network. Protection: a combination of asymmetric encryption (to exchange keys and authenticate) and symmetric encryption (for the bulk data), as in TLS, protects data in transit.

Data in Use : data in memory or temporary storage buffers while an application is using it; it is generally unencrypted at that moment. Protection: good practices such as a clean desk policy, a print policy, preventing shoulder surfing and locking the computer screen when leaving.

13
Q

Who approves data access requests?

A

Access (clearance) requests are approved by the Data Owner, who decides who may see the data; this matters especially for data labelled Top Secret.

14
Q

What is a Clean Desk policy?

A

A clean desk policy requires employees not to leave sensitive (or, strictly, any) paperwork on their desks when they are away from the desk.

15
Q

How do we ensure security in data handling, data storage and data retention?

A

Data handling: only trusted individuals should handle our data; have a policy covering how, where and why data is handled, and keep logs of who handled it.

Data storage: keep data in a secure, climate-controlled facility that is not too far away, so it can be retrieved when needed.

Data retention: do not keep data beyond its period of usefulness or legal requirement. Regulations such as HIPAA or PCI DSS may require retention for a fixed period (1, 3, 7 years) or indefinitely.

16
Q

Difference between Data Controller and Data Processor?

A

Data Controller: decides why and how personal data is processed; typically the organization that creates and manages the data (e.g., HR/Payroll)

Data Processor: processes the data on behalf of the controller (e.g., an outsourced payroll provider)

17
Q

What is Data Remanence?

A

Data that remains on media after a normal deletion (or an incomplete overwrite); forensic tools can often recover it.

18
Q

What is Data Destruction?

A

When we no longer need certain media, we must dispose of it in a manner that ensures the data cannot be retrieved.

19
Q

Difference between volatile and nonvolatile memory?

A

Volatile Memory: loses its contents after power loss, example: RAM
Nonvolatile Memory: retains its contents after power loss, examples: ROM, hard disk, SSD

20
Q

What is Data Labelling?

A

Purpose: marking data with its classification so that the appropriate protection (handling, storage, transmission and destruction rules) can be applied.

21
Q

DLP process

A

Data Loss Prevention : attempts to detect and block data exfiltration attempts.

Network DLP > for data in motion : scans all outgoing data looking for specific content (e.g., card numbers, SSNs, classification labels).
Endpoint DLP > for data in use and at rest : scans files stored on a system as well as files sent to external devices, such as printers or USB drives.
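
A network-DLP style inspection of outgoing text, as an added example that is not code from the original flashcards. The policy it applies (block on a Luhn-valid card number, flag on a US-SSN-shaped value, otherwise allow) is an assumption standing in for a real DLP rule set, and the messages are constructed.

```python
"""Network-DLP style inspection of outgoing text for card numbers and SSNs.

Added example for these flashcards, not code from the original page.
The policy (block on a Luhn-valid card number, flag on a US-SSN-shaped
number, otherwise allow) is an assumption standing in for a real DLP
rule set; the messages are constructed.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes,
# and not part of a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

# Constructed outgoing messages as the DLP would see them on the wire.
MESSAGES = [
    "Invoice 1234567890123 paid, call 415-555-0123 with questions",
    "Card 4111 1111 1111 1111 exp 12/27 for the booking",
    "Employee SSN 123-45-6789 attached to the onboarding form",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Matching on digit count alone floods the console with
    order numbers and phone numbers; the checksum cuts most of that noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text, as bare digit strings."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """PCI-style masking for the alert: first six and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_message(message: str) -> dict:
    """Verdict for one message: block on a card number; flag on an SSN-shaped
    value (pattern only, since SSNs have no checksum, so a human reviews)."""
    pans = find_pans(message)
    ssns = SSN_RE.findall(message)
    if pans:
        verdict = "block"
    elif ssns:
        verdict = "flag"
    else:
        verdict = "allow"
    return {"verdict": verdict, "pans": [mask(p) for p in pans], "ssn_count": len(ssns)}


def scan(messages) -> list:
    """Run the policy over every outgoing message."""
    return [inspect_message(m) for m in messages]


if __name__ == "__main__":
    for m, r in zip(MESSAGES, scan(MESSAGES)):
        print(r["verdict"], r["pans"], m)
```

The first message carries a 13-digit invoice number that fails the Luhn check, so it passes; without the checksum a pattern-only rule would block it, which is the usual source of DLP false positives.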

22
Q

How do we decide on and deploy security controls?

A

Scoping : determining which parts of a standard (or control baseline) apply to our organization and dropping those that do not

Tailoring : customizing the remaining controls to fit the organization (adjusting parameters, adding compensating controls)

Certification : a technical evaluation showing that a system meets the security requirements set by the data owner or by regulation

Accreditation : the data owner (management) formally accepts the certification and the residual risk, authorizing the system to operate

23
Q

Differences between Standard, Baseline and Guideline

A

Standard = mandatory; must be met EXACTLY, no more, no less, ex: a standard that requires SHA-256 for file integrity hashes

Baseline = mandatory minimum; must meet AT LEAST this and may exceed it, ex: encryption required, hashes at least SHA-256 or stronger

Guideline = suggested practices, not mandatory, ex: use McAfee if it is available for your operating system

24
Q

What is Digital Rights Management?

A

Data protection methods that use technology to protect copyrighted digital media. The purpose is to prevent unauthorized use, modification and distribution of copyrighted works.

25
Q

What is CASB?

A

A cloud access security broker (CASB) is software placed logically between users and cloud resources so that the organization's internal security controls can be applied to cloud usage. The CASB component can be placed on-premises or in the cloud.

26
Q

What is a CIS Benchmark?

A

Consensus best-practice baselines for the secure configuration of a target system (operating systems, applications, cloud platforms), published by the Center for Internet Security.

27
Q

TLS vs SSL

A

TLS is the modern, more secure successor to SSL (TLS 1.0 replaced SSL 3.0); all SSL versions are deprecated.

Attacks on SSL/TLS: POODLE (SSL 3.0 padding oracle), BEAST (TLS 1.0 CBC), CRIME (TLS compression). Heartbleed is often listed with them but is a bug in OpenSSL's heartbeat implementation, not a flaw in the protocol itself.

28
Q

How to make sure Windows settings are enforced and compliance is checked

A

Use Microsoft Group Policy. Group Policy is a feature of Windows (Active Directory domains and local policy) for centrally managing operating system, user, account and similar settings; the settings a machine has actually received can be verified with gpresult or the Resultant Set of Policy (RSoP) tools.

29
Q

GDPR rights for individuals (data subjects)

A

> The right to be informed
Data controllers must tell data subjects what personal data is being collected, how it will be used, who it will be shared with, how long it will be kept and the purpose of the processing (processors support this, but the duty sits with the controller).

> The right of access
On request, data subjects are entitled to confirmation that their data is being processed, a copy of that data, and further information such as any automated decision-making involved and the envisaged retention period.

> The right to rectification
Paired with the 'accuracy' principle: data subjects can have personal data corrected if it is inaccurate or completed if it is incomplete.

> The right to erasure
Also known as 'the right to be forgotten': data subjects can request removal or deletion of their data when there is no compelling reason for its continued processing or availability.

> The right to restrict processing
Data subjects can require the organisation to stop using their data (while still storing it), for example while the data's accuracy is being contested or an objection is being considered. Processing means any operation performed on personal data: using, viewing, altering or deleting it.

> The right to data portability
Individuals can obtain and reuse their personal data across different services: the data must be provided in a commonly used, machine-readable format so that it does not have to be constantly resubmitted.

> The right to object
Individuals can object (on certain grounds) to the processing of their personal data, and organisations must inform individuals of this right at the time of first communication.

> Rights related to automated decision-making and profiling
The GDPR lists this as an eighth right: individuals are protected against decisions based solely on automated processing that have legal or similarly significant effects on them.

30
Q

GDPR Requirements

A

  • data processed fairly and lawfully
  • data maintained securely
  • data kept accurate

31
Q

NIST SP 800-60 lifecycle (the control steps of the NIST Risk Management Framework)

A

Step 1 - Categorize Systems and Data, responsibility: data owner
Step 2 - Select Security Controls, responsibility: system owner
Step 3 - Implement Security Controls, responsibility: data custodians
Step 4 - Assess Security Controls, responsibility: system owner
Step 5 - Monitor Security, responsibility: data custodians

(These are the steps of the NIST Risk Management Framework in SP 800-37; SP 800-60 covers Step 1, mapping information types and systems to security categories. The full RMF also has an Authorize step between Assess and Monitor.)

32
Q

What are COPPA, California Civil Code 1798.82, and PIPEDA?

A

COPPA: Children's Online Privacy Protection Act (US federal law) requires website operators to obtain verifiable parental consent before collecting personal information from children under 13. (Not to be confused with CalOPPA, the California Online Privacy Protection Act, which requires website operators to conspicuously post a privacy policy stating what personal information they collect.)

California Civil Code 1798.82 : requires breach notification

PIPEDA : Personal Information Protection and Electronic Documents Act, law in Canada, control how business collect, use, disclose personal information

33
Q

What is Data emanation?

A

Data emanation is a form of electronic eavesdropping. When data travels within a computer or over network wires, an electromagnetic field is generated.

By reading that electromagnetic field, unauthorized users can recover confidential data. Blocking these fields stops data emanation; a Faraday cage (the shielding approach behind TEMPEST-rated equipment) can be used to do this.