Domain 2 - Asset security

Question 1

Data Security Controls

Answer 1

○ Marking, labeling, handling, classification - classification is the most important
○ Data handling - shipping, chain of custody, don’t open boxes!
○ Data destruction - erasing, clearing (overwriting w/ unclassified data)
○ Record retention - if retention policy is 1 year, it should be destroyed when it ages out (1 year)
Tape backup security - secure facility, tapes labeled ensures all understand the classification of the data

Question 2

Erasing (data destruction method)

Answer 2

performing a “delete” operation. Can be recoverable

Question 3

Clearing aka overwriting (data destruction method)

Answer 3

prepping media for reuse and ensuring data cannot be recovered using traditional recovery tools

Question 4

Purging (data destruction method)

Answer 4

-more intense form of clearing that preps media for reuse in less secure environments
-US gov does not approve this for top secret data

Question 5

degaussing (data destruction method)

Answer 5

uses a magnetic field to erase data on physical media

Question 6

destruction (data destruction method)

Answer 6

final stage in media lifecycle, most secure method of sanitizing media

Question 7

Data classification

Answer 7

Top Secret - Class 3 - Confidential/ proprietary (grave damage)

Secret - Class 2 - Private (serious damage)

Confidential - Class 1 - Sensitive (damage)

Unclassified - Class 0 - Public (no damage)

Question 8

PII

Answer 8

info that can identify and individual (name, SSN, birthdate, biometrics, etc)

Question 9

PHI

Answer 9

health related info that can be linked to a person, covered by HIPAA

Question 10

Data owner

Answer 10

usually senior management, can DELEGATE day to day duties, cannot delegate total responsibility

Question 11

Data Custodian

Answer 11

usually someone in IT, DAY TO DAY, does not decide what controls are needed, but does implement controls for data owner

Question 12

Data administrators (data ownership)

Answer 12

grants appropriate access to personnel (often via RBAC)

Question 13

Business owner (data ownership)

Answer 13

can overlap responsibilities of the system owner or be the same role

Question 14

Asset owner (data ownership)

Answer 14

owns an asset that processes sensitive data and associated sec plans

Question 15

Data processor (GDPR term)

Answer 15

natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller, THIRD PARTY USUALLY

Question 16

Data controller (GDPR term)

Answer 16

person or entity that controls processing of the data

Question 17

Data transfer (GDPR term)

Answer 17

GDPR restricts data transfers to countries outside the EU

Question 18

Anonymization

Answer 18

process of removing all relevant data so that it is impossible to identify original subject or person,

if done effectively GDPR is no longer relevant for the anonymized data, good if you don’t need the data

Question 19

Pseudonymization

Answer 19

process of using pseudonyms (aliases) to represent the data,

need info but want to mask identities,

i.e. creating a patient number instead of a name, can result in less stringent requirements than would normally apply under GDPR

Question 20

Device fingerprinting

Answer 20

can require user auth, can gather data like OS, versions, software info, and other info to uniquely identify a system

Question 21

DRM

Answer 21

digital rights management

methods:
persistent online authentication, automatic expiration, continuous audit trail