Domain 2. Asset Security

Question 1

Highest Level government Data Classification Label

Answer 1

Top Secret

Question 2

Common data classification label NOT used in government

Answer 2

Confidential

Question 3

Data Owner

Answer 3

Management level, they assign sensitivity labels and backup frequency.

This could be you or a Data Owner from HR, Payroll or other departments.

Often the same as System Owner

Question 4

Mission/Business Owner

Answer 4

Senior executives make the policies that govern our data security.

Question 5

System Owner

Answer 5

Management level and the owner of the systems that house the data.

Often a Data Center Manager or an Infrastructure Manager.

Often the same as Data Owner

Question 6

Data Custodian

Answer 6

Technical, hands-on employees who do the things.

Follow directions of Data Owner

Question 7

Data Users

Answer 7

Data User is any employee, contractor or third-party provider who is authorized by the Data Owner to access information assets.

Question 8

Data Controller

Answer 8

Same as Data Owner when Data Owner doesn’t exist.

Question 9

Data Processor

Answer 9

Processors manage the data for Controllers. Often a third party. i.e (Outsourced Payroll)

Question 10

Only approved way to deal with Top Secret data when no longer needed.

Answer 10

Destruction

Question 11

Does Asset Handling and Management include phishing training/employee education?

Answer 11

YES

Question 12

Who is responsible for ensuring due diligence and due care is followed?

Answer 12

Generally the data owner

Question 13

NGO data classifications

Answer 13

Public
Sensitive
Private
Confidential

Question 14

EOL vs EOS

Answer 14

End of Life vs End of Support.

End of Life: Manufacturer no longer produces a product for sale.

End of Support: Manufacturer no longer supports the product, provides replacment parts, patches, or updates.

Question 15

EOS or EOSL

Answer 15

EOS (end-of-support) and EOSL (end-of-service-life) are synonymous terms used to describe a product or solution that is no longer actively supported by its manufacturer.

Question 16

Tailoring sec controls vs Scoping sec controls

Answer 16

Tailoring is customizing a set of existing security controls to align with an organization’s mission and objectives.

Scoping is reviewing and selecting initial security controls for a new information system.

Question 17

NIST 800-53

Answer 17

NIST SP 800-53 is a set of standards that federal agencies are required to meet. NIST SP 800-53 was created in response to the passage of the Federal Information Security Management Act (FISMA).

Security and Privacy Controls for Information Systems and Organizations

Question 18

Anonymization

Answer 18

Anonymization is the process of removing data to the point that it is impossible to identify the subject(s). This is most effective with large data sets with many categories. Anonymization also cannot be reversed, making it impossible to use a secondary data set to retrace steps associated with the anonymization process. What sets it apart is anonymization can’t be reversed because the technique requires the shuffling of a large data set and no database to link that random data back to the original subject(s).

Question 19

Tokenization

Answer 19

Tokenization replaces sensitive data with a string of characters or a token. The original data is held by a third party but NOT retrievable.

Question 20

Pseudonymization

Answer 20

Replaces data with a pseudonym or alias to protect privacy.

A separate database holds the actual identities and mappings to the pseudonym.

Question 21

Military and Government data classifications

Answer 21

Unclassified
Sensitive but Unclassified
Confidential
Secret
Top Secret

Question 22

Private/Civilian data classifications

Answer 22

Public
Sensitive
Private
Confidential

Question 23

Kerckhoffs’s principle

Answer 23

Kerckhoffs’s principle is often described as “the enemy knows the system.” It assumes that everything about a cryptographic system is public knowledge except for the key.

Question 24

Marking/Labeling

Answer 24

Marking and Labeling is when the classification level is physically added to the document or media.

Question 25

Blowfish

Answer 25

Symmetric

Blowfish was invented by Bruce Schneier who chose not to patent it, but made it available for free, public use. Blowfish has a fixed block size of 64 bits and a variable key size anywhere from 32-448 bits. Blowfish uses 16 rounds of encryption, regardless of key length.

Question 26

Poodle attack

Answer 26

In 2014, an attack known as the Padding Oracle On Downgraded Legacy Encryption (POODLE) demonstrated a significant flaw in the SSL 3.0 fallback mechanism. SSL is considered insecure and should be replaced by a new version of TLS.

Question 27

Should PII be classified as Confidential?

Answer 27

Personally identifiable information (PII) generally does not help a company maintain a competitive edge over other companies. PII should be classified as Private, not Confidential.

TO DO - review: CISSP All-in-One Exam Guide, 8th Edition. Pg 198-201.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 182-185.

Question 28

NIST SP 800-122

Answer 28

PII

Guide to protecting PII

Question 29

NIST SP 800-124

Answer 29

Guidelines for Managing the Security of Mobile Devices in the Enterprise

Question 30

NIST SP 800-171

Answer 30

Protecting controlled unclassified info in nonfederal info systems and orgs.

Used by non-government orgs when contracted by the us fed gov.

Question 31

Data Protection Directive (DPD)

Answer 31

Non-enforceable predecessor to the GDPR

The Data Protection Directive (DPD) was not directly enforceable, forcing every European state to create their own individual laws pertaining to data privacy. This ultimately led to the United States creating their Safe Harbor Privacy Principles to comply with this European directive.

Question 32

GDPR

Answer 32

General Data Privacy Requirement. Enacted in 2018.

Question 33

Tagging -

Answer 33

Technique to attach additional information about a file, i.e. date of creation, creator, purpose, disposal timelines, etc.

Question 34

e-Discovery

Answer 34

Electronic discovery (e-Discovery) is a term used to describe the process of identifying and producing electronically stored information (ESI) requested by a court subpoena.

Question 35

Legal hold (AKA litigation hold)

Answer 35

Legal request that information is not destroyed.

Question 36

Intangible Asset

Answer 36

Asset that you can’t touch. ALSO includes copyrights, trademarks, patents, and similar intellectual property.

Question 37

Tangible Asset

Answer 37

Asset that you can touch.

Question 38

Cryptoshredding

Answer 38

Secure data destruction process.

Delete data, overwrite with junk, encrypt the junk, throw away the encryption key.

Question 39

NIST 800-37

Answer 39

NIST SP 800-37 introduces the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations.

Question 40

Sanitization

Answer 40

Sanitization is a process that completely removes data or renders it impossible to recover from media. Sanitization can include the destruction of the media.

This is a parent term for all data removal methods.

Question 41

Baseline

Answer 41

A baseline is the minimum level of acceptable security applied to a system. Baselines are used to standardize security levels across multiple systems.

Question 42

Guidelines

Answer 42

Guidelines are recommended actions or behaviors if a standard does not apply.

Question 43

Standards

Answer 43

Standards document, in detail, the security requirements for a subset of technology. Standards are generally referenced by and enforced in a separate security policy.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 24-25.

Question 44

Procedure

Answer 44

Procedures are step-by-step instructions to accomplish a task.

Question 45

Policy

Answer 45

Policies are high-level documents that align security objectives with business objectives.