Domain 2 - Asset Security

Question 1

What are the commercial data classifications? (From Grave Damage to No damage)

Answer 1

1. Proprietary/Confidential
2. Private
3. Sensitive
4. Public

Question 2

What are the US Government Data Classification?

Answer 2

1. TOP SECRET
2. SECRET
3. COMMERCIAL
4. Unclassified

Question 3

What principle of security does compartmentalisation apply?

Answer 3

Need-to-know

Question 4

What activities are used to assist an organisation in forming a minimum security baseline?

Answer 4

Scoping and tailoring

Question 5

What is scoping?

Answer 5

Process of determining which portions of a standard will be used by the organisation. Example is the Statement of Applicability (SoA)

Question 6

What is tailoring?

Answer 6

Tailoring is the process of customising a standard for a organiation:
1. control selection for initial security baseline
2. scoping for the remaining baseline security controls
3. Application of compensating controls

Question 7

What is pseudonymisation?

Answer 7

De-identification process to remove PII.
This can be reversed as it is like an alias.

Question 8

What is anonymisation?

Answer 8

Process to either encrypt or remove PII. This is irreversible. However data inference can still be used to counter anonymisation.

Question 9

What is tokenisation?

Answer 9

A value that is substituted to replace a sensitive data item. e.g. payment card data.

Question 10

What should asset classification be based on?

Answer 10

This should be based on the data classification. If it processes SECRET data then the computer should be classified the same.

Question 11

What should PHI, PII, financial data, employee data, payroll data be classified as?

Answer 11

Private

Question 12

What is the role of the system owner?

Answer 12

• Creation of SSP
• Ensures users receive adequate training
• Assists with identification, implementation and assessment of common security controls

Question 13

What is the role of business/mission owners?

Answer 13

• Senior executives that make the policies that govern the data security.

Question 14

What is the role of data controllers?

Answer 14

Controllers create and manage sensitive data in the organisation (e.g. HR/Payroll)

Question 15

What is the role of data processors?

Answer 15

Processors manage the data for controllers (e.g. outsourced payrolll)

Question 16

What is the role of data owners?

Answer 16

They assign sensitivity labels and backup frequency.

Question 17

What is the responsibility of security administrators?

Answer 17

• Firewalls
• IPS
• IDS
• Security patches
• Create accounts
• Assigns access to data (could also be data administrator).

Question 18

What is PROM?

Answer 18

This is programmable read only once memory

Question 19

What is EPROM?

Answer 19

This is erasable programmable read only memory where reprogramming can be done many times using ultraviolet light.

Question 20

What is EEPROM?

Answer 20

Electrically erasable programmable read only memory. Reprogrammable using electric charges.

Question 21

What type of RAM is usually embedded with CPU?

Answer 21

Static RAM (SRAM)

Question 22

What type of RAM is inserted into motherboard slots?

Answer 22

Synchronous Dynamic RAM (SDRAM). This is where DDR4, etc comes in.

Question 23

What type of RAM is embedded on graphic cards?

Answer 23

Dynamic RAM (DRAM)

Question 24

Whare are SSD Drives made up of?

Answer 24

EEPROM and DRAM

Question 25

What is flash memory made up of? (e.g USB)

Answer 25

EEPROM

Question 26

What is an example of tailoring?

Answer 26

A standard or framework might say to use AES 128bit. Tailoring could be using a stronger encryption such as AES 256bit.