Domain 2 Asset Security

Question 1

INFORMATION LIFECYCLE

Answer 1

Life-cycle models describe the changes an entity experiences during its
lifetime.
Information can generate other information, similar to reproduction.
The life cycle of information consists of four phases: acquisition, use,
archival, and disposal.

Question 2

ACQUISITION

Answer 2

Information is typically copied or created from scratch.
Once acquired, it undergoes preparation, including the addition of
metadata and indexing.
It must be stored with policy controls, such as encryption for sensitive
data and access restrictions.
Proper planning at this stage is crucial for security and efficiency,
especially in larger organizations.

Question 3

DISPOSAL

Answer 3

Data must eventually be destroyed or transferred to another party and then
destroyed.
Ensuring data is thoroughly and correctly destroyed is essential.
Data destruction methods include wiping, degaussing, or shredding
physical devices.
Proper destruction is complex when dealing with files, database
records, or systems with multiple data copies.

Question 4

CLASSIFICATION PROCEDURE

Answer 4

1. Define classification levels.
2. Specify criteria for classifying data.
3. Identify data owners responsible for classification.
4. Identify data custodians responsible for maintaining security levels.
5. Indicate required security controls for each classification level.
6. Document any exceptions.
7. Provide methods for transferring data custody.
8. Review classifications periodically and communicate changes.
9. Outline procedures for declassifying data.
10. Include classification issues in security awareness training for all
    employees.

Question 5

LAYERS OF RESPONSIBILITY

Answer 5

Senior management sets the vision, goals, and business objectives.
Functional management understands departmental roles and security
impacts.
Operational managers and staff handle detailed technical and
procedural operations.
Each layer contributes to security practices, procedures, and controls.

Question 6

SENIOR MANAGEMENT
RESPONSIBILITY:

Answer 6

● Senior managers, especially in the C-suite, carry ultimate responsibility
for the organization.
● They are accountable for organizational failures, fraud, and ensuring
due care in information security.

Question 7

EXECUTIVE MANAGEMENT

Answer 7

● CEOs manage daily operations, strategic planning, and company growth
but cannot delegate ultimate responsibility.
● CFOs handle accounting, financial activities, and reporting to the SEC
and stakeholders.
● CIOs oversee the strategic management of information systems and
technology integration.
● CPOs ensure data privacy and compliance with legal and regulatory
requirements.

Question 8

DATA CUSTODIAN

Answer 8

Data custodians are responsible for the day-to-
day management and maintenance of data assets, including implementing and enforcing security controls defined by the data owner.

Question 9

SECURITY ADMINISTRATOR

Answer 9

Security administrators implement and maintain network security devices
and software.

Question 10

SUPERVISOR

Answer 10

Supervisors manage user activity and inform security changes based on
employee status.

Question 11

CHANGE CONTROL ANALYST

Answer 11

Change control analysts oversee the secure implementation of changes in
the network or software.

Question 12

DATA ANALYST

Answer 12

Data analysts ensure data is organized and stored effectively to support
business objectives.

Question 13

RETENTION POLICIES

Answer 13

● No global consensus on data retention duration; it varies by country and
sector.
● Essential to have a documented policy that’s regularly audited.
● Outsourced contracts should include data retention and eradication
terms.
● Using the longest legal retention time for all data can be impractical
and costly.
● Different business units may have different retention needs.
● Segregate data based on specific legal retention requirements.

Question 14

DATA OWNERS

Answer 14

● Responsible for data classification and approving disclosure requests.
● Senior managers usually act as data owners.
● Policies should be in place to guide decisions on data access, with
exceptions documented.

Question 15

DATA PROCESSORS

Answer 15

● Key to protecting or compromising data privacy.
● Need clear guidelines on acceptable behavior and policy adherence.
● Require training and routine auditing to ensure compliance with laws and
policies.

Question 16

DATA REMANENCE

Answer 16

Data remanence refers to the residual data traces that remain on a storage medium after deletion or formatting. This residual data can be recovered and pose a security risk if not properly sanitized.

Question 17

PROTECTING ASSETS

Answer 17

● Physical security combats theft, service interruptions, physical damage,
unauthorized access, and compromised system integrity.
● Real loss includes replacement costs, productivity and reputation impact,
consultant fees, and the restoration of data and production levels.
● Risk analysis involves inventory and valuation of hardware and the
valuable information within.

Question 18

DATA SECURITY CONTROLS
Data at Rest

Answer 18

Vulnerable to physical access and network threats.
- Encrypted data is safer, but it is not always the default setting.
- Organizations are moving towards policies requiring encryption for
sensitive information, especially on portable devices.

Question 19

DATA SECURITY CONTROLS
Data in Motion

Answer 19

• Most vulnerable when traversing networks.
• Strong encryption, like TLS or IPSec, is the best protection.
• Awareness of potential man-in-the-middle attacks is crucial.

Question 20

DATA SECURITY CONTROLS
Data in Use

Answer 20

• Resides in primary storage and is difficult to protect as it’s usually
  decrypted during use.
• Side-channel attacks are a risk to data in use.
• Secure software development practices are necessary to mitigate risks.

Question 21

MEDIA CONTROLS

Answer 21

● Media can be electronic or non-electronic and requires diverse controls
for data preservation.
● Proper environmental storage, access restrictions, and clear labeling are
key practices.
● Secure disposal methods are critical to prevent data breaches.

Question 22

PROTECTING MOBILE DEVICES

Answer 22

● Mobile theft is rising with a shift from hardware to data theft.
● Protection mechanisms include inventory management, OS hardening,
encryption, and remote wiping capabilities.

Question 23

PAPER RECORDS

Answer 23

● Used for storing valuable items and data backups.
● Types include wall safes, floor safes, chests, depositories, and vaults.
● Safes should have periodic combination changes and include tamper
detection features.

Question 24

SELECTING STANDARDS

Answer 24

● Standards should be cost-effective and relevant to the asset’s value.
● Adapting existing standards involves scoping (trimming) and tailoring
(modifying) to fit specific organizational needs.

Question 25

DATA LEAKAGE

Answer 25

● Data leaks can happen even with strong controls due to employee
negligence, the most common cause.
● Costs involve remediation, notification, fines, liabilities, mitigation
expenses, and direct damages.
● A company’s reputation and individuals’ identities may be at risk.

Question 26

Employee Role and Awareness in Data Leakage

Answer 26

• Employees often cause leaks due to a lack of security awareness.
• Employers must include security in routine communications, training, and
  performance reviews.
• Employees may use personal or unsecured technologies to work remotely,
  risking data security.

Question 27

DATA LEAK PREVENTION (DLP )

Answer 27

● Focused on preventing sensitive data access by unauthorized external
parties.
● Not all data is equally protected; the focus is on data considered sensitive
and valuable.
● DLP should be part of a holistic approach, integrating people, processes,
and information.

Question 28

General Approaches to DLP

Answer 28

Integration with risk management processes is crucial.
- Understanding data inventories, flows, and protection strategies is key.
- Technology alone is insufficient; a comprehensive program encompassing
policies and culture is necessary.

Question 29

Data Inventories

Answer 29

• Identify and characterize all sensitive data within the organization.
• Prioritize data based on importance, format, and media.
• Understand the value and risks associated with less critical but sensitive
  data.

Question 30

Data Flows

Answer 30

• Data must move according to business processes, requiring an
  understanding of data flows for DLP.
• DLP sensors should be placed not just at network perimeters but also
  internally, based on data flows.

Question 31

Data Protection Strategy

Answer 31

• Must consider the risk of adversaries gaining internal network access.
• Strategies include backup and recovery, data life-cycle, physical security,
  security culture, privacy, and organizational change.

Question 32

Implementation, Testing, and Tuning of DLP

Answer 32

• Select DLP solutions based on an organization’s specific requirements.
• Testing should verify that authorized processes work and that unauthorized
  processes are prevented.
• Continual maintenance and improvement are necessary.

Question 33

Network DLP (NDLP)

Answer 33

• Applies data protection policies to data in motion, typically at network
  perimeters.
• NDLP devices may not detect leaks on unprotected subnetworks or offpremises.

Question 34

Endpoint DLP (EDLP)

Answer 34

• Applies policies to data at rest and in use on each endpoint device.
• Offers protection at the point of data creation and while data is in use.
• Complexity and cost are higher, with unique challenges for each endpoint.

Question 35

Hybrid DLP

Answer 35

• Combines NDLP and EDLP for comprehensive coverage.
• Most expensive and complex but offers the best protection across an
  enterprise.

Question 36

Data disposal

Answer 36

Data disposal is the end of the data life cycle. Once data is no longer needed or has reached the end of its retention period, it should be securely and permanently destroyed. This process, known as data disposal, is crucial in preventing unauthorized access or disclosure of the information. It involves methods like degaussing, overwriting, or physical destruction for hardware and secure deletion techniques for software. Proper data disposal practices are essential in safeguarding sensitive information, even at the end of its life cycle.

Question 37

Scoping and Tailoring

Answer 37

Scoping and tailoring help organizations adapt security control frameworks to their needs and risk environment. Scoping involves determining the appropriate boundaries and scope of the security program, while tailoring involves customizing the security controls to fit the organization’s requirements, risk appetite, and unique circumstances. Scoping and tailoring ensure that the implemented security controls are relevant and effective for the organization.

Question 38

Digital Rights Management (DRM)

Answer 38

Digital Rights Management (DRM) is a technology that controls access to and usage of digital content, such as software, documents, and multimedia files. DRM can help protect intellectual property and prevent unauthorized sharing or copying of sensitive information.

Question 39

Labels

Answer 39

Labels indicate data classification, often in the form of metadata or physical markings on documents or storage media. Labels help ensure that the appropriate security controls are applied to protect the data based on classification.

Question 40

Clearance

Answer 40

Clearance is determining an individual’s eligibility to access classified information. Clearance levels should correspond to the different data classification levels to ensure that users can only access the information they need to perform their duties.

Question 41

Business or mission owners

Answer 41

Business or mission owners are responsible for the overall strategic goals and objectives of a specific business unit or mission within an organization.

Question 42

System Owner

Answer 42

The system owner is responsible for the overall operation and security of a specific information system or application.

Question 43

Data controllers

Answer 43

Data controllers determine the purposes and means of processing personal data, while data processors are responsible for processing personal data on behalf of the data controller. Both roles have specific responsibilities under various data protection regulations, such as the GDPR.

Question 44

Physical destruction

Answer 44

Physical destruction involves the destruction of the storage medium, rendering it unusable. This method is most suitable for highly sensitive data or when the storage medium has reached the end of its useful life. Standard physical destruction techniques include shredding, incineration, and crushing.

Question 45

Degaussing

Answer 45

Degaussing is a process that removes the magnetic field from a storage medium, such as a hard disk drive or magnetic tape, effectively erasing the data. This method is suitable for the destruction of data on magnetic storage media. However, it is inadequate for solid-state drives (SSDs) or other non-magnetic storage devices.

Question 46

Overwriting

Answer 46

Overwriting involves writing new data over the existing data on a storage medium, rendering the original data unrecoverable. This method can be used for magnetic and solid-state storage devices. Overwriting software often performs multiple passes, writing different data patterns to ensure the original data is completely obliterated. Overwriting is suitable for most data destruction scenarios but may not be sufficient for sensitive data.

Question 47

Cryptographic erasure

Answer 47

Cryptographic erasure involves deleting the encryption keys to encrypt data stored on a device. Without the encryption keys, the data becomes unreadable and effectively unrecoverable. This method is suitable for encryption storage devices and allows quick data erasure without physically destroying the device.

Question 48

Secure Erase

Answer 48

Secure Erase is a built-in function in many modern storage devices, such as hard disk drives and SSDs. This feature erases all data on the device by overwriting it with a predefined pattern or triggering the machine to perform an internal block erase. Secure Erase is an effective and efficient method for data destruction, provided that the storage device supports the feature.

Question 49

General Data Protection Regulation (GDPR)

Answer 49

A comprehensive data protection regulation in the European Union that applies to organizations that process the personal data of EU residents. GDPR mandates strict data protection requirements, including obtaining consent, providing notice, and implementing appropriate security measures to protect personal data.

Question 50

California Consumer Privacy Act (CCPA):

Answer 50

A data privacy law in California that grants consumers the right to know what personal information is being collected about them, the right to delete that information, and the right to opt out of the sale of their data.

Question 51

Personal Information Protection and Electronic Documents Act (PIPEDA)

Answer 51

PIPEDA is a Canadian federal privacy law governing private sector organizations’ collection, use, and disclosure of personal information during commercial activities. PIPEDA applies to organizations operating in Canada and those that collect, use, or disclose personal information about Canadian residents across provincial or national borders.

Question 52

Privacy Rule

Answer 52

Privacy Rule: Establishes standards for the use and disclosure of PHI (Protected Health Information) by covered entities and their business associates. The Privacy Rule grants patients rights to their health information, including the right to access, amend, and control who can access their PHI.

Question 53

Security Rule

Answer 53

Requires covered entities and their business associates to implement technical, physical, and administrative safeguards to protect electronic PHI (ePHI). This includes access controls, data encryption, and regular risk assessments.

Question 54

Health Insurance Portability and Accountability Act (HIPAA)

Answer 54

While primarily focused on healthcare data, HIPAA also includes provisions related to PII in the context of healthcare providers, insurers, and their business associates.