Domain 2: Asset Security

Question 1

Accountability

Answer 1

Ensures that account management has assurance that only authorized users are accessing the system and using it properly.

Question 2

Asset

Answer 2

Anything of value owned by an organization. Assets include both tangible items such as information systems and physical property and intangible assets such as intellectual property.

Question 3

Baseline

Answer 3

A document, the lowest level of security configuration allowed by a standard or organization.

Question 4

Categorization

Answer 4

The process of grouping sets of data, information, or knowledge that have comparable sensitivities (impact or loss ratings), and have similar security needs mandated by law, contracts or other compliance regimes.

Question 5

Classification

Answer 5

The process of recognizing the impacts to the organization if its information suffers any security compromise to its confidentiality-, integrity-, availability-, non-repudiation-, authenticity-, privacy-, or safety-related characteristics. Classifications are derived from the compliance mandates the organization must operate within, whether these are laws, regulations, contract-specified standards, or other business expectations.

Question 6

Clearing

Answer 6

The removal of sensitive data from storage devices in such a way that there is assurance the data may not be reconstructed using normal system functions or software recovery utilities.

Question 7

Data Custodian, Custodian

Answer 7

The individual who manages permissions and access on a day-to-day basis based on instructions from the data owner. Responsible for protecting an asset that has value, while in the custodian’s possession.

Question 8

Defensible Destruction

Answer 8

Eliminating data using a controlled, legally defensible, and regulatory compliant way.

Question 9

Inventory

Answer 9

Complete list of items.

Question 10

Purging

Answer 10

The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique.

Question 11

Qualitative

Answer 11

Measuring something without using numbers, using adjectives, scales, or grades.

Question 12

Quantitative

Answer 12

Using numbers to measure something—usually monetary values.

Question 13

Recovery

Answer 13

The process of jointly addressing business resiliency and restoration of critical infrastructure and functionality after a disruption.

Question 14

Responsibility

Answer 14

Obligation for doing something. Can be delegated.

Question 15

Scoping

Answer 15

Limiting the general baseline recommendations by removing those that do not apply.

Question 16

Tailoring

Answer 16

The process by which a security control baseline is modified based on (i) the application of scoping guidance, (ii) the specification of compensating security controls, if needed, and (iii) the specification of organization defined parameters in the security controls via explicit assignment and selection statements.

discoverizing

Question 17

Data Loss Prevention

Answer 17

systems attempt to detect and block data exfiltration attempts

Question 18

Marking Sensitive Data

Answer 18

Ensuring data has a classification label, important for DLP systems to deny sensitive data from leaving the organization

Question 19

Data Remanence

Answer 19

the data that remains on media after the data was supposedly erased

Question 20

degausser

Answer 20

a heavy magnetic field, which realigns the magnetic fields in magnetic media such as traditional hard drives, magnetic tape, and floppy disks.

Does not work with SSDs

Question 21

Erasing

Answer 21

simply performing a delete operation against a file, or selection of files

Question 22

Digital Rights Management

Answer 22

attempts to provide copywrite protection for copyrighted works

Question 23

Cloud Access Security Broker

Answer 23

software placed logically between users and cloud based resources, monitors all activity, typically provides authentication and authz,

Question 24

Shadow IT

Answer 24

The Use of IT without approval or even knowledge of the IT department

Question 25

Tokenization

Answer 25

Use of a token, random string of characters, to replace other data

Question 26

Data Owner

Answer 26

the person who has ultimate organizational responsibility for data, they identify the classification

Question 27

Asset Owners

Answer 27

person who owns the asset or system that processes sensitive data

Question 28

Data Processor

Answer 28

any system used to process data

In GDPR, a natural or legal person, public authority, agency, or other body, which processes data solely on behalf of the the data controller

Question 29

Data Subject

Answer 29

a person who can be identified from the data