Domain 2 - Asset Security Flashcards

1
Q

Sensitive Data

A

Sensitive data is any information that isn’t public or unclassified. It can include confidential, proprietary, protected, or any other type of data that an organization needs to protect due to its value to the organization, or to comply with existing laws and regulations.

2
Q

Personally Identifiable Information (PII)

A

Personally identifiable information (PII) is any information that can identify an individual.

E.g., name, Social Security number, date and place of birth, mother’s maiden name, or biometric records.

3
Q

Protected Health Information (PHI)

A

Protected health information (PHI) is any health-related information that can be related to a specific person. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of PHI.

E.g., health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.

4
Q

Proprietary Data

A

Proprietary data refers to any data that helps an organization maintain a competitive edge. It could be software code it developed, technical plans for products, internal processes, intellectual property, or trade secrets.

It is protected, to an extent, by copyright, patent, and trade secret laws.

5
Q

Top Secret

A

Grave Damage to National Security

6
Q

Secret

A

Serious Damage to National Security

7
Q

Confidential

A

Damage to National Security

8
Q

Unclassified

A

Does not meet the description for the other three.

Available to anyone with a Freedom of Information (FOI)

9
Q

Classification Authority

A

The entity that applies the original classification to the sensitive data. Strict rules identify who can do so.

10
Q

Confidential Email

A

1. Can only be viewed, not saved
2. Email content can’t be copied and pasted into other documents
3. Emails can’t be printed
4. Forwarded emails can’t be opened
5. Only to recipients in the organization

11
Q

Why do we manage sensitive data?

A

The key goal is to prevent data breaches.

12
Q

Handling Sensitive Data

A

Refers to the secure transportation of media through its lifetime.

13
Q

Storing Sensitive Data

A

AES-256 encryption. Use heating, ventilation, and air conditioning (HVAC).

14
Q

Data Remanence

A

Data remanence is the data that remains on a hard drive as residual magnetic flux.

15
Q

Removing Data Remanence

A

One way to remove data remanence is with a degausser. A degausser generates a heavy magnetic field, which realigns the magnetic fields in magnetic media such as traditional hard drives, magnetic tape, and floppy disk drives.

Degaussers using power will reliably rewrite these magnetic fields and remove data remanence. However, they are only effective on magnetic media.

16
Q

Erasing

A

Erasing media is simply performing a delete operation against a file, a selection of files, or the entire media.

17
Q

Clearing

A

Clearing, or overwriting, is a process of preparing media for reuse and assuring that the cleared data cannot be recovered using traditional recovery tools. When media is cleared, unclassified data is written over all addressable locations on the media.

18
Q

Purging

A

Purging is a more intense form of clearing that prepares media for reuse in less secure environments. It provides a level of assurance that the original data is not recoverable using any known methods.

19
Q

Declassification

A

Declassification involves any process that purges media or a system in preparation for reuse in an unclassified environment.

20
Q

Sanitization

A

Sanitization is a combination of processes that removes data from a system or from media. It ensures that data cannot be recovered by any means.

21
Q

Destruction

A

Destruction is the final stage in the life cycle of media and is the most secure method of sanitizing media.

Methods of destruction include incineration, crushing, shredding, disintegration, and dissolving using caustic or acidic chemicals.

22
Q

Record Retention

A

Record retention involves retaining and maintaining important information as long as it is needed and destroying it when it is no longer needed.

An organization’s security policy or data policy typically identifies retention time frames.

23
Q

Data Owners

A

The data owner is the person who has ultimate organizational responsibility for data. The owner is typically the CEO, president, or a department head (DH). Data owners identify the classification of data and ensure that it is labeled properly.

They also ensure it has adequate security controls based on the classification and the organization’s security policy requirements.

24
Q

System Owner

A

The system owner is the person who owns the system that processes sensitive data.

25
Q

Data Processor

A

A data processor is any system used to process data.

The EU Data Protection law defines a data processor as “a natural or legal person which processes personal data solely on behalf of the data controller.”

26
Q

Administrators

A

A data administrator is responsible for granting appropriate access to personnel. They don’t necessarily have full administrator rights and privileges, but they do have the ability to assign permissions.

27
Q

Custodians

A

Data owners often delegate day-to-day tasks to a custodian. A custodian helps protect the integrity and security of data by ensuring it is properly stored and protected.

For example, custodians would ensure the data is backed up in accordance with a backup policy.