Domain 2 - Asset Security

Question 1

Business/Mission Owners

Answer 1

• Senior Management
• Create the information program. ensure it’s staffed, funded, etc..
• Responsible for ensure assets are protected

Question 2

Data Owners

Answer 2

• Management Employee
• Responsible for ensuring that specific data is protected
• Determine data sensitivity labels, frequency of backups
• Focus on the data itself (paper/electronic)

Question 3

System Owner

Answer 3

• Management Employee
• Responsible for the actual systems that house the data
• Includes ASSURANCE OF hardware/software configuration (updates, patching, etc…)

Question 4

Data Custodian

Answer 4

• Hands-on protection of assets, such as data
• PERFORMS backups, restoration, patches systems, configures AV, etc…
• Custodians FOLLOW ORDERS and do not make critical decisions

Question 5

Data Controller

Answer 5

• Creates and manages sensitive data within an organization

- HR employees, etc…

Question 6

Data Processor

Answer 6

• Manages data on behalf of data controllers

- Outsourced payroll, etc…

Question 7

Data Remanence

Answer 7

Data that persists beyond noninvasive means to delete it

Question 8

Memory

Answer 8

• Series of on-off switches representing bits

- May be chip-based, disk-based, tape, etc…

Question 9

Real Memory

Answer 9

“Primary Memory”

• RAM
• Directly accessible by the CPU
• Used to hold instructions and data for currently executing processes

Question 10

Secondary Memory

Answer 10

• Disk-based memory

- Not directly accessible by the CPU

Question 11

Cache Memory

Answer 11

• Fastest memory on the system (must keep up with CPU)

Question 12

Register File/Registers (memory)

Answer 12

• Fastest portion of the CPU

- Small storage locations used by the CPU to store instructions and data

Question 13

Level 1 cache (memory)

Answer 13

• Next fastest behind register
• Located on the CPU itself
• SRAM

Question 14

PROM

Answer 14

Programmable Read Only Memory

• Can be written to only once, typically at the factory

Question 15

EPROM

Answer 15

Erasable Programmable Read Only Memory

• May be flashed using ultraviolet light

Question 16

EEPROM

Answer 16

Electronically Erasable Programmable Read Only Memory

• Electronically flashable using ‘flashing programs’

Question 17

PLD

Answer 17

Programmable Logic Device

• Field-programmable device (programmed AFTER it leaves the factory)
• EPROM, EEPROM, Flash Memory

Question 18

SSD (Solid State Drive)

Answer 18

• Combination of flash memory (EEPROM) and DRAM

Question 19

What type of memory is flash memory?

Answer 19

EEPROM - Electronically Erasable Programmable Read Only Memory

Question 20

TRIM (SSD)

Answer 20

• Improves garbage collection
• Allows the drive to do garbage collection in the background
• TRIM improves performance but does NOT reliably destroy data

Question 21

Garbage Collection (SSD)

Answer 21

• Removes unallocated blocks of memory

- Works during idle time so it does not impact performance

Question 22

ATA Secure Erase

Answer 22

The only way to reliably wipe a SSD without physically destroying it

Question 23

PCI-DSS

Answer 23

Payment Card Industries Data Security Standard

- AMEX, Discover, Mastercard, Visa, others…

Question 24

PCI-DSS Core Principles

Answer 24

• Build and maintain a secure network and systems
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

Question 25

OCTAVE

Answer 25

Operationally Critical Threat, Asset, and Vulnerability Evaluation

• Risk Management Framework from Carnegie Mellon
• Three-phase process for managing risk
• FREE

Question 26

OCTAVE Three-Phase Process

Answer 26

1. Identifies staff knowledge, assets, and threats
2. Identifies vulnerabilities and evaluates safeguards
3. Conducts risk analysis and develops risk mitigation strategy

Question 27

ISO

Answer 27

Internal Organization for Standardization

Question 28

ISO 17799/27002

Answer 28

• 17799 was renamed to 27002 in 2005 to make it consistent with the 27000 series
• Describes TECHNIQUES and best practices

Question 29

ISO 17799/27002 Areas (n=11)

Answer 29

§ Policy
§ Organization of information security
§ Asset management
§ Human resources security
§ Physical and environmental security
§ Communications and operations management
§ Access control
§ Information systems acquisition, development, and maintenance
§ Information security incident management
§ Business continuity management
§ Compliance

Question 30

ISO 27001

Answer 30

Describes REQUIREMENTS

AUDITS the best practices (from 27002)

Question 31

COBIT

Answer 31

Control Objectives for Information and Related Technology

• Framework for employing information security governance best practices
• Developed by ISACA
• Four Domains
• 34 Information Technology processes across the four domains

Question 32

COBIT Domains (n=3)

Answer 32

1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate

**There are 34 IT processes across the 4 domains

Question 33

ITIL

Answer 33

Information Technology Infrastructure Library

• ITSM Framework
• Five “Service Management Practices” publications

Question 34

ITIL Service Management Practices (n=5)

Answer 34

1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement

Question 35

Public Sector Classification Levels

Answer 35

• Unclassified
• Sensitive but unclassified (SBU)
• Confidential
• Secret
• Top Secret

Question 36

Private Sector Classification Levels

Answer 36

• Public
• Proprietary
• Private
• Confidential
• Sensitive