Domain 2 - Asset Security Flashcards

1
Q

Regarding Information Classification, define Categorization.

A

– Process of determining the impact that loss of confidentiality, integrity or availability (CIA) of information would have on the organization.

Identifies the value of the data to the organization. Not all data has the same value; classifying it demonstrates the business's commitment to security.

Identifies which information is most sensitive and vital, so controls can be sized to the impact rather than applied uniformly.
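Categorization as defined above is what FIPS 199 (see the FIPS 199 card later in this deck) turns into a procedure: rate the impact of losing each of C, I and A per information type, take the maximum per objective across everything the system handles, then take the highest of the three (the high-water mark) to pick a control baseline. The following is an added example, not part of the flashcard deck; the information types and impact levels are constructed for illustration and are not taken from SP 800-60.

```python
"""FIPS 199 style security categorization with the high-water mark.

Added example, not part of the flashcard deck. The information types and
impact levels below are constructed for illustration, not taken from SP 800-60.
"""
from typing import Dict, Iterable

# FIPS 199 potential impact levels, ordered so that a higher index is a higher impact.
LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: provisional impact of losing C, I and A for each information
# type the system handles. (FIPS 199 allows "not applicable" for the confidentiality
# of public information; this example treats it as LOW, which is an assumption.)
SAMPLE_INFO_TYPES: Dict[str, Dict[str, str]] = {
    "public web content":   {"confidentiality": "LOW", "integrity": "MODERATE", "availability": "LOW"},
    "customer PII":         {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "payment transactions": {"confidentiality": "MODERATE", "integrity": "HIGH", "availability": "MODERATE"},
}


def _validate(level: str) -> str:
    if level not in RANK:
        raise ValueError(f"unknown impact level {level!r}; expected one of {LEVELS}")
    return level


def categorize_system(info_types: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """Security category of a system: per objective, the maximum impact over all
    information types it processes (FIPS 199, section 3)."""
    category = {objective: "LOW" for objective in OBJECTIVES}
    for levels in info_types:
        for objective in OBJECTIVES:
            level = _validate(levels[objective])
            if RANK[level] > RANK[category[objective]]:
                category[objective] = level
    return category


def high_water_mark(category: Dict[str, str]) -> str:
    """Overall impact level used to pick the SP 800-53 control baseline (FIPS 200):
    the highest of the three objectives, so one HIGH objective makes the whole system HIGH."""
    return max(category.values(), key=RANK.__getitem__)


def format_category(category: Dict[str, str]) -> str:
    """Render in the FIPS 199 notation SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    return "SC = {" + ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES) + "}"


if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES.values())
    print(format_category(sc))
    print("baseline:", high_water_mark(sc))  # HIGH, driven by payment-transaction integrity
```

The point the high-water mark makes in practice: a single HIGH integrity rating on one information type pulls the whole system, including the LOW-impact public content, into the HIGH baseline. That is why systems handling mixed data are often split so the low-impact parts are not dragged up with the rest.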

2
Q

Information classification : Criteria

A

Value, age, useful life, personal association

3
Q

Information classification : Levels - Government, military

A
  • Unclassified (may also carry the FOUO, For Official Use Only, handling marking)
  • Sensitive but unclassified (SBU)
  • Confidential (disclosure would cause damage to national security)
  • Secret (serious damage); may carry country-specific release restrictions, e.g. NZAUS SECRET for New Zealand, Australia and the US
  • Top Secret (exceptionally grave damage)

Note: under E.O. 13526 only Confidential, Secret and Top Secret are classification levels; FOUO and SBU are control markings for unclassified information (now consolidated under CUI).
4
Q

Information classification : Levels - Private sector

A
  • Public; may be seen by the public or by employees
  • Company Confidential; may be viewed by all employees but is not for general release
  • Company Restricted; restricted to a subset of employees
  • Private; e.g. SSNs, credit card data; disclosure could cause damage
  • Sensitive; internal business information
  • Confidential; disclosure would cause exceptionally grave damage
  • Proprietary; trade secrets

Rough mapping to the government levels: Top Secret = Confidential/Proprietary, Secret = Private, Confidential = Sensitive.

5
Q

What is a Policy?

A

Policies are high-level management directives that are mandatory.

6
Q

Senior management Statement of Policy

A

Stating importance, support and commitment

7
Q

Types of Senior management Statement of Policy

A

Regulatory
Advisory
Informative

8
Q

Regulatory Policy

A

Required due to laws, regulations, compliance obligations and specific industry standards.

9
Q

Advisory Policy

A

Not mandatory but strongly suggested

10
Q

Informative Policy

A

To inform the reader

11
Q

What is an Information Policy?

A

Classifies information and defines the level of access to it and the methods used to store and transmit it.

12
Q

What is a Security Policy?

A

A document that defines the security requirements for an organization; it does not provide details on how to fulfill those requirements or how to implement the policy.

Authorizes and defines the technology used to control information access and distribution.

The policy framework, from most to least general: policies, standards, baselines, guidelines, and procedures.

13
Q

What are Standards?

A

Specify use of specific technologies in a uniform way

Standards are tactical documents that define the steps or methods to accomplish the goals and overall direction defined by security policies.

14
Q

What are Guidelines?

A

Like standards, but compliance is recommended rather than mandatory.

Guidelines offer recommendations on how standards and baselines are implemented and serve as an operational guide for both security professionals and users.

15
Q

What are Procedures?

A

Detailed steps to perform a task

A procedure is a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.

16
Q

What is a Baseline?

A

Minimum level of security

17
Q

Describe Security planning.

A

Involves defining the security scope, assigning security management responsibilities, and testing security measures for effectiveness.

18
Q

Strategic

A

Long-term plan, typically about 5 years

19
Q

Tactical

A

Mid-term; shorter than strategic, typically about a year

20
Q

Operational

A

Day to day, short term

21
Q

Data Classification Policy

A
  • Who will have access to data?
  • How is the data to be secured?
  • How long is data to be retained?
  • What method(s) should be used to dispose of data?
  • Does data need to be encrypted?
  • What is the appropriate use of the data?
22
Q

IT Asset Management (ITAM)

A

Full life cycle management of IT assets. The CMDB (configuration management database) holds the relationships between system components and links them to

– incidents, problems, known errors, changes, and releases

  • Single repository, organizationally aligned
  • Scalable
23
Q

US-EU (Swiss) Safe Harbor

A

A framework agreed between the U.S. Department of Commerce and the European Commission under the EU Data Protection Directive (the Directive was replaced in 2018 by the General Data Protection Regulation, GDPR). It bridged the differences in approach and gave U.S. organizations a streamlined means of meeting the Directive's requirements when receiving personal data from the EU (and, under the parallel Swiss framework, Switzerland). Note: the Court of Justice of the EU invalidated Safe Harbor in 2015 (Schrems); its successor, the EU-U.S. Privacy Shield (2016), was invalidated in 2020 (Schrems II).

24
Q

General Data Protection Regulation (GDPR)

A

Strengthening individuals' rights. Data protection principles:

  • Data obtained fairly and lawfully
  • Data only used for original purpose
  • Adequate, relevant, and not excessive to purpose
  • Accurate and up to date
  • Accessible to the subject
  • Kept secure
  • Destroyed after purpose is complete
25
Directive on Data Protection; Seven Tenets "Daisy DANCES"
"Daisy DANCES": Disclosure, Data Integrity, Access, Notice, Consent, Enforcement, Security
- Notice; data subjects should be given notice when their data is being collected
- Consent (Choice); data should not be disclosed without the data subject's consent
- Disclosure / Onward Transfer; data subjects should be informed as to who is collecting their data, and the same protections must follow the data when it is passed to third parties
- Security; collected data should be kept secure from any potential abuses
- Data Integrity; data must be reliable and used only for its stated purpose
- Access; data subjects should be allowed to access their data and correct any inaccurate data
- Enforcement; accountability: data subjects should have a method available to hold data collectors accountable for not following the above principles
26
Data Processors
Example: a US organization that classifies and handles data on behalf of an EU company is a data processor. Data processors have a responsibility to protect the privacy of the data they process.
27
Business/Mission owners
In that example the EU company is the business/mission owner; the US organization would also act as data administrator.
28
What are the Roles and responsibilities of the Information security Officer?
- Functional responsibility for the security program
- Ensure policies etc. are written by the appropriate unit
- Implement/operate CIRTs
- Provide leadership for security awareness
- Communicate risk to senior management
- Stay abreast of current threats and technology
29
What is the role of a Security Analyst?
Strategic, develops policies and guidelines
30
Data Life
- Creation, use, destruction (every stage is subordinate to the security policy)
31
Roles and responsibilities of the Data/Information Owner
- Ultimate organizational responsibility for the data
- Categorizes systems and data; determines the level of classification
- Required controls are selected for each classification
- Selects baseline security standards
- Determines the impact the information has on the organization
- Understands replacement cost (if replaceable)
- Determines who needs the information and the circumstances for release
- Determines when information should be destroyed
- Responsible for the asset
- Reviews and changes classification
- Can delegate responsibility to the data custodian
- Authorizes user privileges
32
Roles and responsibilities of the Data Custodian
- Day-to-day tasks; grants permissions to users under DAC
- Adheres to data policy and data ownership guidelines
- Ensures accessibility; maintains and monitors security
- Dataset maintenance and archiving
- Documentation, including keeping it updated
- QA, validation and audits
- Runs regular backups/restores and verifies them
- Ensures data integrity and security (CIA)
- Maintains records in accordance with classification
- Applies user authorizations
- Implements security controls
33
Roles and responsibilities of the System Owners
Select security controls
34
Roles and responsibilities of the Administrators
Assign permission to access and handle data
35
Roles and responsibilities of the End-user
- Uses information to do their job
- Follows instructions in policies and guidelines
- Exercises due care (e.g. a clean desk to prevent open viewing)
- Uses corporate resources for corporate use only
36
Roles and responsibilities of the Auditor
Examines security controls
37
Quality Control
Assessment of quality based on standards internal to the process.
38
Quality Assessment
Assessment of quality based on standards external to the process; involves reviewing the activities and the quality control processes themselves (the usual CISSP term is Quality Assurance).
39
What is Data Remanence?
The residual physical representation of data that has in some way been erased. In the cloud, the card notes PaaS deals with it best.
40
What are some methods to remove Data Remanence?
- Physical destruction
- Degaussing
- Overwriting
Reformatting does NOT remove remanence: it rewrites the file system structures, not the data blocks.
41
Sanitizing
A series of processes that removes data and ensures it is unrecoverable by any means. When a computer is removed from service and disposed of, all storage media is removed or destroyed.
42
Degaussing
AC erasure: alternating magnetic fields. DC erasure: a unidirectional magnetic field or permanent magnet. Can erase tapes and magnetic hard disks.
43
Erasing
Deletion of files or media; removes only the link (directory entry) to the file, leaving the data blocks in place. Least effective.
44
Overwriting/wiping/shredding
Overwrites the data with a pattern; may miss areas the host cannot address (bad sectors, spare blocks, host-protected areas).
45
Zero fill
wipe a drive and fill with zeros
46
Clearing
Preparing media for reuse at the same classification level. Removal of sensitive data from storage devices in such a way that it may not be reconstructed using normal system functions or utilities. The data is simply overwritten, so it may still be recoverable with special lab equipment.
47
Purging
More intense than clearing; the media can then be reused in lower-classification systems. Removal of sensitive data with the intent that it cannot be reconstructed by any known technique, including laboratory methods.
48
Destruction
Incineration, crushing, shredding, pulverizing and disintegration are methods of destruction; the media cannot be reused afterwards.
49
How do you secure files sent through the Internet?
Encrypt data
50
SSD Data Destruction
NIST SP 800-88 Rev. 1: SSDs cannot be degaussed (no magnetic medium), and overwriting may miss data in spare, bad or wear-leveled blocks that are not addressable by the host, so a targeted overwrite is not a reliable purge. Purge with the drive's built-in sanitize commands (block erase, or cryptographic erase, which destroys the media encryption key so the remaining ciphertext is unreadable); destroy by disintegrating, shredding, pulverizing or incinerating. Encrypting the drive from the start is what makes crypto erase possible later.
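The cards on erasing, overwriting, clearing and SSD destruction all rest on one fact: what the host can address is not the same as what is physically on the medium. The following added example (not from the flashcard deck) models that with a toy drive. With `in_place=True` it behaves like a magnetic disk, where an overwrite hits the same sectors; with `in_place=False` it behaves like an SSD whose flash translation layer writes every update to a fresh page and only marks the old one stale. A raw dump stands in for a chip-off read. The per-block keystream built from HMAC-SHA256 is a stand-in for the AES-XTS a real self-encrypting drive uses; it is an assumption for illustration, not a real SED algorithm, and the secret written is constructed sample data.

```python
"""Data remanence on a wear-leveling SSD versus in-place (magnetic) media, and crypto erase.

Added example, not part of the flashcard deck: a toy flash model, not a real drive or a real
self-encrypting-drive algorithm. The secret written to the device is constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PAGE = 16  # bytes per (toy) flash page


class ToyDrive:
    """in_place=True: magnetic disk, overwrite hits the same sectors.
    in_place=False: SSD, the flash translation layer writes each update to a fresh
    physical page and merely marks the old page stale (wear leveling)."""

    def __init__(self, pages: int, in_place: bool, key: Optional[bytes] = None):
        self.in_place = in_place
        self.key = key                      # media encryption key; None = no self-encryption
        self.phys: List[bytes] = [bytes(PAGE) for _ in range(pages)]
        self.l2p: Dict[int, int] = {}       # logical block address -> physical page
        self.free = list(range(pages))

    def _xform(self, lba: int, data: bytes) -> bytes:
        # Toy per-block keystream (HMAC-SHA256 over key and LBA) XOR'd onto the data;
        # XOR is its own inverse. Stands in for the AES-XTS of a real SED (assumption).
        if self.key is None:
            return data
        keystream = hmac.new(self.key, lba.to_bytes(8, "big"), hashlib.sha256).digest()[:PAGE]
        return bytes(a ^ b for a, b in zip(data, keystream))

    def write(self, lba: int, data: bytes) -> None:
        data = data.ljust(PAGE, b"\0")[:PAGE]
        if self.in_place and lba in self.l2p:
            page = self.l2p[lba]            # magnetic disk: same sector is overwritten
        else:
            page = self.free.pop(0)         # SSD: fresh page; the previous page keeps its contents
        self.phys[page] = self._xform(lba, data)
        self.l2p[lba] = page

    def read(self, lba: int) -> bytes:
        """What the host sees through the normal block interface."""
        return self._xform(lba, self.phys[self.l2p[lba]])

    def raw_dump(self) -> bytes:
        """What a chip-off / lab read of the flash sees, stale non-addressable pages included."""
        return b"".join(self.phys)

    def crypto_erase(self) -> None:
        """Cryptographic erase: discard the media key. Ciphertext stays on the flash but is unreadable."""
        self.key = os.urandom(32)


SECRET = b"SSN 123-45-6789"  # constructed sample


def overwrite_then_inspect(in_place: bool) -> Dict[str, bool]:
    """Write a secret, then 'clear' the block by overwriting it with zeros."""
    drive = ToyDrive(pages=4, in_place=in_place)
    drive.write(0, SECRET)
    drive.write(0, bytes(PAGE))
    return {
        "host_read_is_clean": drive.read(0) == bytes(PAGE),
        "raw_flash_has_residue": SECRET in drive.raw_dump(),
    }


def crypto_erase_then_inspect() -> Dict[str, bool]:
    """Self-encrypting SSD: update the block (leaving a stale ciphertext page), then crypto-erase."""
    drive = ToyDrive(pages=4, in_place=False, key=os.urandom(32))
    drive.write(0, SECRET)
    drive.write(0, b"updated")
    plaintext_ever_in_raw = SECRET in drive.raw_dump() or b"updated" in drive.raw_dump()
    read_before = drive.read(0) == b"updated".ljust(PAGE, b"\0")
    drive.crypto_erase()
    return {
        "plaintext_ever_in_raw_flash": plaintext_ever_in_raw,
        "host_read_before_erase": read_before,
        "host_read_after_erase": drive.read(0) == b"updated".ljust(PAGE, b"\0"),
    }


if __name__ == "__main__":
    print("magnetic, overwritten:", overwrite_then_inspect(in_place=True))
    print("SSD, overwritten:     ", overwrite_then_inspect(in_place=False))
    print("SSD, crypto-erased:   ", crypto_erase_then_inspect())
```

The first two runs show the same host-visible result (the block reads back as zeros) with opposite raw-flash results: the magnetic model is clean, the SSD model still holds the secret in a page the host can no longer address. The third run shows why encrypting from day one matters: plaintext never reaches the flash, and once the key is gone even the current block is unreadable, which is the property NIST SP 800-88 relies on for cryptographic erase.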
51
What is a Baseline?
A starting point that can be tailored to an organization's needs; defines a minimum security standard through common security configurations. On Windows, Group Policy can be used to check and enforce compliance with the baseline.
52
What is the importance of Scoping and Tailoring?
Narrows the focus of the security architecture to ensure that the appropriate risks are identified and addressed, rather than applying every control in a baseline regardless of relevance.
53
Scoping
Reviewing baseline security controls and selecting only those controls that apply to the IT system you’re trying to protect.
54
Tailoring
Modifying the list of security controls within a baseline so that they align with the mission of the organization.
55
Supplementation
Adding assessment procedures or assessment details to adequately meet the risk management needs of the organization.
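The three preceding cards describe one procedure: start from a baseline, scope out controls that do not apply, tailor the parameters of those that do, supplement with controls the risk assessment demands, then check a system against the result. The following added example (not from the flashcard deck) walks a small constructed baseline through those steps; the control identifiers, parameters and observed host settings are made up for illustration and are not a real CIS or NIST list.

```python
"""Scoping, tailoring and supplementing a control baseline, then checking a host against it.

Added example, not part of the flashcard deck. Control identifiers, parameters and the
observed host settings are constructed for illustration; they are not a real CIS or NIST list.
"""
import operator
from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, List, Tuple

# A parameter requirement is (comparison, required value); the comparison gives the compliant direction.
Requirement = Tuple[str, int]
COMPARE = {">=": operator.ge, "<=": operator.le, "==": operator.eq}


@dataclass(frozen=True)
class Control:
    cid: str                                   # hypothetical identifier
    description: str
    applies_to: FrozenSet[str]                 # technologies the control is relevant to
    params: Dict[str, Requirement] = field(default_factory=dict)


BASELINE: List[Control] = [
    Control("PW-1", "minimum password length", frozenset({"os"}), {"min_length": (">=", 8)}),
    Control("PW-2", "lock account after N failed logins", frozenset({"os"}), {"threshold": ("<=", 10)}),
    Control("WL-1", "disable WPS on wireless access points", frozenset({"wireless"})),
    Control("LOG-1", "forward logs to the central collector", frozenset({"os", "network"})),
]


def scope(baseline: List[Control], system_tags: FrozenSet[str]) -> List[Control]:
    """Scoping: keep only the controls whose technology actually exists on the system."""
    return [c for c in baseline if c.applies_to & system_tags]


def tailor(controls: List[Control], overrides: Dict[str, Dict[str, Requirement]]) -> List[Control]:
    """Tailoring: adjust parameter values to the organization's mission (stricter or looser)."""
    return [replace(c, params={**c.params, **overrides.get(c.cid, {})}) for c in controls]


def supplement(controls: List[Control], extra: List[Control]) -> List[Control]:
    """Supplementation: add controls the baseline lacks but the risk assessment requires."""
    present = {c.cid for c in controls}
    return controls + [c for c in extra if c.cid not in present]


def check_compliance(controls: List[Control], observed: Dict[str, Dict[str, int]]) -> List[str]:
    """Compare observed host settings with the final control set; return findings (empty = compliant)."""
    findings = []
    for c in controls:
        state = observed.get(c.cid)
        if state is None:
            findings.append(f"{c.cid}: not implemented ({c.description})")
            continue
        for name, (op, required) in c.params.items():
            if name not in state or not COMPARE[op](state[name], required):
                findings.append(f"{c.cid}: {name}={state.get(name)} is not {op} {required}")
    return findings


def run_example() -> List[str]:
    """A server fleet with no wireless gear, a stricter password rule, and a required FDE control."""
    scoped = scope(BASELINE, frozenset({"os", "network"}))                # WL-1 drops out
    tailored = tailor(scoped, {"PW-1": {"min_length": (">=", 14)}})       # mission needs longer passwords
    final = supplement(tailored, [Control("FDE-1", "full-disk encryption enabled",
                                          frozenset({"os"}), {"enabled": ("==", 1)})])
    observed_host = {                                                     # constructed sample state
        "PW-1": {"min_length": 12},
        "PW-2": {"threshold": 5},
        "LOG-1": {},
        "FDE-1": {"enabled": 0},
    }
    return check_compliance(final, observed_host)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Note the direction encoded with each parameter: a lockout threshold of 5 is compliant against a baseline of 10 because lower is stricter, while a 12-character minimum fails a tailored requirement of 14. A checker that only tests equality against the baseline value would flag the first and could miss intentional hardening.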
56
Link Encryption
Link encryption encrypts ALL the data along a specific communication path: user information, headers, trailers, addresses, and routing data in the packets are all encrypted. Each hop must decrypt the packet to route it and re-encrypt it for the next link, so the data is in plaintext inside every intermediate device.
57
End to End Encryption
Only the payload is encrypted, from the sender to the final recipient. The headers, trailers, addresses, and routing data are NOT encrypted, so an attacker who captures the packet can read who is talking to whom (traffic analysis), but not the user data.
58
FTP and Telnet
Unencrypted; credentials and data travel in clear text and can be read by anyone on the path.
59
SFTP and SSH
Provide encryption to protect data and credentials
60
How do you protect Removable Media?
Use strong encryption, like AES256, to ensure loss of media does not result in data breach
61
CIS
Center for Internet Security; creates list of security controls for OS, mobile, server, and network devices
62
NIST
National Institute of Standards and Technology
63
NIST SP 800 series
Address computer security in a variety of areas
64
800-14 NIST SP
GAPP for securing information technology
65
800-18 NIST
How to develop security plans
66
800-27 NIST SP "Insane Dentists Invented Old Dogs"
Baseline for achieving security; five life cycle planning phases (defined in 800-14) and 33 IT security principles. "Insane Dentists Invented Old Dogs":
- Initiation
- Development/Acquisition
- Implementation
- Operation/Maintenance
- Disposal
67
800-88
NIST Guidelines for Media Sanitization; covers clearing, purging and destruction of media to prevent data remanence.
68
800-122
NIST Special Publication on protecting PII; defines PII as any information that can be used to trace a person's identity, such as SSN, name, date of birth, place of birth, or mother's maiden name.
69
800-137
Build/implement an information security continuous monitoring (ISCM) program: define, establish, implement, analyze and report, respond, review and update.
70
800-145
The NIST Definition of Cloud Computing (essential characteristics, service models, deployment models)
71
FIPS
Federal Information Processing Standards; official series of publications relating to standards and guidelines adopted under the FISMA, Federal Information Security Management Act of 2002.
72
FIPS 199
Standards for categorizing information and information systems
73
FIPS 200
minimum security requirements for Federal information and information systems
74
DOD 8510.01
Originally established DIACAP (2007); the 2014 reissuance of DoDI 8510.01 replaced DIACAP with the Risk Management Framework (RMF) for DoD IT.
75
ISO 15288
International systems engineering standard covering processes and life cycle stages. Process groups:
- Agreement
- Organizational project-enabling
- Technical management
- Technical
76
COPPA
Careful: COPPA is the federal Children's Online Privacy Protection Act (1998), which governs the collection of personal information from children under 13. The law described here, requiring operators of commercial websites to post a privacy policy if they collect personal information on California residents, is CalOPPA, the California Online Privacy Protection Act.
77
Curie Temperature
The critical temperature above which a material loses its permanent magnetic properties; heating media past it is one way to destroy magnetically stored data.
78
DAR
Data at rest; inactive data that is physically stored (on disk, not in RAM). The biggest threat is a data breach; full disk encryption protects it (Microsoft BitLocker at the volume level and Microsoft EFS at the file level, both using AES).
79
DLP
Data Loss/Leakage Prevention; uses the labels applied by classification to determine the appropriate control to apply to data as it moves. It enforces existing labels; it does not modify them in real time.
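The classification policy questions (who may access the data, must it be encrypted, how long is it retained) and the DLP card above fit together as label-in, control-out: detection assigns a label, the policy maps the label to controls, and DLP enforces them on a channel. The following added example (not from the flashcard deck) shows that chain with the private-sector labels the deck uses. The SSN and card-number patterns, the Luhn check, the handling policy and the sample messages are constructed for illustration; a production DLP engine is far more elaborate.

```python
"""Label-driven DLP decision with PII detection.

Added example, not part of the flashcard deck. The labels reuse the private-sector scheme
from the cards; the detection rules, handling policy and sample messages are constructed and
much simpler than a production DLP engine.
"""
import re
from typing import Dict, List

# US SSN in 3-2-4 form, excluding ranges the SSA never issues (area 000, 666, 9xx; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card numbers: 13 to 16 digits, optional space/dash separators; confirmed by Luhn.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> List[str]:
    """Return the kinds of PII found (SSN, PAN), one entry per hit."""
    hits = ["SSN" for _ in SSN_RE.finditer(text)]
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append("PAN")
    return hits


def classify(text: str) -> str:
    """Private for PII/card data, Sensitive for content marked INTERNAL, else Public (assumed rule)."""
    if find_pii(text):
        return "Private"
    if "INTERNAL" in text.upper():
        return "Sensitive"
    return "Public"


# Handling policy per label: the classification-policy answers (encrypt? leave the company? how long kept?).
POLICY: Dict[str, Dict] = {
    "Public":    {"encrypt": False, "external_email": True,  "retention_days": 365},
    "Sensitive": {"encrypt": True,  "external_email": False, "retention_days": 1095},
    "Private":   {"encrypt": True,  "external_email": False, "retention_days": 2555},
}


def dlp_decision(text: str, channel: str, encrypted: bool) -> Dict:
    """Decide whether a message may leave on a channel. DLP applies the label's controls; it does not relabel."""
    label = classify(text)
    rule = POLICY[label]
    reasons = []
    if channel == "external_email" and not rule["external_email"]:
        reasons.append(f"{label} data may not be sent by external email")
    if rule["encrypt"] and not encrypted:
        reasons.append(f"{label} data must be encrypted in transit")
    return {"label": label, "action": "block" if reasons else "allow",
            "reasons": reasons, "retention_days": rule["retention_days"]}


if __name__ == "__main__":
    samples = [  # constructed messages
        ("Invoice 42 is due Friday", "external_email", False),
        ("Applicant SSN 123-45-6789 attached", "external_email", False),
        ("Card on file: 4111 1111 1111 1111", "internal_share", True),
        ("INTERNAL: Q3 roadmap draft", "external_email", True),
    ]
    for text, channel, enc in samples:
        print(dlp_decision(text, channel, enc))
```

Two design points worth noticing. The Luhn check is what keeps a 16-digit order number from being labelled Private, which is the difference between a DLP rule people tolerate and one they route around. And the decision function never changes the label: it reads the label and applies the matching control, which is exactly the limitation the DLP card states.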
80
ECM
Enterprise Content Management; centrally managed and controlled
81
Non-disclosure Agreement (NDA)
A legal agreement that prevents employees (or other parties) from sharing proprietary information.
82
PCI-DSS
Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council; a set of security controls/standards for organizations that store, process or transmit credit card data.
83
Watermark
Embedded data that helps identify the owner of a file; digitally labels data and can be used to indicate ownership or trace the source of a leak.