Domain 2 - Asset Security

Question 1

Assigning labels to data within an organization. It also identifies the value of data and is critical to protect confidentiality and integrity. This ultimately drives what controls we put in place.

Answer 1

Data Classification

Question 2

Government Data Classification Levels

Answer 2

Top Secret, Secret, Confidential, Unclassified

Question 3

Commercial Data Classification Levels

Answer 3

Confidential, Private, Sensitive and Public

Question 4

Responsible for defining data classifications and ensuring systems and data are properly marked.

Answer 4

Data Owner

Question 5

Person who owns the system that processes sensitive data. Typically the same person as data owner

Answer 5

System Owner

Question 6

Person who assigns permissions based on the principle of least privilege and the need to know.

Answer 6

Data Administrator

Question 7

They help protect the integrity and security of data by ensuring it is properly stored and protected.

Answer 7

Data Custodian

Question 8

Any person who accesses data via a computing system to accomplish work tasks.

Answer 8

Users

Question 9

Any information that can identify an individual.

Answer 9

Personally Identifiable Information (PII)

Question 10

Any health related info that can be related to a specific person.

Answer 10

Protected Health Information (PHI)

Question 11

Data that remains on a hard drive as residual magnetic flux.

Answer 11

Data remanence

Question 12

Simply performing a delete operation against a file, a selection of files, or the entire media.

Answer 12

Erasing

Question 13

A process of preparing media for reuse and assuring that the cleared data cannot be recovered using traditional recovery tools.

Answer 13

Clearing, or overwriting

Question 14

An intense form of clearing that prepares media for reuse in less secure environments.

Answer 14

Purging

Question 15

Involves any process that purges media or a system in preparation for reuse in an unclassified environment.

Answer 15

Declassification

Question 16

A combination of processes that removes data from a system or from media.

Answer 16

Sanitization

Question 17

Process to create a strong magnetic field that erases data on some media.

Answer 17

Degaussing

Question 18

The final stage in the life cycle of media and is the most secure method of sanitizing media.

Answer 18

Destruction

Question 19

Process includes marking, handling, storing and destroying sensitive information.

Answer 19

Managing sensitive information

Question 20

They provide a listing of controls that an organization can apply as a baseline for security.

Answer 20

Security Control Baselines

Question 21

Run by US Dept of Commerce. The goal is to prevent unauthorized disclosure of information, handled by data processors, and transmitted between data processors and the data controller.

Answer 21

Safe Harbor principles

Question 22

Safe Harbor principles

Answer 22

• Notice: An organization must inform individuals about the purposes for which it collects and uses information about them.
• Choice: An organization must offer individuals the opportunity to opt out.
• Onward transfer: Organizations can only transfer data to other than organizations that comply with the Notice and Choice principles.
• Security: Organizations must take reasonable precautions to protect data.
• Data integrity: Organizations may not use information for purposes other than what they stated in the Notice principle and users selected in the Choice principle. Additionally, organizations should take steps to ensure the data is reliable.
• Access: Individuals must have access to personal information an organization holds about them. Individuals also have the ability to correct, amend, or delete information, when it is inaccurate.
• Enforcement: Organizations must implement mechanisms to assure compliance with the principles.

Question 23

A process of identifying and documenting hardware components, software and the associated settings. The goal is to move beyond the original design to a hardened, operationally sound system.

Answer 23

Configuration Management. Config management also includes Change management and Patch management.