Domain 2: Asset Security

Question 1

What is the information life cycle?

Answer 1

Information goes through a life cycle that starts with its acquisition and ends with its disposal.

Question 2

How is new information prepared for use?

Answer 2

By adding metadata, including classification labels.

Question 3

What is the risk of data replication?

Answer 3

Ensuring the consistency of data

Question 4

What is an effect of data aggregation?

Answer 4

Data aggregation may lead to an increase in classification levels.

Question 5

What is an effective control during the information life cycle?

Answer 5

Cryptography can be an effective control at all phases of the information life cycle.

Question 6

What determines how information goes through the information life cycle?

Answer 6

The data retention policy drives the timeframe at which information transitions from the archival phase to the disposal phase of its life cycle.

Question 7

Why classify information?

Answer 7

Information classification corresponds to the information’s value to the organization.

Question 8

What differentiates different information classification?

Answer 8

Each classification should have separate handling requirements and procedures pertaining to how that data is accessed, used, and destroyed.

Question 9

Who is ultimately responsible for an organization’s security?

Answer 9

Senior executives are ultimately responsible to the shareholders for the successes and failures of their corporations, including security issues.

Question 10

Data owner

Answer 10

The data owner is the manager in charge of a specific business unit and is ultimately responsible for the protection and use of a specific subset of information.

Question 11

Data owners vs. data custodians

Answer 11

Data owners specify the classification of data, and data custodians implement and maintain controls to enforce the set classification levels.

Question 12

What consideratrions go into a data retention policy?

Answer 12

The data retention policy must consider legal, regulatory, and operational requirements.

Question 13

What is a data retention policy?

Answer 13

The data retention policy should address what data is to be retained, where, how, and for how long.

Question 14

E-discovery

Answer 14

Electronic discovery (e-discovery) is the process of producing for a court or external attorney all electronically stored information (ESI) pertinent to a legal proceeding.

Question 15

NIST SP 800 - 88 , Revision 1

Answer 15

“Guidelines for Media Sanitization,” describes the best practices for combating data remanence.

Question 16

How is overwriting data accomplished?

Answer 16

Overwriting data entails replacing the 1’s and 0’s that represent it on storage media with random or fixed patterns of 1’s and 0’s to render the original data unrecoverable.

Question 17

Degaussing

Answer 17

Degaussing is the process of removing or reducing the magnetic field patterns on conventional disk drives or tapes.

Question 18

Data at rest

Answer 18

Data at rest refers to data that resides in external or auxiliary storage devices, such as hard drives or optical discs.

Question 19

How do you protect data at rest?

Answer 19

Whole-disk encryption is a good way to protect data at rest.

Question 20

Data in motion

Answer 20

Data in motion is data that is moving between computing nodes over a data network such as the Internet.

Question 21

How is cryptography used to protect data in motion?

Answer 21

• TLS
• IPSec
• VPNs

Question 22

Data in use

Answer 22

Data in use is the term for data residing in primary storage devices, such as:

• Volatile memory (e.g. RAM)
• Memory caches
• CPU registers.

Question 23

Scoping

Answer 23

Scoping is taking a broader standard and trimming out the irrelevant or otherwise unwanted parts.

Question 24

Tailoring

Answer 24

Tailoring is when you make changes to specific provisions in a standard so they better address your requirements.

Question 25

Data leak

Answer 25

A data leak means that the confidentiality of the data has been compromised.

Question 26

Data leak prevention (DLP)

Answer 26

Data leak prevention (DLP) comprises the actions that organizations take to prevent unauthorized external parties from gaining access to sensitive data.

Question 27

Network DLP

Answer 27

Network DLP (NDLP) applies data protection policies to data in motion.

Question 28

Endpoint DLP

Answer 28

Endpoint DLP (EDLP) applies data protection policies to data at rest and data in use.

Question 29

You need to declassify a data asset. Where should you look for guidance?

Answer 29

Your organization’s policies and procedures.

Question 30

What is Data Leakage?

Answer 30

The unauthorized transmission of information to an external destination.

Question 31

In order to determine what information protection to apply to given information, what must you know first?

Answer 31

The classification level of the data.

Question 32

Erasing, purging, and degaussing are examples of what?

Answer 32

Data destruction.

Question 33

True or false: all data should be handled in the same manner.

Answer 33

False

Each classification level shold have separate handling requirements and procedures.

Question 34

Who should identify the classification of an information asset?

Answer 34

The information owner.

The information owner should:

• Understand the organization’s classification scheme
• Be familiar with legal and regulatory requirements
• Carry out classification processes in a consistent manner
• Have the processes reviewed
• Carry out declassification processes when necessary.

Question 35

What is Asset Security?

Answer 35

The concept of identifying what assets you have and determine what types of controls are appropriate for each.

The types of assets and the types of controls should be defined in your organization’s policies, standards, and procedures.

Question 36

What is the best way to ensure data privacy?

Answer 36

Limit the amount of data collected.

Question 37

Who is responsible for checking to see if controls are being implemented properly?

Answer 37

Auditor.

Question 38

Complete this sentence: “The longer you keep data, …”

Answer 38

“…the more liable you are.”

Businesses should take into account the useful life of data and associated legal and regulatory requirements to determine how long data should be retained.

Question 39

Where should Data Marking be located on documents?

Answer 39

The cover and inside.

Question 40

What is Data Archival?

Answer 40

A copy of data that is no longer in use, used in case the data is needed sometime in the future.

Question 41

What are the four basic steps of the Information Life Cycle?

Answer 41

• Acquisition
• Classification and Marking
• Use and Archival
• Destruction

There are other life cycle models but this is the one we teach in the Human Element course.

Question 42

Labeling data with the classification level is an example of what?

Answer 42

Data Marking

Question 43

True or false: data is the only asset that needs to be classified.

Answer 43

False.

Applications and systems may also need to be classified.

Question 44

What is “single pass” data overwriting?

Answer 44

Data is overwritten once with a “1” or a “0”.

Question 45

After information is acquired by an organization what three steps should be taken?

Answer 45

• Attach system metadata
• Process metadata
• Index the data

The data is indexed to facilitate searching.

Question 46

What is degaussing?

Answer 46

Magnetic scrambling of the data on a tape or disk.

Question 47

Who is responsible for maintaning data and implementing data controls?

Answer 47

Data Custodian.

Question 48

What is Data Remanence?

Answer 48

Residual representations of the data that remains after being erased.

Question 49

Roles and responsibilities for data classification should be contained in what document?

Answer 49

Data Classification Policy.

Question 50

What is a Data Backup?

Answer 50

A copy of data currently in use used for recovering from the loss of the original data.