Domain 2: Asset Security

Question 1

Information lifecycle

Answer 1

Acquisition, Use, Archival and Disposal

Question 2

Define the Acquisition information lifecycle stage?

Answer 2

This includes creation or copying of data and applying policy controls, such as encryption

Question 3

Define the Use information lifecycle stage?

Answer 3

Where data is read or modified by users. Need to ensure confidentiality, integrity and availability are applied here.

Question 4

Define the Archival information lifecycle stage?

Answer 4

Process of archiving or backing-up data for business or regulatory purposes

Question 5

Define the Disposal information lifecycle stage?

Answer 5

Process of destruction of data that is no longer needed. Data must be rendered sufficiently difficult for an adversary to recover so that the risk of such recovery is acceptable to our organisation.

Question 6

Define Data Classification

Answer 6

Development of sensitivity labels based on value of data

Question 7

Define PII

Answer 7

Personally Identifiable Information. This is any information about an individual. This can include name, social security number, DOB, biometric records.

Question 8

Define PHI

Answer 8

Protected Health Information. This is any health related information that can be related to a specific person. The Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of PHI.

Question 9

Types of data that classification levels apply to?

Answer 9

ALL data, regardless of format, including digital, paper, video, fax, audio etc

Question 10

Define common levels of classifications for Government/Military use

Answer 10

Top Secret, Secret, Confidential, Sensitive but unclassified, and Unclassified

Question 11

Define common levels of classifications for private/commercial use

Answer 11

Confidential, Private, Sensitive, Public

Question 12

Define information classification

Answer 12

Process of understanding the value and assigning classification labels for both physical assets, and digital assets

Question 13

Define asset classification

Answer 13

Ensure that physical assets are also adequately protected, through use of sensitivity classification

Question 14

Data protection key considerations

Answer 14

Who has access to the data, what controls are in place, and what devices can be used to access data.

Question 15

Three states of data

Answer 15

Data at Rest, Data in Transit, Data in Use

Question 16

Define Data at Rest

Answer 16

Involves data stored on media such as system hard drives, external USB drives, and backup tapes. Use of encryption is popular here.

Question 17

Define Data in Transit

Answer 17

Involves data transmitted over a network. Use of TLS is applied here

Question 18

Define Data in Use

Answer 18

Refers to data in memory or temporary storage buffers, while an application is using it. Application buffers are typically cleared after use

Question 19

Define data breach

Answer 19

Any event in which an unauthorised entity can view or access sensitive data

Question 20

Define data leak

Answer 20

Where the confidentiality of data has been compromised

Question 21

Role of Executives

Answer 21

Hold ultimate responsibility for everything that happens in their organisation

Question 22

CSO vs CISO

Answer 22

CSO focused on broader security risks (including, physical security), while CISO is typically much more technology focused

Question 23

Define role of Data Owners

Answer 23

Responsible for ensuring the necessary security controls are in place, defining the security classifications and requirements. Owners can be held liable for negligence if they fail to perform due diligence in establishing and enforcing security policies to protect and sustain sensitive data.

Question 24

Rules of Behaviour

Answer 24

Clearly delineate responsibilities and expected behavior of all individuals with access to the system.

Question 25

Data custodians

Answer 25

Help protect data on a day-to-day basis. This includes, implementing and maintaining security controls, performing regular backups, validating integrity of data, restoring from backup media, retaining audit logs.

Question 26

Asset/System Owner

Answer 26

Person who owns the asset. Ensures system is labelled accurately and that appropriate security controls are in place.

Question 27

Business/Mission Owners

Answer 27

Responsible for ensuring systems provide value to business

Question 28

Data processors

Answer 28

Any system/person that processes personal data on behalf of data controller

Question 29

Data controllers

Answer 29

Person or entity that controls processing of data

Question 30

Data Administrator

Answer 30

Responsible for granting appropriate access to personnel

Question 31

Users

Answer 31

Any person who has access to data to accomplish work tasks

Question 32

Security Administrator

Answer 32

Responsible for implementing and maintaining specific security network devices and software in the enterprise

Question 33

Supervisor

Answer 33

Responsible for all user activity and any assets created and owned by these users

Question 34

Change control analyst

Answer 34

Responsible for approving or rejecting requests to make changes to the network, systems, or software

Question 35

Data analyst

Answer 35

Ensures company data is stored properly and follows a standardised naming scheme

Question 36

Auditor

Answer 36

Auditors check that the organisation complies with its own policies, and applicable laws and regulations.

Question 37

Four principles of retention

Answer 37

Taxonomy: scheme for classifying data, such as HR-1
Classification: use of sensitivity labels
Normalisation: retained data can come in a variety of formats, but can be read universally
Indexing: data can be accessed quickly

Question 38

E-Discovery

Answer 38

Process of collecting and processing electronic material for use in litigation.

1. Identification
2. Preservation
3. Collection
4. Processing
5. Review
6. Analysis
7. Production
8. Presentation

Question 39

Pseudonymisation

Answer 39

Use of alias, to represent other data. Such as use of patient number, instead of name.

Question 40

Anonymisation

Answer 40

Process of removing all relevant data so that it is impossible to identify the original

Question 41

Data Masking

Answer 41

Masks data in individual columns, so it cannot be identified

Question 42

Erasing

Answer 42

Simply deleting a file from the device

Question 43

Clearing (overwriting)

Answer 43

Overwriting a file with other junk

Question 44

Purging

Answer 44

More intensive version of clearing. This overwrites data multiple times, however, is not suitable for top secret data.

Question 45

Degaussing

Answer 45

Use of magnetic fields to destroy HDD’s and magnetic tapes

Question 46

Scoping

Answer 46

Process of taking a broader standard and trimming out the irrelevant or otherwise unwanted parts

Question 47

Tailoring

Answer 47

Customising specific provisions so they better address your requirements.

Question 48

Define DLP

Answer 48

Data Loss Prevention, focused on preventing unauthorised external parties from gaining access to sensitive data. NOT for internal parties.

Question 49

Four Step DLP Process

Answer 49

1. Data Inventory: identify the most important data
2. Data Flows: ensure that DLP tools are used strategically through specific network pathways.
3. Data Protection Strategy: Through a risk assessment
4. Implementation, Testing, and Tuning: Focus on ensuring the accuracy, interoperability, and policy engine are adequate for organisation’s needs.

Question 50

Types of DLP

Answer 50

1. Network DLP: Usually implemented at network perimeter, for the protection of data in motion.
2. Endpoint DLP: Applies protection policies to data at rest and in use on endpoint devices.
3. Hybrid DLP: Combination of both NDLD and EDLP

Question 51

EU-US Privacy Shield

Answer 51

It is a framework for regulating exchange of information between EU and USA. One of its purposes is to enable US companies to more easily receive personal data from EU entities under EU privacy laws, meant to protect European Union Citizens.

Question 52

7 Principles of EU-US Privacy Shield

Answer 52

1. Notice: an organisation must inform individuals about the purposes for which it collects and uses information about them
2. Choice: an organisation must offer individuals the opportunity to opt out
3. Accountability for onward transfer: organisations can only transfer data to other orgnaisations that comply with Notice and Choice principles.
4. Security: must take reasonable precautions to protect personal data.
5. Data integrity and purpose limitation: organisations should only collect data that is needed for processing purposes identified in the Notice principle.
6. Access: individuals must have access to personal information on organisation holds about them.
7. Recorse, enforcement, and liability: organisations must implement mechanisms to ensure compliance with the principles and provide mechanisms to handle individual complaints.

Question 53

System hardening

Answer 53

Removing unncessary services, and changing default settings

Question 54

Obfuscation

Answer 54

Process of hiding, replacing or omitting sensitive information

Question 55

Tokenisation

Answer 55

Process of using tokens to represent other data, this is is similar to pseudonymization.