Domain 2: Asset Security; Classifying Data

Question 1

Labels are used with subjects or objects?

Answer 1

Objects.

Question 2

When is an object labeled “Top Secret”?

Answer 2

“Top Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.

Question 3

When is an object labeled “Secret”?

Answer 3

“Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.

Question 4

When is an object labeled “Confidential”?

Answer 4

“Confidential” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to national security.

Question 5

What is SBU?

Answer 5

Sensitive but Unclassified.

Question 6

What is FOUO?

Answer 6

For Official Use Only.

Question 7

What labels do private sector companies use?

Answer 7

“Internal Use Only” and “Company Proprietary”.

Question 8

What is unclassified?

Answer 8

Data that is not sensitive.

Question 9

Who applies a label to an object?

Answer 9

Security Administrator.

Question 10

What are Security Compartments?

Answer 10

Compartments allow additional control over highly sensitive information. This is called Sensitive Compartmented Information (SCI).

Question 11

Some compartments used by the United States are HCS, COMINT (SI), GAMMA (G), TALENT KEYHOLE (TK). What do they require?

Answer 11

These compartments require a documented and approved need to know in addition to a normal clearance such as top secret.

Question 12

What is clearance?

Answer 12

A clearance is a formal determination of whether or not a user can be trusted with a specific level of information.

Question 13

What does a clearance require?

Answer 13

Each clearance requires a myriad of investigations and collection of personal data. Once all data has been gathered (including a person’s credit score, arrest record, interviews with neighbors and friends, and more), an administrative judge makes a determination on whether or not this person can be trusted with U.S. national security information.

Question 14

What are the two most popular reasons why people are not granted U.S. Government clearance?

Answer 14

Drug use and foreign influence.

Question 15

What is formal access approval?

Answer 15

Documented approval from the data owner for a subject to access certain objects, requiring the subject to understand all of the rules and requirements for accessing data, and consequences should the data become lost, destroyed, or compromised.

Question 16

In addition to clearance, what does a subject need to access compartmented information?

Answer 16

Formal access approval from the compartmented information’s data owner.

Question 17

What is ‘need to know’?

Answer 17

Need to know refers to answering the question: does the user need to know the specific data they may attempt to access?

Question 18

Which is more granular, need to know or least privilege?

Answer 18

Need to know is more granular. Unlike least privilege which groups access together, need to know access decisions are based on each individual object.

Question 19

Whereever the data exists, there must be processes to ensure…

Answer 19

1. The data is not destroyed or inaccessible.
2. Disclosed.
3. Altered.

Question 20

People handling sensitive data should be…

Answer 20

1. Trusted individuals who have been vetted by the organization.
2. Understand their role in the organization’s information security posture.

Question 21

What should policies require in regards to handling sensitive media?

Answer 21

Policies should require the inclusion of written logs detailing the person responsible for the media.

Question 22

How should sensitive data at rest be stored?

Answer 22

When storing sensitive information, it is preferable to encrypt the data. Encryption of data at rest greatly reduces the likelihood of data being disclosed in an unauthorized fashion due to security issues.

Question 23

If data is encrypted, is strong physical security needed?

Answer 23

Yes, care should be taken to ensure there are strong physical security controls whereever media containing sensitive information is accessible whether it is encrypted or not.

Question 24

How long should sensitive information be retained?

Answer 24

Retention of sensitive data should not persist beyond the usefulness or legal requirement (whichever is greater). There may be regulatory or legal reasons to keep the data beyond it’s time of utility.