Domain 3: Compare and contrast concepts and strategies to protect data Flashcards

1
Q

Personally Identifiable Information (PII):

A

PII is data that is unique to a person, for example, their social security number, biometric data, driving license number, employee records, mobile phone number, or email address.

2
Q

Protected Health Information (PHI)

A

PHI is health data that is unique to a person, such as their medical history, including diseases and treatments and various test results, such as MRI scans or X-rays.

3
Q

Financial data

A

This is data related to electronic payments, including bank account details, credit card information, and transaction records, and is subject to financial regulations and laws, such as those related to consumer privacy, anti-money laundering, and fraud prevention, including monitoring of payments and defaults.

4
Q

Trade secrets

A

Trade secrets include confidential business dealings that provide a competitive advantage. Protecting trade secrets requires a combination of legal measures, such as Non-Disclosure Agreements (NDAs) and employment contracts, and technical measures, such as restricting access to trade secret information and monitoring data flows.

5
Q

Proprietary data

A

Often overlapping with IP or trade secrets, proprietary data is data generated by a company, and can also include research or product development work.

6
Q

Human-readable data

A

This is information that can be easily understood by humans, such as text, images, and audio. This data is then encrypted for security.

7
Q

Non-human-readable data

A

This data includes binary code, machine language, and encrypted data. To protect non-human-readable data, cryptographic algorithms, secure key management, and secure hardware modules are essential to safeguard sensitive information.

8
Q

General Data Protection Regulation (GDPR)

A

EU laws guarding personal data rights and privacy in the digital realm.

9
Q

Health Insurance Portability and Accountability Act (HIPAA)

A

U.S. regulations securing the privacy of health information.

10
Q

California Consumer Privacy Act (CCPA)

A

California legislation empowering consumer data rights and privacy.

11
Q

Sarbanes-Oxley Act (SOX)

A

U.S. law ensuring financial transparency and accountability for public companies.

12
Q

Gramm-Leach-Bliley Act (GLBA)

A

U.S. act imposing privacy and security rules on financial institutions.

13
Q

Sensitive data

A

Sensitive data, often referred to as “privileged information,” encompasses any information that, if exposed, could lead to harm or undesirable consequences for individuals or organizations. It is a treasure trove

14
Q

Confidential data: Research and Development (R&D)

A

R&D data is confidential data, as its disclosure would cause damage to the company. Confidential data has strict legal protection, an example of which is attorney-client privilege. Access to confidential data typically requires authorization or special permission.

15
Q

Critical data

A

This is data that is critical for the running of the organization, such as backups or encryption keys, that could cause operation failure if corrupted or lost. It could also be classified and encrypted to prevent an outside party from accessing it.

16
Q

Private data

A

Private data is data that an individual does not want to disclose. It is data that is not meant for public consumption and is typically kept within a restricted circle of trust and that, if exposed, could cause critical damage.

17
Q

Restricted Data

A

Restricted data, also known as “confidential” information, signifies data that should have limited access and necessitates heightened security measures. It implies specific, often more stringent, limitations or conditions on how the data can be used, distributed, or accessed. Restricted data might include information that not only requires authorization for access but also has legal, regulatory, or policy-imposed constraints on its use.

18
Q

Public data

A

This is data that is available to anyone, such as yesterday’s news, leaflets, or brochures that have been distributed everywhere.

19
Q

Geolocation

A

Geolocation assists security teams in identifying the geographic/physical origins of a request for data or user authentication. Its purpose is to help verify the legitimacy of access requests by confirming whether the user or device is in an expected location. This is particularly important for online banking, two-factor authentication, and remote access to secure systems.

20
Q

Geographical restrictions

A

Geographic restrictions limit data access to users or devices based in a specified region. This approach is valuable for ensuring data compliance with specific jurisdictional regulations. However, it may pose challenges for remote work and global collaborations.

21
Q

Hashing

A

Hashing converts data into a fixed-length string of characters. It is a one-way function: the original input cannot be recovered from the hash. Hashing is used to securely store passwords in databases, but its main purpose is to ensure data integrity.

22
Q

Permission restrictions

A

Permission restrictions control who can access and modify data according to user roles and privileges. This strategy ensures that only authorized personnel can interact with sensitive information.

23
Q

Data masking

A

Data masking, akin to wearing a mask for anonymity, involves disguising sensitive data by replacing original values with fictitious ones. This technique is crucial for creating safe testing environments and sharing data for analysis without compromising privacy.

24
Q

XOR data masking

A

Exclusive OR (XOR) is a logical operation that compares two binary values (typically bits, that is, 0s and 1s) and produces an output based on a specific rule:
If the two input bits are the same (both 0 or both 1), XOR outputs 0.
If the two input bits are different (one is 0 and the other is 1), XOR outputs 1.

25
Q

Supervisory Control and Data Acquisition (SCADA)

A

SCADA systems are sophisticated automated industrial control systems (ICS) that encompass various stages of production.

26
Q

SCADA systems run on

A

The SCADA system runs on the same software as client computers and is vulnerable to the same threats.

27
Q

Four levels of SCADA (Level 0)

A

Plant Level (Level 0): This is the lowest level in the SCADA system hierarchy. It includes the physical equipment and processes on the factory floor, such as sensors, actuators, motors, pumps, and other industrial devices. These devices gather data and perform actions as directed by the higher-level controllers.

28
Q

SCADA level 1

A

Controller Level (Level 1): This level is responsible for the real-time control of the physical processes. It includes devices such as Programmable Logic Controllers (PLCs) that receive input from sensors on the plant floor, process the data, and send commands to actuators and other devices to control the industrial processes. Level 1 controllers ensure that the plant operates efficiently and safely.

29
Q

SCADA level 2

A

Coordinating Computer Level (Level 2): At this level, there are supervisory computers or Human-Machine Interface (HMI) systems that provide a centralized view of the plant’s operations. They collect data from Level 1 controllers, display it to operators, and often include control functions for higher-level coordination. Operators can monitor the plant’s status, make adjustments, and respond to alarms and events.

30
Q

SCADA level 3

A

This level is responsible for managing and controlling the overall production process. It often involves more advanced software systems that can coordinate multiple production lines or areas within the plant. Level 3 systems may also include functions such as recipe management, production scheduling, and data logging for analysis and reporting.

31
Q

Real-time operating systems (RTOS)

A

At its core, an RTOS is a specialized OS designed for applications for which timing is of paramount importance, such as light control or navigation systems, where everything happens in real time.

32
Q

Embedded systems

A

Embedded systems are specialized computing systems designed for specific tasks within a broader system or product.

33
Q

Annualized Loss Expectancy

A

Annualized Loss Expectancy (ALE) is calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO). It represents the total expected loss per year, providing a foundation for insurance and risk management decisions.

34
Q

ECC/RSA/DSA

A

How does ECC compare to RSA and DSA? The biggest difference between ECC and RSA/DSA is the greater cryptographic strength that ECC offers for equivalent key size. An ECC key is more secure than an RSA or DSA key of the same size.