Chapter 2
Asset Security (Domain 2)

1. Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she using to protect against it?
   1. Man-in-the-middle, VPN
   2. Packet injection, encryption
   3. Sniffing, encryption
   4. Sniffing, TEMPEST

2. COBIT, Control Objectives for Information and Related Technology, is a framework for IT management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls against business requirements?
   1. Business owners
   2. Data processors
   3. Data owners
   4. Data stewards

3. What term is used to describe a starting point for a minimum security standard?
   1. Outline
   2. Baseline
   3. Policy
   4. Configuration guide

4. When media is labeled based on the classification of the data it contains, what rule is typically applied regarding labels?
   1. The data is labeled based on its integrity requirements.
   2. The media is labeled based on the highest classification level of the data it contains.
   3. The media is labeled with all levels of classification of the data it contains.
   4. The media is labeled with the lowest level of classification of the data it contains.

5. The need to protect sensitive data drives what administrative process?
   1. Information classification
   2. Remanence
   3. Transmitting data
   4. Clearing

6. How can a data retention policy help to reduce liabilities?
   1. By ensuring that unneeded data isn't retained
   2. By ensuring that incriminating data is destroyed
   3. By ensuring that data is securely wiped so it cannot be restored for legal discovery
   4. By reducing the cost of data storage required by law

7. Staff in an IT department who are delegated responsibility for day-to-day tasks hold what data role?
   1. Business owner
   2. User
   3. Data processor
   4. Custodian
8. Susan works for an American company that conducts business with customers in the European Union. What is she likely to have to do if she is responsible for handling PII from those customers?
   1. Encrypt the data at all times.
   2. Label and classify the data according to HIPAA.
   3. Conduct yearly assessments to the EU DPD baseline.
   4. Comply with the US-EU Safe Harbor requirements.

9. Ben has been tasked with identifying security controls for systems covered by his organization's information classification system. Why might Ben choose to use a security baseline?
   1. It applies in all circumstances, allowing consistent security controls.
   2. They are approved by industry standards bodies, preventing liability.
   3. They provide a good starting point that can be tailored to organizational needs.
   4. They ensure that systems are always in a secure state.

10. What term is used to describe overwriting media to allow for its reuse in an environment operating at the same sensitivity level?
   1. Clearing
   2. Erasing
   3. Purging
   4. Sanitization

11. Which of the following classification levels is the US government's classification label for data that could cause damage but wouldn't cause serious or grave damage?
   1. Top Secret
   2. Secret
   3. Confidential
   4. Classified

12. What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs?
   1. They can be used to hide data.
   2. They can only be degaussed.
   3. They are not addressable, resulting in data remanence.
   4. They may not be cleared, resulting in data remanence.

13. What term describes data that remains after attempts have been made to remove the data?
   1. Residual bytes
   2. Data remanence
   3. Slack space
   4. Zero fill

For questions 14, 15, and 16, please refer to the following scenario:

Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations.

14. What civilian data classifications best fit this data?
   1. Unclassified, confidential, top secret
   2. Public, sensitive, private
   3. Public, sensitive, proprietary
   4. Public, confidential, private

15. What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it?
   1. Classification
   2. Symmetric encryption
   3. Watermarks
   4. Metadata

16. What type of encryption should you use on the file servers for the proprietary data, and how might you secure the data when it is in motion?
   1. TLS at rest and AES in motion
   2. AES at rest and TLS in motion
   3. VPN at rest and TLS in motion
   4. DES at rest and AES in motion
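Added example for the watermarking idea in question 15; this is not code from the test bank. Each copy of a trade-secret document handed to a recipient gets a tag derived with HMAC-SHA256 from a key the data owner holds and the recipient's identity, so a leaked copy can be traced back to whoever received it. The recipients, the key, the document text and the `[WM:...]` tag format are constructed for illustration.

```python
"""Per-recipient watermarking of a trade-secret document (added example).

A keyed tag is appended to each issued copy.  Because the tag is an HMAC,
a recipient cannot forge another recipient's tag without the key, and the
owner can match a leaked copy against the list of people who were issued one.
"""
import hashlib
import hmac
import re

# Constructed sample data: the owner's watermark key and the people who were
# each issued a copy.  In practice the key lives in a secrets store.
WATERMARK_KEY = b"rotate-me-this-is-a-demo-key"
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com"]

# Tag format assumed for this example: 16 hex characters inside [WM:...].
TAG_RE = re.compile(r"\[WM:([0-9a-f]{16})\]")


def recipient_tag(recipient: str, key: bytes = WATERMARK_KEY) -> str:
    """First 64 bits of HMAC-SHA256(key, recipient), as lowercase hex."""
    return hmac.new(key, recipient.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def watermark(document: str, recipient: str, key: bytes = WATERMARK_KEY) -> str:
    """Return the copy of `document` issued to `recipient`, tag appended."""
    return f"{document.rstrip()}\n[WM:{recipient_tag(recipient, key)}]\n"


def identify_source(leaked: str, recipients, key: bytes = WATERMARK_KEY):
    """Recover the tag from a leaked copy and return the matching recipient.

    Returns None when no tag survives or no known recipient matches.
    The digest comparison is constant-time.
    """
    match = TAG_RE.search(leaked)
    if not match:
        return None
    found = match.group(1)
    for recipient in recipients:
        if hmac.compare_digest(found, recipient_tag(recipient, key)):
            return recipient
    return None


if __name__ == "__main__":
    doc = "PROPRIETARY: the new process yields 14% above the industry baseline."
    copies = {r: watermark(doc, r) for r in RECIPIENTS}
    # A copy found outside the company: whose was it?
    print(identify_source(copies["bob@example.com"], RECIPIENTS))
```

A visible footer tag is trivial to strip, so production schemes hide the mark in the content itself (zero-width characters, spacing, pixel-level changes in images) and tolerate partial damage. The point that carries over is the attribution property: a watermark does not stop a leak, it tells you who leaked, and only if the mark survives.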
17. What does labeling data allow a DLP system to do?
   1. The DLP system can detect labels and apply appropriate protections.
   2. The DLP system can adjust labels based on changes in the classification scheme.
   3. The DLP system can notify the firewall that traffic should be allowed through.
   4. The DLP system can delete unlabeled data.

18. Why is it cost effective to purchase high-quality media to contain sensitive data?
   1. Expensive media is less likely to fail.
   2. The value of the data often far exceeds the cost of the media.
   3. Expensive media is easier to encrypt.
   4. More expensive media typically improves data integrity.

19. Chris is responsible for workstations throughout his company and knows that some of the company's workstations are used to handle proprietary information. Which option best describes what should happen at the end of their life cycle for workstations he is responsible for?
   1. Erasing
   2. Clearing
   3. Sanitization
   4. Destruction

20. Which is the proper order from least to most sensitive for US government classifications?
   1. Confidential, Secret, Top Secret
   2. Confidential, Classified, Secret
   3. Top Secret, Secret, Classified, Public, Classified, Top Secret
   4. Public, Unclassified, Classified, Top Secret

21. What scenario describes data at rest?
   1. Data in an IPsec tunnel
   2. Data in an e-commerce transaction
   3. Data stored on a hard drive
   4. Data stored in RAM

22. If you are selecting a security standard for a Windows 10 system that processes credit cards, what security standard is your best choice?
   1. Microsoft's Windows 10 security baseline
   2. The CIS Windows 10 baseline
   3. PCI DSS
   4. The NSA Windows 10 baseline

Use the following scenario for questions 23, 24, and 25.

The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Answer the following questions based on this decision.

23. The CIS benchmarks are an example of what practice?
   1. Conducting a risk assessment
   2. Implementing data labeling
   3. Proper system ownership
   4. Using security baselines

24. Adjusting the CIS benchmarks to your organization's mission and your specific IT systems would involve what two processes?
   1. Scoping and selection
   2. Scoping and tailoring
   3. Baselining and tailoring
   4. Tailoring and selection

25. How should you determine what controls from the baseline a given system or software package should receive?
   1. Consult the custodians of the data.
   2. Select based on the data classification of the data it stores or handles.
   3. Apply the same controls to all systems.
   4. Consult the business owner of the process the system or data supports.

26. What problem with FTP and Telnet makes using SFTP and SSH better alternatives?
   1. FTP and Telnet aren't installed on many systems.
   2. FTP and Telnet do not encrypt data.
   3. FTP and Telnet have known bugs and are no longer maintained.
   4. FTP and Telnet are difficult to use, making SFTP and SSH the preferred solution.

27. The government defense contractor that Saria works for has recently shut down a major research project and is planning on reusing the hundreds of thousands of dollars of systems and data storage tapes used for the project for other purposes. When Saria reviews the company's internal processes, she finds that she can't reuse the tapes and that the manual says they should be destroyed. Why isn't Saria allowed to degauss and then reuse the tapes to save her employer money?
   1. Data permanence may be an issue.
   2. Data remanence is a concern.
   3. The tapes may suffer from bit rot.
   4. Data from tapes can't be erased by degaussing.

28. Information maintained about an individual that can be used to distinguish or trace their identity is known as what type of information?
   1. Personally identifiable information (PII)
   2. Personal health information (PHI)
   3. Social Security number (SSN)
   4. Secure identity information (SII)

29. What is the primary information security risk to data at rest?
   1. Improper classification
   2. Data breach
   3. Decryption
   4. Loss of data integrity

30. Full disk encryption like Microsoft's BitLocker is used to protect data in what state?
   1. Data in transit
   2. Data at rest
   3. Unlabeled data
   4. Labeled data
31. Sue's employer has asked her to use an IPsec VPN to connect to its network. When Sue connects, what does the IPsec VPN allow her to do?
   1. Send decrypted data over a public network and act like she is on her employer's internal network.
   2. Create a private encrypted network carried via a public network and act like she is on her employer's internal network.
   3. Create a virtual private network using TLS while on her employer's internal network.
   4. Create a tunneled network that connects her employer's network to her internal home network.

32. What is the primary purpose of data classification?
   1. It quantifies the cost of a data breach.
   2. It prioritizes IT expenditures.
   3. It allows compliance with breach notification laws.
   4. It identifies the value of the data to the organization.

33. Fred's organization allows downgrading of systems for reuse after projects have been finished and the systems have been purged. What concern should Fred raise about the reuse of the systems from his Top Secret classified project for a future project classified as Secret?
   1. The Top Secret data may be commingled with the Secret data, resulting in a need to relabel the system.
   2. The cost of the sanitization process may exceed the cost of new equipment.
   3. The data may be exposed as part of the sanitization process.
   4. The organization's DLP system may flag the new system due to the difference in data labels.

34. Which of the following concerns should not be part of the decision when classifying data?
   1. The cost to classify the data
   2. The sensitivity of the data
   3. The amount of harm that exposure of the data could cause
   4. The value of the data to the organization

35. Which of the following is the least effective method of removing data from media?
   1. Degaussing
   2. Purging
   3. Erasing
   4. Clearing

36. Safe Harbor is part of a US program to meet what European Union law?
   1. The EU CyberSafe Act
   2. The Network and Information Security (NIS) directives
   3. The General Data Protection Regulation (GDPR)
   4. The EU Data Protection Directive

Use the following scenario to answer questions 37, 38, and 39.

The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit.

Classification: Confidential (HIPAA)
   Handling requirements: Encrypt at rest and in transit. Full disk encryption required for all workstations. Files can only be sent in encrypted form, and passwords must be transferred under separate cover. Printed documents must be labeled with "HIPAA handling required."

Classification: Private (PHI)
   Handling requirements: Encrypt at rest and in transit. PHI must be stored on secure servers, and copies should not be kept on local workstations. Printed documents must be labeled with "Private."

Classification: Sensitive (business confidential)
   Handling requirements: Encryption is recommended but not required.

Classification: Public
   Handling requirements: Information can be sent unencrypted.

Using the table, answer the following questions.

37. What type of encryption would be appropriate for HIPAA documents in transit?
   1. AES-256
   2. DES
   3. TLS
   4. SSL

38. Lauren's employer asks Lauren to classify patient X-ray data that has an internal patient identifier associated with it but does not have any way to directly identify a patient. The company's data owner believes that exposure of the data could cause damage (but not exceptional damage) to the organization. How should Lauren classify the data?
   1. Public
   2. Sensitive
   3. Private
   4. Confidential

39. What technology could Lauren's employer implement to help prevent confidential data from being emailed out of the organization?
   1. DLP
   2. IDS
   3. A firewall
   4. UDP
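Added example, not part of the original scenario: the handling table above expressed as code, the way a DLP rule set or a mail gateway policy would encode it, in Python. The classification names and their handling rules are the table's; the ordering of the four levels (least to most sensitive), the `Transmission` fields, the "allow/warn/deny" decisions and the sample messages are my own assumptions. The same ordering gives the "label the container at the highest level of its contents" rule asked about in questions 4 and 40.

```python
"""Handling-policy check derived from the scenario's classification table (added example).

Encodes the four levels in order of sensitivity and the table's rules for
data in transit, then decides whether a proposed transmission is permitted.
"""
from dataclasses import dataclass

# Least to most sensitive, as the scenario's policy treats them (assumed order).
LEVELS = ["Public", "Sensitive", "Private", "Confidential"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def highest_level(labels) -> str:
    """A container (file, drive, database) takes the highest label of its contents."""
    if not labels:
        raise ValueError("no labels given")
    return max(labels, key=lambda label: RANK[label])


@dataclass(frozen=True)
class Transmission:
    """One proposed send, with the facts the table's rules depend on (my field names)."""
    label: str                       # classification of the data being sent
    encrypted: bool                  # TLS/PGP/encrypted archive applied
    password_separate: bool = False  # decryption password sent under separate cover
    printed: bool = False            # a hard copy is being sent
    print_label: str = ""            # marking on the hard copy


def check_handling(t: Transmission):
    """Return (decision, reason); decision is 'allow', 'warn' or 'deny'."""
    if t.label not in RANK:
        return "deny", f"unknown classification {t.label!r}"
    if t.label == "Public":
        return "allow", "public data may be sent unencrypted"
    if t.label == "Sensitive":
        if t.encrypted:
            return "allow", "sensitive data sent encrypted"
        return "warn", "encryption is recommended but not required for sensitive data"
    # Private (PHI) and Confidential (HIPAA): encryption is mandatory.
    if not t.encrypted:
        return "deny", f"{t.label} data must be encrypted in transit"
    if t.label == "Confidential" and not t.password_separate:
        return "deny", "password must be transferred under separate cover"
    if t.printed:
        required = "HIPAA handling required" if t.label == "Confidential" else "Private"
        if t.print_label != required:
            return "deny", f"printed copy must be labeled {required!r}"
    return "allow", f"{t.label} handling requirements satisfied"


if __name__ == "__main__":
    # Constructed sample: a backup set mixing all four levels is a Confidential asset.
    print(highest_level(["Public", "Sensitive", "Confidential", "Private"]))
    print(check_handling(Transmission("Confidential", encrypted=True)))
    print(check_handling(Transmission("Confidential", encrypted=True, password_separate=True)))
```

A real DLP engine matches labels in document metadata or headers rather than trusting a field the sender fills in, and question 17's point holds: the engine can only apply these rules to data that carries a label it can detect.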
40. A US government database contains Secret, Confidential, and Top Secret data. How should it be classified?
   1. Top Secret
   2. Confidential
   3. Secret
   4. Mixed classification

41. What tool is used to prevent employees who leave from sharing proprietary information with their new employers?
   1. Encryption
   2. NDA
   3. Classification
   4. Purging

42. What encryption algorithm is used by both BitLocker and Microsoft's Encrypting File System?
   1. Blowfish
   2. Serpent
   3. AES
   4. 3DES

43. Chris is responsible for his organization's security standards and has guided the selection and implementation of a security baseline for Windows PCs in his organization. How can Chris most effectively make sure that the workstations he is responsible for are being checked for compliance and that settings are being applied as necessary?
   1. Assign users to spot-check baseline compliance.
   2. Use Microsoft Group Policy.
   3. Create startup scripts to apply policy at system start.
   4. Periodically review the baselines with the data owner and system owners.

44. What term is used to describe a set of common security configurations, often provided by a third party?
   1. Security policy
   2. Baseline
   3. DSS
   4. SP 800

45. What type of policy describes how long data is retained and maintained before destruction?
   1. Classification
   2. Audit
   3. Record retention
   4. Availability

46. Which attack helped drive vendors to move away from SSL toward TLS-only by default?
   1. POODLE
   2. Stuxnet
   3. BEAST
   4. CRIME
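Added example, not from the page: what "TLS only" looks like in a client configuration, using Python's standard `ssl` module. The context refuses SSL 3.0 (the version POODLE exploited), sets TLS 1.2 as the floor so the TLS 1.0/1.1 generation is never negotiated, turns off TLS compression (which CRIME abused), and keeps certificate and hostname verification on. `context_summary` and `accepts_version` are my own helpers for checking the result; they reason about the configured bounds, not about what a particular server would actually offer.

```python
"""Hardened TLS client context and a pre-deployment check (added example).

Questions 46, 71 and 72 turn on "TLS, not SSL" for data in transit; this is
the configuration that enforces it on the client side.
"""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the peer and negotiates TLS 1.2 or newer only."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0, TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION        # TLS-level compression enables CRIME
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the settings that matter, for logging or assertions."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def accepts_version(ctx: ssl.SSLContext, name: str) -> bool:
    """Would this context be willing to negotiate the named protocol version?

    `name` is a member of ssl.TLSVersion such as "SSLv3", "TLSv1", "TLSv1_2".
    This checks the context's configured bounds only; the library and the peer
    may further restrict what is actually offered on the wire.
    """
    version = ssl.TLSVersion[name]
    if version == ssl.TLSVersion.SSLv3 and ctx.options & ssl.OP_NO_SSLv3:
        return False
    low, high = ctx.minimum_version, ctx.maximum_version
    if low != ssl.TLSVersion.MINIMUM_SUPPORTED and version < low:
        return False
    if high != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > high:
        return False
    return True


if __name__ == "__main__":
    ctx = hardened_client_context()
    print(context_summary(ctx))
    for v in ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"):
        print(v, "accepted" if accepts_version(ctx, v) else "refused")
```

Use the returned context with `ssl.SSLContext.wrap_socket` or pass it to an HTTP client that accepts one. The server side needs the mirror-image configuration; confirming it from outside is a job for a TLS scanner, not for this client check.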
47. What security measure can provide an additional security control in the event that backup tapes are stolen or lost?
   1. Keep multiple copies of the tapes.
   2. Replace tape media with hard drives.
   3. Use appropriate security labels.
   4. Use AES-256 encryption.

48. Joe works at a major pharmaceutical research and development company and has been tasked with writing his organization's data retention policy. As part of its legal requirements, the organization must comply with the US Food and Drug Administration's Code of Federal Regulations Title 21. To do so, it is required to retain records with electronic signatures. Why would a signature be part of a retention requirement?
   1. It ensures that someone has reviewed the data.
   2. It provides confidentiality.
   3. It ensures that the data has not been changed.
   4. It validates who approved the data.

49. What protocol is preferred over Telnet for remote server administration via the command line?
   1. SCP
   2. SFTP
   3. WDS
   4. SSH

50. What method uses a strong magnetic field to erase media?
   1. Magwipe
   2. Degaussing
   3. Sanitization
   4. Purging

51. What primary issue does personnel retention deal with?
   1. Employees quitting
   2. Employees not moving on to new positions
   3. Knowledge gained after employment
   4. Knowledge gained during employment

52. Alex works for a government agency that is required to meet US federal government requirements for data security. To meet these requirements, Alex has been tasked with making sure data is identifiable by its classification level. What should Alex do to the data?
   1. Classify the data.
   2. Encrypt the data.
   3. Label the data.
   4. Apply DRM to the data.

53. Ben is following the NIST Special Publication 800-88 guidelines for sanitization and disposition as shown in the following diagram. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow?
   1. Destroy, validate, document
   2. Clear, purge, document
   3. Purge, document, validate
   4. Purge, validate, document
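Added example for question 53 (and for the SSD, degaussing and validation points raised in questions 12, 67, 85 and 89); the decision diagram the question refers to is not reproduced on this page, and this code is mine, not NIST's or the test bank's. It models the SP 800-88 Rev. 1 disposition flow as I read it (categorization, reuse or not, leaving organizational control or not, then validate and document on every path) and gates release of media on the fields a certificate of sanitization records. The decision table, the per-media-type technique lists and the sample record are assumptions to confirm against the current revision of 800-88, not quotations from it.

```python
"""Sanitization decision flow modeled on NIST SP 800-88 Rev. 1 (added example).

The tables below are my reading of the 800-88 decision diagram and its
Appendix A technique guidance; verify them against the current revision.
"""

# (security categorization, media leaves organizational control) -> method,
# for media that will be reused.  Media that will not be reused is destroyed.
_REUSE_DECISION = {
    ("low", False): "clear",
    ("low", True): "purge",
    ("moderate", False): "clear",
    ("moderate", True): "purge",
    ("high", False): "purge",
    ("high", True): "destroy",
}

# Techniques that achieve clear/purge per media type (abridged, my reading of
# Appendix A).  Degaussing is not a purge method for flash: it has no effect on
# the cells, and overwriting cannot reach over-provisioned or spare blocks.
_TECHNIQUES = {
    "magnetic": {"clear": {"overwrite"},
                 "purge": {"degauss", "ata-secure-erase", "crypto-erase"}},
    "flash": {"clear": {"overwrite"},
              "purge": {"ata-secure-erase", "nvme-sanitize", "crypto-erase"}},
}
_DESTROY = {"shred", "disintegrate", "pulverize", "incinerate"}


def sanitization_method(categorization: str, reuse: bool, leaves_control: bool) -> str:
    """Clear, purge or destroy, per the disposition flow."""
    cat = categorization.lower()
    if cat not in ("low", "moderate", "high"):
        raise ValueError(f"unknown security categorization {categorization!r}")
    if not reuse:
        return "destroy"
    return _REUSE_DECISION[(cat, bool(leaves_control))]


def sanitization_steps(categorization: str, reuse: bool, leaves_control: bool) -> list:
    """Every branch of the flow ends with validation, then documentation."""
    return [sanitization_method(categorization, reuse, leaves_control), "validate", "document"]


def technique_permitted(media_type: str, method: str, technique: str) -> bool:
    """Is `technique` an acceptable way to achieve `method` on this media type?"""
    if method == "destroy":
        return technique in _DESTROY
    return technique in _TECHNIQUES.get(media_type, {}).get(method, set())


def release_allowed(record: dict):
    """Gate on the certificate-of-sanitization fields before media leaves custody.

    `record` is a constructed dict whose keys mirror the fields such a
    certificate carries: media_type, categorization, reuse, leaves_control,
    method, technique, performed_by, validated_by, validation_result.
    Returns (allowed, reason).
    """
    expected = sanitization_method(record["categorization"], record["reuse"], record["leaves_control"])
    if record["method"] != expected:
        return False, f"method {record['method']!r} does not satisfy required {expected!r}"
    if not technique_permitted(record["media_type"], record["method"], record["technique"]):
        return False, (f"{record['technique']!r} is not a valid {record['method']} "
                       f"technique for {record['media_type']} media")
    if not record.get("validated_by") or record.get("validation_result") != "pass":
        return False, "validation not recorded; remanence cannot be ruled out"
    return True, "sanitized, validated and documented"


if __name__ == "__main__":
    # Constructed record for Ben's case: moderate data, SSD sold as surplus.
    sample = {"media_type": "flash", "categorization": "moderate", "reuse": True,
              "leaves_control": True, "method": "purge", "technique": "crypto-erase",
              "performed_by": "b.jones", "validated_by": "a.smith", "validation_result": "pass"}
    print(sanitization_steps("moderate", reuse=True, leaves_control=True))
    print(release_allowed(sample))
```

The validation step is what question 67 is about: the record is only as good as the read-back or verification that someone other than the operator actually performed, which is why `release_allowed` refuses a record with no validator or a failed result.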
54. What methods are often used to protect data in transit?
   1. Telnet, ISDN, UDP
   2. Encrypted storage media
   3. AES, Serpent, IDEA
   4. TLS, VPN, IPsec

55. Which data role is described as the person who has ultimate organizational responsibility for data?
   1. System owners
   2. Business owners
   3. Data owners
   4. Mission owners

56. What US government agency oversees compliance with the Safe Harbor framework for organizations wishing to use the personal data of EU citizens?
   1. The FTC
   2. The FDA
   3. The DoD
   4. The Department of Commerce

For questions 57, 58, and 59, use the following scenario.

Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process:
   1. Criteria are set for classifying data.
   2. Data owners are established for each type of data.
   3. Data is classified.
   4. Required controls are selected for each classification.
   5. Baseline security standards are selected for the organization.
   6. Controls are scoped and tailored.
   7. Controls are applied and enforced.
   8. Access is granted and managed.
Use the classification process to answer the following questions.

57. If Chris is one of the data owners for the organization, what steps in this process is he most likely responsible for?
   1. He is responsible for steps 3, 4, and 5.
   2. He is responsible for steps 1, 2, and 3.
   3. He is responsible for steps 5, 6, and 7.
   4. All of the steps are his direct responsibility.

58. Chris manages a team of system administrators. What data role are they fulfilling if they conduct steps 6, 7, and 8 of the classification process?
   1. They are system owners and administrators.
   2. They are administrators and custodians.
   3. They are data owners and administrators.
   4. They are custodians and users.

59. If Chris's company operates in the European Union and has been contracted to handle the data for a third party, what role is his company operating in when it uses this process to classify and handle data?
   1. Business owners
   2. Mission owners
   3. Data processors
   4. Data administrators

60. Which of the following is not a part of the European Union's Data Protection principles?
   1. Notice
   2. Reason
   3. Security
   4. Access

61. Ben's company, which is based in the EU, hires a third-party organization that processes data for it. Who has responsibility to protect the privacy of the data and ensure that it isn't used for anything other than its intended purpose?
   1. Ben's company is responsible.
   2. The third-party data processor is responsible.
   3. The data controller is responsible.
   4. Both organizations bear equal responsibility.

62. Major Hunter, a member of the US armed forces, has been entrusted with information that, if exposed, could cause serious damage to national security. Under US government classification standards, how should this data be classified?
   1. Unclassified
   2. Top Secret
   3. Confidential
   4. Secret

63. When a computer is removed from service and disposed of, the process that ensures that all storage media has been removed or destroyed is known as what?
   1. Sanitization
   2. Purging
   3. Destruction
   4. Declassification

64. Linux systems that use bcrypt are using a tool based on what DES alternative encryption scheme?
   1. 3DES
   2. AES
   3. Diffie-Hellman
   4. Blowfish

65. Susan works in an organization that labels all removable media with the classification level of the data it contains, including public data. Why would Susan's employer label all media instead of labeling only the media that contains data that could cause harm if it was exposed?
   1. It is cheaper to order all prelabeled media.
   2. It prevents sensitive media from not being marked by mistake.
   3. It prevents reuse of public media for sensitive data.
   4. Labeling all media is required by HIPAA.

66. Data stored in RAM is best characterized as what type of data?
   1. Data at rest
   2. Data in use
   3. Data in transit
   4. Data at large

67. What issue is the validation portion of the NIST SP 800-88 sample certificate of sanitization intended to help prevent?
   1. Destruction
   2. Reuse
   3. Data remanence
   4. Attribution

68. Why is declassification rarely chosen as an option for media reuse?
   1. Purging is sufficient for sensitive data.
   2. Sanitization is the preferred method of data removal.
   3. It is more expensive than new media and may still fail.
   4. Clearing is required first.

69. NIST SP 800-60 provides a process shown in the following diagram to assess information systems. What process does this diagram show?
   1. Selecting a standard and implementing it
   2. Categorizing and selecting controls
   3. Baselining and selecting controls
   4. Categorizing and sanitizing

The following image shows a typical workstation and server and their connections to each other and the Internet. Use the image to answer questions 70, 71, and 72.

70. Which letters should be associated with data at rest?
   1. A, B, and C
   2. C and E
   3. A and E
   4. B, D, and F

71. What would be the best way to secure data at points B, D, and F?
   1. AES-256
   2. SSL
   3. TLS
   4. 3DES

72. What is the best way to secure files that are sent from workstation A via the Internet service (C) to remote server E?
   1. Use AES at rest at point A, and TLS in transit via B and D.
   2. Encrypt the data files and send them.
   3. Use 3DES and TLS to provide double security.
   4. Use full disk encryption at A and E, and use SSL at B and D.
73. Incineration, crushing, shredding, and disintegration all describe what stage in the life cycle of media?
   1. Sanitization
   2. Degaussing
   3. Purging
   4. Destruction

74. The European Union (EU) Data Protection Directive's seven principles do not include which of the following key elements?
   1. The need to inform subjects when their data is being collected
   2. The need to set a limit on how long data is retained
   3. The need to keep the data secure
   4. The need to allow data subjects to be able to access and correct their data

75. Why might an organization use unique screen backgrounds or designs on workstations that deal with data of different classification levels?
   1. To indicate the software version in use
   2. To promote a corporate message
   3. To promote availability
   4. To indicate the classification level of the data or system

76. Charles has been asked to downgrade the media used for storage of private data for his organization. What process should Charles follow?
   1. Degauss the drives, and then relabel them with a lower classification level.
   2. Pulverize the drives, and then reclassify them based on the data they contain.
   3. Follow the organization's purging process, and then downgrade and replace labels.
   4. Relabel the media, and then follow the organization's purging process to ensure that the media matches the label.

77. Which of the following tasks are not performed by a system owner per NIST SP 800-18?
   1. Develops a system security plan
   2. Establishes rules for appropriate use and protection of data
   3. Identifies and implements security controls
   4. Ensures that system users receive appropriate security training

78. Susan needs to provide a set of minimum security requirements for email. What steps should she recommend for her organization to ensure that the email remains secure?
   1. All email should be encrypted.
   2. All email should be encrypted and labeled.
   3. Sensitive email should be encrypted and labeled.
   4. Only highly sensitive email should be encrypted.

79. What term describes the process of reviewing baseline security controls and selecting only the controls that are appropriate for the IT system you are trying to protect?
   1. Standard creation
   2. CIS benchmarking
   3. Baselining
   4. Scoping

80. What data role does a system that is used to process data have?
   1. Mission owner
   2. Data owner
   3. Data processor
   4. Custodian

81. Which of the following will be superseded in 2018 by the European Union's General Data Protection Regulation (GDPR)?
   1. The EU Data Protection Directive
   2. NIST SP 800-12
   3. The EU Personal Data Protection Regulation
   4. COBIT

82. What type of health information is the Health Insurance Portability and Accountability Act required to protect?
   1. PII
   2. PHI
   3. SHI
   4. HPHI

83. What encryption algorithm would provide strong protection for data stored on a USB thumb drive?
   1. TLS
   2. SHA-1
   3. AES
   4. DES

84. Lauren's multinational company wants to ensure compliance with the EU Data Protection Directive. If she allows data to be used against the requirements of the notice principle and against what users selected in the choice principle, what principle has her organization violated?
   1. Onward transfer
   2. Data integrity
   3. Enforcement
   4. Access

85. What is the best method to sanitize a solid-state drive (SSD)?
   1. Clearing
   2. Zero fill
   3. Disintegration
   4. Degaussing

For questions 86, 87, and 88, use the following scenario.

As shown in the following security life cycle diagram (loosely based on the NIST reference architecture), NIST uses a five-step process for risk management. Using your knowledge of data roles and practices, answer the following questions based on the NIST framework process.

86. What data role will own responsibility for step 1, the categorization of information systems, to whom will they delegate step 2, and what data role will be responsible for step 3?
   1. Data owners, system owners, custodians
   2. Data processors, custodians, users
   3. Business owners, administrators, custodians
   4. System owners, business owners, administrators

87. If the systems that are being assessed all handle credit card information (and no other sensitive data), at what step would the PCI DSS first play an important role?
   1. Step 1
   2. Step 2
   3. Step 3
   4. Step 4

88. What data security role is primarily responsible for step 5?
   1. Data owners
   2. Data processors
   3. Custodians
   4. Users

89. Susan's organization performs a zero fill on hard drives before they are sent to a third-party organization to be shredded. What issue is her organization attempting to avoid?
   1. Data remanence while at the third-party site
   2. Mishandling of drives by the third party
   3. Classification mistakes
   4. Data permanence

90. Embedded data used to help identify the owner of a file is an example of what type of label?
   1. Copyright notice
   2. DLP
   3. Digital watermark
   4. Steganography

91. Retaining and maintaining information for as long as it is needed is known as what?
   1. Data storage policy
   2. Data storage
   3. Asset maintenance
   4. Record retention

92. Which of the following activities is not a consideration during data classification?
   1. Who can access the data
   2. What the impact would be if the data was lost or breached
   3. How much the data cost to create
   4. What protection regulations may be required for the data

93. What type of encryption is typically used for data at rest?
   1. Asymmetric encryption
   2. Symmetric encryption
   3. DES
   4. OTP

94. Which data role is tasked with granting appropriate access to staff members?
   1. Data processors
   2. Business owners
   3. Custodians
   4. Administrators

95. Which California law requires conspicuously posted privacy policies on commercial websites that collect the personal information of California residents?
   1. The Personal Information Protection and Electronic Documents Act
   2. The California Online Privacy Protection Act
   3. California Online Web Privacy Act
   4. California Civil Code 1798.82

96. Fred is preparing to send backup tapes off-site to a secure third-party storage facility. What steps should Fred take before sending the tapes to that facility?
   1. Ensure that the tapes are handled the same way the original media would be handled based on their classification.
   2. Increase the classification level of the tapes because they are leaving the possession of the company.
   3. Purge the tapes to ensure that classified data is not lost.
   4. Encrypt the tapes in case they are lost in transit.

97. Which of the following does not describe data in motion?
   1. Data on a backup tape that is being shipped to a storage facility
   2. Data in a TCP packet
   3. Data in an e-commerce transaction
   4. Data in files being copied between locations

98. A new law is passed that would result in significant financial harm to your company if the data that it covers was stolen or inadvertently released. What should your organization do about this?
   1. Select a new security baseline.
   2. Relabel the data.
   3. Encrypt all of the data at rest and in transit.
   4. Review its data classifications and classify the data appropriately.

99. Ed has been asked to send data that his organization classifies as confidential and proprietary via email. What encryption technology would be appropriate to ensure that the contents of the files attached to the email remain confidential as they traverse the Internet?
   1. SSL
   2. TLS
   3. PGP
   4. VPN

100. Which mapping correctly matches data classifications between nongovernment and government classification schemes?
   1. Top Secret -> Confidential/Proprietary; Secret -> Private; Confidential -> Sensitive
   2. Secret -> Business confidential; Classified -> Proprietary; Confidential -> Business internal
   3. Top Secret -> Business sensitive; Secret -> Business internal; Confidential -> Business proprietary
   4. Secret -> Proprietary; Classified -> Private; Unclassified -> Public
2016 Safari.