CISSP - 2: Asset Security

In the event of a security incident, one of the primary objectives of the operations staff is to ensure that:
A. the attackers are detected and stopped.
B. there is minimal disruption to the org's mission.
C. appropriate documentation about the event is maintained as chain of evidence.
D. the affected systems are immediately shut off to limit to the impact
Good data management practices include data quality procedures at ____ stages of the data management process, verification and validation of accuracy of the data, adherence to ____ data management practices, ____ data audit to monitor the use and assess effectiveness of management practices and the integrity of existing data.
A. all / agreed upon / ongoing
B. some / agreed upon / ongoing
C. all / discussed / ongoing
D. all / agreed upon / intermittent
Issues to be considered by the security practitioner when establishing a data policy include:
A. Cost, Due Care and Due Diligence, Privacy, Liability, Sensitivity, Existing Law & Policy Requirements, Policy and Process
B. Cost, Ownership and Custodianship, Privacy, Liability, Sensitivity, Future Law & Policy Requirements, Policy and Process
C. Cost, Ownership and Custodianship, Privacy, Liability, Sensitivity, Existing Law & Policy Requirements, Policy and Procedure
D. Cost, Ownership and Custodianship, Privacy, Liability, Sensitivity, Existing Law & Policy Requirements, Policy and Process
The information owner typically has the following responsibilities determine the impact the information has on the ____ of the organization, understand the replacement cost of the information, determine who in the organization or outside of it has a need for the information and under what circumstances the information ____, know when the information is inaccurate or no longer needed and should be ____
A. mission / should be released / archived
B. mission / should be released / destroyed
C. policies / should not be released / destroyed
D. mission / shoudl be released / destroyed
QA/QC mechanisms are designed to prevent data contamination, which occurs when a process or event introduces either of which two fundamental types of errors into a dataset (choose 2)
A. Errors of commission.
B. Errors of insertion.
C. Errors of omission.
D. Errors of creation
A, C
Some typical responsibilities of a data custodian may include (choose all that apply):
A. Adherence to appropriate and relevant data policy and data ownership guidelines.
B. Ensuring accessibility to appropriate users, maintaining appropriate levels of dataset security.
C. Fundamental dataset maintenance, including but not limited to data storage and archiving.
D. Assurance of quality and validation of any additions to a dataset, including periodic audits to assure ongoing data integrity
A, B, C, D
The objectives of data documentation are to (choose all that apply):
A. Ensure the longevity of data and their re-use for multiple purposes.
B. Ensure that data users understand the content context and limitations of datasets.
C. Facilitate the confidentiality of datasets.
D. Facilitate the interoperability of datasets and data exchange
A, B, D
Benefits of data standards include more efficient data management, ____ data sharing, ___ quality data, improved data consistency, ____ data integration, better understanding of data, improved documentation of information resources
A. decreased / higher / increased
B. increased / higher / increased
C. increased / medium / decreased
D. increased / highest / increased
When classifying data, the security practitioner needs to determine the following aspect of the policy (choose all that apply):
A. who has access to the data.
B. what methods should be used to dispose of the data.
C. how the data is secured.
D. whether the data needs to be encrypted
A, B, C, D
The major benefit of information classification is to
A. map out the computing ecosystem.
B. identify the threats and vulnerabilities.
C. determine the software baseline.
D. identify the appropriate level of protection needs
When sensitive information is no longer critical but still within scope of a record retention policy, that information is BEST:
A. Destroyed.
B. Re-categorized.
C. Degaussed.
D. Released
What are the FOUR phases of equipment lifecycle?
A. Defining requirements, acquiring and implementing, operations and maintenance, disposal and decommission.
B. Acquiring requirements, defining and implementing, operations and maintenance, disposal and decommission.
C. Defining requirements, acquiring and maintaining, implementing and operating, disposal and decommission.
D. Defining requirements, acquiring and implementing, operations and decommission, maintenance and disposal
Which of the following BEST determines the employment suitability of an individual?
A. Job rank or title.
B. Partnership with the security team.
C. Role.
D. Background investigation
The best way to ensure that there is no data remanence of sensitive information that was once stored on a DVD-R media is by:
A. Deletion.
B. Degaussing.
C. Destruction.
D. Overwriting
Which of the following processes is concerned with not only identifying the root cause but also addressing the underlying issue?
A. Incident management.
B. Problem management.
C. Change management.
D. Configuration management
Before applying a software update to production systems, it is MOST important that:
A. Full disclosure information about the threat that the patch addresses is available.
B. The patching process is documented.
C. The production systems are backed up.
D. An independent third party attests the validity of the patch
Set of high-level principles that establish a guiding framework for data management
Data policy
Has legal rights over data, right to exploit the data, and the right to destroy it
Data owner
Ensures that important datasets are developed, maintained and are accessible within their defined specifications
Data custodian
Defined as data fitness for use or potential use
Data quality
Assessment of quality based on internal standards, processes and procedures established to control and monitor quality
Quality control
Assessment of quality based on standards external to the process and involves reviewing of the activities and quality control processes to insure final products meet predetermined standards of quality
Quality assurance
Two factors considered when setting them:
- Frequency of incorrect data fields or records
- Significance of error within a data field
Data quality expectations
Errors which include those caused by data entry or transcription or by malfunctioning equipment
Errors of commission
Errors which often include insufficient documentation of legitimate data values, which could affect the interpretation of those values
Errors of omission
Its objectives are to:
- Ensure the longevity of data and their re-use for multiple purposes
- Ensure that data users understand the content context and limitations of datasets
- Facilitate the discovery of datasets
- Facilitate the interoperability of datasets and data exchange
Data documentation
Data about data, provides information on the identification, quality, spatial context, data attributes, and distribution of datasets, using a common terminology and set of definitions that prevent loss of the original meaning and value of the resource
- Data specification and modeling processing and database maintenance and security
- Ongoing data audit, to monitor the use and continued effectiveness of existing data
- Archiving, to ensure data is maintained effectively
Data lifecycle control
Methodology that identifies the path to meet user requirements
Data modeling
Residual physical representation of data that has been in some way erased
Data remanence
Data is magnetically written onto this type of drive by altering the magnetic field of the hard drive platter
Hard disk drive
Uses flash memory to store data. Flash memory electrically stores bits of data in many arrays of memory cells
Solid state drive
Removal of sensitive data from storage devices in such a way that there is assurance that the data may not be reconstructed using normal system functions or software file/data recovery utilities, but may be with special laboratory techniques
Removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique
Removal of sensitive data by applying an alternative field that is reduced in amplitude over time from an initial high value
AC erasure degaussing
Removal of sensitive data by applying a unidirectional field
DC erasure degaussing
Erase of the encryption key of encrypted data
Its goal is to ensure information is marked in such a way that only those with an appropriate level of clearance can have access to the information
Data classification
Process of determining the impact of the loss of confidentiality, integrity, or availability of the information to an organization
Data categorization
Private, company restricted, company confidential and public are examples of...
Data categorization
Captures the basics of what assets are on hand, where they reside and who owns them
Inventory management
Centralized inventory repository with configuration information
Configuration management database
Its three primary enablers are:
- A single, centralized and relational repository
- Organizational alignment and defined processes
- Scalable technologies and infrastructure
Assessment management
Three examples are:
- Self-encrypting USB drives
- Media encryption software
- File encryption software
Encryption tools
Encrypts all of the data along a communication path
Link encryption
Encrypts the data at the start of the communications channel or before and data remains encrypted until they are decrypted at the remote end
End to end encryption
Provides an enterprise with specific terms and conditions on the applicability and implementation of individual security controls
Gives an enterprise the flexibility needed to avoid assessment approaches that are unnecessarily complex or costly while simultaneously meeting the assessment requirements established by applying the fundamental concepts of a risk management framework
CSIS initiative defines five critical tenets:
- Offense informs defense
- Prioritization
- Metrics
- Continuous monitoring
- Automation
CSIS stands for?
Center for Strategic and International Studies
NIST also created the SCAP which provides 5 specification categories:
- Languages
- Reporting formats
- Enumerations
- Measurement and scoring systems
- Integrity
SCAP stands for?
Security Content Automation Protocol