(ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests. Mike Chapple


are often used to protect data in transit?
A. Telnet, ISDN, UDP
B. BitLocker, FileVault
C. AES, Serpent, IDEA
D. TLS, VPN, IPsec

54. Which one of the following data roles bears ultimate organizational responsibility for data?
A. System owners
B. Business owners
C. Data owners
D. Mission owners

55. Shandra wants to secure an encryption key. Which location would be the most difficult to protect, if the key was kept and used in that location?
A. On a local network
B. On disk
C. In memory
D. On a public network

For questions 56–58, please refer to the following scenario:

Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process:
1. Criteria are set for classifying data.
2. Data owners are established for each type of data.
3. Data is classified.
4. Required controls are selected for each classification.
5. Baseline security standards are selected for the organization.
6. Controls are scoped and tailored.
7. Controls are applied and enforced.
8. Access is granted and managed.

56. If Chris is one of the data owners for the organization, what steps in this process is he most likely responsible for?
A. He is responsible for steps 3, 4, and 5.
B. He is responsible for steps 1, 2, and 3.
C. He is responsible for steps 5, 6, and 7.
D. All of the steps are his direct responsibility.

57. Chris manages a team of system administrators. What data role are they fulfilling if they conduct steps 6, 7, and 8 of the classification process?
A. They are system owners and administrators.
B. They are administrators and custodians.
C. They are data owners and administrators.
D. They are custodians and users.

58. If Chris's company operates in the European Union and has been contracted to handle the data for a third party, what role is his company operating in when it uses this process to classify and handle data?
A. Business owners
B. Mission owners
C. Data processors
D. Data administrators

For questions 59–62, please refer to the following scenario:

Chris has been put in charge of his organization's IT service management effort, and part of that effort includes creating an inventory of both tangible and intangible assets. As a security professional, you have been asked to provide Chris with security-related guidance on each of the following topics. Your goal is to provide Chris with the best answer from each of the options, knowing that in some cases more than one of the answers could be acceptable.

59. Chris needs to identify all of the active systems and devices on the network. Which of the following techniques will give him the most complete list of connected devices?
A. Query Active Directory for a list of all computer objects.
B. Perform a port scan of all systems on the network.
C. Ask all staff members to fill out a form listing all of their systems and devices.
D. Use network logs to identify all connected devices and track them down from there.

60. Chris knows that his inventory is only accurate at the moment it was completed. How can he best ensure that it remains up-to-date?
A. Perform a point-in-time query of network connected devices and update the list based on what is found.
B. Ensure that procurement and acquisition processes add new devices to the inventory before they are deployed.
C. Require every employee to provide an updated inventory of devices they are responsible for on a quarterly basis.
D. Manually verify every device in service at each organizational location on a yearly basis.

61. Chris knows that his organization has more than just physical assets. In fact, his organization's business involves significant intellectual property assets, including designs and formulas. Chris needs to track and inventory those assets as well. How can he most effectively ensure that he can identify and manage data throughout his organization based on its classification or type?
A. Track file extensions for common data types.
B. Ensure that data is collected in specific network share locations based on the data type and group that works with it.
C. Use metadata tagging based on data type or security level.
D. Automatically tag data by file extension type.

62. Chris has been tasked with identifying intangible assets but needs to provide his team with a list of the assets they will be inventorying. Which of the following is not an example of an intangible asset?
A. Patents
B. Databases
C. Formulas
D. Employees

63. Which of the following is not a common requirement for the collection of data under data privacy laws and statutes?
A. Only data that is needed is collected.
B. Data should be obtained lawfully and via fair methods.
C. Data should only be collected with the consent of the individual whose data is being collected.
D. Data should be collected from all individuals equally.

64. Susan works in an organization that labels all removable media with the classification level of the data it contains, including public data. Why would Susan's employer label all media instead of labeling only the media that contains data that could cause harm if it was exposed?
A. It is cheaper to order all prelabeled media.
B. It prevents sensitive media from not being marked by mistake.
C. It prevents reuse of public media for sensitive data.
D. Labeling all media is required by HIPAA.

65. Data stored in RAM is best characterized as what type of data?
A. Data at rest
B. Data in use
C. Data in transit
D. Data at large

66. What issue is the validation portion of the NIST SP 800-88 sample certificate of sanitization (shown here) intended to help prevent?

Source: Certificate of Sanitization.

A. Destruction
B. Reuse
C. Data remanence
D. Attribution

67. Why is declassification rarely chosen as an option for media reuse?
A. Purging is sufficient for sensitive data.
B. Sanitization is the preferred method of data removal.
C. It is more expensive than new media and may still fail.
D. Clearing is required first.

68. Incineration, crushing, shredding, and disintegration all describe what stage in the lifecycle of media?
A. Sanitization
B. Degaussing
C. Purging
D. Destruction

69. What term is used to describe information like prescriptions and X-rays?
A. PHI
B. Proprietary data
C. PID
D. PII

70. Why might an organization use unique screen backgrounds or designs on workstations that deal with data of different classification levels?
A. To indicate the software version in use
B. To promote a corporate message
C. To promote availability
D. To indicate the classification level of the data or system

71. Charles has been asked to downgrade the media used for storage of private data for his organization. What process should Charles follow?
A. Degauss the drives, and then relabel them with a lower classification level.
B. Pulverize the drives, and then reclassify them based on the data they contain.
C. Follow the organization's purging process, and then downgrade and replace labels.
D. Relabel the media, and then follow the organization's purging process to ensure that the media matches the label.

72. Which of the following tasks is not performed by a system owner per NIST SP 800-18?
A. Develops a system security plan
B. Establishes rules for appropriate use and protection of data
C. Identifies and implements security controls
D. Ensures that system users receive appropriate security training

73. NIST SP 800-60 provides a process shown in the following diagram to assess information systems. What process does this diagram show?

Source: NIST SP 800-60.

A. Selecting a standard and implementing it
B. Categorizing and selecting controls
C. Baselining and selecting controls
D. Categorizing and sanitizing

The following diagram shows a typical workstation and server and their connections to each other and the internet. For questions 74–76, please refer to this diagram.

74. Which letters on this diagram are locations where you might find data at rest?
A. A, B, and C
B. C and E
C. A and E
D. B, D, and F

75. What would be the best way to secure data at points B, D, and F?
A. AES-256
B. SSL
C. TLS
D. 3DES

76. What is the best way to secure files that are sent from workstation A via the internet service (C) to remote server E?
A. Use AES at rest at point A, and use TLS in transit via B and D.
B. Encrypt the data files and send them.
C. Use 3DES and TLS to provide double security.
D. Use full disk encryption at A and E, and use SSL at B and D.

77. Susan needs to provide a set of minimum security requirements for email. What steps should she recommend for her organization to ensure that the email remains secure?
A. All email should be encrypted.
B. All email should be encrypted and labeled.
C. Sensitive email should be encrypted and labeled.
D. Only highly sensitive email should be encrypted.

78. How can a data retention policy reduce liabilities?
A. By reducing the amount of storage in use
B. By limiting the number of data classifications
C. By reducing the amount of data that may need to be produced for lawsuits
D. By reducing the legal penalties for noncompliance

79. What data role does a system that is used to process data have?
A. Mission owner
B. Data owner
C. Data processor
D. Custodian

80. Which one of the following is not considered PII under US federal government regulations?
A. Name
B. Social Security number
C. Student