(ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests. Mike Chapple

type of health information is the Health Insurance Portability and Accountability Act required to protect?
A. PII
B. PHI
C. SHI
D. HPHI

82 The system that Ian has built replaces data in a database field with a randomized string of characters that remains the same for each instance of that data. What technique has he used?
A. Data masking
B. Tokenization
C. Anonymization
D. DES
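The technique described in question 82, shown as an added worked example (this code is not from the book): a vault-based tokenizer that hands out one random token per distinct value and keeps the only copy of the value-to-token mapping, placed beside a simple masking function for contrast. The `TokenVault` and `mask_card` names are chosen for this example, and the card numbers are constructed test values, not real accounts.

```python
import secrets
import string


class TokenVault:
    """Vault-based tokenization.

    Each distinct plaintext value maps to one random token, and the same value
    always yields the same token. Because the token is drawn at random rather
    than derived from the value, a token by itself carries no information about
    the original; only a holder of the vault can reverse it. (A hash would be
    deterministic too, but low-entropy data such as card numbers can be brute
    forced against it; masking, below, is derived from the input and is not
    meant to be reversible at all.)
    """

    ALPHABET = string.ascii_uppercase + string.digits

    def __init__(self, token_length=16):
        self.token_length = token_length
        self._value_to_token = {}
        self._token_to_value = {}

    def tokenize(self, value):
        # Deterministic per value: reuse the token already issued for it.
        if value in self._value_to_token:
            return self._value_to_token[value]
        # Otherwise draw a fresh random token, rejecting the (unlikely) collision.
        while True:
            token = "".join(secrets.choice(self.ALPHABET) for _ in range(self.token_length))
            if token not in self._token_to_value:
                break
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token):
        # Reversal requires the vault; raises KeyError for an unknown token.
        return self._token_to_value[token]


def mask_card(pan):
    """Static masking for contrast: keep the last four digits, hide the rest.

    The output is computed from the input, so it is not a lookup and is not
    meant to be reversed.
    """
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


def demo():
    # Constructed sample card numbers (industry test numbers, not real accounts);
    # the first and third records carry the same value on purpose.
    records = ["4111111111111111", "5555555555554444", "4111111111111111"]
    vault = TokenVault()
    tokens = [vault.tokenize(pan) for pan in records]
    masked = [mask_card(pan) for pan in records]
    return vault, tokens, masked
```

Running `demo()` shows the property the question hinges on: the two identical card numbers receive the identical token, the token looks nothing like the card number, and `detokenize` recovers the original only through the vault.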

83 Juanita's company processes credit cards and wants to select appropriate data security standards. What data security standard is she most likely to need to use and comply with?
A. CC-Comply
B. PCI-DSS
C. GLBA
D. GDPR

84 What is the best method to sanitize a solid-state drive (SSD)?
A. Clearing
B. Zero fill
C. Disintegration
D. Degaussing

For questions 85–87, please refer to the following scenario:

As shown in the following security lifecycle diagram (loosely based on the NIST reference architecture), NIST uses a five-step process for risk management. Using your knowledge of data roles and practices, answer the following questions based on the NIST framework process.

85 What data role will own responsibility for step 1, the categorization of information systems; to whom will they delegate step 2; and what data role will be responsible for step 3?
A. Data owners, system owners, custodians
B. Data processors, custodians, users
C. Business owners, administrators, custodians
D. System owners, business owners, administrators

86 If the systems that are being assessed all handle credit card information (and no other sensitive data), at what step would the PCI DSS first play an important role?
A. Step 1
B. Step 2
C. Step 3
D. Step 4

87 What data security role is primarily responsible for step 5?
A. Data owners
B. Data processors
C. Custodians
D. Users

88 Susan's organization performs a secure disk wipe process on hard drives before they are sent to a third-party organization to be shredded. What issue is her organization attempting to avoid?
A. Data retention that is longer than defined in policy
B. Mishandling of drives by the third party
C. Classification mistakes
D. Data permanence

89 Mike wants to track hardware assets as devices and equipment are moved throughout his organization. What type of system can help do this without requiring staff to individually check bar codes or serial numbers?
A. A visual inventory
B. WiFi MAC address tracking
C. RFID tags
D. Steganography

90 Retaining and maintaining information for as long as it is needed is known as what?
A. Data storage policy
B. Data storage
C. Asset maintenance
D. Record retention

91 Which of the following activities is not a consideration during data classification?
A. Who can access the data
B. What the impact would be if the data was lost or breached
C. How much the data cost to create
D. What protection regulations may be required for the data

92 What type of encryption is typically used for data at rest?
A. Asymmetric encryption
B. Symmetric encryption
C. DES
D. OTP

93 Which data role is tasked with applying rights that provide appropriate access to staff members?
A. Data processors
B. Business owners
C. Custodians
D. Administrators

94 What element of asset security is often determined by identifying an asset's owner?
A. It identifies the individual(s) responsible for protecting the asset.
B. It provides a law enforcement contact in case of theft.
C. It helps establish the value of the asset.
D. It determines the security classification of the asset.

95 Fred is preparing to send backup tapes off-site to a secure third-party storage facility. What steps should Fred take before sending the tapes to that facility?
A. Ensure that the tapes are handled the same way the original media would be handled based on their classification.
B. Increase the classification level of the tapes because they are leaving the possession of the company.
C. Purge the tapes to ensure that classified data is not lost.
D. Decrypt the tapes in case they are lost in transit.

96 Which of the following does not describe data in motion?
A. Data on a backup tape that is being shipped to a storage facility
B. Data in a TCP packet
C. Data in an e-commerce transaction
D. Data in files being copied between locations

97 A new law is passed that would result in significant financial harm to your company if the data that it covers was stolen or inadvertently released. What should your organization do about this?
A. Select a new security baseline.
B. Relabel the data.
C. Encrypt all of the data at rest and in transit.
D. Review its data classifications and classify the data appropriately.

98 Which of the following data roles are typically found inside of a company instead of as a third-party contracting relationship? (Select all that apply.)
A. Data owners
B. Data controllers
C. Data custodians
D. Data processors

99 What commercial data classification is most appropriate for data contained on corporate websites?
A. Private
B. Sensitive
C. Public
D. Proprietary

100 Match each of the numbered data elements shown here with one of the lettered categories. You may use the categories once, more than once, or not at all. If a data element matches more than one category, choose the one that is most specific.

Data elements
1. Medical records
2. Trade secrets
3. Social Security numbers
4. Driver's license numbers

Categories
A. Proprietary data
B. Protected health information
C. Personally identifiable information

       SUBDOMAINS:

       3.1 Research, implement and manage engineering processes using secure design principles

       3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)

       3.3 Select controls based upon system security requirements

       3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)

       3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

       3.6 Select and determine cryptographic solutions

       3.7 Understand methods of cryptanalytic attacks

       3.8 Apply security principles to site and facility design

       3.9 Design site and facility security controls

1 Matthew is the security administrator for a consulting firm and must enforce access controls that restrict users' access based upon their previous activity. For example, once a consultant accesses data belonging to Acme Cola, a consulting client, they may no longer access data belonging to any of Acme's competitors. What security model best fits Matthew's needs?
A. Clark-Wilson
B. Biba
C. Bell-LaPadula
D. Brewer-Nash
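The history-dependent rule in question 1 (a subject's past reads in one conflict-of-interest class seal off the competitors in that class) is the read rule of the Brewer-Nash, or Chinese Wall, model. As an added example that is not from the book, a minimal implementation of that read rule with per-subject access history. The `ChineseWall` class, the "beverages" and "banks" conflict classes, and the competitor "Zenith Soda" are constructed for illustration; Acme Cola is the client named in the question. The model's write rule is not implemented here.

```python
from collections import defaultdict


class ChineseWall:
    """Brewer-Nash (Chinese Wall) read rule.

    Every company dataset belongs to exactly one conflict-of-interest (COI)
    class. A subject may read a dataset if it is one the subject has already
    accessed, or if the subject has accessed nothing else in that dataset's
    COI class. After the first read, every other dataset in the same COI class
    is closed to that subject; history, not clearance, drives the decision.
    """

    def __init__(self, coi_classes):
        # coi_classes: {coi_class_name: {dataset, ...}} -> invert to dataset -> class
        self.class_of = {}
        for coi, datasets in coi_classes.items():
            for dataset in datasets:
                self.class_of[dataset] = coi
        # subject -> set of datasets that subject has already read
        self.history = defaultdict(set)

    def can_read(self, subject, dataset):
        coi = self.class_of[dataset]
        for seen in self.history[subject]:
            if seen != dataset and self.class_of[seen] == coi:
                # Already committed to a competitor in this COI class.
                return False
        return True

    def read(self, subject, dataset):
        """Apply the rule and, on success, record the access in history."""
        if not self.can_read(subject, dataset):
            return False
        self.history[subject].add(dataset)
        return True


def consultant_scenario():
    # Constructed conflict classes: Acme Cola and Zenith Soda compete,
    # First Bank is in an unrelated class.
    wall = ChineseWall({
        "beverages": {"Acme Cola", "Zenith Soda"},
        "banks": {"First Bank"},
    })
    return [
        wall.read("consultant", "Acme Cola"),    # no history yet: allowed
        wall.read("consultant", "Zenith Soda"),  # competitor of Acme Cola: denied
        wall.read("consultant", "Acme Cola"),    # same dataset again: allowed
        wall.read("consultant", "First Bank"),   # different COI class: allowed
    ]
```

The order of accesses matters: had the consultant read Zenith Soda first, Acme Cola would be the one denied. History is kept per subject, so a second consultant starts with an open wall.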

2 Referring to the figure shown here, what is the earliest stage of a fire where it is possible to use detection technology to identify it?
A. Incipient
B. Smoke
C. Flame
D. Heat

3 Ralph is designing a physical security infrastructure for a new computing facility that will remain largely unstaffed. He plans to implement motion detectors in the facility but would also like to include a secondary verification control for physical presence. Which one of the following would best meet his needs?
A. CCTV
B. IPS
C. Turnstiles
D. Faraday cages

4 Harry would like to retrieve a lost encryption key from a database that uses m of n control, with m = 4 and n = 8. What is the minimum number of escrow agents required to retrieve the key?
A. 2
B. 4
C. 8
D. 12

5 Fran's company is considering purchasing a web-based email service from a vendor and eliminating its own email server environment as a cost-saving measure. What type of cloud computing environment is Fran's company considering?
A. SaaS
B. IaaS
C. CaaS
D. PaaS

6 Bob is a security administrator with the U.S. federal government and wants to choose a digital signature approach that is an approved part of the federal Digital Signature Standard under FIPS 186-4. Which one of the following encryption algorithms is not an acceptable choice for use in digital signatures?
A. DSA
B. HAVAL
C. RSA
D. ECDSA

7 Harry would like to access a document owned by Sally and stored on a file server. Applying the subject/object model to this scenario, who or what is the subject of the resource request?
A. Harry
B. Sally
C. Server
D. Document

      8 Michael is responsible for forensic investigations and is investigating a medium-severity security incident that involved the defacement of a corporate website. The web server in question ran on a virtualization platform, and the marketing