Mike Chapple - (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests


(ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests: summary and description


Full-length practice tests covering all CISSP domains for the ultimate exam prep

This book is a major resource for (ISC)2 Certified Information Systems Security Professional (CISSP) candidates, providing 1300 unique practice questions. The first part of the book provides 100 questions per domain. You also have access to four unique 125-question practice exams to help you master the material. As the only official practice tests endorsed by (ISC)2, this book gives you the advantage of full and complete preparation. These practice tests align with the 2021 version of the exam to ensure up-to-date preparation, and are designed to cover what you will see on exam day. Coverage includes: Security and Risk Management; Asset Security; Security Architecture and Engineering; Communication and Network Security; Identity and Access Management (IAM); Security Assessment and Testing; Security Operations; and Software Development Security.

The CISSP credential signifies a body of knowledge and a set of skills that put you in demand in the marketplace. This book is your ticket to achieving this prestigious certification, by helping you test what you know against what you need to know.

- Test your knowledge of the 2021 exam domains
- Identify areas in need of further study
- Gauge your progress throughout your exam preparation
- Practice test taking with Sybex's online test environment containing the questions from the book

The CISSP exam is refreshed every few years to ensure that candidates are up to date on the latest security topics and trends. Currently aligned preparation resources are critical, and periodic practice tests are one of the best ways to truly measure your level of understanding.

(ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests: sample excerpt


32. What is the primary purpose of data classification?
A. It quantifies the cost of a data breach.
B. It prioritizes IT expenditures.
C. It allows compliance with breach notification laws.
D. It identifies the value of the data to the organization.

33. Fred's organization allows downgrading of systems for reuse after projects have been finished and the systems have been purged. What concern should Fred raise about the reuse of the systems from his Top Secret classified project for a future project classified as Secret?
A. The Top Secret data may be commingled with the Secret data, resulting in a need to relabel the system.
B. The cost of the sanitization process may exceed the cost of new equipment.
C. The data may be exposed as part of the sanitization process.
D. The organization's DLP system may flag the new system due to the difference in data labels.

34. Which of the following concerns should not be part of the decision when classifying data?
A. The cost to classify the data
B. The sensitivity of the data
C. The amount of harm that exposure of the data could cause
D. The value of the data to the organization

35. Which of the following is the least effective method of removing data from media?
A. Degaussing
B. Purging
C. Erasing
D. Clearing

For questions 36–38, please refer to the following scenario:

The healthcare company that Amanda works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit.

Classification: Confidential (HIPAA)
Handling requirements:
- Encrypt at rest and in transit.
- Full disk encryption is required for all workstations.
- Files can only be sent in encrypted form, and passwords must be transferred under separate cover.
- Printed documents must be labeled with “HIPAA handling required.”

Classification: Private (PHI)
Handling requirements:
- Encrypt at rest and in transit.
- PHI must be stored on secure servers, and copies should not be kept on local workstations.
- Printed documents must be labeled with “Private.”

Classification: Sensitive (business confidential)
Handling requirements:
- Encryption is recommended but not required.

Classification: Public
Handling requirements:
- Information can be sent unencrypted.

36. What encryption technology would be appropriate for HIPAA documents in transit?
A. BitLocker
B. DES
C. TLS
D. SSL

37. Amanda's employer asks Amanda to classify patient X-ray data that has an internal patient identifier associated with it but does not have any way to directly identify a patient. The company's data owner believes that exposure of the data could cause damage (but not exceptional damage) to the organization. How should Amanda classify the data?
A. Public
B. Sensitive
C. Private
D. Confidential

38. What technology could Amanda's employer implement to help prevent confidential data from being emailed out of the organization?
A. DLP
B. IDS
C. A firewall
D. UDP

39. Jacob's organization uses the US government's data classification system, which includes Top Secret, Secret, Confidential, and Unclassified ratings (from most sensitive to least). Jacob encounters a system that contains Secret, Confidential, and Top Secret data. How should it be classified?
A. Top Secret
B. Confidential
C. Secret
D. Mixed classification
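The handling table in the scenario for questions 36–38 and the mixed-data rule behind question 39 both reduce to decision logic that a DLP or tagging system has to apply mechanically. The following Python is an added example, not code from the book or from (ISC)2: the rules mirror the scenario's table, while the Document model, its field names and the check_handling and highest_classification functions are this example's own assumptions about how such a policy would be encoded.

```python
"""Handling-policy checker for the scenario's classification table, plus the
"most sensitive label wins" rule for systems holding mixed data.
Added example: the rules follow the scenario text; the Document model and
function names are assumptions made for this illustration."""
from __future__ import annotations
from dataclasses import dataclass

# Levels ordered from most to least sensitive, as the scenario table lists them.
LEVELS = ["Confidential", "Private", "Sensitive", "Public"]


@dataclass
class Document:
    classification: str
    state: str                               # "at_rest", "in_transit" or "printed"
    encrypted: bool = False                  # content is encrypted in this state
    location: str = "server"                 # at rest: "server" or "workstation"
    full_disk_encryption: bool = False       # the workstation holding it uses FDE
    password_sent_separately: bool = True    # for encrypted files sent in transit
    label: str = ""                          # marking printed on a hard copy


def check_handling(doc: Document) -> list[str]:
    """Return the policy violations for one document; an empty list means compliant."""
    v: list[str] = []
    c = doc.classification
    if c not in LEVELS:
        return [f"unknown classification {c!r}"]

    # Both HIPAA and PHI data must be encrypted at rest and in transit.
    if c in ("Confidential", "Private") and doc.state in ("at_rest", "in_transit") and not doc.encrypted:
        v.append(f"{c}: must be encrypted {doc.state.replace('_', ' ')}")

    if c == "Confidential":
        if doc.state == "at_rest" and doc.location == "workstation" and not doc.full_disk_encryption:
            v.append("Confidential: workstation must use full disk encryption")
        if doc.state == "in_transit" and not doc.password_sent_separately:
            v.append("Confidential: file password must travel under separate cover")
        if doc.state == "printed" and doc.label != "HIPAA handling required":
            v.append("Confidential: printed copy must be labeled 'HIPAA handling required'")
    elif c == "Private":
        if doc.state == "at_rest" and doc.location != "server":
            v.append("Private: PHI must stay on secure servers, not local workstations")
        if doc.state == "printed" and doc.label != "Private":
            v.append("Private: printed copy must be labeled 'Private'")
    # Sensitive: encryption recommended only. Public: no handling requirement.
    return v


def highest_classification(labels, order=LEVELS) -> str:
    """A container holding data at several levels takes the most sensitive label present.
    `order` lists levels from most to least sensitive; pass the US government order
    (Top Secret, Secret, Confidential, Unclassified) to reproduce question 39."""
    present = set(labels)
    for level in order:
        if level in present:
            return level
    raise ValueError(f"no recognised classification in {sorted(present)}")


if __name__ == "__main__":
    # Constructed sample: a PHI record cached on a laptop, and the mixed system of question 39.
    print(check_handling(Document("Private", "at_rest", encrypted=True, location="workstation")))
    print(highest_classification(["Secret", "Confidential", "Top Secret"],
                                 order=["Top Secret", "Secret", "Confidential", "Unclassified"]))
```

The checker is deliberately per-state: a file that is compliant at rest can still violate policy the moment it is emailed, which is the gap question 38's DLP control is meant to close.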

40. Elle is planning her organization's asset retention efforts and wants to establish when the company will remove assets from use. Which of the following is typically the last event in a manufacturer or software provider's lifecycle?
A. End of life
B. End of support
C. End of sales
D. General availability

41. Amanda has been asked to ensure that her organization's controls assessment procedures match the specific systems that the company uses. What activity best matches this task?
A. Asset management
B. Compliance
C. Scoping
D. Tailoring

42. Chris is responsible for his organization's security standards and has guided the selection and implementation of a security baseline for Windows PCs in his organization. How can Chris most effectively make sure that the workstations he is responsible for are being checked for compliance and that settings are being applied as necessary?
A. Assign users to spot-check baseline compliance.
B. Use Microsoft Group Policy.
C. Create startup scripts to apply policy at system start.
D. Periodically review the baselines with the data owner and system owners.

43. Frank is reviewing his company's data lifecycle and wants to place appropriate controls around the data collection phase. Which of the following ensures that data subjects agree to the processing of their data?
A. Retention
B. Consent
C. Certification
D. Remanence

44. As a DBA, Amy's data role in her organization includes technical implementations of the data policies and standards, as well as managing the data structures that the data is stored in. What data role best fits what Amy does?
A. Data custodian
B. Data owner
C. Data processor
D. Data user

45. The company Jim works for suffered from a major data breach in the past year and now wants to ensure that it knows where data is located and if it is being transferred, is being copied to a thumb drive, or is in a network file share where it should not be. Which of the following solutions is best suited to tagging, monitoring, and limiting where files are transferred to?
A. DRM
B. DLP
C. A network IPS
D. Antivirus

46. What security measure can provide an additional security control in the event that backup tapes are stolen or lost?
A. Keep multiple copies of the tapes.
B. Replace tape media with hard drives.
C. Use appropriate security labels.
D. Use AES-256 encryption.

47. Joe works at a major pharmaceutical research and development company and has been tasked with writing his organization's data retention policy. As part of its legal requirements, the organization must comply with the US Food and Drug Administration's Code of Federal Regulations Title 21. To do so, it is required to retain records with electronic signatures. Why would a signature be part of a retention requirement?
A. It ensures that someone has reviewed the data.
B. It provides confidentiality.
C. It ensures that the data has been changed.
D. It validates who approved the data.

48. Susan wants to manage her data's lifecycle based on retention rules. What technique can she use to ensure that data that has reached the end of its lifecycle can be identified and disposed of based on her organization's disposal processes?
A. Rotation
B. DRM
C. DLP
D. Tagging

49. Ben has been asked to scrub data to remove data that is no longer needed by his organization. What phase of the data lifecycle is Ben most likely operating in?
A. Data retention
B. Data maintenance
C. Data remanence
D. Data collection

50. Steve is concerned about the fact that employees leaving his organization were often privy to proprietary information. Which one of the following controls is most effective against this threat?
A. Sanitization
B. NDAs
C. Clearing
D. Encryption

51. Alex works for a government agency that is required to meet US federal government requirements for data security. To meet these requirements, Alex has been tasked with making sure data is identifiable by its classification level when it is created. What should Alex do to the data?
A. Classify the data.
B. Encrypt the data.
C. Label the data.
D. Apply DRM to the data.

52. Ben is following the National Institute of Standards and Technology (NIST) Special Publication 800-88 guidelines for sanitization and disposition as shown here. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow?

[Figure: NIST SP 800-88 sanitization and disposition decision flow. Source: NIST SP 800-88.]

A. Destroy, validate, document
B. Clear, purge, document
C. Purge, document, validate
D. Purge, validate, document
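The decision flow that question 52 refers to is a small tree: the security categorization and whether the media is reused or leaves the organization's control pick the sanitization method, and validation and documentation always follow. The Python below is an added example, not from the book or from NIST; its branch structure is this editor's reading of the Figure 4-1 decision flow in NIST SP 800-88 Rev. 1 and should be confirmed against the publication before use. The function and enum names are assumptions made for the illustration.

```python
"""NIST SP 800-88 style sanitization decision flow.
Added example: the branch structure follows the editor's reading of
SP 800-88 Rev. 1 Figure 4-1 (an assumption, not text from the page);
names and signatures are this example's own."""
from __future__ import annotations
from enum import Enum


class Categorization(Enum):
    """FIPS 199 style security categorization of the information on the media."""
    LOW = "low"
    MODERATE = "moderate"
    HIGH = "high"


def sanitization_plan(categorization: Categorization, reuse_media: bool,
                      leaving_org_control: bool) -> list[str]:
    """Return the ordered steps Ben must follow: one sanitization method,
    then validation of the result, then documentation of what was done."""
    if not reuse_media:
        # Media that will not be reused is destroyed whatever its categorization.
        method = "destroy"
    elif categorization is Categorization.HIGH:
        # High: purge for internal reuse; destroy if it leaves the organization.
        method = "destroy" if leaving_org_control else "purge"
    else:
        # Low and moderate share a branch: clear for internal reuse,
        # purge if the media leaves organizational control.
        method = "purge" if leaving_org_control else "clear"
    # Validation and documentation close every path through the flow.
    return [method, "validate", "document"]


def describe(plan: list[str]) -> str:
    """Render a plan as the comma-separated form the exam answers use."""
    return ", ".join(step.capitalize() if i == 0 else step for i, step in enumerate(plan))


if __name__ == "__main__":
    # Question 52: moderate categorization, media sold as surplus (reused, leaving control).
    print(describe(sanitization_plan(Categorization.MODERATE, reuse_media=True, leaving_org_control=True)))
```

Encoding the flow as a function makes the practical point visible: "sold as surplus" is two facts (the media will be reused, and it leaves the organization's control), and both are needed before the method is known.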

53. What methods are often used to protect data in transit?
A. Telnet, ISDN, UDP
B. BitLocker, FileVault
C. AES, Serpent, IDEA
D. TLS, VPN, IPsec
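Questions 36 and 53 both turn on "TLS" as the answer for data in transit, but a TLS connection only protects the data if the client actually verifies the peer and refuses obsolete protocol versions. The Python below is an added example, not from the book: it builds a hardened client context with the standard library's ssl module next to the weak configuration that disables verification, and audits both. No connection is made; the settings are inspected offline.

```python
"""Hardened versus weak TLS client configuration, audited offline.
Added example using only Python's standard ssl module; the function names
are this example's own."""
from __future__ import annotations
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """What "use TLS" should mean: verify the server certificate and hostname,
    and refuse SSLv3 / TLS 1.0 / TLS 1.1."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # negotiate TLS 1.2 or 1.3 only
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The weak setting seen in a lot of integration code: encryption without
    authentication, so any interposed certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for a client context; an empty list means it is acceptable."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("pre-TLS 1.2 versions allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit(hardened_client_context()))
    print("legacy:  ", audit(legacy_client_context()))
```

Option D in question 36, SSL, is not just an older name: the SSL protocol versions are exactly what the hardened context above refuses to negotiate.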

54. Which one of the following data roles bears ultimate organizational responsibility for data?
A. System owners
B. Business owners
C. Data owners
D. Mission owners

55. Shandra wants to secure an encryption key. Which location would be the most difficult to protect, if the key was kept and used in that location?
A. On a local network
B. On disk
C. In memory
D. On a public network

For questions 56–58, please refer to the following scenario:

Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process:
1. Criteria are set for classifying data.
2. Data owners are established for each type of data.
3. Data is classified.
4. Required controls are selected for each classification.
5. Baseline security standards are selected for the organization.
6. Controls are scoped and tailored.
7. Controls are applied and enforced.
8. Access is granted and managed.
