Mike Chapple - (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests


(ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests: summary, description and annotation


Full-length practice tests covering all CISSP domains for the ultimate exam prep

The (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests is a major resource for (ISC)2 Certified Information Systems Security Professional (CISSP) candidates, providing 1300 unique practice questions. The first part of the book provides 100 questions per domain. You also have access to four unique 125-question practice exams to help you master the material. As the only official practice tests endorsed by (ISC)2, this book gives you the advantage of full and complete preparation. These practice tests align with the 2021 version of the exam to ensure up-to-date preparation, and are designed to cover what you will see on exam day. Coverage includes: Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management (IAM), Security Assessment and Testing, Security Operations, and Software Development Security.
The CISSP credential signifies a body of knowledge and a set of guaranteed skills that put you in demand in the marketplace. This book is your ticket to achieving this prestigious certification, by helping you test what you know against what you need to know.
- Test your knowledge of the 2021 exam domains
- Identify areas in need of further study
- Gauge your progress throughout your exam preparation
- Practice test taking with Sybex's online test environment containing the questions from the book

The CISSP exam is refreshed every few years to ensure that candidates are up-to-date on the latest security topics and trends. Currently-aligned preparation resources are critical, and periodic practice tests are one of the best ways to truly measure your level of understanding.

(ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests — read the preview excerpt online


6. How can a data retention policy help to reduce liabilities?
A. By ensuring that unneeded data isn't retained
B. By ensuring that incriminating data is destroyed
C. By ensuring that data is securely wiped so it cannot be restored for legal discovery
D. By reducing the cost of data storage required by law

7. Staff in an information technology (IT) department who are delegated responsibility for day-to-day tasks hold what data role?
A. Business owner
B. User
C. Data processor
D. Custodian

8. Helen's company uses a simple data lifecycle as shown in the figure here. What stage should come first in their data lifecycle?
A. Data policy creation
B. Data labeling
C. Data collection
D. Data analysis

9. Ben has been tasked with identifying security controls for systems covered by his organization's information classification system. Why might Ben choose to use a security baseline?
A. It applies in all circumstances, allowing consistent security controls.
B. They are approved by industry standards bodies, preventing liability.
C. They provide a good starting point that can be tailored to organizational needs.
D. They ensure that systems are always in a secure state.

10. Megan wants to prepare media to allow for its reuse in an environment operating at the same sensitivity level. Which of the following is the best option to meet her needs?
A. Clearing
B. Erasing
C. Purging
D. Sanitization

11. Mikayla wants to identify data that should be classified that already exists in her environment. What type of tool is best suited to identifying data like Social Security numbers, credit card numbers, and similar well-understood data formats?
A. Manual searching
B. A sensitive data scanning tool
C. An asset metadata search tool
D. A data loss prevention system (DLP)

12. What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs?
A. They can be used to hide data.
B. They can only be degaussed.
C. They are not addressable, resulting in data remanence.
D. They may not be cleared, resulting in data remanence.

13. Naomi knows that commercial data is typically classified based on different criteria than government data. Which of the following is not a common criterion for commercial data classification?
A. Useful lifespan
B. Data value
C. Impact to national security
D. Regulatory or legal requirements

For questions 14–16, please refer to the following scenario:

Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations.

14. What term best describes data that is resident in system memory?
A. Data at rest
B. Buffered data
C. Data in use
D. Data in motion

15. What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it?
A. Classification
B. Symmetric encryption
C. Watermarks
D. Metadata

16. What type of encryption is best suited for use on the file servers for the proprietary data, and how might you secure the data when it is in motion?
A. TLS at rest and AES in motion
B. AES at rest and TLS in motion
C. VPN at rest and TLS in motion
D. DES at rest and AES in motion

17. What does labeling data allow a DLP system to do?
A. The DLP system can detect labels and apply appropriate protections based on rules.
B. The DLP system can adjust labels based on changes in the classification scheme.
C. The DLP system can modify labels to permit requested actions.
D. The DLP system can delete unlabeled data.

18. Why is it cost effective to purchase high-quality media to contain sensitive data?
A. Expensive media is less likely to fail.
B. The value of the data often far exceeds the cost of the media.
C. Expensive media is easier to encrypt.
D. More expensive media typically improves data integrity.

19. Chris is responsible for workstations throughout his company and knows that some of the company's workstations are used to handle both proprietary information and highly sensitive trade secrets. Which option best describes what should happen at the end of their life (EOL) for workstations he is responsible for?
A. Erasing
B. Clearing
C. Sanitization
D. Destruction

20. Fred wants to classify his organization's data using common labels: private, sensitive, public, and proprietary. Which of the following should he apply to his highest classification level based on common industry practices?
A. Private
B. Sensitive
C. Public
D. Proprietary

21. What scenario describes data at rest?
A. Data in an IPsec tunnel
B. Data in an e-commerce transaction
C. Data stored on a hard drive
D. Data stored in RAM

22. If you are selecting a security standard for a Windows 10 system that processes credit cards, what security standard is your best choice?
A. Microsoft's Windows 10 security baseline
B. The CIS Windows 10 baseline
C. PCI DSS
D. The NSA Windows 10 Secure Host Baseline

For questions 23–25, please refer to the following scenario:

The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Answer the following questions based on this decision.

23. The CIS benchmarks are an example of what practice?
A. Conducting a risk assessment
B. Implementing data labeling
C. Proper system ownership
D. Using security baselines

24. Adjusting the CIS benchmarks to your organization's mission and your specific IT systems would involve what two processes?
A. Scoping and selection
B. Scoping and tailoring
C. Baselining and tailoring
D. Tailoring and selection

25. How should you determine which controls from the baseline should be applied to a given system or software package?
A. Consult the custodians of the data.
B. Select based on the data classification of the data it stores or handles.
C. Apply the same controls to all systems.
D. Consult the business owner of the process the system or data supports.

26. The company that Henry works for operates in the EU and collects data about their customers. They send that data to a third party to analyze and provide reports to help the company make better business decisions. What term best describes the third-party analysis company?
A. The data controller
B. The data owner
C. The data subject
D. The data processor

27. The government defense contractor that Selah works for has recently shut down a major research project and is planning on reusing the hundreds of thousands of dollars of systems and data storage tapes used for the project for other purposes. When Selah reviews the company's internal processes, she finds that she can't reuse the tapes and that the manual says they should be destroyed. Why isn't Selah allowed to degauss and then reuse the tapes to save her employer money?
A. Data permanence may be an issue.
B. Data remanence is a concern.
C. The tapes may suffer from bitrot.
D. Data from tapes can't be erased by degaussing.

28. Information maintained about an individual that can be used to distinguish or trace their identity is known as what type of information?
A. Personally identifiable information (PII)
B. Personal health information (PHI)
C. Social Security number (SSN)
D. Secure identity information (SII)

29. Which of the following information security risks to data at rest would result in the greatest reputational impact on an organization?
A. Improper classification
B. Data breach
C. Decryption
D. An intentional insider threat

30. Full disk encryption like Microsoft's BitLocker is used to protect data in what state?
A. Data in transit
B. Data at rest
C. Unlabeled data
D. Labeled data

31. The company that Katie works for provides its staff with mobile phones for employee use, with new phones issued every two years. What scenario best describes this type of practice when the phones themselves are still usable and receiving operating system updates?
A. EOL
B. Planned obsolescence
C. EOS
D. Device risk management
