Chapter 2: Asset Security (Domain 2)
- B. Downgrading systems and media is rare due to the difficulty of ensuring that
sanitization is complete. The need to completely wipe (or destroy) the media that systems
use means that the cost of reuse is often significant and may exceed the cost of purchasing
a new system or media. The goal of purging is to ensure that no data remains, so
commingling data should not be a concern, nor should the exposure of the data; only staff
with the proper clearance should handle the systems! Finally, a DLP system should flag
data based on labels, not on the system it comes from.
- A. Classification should be conducted based on the value of the data to the organization,
its sensitivity, and the amount of harm that could result from exposure of the data. Cost
should be considered when implementing controls and is weighed against the damage that
exposure would create.
- C. Erasing, which describes a typical deletion process in many operating systems,
typically removes only the link to the file and leaves the data that makes up the file
itself. The data will remain in place but not indexed until the space is needed and it is
overwritten. Degaussing works only on magnetic media, but it can be quite effective on it.
Purging and clearing both describe more elaborate removal processes.
- The data elements match with the categories as follows:
Data elements
- Medical records: B. PHI.
- Credit card numbers: A. PCI DSS.
- Social Security numbers: C. PII.
- Driver’s license numbers: C. PII.
Medical records are an example of protected health information (PHI). Credit card
numbers are personally identifiable information (PII), but they are also covered by the
Payment Card Industry Data Security Standard (PCI DSS), which is a more specific
category governing only credit card information and is a better answer. Social Security
numbers and driver’s license numbers are examples of PII.
- C. TLS is a modern encryption method used to encrypt and protect data in transit.
BitLocker is a full disk encryption technology used for data at rest. DES and SSL are both
outdated encryption methods and should not be used for data that requires high levels of
security.
- C. We know that the data classification will not be the top-level classification of “Confidential”
because the loss of the data would not cause severe damage. This means we have to choose
between private (PHI) and sensitive (confidential). Calling this private due to the patient’s
personal health information fits the classification scheme, giving us the correct answer.
- A. A data loss prevention (DLP) system or software is designed to identify labeled data
or data that fits specific patterns and descriptions to help prevent it from leaving the
organization. An IDS is designed to identify intrusions. Although some IDS systems can
detect specific types of sensitive data using pattern matching, they have no ability to stop
traffic. A firewall uses rules to control traffic routing, while UDP is a network protocol.