332 Appendix ■ Answers
40. A. When data is stored in a mixed classification environment, it is typically classified based on the highest classification of data included. In this case, the US government’s highest classification is Top Secret. Mixed classification is not a valid classification in this scheme.

- B. A nondisclosure agreement, or NDA, is a legal agreement that prevents employees from sharing proprietary data with their new employers. Purging is used on media, while classification is used on data. Encryption can help secure data, but it doesn’t stop employees who can decrypt or copy the data from sharing it.

- C. By default, BitLocker and Microsoft’s Encrypting File System (EFS) both use AES (Advanced Encryption Standard), which is the NIST-approved replacement for DES (Data Encryption Standard). Serpent was a competitor of AES, and 3DES was created as a possible replacement for DES.

- B. Group Policy provides the ability to monitor and apply settings in a security baseline. Manual checks by users and using startup scripts provide fewer reviews and may be prone to failure, while periodic review of the baseline won’t result in compliance being checked.

- B. A baseline is a set of security configurations that can be adopted and modified to fit an organization’s security needs. A security policy is written to describe an organization’s approach to security, while DSS is the second half of the Payment Card Industry Data Security Standard. The NIST SP-800 series of documents addresses computer security in a variety of areas.

- C. Record retention policies describe how long an organization should retain data and may also specify how and when destruction should occur. Classification policies describe how and why classification should occur and who is responsible, while availability and audit policies may be created for specific purposes.

- A. The POODLE (or Padding Oracle On Downgraded Legacy Encryption) attack helped force the move from SSL 3.0 to TLS because it allowed attackers to easily access SSL-encrypted messages. Stuxnet was a worm aimed at the Iranian nuclear program, while CRIME and BEAST were earlier attacks against SSL.

- D. Using strong encryption, like AES-256, can help ensure that loss of removable media like tapes doesn’t result in a data breach. Security labels may help with handling processes, but they won’t help once the media is stolen or lost. Having multiple copies will ensure that you can still access the data but won’t increase the security of the media. Finally, using hard drives instead of tape only changes the media type and not the risk from theft or loss.

- D. Electronic signatures, as used in this rule, prove that the signature was provided by the intended signer. Electronic signatures as part of the FDA code are intended to ensure that electronic records are “trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.” Signatures cannot provide confidentiality or integrity and don’t ensure that someone has reviewed the data.

- D. Secure Shell (SSH) is an encrypted protocol for remote login and command-line access. SCP and SFTP are both secure file transfer protocols, while WDS is the acronym for Windows Deployment Services, which provides remote installation capabilities for Windows operating systems.