336 Appendix ■ Answers
80. C. Systems used to process data are data processors. Data owners are typically CEOs or
other very senior staff, custodians are granted rights to perform day-to-day tasks when
handling data, and mission owners are typically program or information system owners.
81. D. Personally identifiable information includes any information that can uniquely identify
an individual. This would include name, Social Security number, and any other unique
identifier (including a student ID number). ZIP code, by itself, does not uniquely identify
an individual.
82. B. Protected health information, or PHI, includes a variety of data in multiple formats,
including oral and recorded data, such as that created or received by healthcare providers,
employers, and life insurance providers. PHI must be protected by HIPAA. PII is
personally identifiable information. SHI and HPHI are both made-up acronyms.
83. C. AES is a strong symmetric cipher that is appropriate for use with data at rest. SHA1 is
a cryptographic hash, while TLS is appropriate for data in motion. DES is an outdated and
insecure symmetric encryption method.
84. D. The principle of data portability says that the data subject has the right to receive
personal information and to transfer that information to another data controller. The
principle of data integrity states that data should be reliable and that information should
not be used for purposes other than those that users are made aware of by notice and that
they have accepted through choice. Enforcement is aimed at ensuring that compliance with
principles is assured. Onward transfer limits transfers to other organizations that comply
with the principles of notice and choice.
85. C. Due to problems with remnant data, the US National Security Agency requires
physical destruction of SSDs. This process, known as disintegration, results in very small
fragments via a shredding process. Zero fill wipes a drive by replacing data with zeros,
degaussing uses magnets to wipe magnetic media, and clearing is the process of preparing
media for reuse.
86. A. The data owner bears responsibility for categorizing information systems and delegates
selection of controls to system owners, while custodians implement the controls. Users
don’t perform any of these actions, while business owners are tasked with ensuring that
systems are fulfilling their business purpose.
87. B. PCI DSS provides a set of required security controls and standards. Step 2 would be
guided by the requirements of PCI DSS. PCI DSS will not greatly influence step 1 because
all of the systems handle credit card information, making PCI DSS apply to all systems
covered. Steps 3 and 4 will be conducted after PCI DSS has guided the decisions in step 2.
88. C. Custodians are tasked with the day-to-day monitoring of the integrity and security of
data. Step 5 requires monitoring, which is a custodial task. A data owner may grant rights
to custodians but will not be responsible for conducting monitoring. Data processors
process data on behalf of the data controller, and a user simply uses the data via a
computing system.