CISSP Official Practice Tests by Mike Chapple, David Seidl

(chelsyfait) #1

Chapter 2: Asset Security (Domain 2)

  1. B. Susan’s organization is limiting its risk by sending drives that have been sanitized
    before they are destroyed. This limits the possibility of a data breach if drives are
    mishandled by the third party, allowing them to be stolen, resold, or simply copied. The
    destruction of the drives will handle any issues with data remanence, while classification
    mistakes are not important if the drives have been destroyed. Data permanence and the
    life span of the data are not important on a destroyed drive.

  2. C. A digital watermark is used to identify the owner of a file or to otherwise label it. A
    copyright notice provides information about the copyright asserted on the file, while data
    loss prevention (DLP) is a solution designed to prevent data loss. Steganography is the
    science of hiding information, often in images or files.

  3. D. Record retention is the process of retaining and maintaining information for as
    long as it is needed. A data storage policy describes how and why data is stored, while
    data storage is the process of actually keeping the data. Asset maintenance is a
    non-information-security-related process for maintaining physical assets.

  4. C. The cost of the data is not directly included in the classification process. Instead, the
    impact to the organization if the data were exposed or breached is considered. Who can
    access the data and what regulatory or compliance requirements cover the data are also
    important considerations.

  5. B. Symmetric encryption like AES is typically used for data at rest. Asymmetric
    encryption is often used during transactions or communications when the ability to have
    public and private keys is necessary. DES is an outdated encryption standard, and OTP is
    the acronym for one-time password.

  6. D. Administrators have the rights to assign permissions to access and handle data.
    Custodians are trusted with day-to-day data handling tasks. Business owners are typically
    system or project owners, and data processors are systems used to process data.

  7. B. The California Online Privacy Protection Act (COPPA) requires that operators of
    commercial websites and services post a prominently displayed privacy policy if they
    collect personal information on California residents. The Personal Information
    Protection and Electronic Documents Act is a Canadian privacy law, while California Civil
    Code 1798.82 is part of the set of California codes that requires breach notification.
    The California Online Web Privacy Act does not exist.

  8. A. Tapes are frequently exposed due to theft or loss in transit. That means that tapes that
    are leaving their normal storage facility should be handled according to the organization’s
    classification schemes and handling requirements. Purging the tapes would cause the loss
    of data, while increasing the classification level of the tapes. The tapes should be encrypted
    rather than decrypted.

  9. A. The correct answer is the tape that is being shipped to a storage facility. You might
    think that the tape in shipment is “in motion,” but the key concept is that the data is
    not being accessed and is instead in storage. Data in a TCP packet, in an e-commerce
    transaction, or in local RAM is in motion and is actively being used.