Chapter 2: Asset Security (Domain 2) 327
- A. When organizations merge, it is important to understand the state of the security for both organizations. Running vulnerability scans and performing a risk assessment are both common steps taken when preparing to merge two (or more!) IT environments.
- D. Signing a noncompete or nondisclosure agreement is typically done at hiring. Exit interviews, recovery of organizational property, and account termination are all common elements of a termination process.
- C. A security controls assessment (SCA) most often refers to a formal US government process for assessing security controls and is often paired with a Security Test and Evaluation (ST&E) process. This means that Laura is probably part of a government organization or contractor.
- B. Purchasing insurance is a means of transferring risk. If Sally had worked to decrease the likelihood of the events occurring, she would have been using a reduce or risk mitigation strategy, while simply continuing to function as the organization has would be an example of an acceptance strategy. Rejection, or denial of the risk, is not a valid strategy, even though it occurs!
Chapter 2: Asset Security (Domain 2)
- C. Encryption is often used to protect traffic like bank transactions from sniffing. While packet injection and man-in-the-middle attacks are possible, they are far less likely to occur, and if a VPN were used, it would be used to provide encryption. TEMPEST is a specification for techniques used to prevent spying using electromagnetic emissions and wouldn't be used to stop attacks at any normal bank.
- A. Business owners have to balance the need to provide value with regulatory, security, and other requirements. This makes the adoption of a common framework like COBIT attractive. Data owners are more likely to ask that those responsible for control selection identify a standard to use. Data processors are required to perform specific actions under regulations like the EU GDPR. Finally, in many organizations, data stewards are internal roles that oversee how data is used.
- B. A baseline is used to ensure a minimum security standard. A policy is the foundation that a standard may point to for authority, and a configuration guide may be built from a baseline to help staff who need to implement it to accomplish their task. An outline is helpful, but outline isn't the term you're looking for here.
- B. Media is typically labeled with the highest classification level of data it contains. This prevents the data from being handled or accessed at a lower classification level. Data integrity requirements may be part of a classification process but don't independently drive labeling in a classification scheme.
- A. The need to protect sensitive data drives information classification. This allows organizations to focus on data that needs to be protected rather than spending effort on less important data. Remanence describes data left on media after an attempt is made to remove the data. Transmitting data isn't a driver for an administrative process to protect sensitive data, and clearing is a technical process for removing data from media.