328 Appendix ■ Answers
6. A. A data retention policy can help to ensure that outdated data is purged, removing
potential additional costs for discovery. Many organizations have aggressive retention
policies to both reduce the cost of storage and limit the amount of data that is kept on
hand and discoverable. Data retention policies are not designed to destroy incriminating
data, and legal requirements for data retention must still be met.- D. Custodians are delegated the role of handling day-to-day tasks by managing and
overseeing how data is handled, stored, and protected. Data processors are systems used to
process data. Business owners are typically project or system owners who are tasked with
making sure systems provide value to their users or customers. - D. Privacy Shield compliance helps US companies meet the EU General Data Protection
Regulation. Yearly assessments may be useful, but they aren’t required. HIPAA is a US
law that applies specifically to healthcare and related organizations, and encrypting all
data all the time is impossible (at least if you want to use the data!). PCI DSS is a global
contractual regulation for the handling of credit card information. - C. Security baselines provide a starting point to scope and tailor security controls to your
organization’s needs. They aren’t always appropriate to specific organizational needs, they
cannot ensure that systems are always in a secure state, and they do not prevent liability. - A. Clearing describes preparing media for reuse. When media is cleared, unclassified data
is written over all addressable locations on the media. Once that’s completed, the media
can be reused. Erasing is the deletion of files or media. Purging is a more intensive form
of clearing for reuse in lower-security areas, and sanitization is a series of processes that
removes data from a system or media while ensuring that the data is unrecoverable by
any means. - C. The US government uses the label Confidential for data that could cause damage
if it was disclosed without authorization. Exposure of Top Secret data is considered to
potentially cause grave damage, while Secret data could cause serious damage. Classified
is not a level in the US government classification scheme. - D. Spare sectors, bad sectors, and space provided for wear leveling on SSDs
(overprovisioned space) may all contain data that was written to the space that will not be
cleared when the drive is wiped. Most wiping utilities only deal with currently addressable
space on the drive. SSDs cannot be degaussed, and wear leveling space cannot be reliably
used to hide data. These spaces are still addressable by the drive, although they may not be
seen by the operating system. - B. Data remanence is a term used to describe data left after attempts to erase or remove
data. Slack space describes unused space in a disk cluster, zero fill is a wiping methodology
that replaces all data bits with zeroes, and residual bytes is a made-up term. - C. Information shared with customers is public, internal business could be sensitive
or private, and trade secrets are proprietary. Thus, public, sensitive, proprietary
matches this most closely. Confidential is a military classification, which removes two
of the remaining options, and trade secrets are more damaging to lose than a private
classification would allow.