Chapter 2: Asset Security (Domain 2) 329
- C. A watermark is used to digitally label data and can be used to indicate ownership. Encryption would have prevented the data from being accessed if it was lost, while classification is part of the set of security practices that can help make sure the right controls are in place. Finally, metadata is used to label data and might help a data loss prevention system flag it before it leaves your organization.
- B. AES is a strong modern symmetric encryption algorithm that is appropriate for encrypting data at rest. TLS is frequently used to secure data when it is in transit. A virtual private network is not necessarily an encrypted connection and would be used for data in motion, while DES is an outdated algorithm and should not be used for data that needs strong security.
- A. Data loss prevention (DLP) systems can use labels on data to determine the appropriate controls to apply to the data. DLP systems won’t modify labels in real time and typically don’t work directly with firewalls to stop traffic. Deleting unlabeled data would cause big problems for organizations that haven’t labeled every piece of data!
- B. The value of the data contained on media often exceeds the cost of the media, making more expensive media that may have a longer life span or additional capabilities like encryption support a good choice. While expensive media may be less likely to fail, the reason it makes sense is the value of the data, not just that it is less likely to fail. In general, the cost of the media doesn’t have anything to do with the ease of encryption, and data integrity isn’t ensured by better media.
- C. Sanitization is a combination of processes that ensure that data from a system cannot be recovered by any means. Erasing and clearing are both prone to mistakes and technical problems that can result in remnant data and don’t make sense for systems that handled proprietary information. Destruction is the most complete method of ensuring that data cannot be exposed, and some organizations opt to destroy the entire workstation, but that is not a typical solution due to the cost involved.
- The US government’s classification levels from least to most sensitive are:
  C. Unclassified
  B. Confidential
  A. Secret
  D. Top Secret
- C. Data at rest is inactive data that is physically stored. Data in an IPsec tunnel or part of an e-commerce transaction is data in motion. Data in RAM is ephemeral and is not inactive.
- C. PCI DSS, the Payment Card Industry Data Security Standard, provides the set of requirements for credit card processing systems. The Microsoft, NSA, and CIS baselines are all useful for building a Windows 10 security standard, but the PCI DSS standard is a better answer.
- D. The CIS benchmarks are an example of a security baseline. A risk assessment would help identify which controls were needed, and proper system ownership is an important part of making sure baselines are implemented and maintained. Data labeling can help ensure that controls are applied to the right systems and data.