330 Appendix ■ Answers
2 4. B. Scoping involves selecting only the controls that are appropriate for your IT systems, while tailoring adjusts the controls from a selected baseline to fit your organization's mission. Baselining is the process of configuring a system or software to match a baseline, or of building the baseline itself. Selection isn't a technical term used for any of these processes.

- B. The controls implemented from a security baseline should match the classification of the data used or stored on the system. Custodians are trusted to ensure the day-to-day security of the data and should do so by ensuring that the baseline is met and maintained. Business owners often have a conflict of interest between functionality and data security, and applying the same controls everywhere is expensive, may not meet business needs, and is not a responsible use of resources.

- B. FTP and Telnet transmit both their data and the credentials used to log in as cleartext, so they should not be used if they can be avoided. SFTP and SSH encrypt both the data they send and the login credentials (SFTP itself runs over an SSH connection).

- B. Many organizations require the destruction of media that contains data at higher levels of classification. The cost of the media is usually lower than the potential cost of a data exposure, and it is difficult to guarantee that reused media does not contain remnant data. Tapes can be erased by degaussing, but degaussing is not always fully effective. Bit rot describes the slow loss of data on aging media, while data permanence is a term sometimes used to describe the life span of data and media.

- A. NIST Special Publication 800-122 defines PII as any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records, together with any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. PHI is health-related information about a specific person, Social Security numbers are identifiers issued to individuals in the United States, and SII is a made-up term.

- B. The biggest threat to data at rest is typically a data breach, so data at rest with a high level of sensitivity is often encrypted to help prevent this. Decryption is not a significant threat if strong encryption is used and the encryption keys are well secured. Data integrity issues could occur, but proper backups help address them, and data could be improperly classified, but neither is the primary threat to the data.

- B. Full disk encryption protects only data at rest, and only while the volume is locked: once the system has booted and unlocked the volume, the operating system decrypts it transparently, so every process that reads the disk sees plaintext. Because it encrypts the full disk, it does not distinguish between labeled and unlabeled data.

- B. One way to use an IPsec VPN is to create a private, encrypted tunnel across a public network, allowing users to become a virtual part of their employer's internal network. IPsec is distinct from TLS; it provides confidentiality through encryption and integrity through authentication of each packet. And in this scenario Sue is connecting to her employer's network rather than the employer connecting to hers.

- D. Classification identifies the value of data to an organization. This can help drive IT expenditure prioritization and could help with rough cost estimates if a breach occurred, but neither is its primary purpose. Finally, most breach notification laws call out specific data types for notification rather than requiring organizations to classify data themselves.