Chapter 2: Asset Security (Domain 2) 333
- B. Degaussing uses strong magnetic fields to erase magnetic media. Magwipe is a made-up
term. Sanitization is a combination of processes used to remove data from a system or
media to ensure that it cannot be recovered. Purging is a form of clearing used on media
that will be reused in a lower classification or lower-security environment. - B. Nondisclosure agreements (NDAs) are used to enforce confidentiality agreements with
employees and may remain in effect even after an employee leaves the organization. Other
controls, such as sanitization, clearing, and encryption, would not be effective against
information in an employee’s memory. - C. Data labels are crucial to identify the classification level of information contained on the
media. Digital rights management (DRM) tools provide ways to control how data is used,
while encrypting it can help maintain the confidentiality and integrity of the data. Classifying
the data is necessary to label it, but it doesn’t automatically place a label on the data. - D. The NIST SP 800-88 process for sanitization and disposition shows that media that
will be reused and was classified at a moderate level should be purged and then that purge
should be validated. Finally, it should be documented. - D. Data in transit is data that is traversing a network or is otherwise in motion. TLS,
VPNs, and IPsec tunnels are all techniques used to protect data in transit. AES, Serpent,
and IDEA are all symmetric algorithms, while Telnet, ISDN, and UDP are all protocols.
BitLocker and FileVault are both used to encrypt data, but they protect only stored data,
not data in transit. - C. The data owner has ultimate responsibility for data belonging to an organization and is
typically the CEO, president, or another senior employee. Business and mission owners typically
own processes or programs. System owners own a system that processes sensitive data. - D. The US Department of Commerce oversees Privacy Shield. Only US organizations
subject to the jurisdiction of the Federal Trade Commission (FTC) or US air carriers and
ticket agents subject to the jurisdiction of the Department of Transportation (DOT) are
permitted to participate in Safe Harbor. - A. Chris is most likely to be responsible for classifying the data that he owns as well
as assisting with or advising the system owners on security requirements and control
selection. In an organization with multiple data owners, Chris is unlikely to set criteria
for classifying data on his own. As a data owner, Chris will also not typically have direct
responsibility for scoping, tailoring, applying, or enforcing those controls. - B. The system administrators are acting in the roles of data administrators who grant
access and will also act as custodians who are tasked with the day-to-day application of
security controls. They are not acting as data owners who own the data itself. Typically,
system administrators are delegated authority by system owners, such as a department
head, and of course they are tasked with providing access to users. - C. Third-party organizations that process personal data on behalf of a data controller are
known as data processors. The organization that they are contracting with would act in
the role of the business or mission owners, and others within Chris’s organization would
have the role of data administrators, granting access as needed to the data based on their
operational procedures and data classification.