CISSP Official Practice Tests by Mike Chapple, David Seidl


334 Appendix ■ Answers


  60. B. The GDPR does include requirements that data be processed fairly, maintained
    securely, and maintained accurately. It does not include a requirement that information
    be deleted within one year, although it does specify that information should not be kept
    longer than necessary.


  61. D. Under EU regulations, both the organization sharing data and the third-party data
    processor bear responsibility for maintaining the privacy and security of personal information.

  62. D. The U.S. government specifies Secret as the classification level for information that,
    if disclosed, could cause serious harm to national security. Top Secret is reserved for
    information that could cause exceptionally grave harm, while confidential data could be
    expected to cause less harm. Unclassified is not an actual classification but only indicates
    that the data may be released to unclassified individuals. Organizations may still restrict
    access to unclassified information.

  63. A. Sanitization is the combination of processes used to remove data from a system or
    media. When a PC is disposed of, sanitization includes the removal or destruction of
    drives, media, and any other storage devices it may have. Purging, destruction, and
    declassification are all other handling methods.

  64. D. Bcrypt is based on Blowfish (the b is a key hint here). AES and 3DES are both
    replacements for DES, while Diffie-Hellman is a protocol for key exchange.

  65. B. Requiring all media to have a label means that when unlabeled media is found, it should
    immediately be considered suspicious. This helps to prevent mistakes that might leave
    sensitive data unlabeled. Prelabeled media is not necessarily cheaper (nor may it make sense
    to buy!), while reusing public media simply means that it must be classified based on the
    data it now contains. HIPAA does not have specific media labeling requirements.

  66. B. Data in use is data that is in a temporary storage location while an application or
    process is using it. Thus, data in memory is best described as data in use or ephemeral
    data. Data at rest is in storage, while data in transit is traveling over a network or other
    channel. Data at large is a made-up term.


  67. C. Validation processes are conducted to ensure that the sanitization process was
    completed, avoiding data remanence. A form like this one helps to ensure that each device
    has been checked and that it was properly wiped, purged, or sanitized. This can allow
    reuse, does not prevent destruction, and does not help with attribution, which is a concept
    used with encryption to prove who created or sent a file.


  68. C. Ensuring that data cannot be recovered is difficult, and the time and effort required to
    securely and completely wipe media as part of declassification can exceed the cost of new media.
    Sanitization, purging, and clearing may be part of declassification, but they are not reasons
    that it is not frequently chosen as an option for organizations with data security concerns.

  69. D. Destruction is the final stage in the lifecycle of media and can be done via
    disintegration, incineration, or a variety of other methods that result in the media and
    data being nonrecoverable. Sanitization is a combination of processes used when data
    is being removed from a system or media. Purging is an intense form of clearing, and
    degaussing uses strong magnetic fields to wipe data from magnetic media.
