Chapter 2: Asset Security (Domain 2) 335
- D. The GDPR does include the requirement to collect personal data for specified, explicit, and legitimate purposes; to limit collection to the data necessary for the stated purpose; and to protect data against accidental destruction. It does not include a specific requirement to encrypt data at rest: Article 32 names encryption only as one example of an "appropriate" technical measure, to be applied as the risk warrants.
- D. Visual indicators such as a distinctive screen background help employees remember the classification level they are working with, and thus the handling requirements they are expected to follow.
- C. If an organization allows media to be downgraded, the purging process should be followed first, and only then should the media be relabeled. Degaussing works for magnetic media but does not handle all media types (it does nothing to flash or optical media). Pulverizing destroys the media and prevents reuse, while relabeling before purging invites mistakes in which media that has not been purged re-enters use under a lower label.
- B. The data owner sets the rules for the use and protection of data. The remaining options all describe tasks of the system owner, including the implementation of security controls.
- B. In the NIST SP 800-60 diagram, the process first determines the appropriate categorization levels, producing a security categorization, and then uses that categorization as an input to control selection. Standard selection occurs at the organizational level, baselining occurs when systems are configured to meet a baseline, and sanitization is the intentional removal of data from machines or media.
- C. A and E can both be expected to hold data at rest. C, the Internet, is an unknown: data there cannot be guaranteed to be at rest. B, D, and F are all data in transit across network links.
- C. B, D, and F all show network links. Of the answers provided, Transport Layer Security (TLS) gives the best protection for data in motion. AES-256 and 3DES are symmetric ciphers and are more likely to be used for data at rest (and 3DES is itself deprecated). SSL has been replaced by TLS, every SSL version is now considered broken, and SSL should not be a preferred solution.
77. B. Encrypting the file before it leaves means that exposure of the file in transit does not result in a confidentiality breach, and the file remains protected until it is decrypted at location E. Link protection such as TLS covers only the individual network hop; wherever a hop terminates, the data is back in the clear unless the file itself was encrypted. Since answers A, C, and D say nothing about what happens at point C, they should be considered insecure, because the file may sit at rest at point C in unencrypted form.
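The end-to-end protection this answer describes, as an added example that is not part of the book's answer key: the file is sealed with AES-256-GCM at point A, the intermediate store at point C holds only ciphertext (so it is protected at rest even after the TLS link into C has terminated, which is the data-at-rest role the previous answer gives AES-256), and only the holder of the key at point E can open it. The classification label is bound to the ciphertext as additional authenticated data, so it can be read by handlers but not swapped. The key, the sample file contents and the label are constructed for the demo, and `DemoKey`, `EncryptFile`, `DecryptFile` and `ExposedAtRest` are names chosen here, not anything from the book.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// DemoKey returns a constructed 32-byte AES-256 key for this example only.
// A real deployment gets the key from a KMS or a proper KDF, never from a
// hard-coded string.
func DemoKey() []byte {
	sum := sha256.Sum256([]byte("example-only-key-material-do-not-reuse"))
	return sum[:]
}

// EncryptFile seals the file at its origin (point A) with AES-256-GCM.
// Layout of the result: nonce || ciphertext || 16-byte GCM tag.
// The classification label is passed as additional authenticated data:
// it travels in the clear so handlers can see it, but any change to it
// makes decryption at E fail.
func EncryptFile(key, plaintext, label []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so the nonce rides along with the data.
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// DecryptFile opens the sealed file at its destination (point E). It fails
// closed on a wrong key, a modified ciphertext, a swapped label, or a
// truncated file.
func DecryptFile(key, sealed, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed file too short")
	}
	nonce, body := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, body, label)
}

// ExposedAtRest models an intermediate store (point C) that holds the file
// after the TLS link has been terminated: it reports whether the stored
// bytes reveal the plaintext.
func ExposedAtRest(stored, plaintext []byte) bool {
	return bytes.Contains(stored, plaintext)
}

func main() {
	key := DemoKey()
	// Constructed sample file and label for the demo.
	file := []byte("Q3 payroll export: 4,812 employees, total 21,400,000 USD")
	label := []byte("Confidential")

	sealed, err := EncryptFile(key, file, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("at point C, plaintext visible: %v\n", ExposedAtRest(sealed, file))

	opened, err := DecryptFile(key, sealed, label)
	fmt.Printf("at point E, decrypted OK: %v (%q)\n", err == nil, opened)

	// Tampering at C, or relabeling the file as Public, is caught at E.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptFile(key, tampered, label)
	fmt.Printf("tampered copy rejected: %v\n", err != nil)
	_, err = DecryptFile(key, sealed, []byte("Public"))
	fmt.Printf("relabeled copy rejected: %v\n", err != nil)
}
```

Because the nonce is carried with the ciphertext and GCM authenticates both the body and the label, the store at C needs no secrets at all, which is exactly why it no longer matters whether C is a trusted host or "the Internet".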
- C. Encrypting and labeling sensitive email ensures that it remains confidential and can be identified and handled correctly. Applying these measures only to sensitive email avoids the cost and effort of encrypting all email and lets the organization focus its effort where it matters. Encrypting only highly sensitive email not only skips labeling but may also expose email of other classifications that should not be exposed.
- D. Scoping is performed when you match baseline controls to the IT system you are working to secure, selecting the controls that actually apply. Creating standards is part of the configuration process and may involve the use of baselines. Baselining can mean either creating a security baseline or configuring systems to meet one. CIS, the Center for Internet Security, publishes a variety of security baselines (the CIS Benchmarks).