Chapter 1: The Case for Zero Trust

It was still dark in the room, but Dylan couldn’t sleep any longer. He looked at the clock. It was only 4:45—not enough time to go back to sleep but too early to actually get up. Dylan was starting a new job today. Maybe his dream job if things worked out. So what if he was a little anxious? He was also genuinely excited, and he hadn’t felt that way about a job in a long time. Or maybe ever. He closed his eyes again hoping for another few minutes of sleep.

Dylan opened his eyes and turned back to the clock. It now read 4:46. He decided to get up instead of waiting for the alarm. His house slippers sat next to his running shoes in front of the nightstand. He slipped on his running shoes. He turned on the lamp and walked to the treadmill sitting on the opposite side of the room. He grabbed his right ankle with his right hand, stretching his quadricep, stretched the other leg, then hopped onto the treadmill.

He heard the warm tone of recognition as the treadmill scanned his face and loaded his profile. His three favorite workouts popped up on the curved LED screen. He tapped the fourth icon at the bottom, and he could see nine livestreams of runners from across the world. He picked the one on a beach in Costa Rica and began running. He could hear a whoop from several other runners following the livestream that he had gone on runs with before as they saw him join.

But then a funny thing happened: the livestream froze. Then instead of reconnecting him, the treadmill started to slow down to a safe speed, then stopped. The March Fitness logo appeared on the screen like when his Wi-Fi had gone out a few months back. Dylan stepped off the treadmill and checked his phone, but the Wi-Fi seemed to be working.

He decided to jump in the shower and start getting ready for work. After he had gotten dressed, he started his morning ritual of making his coffee and checking his email for any news alerts. Since he was starting at a new company, he had created an alert to send him an email whenever a news story about his new company, March Fitness, and the word “IT” or “outage” were mentioned. To his horror, his inbox was full of emails. His treadmill wasn’t the only one that wasn’t working. The whole company was down due to an outage. Worse, a cybersecurity reporter was claiming on Twitter that the company had just experienced a widespread cyberattack.

Dylan stood there, unable to move. How could this be happening? On his first day? An alarm was going off somewhere, and it took Dylan a moment to realize that it was his alarm clock. It was finally time for him to wake up.

There was still a chill in the air as Dylan ran up the steps of the headquarters building. In the center of the stairs was a giant running shoe made from a wire mesh with only the toe of the shoe attached to the slab of marble underneath. He walked through the revolving door, and more wire mesh shoes divided the length of the hallway, each in slightly different running positions, as though some giant had just run through, losing a new shoe at each point in its stride. The lobby to the headquarters of March Fitness ran the entire length of the building, separating the headquarters of the company into the north side and the south side.

The north side of the building was where all the executives of the company had their offices, along with marketing, HR, finance, and sales. The south side of the building was where the Information Technology offices were located, along with the research and development offices. Unlike when he had interviewed, there was no one at the security desk, and the security doors on either side of the building were propped wide open. There was a steady stream of what Dylan thought were interns sprinting north to south and south to north, all carrying crumpled up papers in either hand. This was a bad sign; if they had resorted to physical messengers, it meant that not only email was down but also instant messaging and the phone system. Or maybe they had taken the network itself down to prevent the attack from spreading further?

Since Dylan didn’t know where he should report, he headed toward the south side because that was where he had interviewed. He naturally broke into a jog to keep up with the messengers, and although he was in good shape and his six-foot-two-inch frame meant his steps were longer than average, the messengers darted around him like he was standing still.

He passed a bank of elevators and went into a cubicle farm where 100 employees would have normally sat. Instead, all the monitors were dark, and each had a piece of paper taped to it that read, “Do not power on.”

He followed the stream of breathless messengers to a conference room where he finally saw someone he recognized. Dr. Noor Patel, the Chief Information Officer, was sitting at the head of a conference table in the center of the room. Noor was wearing a black suit and white shirt, with her trademark black silk tie. At the opposite side of the table was Olivia Reynolds, the CEO and Founder of March Fitness. Everyone else at the table was wearing suits except for Reynolds, who was wearing one of March Fitness’s own brand of running suit.

“Dylan?” a woman whispered into his ear. She had silently moved through the standing-room-only crowd that had gathered around the meeting and startled Dylan. She had dark hair and was almost as tall as Dylan and smelled like lilacs. She was holding a binder full of papers that read Business Continuity Plan.

“I’m Isabelle… I run the Project Management Office. Noor asked me to keep an eye out for you this morning. Heck of a first day.” She turned to stand next to Dylan and watch the discussion going on at the center of the room.

She handed him his ID card, the retractable holder already attached. “You’re lucky we printed this last week. Now the whole card reader system is down, just like everything else. We started seeing some unusual activity on the network sometime Sunday evening,” Isabelle whispered to Dylan. “By this morning, things were out of control.”

He pinned the ID card to his belt, “I’m guessing you guys took the network down as a precaution? Do they know what the cause is?”

“Good guess, Dylan. Actually, a number of computers seem to have been infected with ransomware. We’re still investigating the cause, but the company is losing money every minute the network is down, so what they’re focusing on now is the fastest way to get us back online.”

Olivia Reynolds spoke softly, but everyone immediately stopped talking and turned to look at her. “How do we know this ransom isn’t just some kind of scam?” she asked. “Even if we did pay them, how do we know they’ll actually unlock our computers?”

“Ma’am,” one of the suits next to Noor spoke up. Unlike Noor, his suit was wrinkled and didn’t seem to fit quite right. “We see this issue come up frequently. There are scam ransomware actors out there. We can tell when this is the case, because they’ll use the same bitcoin wallet for all their victims. In those cases, you’ll see lots of transactions where their victims tried to pay up.”

“That’s our security consultant, Peter Liu,” Isabelle clarified quietly to Dylan.

“And in our case?” Olivia asked.

“In our case,” Noor responded before the consultant could answer, “the bitcoin wallet is brand new, with only one transaction that we believe was just the cybercriminal testing the account.”

“How does that explain anything?” asked a white-haired man wearing a blue pinstripe suit.

“That’s our General Counsel, Kofi Abara,” Isabelle clarified. “He’s one of the smartest people I’ve ever met. Also, he runs a monthly poker tournament. He was actually in the World Series of Poker a few years ago. Never bet against him.”

“It’s an accounting issue,” Peter explained. “The cybercriminal needs to know which victims have paid and which haven’t. The only way to do that is to have a different bitcoin wallet for each victim. Seeing that the bitcoin wallet is empty means this cybercriminal is serious.”

“What’s our next move?” Olivia asked.

Noor stood up and addressed the room. “We aren’t going to pay this cybercriminal if we can avoid it. We have our backups, and our team will go into overtime bringing computers back online from scratch. We’ve delayed upgrading our antivirus to a more modern EDR solution, so we’ll be doing these upgrades in parallel while we restore our devices. This will improve our visibility into systems to be able to detect and prevent further intrusions as well. Our consultants will be working with us to ensure the entire process will take hours, not days.” There were cheers from around the room from nervous IT staff ready to get to work.

Isabelle leaned over to Dylan and asked, “What’s an EDR tool?”

“It’s like antivirus software on steroids,” Dylan whispered. “It stands for endpoint detection and response. Old antivirus programs would use a kind of fingerprint to find malware, but the bad guys figured this out and would use different fingerprints. EDR works like facial recognition, so it doesn’t matter if you grow a beard or put on glasses. It can also take action to kick the bad guys out.”

Isabelle nodded thoughtfully as the conversation in the room settled back down.

“That sounds like a great plan, Dr. Patel, but what if it takes longer than you expect?” Kofi asked.

“Our cyber risk insurance company will continue negotiating with the cybercriminals on our behalf,” said a blonde woman wearing a bright red suit. She nodded to several consultants who were standing up behind her. “They’ll be working with the ransomware gang to reduce the ransom as though we intended to pay, to buy us additional time.”

“That’s Kim Self,” Isabelle added. “She’s our Chief Risk Officer. I’ll introduce you later.” Noor spoke up again, this time flanked by two directors who had been taking her notes down on their notepads.

“If our restoration goes for more than 36 hours,” Noor clarified, “working in shifts, then we’ll recommend paying the ransom. But we expect to be fully operational again in three days.”

“How much will that hurt?” Olivia asked, turning to look in Dylan’s direction.

Dylan was startled when the pink-haired woman standing on the other side of him answered. “We’ll be giving a free month of credit to all of our subscribers for the outage.” Dylan could see her nametag read Donna Chang, Chief Financial Officer. “It will hurt the same whether it’s a day or a week. We can handle it for now, but we need to start thinking about the long term. Customer melt is a concern. But frankly the bigger concern will be the recovery costs, which are still unknown.”

Olivia stood up and addressed the room, “Thank you all for being here. I’m not going to lie, the coming days will be a challenge. We will get through this challenge. We will be stronger because of it. We’ll meet back here at the same time tomorrow, and we’ll keep the video conference going so check in if you have any updates before then. Also, make sure you have the cell phone numbers for the people on your team until we can get our phone system back.”

The next several hours were a blur as Dylan worked to help whomever he could. But with no access and not much information about the network, there wasn’t much he could do. He mostly became a gopher, picking up supplies and carrying them to admins scrambling to rebuild computers from scratch.

“There you are,” said Isabelle, who was peeking over a cubicle wall. Dylan was under the desk, unplugging it to bring to an admin he was working with. He hit his head on the bottom of the desk as he came out.

“Please tell me you’ve got something for me to do? I’ve been carrying around computers all morning.”

“Boss needs you.” She was already walking away at a brisk pace, and Dylan had to run to catch up.

She took him back out into the lobby, past a giant sneaker suspended in midair, and into the north side of the building.

Dylan’s phone buzzed in his pocket. He pulled it out. It was Chuck, the recruiter whom he had worked with to get the job here at MarchFit. He silenced the call and kept following.

The smell of espresso filled the air of the executive suite. It made Dylan feel even more alert than he already was. “Is that the original stand-up desk treadmill that Olivia invented?” Dylan asked as they passed several prototype desk and treadmill concepts that had preceded the TreadMarch+ Dylan owned.

They walked by a tall conference room table that had small treadmills where each of the chairs would have been. “Walking meetings,” Isabelle said. “We had several large clients ready to place orders before the pandemic hit.”

Isabelle turned to smile at him, but kept walking. They arrived at a pair of bright orange double doors. Isabelle knocked and opened the door for Dylan. He walked in, but Isabelle didn’t follow. “Best of luck” was all she said as she walked away.

The office was framed by two walls of glass with a TreadMarch+ stand-up desk facing the windows. The third wall looked like a NASCAR garage, with red tool chests and work benches covered with power tools and treadmill parts in pieces scattered everywhere. In the center of the room was a small white table surrounded by four red, modern-looking couches. On the table was a stack of several binders. The one on top was the same one Dylan had seen Isabelle carrying earlier, the Business Continuity Plan.

“Is this the guy?” said an unfamiliar gentleman sitting on one of the couches. Olivia’s office, Dylan finally realized. Noor was sitting with her arms folded across from Olivia, who was leaning on the top of her desk. Noor nodded yes in answer to the man’s question.

“Tell me, Mr. Thomas, do you believe that the incident that just happened to MarchFit could have been prevented?”

Dylan looked to Noor and Olivia. Their faces were blank, apparently waiting for him to answer. This was a serious question.

“I don’t really know enough about all our technology to answer …” Dylan responded, but was interrupted.

“This isn’t a technical question. This is a philosophical question. Do you believe that prevention is possible?” The man had tented his fingers waiting for Dylan to respond.

“I suppose,” Dylan began, “that we have to believe prevention is possible.”

The man waited several seconds for Dylan to continue, then asked, “Why do you have to believe that prevention is possible, Mr. Thomas?”

“Don’t you have to believe that success is possible in order to have success? If we didn’t believe we could prevent cybercriminals from breaking in, we’d unconsciously make it happen. Also, I’d be crazy for making this my career and not believe I could make a difference.”

“Next question. What’s the purpose of cybersecurity?” the man asked, folding his arms.

Dylan considered. “Security is only here to enable the business to keep running smoothly.” The man nodded wisely at this and was silent for a long time. “Was there another question?” Dylan asked, turning to Noor and Olivia.

“Last question,” the man said. “Do you enjoy learning?”

“Sure,” Dylan answered. “You have to love learning in IT. We’re always learning about the next new advance in technology.”

The man jumped up from his seat quickly, and before he knew it, Dylan was shaking his hand. “You’re about to learn a lot,” he said to Dylan. “He’ll do,” he said to Olivia and Noor, and began walking out the door. “I’ll see you tomorrow, Mr. Thomas.”

“I’m sorry about all of this, Dylan,” Noor said, turning to Olivia. She sat down on the couch where the man had just been sitting and gestured for Dylan to sit across from her. Olivia sat down next to Noor.

“There’s nothing to apologize for,” Olivia countered. She turned to Dylan, beaming. “This is a huge opportunity, Dylan. I’m really glad to meet you. I usually meet all our employees, but I wish we were meeting under different circumstances.”

“We could at least ask him first so that he knows what he’s getting into,” Noor said. “Dylan, I know you were planning on meeting your team today.”

“I saw a couple of them already,” Dylan responded.

“Yes. But obviously some things have come up,” Noor said. “Don’t worry, you’re not being fired or anything. But since you’ve not been trained yet, or really had any orientation time, you’re not going to be much help with the incident response.” She picked up her coffee cup and took a long, slow drink.

“Now it sounds like I’m being fired,” Dylan laughed nervously.

“Dylan,” Olivia answered, “you’re definitely not being fired. A few hours ago, I asked Dr. Patel here what the most cutting-edge security program was in the world. And Dr. Patel, you said?”

“Zero Trust,” Noor answered.

“Do you know what Zero Trust is, Dylan?” Olivia asked.

He folded his arms and crossed his legs. “I’ve heard of it, but I don’t know much about it. Isn’t that just a marketing term for security companies?”

The two women looked at each other with a knowing glance. Dylan got the uneasy feeling that this conversation had happened already.

“I asked the question, and it turns out that one of the world’s foremost experts on Zero Trust lives just a few minutes away from us,” Olivia explained. “You just met him. He’s worked with John Kindervag and Dr. Chase Cunningham, the two Forrester analysts who pioneered Zero Trust. His name is Aaron Rapaport, by the way, but I don’t think he actually introduced himself.”

“So, I’ll be what, working for him now?” Dylan asked.

“Technically, you’ll still be working for me,” Noor corrected.

Dylan turned his head to the side. “Technically?”

“She means that for the next six months you’ll have a dotted line reporting directly to me,” Olivia said.

“Oh” was all Dylan could manage. “So this consultant is my Obi-Wan? He’ll teach me the ways of Zero Trust?”

“Here’s why I’m convinced Zero Trust will work for us,” Olivia said, both to Dylan as well as to Noor. “I read that the president has issued an executive order requiring the government to adopt Zero Trust as a strategy for securing the government against other governments. When I talked to Aaron just now, he convinced me. Dylan, tell me why I’m convinced.”

“If the government is adopting it, then it must be right?” Dylan said sarcastically. The three of them burst into laughter. Noor finally relaxed in her seat.

“No. I was convinced because it’s actually a strategy for security. This is the issue that Noor and I have been debating. With any other goal or objective in our business, we’ve got a strategy for achieving it. Our goal in security is to prevent bad things from happening. I know we can go buy tools or implement more tech to add to security, but how do we know we’re on the right track? In every other area of the business we have a strategy, and Zero Trust is going to be our security strategy moving forward.”

“I’ll be leading the incident response and recovery efforts,” Noor explained. “But at the same time, we’ll be launching a transformation initiative for all of the technology in the company to fully implement Zero Trust.”

“You’ve heard that an ounce of prevention is worth a pound of cure?” Olivia asked Dylan. He nodded. “That’s what I expect of Zero Trust. That’s why Aaron asked you about whether you believe in prevention. We believe that prevention is the most efficient way of stopping breaches, and Zero Trust is the best strategy for implementing prevention in technology.”

“That makes sense,” Dylan said.

“This is a huge career opportunity. You’ll be in charge of implementing Zero Trust at a company that’s a household name. It would be crazy to turn this down,” Olivia said, looking at Noor.

“So what happens in six months?” Dylan asked. “You said I’d just be reporting to you for six months?”

“In six months, we’ll be launching a whole new product that will change the way the world looks at fitness, work-life balance, everything. We can’t afford to make a misstep that could keep us from being first to market,” Olivia said.

“We won’t take for granted that you are on board with this new challenge, Dylan,” Noor said. “You should take some time to think about this. You’ve specialized in managing IT infrastructure your whole career, and this is a different kind of challenge, and not one that you thought you had signed up for yesterday. I wouldn’t expect you to just blindly accept an offer like this.”

There was a soft knock at the door and a redheaded woman wearing a yellow suit came in without waiting for an answer. “Oh good, you’re both here,” she said as she approached Olivia and Noor. “We got a hit from our media monitoring service. The hacker has gone public with his demands.” She handed her phone to Olivia, while Noor and Dylan came closer so that the three of them could see the tweet from the cybercriminal.

[Figure: A tweet from the cybercriminal 3nc0r3 publicly threatening MarchFit and confirming rumors of a cyberattack]

“Dylan, this is April, our head of public relations,” Noor said. April reached out and shook Dylan’s hand.

“Who is this Encore person?” Olivia asked.

“His profile makes it seem like he’s based somewhere in Eastern Europe or Russia, but it’s not clear where he’s from. His past tweets indicate he’s ransomed several other organizations, but we’re the biggest target he’s gone after so far,” April explained, taking back her phone.

“I’ll check with the negotiator to see if this is the same person they’ve been talking to,” Noor said, standing up. “The negotiator was supposed to be stalling for more time. This could change our timeline.” She walked to the door, and Dylan followed before she stopped him. “You can take all the time you need to think about this, so long as you make your decision in the next few hours.” She winked at him. “Also, if you decide to be our Zero Trust project leader, you’re going to have a bit of homework before tomorrow.” Noor pointed to the stack of binders on the table.

Dylan began to walk outside. He was carrying one of Olivia’s designer backpacks heavy with all the paperwork he had to read. On the way out the door, he noticed MarchFit’s motto, “Every Step Matters,” written above the entrance to the building. The fresh air helped, but what he really needed was to go for a run. The stress usually just melted away when he ran.

The job he’d be doing wasn’t like anything he’d ever done before. It was an opportunity, but not the one he had been imagining just a few hours ago.

He unlocked his phone and remembered he had missed a call. He hadn’t noticed that there was a voicemail, so he pressed the button and put the phone to his ear.

“Dylan, this is Chuck. Man, I know you just started over there at MarchFit and I heard about the breach. I just heard back from one of the other companies you were interviewing with at the same time as MarchFit and they’re making you an offer. Dylan, it’s more money and you’d be in a very similar role. If you think this thing is going south, give me a call and we can get you out of there.”

Dylan collapsed onto the bench, exhausted. Things were moving too fast. He was too tired to think straight.

He looked up and saw a couple running together past the building. They waved as they passed by. Then more people ran. He realized the running trails that surrounded the headquarters building were full of runners. They were hooting their support every time one of the exhausted MarchFit employees would leave the building.

He hit the button to call Chuck.

“Dylan, hey buddy. I knew you’d be calling. You don’t need to let this job set you back…”

“Chuck, thanks for the offer, but I’m going to see this one through.”

“Are you sure, man? Some companies don’t do so well after a breach. I’m talking layoffs. I’m giving you a safe way out, bro. You could go be a director of cloud infrastructure anywhere. You’re on your way to being a CIO soon. I’m worried this could hold you back.”

“March Fitness got me through the pandemic, Chuck. You knew me three years ago. If I hadn’t gotten that treadmill, I might not be here. I’m serious, losing all that weight has made a difference for me. I know it can make a difference for other people, and I’m going to stick it out here to make sure the company is still here to help other people.”

Key Takeaways

Trust is a vulnerability.

Zero Trust is a cybersecurity strategy that says that the fundamental problem we have is a broken trust model where the untrusted side of the network is the evil Internet and the trusted side is the stuff we control. Therefore, organizations don’t do any real security on the trusted side. However, almost all data breaches and negative cybersecurity events are an exploitation of that broken trust model. Zero Trust is about getting rid of trust when it comes to technology. How much trust should you have in a digital system? The answer is zero. Hence, Zero Trust.

Zero Trust is a strategy for success when it comes to cybersecurity. The reason that Zero Trust resonates with presidents, CEOs, and other leaders is that they recognize that having a strategy for winning in any discipline is critical to success. Every company is different, which means that how a strategy is implemented will vary from one company to the next. A successful Zero Trust implementation will be custom tailored for each business to meet their unique needs, tools, and processes.

The primary goal of Zero Trust is to prevent breaches. Prevention is possible. In fact, it’s more cost effective from a business perspective to prevent a breach than it is to attempt to recover from a breach, pay a ransom, and deal with the costs of downtime or lost customers.

Zero Trust is more than just a marketing buzzword. Zero Trust isn’t any one specific tool that you can buy, because you can use many different tools to achieve the same objectives. Zero Trust isn’t a reference architecture, because each implementation of Zero Trust will be completely customized.

Project Zero Trust will take you on the journey of a company that will successfully implement Zero Trust. You’ll learn the most important concepts, methodologies, and design principles to take back to your own organization. For any strategy to work, you need to have some critical elements in place. March Fitness already had in place backups, a risk register, inventory, and a Business Continuity Plan (BCP), so they were able to recover rather than pay the ransom. They also had cyber risk insurance and contracts already in place with a cybersecurity breach response service, which was able to assist with the recovery and negotiations. And they had printed out all of their critical documentation on paper to ensure that it would be available even if their computers were offline. But even if you don’t have these elements today, you can still adopt a strategy of Zero Trust.

Note that March Fitness has a Chief Information Officer (CIO) who also acts as their Chief Information Security Officer (CISO). Depending on the industry, many large organizations may or may not have a dedicated CISO or dedicated information security staff. Wherever your organization is in its cybersecurity maturity, you can be successful at implementing a Zero Trust strategy. And if you haven’t yet begun your Zero Trust journey, the best time to start is today.

https://learning.oreilly.com/library/view/project-zero-trust/9781119884842/c01.xhtml#head-2-8

AWS Certified Cloud Practitioner (CLF-C01): Chapter 1 – The AWS Cloud Defined

At the end of this lesson you should be able to answer and explain these questions:

  1. What are 5 characteristics of cloud computing as defined by NIST?
  2. What are the 3 service models?
  3. What are the 4 deployment models?
  4. What are 4 Compute services discussed in the chapter?
  5. What are 4 Storage services discussed in the chapter?
  6. What are 5 Network services discussed in the chapter?
  7. What are 4 Database Services?
  8. What are 3 Security services discussed in the chapter?
  9. What are 3 Automation and Application Support services discussed in the chapter?
  10. What are 3 Management Tools discussed in the chapter?
  11. What are 2 Monitoring tools discussed in the chapter?

Introduction to the cloud

  1. On-demand self-service
  2. Broad network access
  3. Resource pooling
  4. Rapid elasticity
  5. Measured service

Cloud Service Models

  1. SaaS
  2. PaaS
  3. IaaS

Deployment Models

  1. Private Cloud
  2. Community Cloud
  3. Public Cloud
  4. Hybrid Cloud

Introduction to the AWS Cloud

Compute Services

  1. Elastic Compute Cloud (EC2)
  2. Lambda
  3. Elastic Beanstalk
  4. Elastic Container Service (ECS)

Storage Services

  1. Simple Storage Service (S3)
  2. Elastic Block Store (EBS)
  3. Glacier
  4. Elastic File System (EFS)

Network Services

  1. Virtual Private Cloud (VPC)
  2. Route 53
  3. CloudFront
  4. API Gateway
  5. Direct Connect

Database Services

  1. Relational Database Service (RDS)
  2. DynamoDB
  3. ElastiCache
  4. Redshift

Security Services

  1. Identity and Access Management (IAM)
  2. Security Groups
  3. Network ACLs

Automation and Application Support

  1. CodeDeploy
  2. CloudFormation
  3. OpsWorks

Management Tools

  1. Service Catalog
  2. Systems Manager
  3. Trusted Advisor

Monitoring

  1. CloudWatch
  2. CloudTrail

CISSP Domain 2: Asset Security

Objectives covered in this domain

· 2.1 Identify and classify information and assets

· 2.2 Establish information and asset handling requirements

· 2.3 Provision resources securely

· 2.4 Manage data lifecycle

· 2.5 Ensure appropriate asset retention (e.g. End-of-Life (EOL), End-of-Support (EOS))

· 2.6 Determine data security controls and compliance requirements

1. Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she most likely using to protect against it?

A. Man-in-the-middle, VPN

B. Packet injection, encryption

C. Sniffing, encryption

D. Sniffing, TEMPEST

2. Control Objectives for Information and Related Technology (COBIT) is a framework for information technology (IT) management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls against business requirements?

A. Business owners

B. Data processors

C. Data owners

D. Data stewards

3. Nadia’s company is operating a hybrid cloud environment with some on-site systems and some cloud-based systems. She has satisfactory monitoring on-site, but needs to apply security policies to both the activities her users engage in and to report on exceptions with her growing number of cloud services. What type of tool is best suited to this purpose?

A. A NGFW

B. A CASB

C. An IDS

D. A SOAR

4. When media is labeled based on the classification of the data it contains, what rule is typically applied regarding labels?

A. The data is labeled based on its integrity requirements.

B. The media is labeled based on the highest classification level of the data it contains.

C. The media is labeled with all levels of classification of the data it contains.

D. The media is labeled with the lowest level of classification of the data it contains.

5. Which one of the following administrative processes assists organizations in assigning appropriate levels of security control to sensitive information?

A. Data classification

B. Remanence

C. Transmitting data

D. Clearing

6. How can a data retention policy help to reduce liabilities?

A. By ensuring that unneeded data isn’t retained

B. By ensuring that incriminating data is destroyed

C. By ensuring that data is securely wiped so it cannot be restored for legal discovery

D. By reducing the cost of data storage required by law

7. Staff in an information technology (IT) department who are delegated responsibility for day-to-day tasks hold what data role?

A. Business owner

B. User

C. Data processor

D. Custodian

8. Helen’s company uses a simple data lifecycle as shown in the figure here. What stage should come first in their data lifecycle?

A. Data policy creation

B. Data labeling

C. Data collection

D. Data analysis

9. Ben has been tasked with identifying security controls for systems covered by his organization’s information classification system. Why might Ben choose to use a security baseline?

A. It applies in all circumstances, allowing consistent security controls.

B. They are approved by industry standards bodies, preventing liability.

C. They provide a good starting point that can be tailored to organizational needs.

D. They ensure that systems are always in a secure state.

10. Megan wants to prepare media to allow for its reuse in an environment operating at the same sensitivity level. Which of the following is the best option to meet her needs?

A. Clearing

B. Erasing

C. Purging

D. Sanitization

11. Mikayla wants to identify data that should be classified that already exists in her environment. What type of tool is best suited to identifying data like Social Security numbers, credit card numbers, and similar well-understood data formats?

A. Manual searching

B. A sensitive data scanning tool

C. An asset metadata search tool

D. A data loss prevention system (DLP)

12. What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs?

A. They can be used to hide data.

B. They can only be degaussed.

C. They are not addressable, resulting in data remanence.

D. They may not be cleared, resulting in data remanence.

13. Naomi knows that commercial data is typically classified based on different criteria than government data. Which of the following is not a common criterion for commercial data classification?

A. Useful lifespan

B. Data value

C. Impact to national security

D. Regulatory or legal requirements

For questions 14–16, please refer to the following scenario:

Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations.

14. What term best describes data that is resident in system memory?

A. Data at rest

B. Buffered data

C. Data in use

D. Data in motion

15. What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it?

A. Classification

B. Symmetric encryption

C. Watermarks

D. Metadata

16. What type of encryption is best suited for use on the file servers for the proprietary data, and how might you secure the data when it is in motion?

A. TLS at rest and AES in motion

B. AES at rest and TLS in motion

C. VPN at rest and TLS in motion

D. DES at rest and AES in motion

17. What does labeling data allow a DLP system to do?

A. The DLP system can detect labels and apply appropriate protections based on rules.

B. The DLP system can adjust labels based on changes in the classification scheme.

C. The DLP system can modify labels to permit requested actions.

D. The DLP system can delete unlabeled data.

18. Why is it cost effective to purchase high-quality media to contain sensitive data?

A. Expensive media is less likely to fail.

B. The value of the data often far exceeds the cost of the media.

C. Expensive media is easier to encrypt.

D. More expensive media typically improves data integrity.

19. Chris is responsible for workstations throughout his company and knows that some of the company’s workstations are used to handle both proprietary information and highly sensitive trade secrets. Which option best describes what should happen at the end of their life (EOL) for workstations he is responsible for?

A. Erasing

B. Clearing

C. Sanitization

D. Destruction

20. Fred wants to classify his organization’s data using common labels: private, sensitive, public, and proprietary. Which of the following should he apply to his highest classification level based on common industry practices?

A. Private

B. Sensitive

C. Public

D. Proprietary

21. What scenario describes data at rest?

A. Data in an IPsec tunnel

B. Data in an e-commerce transaction

C. Data stored on a hard drive

D. Data stored in RAM

22. If you are selecting a security standard for a Windows 10 system that processes credit cards, what security standard is your best choice?

A. Microsoft’s Windows 10 security baseline

B. The CIS Windows 10 baseline

C. PCI DSS

D. The NSA Windows 10 Secure Host Baseline

For questions 23–25, please refer to the following scenario:

The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Answer the following questions based on this decision.

23. The CIS benchmarks are an example of what practice?

A. Conducting a risk assessment

B. Implementing data labeling

C. Proper system ownership

D. Using security baselines

24. Adjusting the CIS benchmarks to your organization’s mission and your specific IT systems would involve what two processes?

A. Scoping and selection

B. Scoping and tailoring

C. Baselining and tailoring

D. Tailoring and selection

25. How should you determine which controls from the baseline should be applied to a given system or software package?

A. Consult the custodians of the data.

B. Select based on the data classification of the data it stores or handles.

C. Apply the same controls to all systems.

D. Consult the business owner of the process the system or data supports.

26. The company that Henry works for operates in the EU and collects data about their customers. They send that data to a third party to analyze and provide reports to help the company make better business decisions. What term best describes the third-party analysis company?

A. The data controller

B. The data owner

C. The data subject

D. The data processor

27. The government defense contractor that Selah works for has recently shut down a major research project and is planning on reusing the hundreds of thousands of dollars of systems and data storage tapes used for the project for other purposes. When Selah reviews the company’s internal processes, she finds that she can’t reuse the tapes and that the manual says they should be destroyed. Why isn’t Selah allowed to degauss and then reuse the tapes to save her employer money?

A. Data permanence may be an issue.

B. Data remanence is a concern.

C. The tapes may suffer from bitrot.

D. Data from tapes can’t be erased by degaussing.

28. Information maintained about an individual that can be used to distinguish or trace their identity is known as what type of information?

A. Personally identifiable information (PII)

B. Personal health information (PHI)

C. Social Security number (SSN)

D. Secure identity information (SII)

29. Which of the following information security risks to data at rest would result in the greatest reputational impact on an organization?

A. Improper classification

B. Data breach

C. Decryption

D. An intentional insider threat

30. Full disk encryption like Microsoft’s BitLocker is used to protect data in what state?

A. Data in transit

B. Data at rest

C. Unlabeled data

D. Labeled data

31. The company that Katie works for provides its staff with mobile phones for employee use, with new phones issued every two years. What scenario best describes this type of practice when the phones themselves are still usable and receiving operating system updates?

A. EOL

B. Planned obsolescence

C. EOS

D. Device risk management

32. What is the primary purpose of data classification?

A. It quantifies the cost of a data breach.

B. It prioritizes IT expenditures.

C. It allows compliance with breach notification laws.

D. It identifies the value of the data to the organization.

33. Fred’s organization allows downgrading of systems for reuse after projects have been finished and the systems have been purged. What concern should Fred raise about the reuse of the systems from his Top Secret classified project for a future project classified as Secret?

A. The Top Secret data may be commingled with the Secret data, resulting in a need to relabel the system.

B. The cost of the sanitization process may exceed the cost of new equipment.

C. The data may be exposed as part of the sanitization process.

D. The organization’s DLP system may flag the new system due to the difference in data labels.

34. Which of the following concerns should not be part of the decision when classifying data?

A. The cost to classify the data

B. The sensitivity of the data

C. The amount of harm that exposure of the data could cause

D. The value of the data to the organization

35. Which of the following is the least effective method of removing data from media?

A. Degaussing

B. Purging

C. Erasing

D. Clearing

For questions 36–38, please refer to the following scenario:

The healthcare company that Amanda works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit.

Classification: Handling requirements

Confidential (HIPAA):
  Encrypt at rest and in transit.
  Full disk encryption is required for all workstations.
  Files can only be sent in encrypted form, and passwords must be transferred under separate cover.
  Printed documents must be labeled with “HIPAA handling required.”

Private (PHI):
  Encrypt at rest and in transit.
  PHI must be stored on secure servers, and copies should not be kept on local workstations.
  Printed documents must be labeled with “Private.”

Sensitive (business confidential):
  Encryption is recommended but not required.

Public:
  Information can be sent unencrypted.

36. What encryption technology would be appropriate for HIPAA documents in transit?

A. BitLocker

B. DES

C. TLS

D. SSL

37. Amanda’s employer asks Amanda to classify patient X-ray data that has an internal patient identifier associated with it but does not have any way to directly identify a patient. The company’s data owner believes that exposure of the data could cause damage (but not exceptional damage) to the organization. How should Amanda classify the data?

A. Public

B. Sensitive

C. Private

D. Confidential

38. What technology could Amanda’s employer implement to help prevent confidential data from being emailed out of the organization?

A. DLP

B. IDS

C. A firewall

D. UDP

39. Jacob’s organization uses the US government’s data classification system, which includes Top Secret, Secret, Confidential, and Unclassified ratings (from most sensitive to least). Jacob encounters a system that contains Secret, Confidential, and Top Secret data. How should it be classified?

A. Top Secret

B. Confidential

C. Secret

D. Mixed classification

40. Elle is planning her organization’s asset retention efforts and wants to establish when the company will remove assets from use. Which of the following is typically the last event in a manufacturer or software provider’s lifecycle?

A. End of life

B. End of support

C. End of sales

D. General availability

41. Amanda has been asked to ensure that her organization’s controls assessment procedures match the specific systems that the company uses. What activity best matches this task?

A. Asset management

B. Compliance

C. Scoping

D. Tailoring

42. Chris is responsible for his organization’s security standards and has guided the selection and implementation of a security baseline for Windows PCs in his organization. How can Chris most effectively make sure that the workstations he is responsible for are being checked for compliance and that settings are being applied as necessary?

A. Assign users to spot-check baseline compliance.

B. Use Microsoft Group Policy.

C. Create startup scripts to apply policy at system start.

D. Periodically review the baselines with the data owner and system owners.

43. Frank is reviewing his company’s data lifecycle and wants to place appropriate controls around the data collection phase. Which of the following ensures that data subjects agree to the processing of their data?

A. Retention

B. Consent

C. Certification

D. Remanence

44. As a DBA, Amy’s data role in her organization includes technical implementations of the data policies and standards, as well as managing the data structures that the data is stored in. What data role best fits what Amy does?

A. Data custodian

B. Data owner

C. Data processor

D. Data user

45. The company Jim works for suffered from a major data breach in the past year and now wants to ensure that it knows where data is located and if it is being transferred, is being copied to a thumb drive, or is in a network file share where it should not be. Which of the following solutions is best suited to tagging, monitoring, and limiting where files are transferred to?

A. DRM

B. DLP

C. A network IPS

D. Antivirus

46. What security measure can provide an additional security control in the event that backup tapes are stolen or lost?

A. Keep multiple copies of the tapes.

B. Replace tape media with hard drives.

C. Use appropriate security labels.

D. Use AES-256 encryption.

47. Joe works at a major pharmaceutical research and development company and has been tasked with writing his organization’s data retention policy. As part of its legal requirements, the organization must comply with the US Food and Drug Administration’s Code of Federal Regulations Title 21. To do so, it is required to retain records with electronic signatures. Why would a signature be part of a retention requirement?

A. It ensures that someone has reviewed the data.

B. It provides confidentiality.

C. It ensures that the data has been changed.

D. It validates who approved the data.

48. Susan wants to manage her data’s lifecycle based on retention rules. What technique can she use to ensure that data that has reached the end of its lifecycle can be identified and disposed of based on her organization’s disposal processes?

A. Rotation

B. DRM

C. DLP

D. Tagging

49. Ben has been asked to scrub data to remove data that is no longer needed by his organization. What phase of the data lifecycle is Ben most likely operating in?

A. Data retention

B. Data maintenance

C. Data remanence

D. Data collection

50. Steve is concerned about the fact that employees leaving his organization were often privy to proprietary information. Which one of the following controls is most effective against this threat?

A. Sanitization

B. NDAs

C. Clearing

D. Encryption

51. Alex works for a government agency that is required to meet US federal government requirements for data security. To meet these requirements, Alex has been tasked with making sure data is identifiable by its classification level when it is created. What should Alex do to the data?

A. Classify the data.

B. Encrypt the data.

C. Label the data.

D. Apply DRM to the data.

52. Ben is following the National Institute of Standards and Technology (NIST) Special Publication 800-88 guidelines for sanitization and disposition as shown here. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow?

Source: NIST SP 800-88.

A. Destroy, validate, document

B. Clear, purge, document

C. Purge, document, validate

D. Purge, validate, document

53. What methods are often used to protect data in transit?

A. Telnet, ISDN, UDP

B. BitLocker, FileVault

C. AES, Serpent, IDEA

D. TLS, VPN, IPsec

54. Which one of the following data roles bears ultimate organizational responsibility for data?

A. System owners

B. Business owners

C. Data owners

D. Mission owners

55. Shandra wants to secure an encryption key. Which location would be the most difficult to protect, if the key was kept and used in that location?

A. On a local network

B. On disk

C. In memory

D. On a public network

For questions 56–58, please refer to the following scenario:

Chris has recently been hired into a new organization. The organization that Chris belongs to uses the following classification process:

1. Criteria are set for classifying data.

2. Data owners are established for each type of data.

3. Data is classified.

4. Required controls are selected for each classification.

5. Baseline security standards are selected for the organization.

6. Controls are scoped and tailored.

7. Controls are applied and enforced.

8. Access is granted and managed.

56. If Chris is one of the data owners for the organization, what steps in this process is he most likely responsible for?

A. He is responsible for steps 3, 4, and 5.

B. He is responsible for steps 1, 2, and 3.

C. He is responsible for steps 5, 6, and 7.

D. All of the steps are his direct responsibility.

57. Chris manages a team of system administrators. What data role are they fulfilling if they conduct steps 6, 7, and 8 of the classification process?

A. They are system owners and administrators.

B. They are administrators and custodians.

C. They are data owners and administrators.

D. They are custodians and users.

58. If Chris’s company operates in the European Union and has been contracted to handle the data for a third party, what role is his company operating in when it uses this process to classify and handle data?

A. Business owners

B. Mission owners

C. Data processors

D. Data administrators

For questions 59–62, please refer to the following scenario:

Chris has been put in charge of his organization’s IT service management effort, and part of that effort includes creating an inventory of both tangible and intangible assets. As a security professional, you have been asked to provide Chris with security-related guidance on each of the following topics. Your goal is to provide Chris with the best answer from each of the options, knowing that in some cases more than one of the answers could be acceptable.

59. Chris needs to identify all of the active systems and devices on the network. Which of the following techniques will give him the most complete list of connected devices?

A. Query Active Directory for a list of all computer objects.

B. Perform a port scan of all systems on the network.

C. Ask all staff members to fill out a form listing all of their systems and devices.

D. Use network logs to identify all connected devices and track them down from there.

60. Chris knows that his inventory is only accurate at the moment it was completed. How can he best ensure that it remains up-to-date?

A. Perform a point-in-time query of network connected devices and update the list based on what is found.

B. Ensure that procurement and acquisition processes add new devices to the inventory before they are deployed.

C. Require every employee to provide an updated inventory of devices they are responsible for on a quarterly basis.

D. Manually verify every device in service at each organizational location on a yearly basis.

61. Chris knows that his organization has more than just physical assets. In fact, his organization’s business involves significant intellectual property assets, including designs and formulas. Chris needs to track and inventory those assets as well. How can he most effectively ensure that he can identify and manage data throughout his organization based on its classification or type?

A. Track file extensions for common data types.

B. Ensure that data is collected in specific network share locations based on the data type and group that works with it.

C. Use metadata tagging based on data type or security level.

D. Automatically tag data by file extension type.

62. Chris has been tasked with identifying intangible assets but needs to provide his team with a list of the assets they will be inventorying. Which of the following is not an example of an intangible asset?

A. Patents

B. Databases

C. Formulas

D. Employees

63. Which of the following is not a common requirement for the collection of data under data privacy laws and statutes?

A. Only data that is needed is collected.

B. Data should be obtained lawfully and via fair methods.

C. Data should only be collected with the consent of the individual whose data is being collected.

D. Data should be collected from all individuals equally.

64. Susan works in an organization that labels all removable media with the classification level of the data it contains, including public data. Why would Susan’s employer label all media instead of labeling only the media that contains data that could cause harm if it was exposed?

A. It is cheaper to order all prelabeled media.

B. It prevents sensitive media from not being marked by mistake.

C. It prevents reuse of public media for sensitive data.

D. Labeling all media is required by HIPAA.

65. Data stored in RAM is best characterized as what type of data?

A. Data at rest

B. Data in use

C. Data in transit

D. Data at large

66. What issue is the validation portion of the NIST SP 800-88 sample certificate of sanitization (shown here) intended to help prevent?

Source: Certificate of Sanitization.

A. Destruction

B. Reuse

C. Data remanence

D. Attribution

67. Why is declassification rarely chosen as an option for media reuse?

A. Purging is sufficient for sensitive data.

B. Sanitization is the preferred method of data removal.

C. It is more expensive than new media and may still fail.

D. Clearing is required first.

68. Incineration, crushing, shredding, and disintegration all describe what stage in the lifecycle of media?

A. Sanitization

B. Degaussing

C. Purging

D. Destruction

69. What term is used to describe information like prescriptions and X-rays?

A. PHI

B. Proprietary data

C. PID

D. PII

70. Why might an organization use unique screen backgrounds or designs on workstations that deal with data of different classification levels?

A. To indicate the software version in use

B. To promote a corporate message

C. To promote availability

D. To indicate the classification level of the data or system

71. Charles has been asked to downgrade the media used for storage of private data for his organization. What process should Charles follow?

A. Degauss the drives, and then relabel them with a lower classification level.

B. Pulverize the drives, and then reclassify them based on the data they contain.

C. Follow the organization’s purging process, and then downgrade and replace labels.

D. Relabel the media, and then follow the organization’s purging process to ensure that the media matches the label.

72. Which of the following tasks is not performed by a system owner per NIST SP 800-18?

A. Develops a system security plan

B. Establishes rules for appropriate use and protection of data

C. Identifies and implements security controls

D. Ensures that system users receive appropriate security training

73. NIST SP 800-60 provides a process shown in the following diagram to assess information systems. What process does this diagram show?

Source: NIST SP 800-60.

A. Selecting a standard and implementing it

B. Categorizing and selecting controls

C. Baselining and selecting controls

D. Categorizing and sanitizing

The following diagram shows a typical workstation and server and their connections to each other and the internet. For questions 74–76, please refer to this diagram.

74. Which letters on this diagram are locations where you might find data at rest?

A. A, B, and C

B. C and E

C. A and E

D. B, D, and F

75. What would be the best way to secure data at points B, D, and F?

A. AES-256

B. SSL

C. TLS

D. 3DES

76. What is the best way to secure files that are sent from workstation A via the internet service (C) to remote server E?

A. Use AES at rest at point A, and use TLS in transit via B and D.

B. Encrypt the data files and send them.

C. Use 3DES and TLS to provide double security.

D. Use full disk encryption at A and E, and use SSL at B and D.

77. Susan needs to provide a set of minimum security requirements for email. What steps should she recommend for her organization to ensure that the email remains secure?

A. All email should be encrypted.

B. All email should be encrypted and labeled.

C. Sensitive email should be encrypted and labeled.

D. Only highly sensitive email should be encrypted.

78. How can a data retention policy reduce liabilities?

A. By reducing the amount of storage in use

B. By limiting the number of data classifications

C. By reducing the amount of data that may need to be produced for lawsuits

D. By reducing the legal penalties for noncompliance

79. What data role does a system that is used to process data have?

A. Mission owner

B. Data owner

C. Data processor

D. Custodian

80. Which one of the following is not considered PII under US federal government regulations?

A. Name

B. Social Security number

C. Student ID number

D. ZIP code

81. What type of health information is the Health Insurance Portability and Accountability Act required to protect?

A. PII

B. PHI

C. SHI

D. HPHI

82. The system that Ian has built replaces data in a database field with a randomized string of characters that remains the same for each instance of that data. What technique has he used?

A. Data masking

B. Tokenization

C. Anonymization

D. DES

83. Juanita’s company processes credit cards and wants to select appropriate data security standards. What data security standard is she most likely to need to use and comply with?

A. CC-Comply

B. PCI-DSS

C. GLBA

D. GDPR

84. What is the best method to sanitize a solid-state drive (SSD)?

A. Clearing

B. Zero fill

C. Disintegration

D. Degaussing

For questions 85–87, please refer to the following scenario:

As shown in the following security lifecycle diagram (loosely based on the NIST reference architecture), NIST uses a five-step process for risk management. Using your knowledge of data roles and practices, answer the following questions based on the NIST framework process.

85. What data role will own responsibility for step 1, the categorization of information systems; to whom will they delegate step 2; and what data role will be responsible for step 3?

A. Data owners, system owners, custodians

B. Data processors, custodians, users

C. Business owners, administrators, custodians

D. System owners, business owners, administrators

86. If the systems that are being assessed all handle credit card information (and no other sensitive data), at what step would the PCI DSS first play an important role?

A. Step 1

B. Step 2

C. Step 3

D. Step 4

87. What data security role is primarily responsible for step 5?

A. Data owners

B. Data processors

C. Custodians

D. Users

88. Susan’s organization performs a secure disk wipe process on hard drives before they are sent to a third-party organization to be shredded. What issue is her organization attempting to avoid?

A. Data retention that is longer than defined in policy

B. Mishandling of drives by the third party

C. Classification mistakes

D. Data permanence

89. Mike wants to track hardware assets as devices and equipment are moved throughout his organization. What type of system can help do this without requiring staff to individually check bar codes or serial numbers?

A. A visual inventory

B. WiFi MAC address tracking

C. RFID tags

D. Steganography

90. Retaining and maintaining information for as long as it is needed is known as what?

A. Data storage policy

B. Data storage

C. Asset maintenance

D. Record retention

91. Which of the following activities is not a consideration during data classification?

A. Who can access the data

B. What the impact would be if the data was lost or breached

C. How much the data cost to create

D. What protection regulations may be required for the data

92. What type of encryption is typically used for data at rest?

A. Asymmetric encryption

B. Symmetric encryption

C. DES

D. OTP

93. Which data role is tasked with applying rights that provide appropriate access to staff members?

A. Data processors

B. Business owners

C. Custodians

D. Administrators

94. What element of asset security is often determined by identifying an asset’s owner?

A. It identifies the individual(s) responsible for protecting the asset.

B. It provides a law enforcement contact in case of theft.

C. It helps establish the value of the asset.

D. It determines the security classification of the asset.

95. Fred is preparing to send backup tapes off-site to a secure third-party storage facility. What steps should Fred take before sending the tapes to that facility?

A. Ensure that the tapes are handled the same way the original media would be handled based on their classification.

B. Increase the classification level of the tapes because they are leaving the possession of the company.

C. Purge the tapes to ensure that classified data is not lost.

D. Decrypt the tapes in case they are lost in transit.

96. Which of the following does not describe data in motion?

A. Data on a backup tape that is being shipped to a storage facility

B. Data in a TCP packet

C. Data in an e-commerce transaction

D. Data in files being copied between locations

97. A new law is passed that would result in significant financial harm to your company if the data that it covers was stolen or inadvertently released. What should your organization do about this?

A. Select a new security baseline.

B. Relabel the data.

C. Encrypt all of the data at rest and in transit.

D. Review its data classifications and classify the data appropriately.

98. Which of the following data roles are typically found inside of a company instead of as a third-party contracting relationship? (Select all that apply.)

A. Data owners

B. Data controllers

C. Data custodians

D. Data processors

99. What commercial data classification is most appropriate for data contained on corporate websites?

A. Private

B. Sensitive

C. Public

D. Proprietary

100. Match each of the numbered data elements shown here with one of the lettered categories. You may use the categories once, more than once, or not at all. If a data element matches more than one category, choose the one that is most specific.

Data elements

1. Medical records

2. Trade secrets

3. Social Security numbers

4. Driver’s license numbers

Categories

A. Proprietary data

B. Protected health information

C. Personally identifiable information

AWS Certified Cloud Practitioner (CLF-C01): Chapter 1 – The AWS Cloud Defined

Introduction to the cloud

  1. On-demand self-service
  2. Broad network access
  3. Resource pooling
  4. Rapid elasticity
  5. Measured service

Cloud Service Models

  1. SaaS
  2. PaaS
  3. IaaS

Deployment Models

  1. Private Cloud
  2. Community Cloud
  3. Public Cloud
  4. Hybrid Cloud

Introduction to the AWS Cloud

Compute Services

  1. Elastic Compute Cloud (EC2)
  2. Lambda
  3. Elastic Beanstalk
  4. Elastic Container Service (ECS)

Storage Services

  1. Simple Storage Service (S3)
  2. Elastic Block Store (EBS)
  3. Glacier
  4. Elastic File System (EFS)

Network Services

  1. Virtual Private Cloud (VPC)
  2. Route 53
  3. CloudFront
  4. API Gateway
  5. Direct Connect

Database Services

  1. Relational Database Service (RDS)
  2. DynamoDB
  3. ElastiCache
  4. Redshift

Security Services

  1. Identity and Access Management (IAM)
  2. Security Groups
  3. Network ACLs

Automation and Application Support

  1. CodeDeploy
  2. CloudFormation
  3. OpsWorks

Management Tools

  1. Service Catalog
  2. Systems Manager
  3. Trusted Advisor

Monitoring

  1. CloudWatch
  2. CloudTrail