Chapter 11 - Data Classification and Handling Policies and Risk Management Policies Flashcards

(48 cards)

1
Q

_____________ in its simplest form is a way to identify the value of data.

A

Data classification

2
Q

Three approaches to reducing the time and effort required to classify data are:

A

1 - Classify only the most important data

2 - Classify data by storage location or point of origin

3 - Classify data at time of creation or use

3
Q

The Department of Energy uses the following 3 classifications:

A

Unclassified Controlled Nuclear Information (UCNI), Formerly Restricted Data (FRD), and Restricted Data.

4
Q

The US DoD uses the following classifications:

A

Confidential, secret, and top secret

5
Q

The three most common reasons to classify data are:

A

-To protect information

-To retain information

-To recover information

6
Q

The need to protect information is often referred to as the _________________.

A

security classification

7
Q

You need to retain data for two major reasons:

A

legal obligation and needs of the business.

8
Q

In the US, financial and tax records are generally retained for _______ years.

A

7

9
Q

________________ requires all customer correspondence to be retained for three years. This is to ensure a record is kept in case of an accusation of fraud or misrepresentation.

A

The Securities and Exchange Commission (SEC) Rule 17a-4

10
Q

______________ is demonstrated through a retention policy that demonstrates how data is routinely classified, retained, and deleted.

A

“Good faith”

11
Q

There are various approaches, sometimes called _______________, to classifying data.

A

classification schemes

12
Q

When training employees on classification schemes, a good rule is to use ________________ classes. Many organizations use _________.

A

five or fewer

three

13
Q

With ____________ data, unauthorized disclosure would reasonably be expected to cause damage to national security.

A

confidential

14
Q

With ____________ data, unauthorized disclosure would reasonably be expected to cause serious damage to national security.

A

secret

15
Q

With ____________ data, unauthorized disclosure would reasonably be expected to cause grave damage to national security.

A

top secret

16
Q

__________________ is confidential data not subject to release under the Freedom of Information Act.

A

Sensitive but unclassified

17
Q

_________________ automatically removes the classification after 25 years.

A

Automatic declassification

18
Q

________________ reviews those records exempted from automatic declassification.

A

Systematic declassification

19
Q

_________________ reviews specific records when requested.

A

Mandatory declassification

20
Q

In the business world, _____________ closely align with measured business results.

A

impact definitions

21
Q

When developing a customized data classification scheme, consider the following 5 general guidelines:

A

1 - Determine the number of classification levels

2 - Define each classification level

3 - Name each level

4 - Align the classification to specific handling requirements

5 - Define the audit and reporting requirements

22
Q

You need to consider two primary issues when classifying data:

A

1 - data ownership

2 - security controls

23
Q

As with data classification, the data owner must strike a balance between ____________ and _______________.

A

protection and usability

24
Q

The majority of states today have privacy laws that fall under two types of encryption requirements:

A

1 - Laws that require private data to be encrypted

2 - Laws that require notification of breaches when private data is not encrypted

25
Q

The term _____________ refers to data that is in storage. This includes data on a server, laptop, CD, DVD, or universal serial bus (USB) thumb drive.

A

data at rest

26
Q

For encryption to be effective, security policies must establish core requirements and standards, such as:

A

1 - Encryption keys must be separated from encrypted data

2 - Encryption keys must be retrieved through a secure process

3 - Administrator rights at the OS layer do not give access to the database

27
Q

A lack of full compliance to implement encryption is due to the following three factors:

A

-Confusion over the laws

-Cost to comply

-Lack of a standardized approach among vendor products

28
Q

During ____________, data must be classified. That could be simply placing the data within a common storage area.

A

creation

29
Q

_____________ to data is governed by security policies. These policies provide special guidance on separation of duties (SOD). It’s important that procedures check SOD requirements before assigning this.

A

Access

30
Q

_____________ of data includes protecting and labeling information properly after its access. The data must be properly labeled and safeguarded according to its classification.

A

Use

31
Q

_______________ of data must be approved. This means that access to a device must be secured and properly controlled.

A

Storage devices

32
Q

______________ of data must be approved. This ensures that what leaves the confines of the private network is protected and tracked. The organization has an obligation to know where its data is.

A

Physical transport

33
Q

A _______________ can be any physical threat, such as a fire within the data center.

A

physical hazard

34
Q

An _______________ can be an environmental event, such as a storm or an earthquake.

A

environmental hazard

35
Q

A _____________ is a general category that covers other types of hazards that are not physical or environmental.

A

technical hazard

36
Q

The following are some benefits of a risk management approach to security policies. Such an approach:

A

-Identifies possible costs and benefits of decisions

-Considers actions that may not be apparent to the leaders and forces alternative thought

-Provides analytic rigor to ensure an objective consideration of risk

37
Q

The five steps in the Risk Management Continuous Improvement Model are:

A

1 - Prioritize the risk and align it with strategic objectives

2 - Identify an appropriate risk response

3 - Monitor effectiveness

4 - Identify residual and new risks whereby the cause of each is determined

5 - Assess the risk to measure the impact to the organization

38
Q

A ___________________ is an effective tool in the risk management arsenal. It allows the organization to understand its risks and their potential effects on the business. It’s a formal exercise many organizations conduct annually.

A

risk and control self-assessment (RCSA)

39
Q

A __________________ is the impact to the organization when an event occurs.

A

risk exposure

40
Q

A generally accepted formula can be used to calculate risk exposure:

A

Risk exposure = [Likelihood the event will occur] x [Impact if the event occurs]

41
Q

You can use different analytical methods to determine likelihood and impact. These methods fall into two types: ___________ and ______________.

A

quantitative and qualitative

42
Q

A vulnerability scan of a network, a scan of the source code of an application, and a scan of an operating system's open ports are examples of:

A

Tools and techniques to perform vulnerability assessments

43
Q

Security policies define when and how to perform a vulnerability assessment. The following are typical steps to be followed:

A

1 - Scope the assessment

2 - Identify dependencies

3 - Perform automated testing

4 - Analyze and generate reports

5 - Assign a rating

44
Q

The use of _______________ is best practice because they can scan a large volume of vulnerabilities within seconds.

A

automated testing tools

45
Q

Nmap, Nessus, and OWASP ZAP are examples of:

A

common vulnerability scan tools

46
Q

The key to success in patch management is to have a consistent approach to applying patches. This approach includes:

A

1 - Vetting

2 - Prioritization

3 - Implementation

4 - Post-implementation assessment

47
Q

_________________ is the act of giving confidence, the state of being certain, or the act of making certain. By contrast, ______________ is an evaluation to indicate needed corrective responses; the act of guiding a process in which variability is attributable to a constant system of chance causes.

A

Quality assurance

quality control

48
Q

When creating a data classification scheme, you must keep the following in mind:

A

1 - Keep the classification simple—no more than three to five data classes.

2 - Ensure that data classes are easily understood by employees.

3 - Data classification must highlight which data is most valuable to the organization.

4 - Classify data in the most effective manner that classifies the highest-risk data first.