[02/Rubicon/03]

Questions and Answers

Which team is responsible for classifying data attributes for security?

• Data warehouse team
• Source systems
• Data Security Office (DSO) (correct)
• Data Vault satellite splits

What is the main reason why DSO refuses to classify data attributes?

• Lack of resources
• Lack of communication
• Lack of knowledge of data security guidelines (correct)
• Lack of knowledge of the source systems

Why do source systems not classify data attributes?

• Lack of knowledge of data security guidelines
• Lack of resources
• Lack of communication
• Lack of knowledge of the source systems (correct)

True or false: The naive expectation is to receive classified metadata directly from the source systems?

True (A)

True or false: The data warehouse team is responsible for classifying data attributes for security?

False (B)

True or false: Lack of knowledge of the source systems is one of the reasons why DSO refuses to classify data attributes?

True (A)

Match the following entities with their roles in the data attribute classification process:

Source systems = Provide metadata to DSO DSO (Data Security Office) = Classifies metadata Data warehouse team = Performs the work of classification Naive expectation = Receive metadata from source

Match the following entities with the reasons they give for not classifying data attributes:

DSO (Data Security Office) = Lack of knowledge of the source systems Source systems = Lack of knowledge of data security guidelines Data warehouse team = This never works Naive expectation = DSO refuses to classify

Match the following steps with their place in the data attribute classification process:

Receive metadata from source = Naive expectation Receive classified metadata = DSO Apply Data Vault satellite splits = This never works Do Sign-off = Data warehouse team

Match the following steps with their descriptions in the data attribute classification process:

Identify the data attributes that need to be classified = Review the data inventory and identify the most sensitive or valuable data Identify the security classes that you need to use = Consider the organization's security policies, procedures, and relevant regulations Map the data attributes to the security classes = Decide which security class each data attribute belongs to Document the data classification = Create clear and concise documentation that is easy for users to understand

Match the following tips with their descriptions for classifying data attributes regarding security classes:

Use a risk-based approach = Consider the risks associated with each attribute when classifying Use a consistent approach = Ensure that data attributes are classified consistently across the organization Keep the classification up-to-date = Regularly review and update the data classification to reflect the organization's current security posture and associated risks

Match the following entities with their roles in the data attribute classification process:

Data warehouse team = Responsible for classifying data attributes for security Source systems = Do not classify data attributes DSO = Refuses to classify data attributes due to lack of knowledge of the source systems

Match the following reasons with the entities that give them for not classifying data attributes:

Lack of knowledge of the source systems = DSO Naive expectation to receive classified metadata directly = Source systems

Match the following statements with their correctness based on the text:

The data warehouse team is responsible for classifying data attributes for security = True Source systems classify data attributes = False The naive expectation is to receive classified metadata directly from the source systems = True Lack of knowledge of the source systems is one of the reasons why DSO refuses to classify data attributes = True

Match the following data attribute security classes with their corresponding examples:

High-risk = Customer financial information, medical records, trade secrets, and intellectual property Medium-risk = Employee contact information, sales data, and marketing data Low-risk = Public website content and publicly available information

Match the following data attribute security controls with their corresponding risk levels:

Encrypt data = High-risk Restrict access = Medium-risk Back up data = All data

Match the following actions with their corresponding data attribute security controls:

Encrypt = Protect from unauthorized access Restrict access = Protect from unauthorized use Back up = Protect from destruction

Match the following risks with their corresponding data attribute security controls:

Unauthorized access = Encryption Unauthorized use = Access restriction Destruction = Data backup

Match the following data attributes with their corresponding risk levels:

Customer financial information = High-risk Employee contact information = Medium-risk Public website content = Low-risk

Match the following examples with their corresponding data attribute security controls:

Trade secrets = Encryption Sales data = Access restriction Public website content = No specific security control

Match the following data attribute classifications with their corresponding actions:

High-risk = Encrypt Medium-risk = Restrict access Low-risk = No specific action

Match the following actions with their corresponding data attribute classifications:

Encryption = High-risk Access restriction = Medium-risk No specific action = Low-risk

Match the following levels of data risk with their corresponding data attribute classifications:

High = High-risk Medium = Medium-risk Low = Low-risk

Match the following data attribute security controls with their corresponding risk levels:

Encryption = High-risk Access restriction = Medium-risk Data backup = All data

Which of the following is considered a high-risk data attribute classification?

Trade secrets (C)

Which of the following is considered a medium-risk data attribute classification?

Public website content (C)

Which of the following is considered a low-risk data attribute classification?

Public website content (C)

What is one example of an appropriate security control for high-risk data?

Encrypting high-risk data (B)

What is one example of an appropriate security control for medium-risk data?

Restricting access to medium-risk data (B)

What is one example of an appropriate security control for low-risk data?

Backing up all data (B)

What is the purpose of classifying data attributes regarding security classes?

To prevent unauthorized access to data (A)

Why is it important to classify data attributes for security?

To comply with legal regulations (C)

What are some examples of high-risk data attribute classifications?

Customer financial information, medical records, trade secrets, and intellectual property (B)

What are some examples of medium-risk data attribute classifications?

Employee contact information, sales data, and marketing data (A)

Which of the following steps is NOT involved in classifying data attributes regarding security classes?

Reviewing and updating the data classification regularly (A)

When classifying data attributes, what approach should be used?

A consistent approach (A)

What should be considered when mapping data attributes to security classes?

The sensitivity of the data attribute (B)

What should the documentation of data classification be?

Clear and concise (D)

What is the purpose of using a risk-based approach when classifying data attributes?

To consider the risks associated with each attribute (C)

Why should the data classification be kept up-to-date?

To ensure the classification reflects the organization's current security posture (B)

What is the responsibility of the data warehouse team in classifying data attributes for security?

Identifying the data attributes that need to be classified (D)

Which of the following is NOT a tip for classifying data attributes regarding security classes?

Use a reactive approach (B)

What should be considered when identifying the data attributes that need to be classified?

The data attributes that are most valuable (C)

True or false: Data classification helps to protect an organization's data from unauthorized access?

True (A)

True or false: High-risk data attributes include customer financial information and trade secrets?

True (A)

True or false: Medium-risk data attributes include employee contact information and sales data?

True (A)

True or false: Low-risk data attributes include publicly available information?

True (A)

True or false: Data classification is not necessary for implementing appropriate security controls?

False (B)

True or false: Encrypting high-risk data is an example of an appropriate security control?

True (A)

True or false: Restricting access to medium-risk data is an example of an appropriate security control?

True (A)

True or false: Backing up all data is an example of an appropriate security control?

True (A)

True or false: Source systems do not classify data attributes?

True (A)

True or false: To classify data attributes regarding security classes, you need to identify the data attributes that need to be classified.

True (A)

True or false: Using a risk-based approach is not important when classifying data attributes?

False (B)

True or false: Mapping the data attributes to the security classes involves deciding which security class each data attribute belongs to.

True (A)

True or false: Documenting the data classification is not necessary in the data attribute classification process.

False (B)

True or false: Using a consistent approach to classifying data attributes is not important.

False (B)

True or false: It is not important to keep the data classification up-to-date.

False (B)

True or false: A risk-based approach should not be used when classifying data attributes.

False (B)

True or false: The data warehouse team is responsible for classifying data attributes for security.

False (B)

True or false: Lack of knowledge of the source systems is one of the reasons why DSO refuses to classify data attributes.

True (A)

True or false: The naive expectation is to receive classified metadata directly from the source systems.

True (A)