Data Ownership and Classification Quiz

Questions and Answers

Who is responsible for defining data and asset classifications and ensuring that data and systems are properly marked?

Data owners

Who is responsible for defining requirements to protect data at different classifications?

Data owners

Where are data classifications typically defined?

Within security policies or data policies

What is the difference between PII and PHI?

PII is personally identifiable information, PHI is protected health information.

Unauthorized disclosure of sensitive information (any type of classified information) is a loss of _____?

Confidentiality

Sensitive information should be ______ in order to be considered properly managed.

Marked, handled, stored, and destroyed after use

_____ policies ensure that data is kept in a usable state while it is needed and destroyed when it is no longer needed.

Record retention policies

Which role is responsible for the systems that process the data?

System owner

Which role is responsible for owning the processes and ensuring that the systems provide value to the organization?

Business and mission owners

Which role is typically the third-party entity that processes data for an organization?

Data processor

Which role grants access to the data based on guidelines provided by the data owners?

System Administrator

Which role accesses data while performing work tasks?

Users

Which role has the day-to-day responsibility of protecting and storing data?

Data Custodian

What are the two key security controls mentioned in the GDPR?

Encryption and pseudonymization

_______ provide a listing of controls that an organization can apply as a baseline.

Security control baselines

How are due care and due diligence different?

Due care is management providing the resources; due diligence is using those resources correctly.

_____ is the removal of all relevant data so it is impossible to identify the original subject or person.

Anonymization

What is metadata?

Data about data

Data specification and modeling processing, database maintenance, ongoing audits to ensure ongoing effectiveness, and archiving for backups are part of what ______.

Data Lifecycle Control

Data should be protected in what 3 states?

At rest, in transit, and in use

The residual signal after the data is erased is referred to as _______.

Data remanence

What is the difference between information classification and information categorization?

Classification determines access; categorization assesses impact of loss.

Notice, Choice, Onward Transfer, Security, Data Integrity, Access, and Enforcement are all requirements of what ________.

Privacy Shield - US and EU

What does HIPAA stand for?

Health Insurance Portability and Accountability Act

Is PCI an industry standard or legal standard?

False

The most effective protection control for data at rest is?

Encryption of all mobile and removable devices

Which is the most secure wireless network encryption protocol: WPA2 or WEP?

WPA2

Study Notes

Data Ownership and Classification

• Data owners are responsible for defining classifications and ensuring proper labeling and protection of data.
• They establish requirements for protecting data at various classifications, such as encrypting sensitive data both at rest and in transit.
• Data classifications are typically outlined in security or data policies.

Types of Sensitive Information

• Personally identifiable information (PII) identifies individuals, while protected health information (PHI) pertains to health-related data linked to a specific person.
• Unauthorized disclosure of classified information results in a loss of confidentiality.
• Sensitive information must be marked, handled, stored, and destructed post-use to be properly managed.

Data Management Policies

• Record retention policies dictate the retention and destruction of data as per regulatory requirements or organizational policies.
• System owners are responsible for the systems that process data, while business and mission owners ensure system effectiveness.

Roles in Data Handling

• A data processor is typically a third-party entity handling organizational data.
• System administrators grant data access based on data owner guidelines.
• Users access data to perform tasks, while data custodians manage the daily protection and storage of data.

Security Controls and Compliance

• The GDPR emphasizes two key security controls: encryption and pseudonymization.
• Security control baselines serve as a reference for applicable controls within an organization.

Due Care vs. Due Diligence

• Due care involves management providing resources for effective job performance; due diligence refers to the execution of that job with those resources.

Data Protection Techniques

• Anonymization removes identifiable data elements, making original subject identification impossible and is challenging due to data inference.
• Metadata refers to data that describes other data.

Data Lifecycle Management

• Data Lifecycle Control encompasses processes like specification, modeling, database maintenance, audits for effectiveness, and backup archiving.
• Data protection must span three states: at rest, in transit, and in use.

Data Remanence

• Data remanence refers to residual signals after data is erased; countermeasures include clearing, purging, and destruction.

Information Classification and Categorization

• Information classification determines access privileges, while categorization assesses the impact of confidentiality, integrity, and availability (CIA) loss.

Privacy Requirements

• The Privacy Shield framework outlines requirements for Notice, Choice, Onward Transfer, Security, Data Integrity, Access, and Enforcement, applicable in the US and EU.

Legislative Standards

• HIPAA stands for Health Insurance Portability and Accountability Act.
• PCI (Payment Card Industry) is an industry standard for card transactions; non-compliance may hinder credit card acceptance for businesses.

Data Protection Techniques

• The most effective control for data at rest is the encryption of all mobile and removable devices.
• WPA2 is the most secure wireless network encryption protocol compared to WEP and can also incorporate VPN protections.

Description

Test your knowledge on data ownership, classification types, and data management policies. This quiz covers the roles of data owners, types of sensitive information, and best practices for data protection and retention. Challenge yourself to ensure you understand the critical aspects of managing classified information.