Questions and Answers
Which one of the following identifies the primary purpose of information classification processes? (Select all that apply)
- Define the requirements for protecting sensitive data. (correct)
- Define the requirements for storing data.
- Define the requirements for backing up data.
- Define the requirements for transmitting data.
When determining the classification of data, which one of the following is the most important consideration?
- Processing system
- Value (correct)
- Accessibility
- Storage media
Which of the following answers would not be included as sensitive data?
- Proprietary data
- Data posted on a website (correct)
- Personally identifiable information (PII)
- Protected health information (PHI)
What is the most important aspect of marking media?
Which would an administrator do to classified media before reusing it in a less secure environment?
Which of the following statements correctly identifies a problem with sanitization methods?
Which of the following choices is the most reliable method of destroying data on a solid state drive?
Which of the following is the most secure method of deleting data on a DVD?
Which of the following does not erase data?
Which one of the following is based on Blowfish and helps protect against rainbow table attacks?
Which one of the following would administrators use to connect to a remote server securely for administration?
Which one of the following tasks would a custodian most likely perform?
Which one of the following data roles is most likely to assign permissions to grant users access to data?
Which of the following best defines 'rules of behavior' established by a data owner?
Within the context of the European Union (EU) Data Protection law, what is a data processor?
What do the principles of notice, choice, onward transfer, and access closely apply to?
An organization is implementing a preselected baseline of security controls, but finds not all of the controls apply. What should they do?
Which of the following choices would have prevented the theft of sensitive backups without sacrificing security?
Which of the following administrator actions might have prevented the incident of data theft?
What policy was not followed regarding the backup media?
Study Notes
Information Classification and Data Protection
- The main goal of information classification is to define protection requirements for sensitive data.
- Data classification is based on its value to the organization, particularly the potential negative impact from unauthorized access.
- Sensitive data includes personally identifiable information (PII), protected health information (PHI), and proprietary data; data posted online is generally not considered sensitive.
Data Handling and Media Management
- The most critical aspect of marking media is its classification, which informs users about protection measures needed.
- To reuse classified media in a less secure context, the media should be purged, meaning all data is irrecoverably overwritten.
- Sanitization methods may be flawed due to improper execution by personnel, impacting data security.
Data Deletion Techniques
- Purging solid-state drives (SSDs) is the most reliable method for data destruction; random data is used to overwrite existing information.
- Physical destruction is the most secure way to delete data on optical media like DVDs, while erasing or formatting typically does not fully eliminate data.
Roles in Data Management
- Administrators assign data access permissions, while custodians back up data and protect its integrity.
- Rules of behavior, established by data owners, dictate appropriate use and protection measures for data.
Data Protection Regulations
- Under EU Data Protection law, a data processor processes personal data on behalf of a data controller, who directs the processor's actions.
Privacy Principles
- The Safe Harbor principles emphasize notice, choice, onward transfer, and access, all crucial for maintaining data privacy.
Security Control Implementation
- Tailoring security controls to fit organizational needs ensures resources are not wasted on irrelevant controls.
- It is essential to use secure offsite facilities for sensitive backup media to protect against theft while maintaining availability.
Incident Response and Prevention
- Marking backup tapes before they are sent to cost-effective storage can raise awareness of their sensitivity, reducing theft risk.
- Adhering to record retention policies is vital for ensuring backups do not hold data longer than necessary; in the scenario presented, this policy was not followed.
Overall Best Practices
- Effective data protection involves thorough classification, reliable destruction methods, proper personnel training, and adherence to regulations and guidelines for handling sensitive information across various environments.
Description
This quiz covers the key concepts of information classification, data handling, and media management. Learn about the protection requirements for sensitive data, the importance of proper data sanitization methods, and effective techniques for data deletion. Test your understanding of these essential topics in data security.