Chapter7- Data Security (Hard)

Questions and Answers

Which of the following is NOT a goal of data security practices?

To restrict access to information (correct)

To meet business requirements

To protect information assets

To align with privacy and confidentiality regulations

Who are the stakeholders that organizations must recognize the privacy and confidentiality needs of?

Government agencies

Suppliers and business partners

Employees and shareholders

Clients and patients (correct)

What can happen if an organization's confidential data is stolen or breached?

Improved business processes

Loss of competitive advantage (correct)

Enhanced stakeholder trust

Increased transparency

Which of the following influences data security requirements?

All of the above

Which of the following is a potential consequence of ineffective security architecture or processes?

Increased overall cost

Which step is NOT included in the overall process of implementing an operational security strategy?

Locate sensitive data throughout the enterprise

What is one potential impact of security breaches on well-established brands?

Increased financial losses

What is the purpose of capturing security classifications and regulatory sensitivity at the data element and data set level?

To prevent unauthorized access to and misuse of data assets

Which of the following is a goal of data security policies and procedures?

To enable appropriate access to data assets

Who are the stakeholders that have privacy and confidentiality needs?

Clients, suppliers, and constituents

What are the primary drivers of data security activities?

Risk reduction and business growth

Why is it important to address data security as an enterprise initiative?

To integrate information management and protection into a coherent strategy

Which of the following is an example of Critical Risk Data (CRD)?

Data that is aggressively sought for unauthorized use by both internal and external parties due to its high direct financial value

Who is usually responsible for the overall Information Security function in an enterprise?

Chief Information Security Officer (CISO)

What is the first step in the NIST Risk Management Framework?

Categorizing all enterprise information

What is the meaning of 'access' as a noun?

Having a valid authorization to the data

Which of the following is a goal of data security activities?

All of the above

What is a vulnerability in the context of information security?

A weaknesses or defect in a system that allows it to be successfully attacked and compromised

What is a threat in the context of information security?

A potential offensive action that could be taken against an organization

How can risks be prioritized in data security?

All of the above

Which of the following is true about authentication in information security?

Authentication verifies the identity of a person logging into a system

Which of the following is true about authorization in information security?

Authorization grants individuals privileges to access specific views of data

What is an entitlement in information security?

An entitlement is the sum total of all the data elements exposed to a user by a single access authorization decision

What is data integrity in information security?

Data integrity is the state of being protected from improper alteration, deletion, or addition

Which encryption methods are considered secure?

Twofish and Serpent

What is the purpose of public-key encryption?

To allow the sender and receiver to have different keys

Which encryption method is a freely available application of public-key encryption?

PGP

What does obfuscation or masking do to data?

Changes the appearance of the data without losing meaning

What is the purpose of obfuscation or masking?

To make data less available

What are the primary methods of public-key encryption mentioned in the text?

RSA Key Exchange and DiffieHellman Key Agreement