Software Licensing and Information Lifecycle

Questions and Answers

What is the primary purpose of software license management?

• To create software licenses for developers
• To eliminate duplicate or overlapping licenses (correct)
• To ensure all software is available for download
• To allow unlimited use of software across all devices

What does 'data in motion' refer to?

• Data stored in the cloud or a private server
• Data that has been archived for long-term storage
• Data being transferred across networks or devices (correct)
• Data saved on a hard drive without active access

Which of the following is NOT a phase in the information lifecycle as defined by ISO 27002?

• Analysis (correct)
• Creation
• Retention
• Processing

What challenge is associated with data storage on physical media?

Moving documents raises security concerns (B)

What does the retention phase in some models of the information lifecycle signify?

Data cannot be disposed of due to regulations (C)

What is one of the responsibilities of software inventory management?

Identifying and managing software licenses (A)

Which phase immediately precedes the deletion/destruction phase in the information lifecycle?

Storage (D)

What type of data is referred to as being 'at rest'?

Data stored on a device or in the cloud (C)

What is a recommended practice for media that is no longer needed?

Destroy using approved methods (A)

Which of the following should NOT be included in the documentation requirements for transporting media?

The weight of the media being transported (C)

What should staff or couriers understand regarding the transport of media?

Approved travel methods and special handling needs (C)

When transporting media, what must be considered about encryption?

When and how to use encryption must be defined (C)

What role do appointed custodians play in media transport?

They need to verify their identity when using external couriers (B)

What is the consequence of storing unnecessary data on media?

It presents an unacceptable security risk (D)

What procedure should be followed regarding media transport accountability?

Check-in and check-out mechanisms must be defined (C)

How should responsibilities of custodians be managed during transport?

They should be clearly stated when transfer is necessary (D)

Why is it important for an organization to have a retention strategy for sensitive information?

To comply with legal and stakeholder requirements. (A)

What type of security control includes procedures like inspecting a perimeter fence?

Physical controls (C)

Which of the following is an example of a technical or logical control?

Access control lists in software systems (A)

What should an organization do if its information disposal processes do not match retention requirements?

Seek assistance from legal and senior management. (B)

Which of the following describes group policy objects (GPOs) in Windows-based systems?

Software-defined data structures that enforce security rules. (C)

What is the primary purpose of risk mitigation controls in information security?

To protect against and reduce risks to information. (A)

What action is part of implementing physical security controls?

Walking the fence line for inspections. (A)

Which of the following best characterizes the relationship between security controls?

They are complementary and consist of physical, technical, and administrative elements. (D)

What is a key reason mature organizations review their policies?

To adapt to new circumstances or technologies (D)

Who typically needs to consider changes in policies due to external factors?

Both governance bodies and management teams (C)

What differentiates a policy from a sub-policy?

A sub-policy is derived from higher-level policies (A)

Which of the following would likely be of primary interest to management?

Specific security practices like password policy (D)

What challenge does the diverse use of the term 'policy' present in organizations?

It complicates understanding within the information security community (D)

What aspect of organizational governance may lead to more frequent policy changes?

Changing business strategy and compliance expectations (A)

How should the use of the term 'policy' be interpreted in the context of security practice?

It can differ based on organization and context (A)

Which factor may disrupt the understanding of information security practices internationally?

Cultural differences and translations (C)

What is the purpose of a configuration management plan?

To define how the organization manages configuration of hardware and software assets. (A)

What is a configuration item (CI)?

A discrete part of an IT system with configurable settings or parameters. (B)

Who manages the configuration management plan within an organization?

The configuration control board (CCB). (C)

Which of the following best describes a baseline configuration?

A formally reviewed and approved set of configurations for a configuration item. (A)

What is one of the primary roles of the change control board (CCB)?

To control and approve changes throughout the lifecycle of IT systems. (A)

Why is record-keeping essential in a configuration management and change control system?

To establish a known configuration baseline for recovery after disasters. (A)

In the context of configuration management, what is the role of a stakeholder in the CCB?

To be involved in the development of configuration policies and procedures. (A)

What could happen if a backup image does not match the known configuration baseline?

The disaster recovery process may fail to restore normal operations. (A)

Flashcards are hidden until you start studying

Study Notes

Software Licensing and Data Storage

• Software license tools can often save money by detecting and eliminating duplicate licenses.
• Data is either being used, in motion, or stored.
• Data in motion refers to the transfer of data across networks, communications links, or to and from storage devices.
• Data at rest is data stored in endpoint devices, removable media, and storage subsystems.
• Data storage on paper, removable storage media, and devices needs to be secured when in transit.

Information Lifecycle

• ISO 27002 defines the information lifecycle in five phases: creation, processing, storage, transmission, and deletion/destruction.
• Security controls are categorized as physical, technical (or logical), and administrative elements.
• Physical controls include physical barriers, security patrols, and maintenance.
• Technical controls are software and data settings that govern how systems behave.
• Administrative controls are policies and procedures that define how systems are managed.

Security Policy and Compliance

• Security policies are written statements of security rules, objectives, and strategies.
• Policy review processes should address the changing needs of external stakeholders.
• Subpolicies amplify higher-level policies and provide more specific instructions.
• A challenge for the information security community is the lack of a common language.

Data Storage and Disposal

• Organizations should have a defined set of procedures for securing and transporting media outside of controlled areas.
• Media transport procedures should include transportation methods, routes, and handling considerations.
• Every category of corporate or private-sector sensitive information should have a retention strategy defined.
• Media disposal and information retention plans must match to ensure compliance.

Configuration Management and Change Control

• A configuration management (CM) plan defines how an organization manages the configuration of its hardware and software assets.
• A configuration control board (CCB) manages the CM plan and approves changes.
• A configuration item (CI) is a single, discreet component of an IT system that has configurable settings.
• A baseline configuration is a defined set of configurations for a CI that has been formally reviewed and approved.