1-TestChapter1 PDF

Summary

This document covers various aspects of data security and protection, including methods to protect data in transit, at rest, and in use. It outlines the importance of data loss prevention systems and data minimization techniques. The document also includes review questions on topics such as threat assessment, security controls, and cybersecurity objectives.

Full Transcript

reputational damage may be difficult to quantify, but it also may
have a lasting impact. In some cases, organizations may suffer
operational damage if they experience availability damages,
preventing them from accessing their own information.
Data must be protected in transit, at rest, and in use.
Attackers may attempt to eavesdrop on network transmissions
containing sensitive information. This information is highly
vulnerable when in transit unless protected by encryption
technology. Attackers also might attempt to breach data stores,
stealing data at rest. Encryption serves to protect stored data as well
as data in transit. Data is also vulnerable while in use on a system
and should be protected during data processing activities.
Data loss prevention systems block data exfiltration
attempts. DLP technology enforces information handling policies
to prevent data loss and theft. DLP systems may function at the host
level, using software agents to search systems for the presence of
sensitive information. They may also work at the network level,
watching for transmissions of unencrypted sensitive information.
DLP systems detect sensitive information using pattern-matching
technology and/or digital watermarking.
Data minimization reduces risk by reducing the amount of
sensitive information that we maintain. In cases where we
cannot simply discard unnecessary information, we can protect
information through deidentification and data obfuscation. The tools
used to achieve these goals include hashing, tokenization, and
masking of sensitive fields.

Review Questions
1. Matt is updating the organization's threat assessment process.
What category of control is Matt implementing?
A. Operational
B. Technical
C. Corrective
D. Managerial
2. Jade's organization recently suffered a security breach that
affected stored credit card data. Jade's primary concern is the
fact that the organization is subject to sanctions for violating the
provisions of the Payment Card Industry Data Security
Standard. What category of risk is concerning Jade?
A. Strategic
B. Compliance
C. Operational
D. Financial
3. Chris is responding to a security incident that compromised one
of his organization's web servers. He believes that the attackers
defaced one or more pages on the website. What cybersecurity
objective did this attack violate?
A. Confidentiality
B. Nonrepudiation
C. Integrity
D. Availability
4. Gwen is exploring a customer transaction reporting system and
discovers the table shown here. What type of data minimization
has most likely been used on this table?
 A. Destruction
B. Masking
C. Tokenization
D. Hashing
5. Tonya is concerned about the risk that an attacker will attempt
to gain access to her organization's database server. She is
 searching for a control that would discourage the attacker from
attempting to gain access. What type of security control is she
seeking to implement?
A. Preventive
B. Detective
C. Corrective
D. Deterrent
6. Greg is implementing a data loss prevention system. He would
like to ensure that it protects against transmissions of sensitive
information by guests on his wireless network. What DLP
technology would best meet this goal?
A. Watermarking
B. Pattern recognition
C. Host-based
D. Network-based
7. What term best describes data that is being sent between two
systems over a network connection?
A. Data at rest
B. Data in transit
C. Data in processing
D. Data in use
8. Tina is tuning her organization's intrusion prevention system to
prevent false positive alerts. What type of control is Tina
implementing?
A. Technical control
B. Physical control
C. Managerial control
D. Operational control
9. Which one of the following is not a common goal of a
cybersecurity attacker?
 A. Disclosure
B. Denial
C. Alteration
D. Allocation
10. Tony is reviewing the status of his organization's defenses
against a breach of their file server. He believes that a
compromise of the file server could reveal information that
would prevent the company from continuing to do business.
What term best describes the risk that Tony is considering?
A. Strategic
B. Reputational
C. Financial
D. Operational
11. Which one of the following data elements is not commonly
associated with identity theft?
A. Social Security number
B. Driver's license number
C. Frequent flyer number
D. Passport number
12. What term best describes an organization's desired security
state?
A. Control objectives
B. Security priorities
C. Strategic goals
D. Best practices
13. Lou mounted the sign below on the fence surrounding his
organization's datacenter. What control type best describes this
control?
 Source: Gabriel Cassan / Adobe Stock
A. Compensating
B. Detective
C. Physical
D. Deterrent
14. What technology uses mathematical algorithms to render
information unreadable to those lacking the required key?
A. Data loss prevention
B. Data obfuscation
C. Data minimization
D. Data encryption
15. Greg recently conducted an assessment of his organization's
security controls and discovered a potential gap: the
organization does not use full-disk encryption on laptops. What
type of control gap exists in this case?
A. Detective
 B. Corrective
C. Deterrent
D. Preventive
16. What compliance regulation most directly affects the operations
of a health-care provider?
A. HIPAA
B. PCI DSS
C. GLBA
D. SOX
17. Nolan is writing an after action report on a security breach that
took place in his organization. The attackers stole thousands of
customer records from the organization's database. What
cybersecurity principle was most impacted in this breach?
A. Availability
B. Nonrepudiation
C. Confidentiality
D. Integrity
18. Which one of the following objectives is not one of the three
main objectives that information security professionals must
achieve to protect their organizations against cybersecurity
threats?
A. Integrity
B. Nonrepudiation
C. Availability
D. Confidentiality
19. Which one of the following data protection techniques is
reversible when conducted properly?
A. Tokenization
B. Masking
 C. Hashing
D. Shredding
20. Which one of the following statements is not true about
compensating controls under PCI DSS?
A. Controls used to fulfill one PCI DSS requirement may be
used to compensate for the absence of a control needed to
meet another requirement.
B. Controls must meet the intent of the original requirement.
C. Controls must meet the rigor of the original requirement.
D. Compensating controls must provide a similar level of
defense as the original requirement.