Domain 2 Exam.
A minimum of 70% is required to pass.
#1. Jim is a sales representative and the data owner of the sales department. Which of the following is not the responsibility of Jim, the data owner?
〇:Verifying Data Availability
The responsibility for verifying data availability is the one responsibility listed that does not belong to the data (information) owner. Rather, it belongs to the data (information) controller. The data controller is also responsible for maintaining and protecting the data in accordance with the data owner’s instructions. This includes performing regular backups of data, restoring data from backup media, maintaining records of activities, and enforcing the information security and data protection requirements set out in company policies, guidelines, and standards. Data owners work at a higher level than data controllers. The data owner basically says, “This is the level of integrity, availability, and confidentiality you need to provide. Please do it now.” The data controller carries out these instructions and follows up on the installed controls to ensure they are working properly.
×:Assigning Information Classification
Incorrect. The question asks what Jim is not responsible for, and as the data owner, Jim is responsible for assigning information classifications.
×:Determining how to protect data
Incorrect because the data owner, such as Jim, is responsible for determining how the information is protected. The data owner has organizational responsibility for data protection and is liable for any negligence with respect to protecting the organization’s information assets. This means that Jim needs to decide how to protect the information and ensure that the data controller (a role usually occupied by IT or security) is implementing these decisions.
×:Determining how long to retain data
This is incorrect because the decision of how long to retain data is the responsibility of the data owner. The data owner is also responsible for determining who can access the information and ensuring that the appropriate access rights are used. He may approve access requests himself or delegate that function to the business unit manager. The business unit manager approves the request based on the user access criteria defined by the data owner.
#2. Which method is most appropriate when making a final decision on whether or not a particular security control measure should be implemented?
〇:Cost-benefit analysis
Controls must be put in place to reduce risk to within acceptable limits, and the measures selected must address risks identified as realistic, sufficiently likely, and sufficiently impactful. Analyzing the costs and benefits of the candidate measures is what determines which of them should actually be implemented.
×:Risk Analysis
This is incorrect because risk determination is only the first step in identifying what may be needed to control risk within acceptable thresholds.
×:ALE Consequences
Wrong because the ALE (annualized loss expectancy) tells the firm what it could lose if a particular threat becomes real. The ALE value feeds into the cost-benefit analysis, but the ALE itself does not address the cost of a countermeasure or the benefit it provides.
×:Identifying vulnerabilities and threats that pose a risk
This is incorrect because although the vulnerability and threat assessments make the need for countermeasures known, the assessments alone do not determine what the cost-effectiveness of the competing countermeasures is expected to be.
#3. We have a document that has been labeled as confidential information. Some of the text contains information that should be treated as critical confidential information, a level above confidential information. How should this be handled?
〇:Review labeling and treat as critical confidential information.
Labeling is the process of sorting data according to its level of confidentiality. Labeling makes clear the confidentiality level at which data must be managed. If the labeling is found to be incorrect, it should be corrected so that the data is managed in accordance with its true confidentiality level. Therefore, “Review the labeling and treat it as critical confidential information.” is the correct answer.
×:The entire document should be treated as confidential information because the business should be flexible.
This is not an appropriate operation because it treats text containing critical confidential information as merely confidential.
×:As supplemental information to the document, state that “part of the text contains critical confidential information.”
This is not a fundamental solution: noting this as supplementary information still leaves information of two different confidentiality levels handled under one label.
×:Destroy the document, because information of different confidentiality levels cannot be mixed.
Destroying the document is not an appropriate operation because it destroys one of the organization’s own assets.
#4. Susan is an attorney. She has been hired to fill a new position as Ride’s Chief Privacy Officer (CPO). What is her new primary role?
〇:Ensure the security of customer, company, and employee data.
The Chief Privacy Officer (CPO) is responsible for ensuring the security of customer, company, and employee data; the CPO is directly involved in setting policies on how data is collected, protected, and distributed to third parties. The CPO is usually an attorney and reports findings to the Chief Security Officer (CSO). Thus, the correct answer is “Ensure the security of customer, company, and employee data.”
Perhaps you did not know what a CPO is. The point of this question is to see whether you can infer the protection of personal information from the word “privacy.” When you see words you don’t know in the actual exam, don’t give up on the question just because you don’t know what they mean. There are always hints.
×:Ensure the protection of partner data.
CPOs are responsible for ensuring the security of customer, company, and employee data.
There can be protection of partner data, but not in the sense of a primary role.
×:Ensuring the accuracy and protection of company financial information.
This is not considered to be a protection of privacy.
×:Ensuring that security policies are defined and implemented.
This is a common objective for all personnel and responsible parties and is not specific to the role of Chief Privacy Officer (CPO).
#5. Which of the following positions would be most desirable as the person who issues or is responsible for security measures?
〇:CEO
Security measures should be set out together with business strategy and should be issued from the top, the CEO. Therefore, the correct answer is “CEO.”
×:CIO
Abbreviation for Chief Information Officer. Certainly, security measures may be issued by the CIO. However, the CIO is not the correct answer here, because it is “more desirable” to have the CEO, who is the top manager responsible for management, issue the security measures.
×:Site Manager
The person who issues or is responsible for security measures should be the person responsible for management. This is not the correct answer.
×:CTO
Abbreviation for Chief Technology Officer. The Chief Technology Officer’s main role is to promote and protect the organization’s research and technology. This is not the correct answer here, as the CEO is “more desirable” when security measures, including organizational management and governance, are issued.
#6. If the media contains sensitive information, purging must be performed at the end of the media lifecycle. Which of the following adequately describes purging?
〇:To make information physically unrecoverable by any special effort.
Purging is the removal of sensitive data from a disk. Deleting files in software does not actually erase the data; it only removes the reference to the data’s location on the disk. This means that if the data on a disk containing sensitive information cannot be completely erased, physical destruction is also necessary.
×:To change the polarization of atoms on a medium.
This is not a description of purging.
×:Do not authorize the reuse of media in the same physical environment for the same purpose.
While such an approval process may exist in practice, it is not a description of purging as data deletion.
×:To make data on media unrecoverable by overwriting it.
Simply overwriting media with new information does not eliminate the possibility of recovering previously written information.
Therefore, it does not fit the description of purging.
#7. Why are gates and fences installed as physical access controls?
Gates and fences are used as physical deterrents and preventive measures. A fence as low as 3 feet can act as a deterrent; a fence as tall as 8 feet can act as both a deterrent and a prevention mechanism. The purpose of the fence is to limit the routes in and out of the facility so that they pass only through doors, gates, and turnstiles.
#8. Which of the following means of data deletion leaves data unrecoverable even with special techniques, such as physical or forensic recovery?
〇:Purge by overwriting
Purging means making data unavailable even by physical forensic efforts. This is typically accomplished by overwriting each sector of the medium on which the data is stored.
×:Deleting data
Wrong. Deleting data with an operating system command typically leaves the data on the storage medium and merely marks the clusters or blocks it occupies as available for later reuse.
Personally, I feel that this option is better prepared for the exam. This is because the choice uses the general language of deleting data, which allows the answer to be given in a short time and in a broad sense. However, the term “purge” is a stronger fit for the question than this answer.
×:Sanitizing media
Wrong. Although more powerful than simply deleting data with an operating system command, sanitization usually refers to making storage media reusable within the same security context.
The method-specific option “purge” is a stronger fit for the question, since it asks about recovery “using special skills, such as physical or forensic.”
×:None of these work!
Wrong. With appropriate prudence, purging techniques can successfully handle data residuals.
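The following is an added example, not part of the exam page. It is a toy Python model of the distinction that the explanations for #6 and #8 rely on: an operating-system delete only drops the allocation-table entry and leaves the blocks intact, so a carving tool that ignores the table still finds the data, whereas purging by overwriting every block removes it from the raw image. The disk, file names, and record contents are all constructed for the demonstration. The model covers only the logical storage layer; it cannot show the physical remanence caveat that #6 raises about real magnetic or flash media.

```python
"""Toy block device showing what 'delete' and 'purge by overwriting' leave behind.

Added example (not from the exam page). Models an allocation table plus raw
blocks only; physical remanence on real media is outside this model.
"""
import os

BLOCK_SIZE = 16


class ToyDisk:
    """A flat bytearray of fixed-size blocks plus a table mapping file names to blocks."""

    def __init__(self, n_blocks: int) -> None:
        self.n_blocks = n_blocks
        self.blocks = bytearray(n_blocks * BLOCK_SIZE)
        self.table: dict[str, list[int]] = {}  # name -> block indices

    def _free_blocks(self) -> list[int]:
        used = {b for blks in self.table.values() for b in blks}
        return [i for i in range(self.n_blocks) if i not in used]

    def write_file(self, name: str, data: bytes) -> None:
        """Split data into blocks, place them in free slots, record them in the table."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise OSError("disk full")
        idxs = free[: len(chunks)]
        for idx, chunk in zip(idxs, chunks):
            start = idx * BLOCK_SIZE
            self.blocks[start:start + BLOCK_SIZE] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.table[name] = idxs

    def read_file(self, name: str) -> bytes:
        """Normal access goes through the table; a missing entry means 'no such file'."""
        if name not in self.table:
            raise FileNotFoundError(name)
        return b"".join(
            bytes(self.blocks[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]) for i in self.table[name]
        ).rstrip(b"\x00")

    def delete_file(self, name: str) -> None:
        """OS-style delete: drop the table entry only; the block contents are untouched."""
        del self.table[name]

    def purge_file(self, name: str, passes: int = 3) -> None:
        """Purge by overwriting: random passes over every block, then zero, then drop the entry."""
        for idx in self.table[name]:
            start = idx * BLOCK_SIZE
            for _ in range(passes):
                self.blocks[start:start + BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
            self.blocks[start:start + BLOCK_SIZE] = bytes(BLOCK_SIZE)
        del self.table[name]

    def forensic_carve(self, marker: bytes) -> bool:
        """Ignore the table and scan the raw image, as a file-carving tool would."""
        return marker in bytes(self.blocks)


def demo() -> dict[str, bool]:
    """Delete one file, purge another, then compare what the table and a carver see."""
    d = ToyDisk(8)
    d.write_file("a.txt", b"SECRET-A: customer list")  # constructed sample content
    d.write_file("b.txt", b"SECRET-B: payroll data")   # constructed sample content
    d.delete_file("a.txt")
    d.purge_file("b.txt")
    return {
        "a_listed": "a.txt" in d.table,            # False: the OS no longer shows it
        "b_listed": "b.txt" in d.table,            # False
        "a_carvable": d.forensic_carve(b"SECRET-A"),  # True: blocks still hold the data
        "b_carvable": d.forensic_carve(b"SECRET-B"),  # False: blocks were overwritten
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both files disappear from the table, so an ordinary `read_file` fails for each; only the raw-block scan distinguishes the deleted file (still carvable) from the purged one.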
#9. Countries around the world are affected by cyber warfare in many ways. Securing water, power, oil, gas, transportation, and manufacturing systems is a priority for governments, but how is utility and power grid infrastructure affected? These critical infrastructures are composed of various types of industrial control systems (ICS) that provide their functionality. Which of the following would not be considered an ICS?
〇:Central Control Systems
The most common types of industrial control systems (ICS) are distributed control systems (DCS), programmable logic controllers (PLC), and supervisory control and data acquisition (SCADA) systems. Although these systems provide a type of central control function, “central control systems” are not considered a common type of ICS because these systems are inherently distributed. DCSs are used to control production systems for industries such as water, electricity, and refineries. A DCS connects controllers that are distributed across geographic locations using a centralized supervisory control loop. This supervisory controller requests status data from field controllers and feeds this information back to a central interface for monitoring. Status data retrieved from sensors can be used in failover situations. The DCS can provide redundant protection in a modular fashion, which reduces the impact of a single failure: if one part of the system goes down, the entire system does not go down.
×:Programmable Logic Controllers
A programmable logic controller (PLC) is a common industrial control system (ICS) used to connect sensors throughout a utility network and convert this sensor signal data into digital data that can be processed by software monitoring and management. Originally created to perform simplified logic functions within basic hardware, PLCs have evolved into powerful controllers used in both SCADA and DCS systems. In SCADA systems, PLCs are most commonly used to communicate with remote field devices, while in DCS systems they are used as local controllers in supervisory control schemes. PLCs provide an application programming interface that allows communication with engineering control software applications.
×:Supervisory Control and Data Acquisition
Supervisory Control and Data Acquisition (SCADA) refers to computerized systems used to collect and process data and apply operational control to the components that make up a utility-based environment. This is a common type of ICS. SCADA control centers allow centralized monitoring and control of field sites (e.g., power grid, water supply systems). Field sites have remote station control devices (field devices) that provide data to the central control center. Based on the data sent from the field devices, an automated process or an operator can control the remote device to solve a problem or send commands to change its configuration for operational needs. This is a difficult environment to work within because the hardware and software are usually proprietary to a particular industry, and the systems are privately owned and operated. Communication can be via telecommunication links, satellites, and microwave-based systems.
×:Distributed Control Systems
This is incorrect because Distributed Control Systems (DCS) are a common type of ICS. In a DCS, control elements are not centralized. The control elements are distributed throughout the system and managed by one or more computers. SCADA systems, DCSs, and PLCs are used in industrial sectors such as water, oil and gas, electrical, and transportation. These systems are considered “critical infrastructure” and are highly interconnected and interdependent. Until recently, these critical infrastructure environments did not use the same types of technologies and protocols as the Internet, which kept them isolated and made them very difficult to attack. Over time, these proprietary environments were converted to IP-based environments using IP-based workstations connected to networking devices. While this transition allows for centralized management and control, it also exposes them to the same types of cyber attacks that the computer industry has always been vulnerable to.
#10. A backup file stored on a physical disk is being transported by truck to a data center at a different location. What is the state of the data in this backup file?
Stored data (data at rest) is data that is held on a disk or other media. Transmitted data (data in transit) is data flowing over a network. Used data (data in use) is data that is in memory, cache, etc. and currently being processed. Being transported by truck does not make it transmitted data. Therefore, “stored data” is the correct answer.
#11. Which of the following cannot be done by simply assigning a data classification level?
〇:Extraction of data from the database
In data classification, the classification level is used to specify which users have access to read and write the data stored in the database, but it does not itself involve the extraction of data from the database. Therefore, the correct answer is “extraction of data from the database.”
This is a question that may make you think “What is this?”, but you need to calmly separate the classification of data from the manipulation of data. The more time you spend, the more tempted you are to give a complicated answer, but keeping calm is important in solving abstract problems.
×:Grouping hierarchically classified information
This is the primary activity of data classification.
×:Ensuring that non-confidential data is not unnecessarily protected
It is written in a complicated way, but it means that data which does not need protection should not be given protection it does not need.
×:Understanding the impact of data leakage
Although it is not a direct activity of classification, the impact of a data breach is assessed in order to understand the data’s importance when classifying it.
#12. Which of the following should NOT be done in proper hardware disposal procedures?
A deleted file is physically recoverable. Shredding, demagnetizing (degaussing), and overwriting are all methods that render the data physically unrecoverable.
#13. Why should confidential text not be shredded and put in the trash?
〇:Because the information may be in the hands of someone outside the company after it has been placed in the dumpster.
Dumpster diving, or scavenging, is finding important information in the trash. Putting it in the trash can make you feel relieved that it has been removed. However, the trash can is nothing more than a shared space between internal and external parties, such as cleaning staff. Make sure to shred any text that contains confidential information to prevent leakage.
×:When restoring documents from the trash, they will be mixed with other documents.
They will not be destroyed for the purpose of restoring them.
×:Confidential documents do not need to be destroyed.
Even confidential documents must be destroyed if they are no longer needed.
×:There is no need to shred it.
No, of course they must be shredded.
#14. As part of the data disposal process, everything on the disk is overwritten multiple times with random zeros and ones, but there are times when such measures are not necessary. When is that?
Overwriting is done by writing zeros or random characters over the data. Overwriting is not possible on damaged media.
#15. Jared plays a role in the company’s data classification system. In this role, he must use extreme caution when accessing data, ensure that data is used only in accordance with authorized policies, and follow the rules set for data classification. He does not determine, maintain, or evaluate controls. What is Jared’s role?
〇:Data User
An individual who uses data for work-related tasks is a data user. Users must have the necessary level of access to data to perform their job duties. They are also responsible for adhering to operational security procedures to ensure the confidentiality, integrity, and availability of the data to others. This means that users must take appropriate precautions and follow both security policies and data classification rules.
×:Data Owners
This is incorrect because the data owner has a higher level of responsibility in protecting the data. The data owner is responsible for classifying the data, regularly reviewing the classification level, and delegating responsibility for the data protection position to the data controller. The data owner is usually a manager or executive within the organization and is responsible for the protection of the company’s information assets.
×:Data Controller
Incorrect, as the data controller is responsible for implementing and maintaining security controls as directed by the data owner. In other words, the data controller is the technician of the controls that protect the data. Her duties include creating backups, restoring data, implementing and maintaining countermeasures, and managing controls.
×:Information Systems Auditor
Incorrect, as they are responsible for evaluating controls. After evaluating the controls, the auditor submits a report to management, mapping the results to the organization’s acceptable level of risk. This has nothing to do with using data or being meticulous in the use of data.
#16. Michael is to develop a data classification program. Which of the following is an appropriate first step?
There is an unfamiliar term here: data classification program. The question is not asking for a dictionary definition of the term. You want to classify data; what do you do to achieve that? What is the first step in that process? Since you are being asked about the “first step,” you can answer by putting the options in order and choosing the first one. Do not search your memory for a definition of “data classification”; think of the process flow of data classification and recall the name of its first step.
In order, you might go from understanding the level of protection you need to provide, to specifying the data classification criteria, to determining the protection mechanisms for each classification level, to identifying the data controller. Whatever you do, the first step should be investigation. Then the problem is defined and the best answer is derived, which is the general way of solving such a problem.
#17. Sam plans to establish cell phone service using personal information stolen from his former boss. What type of identity theft is this?
〇:Identity Theft
Identity theft is a situation in which a person obtains important personal information, such as driver’s license numbers, bank account numbers, identification cards, or social security numbers, and uses that information to impersonate another person. Typically, identity thieves use personal information to obtain credit, goods, or services in the victim’s name. This can have consequences such as destroying the victim’s credit rating, creating a false criminal record, and issuing an arrest warrant to the wrong individual. Identity theft can be categorized in two ways: true name and account takeover. True name identity theft means that the thief uses your personal information to open a new account. The thief might open a new credit card account, establish cell phone service like Sam’s, or open a new checking account to obtain blank checks.
×:Phishing Scams
Incorrect because it is a type of social engineering attack intended to obtain personal information, letters of credit, credit card numbers, and financial data. Attackers use a variety of methods to entice users to divulge sensitive data. While the goal of phishing scams is to get victims to hand over their personal information, the goal of identity theft is to use that personal information for personal or financial gain. Attackers can use phishing attacks as a means of committing identity theft.
Since the specific technique is not described in the question text, it cannot be said to be a phishing scam.
×:Pharming
Incorrect, as this is a technical attack in which the victim is deceived into submitting personal information to the attacker via a fraudulent website. The victim types a web address such as “www.nicebank.com” into their browser. The victim’s system sends a request to a compromised DNS server that directs the victim to a website under the attacker’s control. The site looks like the requested website, and the user enters his or her personal information. The attacker can then use that personal information for identity theft.
We cannot say that this is pharming because the specific technique is not described in the question text.
×:Account takeover
Account takeover identity theft is incorrect because it means using personal information to access a person’s existing account rather than opening a new account. Typically, the mailing address on the account is changed and large charges are run up before the person whose account was stolen becomes aware of the problem. The Internet has made it easier for identity thieves to use stolen information because they can conduct transactions without personal interaction.
#18. Which of the following are possible standards used for credit card payments?
〇:PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is a framework for preventing leakage of personal (cardholder) information in electronic payments. Therefore, the correct answer is “PCI DSS.”
By the way, if you were to ask, “Which of the following are possible?” I am tempted to argue that other frameworks may be used as well. However, in the CISSP exam, you may have to choose “the most plausible” option in some cases. Therefore, we have used this phrase.
×:HITECH
The Health Information Technology for Economic and Clinical Health Act (HITECH) is an enhanced version of HIPAA that applies not only to data management but also to health care business associates.
×:OCTAVE
OCTAVE is one of the risk assessment frameworks introduced by CERT.
×:COBIT
COBIT is a framework for measuring the maturity of a company’s IT governance. It was proposed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).
#19. Which of the following is NOT a factor in determining the sensitivity of data confidentiality?
〇:How the data is used
How data is used does not affect how sensitive it is. In other words, data is just as sensitive no matter how it is used, even if it is not used at all.
×:Identifying who needs access to the data
Wrong. Data classification criteria must take very directly into account who needs access to the data and the clearance level they need in order to see sensitive data. If data is classified at too high a level, legitimate users will not have access. If it is classified at too low a level, an unauthorized user may access the data.
×:Value of the data
This is incorrect because the intrinsic value of the data directly determines the degree of protection. This is determined by its classification. This is true regardless of whether the prioritization must be confidentiality, integrity, or availability.
×:The level of damage that could occur if the data were disclosed.
This is erroneous because the degree of damage that disclosure, modification, or destruction of the data would cause is directly related to the level of protection that must be provided.
#20. Which of the following is not essential in information lifecycle management?
〇:Database Migration
The movement of accessible data from one repository to another may be required over its lifetime, but is generally not as important as the other phases provided in response to this question.
×:Data specification and classification
This is incorrect because the determination of what the data is and its classification is the first essential phase that can provide the appropriate level of protection.
×:Continuous monitoring and auditing of data access
Incorrect because without continuous monitoring and auditing of access to sensitive data, breaches cannot be identified and security cannot be guaranteed.
×:Data Archiving
Incorrect as even the most sensitive data is subject to retention requirements. This means that it must be archived for an appropriate period of time and with the same level of security as during actual use.