CISSP - Asset Security Mock

For our servers, we are using Random Access Memory (RAM). What is one of the KEY FEATURES of RAM?

Options are :

  • Flash memory.
  • Volatile. (Correct)
  • Predictive.
  • Non-volatile.

Answer : Volatile.

Explanation RAM (Random Access Memory) is volatile memory. It loses the memory content after a power loss (or within a few minutes). This can be memory sticks or embedded memory.

Which type of Random Access Memory (RAM) could be embedded in the Central Processing Unit (CPU)?

Options are :

  • SDRAM.
  • DDR SDRAM.
  • DRAM.
  • SRAM. (Correct)

Answer : SRAM.

Explanation SRAM (Static RAM): fast and expensive. It uses latches (flip-flops) to store bits and does not need refreshing to keep data; it keeps data until power is lost. It can be embedded on the CPU.

We are getting 50 old spinning disk hard drives. What would we use on the damaged ones to ensure there is NO data remanence, but where we need the drive to stay intact?

Options are :

  • Format.
  • Overwrite.
  • Shred.
  • Degauss. (Correct)

Answer : Degauss.

Explanation Degaussing should ensure no data remanence; we can't overwrite or format a damaged drive, and shredding would not leave the drive intact.

We have many different types of memory. Which type is volatile?

Options are :

  • PROM.
  • Flash Memory.
  • DRAM. (Correct)
  • EEPROM.

Answer : DRAM.

Explanation RAM (Random Access Memory) is volatile memory. It loses the memory content after a power loss or within a few minutes. ROM (Read Only Memory) is nonvolatile; it retains memory after power loss.

To ensure we have proper layered defense, we have implemented a clean desk policy. Which of these should be part of that?

Options are :

  • Cleaning your desk of all the clutter.
  • Full disk encryption on your hard disk.
  • Lock sensitive paper records away as soon as we are done with it. (Correct)
  • Picking up anything you print as soon as you print it.

Answer : Lock sensitive paper records away as soon as we are done with it.

Explanation As part of a clean desk policy we should lock sensitive paperwork away as soon as we are done with it for the day.

In the US government data classification scheme, data that, if disclosed, could cause damage to national security is classified as?

Options are :

  • Top Secret.
  • Unclassified.
  • Confidential. (Correct)
  • Secret.

Answer : Confidential.

Explanation Confidential information is information that, if compromised, could cause damage to national security.

What would we do during the e-discovery process?

Options are :

  • Delete data that has been requested if the retention period has expired.
  • Make sure we keep data long enough in our retention policies for us to fulfil the legal requirements for our state and sector.
  • Discover all the electronic files we have in our organization.
  • Produce electronic information to our internal legal team who will present it in court. (Correct)

Answer : Produce electronic information to our internal legal team who will present it in court.

Explanation e-Discovery or Discovery of electronically stored information (ESI) is the process of producing all relevant documentation to our legal counsel, who will then present it in court, or to external attorneys in a legal proceeding.

In our technology refresh cycle we need to dispose of old hardware. What would we do for proper data disposal of SSD drives if we need to keep the drives intact?

Options are :

  • Overwriting. (Correct)
  • Formatting.
  • Deleting all files.
  • Degaussing.

Answer : Overwriting.

Explanation SSD drives can't be degaussed, and formatting or deleting the files only removes the file structure; most if not all files are recoverable. We would need to overwrite all the data with random 0s and 1s.

In our data roles and responsibilities, the business owner is responsible for which of these?

Options are :

  • Make the policies, procedures and standards that govern our data security. (Correct)
  • Be trained in the policies, procedures and standards.
  • Assign the sensitivity labels and backup frequency of the data.
  • Perform the backups and restores.

Answer : Make the policies, procedures and standards that govern our data security.

Explanation Mission/Business Owner: Senior executives make the policies that govern our data security.

Which of these would NOT have any data remanence after the system has been completely disconnected from power for 10 minutes?

Options are :

  • Tapes.
  • Read only memory.
  • Random access memory. (Correct)
  • Hard disks.

Answer : Random access memory.

Explanation RAM (Random access memory) loses its contents, and with it any data remanence, within a few seconds to a few minutes after the loss of power.

Jane is using an industry framework to help her team to do self-directed risk management. Which framework is Jane using?

Options are :

  • FRAP.
  • COBIT.
  • OCTAVE. (Correct)
  • COSO.

Answer : OCTAVE.

Explanation OCTAVE® - Operationally Critical Threat, Asset, and Vulnerability Evaluation: Self-Directed Risk Management.

In our organization we do not own a degausser or disk crusher. What should we do with our old hard disks when we need to dispose of them?

Options are :

  • We can pay another company to do it. (Correct)
  • Since we have no means of destroying them, we have done our due care and we can recycle them with the rest of the electronic waste.
  • We can overwrite all the functional disks and the rest we can ignore since they are damaged anyways.
  • We can throw them in a lake or the ocean.

Answer : We can pay another company to do it.

Explanation If we do not have the means for proper data destruction, we can pay another company to do so. They obviously have to be licensed to do so and adhere to all our security policies.

Where would be somewhere we would have data at rest?

Options are :

  • Traversing our network or the internet.
  • On our storage devices. (Correct)
  • In an unsecured box.
  • In memory.

Answer : On our storage devices.

Explanation Data at Rest (stored data): this is data on disks, tapes, CDs/DVDs and USB sticks. We use disk encryption (full/partial), USB encryption and tape encryption (avoid CDs/DVDs). Encryption can be hardware- or software-based.

One of the senior directors at your organization has asked what data mining is. Which of these would be the BEST answer to give him?

Options are :

  • The data's use.
  • The data content. (Correct)
  • Data remanence.
  • How long we keep the data.

Answer : The data content.

Explanation We do appropriate data mining on the data.

In the US government's data classification scheme, what would data that, "if disclosed, could cause serious damage to national security", be classified as?

Options are :

  • Top Secret.
  • Secret. (Correct)
  • Unclassified.
  • Confidential.

Answer : Secret.

Explanation Secret information is information that, if compromised, could cause serious damage to national security.

Which of these would be something we do during the e-discovery process?

Options are :

  • Discover all the electronic files we have in our organization.
  • Delete data that has been requested if the retention period has expired.
  • Produce electronic information to internal or external attorneys or legal teams. (Correct)
  • Make sure we keep data long enough in our retention policies for us to fulfil the legal requirements for our state and sector.

Answer : Produce electronic information to internal or external attorneys or legal teams.

Explanation e-Discovery or Discovery of electronically stored information (ESI) is the process of producing all relevant documentation and data to a court or external attorneys in a legal proceeding.

Our organization has a lot of different and diverse leadership. Who is responsible for the day-to-day leadership?

Options are :

  • The CFO
  • The CEO. (Correct)
  • The CIO.
  • The CSO.

Answer : The CEO.

Explanation The Chief Executive Officer is responsible for the day-to-day leadership of the organization; the board may provide the direction.

When we apply standards and frameworks, we can use tailoring to do what?

Options are :

  • To implement the full standard or framework, but implement different standards in some areas. (Correct)
  • To pick and choose which parts of the standard or framework we want to implement.
  • Find out how much the implementation will cost us.
  • To see if the standard is a good fit for our organization.

Answer : To implement the full standard or framework, but implement different standards in some areas.

Explanation Tailoring is customizing a standard to your organization: we apply the standard as a whole, but in some areas we use a stronger control, for example stronger encryption (AES 256-bit).

Which of these is a COMMON attack on our data "in use"?

Options are :

  • Cryptanalysis.
  • Eavesdropping.
  • All of these.
  • Shoulder surfing. (Correct)

Answer : Shoulder surfing.

Explanation Data in Use (we are actively using the files/data; it can't be encrypted). Use good practices: a clean desk policy, a print policy, allowing no 'shoulder surfing', perhaps a view-angle privacy screen for monitors, and locking the computer screen when leaving the workstation.

We have chosen to use multiple types of data destruction on our sensitive data. Why would we do that?

Options are :

  • To ensure data is still accessible after the destruction.
  • Because it is easier than just a single type of data destruction.
  • To make sure we have the old drives available.
  • To ensure there is no data remanence. (Correct)

Answer : To ensure there is no data remanence.

Explanation It is common to do multiple types of data destruction on sensitive data (both degaussing and disk crushing/shredding). While it may not be necessary, it is a lot cheaper than a potential $1,000,000 fine or loss of proprietary technology or state secrets.

Which of these would NOT be an acceptable form of dealing with remanence?

Options are :

  • Degaussing.
  • Disk shredding.
  • Deleting files. (Correct)
  • Overwriting.

Answer : Deleting files.

Explanation Deleting a file just removes its entry from the file system's table; the data itself is still recoverable.

An attacker has stolen one of our backup tapes. What could prevent the data on the tape from being accessible?

Options are :

  • Proper data storage.
  • Proper data handling.
  • Proper data encryption. (Correct)
  • Proper data retention.

Answer : Proper data encryption.

Explanation Proper encryption can prevent data compromise even if the physical tape is lost. This obviously requires that the encryption is strong enough.

Which of these should NOT be part of a data retention policy?

Options are :

  • Which data do we keep?
  • How long do we keep the data?
  • Where do we keep the backup data?
  • Which backup system we use for backing our data up. (Correct)

Answer : Which backup system we use for backing our data up.

Explanation A backup policy would address which systems and media we would use, the retention policy would only deal with what, how long, where and similar topics.

What are we trying to get rid of when we do our data disposal?

Options are :

  • The data content.
  • How long we keep the data.
  • Data remanence. (Correct)
  • The data in use.

Answer : Data remanence.

Explanation When we dispose of our data media we are making sure there is no data remanence on our hard disks, tapes, etc.

We need to get rid of some old hard drives, and we need to ensure proper data disposal and no data remanence. Which of these options has NO known tools that can restore the data, once that specific disposal process has been used?

Options are :

  • Deleting files.
  • Overwriting. (Correct)
  • Formatting the hard drive.
  • Installing a new OS over the old one.

Answer : Overwriting.

Explanation We can still recover files from deleted, formatted or reinstalled drives. Overwriting is done by writing 0s or random characters over the data. As far as we know there is no tool available that can recover data after even single-pass overwriting (not possible on damaged media).

Which of these would be something we can implement to better protect our data in use? (Select all that apply).

Options are :

  • Workstation locking. (Correct)
  • View angle privacy screen for monitors. (Correct)
  • Encryption.
  • Clean desk policy. (Correct)
  • Print policy. (Correct)

Answer : Workstation locking. View angle privacy screen for monitors. Clean desk policy. Print policy.

Explanation Data in Use (we are actively using the files/data; it can't be encrypted). Use good practices: a clean desk policy, a print policy, allowing no 'shoulder surfing', perhaps a view-angle privacy screen for monitors, and locking the computer screen when leaving the workstation.

We are implementing some new standards and frameworks in our organization. We chose to use scoping on one of the standards we are implementing. What does scoping mean?

Options are :

  • To implement the full standard or framework, but implement higher standards in some areas.
  • To pick and choose which parts of the standard or framework we want to implement. (Correct)
  • To see if the standard is a good fit for our organization.
  • To find out how much the implementation will cost us.

Answer : To pick and choose which parts of the standard or framework we want to implement.

Explanation Scoping is determining which portion of a standard we will deploy in our organization. We take the portions of the standard that we want or that apply to our industry, and determine what is in scope and what is out of scope for us.

When we are talking about the different states of data, where would we have data in use?

Options are :

  • In memory. (Correct)
  • In an unsecured box.
  • On our storage devices.
  • Traversing our network or the internet.

Answer : In memory.

Explanation Data in Use (we are actively using the files/data; it can't be encrypted). Use good practices: a clean desk policy, a print policy, allowing no 'shoulder surfing', perhaps a view-angle privacy screen for monitors, and locking the computer screen when leaving the workstation. We would also use disk encryption for workstations: when a workstation is locked or shut off the data is still there, and if it is not encrypted someone can steal a laptop and access our data.

How can we safely dispose of damaged SSD drives and ensure there is no data remanence?

Options are :

  • Formatting.
  • All of these.
  • Shredding. (Correct)
  • Overwriting.

Answer : Shredding.

Explanation SSD drives: formatting just deletes the file structure; most if not all files are recoverable. Since the drive is damaged we can't overwrite it, so we would need to rely on shredding it.

Which of these would be something we would consider for proper data disposal of SSD drives?

Options are :

  • Shredding. (Correct)
  • Formatting.
  • Deleting all files.
  • Degaussing.

Answer : Shredding.

Explanation SSD drives can't be degaussed, and formatting or deleting the files only removes the file structure; most if not all files are recoverable. We would need to shred the SSD drives.

When assigning sensitivity to our data, which of these should NOT be a factor?

Options are :

  • What the data is worth.
  • How bad a data exposure would be.
  • Who will have access to the data.
  • How the data will be used. (Correct)

Answer : How the data will be used.

Explanation Who will access it, the value of the data and how impactful a disclosure would be should all factor into our sensitivity labels; how we use the data should not.

We have added logs to our backup servers to see which of our employees is accessing which data. What is this an example of?

Options are :

  • Proper data encryption.
  • Proper data storage.
  • Proper data retention.
  • Proper data handling. (Correct)

Answer : Proper data handling.

Explanation Data Handling: Only trusted individuals should handle our data; we should also have policies on how, where, when, why the data was handled. Logs should be in place to show these metrics.

As part of our data disposal process, we overwrite all of the disks multiple times with random 0s and 1s. Sometimes that is NOT an option. When would that be?

Options are :

  • When it involves SSD drives.
  • When it involves spinning disk hard drives.
  • When the disk is still in the system.
  • When the disk is damaged. (Correct)

Answer : When the disk is damaged.

Explanation Overwriting is done by writing 0s or random characters over the data. As far as we know, there is no tool available that can recover data after even single-pass overwriting (not possible on damaged media).

We are making our procedures on proper use and disposal of SSD drives. Which types of memory are they made of?

Options are :

  • EEPROM and DRAM. (Correct)
  • EPROM and DRAM.
  • Spinning disk.
  • PROM.

Answer : EEPROM and DRAM.

Explanation An SSD is a combination of flash memory (EEPROM) and DRAM.

Senior leadership has approved the use of flash drives. Which type of memory do they use?

Options are :

  • DRAM.
  • PROM.
  • SDRAM.
  • EEPROM. (Correct)

Answer : EEPROM.

Explanation Flash Memory: Small portable drives (USB sticks are an example); they are a type of EEPROM.

Using Mandatory Access Control (MAC), we would use clearance for assigning which of these?

Options are :

  • Authorization. (Correct)
  • Availability.
  • Authentication.
  • Auditing.

Answer : Authorization.

Explanation The level of clearance determines what a subject is authorized to access.

When collecting personal information about our employees and customers, how much should we collect?

Options are :

  • Nothing.
  • The least amount possible for us to do what we need to. (Correct)
  • Everything they enter as well as everything we can find online.
  • As much as possible.

Answer : The least amount possible for us to do what we need to.

Explanation When collecting personal data we need to collect just enough to do what we need to and no more; a majority of countries in the world have laws with verbiage to this effect.

What would we do during the e-discovery process?

Options are :

  • Discover all the electronic files we have in our organization.
  • Ensure we keep data preserved and safe, even if it is past the data's retention period. (Correct)
  • Delete data that has been requested if the retention period has expired.
  • Make sure we keep data long enough in our retention policies for us to fulfil the legal requirements for our state and sector.

Answer : Ensure we keep data preserved and safe, even if it is past the data's retention period.

Explanation e-Discovery or Discovery of electronically stored information (ESI) is the process of producing all relevant documentation to our legal counsel, who will then present it in court, or to external attorneys in a legal proceeding. We need to ensure data is kept past the retention date if it could be relevant to the case.

Which of these is one of the data owner’s responsibilities?

Options are :

  • Make the policies, procedures and standards that govern our data security.
  • Assign the sensitivity labels and backup frequency of the data. (Correct)
  • Perform the backups and restores.
  • Be trained in the policies, procedures and standards.

Answer : Assign the sensitivity labels and backup frequency of the data.

Explanation Data/Information Owner: Management level, they assign sensitivity labels and backup frequency. This could be you or a Data Owner from HR, Payroll or other departments.

We keep our backup data for as long as the information is usable or if we are required to by law, standards, or regulations. What is this an example of?

Options are :

  • Proper data storage.
  • Proper data handling.
  • Proper data encryption.
  • Proper data retention. (Correct)

Answer : Proper data retention.

Explanation Data Retention: Data should not be kept beyond the period of usefulness or beyond the legal requirements (whichever is greater).

When a system has been certified, what does that mean?

Options are :

  • It has met the data owner's security requirements. (Correct)
  • The data owner has accepted the certification and the residual risk, which is required before the system is put into production.
  • It has met the data steward's security requirements.
  • The data steward has accepted the certification and the residual risk, which is required before the system is put into production.

Answer : It has met the data owner's security requirements.

Explanation Certification is when a system has been certified to meet the security requirements of the data owner. Certification considers the system, the security measures taken to protect the system, and the residual risk represented by the system.

We have many policies we need to adhere to in our organization. Which of these would be part of our clean desk policy?

Options are :

  • Cleaning your desk of all the clutter.
  • Picking up anything you print as soon as you print it.
  • Minimal use of paper copies and only used while at the desk and in use. (Correct)
  • Shred all paper copies of everything.

Answer : Minimal use of paper copies and only used while at the desk and in use.

Explanation As part of a clean desk policy we should only use paper copies of sensitive data when strictly needed.

We are getting rid of a pile of old hard drives. Which of these would we use on the regular spinning disk drives, to ensure there is no data remanence?

Options are :

  • All of these. (Correct)
  • Degauss.
  • Shred.
  • Overwrite.

Answer : All of these.

Explanation With regular spinning disk hard drives, degaussing, overwriting and shredding are all good options. Often more than one of them is used just to be sure.

Which of these is a COMMON attack against data in motion?

Options are :

  • Screen scrapers.
  • MITM. (Correct)
  • BCP.
  • Stealing unencrypted laptops.

Answer : MITM.

Explanation Man-in-the-middle (MITM) attacks are common attacks on our data as it traverses the internet.

Different types of memory are made for specific tasks and functions in our hardware. Which of these are types of nonvolatile memory? (Select all that apply).

Options are :

  • SRAM (Static RAM)
  • PLD (Programmable logic devices) (Correct)
  • DRAM (Dynamic RAM)
  • EEPROM (Electrically erasable programmable read only memory) (Correct)
  • ROM (Read Only Memory) (Correct)

Answer : PLD (Programmable logic devices) EEPROM (Electrically erasable programmable read only memory) ROM (Read Only Memory)

Explanation ROM (Read Only Memory) is nonvolatile (it retains memory after power loss). EEPROM (Electrically erasable programmable read only memory) is electrically erasable; it can be rewritten with a flashing program, yet is still called read only. The ability to write to the BIOS is what makes it vulnerable to attackers. PLDs (Programmable logic devices) are programmable after they leave the factory (EPROM, EEPROM and flash memory); PROM is not.

We want to ensure there is no data remanence when we dispose of our old hard disks. When we overwrite a hard disk, what does the overwrite program do?

Options are :

  • Writes random letters over used sections of the disk.
  • Writes 0's over all the sectors with active data on it.
  • Writes 0's over all the sectors. (Correct)
  • Writes random numbers over all the sectors.

Answer : Writes 0's over all the sectors.

Explanation Overwriting is done by writing 0s or random characters over the data. As far as we know there is no tool available that can recover data after even single-pass overwriting (not possible on damaged media).

Which of these COMMON frameworks focuses on Information Technology Service Management (ITSM)?

Options are :

  • ITIL. (Correct)
  • PCI-DSS.
  • COSO.
  • COBIT.

Answer : ITIL.

Explanation ITIL (Information Technology Infrastructure Library) focuses on IT Service Management (ITSM).

Looking at our data management, what is the user's role?

Options are :

  • Make the policies, procedures and standards that govern our data security.
  • Perform the backups and restores.
  • Assign the sensitivity labels and backup frequency of the data.
  • Be trained in the policies, procedures and standards. (Correct)

Answer : Be trained in the policies, procedures and standards.

Explanation Users: these are the users of the data. They must receive awareness training; they need to know what is acceptable and what is not acceptable, and the consequences for not following the policies, procedures and standards.

Which of these is something that does NOT belong in our data retention policy?

Options are :

  • How long do we keep the data?
  • Which data do we keep?
  • How to restore safely from backup tape. (Correct)
  • Where do we keep the backup data?

Answer : How to restore safely from backup tape.

Explanation How to restore would be covered by a DRP or a walkthrough; the retention policy would only deal with what, how long, where and similar topics.

When assigning sensitivity to our data, which of these should NOT be a factor?

Options are :

  • How bad a data exposure would be.
  • Where we will store the data. (Correct)
  • What the data is worth.
  • Who will have access to the data.

Answer : Where we will store the data.

Explanation Who will access it, the value of the data and how impactful a disclosure would be should all factor into our sensitivity labels; where we store the data should not. If it is sensitive, it should be stored in an appropriate location.

As part of our hardware disposal and no data remanence policy, we are getting rid of a pile of hard drives. What would we use on the damaged SSD drives to ensure there is NO data remanence?

Options are :

  • Format.
  • Incinerate. (Correct)
  • Degauss.
  • Overwrite.

Answer : Incinerate.

Explanation We can't degauss SSDs, formatting does nothing, and we can't overwrite the drive since it is damaged; the only option of the four is to incinerate the drive.
