CISSP - Asset Security Mock

Where would we store the Basic Input/Output System (BIOS)?

Options are :

  • Non-volatile memory. (Correct)
  • Flash memory.
  • Referential memory.
  • Volatile memory.

Answer : Non-volatile memory.

Explanation The BIOS on a computer, router or switch is the low-level operating system and configuration. The firmware is stored on a non-volatile embedded device like PROM, EPROM or EEPROM.

When we are talking about data remanence, what does that refer to?

Options are :

  • Data we are actively using and therefore can't encrypt.
  • Files saved locally and not on a remote storage device.
  • All the data on our systems.
  • Data left over after normal removal and deletion. (Correct)

Answer : Data left over after normal removal and deletion.

Explanation Data Remanence: Data left over after normal removal and deletion of data.

Looking at the data classification classes of the US government: data that, if disclosed, won't cause any harm to national security, would be classified as?

Options are :

  • Unclassified. (Correct)
  • Common knowledge.
  • Secret.
  • Unregulated.

Answer : Unclassified.

Explanation Unclassified information isn't sensitive, and unauthorized disclosure won't cause any harm to national security.

Using EEPROM makes work easier for our IT staff. What is one of the dangers associated with it?

Options are :

  • Flashing with a UV light can damage your eyes.
  • There are no dangers, it is completely safe.
  • Since it is programmable, attackers can attack it. (Correct)
  • Anyone can easily access it.

Answer : Since it is programmable, attackers can attack it.

Explanation EEPROM (Electrically Erasable Programmable Read Only Memory) is electrically erasable: it can be rewritten with a flashing program, yet it is still called read-only. The ability to write to the BIOS makes it vulnerable to attackers.

Which of these types of data destruction would we use to ensure there is no data remanence on our PROM, flash memory, and SSD drives?

Options are :

  • Formatting.
  • Overwriting.
  • Shredding. (Correct)
  • Degaussing.

Answer : Shredding.

Explanation We can't overwrite, format or degauss PROM. The only way to ensure destruction is shredding.

When our organization is using mandatory access control, what would subjects have?

Options are :

  • Labels.
  • Objects.
  • Assets.
  • Clearance. (Correct)

Answer : Clearance.

Explanation Subjects have clearance assigned to them: a formal decision on a subject's current and future trustworthiness. The higher the clearance, the more in-depth the background checks should be (always in the military, not always in business).

Which of these could be a COMMON attack on our data in motion?

Options are :

  • Shoulder surfing.
  • Cryptanalysis.
  • Eavesdropping. (Correct)
  • All of these.

Answer : Eavesdropping.

Explanation Data in motion is data being transferred over a network. We encrypt our network traffic with end-to-end encryption, on both internal and external networks.

In designing our data retention policy, which of these should NOT be a consideration?

Options are :

  • How to safely destroy the data after the retention has expired? (Correct)
  • How long do we keep the data?
  • Which data do we keep?
  • Where do we keep the backup data?

Answer : How to safely destroy the data after the retention has expired?

Explanation A data destruction policy would address how we deal with data that is no longer needed; the retention policy would only deal with what we keep, for how long, where, and similar topics.

Bob is working on updating our data destruction policy for senior management's approval. Which of these would be some of the things he could include to ensure NO data remanence on spinning disk drives? (Select all that apply).

Options are :

  • Degaussing the disk. (Correct)
  • Overwriting the disk with all 0s. (Correct)
  • Deleting all the files on the disk.
  • Formatting the disk.
  • Shredding the disk. (Correct)
  • Crushing the disk. (Correct)

Answer : Degaussing the disk. Overwriting the disk with all 0s. Shredding the disk. Crushing the disk.

Explanation Degaussing, shredding, overwriting and crushing could all be part of our spinning disk data destruction policy. We would often do more than one of them. If we format the drive or delete the files, the data would still be recoverable; that is NOT proper data destruction.

When using the formal approval process, what is required to access data?

Options are :

  • Permission from the data owner.
  • Higher clearance than the object requires and data owner approval.
  • Appropriate clearance.
  • Appropriate clearance and data owner approval. (Correct)

Answer : Appropriate clearance and data owner approval.

Explanation Formal access approval is a document from the data owner approving access to the data for the subject. The subject must understand all requirements for accessing the data and the liability involved if it is compromised, lost or destroyed. Appropriate security clearance is required as well as the formal access approval.

Who is responsible for the day-to-day IT operations of our organization?

Options are :

  • The CSO.
  • The CEO.
  • The CFO.
  • The CIO. (Correct)

Answer : The CIO.

Explanation The Chief Information Officer oversees and is responsible for the day-to-day technology operations of an organization.

Which of these is a personally identifiable indicator protected under the HIPAA rules?

Options are :

  • All of these. (Correct)
  • Zip code.
  • Name.
  • License plate.

Answer : All of these.

Explanation Under the US Health Insurance Portability and Accountability Act (HIPAA), PHI that is linked based on the following list of 18 identifiers must be treated with special care:

1. Names.
2. All geographical identifiers smaller than a state.
3. Dates (other than year).
4. Phone numbers.
5. Fax numbers.
6. Email addresses.
7. Social Security numbers.
8. Medical record numbers.
9. Health insurance beneficiary numbers.
10. Account numbers.
11. Certificate/license numbers.
12. Vehicle identifiers and serial numbers, including license plate numbers.
13. Device identifiers and serial numbers.
14. Web Uniform Resource Locators (URLs).
15. Internet Protocol (IP) address numbers.
16. Biometric identifiers, including finger, retinal and voice prints.
17. Full face photographic images and any comparable images.
18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data.

We want to erase EPROM memory to update to the latest firmware. How would we do that?

Options are :

  • It can't be erased once it has been written.
  • Taking the chip out of the motherboard and degaussing it.
  • We can use programs to erase the content.
  • Shine a UV light on the chip. (Correct)

Answer : Shine a UV light on the chip.

Explanation EPROM (Erasable Programmable Read Only Memory) can be erased (flashed) and written many times by shining an ultraviolet light on a small window on the chip (normally covered by foil).

We are looking at the data we send over our network. What we send determines our security posture. Which of these is NOT considered PII?

Options are :

  • IP address. (Correct)
  • Birthday.
  • Address.
  • Marital status.

Answer : IP address.

Explanation PII is any information about an individual that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

For which type of data would we want to use end-to-end encryption?

Options are :

  • Data in use.
  • All of these.
  • Data at rest.
  • Data in motion. (Correct)

Answer : Data in motion.

Explanation Data in motion is data being transferred over a network. We encrypt our network traffic with end-to-end encryption, on both internal and external networks.

Which of these should NOT be part of our proper hardware disposal procedures?

Options are :

  • Deleting all files on the hard drive. (Correct)
  • Degaussing.
  • Overwriting all bits on the disks with 0s.
  • Disk crushing.

Answer : Deleting all files on the hard drive.

Explanation Deleting a file just removes its entry from the file table; the data is still recoverable. Crushing, degaussing and overwriting should all make the data non-recoverable.

Which type of ROM can only be programmed once?

Options are :

  • EPROM.
  • APROM.
  • PROM. (Correct)
  • EEPROM.

Answer : PROM.

Explanation PROM (Programmable Read Only Memory) can only be written once, normally at the factory.

As part of our backup policy we are deciding on how long we should keep our backups. What should we base that decision on?

Options are :

  • Forever, we can never get rid of backup data.
  • 1 month, as long as we have a full backup of everything.
  • As long as it is useful or required, whichever is longer. (Correct)
  • All data is required to be kept 1 year.

Answer : As long as it is useful or required, whichever is longer.

Explanation Data Retention: Data should not be kept beyond the period of usefulness or beyond the legal requirements (whichever is greater).

Which of these would be something we should encrypt if we are dealing with sensitive data?

Options are :

  • Data sent over the network.
  • Backup tapes.
  • All of these. (Correct)
  • Hard disks.

Answer : All of these.

Explanation When dealing with sensitive data we want to encrypt as much as possible while still keeping data availability acceptable.

In building a new system, we need to ensure we protect the Protected Health Information (PHI) in accordance with the HIPAA standard. Which of these is protected under the HIPAA standard?

Options are :

  • IP addresses.
  • All of these. (Correct)
  • URLs.
  • Full dates.

Answer : All of these.

Explanation Under the US Health Insurance Portability and Accountability Act (HIPAA), PHI that is linked based on the following list of 18 identifiers must be treated with special care:

1. Names.
2. All geographical identifiers smaller than a state.
3. Dates (other than year).
4. Phone numbers.
5. Fax numbers.
6. Email addresses.
7. Social Security numbers.
8. Medical record numbers.
9. Health insurance beneficiary numbers.
10. Account numbers.
11. Certificate/license numbers.
12. Vehicle identifiers and serial numbers, including license plate numbers.
13. Device identifiers and serial numbers.
14. Web Uniform Resource Locators (URLs).
15. Internet Protocol (IP) address numbers.
16. Biometric identifiers, including finger, retinal and voice prints.
17. Full face photographic images and any comparable images.
18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data.

Which of these is NOT an acceptable form of dealing with remanence?

Options are :

  • Degaussing.
  • Overwriting.
  • Disk shredding.
  • Formatting. (Correct)

Answer : Formatting.

Explanation Formatting puts a new file structure over the old one; the data is still recoverable in most cases.

When physically storing sensitive data in a secure way, which of these has slots that staff can easily slip sensitive paperwork into?

Options are :

  • Vault.
  • Data center.
  • Depository. (Correct)
  • Wall safe.

Answer : Depository.

Explanation A depository is a safe with slots or an opening where staff can add sensitive physical data. Think of depositing money at the bank outside of its operating hours, using the envelopes at the ATMs.

We have 12 old servers that have been decommissioned. Each server had 4 hard drives. Which of these would NOT be an acceptable way for us to deal with remanence?

Options are :

  • Overwriting.
  • Disk shredding.
  • E-recycle as is. (Correct)
  • Degaussing.

Answer : E-recycle as is.

Explanation It is acceptable to e-recycle hardware after it has been shredded, degaussed and/or overwritten, not before.

Which of these is a COMMON attack against data at rest?

Options are :

  • Keyloggers.
  • MITM.
  • Stealing unencrypted laptops. (Correct)
  • Screen scrapers.

Answer : Stealing unencrypted laptops.

Explanation If we do not encrypt our laptops, which use data from our database, they are a very good attack vector for someone wanting to steal our data.

If our organization has role-based access control and need-to-know policies, which of these actions is allowed?

Options are :

  • Accessing your colleagues' payroll data to see how much they get paid.
  • Accessing data you need to do your job. (Correct)
  • Browsing around random data to just see what it contains.
  • Accessing data you don't need to do your job.

Answer : Accessing data you need to do your job.

Explanation Role-based access control assigns access to roles; with added need-to-know, just because you have access does not mean you are allowed to view the data. You need a valid reason for accessing it. If you do not have one, you can be terminated, sued, jailed or fined.

Jane is explaining the different states of data to an executive. Where would you find data at rest? (Select all that apply).

Options are :

  • Traversing our network.
  • On a hard disk. (Correct)
  • In use on a workstation.
  • On our routers.
  • On a CD. (Correct)
  • On tapes. (Correct)

Answer : On a hard disk. On a CD. On tapes.

Explanation Data at rest is stored data: data on disks, tapes, CDs/DVDs, USB sticks, etc. We use disk encryption (full or partial), USB encryption and tape encryption (and avoid CDs/DVDs).

Who is responsible for the financial day-to-day leadership of our organization?

Options are :

  • The CEO.
  • The CSO.
  • The CIO.
  • The CFO. (Correct)

Answer : The CFO.

Explanation The Chief Financial Officer is responsible for the organization's accounting and financial activities.

When our data is in use, we must choose different types of countermeasures to ensure our data is safe. Which of these is a COMMON attack against dat