Domain 2 CISSP Exam:Asset Security

Explanation: Employee personal information is considered sensitive data as it raises the risk to the organization if lost or disclosed. This type of data should be classified and protected accordingly.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 168 in PDF)

Explanation: Identifying and classifying information assets allows for an organization to determine which assets are more valuable than others, and which assets require additional security controls. Without this knowledge, a security program would be inefficient and costly, securing all assets equally and assuming that sensitive assets are located all over the organization when they may not be. Identifying and classifying assets helps differentiate the security approaches for each of them.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 165 in PDF)

Explanation: The data owner plays a central role in the declassification process of assets, as they determine the classification level of the data and when it can change. They are responsible for determining whether there will be a manual review adjustment of data classifications and may also opt to automate the process using rules and applications to find and reclassify data assets. Therefore, option B is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 177 in PDF)

Explanation: Both transport layer security (TLS) and virtual private networks (VPNs) are key encryption-based technologies that help secure data in transit. Transport layer security (TLS) is a protocol that provides communication security over the internet. Key internet applications such as email, web browsing, social media, and cloud services rely on TLS to secure communications. Virtual private networks (VPNs) use various protocols to securely connect remote offices or users to a private network using the internet.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 215 in PDF)

Explanation: FIPS Publication 199 provides standards for categorizing US federal information and information systems based on the level of concern for confidentiality, integrity, and availability. It sets out a standard for categorizing U.S. federal information and information systems according to a government agencys level of concern for confidentiality, integrity, and availability and the potential impact on agency assets and operations if information and information systems are compromised through unauthorized access, use, disclosure, disruption, modification, or destruction.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 222 in PDF)

Explanation: A reidentification key is required to decrypt the database that has been encrypted during the de-identification process. If re-identification is necessary, the authorized individuals can use the reidentification key to re-identify the data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 178 in PDF)

Explanation: According to the text, data classification is most appropriate to occur during the data collection or creation phase. It helps ensure that the right security controls are implemented from the beginning, and any decisions made during data collection follows your data throughout its lifecycle.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 196 in PDF)

Explanation: Anti-phishing guidelines that do not disclose specific results may be considered public information and can be appropriately shared outside the organization as mentioned in the text. Public data does not have a significant impact on the company if lost, disclosed, or modified.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 168 in PDF)

Explanation: Clearing involves digitally wiping data or overwriting it with zeros or ones, but this is considered the least effective method of data deletion and may allow data to be recovered.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 204 in PDF)

Explanation: Properly classifying assets based on accurate information is an example of providing due care in terms of asset management, as it shows that reasonable measures and efforts are being taken to protect assets deemed valuable or assigned sensitivity levels.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 192 in PDF)

Explanation: Proprietary data is data that is disclosed outside the company on a limited basis or contains information that could reduce the companys competitive advantage, such as the technical specifications of a new product.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 168 in PDF)

Explanation: A Reverse proxy CASB integrates with identity services, such as Okta, to force all traffic through the CASB for inline monitoring, which removes the need to individually install certificates on user endpoints but poses compatibility challenges for client-server applications that have hard-coded hostnames.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 228 in PDF)

Explanation: Step 5, Retain, is where data is kept (e.g., archived) for a predefined period of time.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 190 in PDF)

Explanation: Degaussing is a method of data sanitization that involves the destruction of data by exposing its storage media to a strong magnetic field, effectively erasing the data and returning it to its initial blank state.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 204 in PDF)

Explanation: NIST SP 800-53 Rev 5 is a catalog of security controls for all U.S. federal information systems except those related to national security, and is used by organizations to establish the baseline security controls, tailor security controls, and supplement security controls based on assessment of risk for the organization. This document is used to guide Federal agencies in selecting and specifying security controls for information systems under their control.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 221 in PDF)

Explanation: User-based data classification involves manual assignment of data classification based on users understanding of the data and the organizations classification scheme. It is a subjective approach and relies on the users knowledge and awareness of the data they are working with.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 167 in PDF)

Explanation: Asset inventory management is critical to the secure provisioning of IT resources because it enables an organization to identify and manage potential vulnerabilities. By maintaining an accurate inventory of IT assets, organizations can identify resources that need to be patched, updated, or replaced to reduce the risk of security incidents.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 180 in PDF)

Explanation: Under the GDPR, non-compliant organizations can face fines of up to €20 million ($22 million) or 4% of global annual turnover, whichever is greater. This is a significant increase compared to the maximum fine under the previous Data Protection Directive, which was €500,000.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 165 in PDF)

Explanation: Environmental controls that maintain proper conditions and help in suppressing a fire are examples of common physical controls. All computing equipment benefits from these controls irrespective of the asset types.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 218 in PDF)

Explanation: Purging includes methods such as degaussing, which is the destruction of data by exposing its storage media to a strong magnetic field.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 204 in PDF)

Explanation: NIST Special Publication (SP) 800-60 is a guidance document that provides a how-to manual for mapping types of information and information systems to security categories, which is related to FIPS 199. FIPS 199 is a standards document that defines security categories of information and information systems. Together, they provide guidance on how to categorize information and information systems based on their security impact levels.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 166 in PDF)

Explanation: Financial statements are usually classified as confidential since they contain sensitive, proprietary information regarding the financial status of the organization. The unauthorized exposure of such data can be detrimental to the organizational reputation and incur a significant financial loss.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 168 in PDF)

Explanation: Administrative controls are people-facing policies, procedures, standards, and guidelines that an organization uses to implement technical and physical controls. The sources of administrative controls can be laws and regulations, industry best practices, and organizational mandates. Administrative controls inform the organization on roles and responsibilities, proper information protection practices, and enforcement actions if controls are not followed.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 212 in PDF)

Explanation: A data retention program can help organizations avoid the costs associated with noncompliance, such as legal penalties and litigation fees. While some regulations may mandate seemingly excessive retention requirements, it may be more cost-effective to retain the data than to suffer the legal and financial consequences of noncompliance.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 206 in PDF)

Explanation: Technical controls use computer capabilities and automation to implement safeguards that defend against misuse or unauthorized access to valuable information. Access control systems that prevent unauthorized reading, writing, moving, or executing of assets, as well as filters that allow or restrict access to URLs, IP addresses, or the loading/execution of software are some examples of technical controls related to asset management.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 212 in PDF)

Explanation: The UK 10 Steps to Cyber Security is an example of a government-published advice document that is meant to help organizations focus on the main threats to reduce the greatest amount of risk. It is intended for UK organizations and is considered official. It is insufficient alone but is valuable in a portfolio of security controls to make up the baseline control set.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 220 in PDF)

Explanation: A CASB aims to provide insight into an organizations cloud usage, including which users use which cloud applications, and which devices are used to connect to cloud resources. CASBs can also help detect, monitor, and secure shadow IT, and provide threat protection against insider threats. Additionally, they help organizations demonstrate compliance with regulatory requirements like GDPR, HIPAA, and PCI DSS. Therefore, option B is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 227 in PDF)

Explanation: The scoping and tailoring process is done to modify the set of security controls to meet the specific characteristics and requirements of the organization. This helps to eliminate unnecessary requirements and to incorporate compensating controls based on organizational variables. The purpose is not to randomly remove or alter security controls for convenience, to implement all controls in a framework without questioning their applicability, or to leave the controls as they are without any modifications.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 216 in PDF)

Explanation: The primary purpose of data classification and data categorization is to sort and organize data to facilitate effective analysis and to implement appropriate security controls to protect data assets.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 166 in PDF)

Explanation: Administrative controls are the policies, procedures, standards, and guidelines that an organization uses to implement technical and physical controls. They inform the organization on roles and responsibilities, proper information protection practices, and enforcement actions if controls are not followed.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 212 in PDF)

Explanation: The final stage of the data lifecycle is data destruction, which is often neglected. By logically or physically destroying unneeded data, you can both reduce your risk exposure and decrease your storage and data maintenance costs.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 199 in PDF)

Explanation: ISO 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization, and includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. This standard is intended to be applicable to all organizations, regardless of type, size, or nature.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 222 in PDF)

Explanation: The enforcement stage of DLP is where action is taken to prevent policy violations identified during the monitoring stage. These actions are configured based on the data classification and the potential impact of its loss. For less sensitive data, violations may be automatically logged and/or alerted on, while more sensitive data can actually be blocked from unauthorized exposure or loss.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 225 in PDF)

Explanation: The first stage of DLP is discovery and classification. Discovery is the process of finding all instances of data, while classification is the act of categorizing that data based on its sensitivity and value to the organization. Comprehensive discovery and proper classification is critical to the effectiveness of the remaining stages and to the success of your overall DLP implementation.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 225 in PDF)

Explanation: DLP in use involves host-based (or endpoint-based) DLP technology that allows monitoring of all data in use on the endpoint and provides insights that network-based DLP systems are not able to provide (such as attempts to transfer data to removable media). It monitors data as it is being used and can protect against unauthorized copy/paste, screen capture, and other operations that involve active use of sensitive data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 226 in PDF)

Explanation: The purpose of data classification is to determine the security controls necessary to manage and safeguard the confidentiality, integrity, and availability of the data. This is achieved by organizing data into groups or categories that describe the datas sensitivity, criticality, or value.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 166 in PDF)

Explanation: Data localization or residency refers to the requirement that data must be collected, processed, or stored within a country before it can be transferred internationally. This is to ensure that local privacy or data protection laws are met. Data can still be transferred internationally, but only after meeting these local laws. This concept is increasingly important with the growth of cloud-based storage solutions.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 197 in PDF)

Explanation: Data remanence occurs when data destruction efforts were insufficient to prevent the reconstruction of the data. Using an operating systems deletion command only removes the pointers to the data, not the data itself, leaving the possibility of reconstruction. This is a concern for regulated data and high sensitivity data with rigorous destruction methods required.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 200 in PDF)

Explanation: DRM is a set of tools and processes focused on controlling the use, modification, and distribution of intellectual property throughout its lifecycle. It allows restriction of access, editing, copying, and printing of digital assets, thus providing better control over who can use them and how. Protecting intellectual property is a critical security aspect, and DRM is used to achieve this goal.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 224 in PDF)

Explanation: ISO/IEC 19770-5 provides an overview of ITAM, which includes the management of IT assets and related terminology. The standard defines the different components of ITAM, such as inventory management, software asset management, and hardware asset management.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 187 in PDF)

Explanation: De-identification is used to remove personally identifiable information (PII) from sensitive data fields in order to protect the confidentiality of the data, particularly in test or development environments where the required security mechanisms may not be in place.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 177 in PDF)

Explanation: GDPR, or General Data Protection Regulation, requires organizations to identify specific individuals for specific data roles. It sets strict requirements for data protection and privacy for all individuals within the European Union and those dealing with EU citizens data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 191 in PDF)

Explanation: One of the primary functions of a CASB is to enforce security policies based on the data being used, which helps prevent data exfiltration through cloud services. CASBs also aim to provide visibility into an organizations cloud usage, guard against insider threats, and help demonstrate compliance with regulatory requirements.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 227 in PDF)

Explanation: According to the text, There is no mandatory formula or nomenclature for asset classification categories. Each organization will have to establish names and sensitivity levels. Therefore, option C is correct.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 170 in PDF)

Explanation: Context-based data classification is based on indirect attributes like ownership, location, or other values that can indicate sensitivity or criticality of data. Therefore, the most appropriate characteristic is that it is based on the sensitivity of the data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 167 in PDF)

Explanation: The primary function of a CASB is to monitor an organizations data security and help prevent data exfiltration through cloud services. This can include enforcing security policies based on the data being used and detecting and stopping potential security events. The other options listed, while important functions of a CASB, are not the primary purpose of a CASB in an organizations data security program.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 227 in PDF)

Explanation: Zeroing is a technique of erasing data on the disk and overwriting it with all zeros. It is one of the tactics to achieve desired levels of security assurance, as stated in NIST SP 800-88. It is a more effective method of data deletion than clearing as all data is overwritten with zeros.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 204 in PDF)

Explanation: NIST SP 800-53A Rev 4 provides a set of procedures for conducting assessments of security controls and privacy controls employed within US federal information systems and organizations, and it can be applicable to private-sector organizations. It is used as a complementary guide to NIST SP 800-53 Rev 5 and is consistent with its security and privacy controls.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 221 in PDF)

Explanation: Demonstrating due care and due diligence shows that an organization has taken all reasonable precautions and made efforts to protect assets, which can reduce the possibility of being penalized in the event of an incident or data breach.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 192 in PDF)

Explanation: The destruction of media physically through shredding, burning or pulverizing is the most effective method of data deletion in asset disposal policy. This method is highlighted in NIST SP 800-88 as well. Clearing (digitally wiping data or overwriting it with zeros or ones) is the least effective method and may allow data to be recovered. Purging includes methods such as degaussing, which is the destruction of data by exposing its storage media to a strong magnetic field.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 204 in PDF)

Explanation: The CNSS Instruction No. 1253 provides guidance for security categorization and control selection for national security systems, which includes the categorization of security controls. This ensures that national security systems are secured based on their level of risk and sensitivity to ensure confidentiality, integrity, and availability of the data they contain.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 166 in PDF)

Explanation: The asset inventory tool should have a way to distinguish authorized assets from unauthorized devices and applications and the ability to send alerts when the latter are discovered. This capability helps organizations to ensure the protection of their assets and maintain control of their environment. The other options are incorrect because they do not reflect the requirements of an asset inventory tool as described in the text.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 182 in PDF)

Explanation: The NIST Cybersecurity Framework (CSF) provides security and privacy guidelines primarily targeted at helping private-sector companies improve their security. It is broken into five functions: identify, protect, detect, respond, and recover.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 220 in PDF)

Explanation: Configuration management is a critical activity to implementing a formal asset management program because it ensures that an organization has an accurate inventory of assets and their configurations, and can track changes and updates to those assets. Configuration management can help an organization identify vulnerabilities and respond to security alerts more quickly, and ultimately reduce costs, improve services, and mitigate risk. While risk management, incident response, and access control are all important security activities, they are not necessarily critical to implementing a formal asset management program.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 185 in PDF)

Explanation: When establishing information and asset handling requirements, it is important to consider laws, regulations, and standards, security level, and specific threats and vulnerabilities that could impact the assets. Company culture and values are important for creating a strong security culture within the organization, but they do not necessarily impact the specific requirements for handling sensitive information and assets.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 174 in PDF)

Explanation: API-based CASBs monitor data within the cloud itself, rather than on a perimeter-based proxy, allowing organizations to protect any user accessing cloud resources from any device, from any location. Theres no need to install anything on user devices, but a potential drawback is that not all cloud applications provide API support for these types of CASBs.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 228 in PDF)

Explanation: During the “Use” phase of the secure data lifecycle, data maintenance involves continuously monitoring your data and applying security controls. It also requires balancing functionality with security to ensure that your business needs are met securely.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 198 in PDF)

Explanation: A complete and accurate asset inventory allows organizations to identify rogue assets, that is, assets that are not authorized or should not be present, and remove or isolate them as soon as possible. This helps to mitigate security risks and ensure that all critical assets are properly secured.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 181 in PDF)

Explanation: NIST SP 800-53 outlines requirements that federal agencies and government contractors need to meet for compliance with the Federal Information Security Management Act (FISMA); these NIST guidelines require data retention for a minimum of three years.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 198 in PDF)

Explanation: Content-based classification involves directly identifying sensitive data by inspecting the contents of files, rather than inferring it from metadata or other characteristics. Compliance authorities, such as HIPAA or PCI, often require content-based classifications.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 167 in PDF)

Explanation: Data in use is the third state of digital data and refers to data that is actively being processed by an application being used by a user. It is typically used in RAM, CPU caches, or CPU registers to perform the transactions and tasks the end user requires. It is in a volatile state and encryption is not necessarily relevant here, nor is it a primary control used with data in use, but it can be complementary to other controls. Authentication, authorization, and accounting are important controls for data in use.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 216 in PDF)

Explanation: The monitoring stage of DLP involves inspecting data as it moves throughout the data lifecycle. During this stage, DLP technologies seek to identify data that is being misused or mishandled. DLP monitoring should happen on workstations, servers, networking devices, and other endpoints, and it should evaluate traffic across all potential exfiltration paths (such as email, internet browsers, messaging applications, etc.).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 226 in PDF)

Explanation: File-level encryption is a tailored data protection strategy that allows encryption to be applied at the individual file level. This provides additional protection from unauthorized access to a file on a hard drive in the event the full disk is decrypted. It is a more granular approach to data-at-rest protection.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 214 in PDF)

Explanation: One of the primary functions of a cloud access security broker (CASB) is to provide visibility into an organizations cloud usage and detect, monitor, and secure shadow IT. CASBs can also help prevent data exfiltration through cloud services and enforce specific security policies based on the data being used.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 227 in PDF)

Explanation: Establishing policies and procedures governing asset handling is a critical aspect of any asset security program. These policies and procedures provide rules for accessing, transmitting, transporting, and using sensitive data and other critical assets. Employee awareness and training regarding responsibilities for proper information handling is also a critical part of any asset security program.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 175 in PDF)

Explanation: The monitoring stage involves inspecting data as it moves throughout the data lifecycle. During this stage, DLP technologies seek to identify data that is being misused or mishandled. DLP monitoring should happen on workstations, servers, networking devices, and other endpoints.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 225 in PDF)

Explanation: ISO/IEC 19770-4 establishes a data standard that supports standardized reporting of resource utilization. This is especially important when managing cloud-based systems or other complex assets and licenses.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 187 in PDF)

Explanation: ISO/IEC 19770-1 provides a process framework that outlines best practices for IT asset management and allows an organization to demonstrate compliance with an ITAM standard.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 186 in PDF)

Explanation: Security frameworks focus less on specific controls and more on overall processes and best practices to manage an enterprises security. The use of a framework to establish the security baseline is appropriate to assess and improve the organizations ability to prevent, detect, and respond to cyber attacks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 220 in PDF)

Explanation: A data controller is an entity that determines the purpose and means of processing personal data while a data processor is an entity that processes personal data on behalf of the controller. The controller is responsible for ensuring that the processing is done lawfully and fairly, while the processor is responsible for processing the data in accordance with the controllers instructions and cannot use the data for any other purpose. Therefore, the data controller is the owner of the data and the data processor is responsible for processing it.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 195 in PDF)

Explanation: ISO 19770 is a family of standards established by the International Standards Organization for governing and managing IT assets, including hardware, software, data, and related processes.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 186 in PDF)

Explanation: A forward proxy CASB generally resides on a users device and uses an encrypted man-in-the-middle technique to securely inspect and forward all cloud traffic for the user. It requires certificates to be installed on every endpoint that needs to be monitored.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 227 in PDF)

Explanation: Security frameworks focus less on specific controls and more on overall processes and best practices.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 219 in PDF)

Explanation: The purpose of change management in asset security is to prevent arbitrary and unexpected modifications to assets. Organizations must develop policies and procedures to ensure standardized processes are employed when making changes to their assets, and this includes change control, enforcement, verification of changes, and audit. If change management is not handled properly, significant gaps can emerge between inventory records and reality in the environment, which can lead to a security breach.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 188 in PDF)

Explanation: The primary consideration for secure asset storage of digital information according to asset storage guidelines is encryption. Sensitive data at rest should be encrypted, whenever feasible. Encryption ensures that even if an attacker gains access to the data, it will be unreadable to them without the encryption key.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 176 in PDF)

Explanation: The Security of Information Act (SIA) in Canada aims to protect national security interests through the safeguarding of sensitive government information. It is a federal law that provides specific measures to ensure that sensitive information, both within Canada and abroad, is not disclosed to unauthorized individuals or entities. The other options listed in the question are laws in Canada that relate to privacy, electronic documents, and unsolicited commercial emails, respectively.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 165 in PDF)

Explanation: Data owners are responsible for dictating how and why data should be used and determining how the data must be secured. They can authorize or deny access to their data and remain ultimately accountable for it. They can also be held liable for negligence if sensitive data that they own is misused or disclosed in an unauthorized way.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 191 in PDF)

Explanation: The main limitation of standard network-based DLP implementations is that they cannot effectively monitor encrypted traffic, such as HTTPS. If attempting to monitor encrypted network traffic, organizations must integrate encryption and key management technologies into the overall DLP solution, which may significantly increase the complexity of a DLP implementation but is required for certain use-cases.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 226 in PDF)

Explanation: Data protection policies are an administrative control that can be applied to safeguard multiple assets. They set requirements for the handling and protection of data, such as data classification, retention, and destruction policies. All assets benefit from implementing data protection policies.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 218 in PDF)

Explanation: ISO/IEC 19770-3 is a standard for describing software entitlement rights, limitations, and metrics, which provides an ITAM data standard that establishes common terminology.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 187 in PDF)

Explanation: Domain controllers are an example of a Tier 0 asset because they are essential to several business units, may handle or include data that is extremely sensitive, and compromise could have a critical impact on the businesss ability to function. They are also required to be available 100 percent of the time.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 172 in PDF)

Explanation: A security baseline is a minimum set of safeguards required to protect a given system.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 187 in PDF)

Explanation: Degaussing is the process of exposing storage media to a strong magnetic field to destroy the data it holds. This is an effective method of data deletion and is typically used when the data is deemed critical or sensitive. It is one of the techniques available for achieving the desired level of assurance in sanitization requirements.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 205 in PDF)

Explanation: The data user is the party who consumes and receives the data. They may hold data processors accountable to SLAs and other contractual agreements that require a specific level of performance. Therefore, option B is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 195 in PDF)

Explanation: Data controllers are responsible for conforming to the principles of lawfulness, fairness, transparency, data minimization, accuracy, storage limitation, integrity, and confidentiality of personal data. They negotiate privacy protections with data processors via secure contractual terms and assurances, called data processing agreements. Thus, they must be able to demonstrate compliance with all principles relating to processing personal data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 193 in PDF)

Explanation: A medical billing system that stores patient information falls under the category of significant systems that handle protected health information (PHI) and must be protected per the standards outlined in HIPAA.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 173 in PDF)

Explanation: Recognized frameworks provide flexibility for organizations to establish baseline requirements, even if they are not required to be compliant. This allows organizations to choose a recognized framework, or a combination of parts of recognized frameworks that fit their specific needs, without being forced to comply with a specific set of regulations, laws or market requirements.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 219 in PDF)

Explanation: The three categories of controls discussed in DOMAIN 2: Asset Security are technical, administrative, and physical. Operational is not one of the categories mentioned in this context.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 212 in PDF)

Explanation: HIPAA regulates the handling of customer medical records and information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 201 in PDF)

Explanation: The main focus of Domain 2 Asset Security is to identify, categorize, secure, and monitor all sources of value of an organization, including tangible and intangible assets such as information stores, databases, hardware, software, or entire networks. The domain covers the best policies, practices, and methods to assure the confidentiality, integrity, and availability of an organizations information and technology assets.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 164 in PDF)

Explanation: The most important role a security practitioner might have in asset retention is to create and maintain a policy that is informed by and adheres to regulations, meets business objectives, and is understood and followed throughout the organization. Conducting training and testing of the policy are important measures of program performance. Users have to be made aware of their responsibilities in maintaining safeguards during the entire asset lifecycle. Audits should be conducted to assure the organization that the policy and procedures are being followed.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 207 in PDF)

Explanation: A cloud access security broker (CASB) is a software application that sits between cloud users and cloud services and applications; CASBs actively monitor all cloud activity and implement centralized controls to enforce security, making option B the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 227 in PDF)

Explanation: Data processors are responsible for transferring, transmitting, or otherwise handling data on behalf of a data owner. They play a distinct role in the protection of data by ensuring that the data is handled securely during transmission or processing. Data processors do not have legal responsibility and accountability for the data, as does a data controller.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 194 in PDF)

Explanation: The text explicitly mentions two key methods for protecting data as an asset: encryption and access control. Encryption ensures that data cannot be accessed even if it falls into unauthorized hands, and access control ensures that only authorized individuals have access to it. While backing up data regularly is important for disaster recovery, it is not necessarily a method for protecting data as an asset. Installing burglar alarms in the data center helps protect the physical security of the data center but does not directly protect the data itself. Only allowing access during certain hours does not provide sufficient protection against unauthorized access.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 213 in PDF)

Explanation: A firewall is an example of a technical common control that can provide network boundary defense for all assets. It is a type of security device that helps to safeguard multiple assets and its implementation can be inherited across assets in an organization’s security architecture.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 218 in PDF)

Explanation: Compensating controls are used when baseline controls are not sufficient to meet control objectives. When baseline controls have potential to degrade or obstruct business operations or are cost-prohibitive, we have to explore compensating controls. In some cases, prescribed or recommended security controls may not be scoped or tailored sufficiently to meet the control objective. Therefore, in asset security, compensating controls can be used when baseline controls are cost-prohibitive or obstruct business operations.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 218 in PDF)

Explanation: The Cybersecurity Information System Security Law is specific to China and contains provisions related to data protection, cross-border transfer of data, and security assessments.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 165 in PDF)

Explanation: The organization must define an appropriate frequency for updating the inventory but many agile organizations will do this on an as-needed basis. The inventory must be refreshed or updated; this includes defining an appropriate frequency for updating the inventory. In addition to the regular interval inventory updates, it is also a good practice to manually notify the inventory tool administrator when an asset is installed or removed or when the components are updated/changed in a significant way, just to verify that those changes were captured by the inventory tools.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 184 in PDF)

Explanation: Within an organization, the chief executive officer or authorized delegates have formal ownership responsibility, as defined and directed by the organizations formal governance documents, and within compliance limits of law and regulation. This responsibility includes keeping the information asset inventory up-to-date to ensure the confidentiality, integrity, and availability of the information asset (source: Official (ISC)² CISSP CBK Reference, 5th Edition, pp. 375-376).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 180 in PDF)

Explanation: As mentioned in the text, data custodians are responsible for maintaining the technical environment that ensures safe custody, transport, and storage of data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 193 in PDF)

Explanation: The Official Secrets Act (OSA) is the primary legislation governing the protection of official information within the UK. It governs the handling, storage and dissemination of government information by defining the levels of protection required for official documents.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 165 in PDF)

Explanation: A formal data policy is the primary mechanism through which an organization should establish classification levels for assets. Management can then develop controls that provide sufficient protections against specific risks and threats to assets based on these classification levels.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 169 in PDF)

Explanation: Degaussing is a method of sanitizing an asset that involves the use of strong magnetic fields to destroy the data on the storage media. It is a form of purging that ensures that the data cannot be recovered.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 204 in PDF)

Explanation: FIPS Publication 199 provides a standard for categorizing U.S. federal information and information systems according to a government agencys level of concern for confidentiality, integrity, and availability and the potential impact on agency assets and operations, should their information and information systems be compromised through unauthorized access, use, disclosure, disruption, modification, or destruction.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 221 in PDF)

Explanation: The NIST Cybersecurity Framework (CSF) provides security and privacy guidelines that are primarily targeted at helping private-sector companies improve their security. The NIST CSF is broken into five functions: identify, protect, detect, respond, and recover.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 220 in PDF)

Explanation: FIPS 199 is a document that provides standards for security categorization of federal information and information systems in the United States.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 166 in PDF)

Explanation: The correct answer is B. Discovery and classification involves identifying sensitive data elements and tagging them in order to monitor them later on. Monitoring involves tracking sensitive data usage and the flow of information. Finally, enforcement refers to preventing sensitive data from being lost, stolen, or accessed by unauthorized parties. Authorization, authentication, and accountability are more related to Access Control, not Asset Security. Backup, recovery, and restoration are more related to Business Continuity and Disaster Recovery.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 224 in PDF)

Explanation: HIPAA mandates a six-year record retention requirement for documentation required to maintain the policies and procedures relevant to HIPAA, such as log records pertaining to electronic protected health information (ePHI) review.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 208 in PDF)

Explanation: The process of substituting a sensitive data element with a nonsensitive set of characters or numbers called a token that can be reverse engineered back to the original data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 179 in PDF)