Page 1520 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Chapter 5: Protecting Security of Assets




1.  A. A primary purpose of information classification processes is to identify security classifications for sensitive data and define the requirements to protect sensitive data. Information classification processes will typically include requirements to protect sensitive data at rest (in backups and stored on media), but not requirements for backing up and storing all data. Similarly, information classification processes will typically include requirements to protect sensitive data in transit but not necessarily all data in transit.

2.  B. Data is classified based on its value to the organization. In some cases, it is classified based on the potential negative impact if unauthorized personnel can access it. It is not classified based on the processing system, but the processing system is classified based on the data it processes. Similarly, the storage media is classified based on the data classification, but the data is not classified based on where it is stored. Accessibility is affected by the classification, but the accessibility does not determine the classification. Personnel implement controls to limit accessibility of sensitive data.

3.  D. Data posted on a website is not sensitive, but PII, PHI, and proprietary data are all sensitive data.

4.  D. Classification is the most important aspect of marking media because it clearly identifies the value of the media and users know how to protect it based on the classification. Including information such as the date and a description of the content isn't as important as marking the classification. Electronic labels or marks can be used, but they are applied to the files, not the media, and when they are used, it is still important to mark the media.

5.  C. Purging media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. Purged media can then be reused in less secure