Page 1522 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

11. D. SSH is a secure method of connecting to remote servers over a network because it encrypts data transmitted over a network. In contrast, Telnet transmits data in cleartext. SFTP and SCP are good methods for transmitting sensitive data over a network but not for administration purposes.

12. D. A data custodian performs day-to-day tasks to protect the integrity and security of data, and this includes backing it up. Users access the data. Owners classify the data. Administrators assign permissions to the data.

13. A. The administrator assigns permissions based on the principles of least privilege and need to know. A custodian protects the integrity and security of the data. Owners have ultimate responsibility for the data and ensure that it is classified properly, and owners provide guidance to administrators on who can have access, but owners do not assign permissions. Users simply access the data.

14. C. The rules of behavior identify the rules for appropriate use and protection of data. Least privilege ensures that users are granted access to only what they need. A data owner determines who has access to a system, but that is not rules of behavior. Rules of behavior apply to users, not systems or security controls.

15. A. The European Union (EU) Global Data Protection Regulation (GDPR) defines a data processor as “a natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller.” The data controller is the entity that controls processing of the data and directs the data processor. Within the context of the EU GDPR, the data processor is not a computing system or network.

16. A. Pseudonymization is the process of replacing some data with an identifier, such as a pseudonym. This makes it more difficult to identify an individual from the data. Removing personal data without using an identifier is closer to anonymization. Encrypting data is a logical alternative to pseudonymization because it makes it difficult to view the data. Data should be stored in such a way that it is protected against any type of loss, but this is unrelated to