Page 1523 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
pseudonymization.
17. D. Scoping and tailoring processes allow an organization to tailor
security baselines to its needs. There is no need to implement
security controls that do not apply, and it is not necessary to
identify or re-create a different baseline.
18. D. Backup media should be protected with the same level of
protection afforded the data it contains, and using a secure offsite
storage facility would ensure this. The media should be marked,
but that won’t protect it if it is stored in an unstaffed warehouse. A
copy of backups should be stored offsite to ensure availability if a
catastrophe affects the primary location. If copies of data are not
stored offsite, or offsite backups are destroyed, security is
sacrificed by risking availability.
19. A. If the tapes were marked before they left the datacenter,
employees would recognize their value and it is more likely
someone would challenge their storage in an unstaffed warehouse.
Purging or degaussing the tapes before using them will erase
previously held data but won’t help if sensitive information is
backed up to the tapes after they are purged or degaussed. Adding
the tapes to an asset management database will help track them
but wouldn’t prevent this incident.
20. B. Personnel did not follow the record retention policy. The
scenario states that administrators purge onsite email older than
six months to comply with the organization’s security policy, but
offsite backups included backups for the last 20 years. Personnel
should follow media destruction policies when the organization no
longer needs the media, but the issue here is the data on the tapes.
Configuration management ensures that systems are configured
correctly using a baseline, but this does not apply to backup media.
Versioning is applied to applications, not backup tapes.
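The retention failure in question 20 is easy to reproduce in practice: a purge job runs against onsite mailboxes while offsite backup sets accumulate for decades. The following added example (not from the study guide) is a small audit script that applies one retention limit to a constructed inventory of backup media regardless of where each set is stored, so that offsite copies surface in the same report as onsite ones. The inventory records, the six-month figure expressed as 183 days, and the function names are assumptions made for the illustration.

```python
from datetime import date, timedelta

# Six months of retention, expressed in days for the date arithmetic below.
# The scenario only says "six months"; 183 days is an assumed approximation.
RETENTION_DAYS = 183

# Constructed sample inventory (not real media): one record per backup set.
SAMPLE_INVENTORY = [
    {"id": "tape-001", "location": "onsite",  "created": date(2024, 1, 15)},
    {"id": "tape-002", "location": "offsite", "created": date(2010, 3, 1)},
    {"id": "tape-003", "location": "offsite", "created": date(2024, 5, 20)},
    {"id": "tape-004", "location": "onsite",  "created": date(2023, 9, 1)},
]


def backups_past_retention(inventory, today, retention_days=RETENTION_DAYS):
    """Return every backup set created before the retention cutoff.

    The check deliberately ignores the storage location: a retention policy
    that is only enforced onsite leaves the offsite copies in place, which is
    exactly the gap the scenario describes.
    """
    cutoff = today - timedelta(days=retention_days)
    return [b for b in inventory if b["created"] < cutoff]


def overdue_by_location(inventory, today, retention_days=RETENTION_DAYS):
    """Group overdue set IDs by location so each site gets a destruction list."""
    report = {}
    for b in backups_past_retention(inventory, today, retention_days):
        report.setdefault(b["location"], []).append(b["id"])
    for ids in report.values():
        ids.sort()
    return report


if __name__ == "__main__":
    # Run the audit against the constructed inventory as of an assumed date.
    for location, ids in overdue_by_location(SAMPLE_INVENTORY, date(2024, 6, 30)).items():
        print(f"{location}: {len(ids)} set(s) past retention -> {ids}")
```

Feeding the script an inventory that includes the offsite vault turns a silent accumulation of old tapes into an explicit destruction list per site; the sets it flags are then handled under the media destruction policy that the answer distinguishes from retention.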