CCT 035: CISSP Exam Questions concerning Data Ownership (Domain 2)May 11, 2023
CCT 035 - RCR 132- CISSP Exam Questions concerning Data Ownership (Domain 2)
[00:00:00] Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
Alright, let's get started. Let's go.
Hey y'all. This is Shon Gerber with CISSP Cyber Training Podcast. How are you all doing today? Today is a wonderful Thursday, which means it is CISSP exam question Thursday, and we're gonna be talking about domain two. And in domain two we're gonna be focused on securing sensitive information.
Legal and regulatory requirements and establishing data ownership policies. Now you're probably asking yourself, yawn. Yes, that can be a challenge, but we're just gonna be talking about some [00:01:00] of the questions related to it so you can be better prepared for the CISSP exam. So we'll just go ahead and get started off, and again, one real quick plug: you can see all of these at cisspcybertraining.com. Head on over there if you want to get access to these questions, and you'll be able to get the video version as well as the audio version. Okay, so which of the following is a key requirement for securing sensitive data? Okay. A, implementing access controls based on classification.
B, conducting regular vulnerability assessments. C, implementing intrusion detection systems. Or D, none of the above. Okay. So which of the following is a key requirement for securing sensitive information? So again, like we talk about, what are the ones you can narrow out of this discussion when you're reading through the questions on the exam?
So which of the following is a key requirement for securing sensitive information? Implementing access controls based on data classification. That sounds [00:02:00] positive. Conducting regular vulnerability assessments, that really wouldn't be a key requirement. Implementing intrusion detection system, that's more of a hardware thing.
And then none of the above. The first one sounded plausible and the second one possible, but not necessarily a requirement. So the answer would be A: implementing access controls based on data classification is a key requirement for securing sensitive information. This ensures that only authorized users have access to the sensitive data. When you're dealing with data classification, it's one of the key aspects we've talked about in this podcast.
Understanding the data is an important part of securing the data, and without truly understanding its sensitivity, it's really hard to secure. So I've dealt with this time and again, that if you don't have a good data classification policy and plan trying to secure the data can be very problematic.
That is usually a good go-to. All right. So next question. Which of the following is a legal and regulatory [00:03:00] requirement related to data ownership? Okay, so the question is, which of the following is a legal and regulatory requirement related to data ownership? A, ensuring data availability. B, providing open access to the data.
C, complying with the data retention laws. Or D, all of the above. So again, the question is, which of the following is a legal and regulatory requirement related to data ownership? Okay, so legal and regulatory. That's a key point in that question. A, ensuring data availability. That's really not a legal requirement. B, providing open access to the data, possibly could be a legal requirement around that. C, complying with all data retention laws, that would be one that I would probably glob onto if I didn't know. And then D, all of the above. That's definitely not all of the above, because data availability is not a legal and regulatory requirement.
It would be C. Complying with data retention laws is a legal and [00:04:00] regulatory requirement related to data ownership. So if you have to do that with your data, and there's some laws around that you may have to keep that at for a specific period of time, especially organizations must ensure that they retain the data for a specific period in accordance with legal and regulatory requirements.
I've dealt with this in the past where you've had to keep your data for a period dependent upon what it is. Like EH&S, which is your environmental health and safety, you may have to hold onto that for a period of five to seven years. So there are requirements around data retention. And also if you go to China, you have the data retention laws there as well.
So it's something that you very easily will run into. Okay. Next question. Which of the following is an important consideration when establishing data ownership policies in the cloud? A, who can access the data? That would be positive. B, how is the data secured? That would be another one that would be important. Both A and B.
Okay. C. None of the above. None of the above is. [00:05:00] It's an easy one of these when it's none of the above and one for sure is correct. So it's definitely not the D. So which of the following is an important consideration when establishing data ownership policies in the cloud? When you're dealing with the cloud, it's important to know who owns the data.
That's extremely important, and it's also important to know who can access the data and how it is secured. So if you look at A, who can access the data, that's an important part. B, how the data is secured. Anytime you're dealing with the cloud, you wanna make sure that if your data is sitting offsite in somebody else's data center, you ensure it's secured.
And then C is both A and B, which is the correct answer. So C: both who has access to the data and how the data is secured are important considerations when establishing data ownership policies in the cloud. Organizations must ensure that they understand the cloud service provider's security controls, and have the ability to monitor, manage, and access the data.
What that basically is saying is that you need to understand not just how it's secured from your standpoint, but also how the cloud [00:06:00] provider is securing it. One of the things as a security professional you'll want to ensure is that as you're interviewing, we call 'em, SaaS providers, your software-as-a-service providers, that they are protecting your data in the proper way.
Same with IaaS, your infrastructure-as-a-service providers. You also wanna ensure that if they're dealing with any sort of data protection, they're doing that in a proper format as well. Sorry if I sound a little congested. I am fighting a cold, so it's unfortunate in the summer, that's just not fun.
All right. Now question four, what is the purpose of the data classification scheme? A, to determine the value of the data? So it's a data classification scheme. Does it determine the value? Not necessarily. B, to determine the sensitivity of the data? That would be a likely option. C, to determine the storage requirements of the data?
It wouldn't necessarily; it would help to determine some of those storage requirements, but not necessarily. And then D, all of the above. I know it wouldn't determine the value, so D is out. And since I [00:07:00] know it's not determining the value, the data classification doesn't, then from there you will go and determine it's probably B or C.
So again, what is the purpose of the data classification scheme? A, to determine the value of the data. B, to determine the sensitivity of the data. C, to determine the storage requirements of the data. Or D, all of the above. And the answer is B. The purpose of the data classification scheme is to determine the sensitivity of the data.
This allows organizations to implement appropriate access controls and security measures to protect the data. And that is true. When you're going through that process, the data classification aspects will help you as you walk through it: what is the actual sensitivity of it? Now, the sensitivity of the data, once you determine that,
then you may determine, you may have an idea of what the value is before you determine the sensitivity. Cuz realistically, right now I've worked with some of my senior leaders around the controls of the data and around what the value is of that data. [00:08:00] And I have to understand from them once I know what the value is of it.
Then I can work with them on how to best create a data classification. But if they don't know the actual value, I still then help create that classification based on what they feel the value might be. So what is the primary challenge organizations face in enforcing data ownership policies?
Again, the question is, what is the primary challenge organizations face in enforcing data ownership policies? A, limited availability of security technologies. B, lack of employee awareness and training. C, inadequate policies and procedures. Or D, resistance from business units. Okay, so let's go with the question again.
What is the primary challenge organizations face in enforcing data ownership policies? Okay, so let's go into it. It's a challenge around enforcing the policies. A, limited availability of security technologies. That usually is not the case, cuz any sort of [00:09:00] technologies can be implemented that wouldn't necessarily challenge your data ownership policy.
B, the lack of employee awareness and training, that is possible. C, inadequate policies and procedures, I guess that's possible too. But you may have great policies and procedures in place; that doesn't mean they're gonna follow it. And then D, resistance from the business units.
Most of the business units understand data ownership, and so you really don't get a lot of resistance from them. So again, what is the primary challenge organizations face in enforcing data ownership policies? A limited availability of security technologies. B, lack of employee awareness and training. C, inadequate policies and procedures.
Or D, resistance from the business units. The answer is B. Again, lack of employee awareness and training is a primary challenge organizations face in enforcing data ownership policies, and I will admit that is the case. You can have the best policies in the world and have them published on your website, your SharePoint site, or anywhere else. [00:10:00]
And if they don't know they exist and if they're not educated on it, they will not do well. So I've had that happen to me time and again. So again, they must be aware of their responsibilities. If they're not aware of 'em, then it's really hard for them to follow. Okay. Thank you so much for joining me today.
I hope you enjoyed these CISSP questions. You can go over to cisspcybertraining.com and get access to these questions in a textual form, a video form, and an audio form. All right. Have a great day, and we'll catch you on the flip side. See ya.