My Story Podcasts Blog Free Resources Contact CISSP Academy

CCT 069: CISSP Exam Questions - Data Collection, Location, and Destruction (D2.4)

Sep 07, 2023
 

Imagine a world where a simple radio command halts an entire railway system. That's exactly what happened in Poland recently, and we're here to break down the intricate details of this cyber-attack. We'll reveal how the Polish radio stop command system was exploited, unraveling the mystery behind this major disruption. From there, we'll navigate the tricky waters of personal identifiable information (PII), data destruction, and data sovereignty, arming you with insights and strategies to protect your data. Ready to ace your CISSP exam? We've got your back with a series of exam-style questions and discussions around critical topics like data encryption and degausing a tape.

Switching gears, we'll venture into the realm of CCPA Compliance and data security. If you've been wondering how to determine the scope of consumer data, or puzzled over the features of GDPR, fret no more as we demystify these concepts. And let's not forget about the importance of secure data transmission, especially when dealing with financial data. We dive into the best practices for transmitting sensitive data, address API security, and explore secure data destruction methods. To cap off the episode, we'll tackle data scraping and the perils of unauthorized data collection. So, buckle up for an exhilarating ride through the landscape of cybersecurity!

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free. 

 
Content:

Question 1

Your organization stores customer PII. Which of the following should be implemented to ensure its protection?

A. Plain Text Storage

B. Database Encryption

C. Log File Monitoring

D. Intrusion Detection System

Answer: B. Database Encryption

Explanation: PII is sensitive data that needs to be encrypted during storage to protect against unauthorized access. While log file monitoring and intrusion detection systems are good for security, they do not specifically protect stored PII.

 

Question 2

You are responsible for data destruction. What should you do after degaussing a magnetic tape?

A. Validate that data is unreadable

B. Shred the tape

C. Overwrite data on the tape

D. Nothing; degaussing is sufficient

Answer: A. Validate that data is unreadable

Explanation: After degaussing, a validation step should be taken to ensure that the data is unreadable. Degaussing can sometimes be ineffective, so this step is crucial.

 

Question 3

A company operating globally is worried about data sovereignty. Which of the following is the BEST approach?

A. Storing all data in the cloud

B. Storing data in the country of origin

C. Encrypting all data

D. Data masking

Answer: B. Storing data in the country of origin

Explanation: Data sovereignty is about data being subject to the laws of the country it is located in. Storing data in the country of origin would ensure compliance with local laws.

 

Question 4

Which of the following is most appropriate for destroying SSDs?

A. Shredding

B. Degaussing

C. Secure Erase

D. Incineration

Answer: A. Shredding

Explanation: Degaussing is not effective for SSDs, and secure erase may not be sufficient. Physical destruction like shredding is often recommended for SSDs.

 

Question 5

What consent form is explicit and needs direct action from a user?

A. Opt-in

B. Opt-out

C. Passive consent

D. Active consent

Answer: A. Opt-in

Explanation: Opt-in consent requires an explicit action from a user, such as ticking a checkbox, making it an explicit form of consent.

 

Question 6

You are asked to ensure compliance with CCPA. What is one of the FIRST steps you should take?

A. Update privacy policies

B. Identify in-scope consumer data

C. Develop a mechanism for handling consumer requests

D. Appoint a Data Protection Officer (DPO)

Answer: B. Identify in-scope consumer data

Explanation: Before updating policies or developing mechanisms, you first need to identify what data is in scope for CCPA compliance.

 

Question 7

Which of the following regulatory standards is most relevant to healthcare data in the United States?

A. GDPR

B. CCPA

C. HIPAA

D. PCI DSS

Answer: C. HIPAA

Explanation: HIPAA specifically focuses on healthcare data protection in the United States.

 

Question 8

Which of the following is a key feature of GDPR?

A. Right to opt-out of data sale

B. Data portability

C. Mandatory two-factor authentication

D. Data masking

Answer: B. Data portability

Explanation: Data portability, which allows individuals to take their data from one service provider to another, is a key feature of GDPR.

 

Question 9

You've discovered an API collecting customer PII without proper security. What's your first action?

A. Disable the API

B. Implement OAuth

C. Notify customers

D. Update privacy policy

Answer: A. Disable the API

Explanation: The immediate action should be to disable the vulnerable API to prevent further data exposure.

 

Question 10

What is the best method for securely transmitting financial data over a network?

A. SSH

B. HTTPS

C. FTP

D. SFTP

Answer: B. HTTPS

Explanation: HTTPS provides secure, encrypted web communication, which is suitable for transmitting financial data.

 

Question 11

Your company collects data from users via online forms. What should you employ to prevent SQL injection?

A. Input Validation

B. Output Validation

C. CAPTCHA

D. Data Masking

Answer: A. Input Validation

Explanation: Input validation checks data for integrity before being processed, preventing SQL injection attacks.

 

Question 12

After securely erasing a hard drive, what should be the NEXT step?

A. Validation

B. Shredding

C. Degaussing

D. Incineration

Answer: A. Validation

Explanation: Validation should be performed to confirm that the data has been securely erased and is unrecoverable.

 

Question 13

Which destruction method involves deleting cryptographic keys?

A. Degaussing

B. Shredding

C. Cryptographic Shredding

D. Secure Erase

Answer: C. Cryptographic Shredding

Explanation: Cryptographic shredding involves the deletion of the cryptographic keys used to encrypt data, making it unreadable.

 

Question 14

What is data scraping?

A. User data input manually

B. Automatic gathering of data from websites

C. Manual copy-pasting of data from websites

D. Downloading a database

Answer: B. Automatic gathering of data from websites

Explanation: Data scraping refers to the automated methods of gathering data from websites.

 

Question 15

Which of the following is NOT an authorized data collection method?

A. User consent

B. Data scraping in violation of robots.txt

C. APIs

D. Direct input methods like forms

Answer: B. Data scraping in violation of robots.txt

Explanation: Scraping data in violation of robots.txt is not an authorized method of data collection.

 

Question 16

What is data sovereignty?

A. Data available globally

B. Data stored in the cloud

C. Data subject to the laws of the country it's located in

D. Data stored within a specific domain

Answer: C. Data subject to the laws of the country it's located in

Explanation: Data sovereignty refers to data being subject to the laws of the country where it is stored.

 

Question 17

What is the FIRST step in data lifecycle management?

A. Data creation

B. Data classification

C. Data storage

D. Data disposal

Answer: A. Data creation

Explanation: The data lifecycle starts with data creation, followed by other stages like classification, storage, and disposal.

 

Question 18

Which of the following is NOT a data destruction method?

A. Shredding

B. Logging

C. Degaussing

D. Incineration

Answer: B. Logging

Explanation: Logging is for monitoring and does not destroy data.

 

Question 19

Which of the following methods is NOT suitable for destroying paper records?

A. Shredding

B. Incineration

C. Degaussing

D. Pulping

Answer: C. Degaussing

Explanation: Degaussing is a method used to destroy data on magnetic storage media, not paper records.

 

Question 20

Which of the following is a requirement under CCPA?

A. Data localization

B. Right to be forgotten

C. Data masking

D. Mandatory encryption

Answer: B. Right to be forgotten

Explanation: CCPA includes a provision that allows California residents to request the deletion of their personal information, which is commonly referred to as the 'right to be forgotten'.

 
Transcript:  
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey, all of Sean Gerber with the CISSP Cyber Training Podcast, and today is Thursday, and what does that mean? That means it's exam question Thursday. That's exciting news, and there's lots of little children around the world screaming for joy because today is CISSP exam Thursday. Yes, yes, it's the questions today it is. But before we get started, we're going to talk about actually, something that popped up in the news that I thought you all might be very, very interested in. As you're studying for the CISSP, you know that it's really important for you to be in a position so that you can better protect the companies that you go work for, and one of the areas that is a big thing in the news today is obviously critical infrastructure, and there was an article that is in the Washington Post that I thought was very interesting, and the fact is is it's around a disruption that occurred in Poland. It's believed that it's tied to sympathetic people with Russia and that they did an attack on the Polish railway network. One interesting question around that, though, is how did they do it? Was it like the sophisticated hackers that were attacking, from I don't know, a Russian satellite, going after a specific server in the United States, bouncing off of that going into Poland? No, was not nearly anything as sexy as that. So, basically, what they're talking about and what I read in this article is kind of interesting, is it? They dealt with this different level of sabotage that's occurred, and this occurred several incidents on Friday night and Sunday involving someone using an unauthorized emergency stop signal, and what this basically is is it's interesting. I didn't even know this happened, but they exploited a Polish radio stop command system, which brings all the trains to stop when three tonal signals are broadcast through their radio network. So I mean, I'm an old guy, but you'd have a situation where it would like something like that. That's really cool. I did a great job with that. I know I did you all like that, didn't you? No, you're actually no, but the problem is, is this small these three tones, these up down, whatever they are, cause the entire rail system to stop. So this reminds me very eerily similar to areas where they used to do this in the old days of phones and you have a certain tone that would go over a phone line and it would allow you to get international calls. Same kind of concept, but it's just. It's amazing how the fact that we are so dependent on something so small as three tones on a radio network that probably is not encrypted by any stretch of the imagination, and it caused the entire train system to stop. So the cool part is is that it actually worked. So that's a good thing to keep all the trains from going somewhere. The bad thing is is now other people will figure that out and I'm sure that they're probably scrambling very quickly to try to patch that up in other rail systems around the globe. So I guess something for you to chew on as you study your CISSP questions. So today we're going to get into domain number two. So we got a bunch of questions for you and we are going to start rolling right into those. Okay, so question number one your organization studies PII, not studies stores. Your organization stores customer PII. Which of the following should be implemented to ensure its protection. Okay, so we understand PII is personally identifiable information. So which of the following information, or which of the following should be implemented to ensure its protection? A plain text storage. B database encryption. C log file monitoring or de-intrusion detection. So if you're looking to store customer PII, you want to have some level of database encryption, again, that is designed to protect against unauthorized access while the log files are being stored. And then it's important to have all this, but the log files won't help you. The intrusion detection will help after the fact or as you're trying to get in, but when you're dealing with just protecting this, the PII on that database, then it should be database encryption. Question number two you are responsible for data destruction. What should you do after degausing a tape? A validate that the data is unreadable. Now, again, we talk about degausing. This is where a magnetic field goes across the tape and makes the contents unreadable. So, a you validate the data is unreadable. B you shred the tape. C you overwrite the data on the tape. Or D nothing Degausing is sufficient. So the answer is you validate the data is unreadable. Now I want to say that, in the fact that if you are going to go to the pains of doing a degause on a tape, a magnetic tape. You obviously had the idea that you want to reuse that tape, so you got to think about that. If don't read too far into the question, where you go, well, I'll just shred the tape. Why am I even bothering with it? The question comes into is is they're probably asking for you to reuse the tape. The easiest option is to just shred it. You don't need it. But if they are wanting to keep it, what is the policy for your organization? You may want to just validate. The data is unreadable. Question three a company operating globally is worried about data sovereignty. So that means the data stays where it's at locally. Which of the following is the best approach? Again, key words best A storing all the data in the cloud. B encrypting all the data. C data masking. Or D storing the data in the country of origin. Okay, so the company operating globally is worried about data sovereignty. Which of the following is the best approach? And the answer is D storing the data in the country of origin. So by doing that, you will ensure that it is compliant with the local laws. Now you may have a situation where you're storing this data in the cloud as well, and that cloud may be in that country, but if you're wanting to ensure that this data is best protected, you would store it and it's compliant with the laws of the local laws. You'll want to ensure that it is in the country of origin. Question number four which of the following is most appropriate for destroying SSDs? So these are solid state devices, so this is your solid state drives. These are the hard drives. These are what's moved from the standard platter hard drives to what they're at today and they're just basically a big, really big chip or group of chips that's storing data. So which of the following is most appropriate for destroying SSDs? A degausing, b securing, secure erase. C shredding or de-incineration. So which is the most appropriate for destroying SSDs? So if you're dealing with an SSD, obviously degausing doesn't work. Secure erase will leave the data there, but do you know if it's gone? Shredding is probably the best thing to do with SSDs, just to be honest, because you can't really clean them the way you can as normal plattered hard drive, so shredding them is the best Incineration. Obviously there's lots of chemicals that create these hard drives and so using incineration releases a lot of toxins into the air, so shredding is your best choice. Question five what consent form is explicit and needs direct action from the user? A opt in, b opt out? C passive consent or deactive consent? So, if you're looking for explicit consent from a user, you want a opt-in opt-in as a consent that requires explicit actions from the user. So such as taking a checkbox, joining CISP, cyber training yes, I have one of those and then may you're basically making an explicit form that you're consenting to the terms and conditions that are associated with that site, or whatever it might be. Question six you are asked to ensure compliance with CCPA. What is one of the first steps you should take? So CCPA is the California Consent Privacy Act. I think that's what it is, but it's the California Act, right, and it's about. You basically want to be forgotten. So what you are asked to be in compliance with CCPA, what is the one of the first steps you should take? A update your privacy policies. B develop a mechanism for handling consumer requests. C identify in scope customer data and then D appoint a data protection officer. So each of those are important factors in the CCPA compliance and you'll need to know that. However, what you want to determine is what consumer data is in scope, that would be C. So if you just want you to determine that scope, then you can determine how to best protect it. If you don't determine the scope, you could really fall into the trap of I'm just gonna put everything in there. Yeah, that's not a good idea. That's too hard to protect everything. So you'll want to make sure that you have defined the scope. Question seven which of the following regulatory standards is most relevant to healthcare data in the United States? Okay so, each country has a different healthcare plan. They have different ways of dealing with the standards associated with it. So we're just talking healthcare in the United States. A is GDPR, b is CCPA, c is HIPAA, d is PCI DSS. Okay so, gdpr is regulatory aspects in Europe, ccpa is California Protection Act for the consumers and D is PCI is your payment card industry data security standards. Yeah, I can't remember all these acronyms. And the last one is HIPAA. So HIPAA deals as the Health Insurance Portability Accountability Act. I think that's what it is. Again, if you understand HIPAA, it's healthcare, healthcare, regulatory. Yep, that's the right one. Answer is C. Which of the following is a key feature of GDPR? A write to opt out of data sale? B mandatory two factor authentication. C data masking or D data portability. Okay, which of the following is a key feature of GDPR? Again, each of those questions, or each of those answers, is part of GDPR, but what is a key feature in that? And data portability is the part that is the key feature in GDPR. It allows individuals to take their data from one service provider to another. That is a key feature behind it, but the key around that, though, is that, as they do those, there's data masking involved. There's two factor there's a right to opt out or there's right to be forgotten. All of that is all tied into it, but you want it to be portability. You just don't want your data to be shared with everybody else. Question nine You've discovered an API collecting customer PII without proper security. What is your first action? Okay, an API is an application programming interface, right. So you've discovered an API that's collecting this information. A disable the API. B implement OAuth. C notify customers. Or. D update your privacy policy. So if you notice that it's API is collecting it without proper security, you want to stop it immediately. So you want to disable the API. The rest of those areas are important, but if the data is leaving, you don't want to continue to leave Question 10. What is the best method for securely transmitting financial data over a network? A, ssh, b, https, c, ftp, d, sftp. So, again, you're transmitting data over a network. Https B provides the best way from a secure, encrypted and web communications. Again, it's more suitable for transmitting financial data, especially over a web protocol. Your company collects data from users via online forms. What should you employ to prevent SQL injection? A input validation, b output validation, c capture or D data masking? Okay, if you're looking for online forms, people are adding information into it and you want to prevent SQL injection, which basically is adding code to the input form, you want to have input validation. This checks the data for integrity before being processed and it does help prevent SQL injection and SQL attacks. Not perfect, but it does work. After securely erasing a hard drive, what should be the next step? A validation, b shredding, c degausing or D incineration? So, after securely erasing a hard drive, what should be the next step? So, if you securely erased it, you want to validate and ensure that the data is erased. Again, back to the point. If you're taking the time to erase it, then that's something that you want to reuse. If you don't want to erase it and you just want to destroy it, then obviously shredding is probably your better choice. Which destruction method involves deleting cryptographic keys? A degausing, b shredding, c cryptographic shredding or D secure erase. Again, focus on the question Deleting cryptographic keys. It would be cryptographic shredding. This deletes the cryptographic keys that are used to encrypt the data, making it completely unreadable. Now, this is also one of the great things that bad hackers do as well, is, they'll encrypt the data and then you don't have access to the keys. So that's also destroying your data. Question 14, what is data scraping? Data scraping is A the automatic gathering of data from websites, b user data input manually, c manual copy pasting of data from websites or D downloading a database. So data scraping is typically used by a lot of bots that are on the web and it is automatically gathering the data from websites. That is data scraping. Question 15, which of the following is not an authorized data collection method? A data scraping in violation of robotstxt. B user consent, c APIs or D direct input methods like forms. So what is a non-authorized data collection method? Obviously, data scraping is not authorized. Now the robotstxt you'll see that on WordPress websites a lot but the data scraping is being done in an automated format and then it takes this data and puts it wherever you might have it. So that is the best answer of all of those is this data scraping. What is data sovereignty? No-transcript data is available globally. C data is stored in the cloud, c data subject to laws of the country it's located in, and then D data stored within a specific domain. So data sovereignty is C. This is where it refers to data being subject to the laws in the country where it is stored, and if you have a data sovereignty concern and you want to make sure that it stays there, then you would put it there. One example is China. China does, at this point, does not have a data localization or sovereignty laws. They sort of do. It's very squishy, but that is highly likely that they will have that in the future. So you want to consider that when you're putting business in China. What is the first step in the data lifecycle management? A data classification, b data storage, c data creation or D data disposal. So what is the first step in data lifecycle management? And that is C data creation. You want data create. You got to create it before you can do anything else with it, so you can't classify, storage or dispose it. Question 18. Which of the following is not a data destruction method A shredding, b logging, c incineration or D degausing? Well, okay, the only one on here that is not destroying something is logging. Logging doesn't destroy the data, it actually keeps the data. Question 19. Which of the following methods is not suitable for destroying paper records A shredding, b incineration, c degausing or D pulping. Well, all of those deal with some level of destruction, right, but the degausing is focused on an IT aspect and therefore it is degausing. It is the other ones. You can shred paper and incinerate it, but you also can do that to IT systems, but for destroying paper, degausing is the right answer. Last question which of the following is a requirement under CCPA? A data localization, b right to be forgotten, c data masking or D mandatory encryption. And, like I mentioned earlier before, with the California Consumer Privacy Act, you have the right to be forgotten. Okay, so a provision that allows California residents in the United States to request the deletion of their personal information, which is commonly referred to as the right to be forgotten. Same concepts that fall under GDPR, and they is basically focused on the rights of the individual. All right, that's all I've got for you today. I hope you all have a beautiful, blessed day and I hope you go out to CISSP cyber training. All of these questions are there for you at CISSP cyber training. They're also in video and audio format, so you're going to get the full Monty. Everything you could ever want is there. All you got to do is go. So go check it out, cissp cyber training, and we will catch you on the flip side, see ya.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!

LEARN MORE | START TODAY!

Studying for the CISSP and want to test your knowledge?

Look no further, you can have 360 CISSP Exam Questions for FREE!
Sign up and get the following:
  • 60 Unique CISSP Exam Questions each month covering all 8 CISSP Domains for 6 months
  • Receive updated CISSP Exam Questions via email each week
  • Access to weekly podcasts that dive deep into a specific CISSP Domain and CISSP Exam Questions
  • Special promotions on my CISSP Products before they become available to the public
  • So much more…..
How can you refuse…it is all FREE, just for signing up!
What do you have to lose, you can unsubscribe at any time!
Access Your Questions Now!

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!

Learn More | Start Today

Have a Question about the CISSP or your cybersecurity career?

Click the link below and let me know what you are needing, and I can see how I can help!

Contact | Need Help?