ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

An organization stores customer data inside a cloud-based CRM accessed through corporate laptops. Security leadership wants to stop employees from saving exported customer lists onto personal USB flash drives, while allowing them to continue to view the data in the web portal. Which Data Loss Prevention (DLP) capability most directly addresses this requirement?

Enable storage-based DLP scanning within the SaaS CRM to tag sensitive records at rest.
Apply tokenization to customer fields before they are stored in the CRM database.
Deploy an endpoint-based DLP agent that enforces policies blocking or encrypting writes to removable media.
Implement a network DLP solution on the Internet firewall to inspect outbound SMTP and web traffic for customer data.

Report Issue

Answer Description

Preventing users from copying sensitive data to removable media is an endpoint problem, because the data have already reached the user's workstation via the browser. An endpoint-based DLP agent can inspect content as it leaves the protected host and enforce policies that block or encrypt writes to USB storage. Network DLP focused on e-mail or other egress channels would miss a local save-to-USB action that never traverses the network. Storage-based DLP in the SaaS repository can label or encrypt data at rest but cannot control what users do after legitimate download. Tokenizing data in the CRM would require application changes and, once detokenized on the endpoint, would not by itself prevent copying to external media. Therefore, deploying endpoint DLP with removable-media control is the most effective choice.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.