ISC2 CISSP Practice Test

Implementing role-based access controls ensures that individuals are granted access based on their specific job responsibilities, minimizing the risk of unauthorized access to sensitive information. In contrast, requiring users to create complex passwords might enhance security, but it does not restrict access based on roles. Restricting access solely to the IT department does not address the need for appropriate access control for other authorized personnel, and merely conducting access reviews annually may lead to time gaps where unauthorized access could occur.

Scheduling regular data-cleansing and validation routines identifies duplicates, inconsistent formats, and obsolete fields so they can be corrected or removed. This proactive process maintains data integrity and keeps information reliable for day-to-day operations. Rotating encryption keys improves confidentiality but does not address data quality. Moving old records to cold storage is an archival control that does nothing for the accuracy of active data. Applying read-only permissions protects against unauthorized changes but will not fix existing errors or outdated information.

A comprehensive asset-inventory program requires two key elements: first, every physical and information asset must be recorded in a centralized register with details such as owner, location, and classification; second, the records must be validated through scheduled physical or logical audits. ISO / IEC 27002 control 5.9 explicitly calls for an accurate, up-to-date inventory and recommends regular reviews to ensure accuracy. Adding digital items to an existing physical checklist, relying solely on automated discovery tools, or focusing on intangible assets alone each addresses only part of the requirement and therefore does not fully satisfy management's objective.

The primary purpose of establishing handling requirements based on a 'Confidential' classification is to protect the information from unauthorized access and disclosure. While availability, cost optimization, and streamlining access for compliance are all valid business and security considerations, the core principle of handling 'Confidential' data is to maintain its secrecy. The data classification level dictates that confidentiality is the foremost priority over other aspects of the CIA triad or other operational goals.

The correct answer is They verify the absence of specific classes of vulnerabilities with mathematical certainty. Formal verification methods use mathematical techniques to prove that code adheres to specific security properties or is free from certain vulnerability classes with mathematical certainty. Unlike testing, which can only show the presence of bugs, formal verification can demonstrate their absence for specified properties. This provides a higher level of assurance than can be achieved through testing or conventional static analysis alone.

They scan code faster than traditional static analysis tools is incorrect because formal verification methods are typically much more computationally intensive and time-consuming than traditional static analysis tools. The rigor of mathematical proving usually comes at the cost of performance.

They automatically fix identified vulnerabilities is incorrect because formal verification methods identify violations of specifications but do not automatically fix issues. They provide proof of correctness or counterexamples, but remediation still requires developer intervention.

They are easier to implement than standard code reviews is incorrect because formal verification methods are generally much more complex and difficult to implement than standard code reviews. They require specialized expertise, formal specifications, and significant computational resources.

The correct answer is the data owner, as this role encompasses the responsibility for defining how data should be accessed, who can access it, and what protections are to be implemented around it. Other roles, such as custodians and stewards, are tasked with managing the physical storage and administration of the data according to the policies set by the owner, but they do not have the authority to define those policies. Similarly, processors manage the data processing tasks but follow predefined guidelines without authority to set those guidelines, while users primarily interact with the data without control over its management.

The process of categorizing data is known as data classification. This involves assigning a label to data which informs users and systems how it should be handled according to its sensitivity. Different classifications help guide security protocols, access control, and the implementation of appropriate protective measures. For instance, sensitive information may require stronger access controls and encryption compared to less sensitive data.

Data classification is the systematic approach used to categorize data by its level of sensitivity. This process helps organizations apply appropriate security measures based on potential risk. In contrast, terms like 'data mapping' or 'data encoding' do not encapsulate this concept, as they pertain to organizing or translating data rather than assessing sensitivity levels.

Sensitive assets require stricter handling because unauthorized disclosure could adversely affect individuals or the organization. Employee salary records contain personal financial details that, if exposed, could lead to workplace disputes, privacy violations, or even identity-theft risk. Company announcements, marketing collateral, and already published historical data are intended for broad distribution and therefore do not warrant the sensitive label.

Internal data-retention schedules must be cross-checked against all applicable laws and industry regulations. Statutes such as HIPAA require covered documentation to be kept for six years, Sarbanes-Oxley requires certain audit records to be retained for seven years, and GDPR mandates that personal data not be stored longer than necessary. Failing to align internal policy with these external requirements can lead to fines, litigation, or regulatory action. Therefore, the only accurate statement is that internal policies must align with applicable legal and regulatory requirements.

Issuing the drive's Secure Erase (cryptographic erase) command performs a purge-level sanitization recognized by NIST SP 800-88. The command overwrites user-accessible and hidden cells or destroys the encryption key, rendering residual data mathematically unrecoverable while leaving the SSD functional for resale. Physical shredding would also eliminate the data but destroys the asset, contradicting the reuse goal. Quick format and simple deletion only alter file-system metadata and can be reversed with basic forensic tools.

The correct answer defines where data resides, which is crucial for managing data privacy, compliance, and access control. Knowing the specific location of data helps in implementing appropriate security controls and effectively handling data according to regulations and organizational policies. The other options relate to aspects of data management but do not specifically indicate the concept of data location.

Ensuring the elimination of sensitive data from retired hardware is crucial to prevent potential data breaches. This action needs to involve secure methods of data removal that make information irretrievable. Other options state concrete activities, but they do not necessarily result in the correct outcome. These options do not result in proper data deletion, risking exposure to unauthorized access and undermining the organization's data security posture.

The correct answer is the data owner. The data owner is the role with the ultimate authority and accountability for data. This includes classifying the data and making decisions about protection, handling requirements, and access controls. While a data custodian implements technical controls and a data processor acts on the data, the data owner is the one who defines the policies and is answerable for the data's protection throughout its lifecycle. The data subject is the individual to whom the data pertains and does not have data management responsibilities.

The team should prioritize collecting a thorough inventory of all resources, as this is essential for identifying what the organization possesses and managing risks associated with those resources. This inventory facilitates compliance with security protocols and helps in identifying any vulnerabilities. The other options, while relevant to security, do not directly address the need for accurate documentation of resources.

Transport Layer Security (TLS) 1.3 establishes an encrypted channel that uses authenticated-encryption-with-associated-data (AEAD) ciphers. The encryption protects confidentiality, while the integrated message-authentication codes verify that packets have not been altered, thereby ensuring integrity. Controls such as IDS/IPS or firewalls focus on detection or traffic filtering, role-based access control secures data at rest or in use, and hashing files before transfer provides integrity only. None of those alternatives ensure both confidentiality and integrity for data crossing an untrusted network.

According to NIST 800-88, physical destruction (Destroy) provides the highest level of assurance that data is irrecoverable. For SSDs, methods like shredding to a small particle size ensure that the memory chips are physically destroyed, making data recovery impossible. Cryptographic erase is a valid 'Purge' method but relies on the correct implementation of the drive's firmware and encryption, which carries a residual risk if compromised. Degaussing is ineffective on SSDs as they are not magnetic media. Multipass overwriting is also not recommended for SSDs due to wear-leveling and over-provisioning, which can leave data remnants in unaddressable areas.

Because the files are actively moving between two locations, they are in the "in transit" state. Data in transit should be protected with controls such as strong end-to-end encryption and authenticated connections. Data at rest would apply once the files are stored at either site, and data in use would apply only when the files are opened and processed in memory. The term "archived" refers to long-term inactive storage, which is not occurring during the copy operation.

Documenting and disclosing, in advance, the exact personal data fields and the specific lawful purposes for each satisfies the GDPR's requirement that data be collected only for "specified, explicit and legitimate purposes." This transparency lets data subjects understand how their information will be used and allows auditors to verify compliance. The other choices either encourage collecting data 'just in case,' rely on blanket consent for undefined future uses, or omit purpose statements altogether-all of which breach the purpose-limitation and transparency obligations.

The data owner is the individual who is ultimately responsible for the data. They have the authority to make decisions regarding data handling, classification, and access. This role includes defining who can access the data and determining what protections are necessary. Other options, like users or custodians, have responsibilities, but they do not have the final authority on data management decisions.