CCT 211: Practice CISSP Questions - Data Security Controls and Compliance Requirements (Domain 2.3)

Jan 16, 2025

Unlock the secrets to acing your CISSP exam with insights that blend real-world cybersecurity wisdom and innovative study strategies. Ever wondered how a data breach, like the one at SuperDraft, can teach you crucial lessons about protecting your information? We'll explore how securing your data and freezing your credit are essential steps in the fight against password reuse risks. Join Sean Gerber as we unpack the vital role of asset owners in defining access control policies and delve into the challenges of managing virtual assets in cloud environments, where virtual machine sprawl poses significant threats. Plus, get excited about potential new tools and a gamified platform that could revolutionize your CISSP study experience.

Prepare to navigate the complex realm of data security and asset management as we spotlight the critical need for security and compliance in handling both tangible and intangible assets. Discover the hidden risks of inadequate encryption and learn why regular audits of hardware and software inventories are non-negotiable. We’ll emphasize the importance of tagging cloud resources for cost management and explore the secure disposal of sensitive data. With discussions on data classification schemes, configuration management systems, and the dangers of shadow IT, you’ll gain the insights needed to maintain consistent configurations and ensure license compliance, all while reducing security vulnerabilities. Tune in to arm yourself with the knowledge that will propel your cybersecurity career forward.

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go.

Speaker 2:  

Hey all, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday, yeah, so we are super excited to talk about some questions today. They're going to be related to domain 2.3, and this is based on the podcast that we had on Monday. So the overall goal of CISSP Question Thursday, again, is to go over questions that would potentially be related to the content that we provided on Monday, which covered domain 2.3 of the ISC² manual.

Speaker 2:  

So before we get started, I had an article. Well, actually it wasn't really an article; I saw it through Have I Been Pwned. There's a great website out there called Have I Been Pwned that talks about some of the various sites that have been pwned out there on the web, and one that was released recently was SuperDraft. Now, I don't know if you all have any sort of fantasy football leagues. As far as the United States goes, there is a draft thing called SuperDraft, and you can go out and actually draft your teams and then play them in football, and you'll see how your stats do. One of the points that came up with SuperDraft is that they had about 24 gigs of data that was taken, including email addresses, usernames, transactions, latitudes and longitudes, dates of birth and various bcrypt password hashes. So what does this mean? Well, the part that I want to come back to on this is, if you go to Have I Been Pwned, there are gazillions of sites available to you that have been pwned by hackers, and so a couple of things come out of this. One: if you haven't already, and if you're in the United States, you want to freeze your credit. I know you as security professionals are probably already on top of that, but I get busy in life and I forget to do things. But if you haven't frozen your credit with the various credit agencies, you need to do that as soon as you possibly can, because, as we know, your information has been compromised more times than you can probably count, and so, therefore, the bad guys and girls have access to your most sensitive information.

Speaker 2:  

Now, when it comes to the SuperDraft situation here, the reason I say this is a little bit more concerning is, let's just go with the attitude that most people reuse their passwords, and if they reuse their passwords, they use them on different sites. Well, let's just take into account: if you are creating a fantasy football league, odds are pretty good that you might be doing some online betting, and if you are doing some online betting, then your accounts are probably, maybe just maybe, very similar to the ones you would have with SuperDraft. So if you have used the SuperDraft app and you do online betting, you definitely want to make sure that you have some multi-factor enabled, but don't just rely on that. I would go in and change your passwords and information. But at the end of the day, if your email addresses and all these financial transactions are out there in the open, yeah, you'd better really lock down your credit, and I would keep a good close eye on any sort of financial transactions that might be made on your behalf or on somebody else's behalf. So just something to consider as it relates to SuperDraft.

Speaker 2:  

Okay, so let's go ahead and get started. So, again, you can get all these questions at cisspcybertraining.com, and you can get access to all of my content. I'm actually looking to potentially roll out a new platform that's going to be more along the lines of quizzing and be able to give you some potential real-time feedback and some gamification around these questions. The ultimate goal is to help give you the tools you need to pass the CISSP exam, and we're looking at different ways to help you do that. So head on over to cisspcybertraining.com and gain access to all of my content. You can get access to these questions at cisspcybertraining.com and you can go through them. There might be an opportunity in the future; we might be looking at some different kinds of capabilities, potentially some gamification, but we will see. It's still in the works. I'm hoping to roll something out, maybe a beta test of it, within the next couple of weeks, and if you are on my mailing list, you will be some of the first people to have a look at it. Suit you think? Alright, so let's get started again.

Speaker 2:  

This is domain 2.3, and we're going to get into question number one. Question one: which of the following best describes the primary responsibility of an asset owner? A, defining asset control policies and data classification for an asset. B, implementing operational security controls for an asset. C, monitoring the daily usage of an asset. Or D, performing backups and disaster recovery tests of a specific asset. So which of the following best describes the primary responsibilities of an asset owner? It would be A, defining access control policies and data classification for the asset. Now, all of those can be valuable, but the primary responsibility would be to define the control policies and the data classification.

Speaker 2:  

Question number two: what is a significant risk associated with virtual asset management in a cloud environment? So what is a significant risk associated with virtual asset management in a cloud environment? A, high hardware costs. B, lack of patching mechanisms. C, virtual machine sprawl. Or D, the inability to configure encryption. So which is a significant risk associated with virtual asset management? And it is virtual machine sprawl; it's C. Okay, again, machine sprawl is a big problem. We had it even when we had regular physical devices. But now, when you're getting into the overall virtual machine aspects of it, it can happen even quicker and it can become very expensive. Whereas before you may have had some checks and balances as far as purchasing any sort of hardware, with the virtual machine piece you may not have that same level of rigor around checks and balances.

Speaker 2:  

Question three: in configuration management, what is the primary purpose of a baseline configuration? The primary purpose of a baseline configuration? A, to provide a unique identifier for all assets. B, to establish the initial approved state of the asset. C, to manage hardware and software inventories. Or D, to track authorized physical devices. Again, in configuration management, what is the primary purpose of a baseline configuration? And it is B, to establish an initial approved state of the specific asset. Again, if you don't really know, baseline, initial approved state: you want to consider putting those words together. But the ultimate goal is to have an initial state of the asset serving as a reference point for future changes, and that's the ultimate goal of the configuration management piece.

Speaker 2:  

Question number four: which tool would be most appropriate for managing cloud-based assets in AWS? So which tool would be most appropriate for managing cloud-based assets in Amazon AWS? A, Ansible. B, Puppet. C, Chef. Or D, AWS Config. Yeah, I figured you probably would figure this one out. It would be AWS Config, right? So many of these other ones will provide that, but if you're in an AWS environment, having AWS Config is a really good way to help you with that. The other ones, Puppet and Ansible, are general configuration management tools, whereas AWS is very specific.

Speaker 2:  

Question number five: what is the role of a configuration item, or CI, in a configuration management system, or CMS? So what is the role of a configuration item in a configuration management system? A, it provides an encryption mechanism for data. B, it represents a tracked component such as hardware or software. C, it defines a topology for the physical assets. Or D, it stores user access credentials. And the CI deals specifically with an item, right? So that would be B: it represents a tracked component such as hardware or software. That's a component managed by the CMS, but it's focused specifically on servers, applications and potentially network devices as well. That is the difference.

Speaker 2:  

Question six: which of the following is a key security risk when managing intangible assets? What is a key security risk when managing intangible assets? A, physical theft. B, inventory inaccuracies. C, licensing violations. Or D, lack of encryption. Which of the following is a key security risk when managing intangible assets? Intangible, not tangible, something you can touch; intangible, something you cannot touch. And it is D, lack of encryption. Intangible assets, such as data and intellectual property, are vulnerable to unauthorized access. So you have access controls and you have encryption. So proper encryption and access controls are critical, obviously, to protect them, and that's an important part. Seen it, been there, done it, got the t-shirt to go with it.

Speaker 2:  

Question seven: what is the main reason for performing regular audits of hardware and software inventory? So what is the main reason for performing a regular audit of hardware and software inventories? A, to increase operational efficiency. B, to identify and remove outdated licenses. C, to maintain data integrity. Or D, to detect unauthorized assets. So what is the main purpose or main reason for performing regular audits of hardware and software? And it is D, to detect unauthorized access. Again, regular audits help identify unauthorized or rogue devices and software, ensuring that only approved assets are present in the environment. Right, you just want to make sure that you have the right people or the right systems in there and that you don't have extra shadow IT.

Speaker 2:  

Question eight: why is tagging cloud resources important in cloud-based asset management? So why is tagging cloud resources important in cloud-based management? A, to simplify cost management and tracking. B, to reduce network latency. C, to enhance encryption algorithms. Or D, to enable multi-factor authentication. So why is tagging cloud resources important? And it is A, to simplify cost management and tracking. When you tag cloud resources, it gives you the ability to track usage, monitor compliance and simplify your costs, and, as we know, anything dealing with the cloud can get expensive. Just the little pennies add up, and the next thing you know you're spending some real money, and then you have questions from your senior leadership: why are you spending all my money, and what is the value out of it? And then it gets very complicated very quickly.

Speaker 2:  

Question nine: which activity is associated with the secure disposal phase in asset lifecycle management? Okay, that's a lot of words. Which activity is associated with the secure disposal phase in asset lifecycle management? So again, secure disposal in lifecycle management. What is it? What activity? A, encryption of data at rest. B, securely wiping and destroying sensitive data. C, conducting risk assessments. Or D, updating access control policies. And the answer is B, right? Secure wiping and destroying of sensitive data. Anytime you're dealing with asset lifecycle management, that is where it would come into play, right? So it prevents unauthorized access to sensitive information by retiring and destroying this equipment. So you want to keep that in mind. You also want to get very closely set up with the people in procurement when they buy stuff that may have some sort of data retention in it. In the past it used to be hard drives and printers, which really isn't the case that much anymore, but there are other types of equipment that do have onboard storage.

Speaker 2:  

Question 10: which of the following describes a data classification scheme? Which of the following describes a data classification scheme? A, a method to configure network firewalls. B, a system of labeling data based on sensitivity labels. C, a strategy for managing hardware assets. Or D, a framework for software development. So which of the following describes a data classification scheme? And it is B, a system to label data based on sensitivity labels, right? So data classification, as we talk about, is an important part of any organization's security plan, and you need to have a scheme around that. And this would be: you'd have these labels set up. These are public, confidential, top secret, super secret, do-not-touch secret, whatever you want to call them, but you want to have these labels consistent within your organization.

Speaker 2:  

Question 11: what is the key advantage of using configuration management systems, using a CMS? What is the advantage of using a CMS, which we talked about a little bit earlier with CIs and the CMS? What is the advantage of using it? A, reducing software licensing fees. B, preventing data corruption. C, ensuring consistent configurations and reducing risk. And D, encrypting virtualized environments. And we already mentioned this a little bit. It's around consistent configurations and reducing your overall risk. Again, understanding what you have within your organization, reducing the configuration errors and then potentially dealing with the security vulnerabilities that are associated with it.

Speaker 2:  

Question 12: which of the following best describes shadow IT? Again, what is shadow IT? How does it work? What is it? A, a backup system for critical infrastructure. B, an advanced encryption method for cloud computing. C, unauthorized assets or systems used in an organization without formal approval. Or D, redundant physical asset inventory. You all probably figured this out. It might be a redundant asset inventory, a physical asset inventory, possibly, that was then repurposed to give you unauthorized assets or systems, but what it comes right down to is an unauthorized asset or system used in an organization without formal approval.

Speaker 2:  

Question 13: what is the primary purpose of a software asset inventory? A, to ensure license compliance and reduce security risks. B, to manage encryption keys. C, to monitor physical device locations. Or D, to classify intellectual property. So what is the primary purpose of a software asset inventory? And the answer is A, to ensure license compliance and reduce security risks. So that's the purpose. The primary purpose of a software asset inventory is, again, you want to make sure you have the right software and you are in compliance with the overall licensing agreements. Now, that also helps in conjunction with managing the security of these software assets as well. So all of that is an important part of what you do.

Speaker 2:  

Question 14: which of the following types of intangible assets would customer records be classified as? So which type of intangible asset would customer records be classified as? A, physical inventory. B, data and databases. C, intellectual property. Or D, brand reputation. So which type of intangible asset would customer records be classified under? It would be B, data and databases. Right, customer records are a form of data stored within a database and must be managed according to the data security policies. Right, the ultimate data of your customers is there, and we just talked about that with your sports duel piece of this, right, or whatever, FanDuel. Not FanDuel, but sportsbook. I can't remember what I talked about just a little bit ago, but the bottom line is all that data is part of your customer records.

Speaker 2:  

Question 15: why are access controls critical for managing intellectual property as an intangible asset? Why are access controls critical for managing intellectual property as an intangible asset? So again, your access controls: what are they there for? You're dealing with intellectual property, and it is intangible. So what does this mean? So why are they critical? A, it allows for the creation of encryption keys. B, it enables secure physical storage. C, it tracks asset depreciation. Or D, it prevents unauthorized use and theft of proprietary information. So why are access controls critical for managing intellectual property as an intangible asset? Because, D, it prevents unauthorized use and theft of proprietary information. Gosh, that's a lot of words. So that's that, right? It's D, prevents the unauthorized use. So that is all I have for you today.

Speaker 2:  

Again, there are 15 questions at cisspcybertraining.com. You can go there and get access to these questions immediately. I have hundreds of questions that you can go through. I have a blueprint to walk you through if you're self-studying for the CISSP, because that's the ultimate purpose of CISSP Cyber Training: to help you pass the test the first time. That's the goal, right, because I didn't. But we also have lots of questions and lots of partners that work with us as well. Again, I've got a little tickler, maybe something coming in the future. We'll see how that plays out.

Speaker 2:  

I'm hoping it'll be very, very useful for everybody. I hope it will, because I think it will. It has a lot of potential. Also, go to ReduceCyberRisk.com. You can head there if you are a person that's looking for cybersecurity consulting firms or capabilities; we have that available for you at ReduceCyberRisk.com. That's all there: insider risk, disaster recovery, you name it, pen testing, certified ethical hacker stuff. You name it, we've got it all there at ReduceCyberRisk.com. That's the goal. So again, if you need CISSP training, we've got it at CISSP Cyber Training. If you need consulting, we've got it at ReduceCyberRisk.com. Okay, have a wonderful, wonderful day, everybody, and have a safe trip going into work or wherever you're listening to this podcast. We will catch you all on the flip.
