CCNA Asset Security Questions

52 questions · Asset Security topic · All types, answers revealed

1
MCQmedium

A financial institution is implementing a data loss prevention (DLP) solution to protect customer financial information. The DLP system must detect and block the transmission of credit card numbers via email. Which of the following is the BEST approach to ensure accurate detection while minimizing false positives?

A.Apply a regular expression that validates the Luhn algorithm in addition to pattern matching
B.Hash all outbound emails and compare against a database of known credit card hashes
C.Use a simple regular expression matching patterns like '\d{4}-\d{4}-\d{4}-\d{4}'
D.Rely on machine learning classifiers trained on past credit card data
AnswerA

Combining regex with Luhn check reduces false positives by verifying the mathematical validity of the number.

Why this answer

Option A is correct because combining a regular expression for credit card number patterns with Luhn algorithm validation significantly reduces false positives. The Luhn algorithm checks the mathematical validity of the number (e.g., checksum), ensuring that random digit sequences matching the pattern are not flagged as credit card numbers. This dual-layer approach is a standard DLP best practice for accurately detecting sensitive data like credit card numbers.

Exam trap

The trap here is that candidates may choose option C, thinking simple pattern matching is sufficient, but they overlook the need for Luhn validation to avoid false positives from non-credit-card digit sequences.

How to eliminate wrong answers

Option B is wrong because hashing outbound emails and comparing against a database of known credit card hashes is impractical; credit card numbers are unique per transaction and not pre-known, and hashing prevents detection of previously unseen numbers. Option C is wrong because using a simple regular expression like '\d{4}-\d{4}-\d{4}-\d{4}' will generate many false positives by matching any 16-digit sequence (e.g., phone numbers, order IDs) without validating the number's structure or checksum. Option D is wrong because machine learning classifiers trained on past credit card data require extensive labeled datasets and may still produce high false positive rates or miss novel patterns, and they lack the deterministic validation that Luhn provides.

2
MCQmedium

Refer to the exhibit. Which access control model is described?

A.Mandatory Access Control (MAC)
B.Discretionary Access Control (DAC)
C.Role-Based Access Control (RBAC)
D.Attribute-Based Access Control (ABAC)
AnswerA

MAC enforces clearance and need-to-know, as described.

Why this answer

The exhibit describes a system where access decisions are based on security labels (e.g., classification levels like Top Secret, Secret, Confidential) and clearances assigned to subjects, with the system enforcing the policy. This is the defining characteristic of Mandatory Access Control (MAC), where the operating system or security kernel centrally controls access based on predefined rules, and users cannot override these controls. The reference to labels and clearances without user discretion confirms MAC as the correct model.

Exam trap

The trap here is that candidates often confuse MAC with RBAC because both involve centralized policy, but MAC is uniquely defined by the use of security labels and clearances, not roles, and the exhibit's mention of 'labels' is the key differentiator that eliminates RBAC.

How to eliminate wrong answers

Option B (DAC) is wrong because DAC allows the owner of a resource to set permissions at their discretion (e.g., using file ownership and ACLs in Windows or Unix), whereas the exhibit shows a system-enforced label-based policy with no user override. Option C (RBAC) is wrong because RBAC assigns permissions based on job roles (e.g., 'admin', 'auditor'), not on security labels or clearances; the exhibit does not mention roles but rather classification levels. Option D (ABAC) is wrong because ABAC uses attributes (e.g., time, location, resource type) evaluated against policies, often via XACML, but the exhibit specifically describes a label-based system with hierarchical classifications, which is the hallmark of MAC, not ABAC's flexible attribute evaluation.

3
MCQeasy

A company wants to ensure that data is properly classified before storage. Which control should be implemented?

A.Data Classification Policy
B.Encryption
C.Data Loss Prevention (DLP)
D.Access Control Lists (ACLs)
AnswerA

A Data Classification Policy defines how data should be classified, ensuring proper handling.

Why this answer

A Data Classification Policy is the foundational control that defines the categories (e.g., public, internal, confidential) and handling requirements for data before it is stored. Without a policy, technical controls like encryption or DLP lack the classification labels needed to apply the correct rules. The policy ensures that data owners and custodians consistently label data at creation or ingestion, enabling downstream security controls to function correctly.

Exam trap

The trap here is that candidates confuse a technical control (like encryption or DLP) with the administrative control (the policy) that governs classification, leading them to pick a tool instead of the foundational directive.

How to eliminate wrong answers

Option B (Encryption) is wrong because encryption protects data confidentiality after classification but does not determine or enforce the classification itself; it is a technical safeguard applied based on policy. Option C (Data Loss Prevention) is wrong because DLP monitors and prevents unauthorized data transfers using classification labels but cannot classify data on its own—it relies on a policy to define what is sensitive. Option D (Access Control Lists) is wrong because ACLs enforce permissions on objects based on classification but do not classify the data; they are an implementation of the policy, not the policy itself.

4
MCQhard

A global manufacturing company with headquarters in Europe and factories in Asia and North America has recently experienced a data breach. The breach involved the theft of intellectual property (IP) containing product designs stored on a file server located in the Asian factory. The investigation revealed that the attacker gained access using a compromised administrator account from a contractor's laptop that was connected to the corporate VPN. The company has implemented network segmentation, but the file server resides in the same VLAN as other factory equipment. The company uses Active Directory for identity management, and all employees and contractors use the same domain. The company is now reviewing its data governance policies to prevent future incidents. The security team must recommend a set of controls that address the root cause while maintaining operational efficiency. Which of the following is the BEST course of action?

A.Create a separate Active Directory forest for contractors and establish a one-way trust to allow access only to necessary resources
B.Implement a privileged access management (PAM) solution with just-in-time (JIT) elevation and conditional access policies that require managed, compliant devices for VPN access
C.Require multi-factor authentication (MFA) for all users accessing the VPN, regardless of role
D.Isolate the file server into its own VLAN and implement strict firewall rules to limit access to only necessary personnel
AnswerB

PAM/JIT limits the time window of privileged access, and device compliance checks help ensure that only secure devices can connect, reducing the risk of compromised credentials.

Why this answer

Option C is correct because implementing privileged access management (PAM) with just-in-time (JIT) access and conditional access policies (e.g., requiring compliant devices for VPN) directly addresses the use of compromised credentials and contractor access. Option A is wrong because adding more VLANs complicates management but does not prevent credential misuse. Option B is wrong because MFA for all users would help but still allows compromised devices to log in.

Option D is wrong because a separate domain for contractors requires significant administrative overhead and may not be feasible.

5
MCQhard

An organization implements a data masking policy for production databases. Which of the following best describes the primary goal?

A.Reduce the risk of data exposure during testing
B.Ensure data availability
C.Encrypt data at rest
D.Simplify access controls
AnswerA

Masking protects sensitive data when used in development, testing, or training.

Why this answer

Data masking irreversibly replaces sensitive data with realistic but fictitious values, ensuring that production data is not exposed in non-production environments like testing or development. This directly reduces the risk of data exposure during testing, which is the primary goal of a data masking policy. Unlike encryption, masking does not preserve the ability to reverse the transformation, making it ideal for scenarios where the original data is not needed.

Exam trap

The trap here is confusing data masking with encryption, as both protect data but serve fundamentally different purposes—encryption is reversible and protects data in transit/at rest, while masking is irreversible and protects data in non-production environments.

How to eliminate wrong answers

Option B is wrong because data masking does not ensure data availability; in fact, it may reduce availability for certain use cases by obscuring the original values. Option C is wrong because data masking is not encryption; encryption is reversible with a key, while masking is typically irreversible and does not protect data at rest in the same cryptographic sense. Option D is wrong because data masking does not simplify access controls; it is a separate data obfuscation technique that may require additional access management for masked versus unmasked data.

6
MCQeasy

In asset security, which of the following is a primary responsibility of a data owner?

A.Monitoring access logs
B.Classifying data
C.Implementing security controls
D.Backing up data
AnswerB

Data owners classify the data they are responsible for.

Why this answer

The data owner is the senior-level manager who is ultimately accountable for a specific set of data. Their primary responsibility is to determine the data's sensitivity and business value, which directly drives the classification level (e.g., public, internal, confidential, restricted). Classification is the foundational step that dictates all subsequent protection requirements, making it a core duty of the data owner, not a technical implementer.

Exam trap

The trap here is that candidates confuse the data owner's strategic, accountability-based role (classification) with the data custodian's operational, hands-on tasks (monitoring, implementing controls, backups), leading them to pick a technical option like 'implementing security controls' instead of the correct classification duty.

How to eliminate wrong answers

Option A is wrong because monitoring access logs is an operational, detective control typically performed by data custodians or security administrators, not the data owner. Option C is wrong because implementing security controls (e.g., encryption, ACLs) is the responsibility of the data custodian or system administrator, who executes the technical measures based on the owner's classification and policy. Option D is wrong because backing up data is a routine operational task assigned to data custodians or backup administrators to ensure availability and recoverability, not a strategic ownership duty.

7
Matchingmedium

Match each security policy to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Defines allowed use of organizational assets

Categorizes data based on sensitivity

Procedures for handling security incidents

Rules for password creation and management

Why these pairings

Policies guide organizational security behavior.

8
MCQeasy

A multinational corporation must ensure that data leaving the organization's network is classified and labeled appropriately. Which of the following is the MOST effective method to enforce consistent labeling across all data types?

A.Implement automated data classification tools that scan for sensitive content and apply labels
B.Appoint data stewards in each department to manually review and label data
C.Require all employees to complete annual training on data classification
D.Encrypt all data in transit and at rest to prevent unauthorized access
AnswerA

Automated tools ensure consistent application of labels based on predefined rules.

Why this answer

Automated data classification tools (e.g., Microsoft Purview, Symantec DLP) use content inspection, pattern matching, and machine learning to scan data at rest, in use, and in transit. They apply consistent labels based on predefined policies (e.g., regex for PII, fingerprinting for IP), ensuring uniform labeling across all data types without relying on human consistency or manual effort.

Exam trap

The trap here is that candidates often confuse encryption (which protects data) with classification (which labels data), or they overestimate the effectiveness of training and manual processes for consistent enforcement at scale.

How to eliminate wrong answers

Option B is wrong because manual review by data stewards is error-prone, inconsistent across departments, and cannot scale to the volume of data in a multinational corporation, leading to labeling gaps and misclassification. Option C is wrong because annual training alone does not enforce labeling; employees may forget, ignore, or apply labels inconsistently, and training cannot ensure real-time compliance for every data item. Option D is wrong because encryption protects confidentiality but does not classify or label data; encrypted data can still be unlabeled or mislabeled, failing to meet the requirement for consistent labeling.

9
MCQmedium

Refer to the exhibit. A security engineer is reviewing the S3 bucket policy. The BackupAdmin role is intended to perform backups and restores of the entire bucket. What is the MOST significant security concern with this policy?

A.The BackupAdmin role has delete access to the entire bucket, which could lead to data loss if misused or compromised
B.The BackupAdmin role has both read and write access to the internal data, which could allow unauthorized modifications
C.The public access to the 'public/' folder is not limited to authenticated users
D.The DataAnalyst role can see the public folder contents, violating separation of duties
AnswerA

Delete access on the entire bucket is a significant risk for data destruction.

Why this answer

Option D is correct because the BackupAdmin role already has full access to the entire bucket, including deletion. This is dangerous as it allows accidental or malicious destruction of all data without additional controls. Option A is wrong because the public access is restricted to a specific IP range and folder, which is relatively safe.

Option B is wrong because while separation of duty is weak, it is not the most significant issue. Option C is wrong because the role can access internal data but the policy does not specify read-only; however, the role needs those permissions to back up.

10
MCQhard

A multinational corporation is designing a data retention schedule. Which factor is most critical when determining retention periods for personal data subject to the GDPR?

A.The length of the third-party data processing agreement
B.The purpose for which the data was collected
C.The cost of storage media
D.The duration of any pending legal holds
AnswerB

GDPR's storage limitation principle requires retention no longer than necessary for processing purposes.

Why this answer

Under the GDPR, Article 5(1)(e) establishes the 'storage limitation' principle, which mandates that personal data must be kept no longer than necessary for the purposes for which it was collected. Therefore, the purpose of collection is the primary driver for determining the retention period, as it defines the lawful basis and necessity for processing. Without a defined purpose, any retention period would be arbitrary and non-compliant with the regulation.

Exam trap

ISC2 often tests the misconception that legal holds or contractual agreements override the primary GDPR requirement, but the trap here is that candidates confuse operational constraints (cost, contracts) with the regulatory mandate that purpose must dictate retention.

How to eliminate wrong answers

Option A is wrong because the length of a third-party data processing agreement is a contractual term that may align with retention needs, but it is not the most critical factor; GDPR requires the data controller to determine retention based on purpose, not the duration of a vendor contract. Option C is wrong because the cost of storage media is an operational or financial consideration, not a legal or compliance driver; GDPR explicitly prohibits retaining data solely because storage is cheap or convenient. Option D is wrong because while legal holds can extend retention periods to comply with litigation or investigation requirements, they are an exception to the standard retention schedule, not the primary factor for setting the initial retention period; the purpose of collection remains the foundational criterion.

11
Multi-Selectmedium

Which TWO of the following are valid types of data classification labels commonly used in commercial organizations?

Select 2 answers
A.Top Secret
B.Confidential
C.Unclassified
D.Public
E.For Official Use Only
AnswersB, D

Confidential is standard for sensitive business data.

Why this answer

Commercial classification often uses labels like Public, Internal, Confidential, and Restricted. A and B are correct. Option C (Top Secret) is government/military classification.

Option D (Unclassified) is government. Option E (For Official Use Only) is also government.

12
MCQmedium

A security analyst discovers that a business unit is storing sensitive data on a file share without classification labels. What is the first step to remediate?

A.Move the data to a secure server
B.Immediately delete the data
C.Notify the data owner to classify the data
D.Encrypt the file share
AnswerC

The data owner is responsible for classification, which should precede further actions.

Why this answer

The data owner must classify the data first. Other actions are premature before classification. Encrypting or moving might be appropriate after classification.

Deleting without authorization could destroy needed data.

13
MCQhard

An organization is decommissioning a data center. Which of the following is the most secure method for sanitizing hard drives that will be reused?

A.Physical destruction
B.Deleting all files
C.Overwriting with random data multiple times
D.Quick format
AnswerC

Multiple overwrites are recognized as secure sanitization for reuse.

Why this answer

Overwriting with random data multiple times (option C) is the most secure method for sanitizing hard drives that will be reused because it ensures that the original data is irrecoverable through any known forensic technique. Unlike physical destruction, which renders the drive unusable, or file deletion and quick format, which only remove file system pointers and leave data intact, multiple-pass overwriting (e.g., using the DoD 5220.22-M standard) writes patterns over every sector, including remapped sectors, making the original data unrecoverable even with advanced magnetic force microscopy.

Exam trap

The trap here is that candidates often choose 'Physical destruction' because it seems most secure, but they overlook the explicit requirement that the drives will be reused, making destruction invalid.

How to eliminate wrong answers

Option A is wrong because physical destruction (e.g., shredding or degaussing) permanently damages the drive, preventing reuse, which contradicts the requirement that the drives will be reused. Option B is wrong because deleting all files only removes directory entries and marks clusters as available; the actual data remains on the platters and can be easily recovered with file recovery tools. Option D is wrong because a quick format only rewrites the file system metadata (e.g., boot sector and FAT) and does not touch the data areas, leaving all user data intact and recoverable.

14
MCQeasy

A healthcare organization must decommission a server containing protected health information (PHI). Which data sanitization method ensures the data is irrecoverable while complying with regulatory requirements?

A.Reformat the hard drive with a quick format
B.Degauss the hard drive
C.Physically shred the hard drive
D.Overwrite the hard drive with a single pass of zeros
AnswerB

Degaussing destroys magnetic data and is approved for PHI disposal.

Why this answer

Degaussing uses a strong magnetic field to disrupt the magnetic domains on a hard drive, rendering the data irrecoverable even with advanced forensic tools. For a healthcare organization handling PHI, degaussing meets regulatory requirements like HIPAA's disposal standards (45 CFR §164.310(d)(2)(i)) by ensuring data cannot be reconstructed. Unlike other methods, degaussing physically destroys the magnetic media's ability to store data, making it a definitive sanitization technique for magnetic hard drives.

Exam trap

The trap here is that candidates confuse 'overwriting with zeros' (clear) with 'degaussing' (purge), assuming a single pass is sufficient for PHI, but CISSP expects knowledge that regulatory compliance (e.g., HIPAA) mandates a purge-level sanitization for sensitive data, which degaussing provides by destroying the magnetic structure itself.

How to eliminate wrong answers

Option A is wrong because a quick format only clears the file system index (e.g., MFT or FAT), leaving the actual PHI data intact on the disk and easily recoverable with tools like TestDisk or Recuva. Option C is wrong because physically shredding the hard drive, while destructive, is not a data sanitization method per NIST SP 800-88 Rev. 1 (which classifies it as 'destroy' for disposal, not 'clear' or 'purge') and may not be practical for verifying complete data destruction in a regulatory audit. Option D is wrong because a single pass of zeros (overwrite) is considered 'clear' by NIST SP 800-88, which is insufficient for PHI under HIPAA; it leaves residual magnetic signatures that can be recovered using magnetic force microscopy (MFM) or other advanced techniques, and is only acceptable for non-sensitive data.

15
MCQmedium

A financial institution is implementing a data classification policy. Which role is responsible for assigning initial classification labels to data assets?

A.Data custodian
B.Data processor
C.Data owner
D.Data steward
AnswerC

Data owner is responsible for classifying data according to business sensitivity.

Why this answer

The data owner is the senior manager or business stakeholder who has ultimate accountability for a data asset and is responsible for determining its classification level based on business impact and sensitivity. In the CISSP framework, the data owner defines the classification labels (e.g., Public, Internal, Confidential, Restricted) at the time of creation or acquisition, ensuring the asset is tagged according to the organization's data classification policy. This role does not handle the technical implementation but sets the initial classification, which then drives downstream controls like encryption and access control lists (ACLs).

Exam trap

ISC2 often tests the distinction between data owner and data custodian, trapping candidates who confuse the 'owner' as the person who physically handles the data (custodian) rather than the person who has accountability for classification and risk acceptance.

How to eliminate wrong answers

Option A is wrong because the data custodian is responsible for implementing and maintaining technical controls (e.g., encryption, backups, access enforcement) based on the classification assigned by the data owner, not for assigning the initial classification label. Option B is wrong because the data processor is a third-party entity that processes data on behalf of the data controller under a contract, typically in cloud or outsourcing scenarios, and has no authority to assign classification labels—that remains with the data owner. Option D is wrong because the data steward focuses on data quality, metadata management, and compliance with data governance rules, but does not have the authority to assign initial classification labels; that decision is reserved for the data owner who bears the risk.

16
MCQhard

Refer to the exhibit. An organization uses this ACL on the external interface of a border router to control access to internal services. A security analyst discovered that an attacker from the Internet was able to SSH into the internal server at 192.168.1.100. Which of the following is the MOST likely reason for this security gap?

A.The final permit ip any any rule allows all traffic, bypassing the other rules
B.The ACL permits HTTP traffic to host 10.0.0.1 which could be used as a pivot
C.The ACL permits SSH from any source in 10.0.0.0/8 to the internal host, allowing an external attacker to spoof an internal IP
D.The ACL is applied inbound on the external interface, so it should block all external traffic, but the permit rules override
AnswerC

An attacker can spoof an IP address in the 10.0.0.0/8 range to bypass the ACL and SSH into the server.

Why this answer

Option C is correct because the ACL permits SSH (TCP port 22) from any source within the 10.0.0.0/8 range to the internal host 192.168.1.100. Since 10.0.0.0/8 is a private RFC 1918 address space, an external attacker can spoof a source IP in that range, bypassing the intended restriction that only internal hosts should use those addresses. The ACL does not validate the source IP's legitimacy, so a spoofed packet from the Internet matching the permit rule will be allowed through.

Exam trap

ISC2 often tests the misconception that an ACL's permit rule for a private IP range is safe because those addresses are not routable on the Internet, but the trap is that attackers can spoof those source IPs, and the ACL will allow the traffic if it matches the permit criteria.

How to eliminate wrong answers

Option A is wrong because the 'permit ip any any' rule is the final catch-all, but it only applies after all preceding rules are evaluated; if a packet matches an earlier permit rule (like the SSH rule), it is allowed before reaching the final rule, so the final rule is not the cause of the SSH gap. Option B is wrong because permitting HTTP to host 10.0.0.1 does not directly enable SSH access to 192.168.1.100; while a pivot could theoretically be used, the question specifically asks why the attacker was able to SSH directly into the internal server, and the HTTP rule does not permit SSH traffic. Option D is wrong because applying the ACL inbound on the external interface is correct for filtering incoming traffic; the permit rules do not 'override' the inbound direction—they define what is allowed, and the SSH rule explicitly permits the spoofed traffic, so the direction is not the issue.

17
Drag & Dropmedium

Drag and drop the steps for a forensic investigation in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Forensic process: identification, collection, preservation, analysis, and reporting.

18
MCQmedium

A hospital chain collects and stores electronic health records (EHR) for millions of patients. The EHR system is hosted in a private cloud and accessed by doctors, nurses, and administrative staff from various locations. Recently, an internal audit found that several employees shared their login credentials with colleagues to expedite workflows. The hospital must comply with HIPAA and state privacy laws. The security officer wants to implement a solution that minimizes the risk of unauthorized access due to shared credentials while still allowing efficient access for patient care. Which of the following is the BEST approach?

A.Implement single sign-on (SSO) integrated with role-based access control (RBAC) and enforce audit logging of all access
B.Enforce a policy requiring password changes every 30 days and complexity requirements
C.Replace passwords with biometric authentication (fingerprint and iris scans) for all users
D.Disable remote access to the EHR system and require all access to occur only from within the hospital's LAN
AnswerA

SSO reduces password fatigue, RBAC ensures users only have necessary access, and logging provides accountability to deter sharing.

Why this answer

SSO integrated with RBAC reduces the attack surface of shared credentials by centralizing authentication and enforcing least-privilege access based on job roles. Audit logging provides non-repudiation and traceability, which deters credential sharing and satisfies HIPAA's requirement to track access to ePHI. This combination directly addresses the root cause (shared credentials) while maintaining workflow efficiency through seamless authentication.

Exam trap

The trap here is that candidates often choose biometric authentication (C) thinking it eliminates credential sharing, but they overlook that biometrics can be bypassed or shared (e.g., a user holding a fingerprint scanner for a colleague) and introduce significant privacy and revocation challenges under HIPAA.

How to eliminate wrong answers

Option B is wrong because frequent password changes and complexity requirements do not prevent credential sharing; they often increase user frustration, leading to even more sharing or insecure storage. Option C is wrong because biometric authentication introduces privacy and usability concerns (e.g., false rejection rates, inability to revoke compromised biometrics) and does not inherently prevent users from sharing a single enrolled device or bypassing the system. Option D is wrong because disabling remote access severely impacts patient care and operational efficiency, and it does not address the core issue of credential sharing among authorized users within the LAN.

19
MCQeasy

Which data lifecycle phase involves the process of determining the value of data and assigning appropriate controls to protect it?

A.Create
B.Destroy
C.Store
D.Classify
AnswerD

Classification involves assessing data value and assigning security labels.

Why this answer

The Classify phase is where data is evaluated for its sensitivity and criticality, leading to the assignment of a classification label (e.g., public, internal, confidential, restricted). This classification directly drives the selection of appropriate security controls (encryption, access controls, retention policies) to protect the data throughout its lifecycle. Without classification, controls cannot be properly scoped or enforced.

Exam trap

The trap here is that candidates often confuse the 'Classify' phase with the 'Store' phase, assuming that controls are assigned when data is stored, but classification must logically precede storage to define the appropriate protection level.

How to eliminate wrong answers

Option A is wrong because the Create phase involves the initial generation or capture of data, not the determination of its value or the assignment of protective controls. Option B is wrong because the Destroy phase is the final stage where data is securely erased or disposed of, which occurs after classification and control assignment. Option C is wrong because the Store phase focuses on the secure retention of data on media (e.g., encrypted disks, databases), but the decision of what controls to apply is determined earlier during classification.

20
Multi-Selecthard

Which THREE of the following are valid considerations when implementing data loss prevention (DLP) controls to protect sensitive data? (Select three.)

Select 3 answers
A.Integration with all third-party applications
B.User training to reduce false positives and increase acceptance
C.Monitoring of data in use, in motion, and at rest
D.Data classification schemes to identify sensitive data
E.Blocking all data transfers to external devices
AnswersB, C, D

User training helps users understand why DLP blocks certain actions, reducing frustration.

Why this answer

Option B is correct because user training is a critical component of a successful DLP implementation. Without proper training, users may inadvertently trigger false positives by mishandling data or may attempt to bypass controls they perceive as overly restrictive. Training helps users understand classification labels and proper data handling procedures, reducing the operational burden on security teams and increasing overall acceptance of DLP policies.

Exam trap

The trap here is that candidates often assume DLP must be all-encompassing (e.g., blocking all transfers or integrating with every app), but the CISSP emphasizes risk-based, balanced controls that include user awareness and layered monitoring.

21
Multi-Selecthard

Which TWO of the following are valid data de-identification techniques?

Select 2 answers
A.Encryption
B.Access control
C.Data masking
D.Backup
E.Tokenization
AnswersC, E

Masking obscures sensitive data, often permanently.

Why this answer

Data masking is a valid de-identification technique because it irreversibly obscures specific data values, such as replacing real credit card numbers with fictional ones, while preserving the data format for testing or analytics. Unlike encryption, masking does not allow reversal to the original value, ensuring the data is no longer personally identifiable. It is commonly used in non-production environments to protect sensitive information.

Exam trap

The trap here is that candidates often confuse encryption with de-identification, but encryption is reversible and does not permanently remove the link to the individual, whereas de-identification techniques like masking and tokenization are designed to be irreversible or non-reversible in the context of the original data.

22
MCQhard

A company is decommissioning a data center and needs to dispose of hard drives that contained highly confidential financial data. Which of the following methods provides the HIGHEST assurance that data cannot be recovered?

A.Overwriting the drives with multiple passes of random data
B.Shredding the drives into small pieces
C.Degaussing the drives
D.Overwriting the drives with a single pass of zeros
AnswerB

Physical destruction makes data recovery physically impossible.

Why this answer

Shredding the drives into small pieces physically destroys the platters, making data recovery impossible regardless of the storage technology (e.g., HDD vs. SSD). This method provides the highest assurance because it eliminates any possibility of reading residual magnetic or solid-state data, even with advanced forensic tools like electron microscopy.

Exam trap

The trap here is that candidates often choose degaussing or multi-pass overwriting because they are familiar with these methods, but they fail to recognize that physical destruction is the only method that guarantees data irretrievability across all drive types, especially SSDs.

How to eliminate wrong answers

Option A is wrong because overwriting with multiple passes (e.g., Gutmann method) is effective for magnetic media but provides no assurance for SSDs or modern HDDs with high-density platters, and it is time-consuming; more importantly, it does not physically destroy the drive, so residual data could theoretically be recovered with specialized equipment. Option C is wrong because degaussing uses a strong magnetic field to erase data on HDDs, but it is ineffective on SSDs (which store data in NAND flash cells) and may leave the drive non-functional without guaranteeing complete erasure of all sectors. Option D is wrong because a single pass of zeros is sufficient for many modern HDDs (per NIST SP 800-88), but it does not address SSDs or provide the same level of assurance as physical destruction, and it leaves the drive intact for potential recovery attempts.

23
MCQeasy

A small business owner stores customer payment card information (PCI) in a legacy database that is not compliant with PCI DSS. The business is migrating to a new cloud-based point-of-sale (POS) system that uses tokenization. The owner wants to ensure that the legacy data is handled securely during the transition. Which of the following is the BEST approach?

A.Migrate the legacy data into the new POS system and have the tokenization service replace it
B.Encrypt the legacy database using AES-256 and store the encryption key on a separate server
C.Archive the legacy database to a tape backup and store it in a secure offsite vault
D.Tokenize the payment data in the legacy database, then securely purge the original cardholder data and verify the purge
AnswerD

Tokenization replaces sensitive data with a token, and purging eliminates the original data, reducing PCI scope.

Why this answer

Option C is correct because purging the legacy data after tokenization and confirming no residual sensitive data remains ensures that card data is no longer stored, reducing risk. Option A is wrong because storing legacy data encrypted increases risk of key compromise. Option B is wrong because archiving encrypted data still retains the data.

Option D is wrong because merging may complicate tokenization and risk.

24
MCQhard

A government agency's data retention policy requires that classified documents be destroyed after 10 years. Which method ensures both the information and the media are completely destroyed in a way that is verifiable and auditable?

A.Incineration in a certified facility
B.Overwriting the data seven times
C.Degaussing the storage media
D.Deleting all files and emptying the recycle bin
AnswerA

Incineration destroys both data and media, and provides audit trail via destruction certificates.

Why this answer

Incineration in a certified facility is the only option that completely destroys both the information and the physical media, leaving no residue that could be reconstructed. For classified government documents, the destruction must be verifiable and auditable, which a certified incineration facility provides through documented chain-of-custody and destruction certificates. This method ensures the media is physically reduced to ash, eliminating any possibility of data recovery, unlike logical or magnetic techniques.

Exam trap

The trap here is that candidates often confuse 'sanitization' with 'destruction' — they may choose degaussing or overwriting because those methods effectively erase data, but the question explicitly requires complete destruction of both information and media, which only physical destruction methods like incineration achieve.

How to eliminate wrong answers

Option B is wrong because overwriting data seven times (e.g., using the Gutmann method) only addresses logical data on functional media; it does not destroy the physical media itself, and for classified documents, the media must be physically destroyed to prevent reconstruction from residual magnetic patterns or platter remnants. Option C is wrong because degaussing destroys the magnetic field on storage media, rendering data unreadable, but it does not destroy the media itself; degaussed drives can still be physically intact and potentially leak information through physical inspection or advanced forensic techniques, and it is not verifiable for all media types (e.g., SSDs). Option D is wrong because deleting files and emptying the recycle bin only removes file system pointers, leaving the actual data intact on the media until overwritten; this is completely insufficient for classified destruction and provides no verifiable or auditable proof of destruction.

25
Multi-Selecthard

Which THREE of the following are key considerations when implementing a data retention policy for an organization subject to multiple legal jurisdictions?

Select 3 answers
A.Varying statutory retention periods across jurisdictions
B.Potential litigation holds that require preserving data beyond normal retention
C.The cost of maintaining long-term storage for large volumes of data
D.The organization's ability to delete data after the minimum retention period
E.The data owner's personal preference for deletion timelines
AnswersA, B, C

Different countries have different laws, must comply with the longest.

Why this answer

Option A is correct because different legal jurisdictions impose distinct statutory retention periods for various data types (e.g., GDPR requires retention no longer than necessary, while HIPAA mandates 6 years for medical records). A data retention policy must account for these varying minimums to ensure compliance across all applicable laws. Failing to reconcile conflicting periods can lead to legal penalties or data deletion before a jurisdiction’s requirement is met.

Exam trap

The trap here is that candidates often confuse operational convenience (like cost of storage) with a core legal consideration, or they mistakenly think a data owner’s preference is a valid input for a compliance-driven policy, when in fact only statutory and regulatory requirements are primary.

26
MCQhard

An organization implements a data loss prevention (DLP) solution to monitor data in motion. Which type of data is typically most challenging to detect?

A.Data in images
B.Structured data in CSV files
C.Encrypted traffic
D.Unstructured data in email attachments
AnswerC

Encryption hides content, requiring decryption or metadata analysis.

Why this answer

Encrypted traffic is the most challenging data in motion for DLP to inspect because the payload is obfuscated by encryption protocols such as TLS 1.3 or IPsec. Without decryption (e.g., via a proxy with TLS interception), the DLP sensor cannot read the content to match patterns or keywords, rendering traditional deep packet inspection ineffective.

Exam trap

The trap here is that candidates assume 'data in images' is hardest because it is non-textual, but DLP can use OCR and image analysis, whereas encrypted traffic is fundamentally opaque without decryption keys.

How to eliminate wrong answers

Option A is wrong because data in images can be detected via optical character recognition (OCR) or steganography analysis, though it is harder than plaintext, it is still inspectable. Option B is wrong because structured data in CSV files has predictable delimiters and patterns (e.g., credit card numbers, SSNs) that DLP regex rules can reliably match. Option D is wrong because unstructured data in email attachments, while varied, is still in plaintext or common binary formats (e.g., PDF, DOCX) that DLP can parse and scan for sensitive content.

27
MCQhard

You are the security architect for a multinational corporation that handles highly sensitive intellectual property (IP) and personally identifiable information (PII) for clients in multiple jurisdictions, including GDPR and CCPA regions. The company recently experienced a data breach where an attacker exfiltrated 50 GB of data from a file server by exploiting a vulnerability in the backup software. The backup software had been configured with default credentials and was accessible from the internet. The security team has implemented compensating controls, but management wants to prevent such incidents in the future. You have been asked to recommend a long-term strategy to protect sensitive data assets. The budget is limited, and the solution must minimize user friction. Current environment: On-premises Active Directory with Windows file servers, some data in AWS S3, and a mix of laptops and mobile devices. The organization uses Microsoft 365 for email and collaboration. Which of the following is the BEST course of action?

A.Deploy a data classification and labeling solution integrated with endpoint and network DLP to automatically detect and protect sensitive data
B.Implement multi-factor authentication (MFA) for all administrative accounts and backup interfaces
C.Encrypt all data at rest using AES-256 and implement strict key management policies
D.Segment the backup network from the production network and enforce strict firewall rules
AnswerA

A data-centric approach identifies sensitive data and applies automated controls, reducing the risk of exfiltration across all vectors.

Why this answer

Option A is correct because data classification and labeling, integrated with endpoint and network DLP, directly addresses the root cause: the inability to distinguish sensitive data from non-sensitive data. By automatically classifying and labeling IP and PII, the organization can enforce policy-based protections (e.g., blocking exfiltration, applying encryption) without relying solely on perimeter controls. This minimizes user friction by automating detection and response, and it scales across on-premises, cloud (AWS S3), and Microsoft 365 environments, aligning with GDPR and CCPA requirements for data protection.

Exam trap

The trap here is that candidates often choose MFA or encryption as a silver bullet, but the CISSP exam emphasizes that data classification is the foundational control for protecting sensitive assets, especially when the threat involves data exfiltration via a compromised application, not just unauthorized access or theft of media.

How to eliminate wrong answers

Option B is wrong because MFA for administrative accounts and backup interfaces is a compensating control that reduces the risk of credential theft, but it does not prevent an attacker who exploits a software vulnerability (as in the breach) from exfiltrating data; the backup software was accessible from the internet with default credentials, but MFA would not have stopped the vulnerability exploitation if the attacker bypassed authentication or used a different vector. Option C is wrong because encrypting all data at rest with AES-256 protects data if storage media is stolen, but it does not prevent exfiltration via a live file server or backup software; the attacker exfiltrated data while the server was online and decrypted, so encryption at rest is irrelevant to the attack vector. Option D is wrong because network segmentation and firewall rules reduce the attack surface but do not address the core issue of sensitive data being accessible and unlabeled; the attacker exploited a vulnerability in backup software, and segmentation alone cannot prevent exfiltration if the attacker already has access to the backup network or if the vulnerability allows lateral movement.

28
MCQmedium

A company uses a cloud storage service. Which asset security control is most important to prevent unauthorized access to data?

A.Logging and monitoring
B.Encryption in transit and at rest
C.Periodic access reviews
D.Regular vulnerability scanning
AnswerB

Encryption renders data unreadable without keys, preventing unauthorized access.

Why this answer

Encryption in transit (e.g., TLS 1.3) and at rest (e.g., AES-256) is the most important asset security control because it renders data unreadable even if the cloud storage service is compromised or an attacker gains access to the underlying infrastructure. Without encryption, all other controls (logging, reviews, scanning) are reactive and cannot prevent a direct breach of the stored data. This aligns with the CISSP principle of defense in depth, where encryption provides a strong preventive layer for data confidentiality.

Exam trap

ISC2 often tests the misconception that logging or access reviews are sufficient to prevent unauthorized access, but the trap here is that only encryption provides a strong preventive control that protects data confidentiality regardless of other failures.

How to eliminate wrong answers

Option A is wrong because logging and monitoring are detective controls that identify unauthorized access after it occurs, not preventive controls that stop it in the first place. Option C is wrong because periodic access reviews are administrative controls that verify existing permissions but do not prevent an attacker from exploiting a misconfiguration or stolen credential between reviews. Option D is wrong because regular vulnerability scanning identifies weaknesses in the system but does not directly protect the data itself; encryption is a compensating control that mitigates the risk of exploitation even if vulnerabilities exist.

29
MCQeasy

Refer to the exhibit. A project team is sending a spreadsheet marked Confidential via email. What control is required?

A.Both A and B
B.Encrypt the email and attachment
C.No additional controls if sent over internal network
D.Use a secure file transfer protocol
AnswerB

Email encryption protects the data in transit as policy requires.

Why this answer

Option B is correct because email transmissions, including attachments, are transmitted in plaintext by default using SMTP (RFC 5321). Encrypting both the email body and the attachment ensures confidentiality, protecting the spreadsheet marked Confidential from unauthorized access during transit. This aligns with the principle of protecting data at rest and in transit as required by asset security policies.

Exam trap

The trap here is that candidates assume internal networks are safe or that secure file transfer protocols are equivalent to email encryption, but CISSP tests the specific requirement to protect data in transit over any network, including internal ones, using appropriate cryptographic controls like email encryption.

How to eliminate wrong answers

Option A is wrong because it is not a distinct control but a combination of options, and since only Option B is correct, 'Both A and B' is invalid. Option C is wrong because internal networks are not inherently secure; traffic can be intercepted via ARP spoofing or network sniffing, and no additional controls would violate confidentiality requirements for sensitive data. Option D is wrong because secure file transfer protocols (e.g., SFTP, FTPS) are designed for file transfers, not for sending email; using such a protocol would not address the email transmission channel itself, leaving the email body and metadata exposed.

30
MCQeasy

Refer to the exhibit. An analyst attempts to read /data/confidential. What will be the outcome?

A.Access is granted because no 'combine' method is specified, so permit wins
B.Access is denied because Analysts are explicitly denied
C.The policy is ambiguous and will result in an error
D.Access is granted because Analysts are in the 'allowed' list
AnswerB

The deny rule explicitly blocks Analysts from /data/confidential.

Why this answer

The policy explicitly denies the 'Analysts' group access to /data/confidential. In RBAC or DAC-based file systems (e.g., Linux ACLs or Windows NTFS), an explicit deny entry overrides any conflicting allow entry, regardless of the order of evaluation. Since the analyst is a member of the 'Analysts' group, the deny rule applies, and access is denied.

Exam trap

The trap here is that candidates often assume 'permit wins' by default or that group membership in an allowed list guarantees access, forgetting that explicit deny always overrides allow in standard access control models.

How to eliminate wrong answers

Option A is wrong because when an explicit deny is present, it takes precedence over any permit or allow rule, even if no 'combine' method is specified; the default behavior is that deny wins. Option C is wrong because the policy is not ambiguous—explicit deny is a clear and deterministic rule that does not cause an error. Option D is wrong because even though the analyst may be in an 'allowed' list, the explicit deny for the 'Analysts' group overrides that allow, as deny rules are evaluated with higher priority.

31
MCQhard

Refer to the exhibit. A legal hold exception preserves FinancialRecords FIN-001 and FIN-002. What is the correct action for FinancialRecords that are not under legal hold?

A.They should be audited and then preserved indefinitely
B.They should be archived after 2555 days
C.They should be deleted after 2555 days
D.They should be deleted after 365 days
AnswerB

The rule specifies archive action for FinancialRecords.

Why this answer

The exhibit shows a retention policy for FinancialRecords with a retention period of 2555 days (7 years). Legal hold exceptions preserve FIN-001 and FIN-002, but records not under legal hold must follow the standard retention policy. The correct action is to archive them after 2555 days, as archiving retains data for compliance or future reference without indefinite preservation, aligning with the policy's lifecycle.

Exam trap

The trap here is confusing 'archive' with 'delete' — candidates often assume that after a retention period ends, data must be deleted, but archiving is a separate action that preserves data for long-term compliance or historical purposes, while deletion is only appropriate when the policy explicitly states it.

How to eliminate wrong answers

Option A is wrong because auditing and preserving indefinitely violates the principle of data lifecycle management, which requires defined retention periods; indefinite preservation is not a standard action for records not under legal hold. Option C is wrong because deletion after 2555 days would destroy records that may still be needed for compliance or operational purposes; archiving is the appropriate action to retain them beyond active use. Option D is wrong because 365 days is too short for FinancialRecords, which typically require longer retention (e.g., 7 years for tax or audit purposes), and the policy specifies 2555 days.

32
Multi-Selecthard

Which TWO of the following are essential characteristics of an effective information classification scheme?

Select 2 answers
A.Should have at least seven classification levels to capture granularity
B.Must be accompanied by mandatory training for all users
C.Should have clear labels that map to specific handling procedures
D.Should be based on the encryption algorithm used to protect the data
E.Must be applied consistently across the entire organization
AnswersC, E

Labels without procedures are ineffective; users need to know what to do.

Why this answer

Option C is correct because an effective classification scheme must have clear labels (e.g., 'Confidential', 'Secret') that directly map to specific handling procedures (e.g., encryption at rest, access control lists, retention periods). This ensures that data owners and custodians know exactly how to protect each classification level without ambiguity.

Exam trap

The trap here is that candidates confuse 'essential characteristics of the scheme' with 'supporting activities' (like training) or 'implementation details' (like encryption algorithms), leading them to select options that are good practices but not defining properties of the classification scheme itself.

33
MCQhard

During a security audit, it is discovered that a company's data classification labels are inconsistently applied across different departments. Which of the following is the BEST long-term solution to ensure consistent data classification?

A.Conduct annual retraining on data classification policies
B.Implement automated data classification tools that apply labels based on content and context
C.Adopt a single classification level for all data to eliminate confusion
D.Assign a data owner in each department to manually review and classify data
AnswerB

Automation reduces human error and ensures consistent application of classification labels.

Why this answer

Automated data classification tools use content inspection (e.g., regex patterns, keyword matching) and contextual analysis (e.g., file location, creator, metadata) to consistently apply labels across the enterprise. This eliminates human error and variability between departments, ensuring uniform enforcement of the classification policy without relying on manual interpretation or periodic training.

Exam trap

The trap here is that candidates often choose annual retraining (A) as a 'best practice' for policy adherence, but the question specifically asks for the 'BEST long-term solution' to ensure consistency, which requires automation to remove human subjectivity.

How to eliminate wrong answers

Option A is wrong because annual retraining is a temporary, human-dependent solution that does not prevent inconsistent application between training cycles; it fails to address the root cause of manual variability. Option C is wrong because adopting a single classification level for all data violates the principle of least privilege and the need for granular access controls, effectively negating the purpose of data classification. Option D is wrong because assigning a data owner in each department to manually review and classify data perpetuates the inconsistency problem, as different owners will apply subjective judgment, leading to the same cross-departmental variability.

34
Multi-Selectmedium

Which THREE of the following are valid methods to reduce the risk of data exfiltration via removable media in a high-security environment?

Select 3 answers
A.Disable USB ports via group policy and physically lock cases
B.Require annual security awareness training on data handling
C.Use full disk encryption on all endpoints
D.Deploy endpoint DLP agents that block copy operations to removable media based on content
E.Implement data classification and labeling policies to raise awareness
AnswersA, D, E

Effective and enforceable control that physically prevents use of removable media.

Why this answer

Disabling USB ports via Group Policy (using administrative templates to set 'Removable Storage: Deny write access' to 'Enabled') combined with physically locking cases (e.g., using case locks or cable locks to prevent unauthorized access to internal USB headers) provides a dual-layer preventive control. This directly eliminates the attack vector by removing both logical and physical access to removable media, which is the most effective method in a high-security environment.

Exam trap

The trap here is that candidates often confuse full disk encryption (a data-at-rest protection) with a data exfiltration prevention control, failing to recognize that encryption does not block the copy operation itself.

35
Multi-Selecteasy

Which THREE of the following are recognized roles in asset security?

Select 3 answers
A.Data custodian
B.Data owner
C.Data processor
D.Data subject
E.Data auditor
AnswersA, B, C

Data custodian implements controls on behalf of owner.

Why this answer

The data custodian (A) is responsible for implementing and maintaining security controls according to the data owner's directives, such as applying encryption, managing backups, and enforcing access controls. This role is recognized in asset security because it bridges policy and operational execution, ensuring the CIA triad is maintained on the stored or processed data.

Exam trap

The trap here is that candidates confuse the data subject (a GDPR-defined individual) with a security role, or mistakenly think the data auditor is a primary asset security role, when the CISSP framework explicitly lists only data owner, data custodian, and data processor as the recognized roles in asset security.

36
MCQmedium

A software development company uses a continuous integration/continuous deployment (CI/CD) pipeline that automatically builds and deploys code to production after passing automated tests. The code repository contains proprietary algorithms and customer data. A recent incident was traced to an attacker who injected malicious code into a library that was pulled from a public package repository during the build process. The company wants to prevent similar supply chain attacks without significantly slowing development. Which of the following is the BEST course of action?

A.Require all developers to perform manual code review of every third-party library before inclusion
B.Perform static application security testing (SAST) on the entire codebase including libraries
C.Increase the frequency of vulnerability scanning on the production environment and delay deployment of any library that has a deprecation notice
D.Implement a private repository that mirrors approved open-source libraries and enforces signature verification and hash checks before allowing use
AnswerD

A private mirror with integrity checks ensures only verified packages are used, blocking malicious ones from the public repo.

Why this answer

Option D is correct because implementing a private repository that mirrors only approved, vetted open-source libraries with enforced signature verification and hash checks directly addresses supply chain attacks by ensuring that only trusted, integrity-verified code enters the build pipeline. This approach prevents malicious code from public repositories from being pulled automatically, without requiring manual review of every library (which would slow development) or relying on post-build scanning that cannot prevent the initial injection. It aligns with the principle of secure software supply chain management by establishing a trusted source of components.

Exam trap

ISC2 often tests the distinction between reactive security controls (like SAST or vulnerability scanning) and proactive supply chain controls (like private repositories with integrity verification), and the trap here is that candidates may choose SAST (option B) because it sounds technical and comprehensive, but it fails to prevent the initial injection of malicious code during the build process.

How to eliminate wrong answers

Option A is wrong because requiring manual code review of every third-party library is impractical and would significantly slow development, defeating the goal of not slowing the pipeline; it also does not scale for large numbers of dependencies and is error-prone. Option B is wrong because performing SAST on the entire codebase including libraries would detect vulnerabilities in the code but cannot prevent the initial injection of malicious code during the build process, as SAST analyzes source code after it is already in the repository, not during the pull from a public package repository. Option C is wrong because increasing vulnerability scanning frequency on the production environment and delaying deployment of libraries with deprecation notices does not prevent the initial injection of malicious code into the build; it only identifies issues after deployment and introduces delays that conflict with the goal of not slowing development.

37
MCQmedium

A healthcare organization is moving patient records to a cloud storage service. Which of the following is the MOST important requirement to ensure data security and compliance with HIPAA?

A.Multi-factor authentication for all cloud access
B.Encryption of data in transit using TLS 1.2
C.A signed Business Associate Agreement (BAA) with the cloud provider
D.Encryption of data at rest using AES-256
AnswerC

A BAA is required under HIPAA to ensure the cloud provider handles PHI appropriately.

Why this answer

Under HIPAA, a covered entity must have a signed Business Associate Agreement (BAA) with any cloud service provider that creates, receives, maintains, or transmits protected health information (PHI). Without a BAA, the provider is not contractually bound to safeguard PHI, making the organization non-compliant regardless of technical controls. While encryption and MFA are important security measures, they cannot substitute for the legal and regulatory requirement of a BAA.

Exam trap

The trap here is that candidates often focus on technical security controls like encryption or MFA, overlooking the foundational legal and regulatory requirement of a signed Business Associate Agreement, which is the non-negotiable first step for HIPAA compliance with a cloud provider.

How to eliminate wrong answers

Option A is wrong because multi-factor authentication (MFA) is a strong access control but does not address the contractual and legal obligations required by HIPAA for business associates; it is a security best practice, not a compliance requirement. Option B is wrong because encryption of data in transit using TLS 1.2 protects data during transmission but does not ensure the cloud provider is legally bound to protect PHI as a business associate; HIPAA mandates a BAA regardless of transport encryption. Option D is wrong because encryption of data at rest using AES-256 protects stored data but, like the other technical controls, does not satisfy the HIPAA requirement for a signed BAA with the cloud provider.

38
MCQmedium

A security engineer reviews the S3 bucket policy in the exhibit. What is the most significant security issue with this configuration?

A.The resource ARN does not specify a version ID
B.The policy does not enforce encryption in transit
C.The bucket allows public read access to all objects
D.The policy lacks an explicit deny statement
AnswerC

The policy grants read access to anyone, exposing sensitive data.

Why this answer

The S3 bucket policy in the exhibit grants "Effect": "Allow" with "Principal": "*" and "Action": "s3:GetObject" on the bucket ARN. This configuration effectively makes all objects in the bucket publicly readable over the internet, which is a severe data exposure risk. Option C correctly identifies this as the most significant security issue because it violates the principle of least privilege and can lead to unauthorized access to sensitive data.

Exam trap

The trap here is that candidates may focus on missing technical details like version IDs or encryption conditions, but the most critical security flaw is the explicit public read access granted to all objects, which directly leads to data exposure.

How to eliminate wrong answers

Option A is wrong because S3 bucket policies apply to all versions of objects unless a specific version ID is required; omitting a version ID does not inherently create a security vulnerability. Option B is wrong because S3 bucket policies do not enforce encryption in transit (HTTPS); that is controlled by the bucket's policy condition using "aws:SecureTransport" or by enabling S3 Block Public Access settings, and the absence of such a condition is not the most significant issue here. Option D is wrong because an explicit deny statement is not required for security; the default implicit deny (deny by default) applies to any action not explicitly allowed, and the problem is the overly permissive allow statement, not the lack of an explicit deny.

39
MCQeasy

A data classification scheme includes Public, Internal, Confidential, and Restricted. Which classification requires the highest level of protection?

A.Restricted
B.Internal
C.Public
D.Confidential
AnswerA

Restricted is the highest classification, requiring maximum protection.

Why this answer

Restricted is the highest classification level in this scheme, indicating data that would cause severe damage to the organization if disclosed. It requires the strongest access controls, encryption (e.g., AES-256 for data at rest, TLS 1.3 for data in transit), and strict need-to-know policies. This aligns with the principle of protecting data based on its sensitivity and the potential impact of unauthorized disclosure.

Exam trap

The trap here is that candidates often confuse 'Confidential' with the highest level because it sounds more restrictive than 'Restricted', but in this scheme 'Restricted' is explicitly the top tier, requiring the most stringent controls.

How to eliminate wrong answers

Option B (Internal) is wrong because Internal data is intended for internal use only but does not require the highest level of protection; its compromise would cause moderate damage, not severe. Option C (Public) is wrong because Public data is intended for unrestricted disclosure and requires the lowest level of protection, often with no access controls. Option D (Confidential) is wrong because Confidential data requires a high level of protection but is still below Restricted; its compromise would cause serious damage, but not the most severe impact.

40
MCQeasy

An analyst reviews the exhibit showing Windows security event logs. What activity should be investigated as a potential data exfiltration attempt?

A.The user reading the PII file at 09:23:45
B.The sequence of events on the same file by the same user
C.The user deleting the PII file at 09:25:00 using cmd.exe
D.The user writing to the PII file at 09:24:10
AnswerC

Deleting a PII file using command prompt is unusual and could indicate an attempt to cover tracks.

Why this answer

Option C is correct because deleting a PII file via cmd.exe (command-line interface) shortly after reading and writing to it is a classic indicator of data exfiltration. The attacker likely read the sensitive data, wrote a copy or staged it, then used cmd.exe to delete the original file to cover tracks and avoid detection by file access audits. This sequence—read, write, delete via command line—is anomalous for normal user behavior and strongly suggests intentional removal of evidence after data theft.

Exam trap

The trap here is that candidates focus on the individual actions (read, write, delete) rather than the sequence and the tool used (cmd.exe), missing that the combination of read, write, and command-line deletion is the hallmark of a data exfiltration attempt.

How to eliminate wrong answers

Option A is wrong because reading a PII file at 09:23:45 is a normal business activity and does not alone indicate exfiltration; many users legitimately access sensitive files. Option B is wrong because a sequence of events on the same file by the same user is not inherently suspicious—it could be routine editing or review; the specific combination of read, write, and delete via cmd.exe is what raises concern. Option D is wrong because writing to a PII file at 09:24:10 could be legitimate modification or saving work; without the subsequent anomalous deletion via command line, it is not a clear exfiltration attempt.

41
Multi-Selecteasy

Which TWO of the following are principles of the data minimization concept under privacy regulations such as GDPR?

Select 2 answers
A.Ensure personal data is accurate and kept up to date
B.Collect only the personal data that is directly relevant and necessary for the specified purpose
C.Store personal data for as long as possible for future analysis
D.Limit the processing of personal data to only what is necessary for the intended purpose
E.Provide individuals with access to their data upon request
AnswersB, D

This is the core of data minimization.

Why this answer

Option B is correct because data minimization under GDPR (Article 5(1)(c)) requires that personal data collected be 'adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.' This principle directly mandates collecting only the data that is directly relevant and necessary for the specified purpose, preventing over-collection and reducing privacy risk.

Exam trap

ISC2 often tests the distinction between the seven GDPR principles (lawfulness, fairness, transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability) and the data subject rights (access, rectification, erasure, etc.), so candidates mistakenly select a right like access as a minimization principle.

42
MCQmedium

Refer to the exhibit. The file data.txt contains PII. What is the most likely security issue indicated by the logs?

A.The HTTP 200 status indicates the file is corrupted
B.The file permissions restrict access to root only
C.The file is being overwritten by unauthorized users
D.The file is being accessed by multiple IPs, potentially indicating data exfiltration
AnswerD

Multiple GET requests from different IPs to a PII file is suspicious.

Why this answer

The log shows the same file data.txt being accessed from multiple distinct IP addresses (10.0.0.1, 10.0.0.2, 10.0.0.3) with HTTP 200 success responses. This pattern of repeated successful reads from different sources is a classic indicator of data exfiltration, where an attacker or malicious insider is copying sensitive PII to multiple external hosts. The HTTP 200 status confirms the file was successfully retrieved each time, ruling out corruption or access failures.

Exam trap

The trap here is that candidates focus on the HTTP 200 status or file permissions as the issue, rather than recognizing that repeated successful reads from multiple IPs is the hallmark of data exfiltration.

How to eliminate wrong answers

Option A is wrong because an HTTP 200 status code means the request succeeded and the file was delivered intact, not corrupted; corruption would typically result in a 500-series error or checksum mismatch. Option B is wrong because the logs show successful reads (HTTP 200) from multiple IPs, which would be impossible if file permissions restricted access to root only; the file is clearly readable by the web server process. Option C is wrong because the logs show GET requests (reads), not PUT/POST/DELETE operations, so the file is being read, not overwritten; overwriting would require write operations and different HTTP methods.

43
MCQmedium

An organization uses a data loss prevention (DLP) system to monitor outbound emails. Which data classification type would the DLP most likely use to detect sensitive information leaving the network?

A.Context-based classification
B.Content-based classification
C.User-based classification
D.Role-based classification
AnswerB

Content-based DLP scans for patterns and data content to detect sensitive information.

Why this answer

Content-based classification inspects the actual data within outbound emails—such as credit card numbers, social security numbers, or other regex-defined patterns—to detect sensitive information. DLP systems rely on content analysis (e.g., regular expressions, exact data matching, or fingerprinting) to identify and block policy violations, making this the correct classification type for detecting sensitive data leaving the network.

Exam trap

ISC2 often tests the distinction between context-based and content-based classification, where candidates mistakenly choose context-based because they confuse 'monitoring outbound emails' with analyzing sender/recipient metadata rather than the actual data content.

How to eliminate wrong answers

Option A is wrong because context-based classification examines metadata like sender, recipient, or time of transmission, not the actual data payload, so it cannot detect sensitive content within the email body or attachments. Option C is wrong because user-based classification assigns sensitivity based on the user's identity or group membership, but it does not inspect the content of the email itself, making it insufficient for DLP detection of specific data patterns. Option D is wrong because role-based classification uses job roles to determine data access rights, but it does not analyze the content of outbound messages, so it cannot identify sensitive information in transit.

44
MCQhard

Refer to the exhibit. An organization has a lawsuit requiring preservation of all records related to a customer dispute from 2018. Which data set must be preserved beyond its scheduled retention?

A.Email logs from 2018
B.Payment card data from 2018 transactions
C.All of the above
D.Customer records from 2018 accounts that are still open
AnswerC

Legal hold applies to all relevant data, overriding retention schedules.

Why this answer

Option C is correct because a legal hold overrides any scheduled retention policy. The lawsuit requires preservation of all records related to the 2018 customer dispute, which includes email logs (for communication evidence), payment card data (for transaction records), and customer records (for account details). Under eDiscovery rules (FRCP Rule 26), any data set that may contain relevant information must be preserved, even if its normal retention period has expired.

Exam trap

The trap here is that candidates often assume only the most obvious data set (e.g., customer records) needs preservation, but the legal hold applies to all data sets that could contain relevant information, including logs and payment data, regardless of their normal retention schedules.

How to eliminate wrong answers

Option A is wrong because email logs from 2018 are directly relevant to the dispute (e.g., communications with the customer) and must be preserved under the legal hold, so they are not exempt. Option B is wrong because payment card data from 2018 transactions is relevant to the financial aspect of the dispute and must be preserved, even if PCI DSS retention schedules would normally allow deletion. Option D is wrong because customer records from 2018 accounts that are still open are also subject to the legal hold; the fact that the account is still open does not exclude it from preservation—the hold applies to all records related to the dispute, regardless of account status.

45
MCQmedium

A financial institution must retain customer transaction records for 7 years. After that, what is the most appropriate action?

A.Degauss and physically destroy
B.Securely delete using overwriting
C.Transfer to a third-party storage vendor
D.Archive to tape for additional redundancy
AnswerB

Overwriting renders data unrecoverable, meeting disposal requirements.

Why this answer

After the 7-year retention period, the most appropriate action is to securely delete the records using overwriting. This ensures that the data is irrecoverable while maintaining compliance with data disposal policies. Overwriting with multiple passes (e.g., using the Gutmann method or DoD 5220.22-M standard) prevents data remanence, which is critical for financial records.

Exam trap

The trap here is that candidates often confuse 'secure deletion' with 'physical destruction' or 'archiving,' failing to recognize that after the retention period, the primary goal is to eliminate the data securely, not to preserve or transfer it.

How to eliminate wrong answers

Option A is wrong because degaussing and physical destruction are excessive for digital records that only need secure deletion; degaussing destroys the magnetic media entirely, which is unnecessary and may not be feasible for all storage types (e.g., SSDs). Option C is wrong because transferring to a third-party storage vendor does not address the requirement to dispose of the data after retention; it merely shifts custody, which could lead to compliance violations. Option D is wrong because archiving to tape for additional redundancy retains the data beyond the required period, violating the retention policy and increasing legal and security risks.

46
Multi-Selectmedium

Which TWO of the following are essential components of a data classification policy? (Select two.)

Select 2 answers
A.Data retention periods for each classification level
B.Roles and responsibilities for data classification
C.Definition of classification levels (e.g., public, confidential, secret)
D.Methods for secure data destruction
E.Encryption standards for each classification level
AnswersB, C

Defining who is responsible for classifying data is essential.

Why this answer

Roles and responsibilities are essential because a data classification policy must clearly define who is accountable for classifying data, who can assign classification levels, and who is responsible for maintaining the labels. Without this, classification efforts become inconsistent and unenforceable, leading to security gaps. The CISSP emphasizes that governance requires clear assignment of ownership and decision-making authority for data assets.

Exam trap

ISC2 often tests the distinction between a data classification policy (which defines levels and roles) and supporting policies (retention, encryption, destruction) that operationalize the classification but are not core components of the classification policy itself.

47
MCQmedium

A financial institution is implementing a data retention policy to comply with regulatory requirements. The policy must ensure that transaction records are retained for 7 years and then securely destroyed. Which of the following is the BEST approach to implement this policy?

A.Encrypt all records and destroy the encryption keys after 7 years
B.Automatically purge records using a data management tool that overwrites data after the retention period
C.Move records to a separate archive and delete the directory pointers
D.Manually review and delete records after 7 years
AnswerB

Automated purging ensures consistent and timely destruction, reducing human error and ensuring compliance.

Why this answer

Option B is correct because automated purging using a data management tool that overwrites data ensures that the records are securely destroyed at the end of the retention period, meeting both regulatory compliance and data sanitization requirements. Overwriting (e.g., using DoD 5220.22-M or NIST SP 800-88 standards) prevents data recovery by replacing the storage media's bits with patterns, making it a reliable method for secure destruction in a financial institution's automated environment.

Exam trap

The trap here is that candidates often confuse 'cryptographic erasure' (Option A) with secure destruction, but the CISSP exam emphasizes that destroying encryption keys does not physically destroy the data and is not considered a secure destruction method for regulatory compliance unless combined with other controls.

How to eliminate wrong answers

Option A is wrong because encrypting records and destroying the encryption keys after 7 years does not securely destroy the underlying data; the ciphertext remains on the media and could potentially be decrypted in the future if the encryption algorithm is broken or if key recovery is possible, violating the 'secure destruction' requirement. Option C is wrong because moving records to a separate archive and deleting directory pointers only removes the file system references, leaving the actual data intact on the storage media, which can be recovered using forensic tools and does not constitute secure destruction. Option D is wrong because manual review and deletion after 7 years is prone to human error, lacks audit trails, and does not guarantee that data is securely overwritten or destroyed, failing to meet the policy's requirement for reliable and verifiable destruction.

48
MCQmedium

A security architect is designing controls for a cloud-based file storage service that stores personally identifiable information (PII). Which control best ensures that data remains encrypted at rest without involving the cloud provider's key management?

A.Tokenization of PII fields
B.Transport Layer Security (TLS) for data in transit
C.Client-side encryption
D.Server-side encryption with customer-managed keys
AnswerC

Client-side encryption ensures data is encrypted before leaving the client, provider cannot decrypt.

Why this answer

Client-side encryption ensures data is encrypted before it leaves the client device, so the cloud provider never has access to the plaintext or the encryption keys. This guarantees that the data remains encrypted at rest in the cloud storage without relying on the provider's key management infrastructure, meeting the requirement of keeping the provider out of the key management loop.

Exam trap

The trap here is that candidates often confuse server-side encryption with customer-managed keys (Option D) as being fully independent of the provider, but in reality, the provider's key management service still handles the encryption/decryption operations, which does not satisfy the 'without involving the cloud provider's key management' requirement.

How to eliminate wrong answers

Option A is wrong because tokenization replaces PII with non-sensitive tokens, but the original data is still stored elsewhere (often in a token vault) and does not inherently encrypt the data at rest in the cloud storage; it is a data masking technique, not an encryption control. Option B is wrong because Transport Layer Security (TLS) protects data in transit between the client and server, but it does not address encryption at rest; once data reaches the cloud storage, it is decrypted and stored in plaintext unless another mechanism is applied. Option D is wrong because server-side encryption with customer-managed keys still involves the cloud provider's key management service (e.g., AWS KMS, Azure Key Vault) to encrypt/decrypt data; the provider manages the encryption process, even if the customer supplies the key material, which violates the requirement of not involving the provider's key management.

49
MCQhard

A company is implementing a data masking solution for a test database that mirrors production. Which masking technique preserves referential integrity while obfuscating sensitive values?

A.Hash-based masking
B.Static data masking
C.Deterministic encryption
D.Dynamic data masking
AnswerC

Deterministic encryption preserves referential integrity because same plaintext maps to same ciphertext.

Why this answer

Deterministic encryption (C) is correct because it uses a consistent key and algorithm to always produce the same ciphertext for a given plaintext value, allowing foreign key relationships to be maintained across tables. This preserves referential integrity while obfuscating sensitive data, as the encrypted values can still be joined reliably. Static data masking (B) replaces values with fictional but consistent substitutes, but it does not use encryption and may not guarantee the same level of consistency for complex referential constraints without careful design.

Exam trap

The trap here is that candidates confuse 'deterministic encryption' with 'static data masking' because both produce consistent outputs, but static masking does not use encryption and is not reversible, whereas deterministic encryption allows authorized decryption for legitimate use cases.

How to eliminate wrong answers

Option A is wrong because hash-based masking uses a one-way hash function (e.g., SHA-256) that, while deterministic, is not reversible and does not provide confidentiality for sensitive data; it is typically used for tokenization or integrity checks, not for preserving referential integrity with obfuscation. Option B is wrong because static data masking replaces sensitive data with realistic but non-reversible substitutes (e.g., random names or numbers) and, although it can maintain consistency, it does not use encryption and may break referential integrity if the masking algorithm is not carefully applied across all related tables. Option D is wrong because dynamic data masking alters data on-the-fly at query time based on user permissions, but it does not change the underlying stored data; referential integrity is preserved only in the unmasked production database, not in a test database where the masked view may not support consistent joins.

50
MCQeasy

A company's data classification policy labels information as 'Internal Use Only' and 'Confidential.' An employee emails a 'Confidential' document to an external partner without authorization. Which type of data security objective has been violated?

A.Non-repudiation
B.Confidentiality
C.Availability
D.Integrity
AnswerB

Unauthorized disclosure violates confidentiality.

Why this answer

Confidentiality ensures that data is not disclosed to unauthorized parties. Option B is wrong because integrity is about accuracy, not disclosure. Option C is wrong because availability is about access when needed.

Option D is wrong because non-repudiation is about proof of origin.

51
MCQeasy

An organization wants to protect sensitive data stored on laptops. Which of the following is the MOST effective control to prevent data loss if a laptop is stolen?

A.BIOS password
B.Asset tracking software
C.Full-disk encryption (FDE)
D.Remote wipe capability
AnswerC

FDE encrypts the entire drive, making data inaccessible without the key.

Why this answer

Full-disk encryption (FDE) renders the data on the laptop unreadable without the decryption key, even if the storage drive is removed and analyzed. This is the most effective preventive control against data loss from theft because it protects data at rest regardless of physical access to the device.

Exam trap

The trap here is that candidates often choose remote wipe (D) because it sounds proactive, but they overlook that it requires network connectivity and is a corrective control, whereas full-disk encryption is a preventive control that works even offline.

How to eliminate wrong answers

Option A is wrong because a BIOS password only prevents unauthorized booting of the system, but the hard drive can be removed and accessed directly via another machine, exposing all data. Option B is wrong because asset tracking software helps locate a stolen laptop but does not prevent data access or loss if the device is not recovered. Option D is wrong because remote wipe capability can delete data after theft, but it relies on network connectivity and may fail if the thief immediately disconnects the device; it is a reactive control, not a preventive one.

52
Multi-Selectmedium

Which THREE of the following are examples of data at rest?

Select 3 answers
A.Data stored on a hard drive
B.Data in an email in transit
C.Data in a database
D.Data on a backup tape
E.Data on a network cable
AnswersA, C, D

Data on a hard drive is at rest.

Why this answer

Data at rest refers to data that is physically stored on a persistent medium and is not currently moving across a network or being processed. Data stored on a hard drive is a classic example because the data resides on a non-volatile storage device, whether it is an internal HDD, SSD, or external drive. The data remains on the medium until it is read, modified, or deleted, and it is typically protected by encryption mechanisms such as BitLocker or FileVault.

Exam trap

The trap here is that candidates often confuse data in a database as data in use or data in motion, but a database stores data persistently on disk, making it data at rest unless it is being actively queried or transferred.

Ready to test yourself?

Try a timed practice session using only Asset Security questions.