CISSP Asset Security Questions

46 questions · CISSP Asset Security topic · All types, answers revealed

1
MCQ · hard

An organization uses full disk encryption on all laptops containing sensitive data. A laptop is to be decommissioned, and the data must be sanitized. The laptop's SSD cannot be overwritten reliably due to wear-leveling. Which method is most appropriate?

A. Degaussing
B. DoD 5220.22-M 7-pass overwrite
C. Cryptographic erasure by destroying the encryption key
D. Physical destruction (shredding)
Answer: C

Cryptographic erasure works here because the laptop used full disk encryption from the outset, so every sector the SSD holds is ciphertext.

Why this answer

Cryptographic erasure (destroying the encryption key) renders the data inaccessible provided the cipher and key length are strong and every copy of the key, including any escrowed or backed-up copy, is destroyed. It does not depend on reaching every flash cell, so the wear-leveling and over-provisioned areas that defeat overwriting do not matter; NIST SP 800-88 treats it as a purge method. Degaussing has no effect on flash memory, and a 7-pass overwrite cannot be verified on an SSD. Physical destruction would also work but is unnecessary when the drive was encrypted throughout its life.

2
Multi-Select · medium

An organization is developing a new application that collects and processes European customers' personal data. To comply with the privacy by design principles under GDPR, which THREE measures should be implemented? (Select THREE.)

Select 3 answers
A. Retain the data only as long as necessary to fulfill the purpose (storage limitation)
B. Encrypt all personal data at rest and in transit
C. Use the data only for the purpose for which it was collected (purpose limitation)
D. Obtain explicit consent from users before data collection
E. Collect only the personal data necessary for the specified purpose (data minimization)
Answers: A, C, E

Correct. Storage limitation ensures data is not kept indefinitely.

Why this answer

Privacy by design means building the GDPR data protection principles into the system itself: data minimization (collect only necessary data), purpose limitation (use data only for the specified purpose), and storage limitation (retain data only as long as needed). Encryption is a security-of-processing safeguard rather than one of these principles, and consent is one of the lawful bases for processing, not a design principle per se.

3
MCQ · medium

A company's software asset management team discovers an unauthorized copy of a licensed application installed on several employee workstations. What is the primary risk associated with this finding?

A. Legal liability for software piracy
B. Reduction in employee productivity
C. Increased storage consumption
D. Incompatibility with other systems
Answer: A

Correct. Unauthorized software violates licensing agreements and can lead to legal penalties.

Why this answer

Unauthorized software can expose the organization to legal liability for copyright infringement, security vulnerabilities due to lack of patching, and compliance issues.

4
Multi-Select · medium

A data custodian is responsible for implementing controls to protect data. Which TWO of the following are typical responsibilities of a data custodian? (Select 2)

Select 2 answers
A. Classifying data according to sensitivity
B. Defining data usage policies
C. Performing regular backups of data
D. Restoring data from backups when needed
E. Determining data retention periods
Answers: C, D

Backups are a custodial task.

Why this answer

Data custodians handle day-to-day management, implement the security controls the owner requires, and perform backups and restoration. Classifying data, defining usage policies and setting retention periods are decisions reserved for the data owner.

5
MCQ · medium

A healthcare organization must decommission an old server containing patient health information (PHI) stored on solid-state drives (SSDs). Standard overwriting techniques are ineffective for SSDs due to wear-leveling and bad block mapping. Which sanitization method is most appropriate for these drives?

A. Cryptographic erasure by deleting the encryption key
B. Degaussing with a high-coercivity degausser
C. Physical destruction such as shredding or pulverizing
D. Overwriting with the DoD 5220.22-M 7-pass standard
Answer: C

Correct. Physical destruction ensures all memory cells are destroyed and data cannot be recovered.

Why this answer

Physical destruction (e.g., shredding or pulverizing) is recommended for SSDs because overwriting may not reach all cells (wear-leveling, over-provisioning and remapped blocks leave areas the host cannot address) and degaussing does not affect flash memory. Cryptographic erasure is only an option when the drives were encrypted before the PHI was written and the key can be verifiably destroyed; the scenario states neither, so destruction is the safe choice.

6
MCQ · easy

Which phase of the data lifecycle involves the removal of data from active storage and placement into long-term storage for potential future use?

A. Use
B. Archive
C. Destroy
D. Store
Answer: B

Correct. Archiving is the process of moving data to long-term storage for retention.

Why this answer

The archive phase moves data from active use to long-term storage for retention purposes, often for compliance or historical reference.

7
MCQ · medium

A government contractor handles data classified as 'Secret'. According to government data classification levels, which of the following is the correct order from most restrictive to least restrictive?

A. Confidential, Secret, Top Secret, Unclassified
B. Top Secret, Secret, Confidential, Unclassified
C. Unclassified, Confidential, Secret, Top Secret
D. Secret, Top Secret, Confidential, Unclassified
Answer: B

Correct order.

Why this answer

Government classification levels, from most restrictive to least restrictive, are: Top Secret, Secret, Confidential, Unclassified.

8
MCQ · medium

A government contractor handles classified information up to the Secret level. The company's data classification policy recently changed, requiring that all documents marked as 'Confidential' be reclassified as 'Secret' after review. Who is ultimately accountable for ensuring that reclassification is performed correctly?

A. Data custodian
B. Data subject
C. Data steward
D. Data owner
Answer: D

Correct. The data owner is accountable for classification and ensuring compliance with policy.

Why this answer

The data owner is the senior-level manager accountable for data classification and protection. They have the authority and responsibility to assign classification levels and ensure data is properly classified.

9
MCQ · hard

A company has a data retention policy requiring customer transaction records to be kept for 7 years. After 7 years, the data should be destroyed. Which phase of the data lifecycle governs this action?

A. Use
B. Share
C. Archive
D. Destroy
Answer: D

Destruction is the final phase after retention expires.

Why this answer

The destroy phase is where data is permanently removed according to retention policies.

10
MCQ · medium

An organization uses a configuration management database (CMDB). Which of the following is the PRIMARY purpose of a CMDB?

A. Manage user passwords
B. Monitor network performance
C. Record asset relationships and configurations
D. Track software licenses
Answer: C

CMDB captures relationships and configurations of IT assets.

Why this answer

A CMDB stores information about hardware and software assets and their relationships, aiding in configuration management and change impact analysis.

11
MCQ · medium

A security administrator needs to ensure that data stored on a server is unrecoverable after decommissioning. The server uses SSDs. Which sanitization method is MOST appropriate?

A. Quick format
B. Standard overwriting with multiple passes
C. Physical destruction (shredding)
D. Degaussing
Answer: C

Shredding SSDs ensures data is physically destroyed.

Why this answer

SSDs cannot be reliably overwritten because wear leveling and over-provisioning leave cells the host cannot address; physical destruction, or cryptographic erasure where the drive was encrypted from the start, is recommended. A quick format only rewrites filesystem metadata, and degaussing has no effect on flash memory.

12
Multi-Select · hard

A security professional is tasked with sanitizing a set of hard drives that contain sensitive corporate data. The organization wants to ensure that data cannot be recovered, even by advanced forensic methods. According to NIST SP 800-88, which THREE methods are considered appropriate for sanitization? (Select THREE.)

Select 3 answers
A. Physically shredding the drive into small pieces
B. Degaussing the drive with a high-energy magnetic field
C. Deleting all files and emptying the recycle bin
D. Overwriting the entire drive with multiple passes of random data
E. Reformatting the drive and reinstalling the operating system
Answers: A, B, D

Correct. Physical destruction is a sanitization method.

Why this answer

NIST SP 800-88 Rev. 1 defines three sanitization levels: Clear, Purge, and Destroy. Overwriting is a Clear technique (the standard notes that a single verified pass is sufficient on modern drives, so extra passes add time rather than assurance), degaussing is a Purge technique for magnetic media, and shredding is Destroy. Deleting files or reformatting only removes filesystem references and leaves the data recoverable with ordinary forensic tools. Cryptographic erase is a way of achieving Purge on media that was encrypted throughout its life, not a fourth category in the standard.

13
MCQ · easy

Which term describes the process of modifying data so that it cannot be attributed to a specific individual without additional information that is kept separately?

A. Anonymisation
B. Differential privacy
C. Pseudonymisation
D. Encryption
Answer: C

Pseudonymisation allows re-identification with a key.

Why this answer

Pseudonymisation replaces identifying information with pseudonyms, allowing re-identification with additional data kept separately.
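Added example (not part of the original question bank): a keyed pseudonymisation scheme in Python that shows why the "additional information kept separately" matters. The employee records, the fixed key and the four-digit identifier space are constructed for illustration; in a real deployment the key would be generated with secrets.token_bytes and held in a KMS or HSM that the analytics environment cannot reach.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed data (not from the original page): employee id -> salary band.
# The id space is deliberately tiny so the brute-force below finishes instantly.
EMPLOYEE_RECORDS = {"0042": "band-3", "0137": "band-5", "0999": "band-2"}

# Assumption: a real key is generated with secrets.token_bytes(32) and kept
# in a KMS/HSM separate from the dataset. Fixed here only for reproducibility.
PSEUDONYM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier, hex encoded.
    Without the key nobody can recompute it, so the pseudonymised data alone
    cannot be linked back to a person."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise_dataset(records: dict, key: bytes) -> tuple:
    """Split records into (pseudonymised dataset, re-identification table).
    The dataset goes to analysts; the table is the 'additional information
    kept separately' that allows controlled re-identification."""
    dataset, lookup = {}, {}
    for emp_id, band in records.items():
        p = pseudonymise(emp_id, key)
        dataset[p] = band
        lookup[p] = emp_id
    return dataset, lookup


def reidentify(pseudonym: str, lookup: dict) -> Optional[str]:
    """Controlled re-identification: only works for whoever holds the table."""
    return lookup.get(pseudonym)


def unkeyed_hash(identifier: str) -> str:
    """What is often done instead: a plain SHA-256. Anyone can recompute it."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def all_four_digit_ids() -> Iterable[str]:
    """The attacker's candidate list: every possible identifier."""
    return (f"{i:04d}" for i in range(10_000))


def brute_force(target: str, candidates: Iterable[str],
                fn: Callable[[str], str]) -> Optional[str]:
    """Reverse a hash by enumeration: the candidate whose fn() equals target, or None."""
    for c in candidates:
        if hmac.compare_digest(fn(c), target):
            return c
    return None
```

The last two functions make the practical caveat concrete: an unkeyed hash of an identifier drawn from a small or enumerable space (national ID numbers, employee IDs, phone numbers) is reversed by enumeration, so it is not pseudonymisation in the GDPR sense. The HMAC variant resists the same enumeration because the attacker does not hold the key.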

14
Multi-Select · hard

An organization is developing a privacy program. Which THREE of the following are core principles of privacy by design? (Select 3)

Select 3 answers
A. Open data sharing
B. Data minimization
C. Purpose limitation
D. Maximum data retention
E. Storage limitation
Answers: B, C, E

Collect only necessary data.

Why this answer

Privacy by design includes data minimization, purpose limitation, and storage limitation among its principles.

15
MCQ · hard

An organization is implementing privacy by design in a new application that collects user location data. Which practice best aligns with the data minimization principle?

A. Encrypting location data both at rest and in transit
B. Anonymizing location data after collection
C. Obtaining explicit consent from users before collection
D. Collecting location data only when the app is actively in use
Answer: D

Correct. This minimizes the collection of location data to what is strictly necessary for functionality.

Why this answer

Data minimization requires collecting only the data necessary for the specified purpose. Collecting location data only when the app is actively in use reduces unnecessary data collection.

16
MCQ · medium

A company is implementing a data classification scheme. Which category should be assigned to internal memos about employee benefit plans that are not intended for public disclosure?

A. Private/Internal
B. Confidential/Restricted
C. Public
D. Sensitive
Answer: A

Private/Internal is appropriate for internal communications that should not be shared externally.

Why this answer

Commercial classification schemes typically use 'Private' for internal data that could cause harm if disclosed, such as employee benefit details.

17
MCQ · medium

An organization is required to declassify a document that was previously classified as 'Secret' under government guidelines. What process must be followed before the document can be released to the public?

A. The data owner must reclassify it as 'Unclassified' without further action
B. The document can be released immediately after the classification period expires
C. A declassification review by authorized personnel must be conducted
D. The document should be shredded and a new version created without classified markings
Answer: C

Correct. Declassification requires a formal review to ensure no sensitive information is disclosed.

Why this answer

Declassification is a formal review process to determine if the information still requires protection. It must be performed by authorized personnel following established procedures.

18
MCQ · hard

An organization wants to ensure that data is protected throughout its lifecycle. Which step in the data lifecycle is most critical for enforcing data retention policies?

A. Archive
B. Use
C. Create/Collect
D. Share
Answer: A

Archiving implements retention by storing data for the required period.

Why this answer

The 'archive' phase is when data is moved to long-term storage based on retention requirements, and the retention policy dictates how long it must be kept.

19
MCQ · medium

An organization is decommissioning a server containing magnetic hard drives that stored sensitive data. The data has been backed up to tape and the drives are to be reused. Which media sanitization method is most appropriate to ensure data cannot be recovered while preserving the drives for reuse?

A. Degaussing
B. Overwriting the entire drive with a recognized standard
C. Physical destruction (shredding)
D. Cryptographic erasure
Answer: B

Overwriting sanitizes the drive and allows it to be reused.

Why this answer

Overwriting is effective for magnetic media and leaves the drive usable. NIST SP 800-88 Rev. 1 treats a single pass as sufficient on modern drives (the DoD 5220.22-M multi-pass scheme is a legacy reference), and requires that the overwrite be followed by a read-back verification. Degaussing a modern HDD also erases its servo tracks, so the drive cannot be reused; destruction obviously prevents reuse; and cryptographic erasure only applies if the drives were encrypted before the sensitive data was written.
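Added example (not from the original page): the overwrite-and-verify procedure behind answer B, carried out in Python against a constructed 4 MiB image file standing in for a magnetic drive. The marker string, chunk size and image layout are assumptions for the demonstration; on a real system the same functions would be pointed at the block device, and the read-back verification is the step NIST SP 800-88 requires after any overwrite.

```python
import os
import tempfile

CHUNK = 1024 * 1024                      # 1 MiB write/read unit
MARKER = b"CUSTOMER TRANSACTION RECORDS"  # constructed plaintext to hunt for afterwards
IMAGE_SIZE = 4 * CHUNK                   # constructed stand-in for a small drive


def make_sample_image(path: str, size: int = IMAGE_SIZE) -> None:
    """Fill the image with random bytes and plant a recognisable record in the middle."""
    with open(path, "wb") as f:
        f.write(os.urandom(size))
        f.seek(size // 2)
        f.write(MARKER)


def _tile(pattern: bytes, n: int) -> bytes:
    """Repeat `pattern` to exactly n bytes."""
    return (pattern * (n // len(pattern) + 1))[:n]


def overwrite_single_pass(path: str, pattern: bytes = b"\x00") -> int:
    """One full pass of `pattern` over every byte, flushed to the media.
    Opened r+b so the target is never truncated (a real device cannot be).
    Returns the number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(CHUNK, size - written)
            f.write(_tile(pattern, n))
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_overwrite(path: str, pattern: bytes = b"\x00") -> bool:
    """Read-back verification: every chunk must equal the pattern.
    Issuing the writes is not the same as confirming them."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        offset = 0
        while offset < size:
            n = min(CHUNK, size - offset)
            if f.read(n) != _tile(pattern, n):
                return False
            offset += n
    return True


def contains_marker(path: str, marker: bytes = MARKER) -> bool:
    """Residual-data check: search the media for known plaintext, keeping an
    overlap so a match that straddles two chunks is not missed."""
    overlap = len(marker) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            if marker in tail + chunk:
                return True
            tail = chunk[-overlap:] if overlap else b""


def run_demo() -> dict:
    """Run the procedure on a temporary image and return each check's result."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        make_sample_image(path)
        result = {}
        result["marker_before"] = contains_marker(path)
        result["verified_before"] = verify_overwrite(path)
        result["bytes_written"] = overwrite_single_pass(path)
        result["verified_after"] = verify_overwrite(path)
        result["marker_after"] = contains_marker(path)
        result["size_unchanged"] = os.path.getsize(path) == IMAGE_SIZE
    finally:
        os.remove(path)
    return result
```

run_demo() reports that the plaintext marker is present before the pass and absent afterwards, that the image verifies as all zeros only after the pass, and that the media size is unchanged. The verification is only meaningful for magnetic media: an SSD controller may map the rewritten addresses to fresh cells and leave the old ones untouched, which is why the SSD questions on this page point to cryptographic erasure or destruction instead.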

20
MCQ · easy

What is the primary purpose of a configuration management database (CMDB) in asset management?

A. Monitor network traffic for anomalies
B. Store and manage data classification labels
C. Track software licenses and compliance
D. Provide a repository of configuration items and their relationships
Answer: D

Correct. CMDB is a central repository for IT asset configurations and relationships.

Why this answer

A CMDB is used to store information about configuration items (CIs) and their relationships, helping manage IT assets and their interdependencies.

21
MCQ · easy

Which phase of the data lifecycle includes the act of securely deleting data that is no longer needed, in accordance with retention policies?

A. Store
B. Share
C. Archive
D. Destroy
Answer: D

The destroy phase covers secure deletion.

Why this answer

The destroy phase involves secure disposal of data when it is no longer required, often through purging or destruction.

22
MCQ · hard

A financial institution stores customer PII, including Social Security numbers (SSNs). Under privacy regulations, SSNs are considered sensitive PII. Which of the following techniques would best reduce the risk of re-identification while preserving the utility of the data for statistical analysis?

A. Anonymization by removing all direct identifiers
B. Encrypting the entire dataset at rest
C. Differential privacy by adding calibrated noise to the dataset
D. Pseudonymization by replacing names with random identifiers
Answer: C

Differential privacy provides strong mathematical guarantees against re-identification.

Why this answer

Differential privacy adds noise to query results to protect individual records while allowing aggregate analysis, balancing privacy and utility.

23
MCQ · easy

Which type of data is considered sensitive PII and requires enhanced protection?

A. Name and email address
B. Job title
C. Phone number
D. Social Security number
Answer: D

SSNs are sensitive PII due to identity theft risk.

Why this answer

Sensitive PII includes information that could cause serious harm if disclosed, such as Social Security numbers, biometric data, and medical records.

24
Multi-Select · hard

An organization is reviewing its media sanitization procedures. Which TWO methods are considered acceptable for sanitizing solid-state drives (SSDs) according to NIST SP 800-88 guidelines?

Select 2 answers
A. Degaussing
B. Cryptographic erase
C. Physical destruction (shredding or pulverizing)
D. Overwriting with a random pattern
E. Data wiping software
Answers: B, C

Destroying the encryption key makes data inaccessible.

Why this answer

For SSDs, cryptographic erase and physical destruction are recommended. Cryptographic erase assumes the drive encrypted all data before it was written and that the key is destroyed from every place it was stored. Overwriting, including generic wiping software, is unreliable because wear-leveling and over-provisioning leave cells the host cannot address, and degaussing does not work on flash memory. NIST SP 800-88 also recognizes the drive's own sanitize/block-erase commands as a purge method for flash media, but that option is not offered here.

25
Multi-Select · medium

A company is implementing a data retention policy for customer records. Which THREE factors should be considered when determining retention periods?

Select 3 answers
A. Legal and regulatory requirements
B. Storage cost
C. Maximum possible retention without consequence
D. Data owner's personal preference
E. Business operational needs
Answers: A, B, E

Laws and regulations often mandate minimum retention periods.

Why this answer

Retention periods are driven by legal and regulatory requirements (which usually set a minimum), business operational needs, and the cost and exposure of holding data longer than necessary. Keeping data for the maximum possible period or by personal preference enlarges the impact of any breach and conflicts with the storage limitation principle.

26
Multi-Select · medium

A data breach has occurred involving a database that contains personally identifiable information (PII). As part of incident response, the organization needs to identify all roles responsible for data protection. Which TWO roles are primarily accountable for data classification and protection requirements according to typical data governance frameworks?

Select 2 answers
A. Senior management
B. Data subject
C. Data steward
D. Data custodian
E. Data owner
Answers: A, E

Senior management is ultimately accountable for the organization's data protection.

Why this answer

The data owner is accountable for classification and protection requirements, while senior management has ultimate accountability.

27
MCQ · hard

A company is designing a database that will contain personally identifiable information (PII). To reduce privacy risk, they decide to add controlled noise to query results. This technique is known as:

A. Data masking
B. Tokenization
C. Differential privacy
D. Anonymization
Answer: C

Differential privacy adds noise to preserve privacy.

Why this answer

Differential privacy adds noise to query outputs to protect individual privacy while allowing aggregate analysis.

28
MCQ · hard

A company uses differential privacy to release aggregate statistics from a dataset containing sensitive employee information. Which of the following is true regarding differential privacy?

A. It works by adding noise to the data or query results to protect individual privacy
B. It ensures that no individual's data can ever be inferred from the released statistics
C. It requires that data be encrypted before release
D. It is a method of pseudonymization that replaces identifiers with pseudonyms
Answer: A

Correct. Noise is added to achieve differential privacy, balancing accuracy and privacy.

Why this answer

Differential privacy adds calibrated noise to query results to mask individual contributions, ensuring that the inclusion or exclusion of any single record does not significantly affect the output.
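Added example (not from the original questions) covering questions 22, 27 and 28: the Laplace mechanism in Python applied to a counting query, with a function that computes the privacy loss between two datasets so that the epsilon bound behind option A of question 28, and the falsity of option B, can be checked numerically. The employee list is constructed; epsilon, the seed and the query are illustrative choices.

```python
import math
import random

# Constructed dataset (not from the original page): one entry per employee,
# 1 = has the sensitive attribute being counted, 0 = does not.
EMPLOYEES = [1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0]


def count_query(data: list) -> int:
    """True answer. Adding or removing one person moves it by at most 1,
    so the query's sensitivity is 1."""
    return sum(data)


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Laplace mechanism: noise scale b = sensitivity / epsilon.
    Smaller epsilon means more noise and a stronger guarantee."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def sample_laplace(scale: float, rng: random.Random) -> float:
    """Draw from Laplace(0, scale) by inverse-CDF sampling."""
    while True:
        u = rng.random() - 0.5              # uniform on [-0.5, 0.5)
        if abs(u) < 0.5:                    # skip the one point where log(0) would occur
            return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def noisy_count(data: list, epsilon: float, seed=None) -> float:
    """Release the count with calibrated noise. The seed exists only so the
    example is reproducible; a real release draws from random.SystemRandom."""
    rng = random.Random(seed)
    return count_query(data) + sample_laplace(laplace_scale(1.0, epsilon), rng)


def privacy_loss(output: float, data_a: list, data_b: list, epsilon: float) -> float:
    """|ln(Pr[M(A) = output] / Pr[M(B) = output])| for the Laplace mechanism.
    When A and B differ in exactly one record this never exceeds epsilon;
    that bound is the differential-privacy guarantee. It limits how much an
    observer's inference can shift, it does not make inference impossible."""
    b = laplace_scale(1.0, epsilon)
    log_a = -abs(output - count_query(data_a)) / b   # log density up to a shared constant
    log_b = -abs(output - count_query(data_b)) / b
    return abs(log_a - log_b)
```

privacy_loss stays at or below epsilon for every possible output when the two datasets differ by a single record, which is the formal guarantee. For datasets that differ in several records it exceeds epsilon, and across many released queries the losses add up, so differential privacy bounds inference rather than preventing it.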

29
MCQ · medium

A government contractor handles documents classified as 'Secret.' Which of the following represents the correct handling of these documents when they are no longer needed?

A. Overwrite the data using a 7-pass method.
B. Recycle them as part of a standard office recycling program.
C. Deposit them in a secure disposal bin for later incineration.
D. Shred them using a cross-cut shredder to particles of a specified size.
Answer: D

Cross-cut shredding to approved particle size is an accepted method for destroying Secret documents.

Why this answer

Secret-level documents require secure destruction methods approved by the government, such as incineration or shredding to a specified particle size, to prevent unauthorized disclosure.

30
MCQ · hard

During an audit, it is discovered that a database containing personally identifiable information (PII) has been retained for 10 years beyond the regulatory requirement. The data owner has not approved the retention extension. Which data lifecycle principle is primarily being violated?

A. Storage limitation
B. Data minimization
C. Purpose limitation
D. Integrity
Answer: A

Storage limitation requires data deletion after the retention period.

Why this answer

Storage limitation requires that data be retained only as long as necessary; exceeding the retention period violates this principle.

31
MCQ · medium

Under GDPR, a company processes personal data on behalf of a data controller. Which role does the company fulfill?

A. Data custodian
B. Data controller
C. Data processor
D. Data subject
Answer: C

The processor acts on behalf of the controller.

Why this answer

A data processor processes data on behalf of the controller, subject to strict contractual and regulatory obligations.

32
MCQ · easy

Which role is ultimately accountable for the classification of data within an organization?

A. Data steward
B. Data custodian
C. Data processor
D. Data owner
Answer: D

The data owner decides classification levels.

Why this answer

The data owner is the senior-level person who has the authority and accountability for data classification and protection.

33
MCQ · hard

A data warehouse contains anonymized customer transaction data used for analytics. The anonymization process removed direct identifiers and applied k-anonymity with k=10. An attacker obtains the dataset and attempts to re-identify individuals using auxiliary information. Which of the following best describes the residual privacy risk?

A. No risk because anonymization eliminates all PII
B. High risk because k=10 is too small to provide meaningful privacy
C. Low risk because k=10 ensures a group of at least 10 individuals
D. Moderate risk because k-anonymity does not protect against attribute disclosure if the group is homogeneous
Answer: D

Correct. If all individuals in a group share the same sensitive attribute, that attribute is disclosed despite k-anonymity.

Why this answer

k-anonymity means each record shares its quasi-identifier values with at least k-1 other records, so an attacker who knows a person's quasi-identifiers can narrow them down only to a group of at least 10. If everyone in that group has the same sensitive value (a homogeneity attack), the attacker learns it anyway without identifying the exact record; background knowledge about the target can shrink the group further. l-diversity and t-closeness were introduced to address these gaps.
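Added example (not from the original page) for the residual risk described in question 33: a small k-anonymity and l-diversity checker in Python run over a constructed release table. The quasi-identifiers, diagnoses and group sizes are illustrative; the point is that the table satisfies k=3 yet one equivalence class is homogeneous, so an attacker who knows a target's zip3, age band and sex learns the diagnosis with certainty.

```python
from collections import defaultdict

# Constructed release table (not from the original page). Direct identifiers
# are already removed; zip3/age_band/sex are the quasi-identifiers and
# diagnosis is the sensitive attribute.
RELEASE = [
    {"zip3": "021", "age_band": "30-39", "sex": "F", "diagnosis": "hypertension"},
    {"zip3": "021", "age_band": "30-39", "sex": "F", "diagnosis": "hypertension"},
    {"zip3": "021", "age_band": "30-39", "sex": "F", "diagnosis": "hypertension"},
    {"zip3": "945", "age_band": "40-49", "sex": "M", "diagnosis": "asthma"},
    {"zip3": "945", "age_band": "40-49", "sex": "M", "diagnosis": "diabetes"},
    {"zip3": "945", "age_band": "40-49", "sex": "M", "diagnosis": "hypertension"},
    {"zip3": "945", "age_band": "40-49", "sex": "M", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("zip3", "age_band", "sex")
SENSITIVE = "diagnosis"


def equivalence_classes(rows, qi):
    """Group records that are indistinguishable on the quasi-identifiers."""
    classes = defaultdict(list)
    for row in rows:
        classes[tuple(row[a] for a in qi)].append(row)
    return classes


def k_anonymity(rows, qi) -> int:
    """k = size of the smallest equivalence class."""
    return min(len(group) for group in equivalence_classes(rows, qi).values())


def l_diversity(rows, qi, sensitive) -> int:
    """l = fewest distinct sensitive values in any class.
    l == 1 means a homogeneity attack succeeds against that class."""
    return min(len({r[sensitive] for r in group})
               for group in equivalence_classes(rows, qi).values())


def homogeneous_classes(rows, qi, sensitive) -> dict:
    """Classes whose members all share one sensitive value, mapped to that value."""
    out = {}
    for key, group in equivalence_classes(rows, qi).items():
        values = {r[sensitive] for r in group}
        if len(values) == 1:
            out[key] = values.pop()
    return out


def attacker_inference(rows, qi, sensitive, known_qi_values: tuple) -> set:
    """What an attacker who knows a target's quasi-identifier values can conclude:
    the set of sensitive values still possible for that target."""
    group = equivalence_classes(rows, qi).get(known_qi_values, [])
    return {r[sensitive] for r in group}
```

Checking l_diversity alongside k_anonymity before release catches the homogeneity case; attacker_inference shows the outcome from the attacker's side for both the homogeneous class (one possible diagnosis) and the diverse one (three).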

34
MCQ · medium

A company wants to ensure that data labeled 'Internal Use Only' is not inadvertently disclosed to unauthorized parties. What is the most effective way to communicate handling requirements to employees?

A. Using data loss prevention (DLP) software
B. Implementing a data classification policy and training employees on labeling and handling procedures
C. Encrypting all data at rest
D. Restricting access to the data through role-based access control
Answer: B

Policy and training are key to communicating requirements.

Why this answer

Clear labeling and documented handling procedures ensure employees know how to treat data appropriately.

35
MCQ · medium

A financial institution is preparing to dispose of magnetic tape backups containing transaction records. The tapes are no longer needed for retention. Which sanitization method is most effective for rendering the data unrecoverable on magnetic tape?

A. Cryptographic erasure
B. Degaussing
C. Overwriting with zeros
D. Physical destruction by incineration
Answer: B

Correct. Degaussing neutralizes the magnetic field and erases data on magnetic tape.

Why this answer

Degaussing uses a strong magnetic field to erase data on magnetic media, including tapes, and is highly effective for sanitization provided the degausser is rated for the tape's coercivity. Overwriting a tape is slow and hard to verify, and cryptographic erasure only applies if the backups were encrypted when they were written.

36
MCQ · hard

A company collects PII from European customers for order processing. Under GDPR, they engage a third-party logistics provider to handle shipping. Which role does the logistics provider typically assume in this scenario?

A. Data controller
B. Data custodian
C. Data processor
D. Data subject
Answer: C

Correct. The logistics provider is a data processor processing data on behalf of the controller.

Why this answer

A data processor processes personal data on behalf of the data controller (the company). The logistics provider handles data for shipping but does not determine purposes or means.

37
MCQ · easy

A data owner has classified a dataset as 'Confidential' in a commercial organization. Which of the following best describes the primary responsibility of the data owner for this dataset?

A. Determining the data's classification and ensuring it is labeled appropriately
B. Ensuring the data is accurate and complete
C. Implementing technical controls to protect the data
D. Performing daily backups of the data
Answer: A

The data owner classifies data and determines handling requirements.

Why this answer

The data owner is accountable for data classification and assigning protection requirements, while the custodian implements controls.

38
MCQ · medium

A company must destroy a set of hard drives containing sensitive customer data. The drives are magnetic (HDDs). Which destruction method provides the highest assurance of data irrecoverability?

A. Overwriting with a single pass of zeros
B. Physical destruction by drilling
C. Degaussing
D. Cryptographic erasure
Answer: C

Degaussing renders magnetic media completely unreadable.

Why this answer

Degaussing disrupts the magnetic domains on HDD platters, making data unrecoverable, and is considered highly effective for magnetic media provided the degausser is rated for the drive's coercivity. Drilling leaves most of the platter surface intact and readable with laboratory equipment, a single pass of zeros is only a Clear-level sanitization, and cryptographic erasure requires the data to have been encrypted all along.

39
Multi-Select · medium

A multinational corporation is implementing a data classification policy for commercial data. Which TWO labels are commonly used in commercial classification schemes? (Select TWO.)

Select 2 answers
A. Public
B. Secret
C. Unclassified
D. Private
E. Top Secret
Answers: A, D

Correct. Public is a commercial label for data that can be freely distributed.

Why this answer

Commercial classification often includes 'Public' for non-sensitive data and 'Private' for internal data. 'Top Secret' and 'Unclassified' are government labels.

40
MCQ · easy

Which of the following is the primary purpose of a configuration management database (CMDB) in asset management?

A. Store information about hardware and software components and their relationships
B. Track software licenses and compliance
C. Perform vulnerability scanning
D. Monitor network performance
Answer: A

CMDB captures configuration items and relationships.

Why this answer

A CMDB stores information about configuration items (CIs) and their relationships, aiding in change and incident management.

41
MCQ · hard

An organization is implementing privacy by design for a new application that processes PII. Which practice BEST aligns with the data minimization principle?

A. Collecting only the PII required for the stated function.
B. Anonymizing data after collection.
C. Obtaining explicit consent from users.
D. Collecting all possible PII in case it is needed later.
Answer: A

This directly implements data minimization.

Why this answer

Data minimization means collecting only the personal data that is directly necessary for the specified purpose.

42
MCQ · easy

An organization wants to implement a data classification scheme for internal use. Which of the following is an example of a commercial data classification label?

A. Unclassified
B. Top Secret
C. Confidential
D. Private
Answer: D

Correct. 'Private' is a common label in commercial classification schemes for internal data.

Why this answer

'Private' (often called 'Internal') is a label typical of commercial schemes. 'Unclassified' and 'Top Secret' are government labels, and 'Confidential' is used in both government and commercial schemes, so it does not uniquely identify a commercial scheme.

43
MCQ · medium

An organization's data retention policy specifies that customer records must be retained for five years after the end of the business relationship. After that period, what should be done with the data according to best practices?

A. Continue retaining the data indefinitely for future use
B. Securely destroy the data
C. Archive the data to offline storage
D. Anonymize the data and keep it
Answer: B

Correct. Data should be destroyed at the end of its retention period to minimize risk.

Why this answer

Once the retention period expires, data should be securely destroyed to prevent unauthorized access and comply with privacy regulations.

44
MCQ · easy

An organization's data retention policy requires that financial records be kept for seven years. After that period, the records must be destroyed in a manner that prevents reconstruction. Which of the following is the best sanitization method for paper records containing sensitive financial data?

A. Cross-cut shredding
B. Overwriting with random patterns multiple times
C. Cryptographic erasure
D. Degaussing with a strong magnetic field
Answer: A

Correct. Cross-cut shredding physically destroys paper records, preventing reconstruction.

Why this answer

Cross-cut shredding reduces paper to small particles, making reconstruction extremely difficult and is a common method for destroying paper records.

45
MCQ · medium

A database administrator (DBA) is responsible for implementing access controls and backup procedures for a customer database containing PII. The DBA reports to the data owner regarding security measures. Which role best describes the DBA's responsibilities?

A. Data steward
B. Data owner
C. Data custodian
D. Data processor
Answer: C

Correct. The DBA, as a custodian, implements security controls and manages the data on behalf of the owner.

Why this answer

The data custodian is responsible for the day-to-day management and security of data, including implementing controls, backups, and access management, on behalf of the data owner.

46
MCQ · medium

Under the GDPR, which role is responsible for determining the purposes and means of processing personal data?

A. Data processor
B. Data controller
C. Data subject
D. Data protection officer
Answer: B

The controller determines the purposes and means.

Why this answer

The data controller decides why and how personal data is processed, as defined in GDPR.
