Which of the following represents the GREATEST risk to data confidentiality?
Correct Answer: C
Explanation:
Generating backup tapes unencrypted represents the greatest risk to data confidentiality, as it
exposes the data to unauthorized access or disclosure if the tapes are lost, stolen, or intercepted.
Backup tapes are often stored off-site or transported to remote locations, which increases the
chances of them falling into the wrong hands. If the backup tapes are unencrypted, anyone who
obtains them can read the data without any difficulty. Therefore, backup tapes should always be
encrypted using strong algorithms and keys, and the keys should be protected and managed
separately from the tapes.
The other options do not pose as much risk to data confidentiality as generating backup tapes
unencrypted. "Network redundancies are not implemented" affects the availability and reliability of
the network, but not necessarily the confidentiality of the data. "Security awareness training is not
completed" increases the likelihood of human errors or negligence that could compromise the
data, but not as directly as generating backup tapes unencrypted. "Users have administrative
privileges" grants users more access and control over the system and the data, but not as widely as
generating backup tapes unencrypted.
Question 2
Which of the following is MOST important when assigning ownership of an asset to a department?
Correct Answer: C
Explanation:
When assigning ownership of an asset to a department, the most important factor is to ensure
individual accountability for the asset. Individual accountability means that each person who has
access to or uses the asset is responsible for its protection and proper handling. Individual
accountability also implies that each person who causes or contributes to a security breach or
incident involving the asset can be identified and held liable. Individual accountability can be
achieved by implementing security controls such as authentication, authorization, auditing, and
logging.
The other options are not as important as ensuring individual accountability, as they do not directly
address the security risks associated with the asset. "The department should report to the business
owner" is a management issue, not a security issue. "Ownership of the asset should be periodically
reviewed" is a good practice, but it does not prevent misuse or abuse of the asset. "All members
should be trained on their responsibilities" is a preventive measure, but it does not guarantee
compliance or enforcement of the responsibilities.
Question 3
Which of the following BEST describes the responsibilities of a data owner?
Correct Answer: D
Explanation:
The best description of the responsibilities of a data owner is determining the impact the
information has on the mission of the organization. A data owner is a person or entity that has the
authority and accountability for the creation, collection, processing, and disposal of a set of data. A
data owner is also responsible for defining the purpose, value, and classification of the data, as well
as the security requirements and controls for the data. A data owner should be able to determine the
impact the information has on the mission of the organization, which means assessing the potential
consequences of losing, compromising, or disclosing the data. The impact of the information on the
mission of the organization is one of the main criteria for data classification, which helps to establish
the appropriate level of protection and handling for the data.
The other options are not the best descriptions of the responsibilities of a data owner, but rather the
responsibilities of other roles or functions related to data management. "Ensuring quality and
validation through periodic audits for ongoing data integrity" is a responsibility of a data steward, who
is a person or entity that oversees the quality, consistency, and usability of the data. "Maintaining
fundamental data availability, including data storage and archiving" is a responsibility of a data
custodian, who is a person or entity that implements and maintains the technical and physical
security of the data. "Ensuring accessibility to appropriate users, maintaining appropriate levels of
data security" is a responsibility of a data controller, who is a person or entity that determines the
purposes and means of processing the data.