CompTIA CASP+ CAS-004 Training Course (Exam-Labs)
Data Considerations (Domain 4)
1. Data Considerations (OBJ 4.3)
In this section of the course, we're going to cover the various considerations that you need to think about in relation to your organization's data. Our focus in this section is going to be on objective 4.3, explaining compliance frameworks and legal considerations and their organizational impact. As we move through this section, we're going to start out by providing an overview of data security and then move into the different types of data classifications and the different data types that your organization may utilize. After that, we're going to dive into the requirements for data retention and data destruction, because all data has a life cycle associated with it, from birth or creation to death or destruction. Now, finally, we're going to move into the concept of data ownership and data sovereignty, which is going to become increasingly important if you work in an organization that works with third-party vendors or utilizes cloud-based servers that span multiple countries across the globe. So if you're ready to get started, let's jump into our lessons focused on data considerations.
2. Data Security (OBJ. 4.3)
There are three fundamental components to information system security: confidentiality, integrity, and availability. Often, when we look at the realization of a risk, it's the result of a failure to provide for one of these three tenets of security. So let's look at each of these three tenets and how they apply to the security of our systems. The first tenet is confidentiality. Confidentiality means preventing the disclosure of data or information to unauthorized people or systems. When we deal with confidentiality, we are going to ask two main questions: how secure is the information, and how secure does that information need to be? Now, in order to increase data confidentiality, we implement controls like data encryption at rest, in transit, or in use, access control lists on our network devices, proper data classification, locked doors, fences, security guards, and other technical or nontechnical means.
Now, confidentiality fails if someone can obtain and view the data that we're trying to protect. This is an important distinction: if someone can break into our network and retrieve an encrypted file, but they can't decrypt that file and read it because they don't have the key, they have not breached our confidentiality yet. The second tenet is integrity. Integrity deals with protecting data from unauthorized modification or corruption. When we're dealing with integrity, we ask two main questions: how correct is the information, and has the data been modified during retrieval, in transit, or in storage? In order to increase data integrity, we implement controls like hashing files and information so their accuracy can be checked, and checksums on data transmitted over the network. One caveat worth remembering: a plain checksum only catches accidental corruption; to detect deliberate tampering by an attacker, the hash has to be keyed (a MAC) or signed, because anyone who can change the data can recompute an unkeyed checksum.
Now, integrity fails if someone can modify the data during its retrieval, during its transfer, or while it's being stored, which is known as data at rest. The third tenet is availability. Availability deals with ensuring that data is accessible when and where it's needed. When we deal with availability, we're going to ask two main questions: how much uptime is the system providing, and is the data always accessible by our end users? Now, in order to increase data availability, we implement controls like redundancy in the system design (redundant components and redundant data paths), detailed backup strategies, and a good disaster recovery plan. Availability fails if an end user cannot access the data when they need it. A great example of this occurs if our company's servers are suffering a denial of service attack. Our end users can no longer access the data, even though the data still maintains its full confidentiality and integrity on our servers. Often, you'll see the CIA triad displayed as an equilateral triangle with three equally balanced sides. But this perfectly balanced approach is really hard to obtain in the real world. Instead, one or more of these tenets may be more important to your organization's business practices, and additional resources and controls will be applied to maintaining those components of security over the others. Now, it's a good idea to categorize potential risks by considering the impact on your organization of each of these three tenets of the CIA triad. These potential impacts can be categorized as low, moderate, or high. For example, a low-impact risk to confidentiality means that an unauthorized disclosure of information would have a limited adverse effect.
A moderate impact on integrity, on the other hand, means that an unauthorized modification would have a serious adverse effect on the organization. Lastly, a high impact on availability means that a loss of availability would have a severe or catastrophic effect on our organization. This categorization of low, moderate, and high impact is required for information systems owned or operated by the US federal government under Federal Information Processing Standards Publication 199 (FIPS 199). Now, this is not mandatory for commercial businesses, but it is considered a best practice and is widely followed as part of a risk management program.
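Here is a worked example of the FIPS 199 categorization just described, added for this lesson (it is not code from the course). FIPS 199 assigns a low, moderate, or high impact to each of the three tenets for every information type a system handles, then takes the high water mark per tenet across all of them; confidentiality may be "not applicable" for information that is already public, but at the system level every tenet is floored at low. The information types and impact values below are constructed sample data, and the overall-level helper follows the FIPS 200 rule that the system's impact level is the highest of the three.

```python
"""FIPS 199 style security categorization by high water mark.

Added illustration for this lesson, not code from the course. The information
types and their per-tenet impact levels below are constructed sample values.
"""
from __future__ import annotations

LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {value: name for name, value in LEVELS.items()}
TENETS = ("confidentiality", "integrity", "availability")

# Constructed sample: the information types one system handles and the
# provisional impact assigned to each tenet. FIPS 199 allows "N/A" only for the
# confidentiality of information that is already public.
INFO_TYPES = {
    "public web content": {"confidentiality": "N/A", "integrity": "MODERATE", "availability": "LOW"},
    "personnel records": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "payroll processing": {"confidentiality": "MODERATE", "integrity": "HIGH", "availability": "MODERATE"},
}


def validate(name: str, impacts: dict[str, str]) -> None:
    """Reject impact tables that FIPS 199 would not accept."""
    for tenet in TENETS:
        level = impacts.get(tenet)
        if level not in LEVELS:
            raise ValueError(f"{name}: {tenet} must be one of {list(LEVELS)}, got {level!r}")
        if level == "N/A" and tenet != "confidentiality":
            raise ValueError(f"{name}: only confidentiality may be N/A")


def high_water_mark(info_types: dict[str, dict[str, str]]) -> dict[str, str]:
    """Per-tenet maximum over every information type the system processes.

    The system-level category floors each tenet at LOW: a system that only
    serves public content still has a confidentiality impact of LOW, not N/A.
    """
    score = {tenet: LEVELS["LOW"] for tenet in TENETS}
    for name, impacts in info_types.items():
        validate(name, impacts)
        for tenet in TENETS:
            score[tenet] = max(score[tenet], LEVELS[impacts[tenet]])
    return {tenet: NAMES[value] for tenet, value in score.items()}


def overall_impact(per_tenet: dict[str, str]) -> str:
    """Single impact level for the whole system: the highest of the three tenets.
    This is the value that selects the LOW/MODERATE/HIGH control baseline."""
    return NAMES[max(LEVELS[level] for level in per_tenet.values())]


def format_sc(per_tenet: dict[str, str]) -> str:
    """Render in the FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    return "SC = {" + ", ".join(f"({tenet}, {per_tenet[tenet]})" for tenet in TENETS) + "}"


if __name__ == "__main__":
    sc = high_water_mark(INFO_TYPES)
    print(format_sc(sc), "->", overall_impact(sc))
```

Notice how the unbalanced triangle falls out of the data: the sample system ends up integrity HIGH because of payroll, while confidentiality and availability stay MODERATE, and that is where the extra controls and budget go.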
3. Data Classification (OBJ. 4.3)
Data classification is based on its value to the organisation and the sensitivity of the information if it was going to be disclosed. Now, organisations should be careful to establish proper policies to help identify how data should be classified, because overclassifying your data leads to higher costs for protecting that data, including additional personnel, additional access controls, and additional investments in other technical solutions. By classifying the data, it can then be separated into different levels of protection based on those classifications. Now, there are two common classification schemes that are used by organisations depending on whether they're a commercial business or a governmental organization.
In the commercial business world, we use four common classification levels going from lowest to highest level, and these are public, sensitive, private, and confidential. Public data would have no impact on the company if it's released, and often it's posted in open-source environments like your website. Sensitive data might have a minimal impact if it's released and includes data like the organization's financial data. Private data is going to contain information such as personnel records, salary information, and other data that's only used within the organization. Confidential data is the highest level of classification, and it contains items like trade secrets, intellectual property data, source code, and other data that would seriously harm your business if it was disclosed.
In the military and government sector, there are five classification levels, going from lowest to highest. These are unclassified, controlled unclassified information, confidential, secret, and top secret. Unclassified data generally can be released to the public under the Freedom of Information Act, or FOIA. Controlled unclassified information, or CUI, used to be called sensitive but unclassified information, and it includes unclassified information that should still be protected from public disclosure: things like medical records, personnel files, and other items that wouldn't hurt national security if released but could impact the people whose data it pertains to. Confidential data is information whose unauthorized disclosure could reasonably be expected to cause damage to national security. Secret data includes items such as military deployment plans, defensive postures, and other information that could cause serious damage to national security if it was disclosed. Top secret data could include blueprints for weapons or other information that could cause exceptionally grave damage to national security if it was known to those who are not authorized for this level of information. Now, protecting data takes resources, and therefore it's important to understand the life cycle of the data as we collect and retain it. Data should not be stored forever, and therefore our organization needs to have policies that dictate when data is going to be retained or destroyed. These policies should be clearly documented and based on your organizational needs, in addition to following local, state, and federal laws and regulations for data retention and time requirements.
4. Data Types (OBJ. 4.3)
Data is not only categorized by its classification but also by its data type. Now, what is a data type? Well, a data type is basically a tag or label that identifies a piece of data under a subcategory of a classification. For example, if I had a document labeled "Top Secret," that is its classification. But underneath that might be something that says BIGOT, which stood for British Invasion of German Occupied Territory. This was a data type used back in World War II. Now, over time, different data types are used under the various classification categories.
For instance, the military no longer uses BIGOT, because there is no German-occupied territory and we're not in World War II. But we do have data types like PII, SPI, PHI, and others that all sit under the unclassified or controlled unclassified information categories. So, even though PII, SPI, PHI, and financial information are unclassified, they are still treated with more care than regular unclassified information, and thus they become data types beneath those categories, because we don't want this type of information getting out into the wild to just anyone. For example, if I had your medical record, that's not Top Secret, Secret, or even Confidential information, but it should still be protected. And that's why we tag it as protected health information (PHI). So let's talk a little bit more about some of the different types: health, financial, intellectual property, and personally identifiable information.
First, we have health data. Health data is normally categorized as any data related to health conditions, reproductive outcomes, causes of death, and quality of life for an individual or a population. This type of data is protected by HIPAA, the Health Insurance Portability and Accountability Act of 1996, under US federal law. Most commonly, this type of data is labeled as PHI, or protected health information. Second, we have financial data. Financial data consists of pieces or sets of information related to the financial health of a business. This data is used by internal management to analyze the business's performance and determine if the business strategy needs to be altered. Now, why is this type of data sensitive?
Well, because access to this type of data prior to its release could give investors an unfair advantage in the marketplace. It could lead to market manipulation of stock prices, or it could provide competitors with sensitive details about your business operations. This type of data is usually labeled as "proprietary corporate information." Third, we have intellectual property. Intellectual property, or IP, is a type of data that includes intangible creations of human intellect. Normally, this type of data is protected by a copyright, a patent, a trademark, or a trade secret designation. Again, this type of data is commonly labeled as "proprietary corporate information." Fourth, we have personally identifiable information, or PII. Personally identifiable information is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or that can be used to deanonymize previously anonymous data, could be considered PII. So let's say I have your name, your birthday, and your Social Security number. Those three pieces of information should be labeled as PII, because I can clearly identify you using those three data points. Now, these are not the only data types out there; there are a ton of others. But these four data types are the most common. To protect these different types of data, there are a lot of different solutions out there. Microsoft's data loss prevention (DLP) tooling, for example, ships with around 70 built-in sensitive information types, including PII, SPI, and PHI patterns, all of which sit under the unclassified category. So, just because something is categorized as unclassified or top secret, that isn't enough.
You have to consider its data type and the subcategory it's assigned to as well. Now, in addition to that, we have to think about the format of this data. When we talk about data format, this is the organization of the information into preset structures or specifications. There are two common data formats: structured data and unstructured data. Structured data might be something like a comma-separated values (CSV) file. So if I export a list and a line reads Jason,Dion,123 Main Street, that is structured data: you know the field before the first comma is the first name, then comes the last name, then the street address. This is the idea of a structured format.
Unstructured data could be something like a PowerPoint slide, an email, a text file, or a chat log, pretty much anything where I just type things in whatever order I want, and then I have to use specialized systems to parse that data if I want to feed it into something else. Different systems and different classification mechanisms have to be set up to understand these different data types and data formats. From a protection standpoint, structured data is a lot easier to process and analyze than unstructured data, because a tool can tell which field is which instead of having to infer it from the content. The last thing we need to consider is the data state. The data state is the location of the data within a processing system, and there are really three places it can be. The data can be at rest, which means it's stored on a drive somewhere; it can be in motion (in transit), which means it's currently moving from one computer to another over the network; or it can be in use, which means the data is being read into memory or is sitting inside the processor, currently being worked on for a computation.
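To make the data type and data format ideas concrete, here is a small DLP-style tagger, added for this lesson (it is not the course's code and not any vendor's product). It applies two sensitive information types, a US Social Security number pattern (PII) and a Luhn-checked payment card number (financial data), to the same content in two formats: a constructed CSV export, where the header tells us which column carries the sensitive value, and a constructed chat log, where all we can say is that the document contains it. The regexes, the labels, and the mapping onto the commercial public/sensitive/private/confidential ladder are assumptions made for the example.

```python
"""Toy DLP-style data-type tagging for structured and unstructured data.

Added illustration for this lesson, not the course's code and not any vendor's
product. The regexes, labels and classification mapping are assumptions in the
spirit of a DLP product's built-in sensitive information types.
"""
from __future__ import annotations

import csv
import io
import re

# Constructed sample inputs (not from the page).
STRUCTURED_CSV = (
    "first_name,last_name,street,ssn\n"
    "Jason,Dion,123 Main Street,078-05-1120\n"
    "Alice,Example,9 Elm Avenue,\n"
)
UNSTRUCTURED_CHAT = (
    "[10:02] alice: kickoff moved to noon, room 4B\n"
    "[10:03] bob: ok. the customer's SSN is 078-05-1120 and the card on file "
    "is 4111 1111 1111 1111\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum that payment card numbers satisfy; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# label -> (pattern, optional validator applied to the matched text)
SENSITIVE_TYPES = {
    # PII: US SSN, excluding structurally invalid area (000, 666, 9xx),
    # group (00) and serial (0000) values.
    "PII/SSN": (
        re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
        None,
    ),
    # Financial: 13-16 digit card number, optionally space/dash separated,
    # confirmed by the Luhn check so phone numbers and IDs do not fire it.
    "Financial/PAN": (
        re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
        lambda text: luhn_ok(re.sub(r"[ -]", "", text)),
    ),
}

# Assumed mapping onto the commercial ladder from the classification lesson.
COMMERCIAL_LADDER = ["Public", "Sensitive", "Private", "Confidential"]
LEVEL_FOR_TYPE = {"PII/SSN": "Private", "Financial/PAN": "Private"}


def find_types(text: str) -> set[str]:
    """Scan free text and return the set of data-type labels it contains."""
    found: set[str] = set()
    for label, (pattern, validate) in SENSITIVE_TYPES.items():
        for match in pattern.finditer(text):
            if validate is None or validate(match.group(0)):
                found.add(label)
                break
    return found


def scan_unstructured(text: str) -> set[str]:
    """Unstructured data: we can only say *that* the document contains a type."""
    return find_types(text)


def scan_structured(csv_text: str) -> dict[str, set[str]]:
    """Structured data: the header tells us *which field* carries each type, so
    a control (masking, column-level encryption) can be targeted precisely."""
    hits: dict[str, set[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for column, value in row.items():
            for label in find_types(value or ""):
                hits.setdefault(column, set()).add(label)
    return hits


def classify(data_types: set[str]) -> str:
    """Highest commercial level implied by the data types found; Public if none."""
    levels = [LEVEL_FOR_TYPE[t] for t in data_types]
    return max(levels, key=COMMERCIAL_LADDER.index, default="Public")


if __name__ == "__main__":
    print("structured:", scan_structured(STRUCTURED_CSV))
    print("unstructured:", scan_unstructured(UNSTRUCTURED_CHAT))
    print("label:", classify(scan_unstructured(UNSTRUCTURED_CHAT)))
```

The same SSN is found in both inputs, but only the structured scan can say it lives in the ssn column; that is the practical reason structured data is easier to protect, and it is why real DLP products pair patterns with validators (like the Luhn check here) to keep false positives down on unstructured text.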
5. Data Retention (OBJ. 4.3)
When we talk about data retention, we're really talking about a set of policies, procedures, and tools for managing the storage of persistent data. Essentially, I need to think about how long I should keep a particular piece of data. Now, as an organization, we may have legal requirements that bind us to retain certain types of data for a specified period of time to meet our compliance and e-discovery requirements. For example, let's say you work for a publicly traded American company. You have data retention requirements that are dictated by the US law known as Sarbanes-Oxley (SOX). Your company simply can't go and shred all its paperwork prior to the prescribed retention period. Instead, it has to wait until that time runs out, and then it can shred those documents. That's what we're talking about when we talk about meeting compliance requirements. Now, data retention is the process that an organization uses to maintain the existence and control of certain data in order to comply with business policies and/or applicable laws and regulations. So your data retention requirements don't just come from law or regulation; they are also something you can impose on yourself through your own business policies. Whenever you're creating your own business policies, you always need to include your legal counsel when developing data retention policies, to make sure you're not doing anything illegal. Why? Because your organization's legal counsel knows the laws in depth, and you, as a cybersecurity professional, probably don't. When I use the term "legal counsel," that's a fancy term for lawyers. You're going to make sure that the lawyers for your company are involved in this process, because they know the exact requirements of things like Sarbanes-Oxley, HIPAA, GLBA, or any other laws that affect your data retention policies.
The lawyers will tell you that you need to keep this type of data for two years, that type of data for seven years, and with another type you only need three months, and you'll know exactly what is right and wrong because the lawyers have told you. That's really helpful as you're developing these policies. Now, in addition to retaining data, you sometimes also hear the term "preservation of data," and this is slightly different. Preservation of data refers to information that's being kept for a specific purpose outside of an organization's data retention policy. For example, our data retention policy at my company doesn't cover user data on our website specifically. So when you go to our website and you take a course, we actually know which lessons you finished, what quizzes you took, and what you scored on all of those. All of this gets stored in our database. Now, the collection and retention of this data isn't specifically covered by my organization's data retention policy. Instead, we have a separate policy known as data preservation.
And this is just for us to know how long we want to keep an average customer's data. This decision is based more on our storage size, our processing capabilities, and other factors like that which affect the cost of doing business. Now, when you start dealing with all this data retention, you have to have a way to back it all up and archive that information, and you have to have the tools to fulfill the data retention requirements. If I need to keep some of these data types for seven years or more, it doesn't mean I have to have seven years of online data that I can access within a second. No, I can offload that data to a tape backup or an external drive, and we can pull it from that device if we need it for a lawsuit, a regulatory finding, or something like that.
Now, by putting the data into cold storage like this, I can save a lot of money while still meeting my data retention requirements. When you're dealing with data retention, there are really two types: short-term and long-term. Short-term retention is how long a copy survives in the backup rotation before the oldest media set is overwritten; this is essentially your online data. Let's say I have a server and I do backups every single night. When I run out of space, I start overwriting the oldest backups with new ones. Whatever that period is before the oldest backup gets overwritten, that's my short-term retention. For most companies, that might be seven days, two weeks, or a month. It's usually not very long. Long-term retention refers to any data that's moved to an archival storage location to prevent it from being overwritten.
So if I need to keep this data for seven years according to some law or regulation, but my backups are done every night and overwritten after seven days, my short-term retention period is only seven days. When those seven days are up, I need to take that copy and put it into long-term storage. That could be a hard drive, a tape backup, or a cold cloud storage tier such as Amazon S3 Glacier. You can even print out the documents and put them in a filing cabinet. It really doesn't matter how you do it, as long as you're maintaining that data; that's the legal requirement, and there are lots of ways to meet it. The main concept here is that you have to think about whether data is retained under your short-term or long-term methods, and to make sure there's no lapse between the two, where data gets overwritten in the rotation before it has been archived, you need a way to archive it off your system so you always have it available.
Now, when it comes to backups, how do you know how much to back up? Remember, all of your backups take up valuable storage space, and that costs money. So can you back up everything all the time? No, because you simply won't have enough time, money, or space to keep everything indefinitely. Instead, you have to think through what will be backed up. The first thing you back up is everything you're legally required to keep as part of your retention policies. Next, you back up what you need based on your corporate policies and operations to make sure you can do your job. After that, everything else is discretionary, and you decide what else is worth backing up. Now, in addition to local backups to things like tapes or external drives, you can also back up to the cloud, which gives you effectively unlimited storage.
But it's really not unlimited, because you're still paying for it, and your budget may not allow unlimited storage on a cloud server. So again, you may have to be picky about what you back up and how much that's going to cost. When you try to figure all this out, you base it on your business continuity plan, or BCP. As part of your BCP, you define your recovery point objective, or RPO. The recovery point objective is the maximum amount of data, measured in time, that can be lost after a recovery from a disaster, failure, or comparable event before the data loss exceeds what the organization considers acceptable.
The RPO drives the recovery window and your backup plans. So if I can afford to lose a day's worth of data, my RPO is 24 hours and a nightly backup is enough. If I can afford to lose only five minutes of data, my RPO is five minutes, and nightly backups won't meet it. Based on that RPO, you're going to have to budget, fund, and design your systems around those requirements, including what your recovery window should be and what your backup plans look like. So why is the RPO so important? Because it drives the recovery window and the redundancy decisions you need to make in your business, and those redundancy decisions and recovery windows end up driving what the retention policy looks like.
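The short-term versus long-term hand-off and the RPO check from this lesson, worked through as a small retention planner. This is an added illustration, not the course's code: the retention periods, the seven-day rotation window, and the backup schedule are constructed sample values standing in for whatever your legal counsel and BCP actually specify. The planner answers the two questions the lesson raises: which copies must be archived before the rotation overwrites them so there is no lapse, and whether the backup cadence actually meets the RPO.

```python
"""Retention and RPO checks for a nightly backup rotation.

Added illustration for this lesson, not the course's code. The retention
periods, the rotation window and the backup schedule are constructed sample
values; the real figures come from your legal counsel and your BCP.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    data_type: str
    taken: datetime
    tier: str = "short"  # "short": nightly rotation; "long": archive (tape, cold cloud tier, paper)


# Assumed policy: how long each data type must exist, and how long the nightly
# rotation keeps a copy before the next run overwrites it. Data types with no
# entry have no legal or business requirement and live only in the rotation.
LONG_TERM_RETENTION = {
    "financial": timedelta(days=7 * 365),  # e.g. a SOX-style seven-year period
    "email": timedelta(days=2 * 365),
    "chat": timedelta(days=90),
}
SHORT_TERM_WINDOW = timedelta(days=7)


def plan(backups: list[Backup], now: datetime) -> dict[Backup, str]:
    """Decide for each copy: 'keep', 'archive' or 'expire'.

    Anything past its required period expires, even from long-term storage.
    Anything still required that is about to fall off the short-term rotation
    is archived first, so there is no lapse between the two tiers.
    """
    actions: dict[Backup, str] = {}
    for b in backups:
        age = now - b.taken
        required = LONG_TERM_RETENTION.get(b.data_type)
        if required is None:
            actions[b] = "keep" if age < SHORT_TERM_WINDOW else "expire"
        elif age > required:
            actions[b] = "expire"
        elif b.tier == "long":
            actions[b] = "keep"
        elif age >= SHORT_TERM_WINDOW:
            actions[b] = "archive"
        else:
            actions[b] = "keep"
    return actions


def rpo_met(backup_times: list[datetime], rpo: timedelta, now: datetime) -> bool:
    """Worst-case data loss is the largest gap between consecutive backups,
    including the gap from the latest backup to now: a disaster right now
    loses everything written since that last copy."""
    if not backup_times:
        return False
    points = sorted(backup_times) + [now]
    worst = max(later - earlier for earlier, later in zip(points, points[1:]))
    return worst <= rpo


def demo() -> tuple[dict[Backup, str], bool, bool]:
    """Constructed run against the sample policy."""
    now = datetime(2023, 2, 1, 6, 0)
    backups = [
        Backup("financial", datetime(2023, 1, 25, 6, 0)),         # 7 days old -> archive
        Backup("financial", datetime(2023, 1, 31, 6, 0)),         # 1 day old -> keep
        Backup("chat", datetime(2022, 10, 1, 6, 0)),              # 123 days old -> expire
        Backup("financial", datetime(2016, 1, 1, 6, 0), "long"),  # past seven years -> expire
        Backup("financial", datetime(2020, 1, 1, 6, 0), "long"),  # still required -> keep
    ]
    nightly = [datetime(2023, 1, day, 6, 0) for day in (29, 30, 31)] + [now]
    return (
        plan(backups, now),
        rpo_met(nightly, timedelta(hours=24), now),
        rpo_met(nightly, timedelta(minutes=5), now),
    )


if __name__ == "__main__":
    actions, daily_ok, five_minute_ok = demo()
    for backup, action in actions.items():
        print(f"{backup.data_type:10} {backup.taken:%Y-%m-%d} {backup.tier:5} -> {action}")
    print("24h RPO met:", daily_ok, "| 5 min RPO met:", five_minute_ok)
```

The ordering of the checks is the point: the legal period is tested before the tier, so an archived copy that has aged out still expires (keeping it longer than required is a liability), and the archive decision fires on the last day of the rotation rather than after it.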
6. Data Destruction (OBJ. 4.3)
What should we do with data that's no longer required? This is an important question to consider in your organization as you determine how to conduct data removal, destruction, and sanitization. All data, at some point, will reach the end of its useful life. So what are you going to do to destroy it? Are you going to just format the drive? Throw it away? Well, maybe.
It really depends on your policy. The important thing is that you securely dispose of data that is deemed ready for disposal once it reaches the end of its retention period; at that point, it's said to have expired. Now, if that data is on a piece of paper, it's really easy to get rid of, right? You could shred it, burn it, or recycle it; it all depends on its classification level. But data stored on hard drives and cloud-based servers gets a little trickier. Hard drives can't just be shredded easily, because you don't have a shredder in your office that's powerful enough for that, so we have to determine the best way to handle them. Now, let's talk a little bit about data removal, data destruction, and data sanitization and how they differ when we're trying to handle this data destruction problem.
First, we have data removal. Data removal is a generic term that refers to any process that deletes or makes inaccessible some form of data. For example, if I run a simple delete command on my laptop to remove a file from the hard drive, that is data removal. Data removal is quick and easy, but it may leave remnants behind that a skilled attacker or forensic technician could easily restore, because deleting a file typically only removes the pointer to it and marks its blocks as free. For this reason, data removal should only be used with the least sensitive data types. Second, we have data destruction. Data destruction goes a step further than data removal in that it makes an effort to destroy the underlying data. Instead of simply deleting the file, we overwrite that area of the disk with a random series of ones and zeros so the data is really difficult to restore, even for a skilled forensic technician. Even with data destruction, there may be some remnants left on the drive.
So if you really need to be sure that data is fully gone, it's better to use data sanitization, which brings us to our third area. Data sanitization goes a step further than data destruction: in addition to overwriting the drive using destruction techniques, sanitization also performs a verification step to ensure the data has been wiped and is no longer accessible. Even for a trained analyst, it is really difficult to recover data that's been properly sanitized. But even this isn't a 100% guarantee.
So for some high-security applications, organizations may opt for physical destruction of the device along with the data. For example, let's say you worked on a top-secret project for the NSA. You might need to ensure that nobody ever accesses those files or their remnants on that hard drive. In that case, you may choose to physically destroy the drive by drilling holes through the platters, shredding it in an industrial shredder, or using some other method to ensure the drive and the data it contains are definitely destroyed.
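Here is the removal, destruction, and sanitization distinction as working code, added for this lesson (it is not the course's code). Plain `os.remove` is removal; overwriting the file's bytes in place is destruction; overwriting and then reading the file back to confirm the pattern took is sanitization, which in NIST SP 800-88 terms is a software "clear". The sample file and its contents are constructed for the example, and the caveats in the comments are the ones a practitioner needs before trusting an in-place overwrite.

```python
"""Overwrite-and-verify file sanitization.

Added illustration for this lesson, not the course's code. In NIST SP 800-88
terms this is a software 'clear' of a single file; read the caveats below.
"""
from __future__ import annotations

import os
import shutil
import tempfile

CHUNK = 1 << 16


def _overwrite(fd: int, size: int, make_chunk) -> None:
    """Rewrite every byte of the file with make_chunk(n) data, then force it to disk."""
    os.lseek(fd, 0, os.SEEK_SET)
    written = 0
    while written < size:
        buf = make_chunk(min(CHUNK, size - written))
        while buf:  # os.write may write fewer bytes than asked, so loop
            n = os.write(fd, buf)
            buf = buf[n:]
            written += n
    os.fsync(fd)


def _verify_zeroed(fd: int, size: int) -> bool:
    """Read the file back and confirm nothing but the final zero pattern remains.

    This proves the filesystem's current view of the file, read through the
    page cache; it does not inspect the raw device.
    """
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        data = os.read(fd, min(CHUNK, remaining))
        if not data or data.count(0) != len(data):
            return False
        remaining -= len(data)
    return True


def sanitize_file(path: str, passes: int = 2, verify: bool = True) -> bool:
    """Overwrite the file in place, optionally verify, then unlink.

    verify=False is the lesson's 'data destruction'; verify=True is
    'sanitization'. Returns True only if the overwrite (and, when requested,
    the verification) succeeded and the file was removed.

    Caveat: this only reaches the blocks the filesystem maps to the file right
    now. SSD wear levelling, journaling and copy-on-write filesystems,
    snapshots, and cloud block storage can all keep older copies elsewhere.
    For those, use the drive's built-in sanitize or cryptographic erase, or
    physically destroy the media, as the lesson describes.
    """
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    try:
        for _ in range(max(passes - 1, 0)):
            _overwrite(fd, size, os.urandom)        # random pass(es)
        _overwrite(fd, size, lambda n: bytes(n))   # final zero pass: a known target for verification
        ok = _verify_zeroed(fd, size) if verify else True
    finally:
        os.close(fd)
    if ok:
        os.remove(path)                             # plain removal comes last, not first
    return ok


def demo() -> dict:
    """Constructed run: a throwaway file with sample content, sanitized and checked."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "expired-record.txt")
    try:
        with open(path, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE: expired personnel record\n" * 2000)
        size = os.path.getsize(path)
        ok = sanitize_file(path)
        return {"size": size, "sanitized": ok, "exists_after": os.path.exists(path)}
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The order matters: overwrite first, verify second, unlink last. Unlinking first would free the blocks and leave the original content sitting in them, which is exactly the remnant problem the lesson attributes to plain data removal.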
7. Data Ownership (OBJ. 4.3)
To determine appropriate confidentiality, integrity, and availability priorities, it's always important to get input from the stakeholders who own the assets. Risk management decisions cannot simply be made by the information technology department; they should be a shared decision based upon input from all the affected stakeholders, such as the other department heads. This is important for all information technology and security projects, because we don't have information technology just for the sake of information technology.
Instead, we're seeking to achieve a given business objective. By getting stakeholder input early and often, we can avoid costly design mistakes or having to fight for approval and acceptance of our designs. The same holds true for data classification. It's imperative that stakeholders provide the proper data classification to information security professionals. After all, who knows better than the stakeholders themselves whether a certain piece of data they created should be classified as public, sensitive, private, or confidential? This is why the data owner has to be identified. Data ownership is the process of identifying the person responsible for the confidentiality, integrity, availability, and privacy of an information asset. You might think the data owner is the person who created the file, but that's not always what we're talking about here. In an enterprise environment, there are different roles that fall under this idea of data ownership: the data owner, the data steward, the data custodian, and the privacy officer. So let's take a look at each of these roles.
First, we have the data owner. This is a senior executive role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset. The data owner is responsible for labeling the asset and ensuring it's protected with the appropriate controls. So the data owner says what type of information this is and how it should be protected. Take, for instance, the corporation's balance sheets: as the data owner, I say this is financial information. Now, anybody who creates a balance sheet follows my rules and labels it as financial information, because I, as the data owner, said this type of information would be classified in this manner, and the company and its IT department will now protect all the financial information by applying whatever controls I select.
This is why the role of the data owner is so important here. The next role we have is the data steward. This role is focused on the quality of the data and the associated metadata. The data steward is going to be somebody who's working for the data owner. They're going to be involved with making sure that the data is appropriately labelled and classified. So we said all the financial data should be labelled as financial data, and it should be taken care of in this way using ABC controls. Now that's going to be the role of the data steward—to make sure all that stuff is actually being done. Next we have the data custodian. This goes down one layer further. We went from the data owner to the data steward, and now we go down to the data custodian. The data custodian is a role that's responsible for handling the management of the system on which the data assets are stored. So who might the data custodian be? Well, it could be a system administrator.
These are the people responsible for enforcing the access control, encryption, and backup and recovery measures that protect the data, based on the requirements set forth by the data owner and passed down through the data steward. The final role we need to discuss is the privacy officer. This role is responsible for the oversight of any kind of privacy-related data: personally identifiable information (PII), sensitive personal information (SPI), or protected health information (PHI). If your company is managing data marked as PII, SPI, or PHI, then it falls under the realm of the privacy officer.
This is the person who's really on the hook if you have a data breach, because normally when you have a data breach, what people are concerned about is the private user data that's being exfiltrated by the attackers. The privacy officer has to make sure we're complying with all the legal and regulatory frameworks, and that we have the right purpose, limitations, and consent to collect that data. The privacy officer is also responsible for ensuring the organization properly performs data minimization and meets its data sovereignty, data retention, and data destruction obligations. So the real question is, who should own the data? In a lot of organizations, they try to make the CIO and the IT department the people in charge of all the information and the data owners for everything. But honestly, this is the wrong answer, because IT personnel don't know the data itself; they know the systems and the technical controls. They should be data custodians. Instead, the data owners should be people from the business side, the people who are actually creating this information. A data owner can be designated within each department. For example, let's say you have some data coming from the accounting department.
Well, their leader might be the data owner who tells all the other accountants how they're going to do their business and how they're going to classify their data. They now have a data owner for their information. Because I'll tell you, as an IT person, I don't know about accounting data. I don't know it well enough to be able to classify it at the right level except to say generically that it's financial data.
Now, this is one of the things I think is really important: IT people should not be the data owners. Instead, the data owners should be the people who know the most about the data, based on its content and its business purpose within the company. If your company is a software development company, then the software design department should probably own its data. If you're an accounting firm, it should be somebody in the finance department or the chief financial officer. Remember, it's important that somebody knows the data and can make the right decisions on labeling and classification, and that person should be designated as the organization's data owner.