
July 3, 2025 25 mins


Check us out at:  https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Ready to master data classification for your CISSP exam? This episode delivers exactly what you need through fifteen practical questions that mirror real exam scenarios, all focused on Domain 2.1.1.

The cybersecurity world is constantly evolving, and our discussion of the newly formed ARPA-H demonstrates this perfectly. Modeled after DARPA but focused on healthcare innovation, this agency represents a $50 million opportunity for security professionals to tackle the persistent ransomware threats plaguing the healthcare industry.

Diving into our practice questions, we explore how marketing materials receive "sensitive" classifications, while revolutionary battery technology blueprints warrant "class three severe impact" protection. We clarify why social security numbers in healthcare settings fall under Protected Health Information rather than just PII, and why government agencies use distinctive classification schemas including terms like "top secret" that aren't merely arbitrary labels.

The episode tackles complex scenarios including cloud storage responsibilities (you retain ownership of customer data even when stored by third parties), the limitations of DLP solutions for printed documents, and proper breach response protocols. Each question provides context-rich explanations that go beyond simple answers to build your understanding of the underlying principles.

Perhaps most valuable is our exploration of classification system design - revealing why simply labeling all non-public information as "sensitive" creates security vulnerabilities by failing to distinguish between different impact levels. This practical insight helps you not just memorize concepts but understand how to implement effective classification in real-world environments.

Whether you're studying for your CISSP exam or wanting to strengthen your organization's security posture, these fifteen questions provide the perfect framework for mastering data classification principles. Visit cisspcybertraining.com to access our complete blueprint and mentoring services guaranteed to help you pass the CISSP exam on your first attempt.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
All right, let's get started. Let's go cybersecurity knowledge.

Speaker 2 (00:26):
All right, let's get started. Good morning, it's Sean Gerber with CISSP Cyber Training, and hope you all are having a wonderful day today. Yes, today is CISSP Question Thursday, so that's exciting stuff. We're going to be talking about some awesome CISSP questions related to domain 2.1.1. And that is all a follow-on for our podcast that we had on

(00:47):
Monday that goes over the various concepts that we talked about, right? So data classification and so forth. So that is what today's CISSP questions are going to be about. One thing that we wanted to bring up though, obviously we had you try to have something in at the beginning a little bit about, maybe, some news that I saw that I thought was interesting, and especially as it relates to the CISSP, if

(01:09):
possible. But this was an interesting article that just came out, as it relates to in the Register, and it's around. I don't know if you all have heard of a, not a company, it's not the right word, but an organization within the US government called DARPA, and DARPA is the US Defense Advanced Research Projects Agency and, to put it in perspective, these

(01:30):
guys come up with really cool Gucci stuff. They work with the US Skunk Works and they have like really neat weapons that they develop, and some of these weapons actually are brought into the civilian sector. Not necessarily to destroy and kill people, unfortunately, but

(01:50):
they are designed in other ways than they advance research projects that get put into the commercial side. Well, I guess, according to a couple of years ago, there was a new agency that was stood up called ARPA-H, and what it is is it's the same thing. It's a very similar concept as DARPA, but it's for the hospital and healthcare industry, and it's an interesting piece. They actually have a video interview from the inaugural

(02:12):
director, kind of going over looking for technology in the healthcare space to be able to help create more innovative ideas, and so it's really cool in the fact that it's, they see ways that it can help with people's, because right now, you see, all the new technology that's coming out is going to be a dramatic impact to the healthcare industry as well.

(02:33):
I'd say the one thing that's going to hurt the healthcare industry the most is the bureaucracy of getting stuff through. But because they stood this up, this is going to be an amazing thing. I feel it's going to be really great to help the overall industry as a whole. Well, what they had, they also mentioned the fact is that, as we all know, ransomware has been a huge factor in the healthcare

(02:54):
industry for years, and it continues to be a big thing, and, like I mentioned in the podcast a few weeks ago, how it impacted me and my family directly. Well, the neat part about this is there's going to be money available for healthcare professionals that want to do more research in this space, and it can help, as it includes cybersecurity, and that's a really neat area in the

(03:17):
fact of now there's other ways to help provide some sort of funding and, potentially, some help in regards to correcting issues that deal with ransomware in the healthcare industry as well. So I saw it was kind of an interesting piece of this. So they're only starting off with $50 million, and I say only, I mean right, all of us that would go okay.

(03:38):
I just take like 1 million would be amazing. It would totally change my life forever. But $50 million, they're starting off small, but the ultimate goal, though, is that they're trying to figure out different ways to utilize the tech industry in the healthcare aspect. So if you are a researcher and you're studying for your CISSP and you're trying to figure out other ways to help that industry

(04:00):
, ARPA-H is an option for you, and it's an article that was in the Register. It basically says, this is the title from Rupert Goodwins: Take two APIs and call me in the morning. But the ultimate goal is you can kind of dig into it a little bit and figure out what works best for you. It's just, the neat part is that there are more and more options available to you, especially in security.

(04:21):
As you can see, this space is just exploding and it's really great that you all are working to get your CISSP, just because, or if you're in the tech industry as a whole, because there is so much opportunity here for you and is in such desperate need for individuals like yourselves that are wanting to get into security to help make a difference.

(04:42):
Okay so, let's roll into our questions for this week. Okay, so, again, as I talked about, you are a, become a member of the CISSP Cyber Training Club. You can gain access to all of these questions directly and test your skills on what you know. But if you don't and you want the free content, hey, that is totally fine too, I get it, and that is available to you at

(05:02):
CISSP Cyber Training. You can actually just watch the videos on the blog or you can go to YouTube and you'll see them eventually at some point in time as well. So those are available to you. But if you want to actually go take the test, cisspcybertraining.com is the best place to go to get that. And again, we've talked about before, these questions are examples of what you may see on the CISSP exam.

(05:25):
They are not CISSP questions that somehow, miraculously, I got a hold of. Yeah, no, they're not that. But they will give you an idea of what you may experience as it relates to the exam. So you're better prepared to deal with it. Well, let's get started. Question one: a company develops a new marketing campaign with catchy slogans and product images.

(05:45):
The information is most likely classified as A, confidential data; B, private data; C, sensitive data; or D, public data. Okay, so this is catchy slogans, product images. What would it be considered from a data classification standpoint? And the answer is C, sensitive.

(06:07):
Well, the information isn't highly confidential because they didn't say that. Right, catchy slogans and product images may not be something that is that confidential. They would be considered sensitive and you wouldn't necessarily want it all to be out to the public. Now you're probably saying, well, it's going to be released to the public anyway. Yes, but what happens is when you add those catchy slogans to those pictures before they are

(06:28):
potentially released, that would be sensitive data, obviously. Once they're released to the public, then all bets are off. It doesn't really matter at that point. Question two: you are a security analyst for a health care provider. A new regulation mandates stricter controls for patient social security numbers. Those are SSNs, you may see the abbreviation. These controls would likely fall under the umbrella of A, PII

(06:52):
, that's personal identifiable information; B, PHI, personal health care or health information; C, proprietary data; or D, government classified information. Okay, so social security numbers, and you're looking for a health care provider. So that probably would fall under, potentially, the PHI. Now, SSNs are typically PII, but they fall under the stricter

(07:16):
regulations of HIPAA and health care data. Then this is why it would fall under the PHI. It's a tough one, right? You may want to bite off on the fact that, well, it's a social security number. The key part is understanding the healthcare provider piece of this. Question three: your company is developing a revolutionary new battery technology. The blueprints and specifications of this

(07:38):
technology would be considered what? A, class zero, low impact. B, class one, moderate impact. C, class two, high impact. Class three, severe impact. Again, you're developing a revolutionary battery technology. So what would it be? It would be class three, severe impact, such as a data breach

(08:01):
would have devastating results on the company's competitive advantage, and so, therefore, it would be a class three. Question four: you are designing a data classification policy for your organization. Which of the following is the least important factor to consider? Again, you're designing this data classification policy for

(08:22):
your organization. Which of the following is the least important factor to consider? A, regulatory compliance for requirements. B, sensitivity of the data. C, the ease of implementation for the employees. Or D, alignment to the organization's risk tolerance. So now, all of those, obviously, are important, except for C.

(08:44):
Right, we want to make these things as easy as possible for our employees, because the more complex you make it, they're just not going to do it. So you want to have some level of ease or comfort in helping deploy these solutions. However, that is the least important factor in the ones that were provided. Every one of those other ones are very

(09:05):
important, especially with your organization's risk tolerance. This is one thing that I've seen. Companies really need to truly understand what is their risk around IP or data loss. And it's the thing you have to understand. If you are a business owner and you're dealing with IP, you will lose data. It's a given. It's a matter of not if, but when. The question comes into is how sensitive is that data and how

(09:27):
much of that data are you willing to lose? That's what will really drive the fact of, do you want to put in a DLP product or other type of protection around your intellectual property? Question five: a hacker gains access to a database containing employee names, email addresses and salary information. This scenario represents a breach of what type of data?

(09:47):
A, public data; B, non-classified, sensitive data; C, personally identifiable information; or D, all of the above? Okay, a database contains names, email addresses and salary information. Which is that of? It is D, all of the above, right? Public data, non-classified and personal data. It's all involved in this breach.

(10:10):
Question five: if you are an IT manager at a governmental agency, a report details the deployment schedule for a new national security system. This information would be considered or classified as A, unclassified; B, sensitive but unclassified; C, secret; or D, top secret.

(10:31):
Say you are the IT manager for a government agency. The report details a deployment, a report, a report details the deployment schedule for a new national security system. This information would be, would likely be classified as what? And the answer is C, secret. Right. Now you're probably asking, well, what could it be,

(10:51):
top secret? It possibly could, but the question is that with this question here, I would default to the lower part. Now, if it mentioned that it was dealing with military secrets or something along those lines, then top secret may be the better option. But you're going to have to. This is the ultimate goal, is how are you thinking through this as a manager?

(11:12):
It's an IT manager for a government agency. To put it in perspective, IT people within the government, pretty much everybody has a secret clearance, especially if you deal with any sort of systems within the government. They all, everybody gets secret, where very few people get top secret, and so therefore, if you're looking at a system that's dealing with the US government,

(11:32):
secret is probably the highest level most people will deal with. So unless it got into very specific questions around the military system, then I would err to the fact that it would just be secret, not top secret. Question seven: which of the following security controls is most effective in protecting data at rest?

(11:52):
A, data loss prevention; B, access controls; C, encryption; or D, activity monitoring. So which of the following security controls is most effective in protecting the data at rest? And the answer is C, obviously, encryption. Right. Encrypted data at rest renders it potentially unreadable, right

(12:14):
, without the decryption key. As long as you have, hey, you've used a good encryption algorithm to do this, but it offers the best protection when you're dealing with data at rest. Question eight: your company uses a cloud storage device to store customer credit card information. Which of the following best describes the data ownership and

(12:35):
responsibilities in this scenario? So your company uses a cloud storage service to store customer credit card information. Which of the following best describes the data ownership and the responsibilities in this scenario? A, a cloud service provider owns the data and is solely responsible for its security. B, your company retains ownership of the data but shares

(13:00):
responsibility with the cloud provider. C, the customer who provided the credit card information owns the data. And D, ownership is irrelevant; both companies and cloud providers are responsible for security. So those seem pretty good, right? But we're looking at what best describes the data ownership and responsibilities in this specific scenario.

(13:21):
So a company uses cloud storage to store a customer's credit card information. So the customer gave the credit card over to the purchaser or the vendor. The vendor then put it in the cloud and the cloud stores it, right? Well, you, as a company who provided that service to the, from the, so basically, the customer gave you their card, you

(13:43):
provided that information to the cloud. You own, you retain the ownership of the data, but you share the responsibility with the cloud provider. You never lose responsibility. The moment you take that data from the customer, you now own it, and so, therefore, if it's breached, it's just as much your fault as the cloud provider's fault as well. You can try to pass the buck and point fingers at them, but

(14:06):
at the end of it, let's say, for example, they take the data and they store the data and they do all that they can to protect it, but the breach occurs and you're like, well, I didn't do it, I had no control over the data at all. That's true. However, you have the reputational aspects that you'll take a hit on, so you have joint ownership of this. Question nine: you suspect a data breach has occurred involving employee

(14:30):
performance reviews. What is the most important action to take after confirming the breach? You suspect a data breach has occurred involving employee performance reviews. What is the most important action to take after confirming the breach? A, implement a new data encryption protocol. B, terminate the employee responsible for the breach. C, notify infected employees of the regulatory bodies, if

(14:53):
applicable. And then D, conduct a security awareness training for all employees. Okay, so all of those things are probably going to be in factor, right, to include, probably most likely, terminating the employee who is responsible, depending upon the situation, obviously, but the best or the most important action is to notify the affected employees and the regulatory bodies as soon as you possibly can.

(15:14):
So, again, when you're dealing with all of these aspects, and you don't want to go and start doing this right away, right, you want to figure out what actually occurred. How did it occur? But there are regulatory timers that are enabled if you get a data breach of some kind, right, or an incident of some kind. So therefore, it's important that you do notify the employees

(15:36):
and the regulatory bodies in the event that that happens, and then start going through the laundry list of things you should do to help mitigate the problem even further. Question 10: a company implements a data classification system with four categories: public, internal, confidential and top secret. Okay, so they came up with their own strategy and they got public, internal, confidential and top secret.

(15:58):
This classification scheme is most likely used by whom? Okay, A, a government agency; B, a healthcare provider; C, a financial institution; or D, a retail store chain. And the answer is A, a government agency. Now, like we mentioned before, the government agencies typically will follow a certain path.

(16:18):
However, they don't have to. They can have their own that they want to use, except, I will say, the top secret piece of this, the secret, top secret. If you deal with any sort of secret or top secret information, that labeling is done by itself. Same with unclassified. But if you're going to label top secret, you better be using

(16:39):
top secret. You can't just arbitrarily come up with your own idea on that term. So the top secret piece really kind of lends itself to being a government agency. Question 11: which of the following statements about data classification is most accurate? Okay, again, most accurate. A, all data within the organization should be classified at the same level. B, the data classification should be a one-time process

(17:03):
upon data creation. C, data classification helps organizations prioritize security controls based on impact. And then D, publicly available data always requires the least stringent security measures. So question 11 is which of the following statements about data classification is most accurate?

(17:23):
And the answer is C, data classification helps organizations prioritize security controls based on impact. So again you have, you ultimately go as you want to classify the data. You now can understand how do you best protect it if you know that the impact would be substantial, and therefore you will then protect it better or put different controls in place

(17:43):
to manage its risk. Question 12: you are a security consultant tasked to improving a company's data security posture and, i.e., reduce cyber risk. Sean Gerber, by the way, I got to throw a plug, got to throw a plug. The current classification system defines sensitive data as any information not publicly available. This approach is a problematic because, okay, so your security

(18:06):
consultant asks what's improving company's data security posture. The current classification system defines sensitive data as any information not publicly available. This approach is problematic because why? A, it doesn't consider the potential impact of a data breach. B, it creates an overly complex classification schema.

(18:27):
C, it doesn't differentiate between internal and external use. And D, it provides insufficient guidance for employees. Okay, so their current classification system defines sensitive data as any information not publicly available. Okay, so that's a lot, right? That's totally a lot. And what ends up happening is it doesn't really consider the

(18:50):
potential impact of a data breach, right? So not all non-public data has the same impact. So sensitive data should be further classified based on the potential harm of a breach. So you're going digging deeper into this. If you say, well, everything is sensitive. Well, okay, so you buy.

(19:11):
I'll use an example. I'm trying to find a good example in my head. As I sent an email to Bill about the deployment of an F5 load balancer, is considered sensitive. Well, I didn't tell him anything about IPs. I didn't tell him anything about the location of where it's going to be in the data center. I just said we have F5 load balancers and when are you going to put those in? That is not as sensitive as, okay, well, this is the IP

(19:33):
address, this is where it's at, this is so-and-so and so-and-so and so forth. That would be two separate things. And if I want bad guys to try to get in my network and they go, well, hey, you've got an F5 load balancer. Well, so what, right? I mean, I say that loosely because they could figure out ways to potentially pop the box on it, break it open. However, if I'm not given much more detail other than the

(19:54):
fact that it's a load balancer, it's not nearly to the same level of sensitivity as if I told them, hey, this one's in the DMZ, this is the IP address, hey, by the way, we have some vulnerabilities with it, but we're not able to patch because X, Y and Z. That is much more sensitive than just saying I have a load balancer. All right.

(20:14):
Question 13: a company implements a data loss prevention solution to prevent unauthorized data exfiltration. Which of the following data types would DLP be least effective in protecting? Okay, so they're implementing a DLP solution to prevent unauthorized data exfiltration. Which would be the least effective in protecting? A, customer credit card information stored

(20:36):
electronically. B, printed documents containing confidential trade secrets. C, employee messages with sensitive company information. Or D, all the above, because they all can be protected with DLP with proper configurations. And the answer is B, obviously, printed documents containing confidential trade secrets. Yeah, if they're not digital, DLP is not going to help you a

(20:56):
whole lot. Now, if they printed it off and it has a watermark across the front, that would help. I mean, it would help a little, but printed documents have always been a problem for DLP, for any sort of electronic data management. Question 14: your company is developing a new mobile map application that collects user geolocation data. What security considerations are most important when handling

(21:19):
this type of data? Okay so, new app collecting user geo data, and what are the most important things when handling this kind of information? A, implementing strong access controls and encryption for the data? B, obtaining explicit user consent for the data collection and usage? C, minimizing the amount of geolocation data collected to what is strictly necessary for the app and for the means, or

(21:43):
D, all of the above, they're all important. And the answer is D, all of the above, right, they're all very important. When you're dealing with this type of data, and obviously you get with Apple or any of these other ones, they have to allow the use of it, even though people click through it, and all of these are an important factor when you're dealing with geolocation data. Again, it's very sensitive. If I know where Bill is walking and

(22:06):
I'm a bad guy or girl and I want to go mug Bill, well, now I can follow and track him or her. I saw this in a, I'll just kind of a real quick tangent. I know of some very, I know of people that have, like, in the stars and individuals that are more out there. They have ways to track their kids, watch what their kids are

(22:29):
doing. Well, this is a good example of how they would do that. All right, the last question, question 15: a company experiences a data breach involving a database containing customer purchase history and product reviews. The scenario highlights the importance of what. Again, a company experienced a data breach involving a database containing customer purchase history and product reviews.

(22:52):
This highlights the importance of what? A, implementing multi-factor for all user accounts. B, regularly updating software and patching vulnerabilities. C, conducting penetration testing to identify and address security weaknesses. Or D, all of the above security practices, as they are important for preventing data breaches. And the answer is D, all of the above, right. Multi-factor is

(23:16):
important for all user accounts if you can do it. Regularly updating software and patching vulnerabilities is extremely important, and conducting pen tests to identify and address security weaknesses is extremely important. And conducting pen tests to identify and address security weaknesses is an important factor. Now, again, we talk about pen tests, though. Keep in mind, pen tests are only a point in time and space. They also are very targeted. They are not a broad brush assessment.

(23:37):
So pen tests are great, but they're not always the best for every situation. You have to kind of decide which is best for you and your organization. All right, that is all I have for today. So, if you like what you heard, go to CISSP Cyber Training, check it out. There's great information. My blueprint is there. It'll help you pass the CISSP, guaranteed it will.

(23:57):
It'll walk you through step by step by step. If you're interested in some consulting services, I've got that available to you as well. Through CISSP Cyber Training I've got, or through Reduce Cyber Risk, I've got mentoring. Through CISSP Cyber Training, there's mentoring available. I actually mentor quite a few individuals on their cybersecurity programs as well as through helping them grow

(24:19):
their cybersecurity businesses and their CISSP as well. So I'm here for you to give you the experience you need. I bring in 20 some years of experience with backgrounds from military to multinational corporations to now consulting, and I can help you. If you need it, I guarantee I can, and if I can't, I can also find you people that will help you with what you need.

(24:40):
All right, have a wonderful, wonderful day and we will catch you on the flip side. See ya.