Asset Security
Drill 13 practice questions focused entirely on Asset Security for the ISC2 CISSP exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A security architect adopts a vendor-published security baseline for the organization's Windows servers. During implementation, she discovers that 12 legacy application servers cannot support one of the baseline's mandatory controls (a modern TLS cipher configuration) because doing so would break a critical business application that the vendor no longer updates. Management insists the application must remain operational. What is the MOST appropriate action for the architect to take regarding the baseline?
A hospital is consolidating three legacy databases into a single data warehouse. The combined dataset will contain patient names and addresses (classified Internal), appointment schedules (classified Internal), and diagnosis codes with treatment histories (classified Restricted). The data warehouse team asks the data owner what classification and handling requirements should apply to the consolidated repository. What is the MOST appropriate guidance?
A hospital is rolling out a new patient-portal system that stores electronic health records. Leadership asks who should be formally accountable for assigning the classification level of the patient data and approving who may access it. The IT infrastructure team manages the servers and encryption, while the compliance office monitors regulatory requirements. Which party should hold this accountability?
A product team is launching a new mobile fitness app. During design, they propose collecting the user's precise GPS location, full contact list, and device advertising ID, even though the core feature only requires the user's step count and general activity level. The privacy officer reviews the design before development begins. Which principle should the privacy officer invoke to challenge the proposed data collection?
A retail company collects customer purchase data and decides how and why it will be used for marketing analytics. It contracts a cloud analytics vendor to run the computations strictly according to the retailer's documented instructions. The vendor's operations team also manages the day-to-day storage, backups, and access controls for the hosted datasets. Under a privacy framework such as GDPR, how should the retailer and the vendor's operations team be classified?
A hospital's Chief Medical Officer is formally accountable for the classification and permissible uses of patient health records. She has directed that these records be classified as 'Highly Confidential.' A database administrator on the IT operations team is tasked with configuring nightly backups, applying encryption, and managing access control lists on the storage array that holds these records. During an audit, a reviewer asks who is filling the data custodian role for these records. Who is the data custodian in this scenario?
A financial analytics firm encrypts customer records at rest using AES-256 and secures all transfers with TLS 1.3. During a security review, an auditor notes that sensitive data is decrypted into system memory and processed in plaintext while running complex analytics workloads on shared virtualization hosts. Which technology BEST addresses the protection gap the auditor has identified?
A pharmaceutical company recently classified its drug formulation research as its most sensitive intellectual property. Investigators discovered that a departing researcher emailed several formulation spreadsheets to a personal cloud storage account over the previous month, and the activity went completely unnoticed. Management wants a technical control that will detect and block sensitive data leaving the organization through channels such as email, web uploads, and removable media in the future. Which control best meets this requirement?
A hospital is deploying a new electronic health records (EHR) system. The Chief Medical Officer decides which staff roles may view patient records and sets the sensitivity level for the data. The IT operations team configures the database access control lists, runs nightly backups, and applies encryption at rest per policy. During an audit, a reviewer asks who is accountable for defining the appropriate protection requirements for the patient data. Which party holds this responsibility?
A hospital plans to reassign a set of storage arrays that previously held highly sensitive patient records to a lower-sensitivity internal training environment. The arrays will remain within the organization and continue in service. The security team must ensure the previously stored patient data cannot be recovered while allowing the media to be reused. Which term best describes the process the team should perform on these arrays before reuse?
A hospital is decommissioning several servers that stored patient records on self-encrypting solid-state drives (SSDs). The drives will be returned to a leasing company at the end of the contract, so physical destruction is not permitted. The security team must ensure the sensitive data cannot be recovered before the drives leave the organization's control. Which method most reliably addresses data remanence for these SSDs?
A healthcare organization's legal team discovers that patient records from a closed clinic have been kept indefinitely on backup tapes, well beyond the 7-year period required by regulation. The chief privacy officer wants to reduce the organization's exposure from holding this excess data. Which practice, if it had been enforced, would MOST directly have prevented this situation?
A hospital's radiology department burns patient MRI images and reports onto DVDs and ships them via courier to a partner clinic for a second opinion. The security team is defining handling requirements for this workflow. Which control most directly addresses the classification level of the data while it is being physically transported on the DVDs?
More CISSP practice
Keep going with the other ISC2 CISSP — Certified Information Systems Security Professional domains, or take a full timed mock exam.
← Back to CISSP overview