
Chapter 5 Protecting Security of Assets

Written Lab

  1. Describe sensitive data.

    Sensitive data is any data that isn't public or unclassified. It includes personally identifiable information (PII), protected health information (PHI), proprietary data, and any other data that an organization needs to protect. PII is any information that can identify an individual.

  2. Identify the difference between EOL and EOS.

    End-of-life (EOL) identifies the date when a vendor plans to stop selling a product. End-of-support (EOS) identifies the date when a vendor plans to stop supporting a product. Organizations should replace products before the EOS date.

  3. Identify common uses of pseudonymization, tokenization, and anonymization.

    • Organizations use pseudonymization when they want to create a dataset that they can transfer to others. The new dataset doesn't hold any privacy data. However, the organization still holds the mapping of the pseudonyms and the original data and can reverse the process.
    • Organizations that process credit card data use tokenization. A third party holds the mapping of the token and the credit card data, but the organization doesn't need to maintain the credit card data.
    • Organizations use anonymization to remove all privacy data from a dataset. When this is done correctly, the GDPR no longer applies, but it's often possible to discover the original data.
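The three techniques above differ mainly in who, if anyone, keeps the mapping back to the original data. The following is an added illustration (not part of the study guide) with a constructed two-record dataset: the data owner keeps the pseudonym mapping, a stand-in token vault plays the third-party tokenization service, and anonymization keeps no mapping at all.

```python
import secrets
from typing import Dict, List, Tuple

# Constructed sample records (fictional people and test card numbers).
RECORDS = [
    {"name": "Ada Example", "email": "ada@example.org", "age": 34, "zip": "02139"},
    {"name": "Bob Sample", "email": "bob@example.org", "age": 41, "zip": "10001"},
]


def pseudonymize(records: List[dict]) -> Tuple[List[dict], Dict[str, dict]]:
    """Replace direct identifiers with random pseudonyms.

    The returned mapping stays with the data owner, which is what makes the
    process reversible for them and not for whoever receives the dataset."""
    mapping: Dict[str, dict] = {}
    shared = []
    for r in records:
        pid = "P-" + secrets.token_hex(4)
        mapping[pid] = {"name": r["name"], "email": r["email"]}
        shared.append({"id": pid, "age": r["age"], "zip": r["zip"]})
    return shared, mapping


def re_identify(shared: List[dict], mapping: Dict[str, dict]) -> List[dict]:
    """Only the mapping holder can do this step."""
    return [{**mapping[r["id"]], "age": r["age"], "zip": r["zip"]} for r in shared]


class TokenVault:
    """Stands in for the third-party token service: it alone maps token -> card."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)   # random, so no relation to the PAN
        self._store[token] = pan
        return token                            # the merchant stores only this

    def detokenize(self, token: str) -> str:
        return self._store[token]


def anonymize(records: List[dict]) -> List[dict]:
    """Drop direct identifiers and generalize quasi-identifiers; no mapping is kept."""
    return [
        {"age_band": f"{r['age'] // 10 * 10}-{r['age'] // 10 * 10 + 9}", "zip3": r["zip"][:3]}
        for r in records
    ]
```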

  4. Describe the difference between scoping and tailoring.

    Tailoring refers to modifying a list of controls to ensure they align with the mission of the organization. Tailoring includes scoping. Scoping refers to reviewing a list of baseline security controls and selecting only those controls that apply to the IT systems you're trying to protect.