Asset Security for CISSP
This page covers the Asset Security domain of the CISSP certification. Master Cybersecurity offers 46 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
An organization has been collecting a large amount of redundant and unusable data and filling up the storage area network (SAN). Management has requested the identification of a solution that will address ongoing storage problems. Which is the BEST technical solution?
- A. Compression
- B. Caching
- C. Replication
- D. Deduplication
Explanation
The correct answer is: D. Deduplication.
Deduplication is engineered specifically to eliminate redundant copies of data by storing a single instance of each unique block and replacing duplicates with pointers, which is the precise problem the SAN is experiencing; for backup-heavy and archive workloads it routinely reclaims 50 to 90 percent of capacity. Compression reduces the size of individual files via encoding but does not remove redundancy across files, so duplicate copies still each consume space. Caching keeps frequently accessed data on faster tiers to improve performance and does not reduce storage consumption at all. Replication intentionally creates additional copies for availability or disaster recovery and therefore increases rather than decreases storage usage. Deduplication directly targets the redundancy at the heart of the storage problem.
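The block-level mechanism the explanation describes (one stored copy per unique block, every later duplicate replaced by a reference to that copy) as an added Go example; this is illustrative code, not from the page or from any storage product. The 4-byte block size, the file names and the use of SHA-256 digests as block identifiers are assumptions made for the demonstration, and the sample "backups" are constructed.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// DedupStore is a toy content-addressed block store (example code): every
// unique block is kept exactly once under its SHA-256 digest, and a file is
// stored only as the ordered list of digests (references) it is made of.
type DedupStore struct {
	blockSize int
	blocks    map[[32]byte][]byte   // digest -> the single stored copy
	files     map[string][][32]byte // file name -> block references
}

func NewDedupStore(blockSize int) *DedupStore {
	return &DedupStore{
		blockSize: blockSize,
		blocks:    make(map[[32]byte][]byte),
		files:     make(map[string][][32]byte),
	}
}

// Put splits data into fixed-size blocks, stores each block it has not seen
// before, and records the file as references. It returns how many bytes were
// genuinely new, i.e. how much physical capacity this write consumed.
func (s *DedupStore) Put(name string, data []byte) int {
	added := 0
	refs := make([][32]byte, 0, len(data)/s.blockSize+1)
	for off := 0; off < len(data); off += s.blockSize {
		end := off + s.blockSize
		if end > len(data) {
			end = len(data) // final block may be short
		}
		chunk := data[off:end]
		digest := sha256.Sum256(chunk)
		if _, seen := s.blocks[digest]; !seen {
			s.blocks[digest] = append([]byte(nil), chunk...) // copy; don't alias caller's slice
			added += len(chunk)
		}
		refs = append(refs, digest)
	}
	s.files[name] = refs
	return added
}

// Get reassembles a file by following its references.
func (s *DedupStore) Get(name string) ([]byte, bool) {
	refs, ok := s.files[name]
	if !ok {
		return nil, false
	}
	var out []byte
	for _, digest := range refs {
		out = append(out, s.blocks[digest]...)
	}
	return out, true
}

// LogicalSize is what the files would occupy without deduplication.
func (s *DedupStore) LogicalSize() int {
	total := 0
	for _, refs := range s.files {
		for _, digest := range refs {
			total += len(s.blocks[digest])
		}
	}
	return total
}

// PhysicalSize is what the store actually holds on "disk".
func (s *DedupStore) PhysicalSize() int {
	total := 0
	for _, b := range s.blocks {
		total += len(b)
	}
	return total
}

func main() {
	// Constructed sample: two nightly backups that share most of their blocks.
	s := NewDedupStore(4)
	s.Put("backup-monday", []byte("AAAABBBBAAAACCCC"))
	s.Put("backup-tuesday", []byte("AAAABBBBDDDD"))
	fmt.Printf("logical %d bytes, physical %d bytes\n", s.LogicalSize(), s.PhysicalSize())
}
```

The gap between LogicalSize and PhysicalSize is the capacity a SAN reclaims; the second backup costs almost nothing because its blocks already exist. Real products use variable-length chunking and a persistent index, but the dedup ratio comes from exactly this digest-and-reference bookkeeping.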
Question 2
A company is enrolled in a hard drive reuse program where decommissioned equipment is sold back to the vendor when it is no longer needed. The vendor pays more money for functioning drives than equipment that is no longer operational. Which method of data sanitization would provide the MOST secure means of preventing unauthorized data loss, while also receiving the MOST money from the vendor?
- B. Pinning
- B. Single-pass wipe
- C. Multi-pass wipes
- D. Degaussing
Explanation
The correct answer is: C. Multi-pass wipes.
Multi-pass overwrites correspond to the Purge level of NIST SP 800-88 Rev. 1 media sanitization for magnetic drives, providing resistance to laboratory-grade recovery techniques while leaving the drive electrically and mechanically functional and therefore eligible for the vendor's higher resale price. A single-pass wipe maps to the Clear level and is acceptable for low-sensitivity data, but for the most secure outcome on reusable magnetic media multi-pass overwriting is the stronger choice. Degaussing falls under Destroy because the magnetic field that erases the data also corrupts the servo tracks and renders the drive permanently inoperable, eliminating resale value. Pinning is a memory and CPU concept unrelated to media sanitization and does not erase persistent storage. Multi-pass wiping therefore uniquely satisfies both criteria of strong sanitization and continued drive functionality.
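The overwrite-and-verify loop that a multi-pass wipe performs, as an added Go example that is not from the page or from any sanitization tool. It writes each pattern over the target, syncs, reads the range back and compares digests, so every pass is checked rather than assumed. The three-pass sequence (zeros, ones, random), the 4 KiB chunk size and the temp-file target are assumptions made for the demonstration; the sample image content is constructed.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
	"os"
)

// OverwritePasses overwrites the first size bytes of the target at path once
// per entry in patterns, syncing and reading every pass back to confirm it
// landed. A pattern is repeated to fill the target; a nil pattern means
// cryptographically random bytes. It returns how many passes were written
// and verified. (Example code: the digest comparison is the verification.)
func OverwritePasses(path string, size int64, patterns [][]byte) (int, error) {
	f, err := os.OpenFile(path, os.O_RDWR, 0)
	if err != nil {
		return 0, err
	}
	defer f.Close()

	buf := make([]byte, 4096)
	verified := 0
	for i, pattern := range patterns {
		// Write pass: stream the pattern (or random data) over the target,
		// hashing what is sent so the read-back can be checked without
		// holding the whole image in memory.
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return verified, err
		}
		written := sha256.New()
		for remaining := size; remaining > 0; {
			n := int64(len(buf))
			if remaining < n {
				n = remaining
			}
			chunk := buf[:n]
			if pattern == nil {
				if _, err := rand.Read(chunk); err != nil {
					return verified, err
				}
			} else {
				for j := range chunk {
					chunk[j] = pattern[j%len(pattern)]
				}
			}
			if _, err := f.Write(chunk); err != nil {
				return verified, err
			}
			written.Write(chunk)
			remaining -= n
		}
		if err := f.Sync(); err != nil {
			return verified, err
		}

		// Verify pass: read the same range back and compare digests.
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return verified, err
		}
		readBack := sha256.New()
		if _, err := io.CopyN(readBack, f, size); err != nil {
			return verified, err
		}
		if !bytes.Equal(written.Sum(nil), readBack.Sum(nil)) {
			return verified, fmt.Errorf("pass %d: read-back differs from what was written", i+1)
		}
		verified++
	}
	return verified, nil
}

func main() {
	// Constructed sample: a small "disk image" file full of recognisable data.
	f, err := os.CreateTemp("", "wipe-demo-*.img")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.Remove(f.Name())
	f.Write(bytes.Repeat([]byte("SECRET"), 2000))
	f.Close()

	// Zeros, then ones, then random: a classic three-pass sequence.
	n, err := OverwritePasses(f.Name(), 12000, [][]byte{{0x00}, {0xFF}, nil})
	fmt.Printf("verified passes: %d, err: %v\n", n, err)
}
```

Two practitioner points the loop makes visible: a sanitization tool runs this against the raw block device, not a file inside a filesystem, because journaling, copy-on-write and SSD wear-levelling leave stale copies that a file-level overwrite never reaches; and the read-back is what turns an overwrite into evidence that can go in the sanitization record for the reuse program.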
Question 3
An organization is looking to include mobile devices in its asset management system for better tracking. In which system tier of the reference architecture would mobile devices be tracked?
- A. 0
- B. 1
- C. 2
- D. 3
Explanation
The correct answer is: D. 3.
In the federal reference architecture inspired by NIST SP 800-39 and adopted in many enterprise asset frameworks, Tier 0 corresponds to facilities and supporting infrastructure, Tier 1 to organizational governance, Tier 2 to mission and business processes, and Tier 3 to the information systems and the endpoint and enterprise hardware that participate in them; mobile devices belong at Tier 3 because they are enterprise endpoints used by employees to access systems and data. Tier 0 placement misallocates an endpoint to facility infrastructure. Tier 1 governance and Tier 2 business processes are organizational and process layers that do not directly track physical devices. Putting mobile devices at Tier 3 aligns asset management with the layer that actually represents enterprise computing assets, where MDM enrollment, configuration baselines, and lifecycle tracking are applied.
Question 4
Which of the following is the BEST way to protect an organization's data assets?
- A. Encrypt data in transit and at rest using up-to-date cryptographic algorithms.
- B. Monitor and enforce adherence to security policies.
- C. Require Multi-Factor Authentication (MFA) and Separation of Duties (SoD).
- D. Create the Demilitarized Zone (DMZ) with proxies, firewalls and hardened bastion hosts.
Explanation
The correct answer is: A. Encrypt data in transit and at rest using up-to-date cryptographic algorithms.
Encrypting data both in transit (TLS, IPsec) and at rest (AES-256 on disks, databases, and backups) with current algorithms protects the data itself, so that even if perimeter, network, or access controls fail, the data remains unreadable to anyone lacking the keys; this is the canonical CISSP defense-in-depth control for protecting data assets. Monitoring and enforcing policy adherence is a governance control that catches deviations but does not by itself render stolen data unusable. MFA and separation of duties protect access pathways and reduce insider fraud but do nothing for data already exfiltrated or sitting on a stolen disk. A DMZ with proxies, firewalls, and bastion hosts is a network-segmentation control that protects perimeters but leaves data on internal systems exposed to insider and lateral-movement threats. Encryption applied to the data itself is the strongest, most direct protection.
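The at-rest half of the answer as an added Go example, not code from the page: each record is sealed with AES-256-GCM, and the record's identifier is bound in as additional authenticated data so a ciphertext copied into another record's slot is rejected. The key handling is deliberately minimal; the remark that a production key is generated and wrapped by a KMS or HSM describes a typical deployment and is an assumption, and the sample record and label are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts one record for storage with AES-256-GCM. The label (for
// example the record's primary key or file path) is bound in as additional
// authenticated data, so a ciphertext cannot be silently moved to another
// record. Output layout: nonce || ciphertext || GCM tag.
func Seal(key, label, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record: nonce reuse under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or label makes
// gcm.Open fail: without the key the stored bytes are unreadable, and with
// it any tampering is detected before plaintext is released.
func Open(key, label, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], label)
}

// NewDataKey returns a random 256-bit key. In a real deployment (assumption)
// this key is generated and wrapped by a KMS or HSM, never stored beside the data.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, _ := NewDataKey()
	// Constructed sample record and label.
	blob, _ := Seal(key, []byte("customer:1001"), []byte("balance=1500.00"))
	fmt.Printf("stored %d bytes of ciphertext\n", len(blob))
	pt, err := Open(key, []byte("customer:1001"), blob)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)
	_, err = Open(key, []byte("customer:1002"), blob) // same bytes, wrong record
	fmt.Printf("moved to another record: err=%v\n", err)
}
```

The design point behind the answer is visible in Open: a stolen disk or database dump yields only nonce, ciphertext and tag, and the controls that actually matter shift to where the key lives and who can call the KMS, which is why encryption at rest is paired with key management rather than treated as a checkbox.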
Question 5
What is the term used to define where data is geographically stored in the cloud?
- A. Data privacy rights
- B. Data sovereignty
- C. Data warehouse
- D. Data subject rights
Explanation
The correct answer is: B. Data sovereignty.
Data sovereignty refers to the principle that data is subject to the laws and regulations of the country in which it is physically stored, which is the precise concept used to describe where data is geographically located in a cloud environment; it is the driver behind cloud-region selection, data-residency clauses, and cross-border-transfer restrictions under regimes such as GDPR Chapter V. Data privacy rights describe the rights of individuals (access, rectification, erasure) and do not name the geographic-storage concept. A data warehouse is an analytic store and a technology pattern, not a geographic concept. Data subject rights refers specifically to the rights of individuals under privacy law. Sovereignty is the term that captures both the geographic location and the legal regime that attaches to data held in that location.
Other CISSP domains
- Communication and Network Security (58 questions)
- Identity and Access Management (IAM) (55 questions)
- Security and Risk Management (75 questions)
- Security Architecture and Engineering (71 questions)
- Security Assessment and Testing (54 questions)
- Security Operations (68 questions)
- Software Development Security (57 questions)