Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. The development team is conducting threat modeling to identify potential threats to the database. Which of the following security control is least related to data at rest?
A. Data classification
B. Authorization
C. Storage redundancy
D. Data marking

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Data marking.

Data classification is the basis of the authorization; both enforce the confidentiality of data. Storage redundancy protects the availability of data.

Data marking enforces the confidentiality of data as well. It applies to printed reports or documents (data at rest). However, this question limits the context to the database or digital data, while data/security labeling is more appropriate for digital data. Moreover, labeling implies mandatory access control (MAC) is implemented. It’s a rare situation to implement MAC at the database level except for the military.

Labeling vs. Marking

A security label is machine-readable, while security marking is human-readable.

Security Label

The means used to associate a set of security attributes with a specific information object as part of the data structure for that object.

Source: NIST SP 800-53 Revision 4

Security Marking

The means used to associate a set of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies.

Source: NIST SP 800-53 Revision 4

Leave a Reply