You are the head of a public company's manufacturing department in Taiwan, an original equipment manufacturer (OEM) that accepts orders from around the globe. Your department has collected manufacturing parameters, accumulated rich experience to improve efficiency and optimize costs, and created sustainable competitive advantages. Which of the following is the most critical concern when protecting the manufacturing parameters from the perspective of intellectual property? A. The ownership of the parameters B. The secrecy of the parameters C. The innovation of the parameters D. The expression of the parameters
You are the head of the research and development (R&D) department. As the data owner of R&D data sets, you are responsible for classifying data and accountable for the results. Which of the following is the best criterion that justifies your classification decision? A. The importance or meaning to stakeholders B. The risk of the unauthorized disclosure of information C. The risk of the unauthorized modification or destruction of information D. The risk of the disruption of access to or use of information or an information system
On a broader scale, the US Dodd-Frank Act addresses record-keeping transparency. The US Comprehensive Capital Analysis and Review (CCAR) framework addresses data quality and management. In Europe, MiFID II addresses data collection processes, while Basel III contains data governance provisions within the context of risk management and capital adequacy concerns.
In China, the China Banking and Insurance Regulatory Commission (CBIRC) issued guidelines in May 2018 that include provisions for financial firms, assigning responsibility for setting up data governance systems, data quality control, and related incentive and accountability systems.
So, with a good handle on data governance traits and rules, firms may also deploy enterprise data management (EDM) and master data management (MDM) systems as a means to carry out the provisions made in data governance. These systems scrub, enrich and curate data to standardize how data is defined, and produce metadata that helps implement data governance frameworks with integrity, accountability and security.
With knowledge of the elements of data governance, both as part of a firm’s native efforts and its compliance requirements, management will be better equipped to do business in the markets and lower their operational and regulatory risk.
As the head of the research and development department, you are authorizing colleagues in your department access to resources. Which of the following best justifies your authorization decision? A. Background check B. Security clearance C. Job description D. Separation of duties
You are evaluating and selecting software vendors to customize the transportation management system in a procurement project. Which of the following is least likely to be part of the evaluation criteria for the vendor qualification? A. FOCI (Foreign Ownership, Control, and Influence) B. Capability Maturity Model Integration (CMMI) C. Software Assurance Maturity Model (SAMM) D. Common Criteria (ISO 15408)
Based on the NIST Risk Management Framework (RMF), you are categorizing the Transportation Management System (TMS) that handles the information types of Ground Transportation and Air Transportation. Which of the following is the most likely outcome of the system categorization? A. Public B. Moderate C. Confidential D. Catastrophic
Due Diligence (DD) is more specific than Due Care (DC) because DD has explicit “standards,” while DC is implicit and relies on a judge’s inner conviction per the prudent man rule.
Due Diligence (DD)
“Investigation” is a generally accepted “standard” of DD across industries. Some laws or regulations may define the standard of DD in certain subject domains. For example, the US regulation, 16 CFR § 682.3, defines the DD standard for the proper disposal of consumer information.
Generally speaking, DD emphasizes investigation as a preventive/proactive measure, establishing and maintaining the management system (policies, standards, procedures, controls, etc.) and ensuring its effectiveness.
Due Care (DC)
DC focuses on exercising best effort and reasonable care to conduct activities and to take preventive, detective, corrective, or recovery actions. However, it is not easy to measure the degree of effort that DC requires. That's why a defendant in court has to justify to the judge that he or she has exercised "due care."
DD and DC
It’s common for CISSP aspirants to use the following mnemonics:
Sanitization methods address the data remanence problem with different levels of effectiveness. Which of the following is the best method that makes data recovery and media reuse infeasible using state-of-the-art laboratory techniques per NIST SP 800-88 R1? A. Purge B. Destroy C. Degaussing D. Physical destruction