Domain 5: Security Operations

Store the documents on their personal laptops

Share the documents via unsecured email

Save the documents on a secure company server, apply appropriate access controls, and classify the data according to its sensitivity

Upload the documents to a public file-sharing service

Store the information in plaintext

Use encrypted storage, implement strong access controls, and ensure regular backups of the data

Allow all employees to access the information

Disable all backup processes

Allow unrestricted access to customer data

Use secure access methods, log all access activities, and implement data integrity checks

Share customer data with external parties without verification

Keep no record of data access activities

Share the strategy via public social media platforms

Send the strategy via unencrypted email

Allow anyone to download the strategy from the internet

Ensure the consultant has proper authorization, use encrypted communication methods, and apply data loss prevention techniques

Delete the files and throw the hard drives away

Use a certified data destruction method such as degaussing to render the hard drives unreadable, followed by physical destruction of the drives

Sell the hard drives without wiping them

Store the hard drives indefinitely

Allow all employees to access the data

Send the data via regular postal mail

Store the data on public servers

Restrict access to a limited number of authorized personnel, use strong encryption for storage and transmission, and implement stringent access controls and monitoring

It allows data to be shared freely

It ensures that everyone who handles the data is aware of its sensitivity and the required security measures, reducing the risk of accidental exposure or mishandling

It permits unrestricted access to the data

It has no impact on data security

Securely destroy records that have exceeded the retention period according to its data destruction policy

Keep the records indefinitely

Move the records to a public server

Sell the records to third parties

Only the user IDs

User ID and system activities, timing of key events, device and location identity, successful and rejected access attempts, system configuration changes, and system protection activation and deactivation

Only the timing of key events

Only successful access attempts

Hash function

Plaintext

Ciphertext

Encryption