
Domain 2 Capstone: Asset Security

CISSP Domain 2 — Asset Security Capstone — All Sections 20 Questions

Executive Pattern Summary

Domain 2 is smaller than Domain 1 but more tightly integrated. Every topic connects to every other topic. Before working through these capstone questions, internalize these five decision patterns that run through the entire domain:

  1. Classification is the foundation. Every handling decision, every access control, every destruction method, and every compliance requirement traces back to how the data was classified. When a scenario describes a protection failure, check classification first. If data was classified incorrectly — or not at all — everything downstream is built on sand.
  2. Ownership creates accountability. Data without an owner has no one responsible for classification, access decisions, or retention governance. When you see a scenario where controls are inconsistent or missing, look for the ownership gap. The data owner decides; the custodian implements; the user complies.
  3. Controls must match the data state. Data at rest, in transit, and in use each require different controls. A control that works for one state may be irrelevant for another. When the question describes a data exposure, identify which state the data was in when the failure occurred.
  4. Retention is active governance. Keeping data too long is a liability. Destroying data too early is a violation. Legal holds override schedules. Destruction must be verified across all copies. When a retention question appears, the answer involves a documented schedule, legal hold awareness, and verifiable destruction.
  5. Compliance follows the data, not the server. GDPR applies to EU residents' data regardless of where the server sits. PCI DSS applies wherever cardholder data exists. Data sovereignty means the physical location of storage creates legal obligations. When a scenario crosses jurisdictions, trace the data to find the applicable framework.

Domain 2 – Capstone Questions


Question 1

A government contractor receives a classified document marked "Secret." The document must be shared with a team member who holds a Top Secret clearance but is assigned to a different program with no connection to the document's subject matter.

Should the document be shared?

A. Yes — Top Secret clearance exceeds the Secret classification level
B. Yes — government contractors can share classified documents within the same organization
C. No — the team member lacks need-to-know for this specific document, which is required regardless of clearance level
D. No — classified documents cannot be shared outside the originating program under any circumstances

Answer & reasoning

Correct: C

Access to classified information requires both appropriate clearance and a specific need-to-know. A Top Secret clearance satisfies the clearance requirement, but being assigned to an unrelated program means there is no established need-to-know. Clearance is necessary but not sufficient. Need-to-know must be verified for each specific piece of information.


Question 2

An organization's CMDB shows 2,400 servers. A vulnerability scan discovers 2,700 active IP addresses responding on the network. The 300 additional devices are not in any inventory system.

What is the MOST significant risk these unmanaged devices represent?

A. They consume bandwidth that should be allocated to managed devices
B. They represent shadow IT that cannot be patched, monitored, or governed, creating blind spots in the security program
C. They indicate the vulnerability scanner is generating false positives
D. They are likely test systems that do not require inventory tracking

Answer & reasoning

Correct: B

Devices outside the CMDB are invisible to the security program. They do not receive patches, are not included in vulnerability management, are not monitored for threats, and have no assigned owner accountable for their security posture. The gap between inventory and reality is one of the most common sources of breach exposure. Assuming they are test systems (D) is the exact governance failure the scenario describes.


Question 3

A security audit reveals that a database containing customer Social Security numbers is classified as "Internal Use Only" — the second-lowest classification tier. The organization's classification policy defines SSNs as requiring "Confidential" treatment.

Who is accountable for correcting the classification?

A. The data owner, who is responsible for assigning and reviewing classification based on the data's sensitivity
B. The database administrator, who manages the technical infrastructure
C. The security team, who should override the classification
D. The compliance officer, who monitors regulatory requirements

Answer & reasoning

Correct: A

The data owner is accountable for classification decisions. The database administrator is the custodian who implements controls based on the owner's classification. The security team advises and monitors but does not own the classification decision. The compliance officer identifies requirements but does not assign classifications. The data owner must correct the under-classification and ensure handling controls are updated to match.


Question 4

A company decommissions 200 laptops that were used by the sales team. The laptops had full-disk encryption enabled. The IT team plans to donate the laptops to a local school and proposes destroying the encryption keys as the sole sanitization method.

Is cryptographic erasure sufficient in this scenario?

A. Yes — destroying the encryption keys renders the encrypted data unrecoverable
B. No — the laptops must also be physically destroyed before donation
C. Yes — but only if the encryption used AES-256 or stronger
D. No — crypto-erasure addresses encrypted volumes but any data stored outside the encrypted volume (swap files, temporary directories, recovery partitions) may remain accessible

Answer & reasoning

Correct: D

Full-disk encryption with key destruction is effective for data within the encrypted volume. However, laptops may have unencrypted recovery partitions, BIOS-level data, or configurations that were not covered by the encryption. When devices leave organizational control, the sanitization method must account for all possible data locations, not just the primary encrypted volume. A secondary verification step (such as secure erase of the entire drive) provides additional assurance.


Question 5

A healthcare system generates billing data that is subject to both HIPAA (as it contains PHI) and PCI DSS (as it contains payment card numbers). The security team proposes applying HIPAA controls uniformly across the billing system.

Why is this approach insufficient?

A. HIPAA controls are always weaker than PCI DSS controls
B. PCI DSS has specific technical requirements for cardholder data (network segmentation, encryption standards, logging) that HIPAA does not prescribe at the same level of specificity
C. HIPAA does not apply to billing data
D. PCI DSS supersedes HIPAA in all healthcare scenarios

Answer & reasoning

Correct: B

HIPAA and PCI DSS have different control requirements. PCI DSS is more prescriptive about specific technical controls for cardholder data, including network segmentation, encryption of data in transit across public networks, and detailed logging requirements. HIPAA provides a risk-based framework with "addressable" controls. Applying only HIPAA controls may leave PCI DSS requirements unmet. When data is subject to multiple frameworks, each framework's specific requirements must be satisfied.


Question 6

An organization's retention schedule specifies a five-year retention period for employee performance reviews. The legal department issues a litigation hold related to a wrongful termination lawsuit. The hold covers all performance documentation for the affected department.

A performance review for an employee in the affected department is six years old — past the retention period.

What should happen to this review?

A. Destroy it per the retention schedule since the five-year period has expired
B. Archive it for an additional five years as a precaution
C. The legal hold preserves it regardless of the retention schedule — it must be retained until the hold is lifted
D. Transfer it to the legal department and remove it from the HR system

Answer & reasoning

Correct: C

A legal hold overrides the retention schedule for all potentially relevant data, including data that has exceeded its normal retention period. The document must be preserved in place until the legal hold is lifted. Destroying it would constitute spoliation of evidence. The hold applies to the department's performance documentation broadly, and a six-year-old review for an employee in the affected department falls within scope.


Question 7

A bank's data loss prevention system detects that a customer service representative is emailing customer account lists to a personal email address. The DLP system is configured to alert but not block.

What should the security team do FIRST?

A. Block the representative's email access and begin an investigation into the scope and intent of the data transfer
B. Send the representative a reminder about the acceptable use policy
C. Reconfigure DLP to block all outbound emails containing customer data
D. Report the incident to law enforcement immediately

Answer & reasoning

Correct: A

The immediate priority is stopping the data exfiltration and preserving evidence. Blocking email access prevents further data loss while an investigation determines the scope (how much data was sent, to whom, over what period) and intent (malicious theft, convenience, or accidental). A policy reminder (B) does not stop the bleeding. Reconfiguring DLP globally (C) is a long-term fix, not an incident response. Law enforcement (D) may be appropriate later but is not the first action.


Question 8

An organization uses dynamic data masking in its production CRM system. Customer service agents see only the last four digits of credit card numbers when viewing customer records. A database administrator discovers that the masking is applied at the application layer — anyone with direct database access can see the full card numbers.

What is the security gap?

A. Dynamic masking should be replaced with static masking for all users
B. The masking is applied at the wrong layer — database-level controls should enforce masking regardless of access path to prevent bypass through direct queries
C. Customer service agents should not have access to any card data, even masked
D. Application-layer masking is always sufficient for PCI DSS compliance

Answer & reasoning

Correct: B

Application-layer masking only protects data when accessed through the application. Direct database access (through SQL tools, reporting queries, or administrative interfaces) bypasses the masking entirely. The control must be enforced at the data layer so that masking applies regardless of the access path. This is a defense-in-depth issue — the control exists but can be circumvented.
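As an added illustration of this scenario (example code, not part of the original question set): the application masks what it displays, but the same database credentials return full card numbers to anyone who runs the query directly. Moving the control into the database closes the bypass. Here SQLite's authorizer hook stands in for the column-level privileges or native dynamic-masking feature of a production RDBMS, and the card values are constructed test patterns, not real data.

```python
import sqlite3

# Constructed sample data (standard test PANs, not real cards).
SAMPLE_CARDS = [(1, "4111111111111111"), (2, "5555555555554444")]


def setup_db():
    """In-memory stand-in for the CRM database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer_id INTEGER PRIMARY KEY, pan TEXT NOT NULL)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_CARDS)
    # Sanctioned read path: the view itself performs the masking.
    conn.execute(
        "CREATE VIEW cards_masked AS "
        "SELECT customer_id, '************' || substr(pan, -4) AS pan_masked FROM cards"
    )
    conn.commit()
    return conn


def mask_in_app(pan):
    """Application-layer masking: runs after the full PAN has already left the database."""
    return "*" * (len(pan) - 4) + pan[-4:]


def application_layer_scenario():
    """The agent-facing code masks, but the same credentials expose full PANs via direct SQL."""
    conn = setup_db()
    rows = conn.execute("SELECT customer_id, pan FROM cards ORDER BY customer_id").fetchall()
    agent_view = [(cid, mask_in_app(pan)) for cid, pan in rows]
    # Anyone who can run the query directly sees what mask_in_app() never touched.
    direct = [pan for _, pan in rows]
    return agent_view, direct


def enforce_data_layer_masking(conn):
    """Enforce masking in the database: cards.pan may only be read by the masking view.

    SQLite's authorizer is used here as a stand-in for the column-level privileges or
    dynamic-masking feature of a production RDBMS (an assumption for this example).
    """
    def authorizer(action, table, column, db_name, via):
        if action == sqlite3.SQLITE_READ and table == "cards" and column == "pan":
            # 'via' names the view or trigger performing the read; None means top-level SQL.
            return sqlite3.SQLITE_OK if via == "cards_masked" else sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def data_layer_scenario():
    """With enforcement in the database, every access path gets the same masked result."""
    conn = setup_db()
    enforce_data_layer_masking(conn)
    via_view = conn.execute(
        "SELECT customer_id, pan_masked FROM cards_masked ORDER BY customer_id"
    ).fetchall()
    try:
        conn.execute("SELECT pan FROM cards").fetchall()  # the direct-query bypass
        direct_blocked = False
    except sqlite3.DatabaseError:  # SQLite reports "not authorized"
        direct_blocked = True
    return via_view, direct_blocked


if __name__ == "__main__":
    print(application_layer_scenario())
    print(data_layer_scenario())
```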


Question 9

A multinational company stores European customer data on servers in its Singapore data center. The company has Standard Contractual Clauses in place for the EU-to-Singapore transfer. Singapore then enacts a new law requiring all financial data of Singapore residents to be stored domestically.

What new compliance challenge has emerged?

A. The SCCs for EU data transfers are invalidated by Singapore's new law
B. Singapore's law affects only Singapore resident data and does not conflict with the existing EU data transfer arrangement
C. The company must now manage overlapping sovereignty requirements — EU data transfer rules for European customers and Singapore localization rules for Singaporean financial data — potentially requiring data segregation by jurisdiction
D. The company should move all data back to the EU to avoid both requirements

Answer & reasoning

Correct: C

The company now faces two parallel sovereignty requirements. EU data must satisfy GDPR transfer mechanisms (SCCs are in place). Singapore financial data must remain in Singapore. If the same infrastructure handles both, the company likely needs to segregate data by jurisdiction and apply different governance rules to each. The SCCs are not invalidated (A) — they address a different data flow. Moving everything to the EU (D) would violate Singapore's localization requirement for Singaporean data.


Question 10

An organization classifies its data into four tiers: Public, Internal, Confidential, and Restricted. A security review finds that the handling procedures document defines different storage, transmission, and access controls for each tier except Restricted — the highest tier has no defined handling procedures.

What is the MOST likely consequence of this gap?

A. Restricted data will be handled inconsistently because custodians have no documented guidance on what controls to apply
B. Restricted data is automatically protected because everyone knows it is the highest tier
C. The classification scheme should be reduced to three tiers
D. The security team should apply Confidential-tier handling to Restricted data as an interim measure

Answer & reasoning

Correct: D

Without documented handling procedures, Restricted data will receive inconsistent treatment. Some custodians may apply Confidential controls, others may improvise, and some may apply no controls at all. The immediate remedy is applying the next-lower tier's documented procedures as a minimum baseline while developing Restricted-specific procedures. Assuming everyone "just knows" (B) is the governance failure the scenario describes. Reducing tiers (C) avoids the problem rather than solving it.


Question 11

A SaaS provider stores customer data across multiple cloud regions for performance. A customer audit reveals that the provider cannot confirm which specific regions store which customer's data at any given time due to dynamic load balancing.

Why is this a problem for the customer?

A. Dynamic load balancing degrades application performance
B. The customer cannot confirm compliance with data sovereignty and localization requirements if data location is indeterminate
C. Multi-region storage is always more expensive than single-region
D. The SaaS provider is responsible for all compliance obligations, not the customer

Answer & reasoning

Correct: B

If the customer's data is subject to sovereignty or localization laws, the customer must be able to demonstrate that data resides only in permitted jurisdictions. When the SaaS provider cannot confirm data location, the customer cannot satisfy regulatory audit requirements. Compliance obligations typically remain with the data controller (the customer), even when processing is outsourced to a provider. The customer must contractually require geographic restrictions and verification.


Question 12

During an annual review, the records management team discovers that backup tapes from a decommissioned HR system are still stored in an offsite vault. The tapes contain employee SSNs and were backed up seven years ago. The retention policy for HR data is five years. No legal hold applies.

What is the correct course of action?

A. Keep the tapes as a precaution in case a future legal hold is issued
B. Return the tapes to the data center for reuse
C. Transfer the tapes to the HR department for their records
D. Verify no legal hold applies, then destroy the tapes using a method appropriate for the media type and data sensitivity, and document the destruction with a certificate

Answer & reasoning

Correct: D

The data has exceeded its five-year retention period by two years. With no legal hold in place, the organization is obligated to destroy the data per its retention schedule. Continued storage creates unnecessary liability and potential discovery exposure. Destruction must be appropriate for the media (tapes) and the sensitivity (SSNs) and must be documented with a certificate of destruction.


Question 13

A company's development team needs to test a new analytics feature using production-quality data. The production database contains customer PII including names, email addresses, and purchase history. The test environment has fewer access controls than production.

What approach should the security manager recommend?

A. Grant the development team temporary read access to the production database
B. Copy the production database directly to the test environment with encryption
C. Create a statically masked copy of the production data that preserves data structure and relationships without containing actual PII
D. Allow testing with production data if developers sign non-disclosure agreements

Answer & reasoning

Correct: C

Static data masking creates an irreversibly altered copy that preserves the data's structure, relationships, and statistical properties while replacing all PII with fictitious values. This gives developers realistic test data without exposing actual customer information. Production access (A) introduces unnecessary risk. Encrypted copies (B) still contain real PII once decrypted. NDAs (D) are a legal control, not a technical one, and do not prevent accidental exposure in a less-controlled environment.
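An added example of the recommended approach (not from the original page): a static masking routine that replaces names and e-mail addresses with keyed pseudonyms so that purchase rows still join to their customer rows, then discards the key so the copy cannot be reversed. The customer and purchase rows are constructed sample data, and the name pool and `.invalid` e-mail domain are choices made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample "production" rows (fictitious people, not real PII).
CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com"},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.org"},
]
PURCHASES = [
    {"email": "alice@example.com", "sku": "SKU-100", "amount": 42.50},
    {"email": "alice@example.com", "sku": "SKU-200", "amount": 9.99},
    {"email": "bob@example.org", "sku": "SKU-100", "amount": 42.50},
]
FAKE_NAMES = ["Customer One", "Customer Two", "Customer Three", "Customer Four"]


def _pseudonym(key, value, length=10):
    """Keyed, deterministic replacement: equal inputs map to equal outputs within one run."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:length]


def mask_email(key, email):
    # .invalid is a reserved TLD, so masked addresses can never reach a real mailbox.
    return f"user-{_pseudonym(key, email)}@test.invalid"


def mask_name(key, name):
    return FAKE_NAMES[int(_pseudonym(key, name, 8), 16) % len(FAKE_NAMES)]


def static_mask(customers, purchases):
    """Produce the masked copy for the test environment.

    A fresh random key drives every substitution, so purchases still join to customers
    by e-mail. The key is never stored, which makes the copy irreversible.
    """
    key = secrets.token_bytes(32)
    masked_customers = [
        {"id": c["id"], "name": mask_name(key, c["name"]), "email": mask_email(key, c["email"])}
        for c in customers
    ]
    masked_purchases = [
        {"email": mask_email(key, p["email"]), "sku": p["sku"], "amount": p["amount"]}
        for p in purchases
    ]
    del key  # discard the masking key: no one can map pseudonyms back to real values
    return masked_customers, masked_purchases


def purchases_per_customer(customers, purchases):
    """Join on e-mail; the masked dataset must keep the same shape as production."""
    by_email = {}
    for p in purchases:
        by_email[p["email"]] = by_email.get(p["email"], 0) + 1
    return {c["id"]: by_email.get(c["email"], 0) for c in customers}


def leaks_original_pii(originals, masked_customers, masked_purchases):
    """True if any original name or e-mail survives anywhere in the masked copy."""
    real = {c["email"] for c in originals} | {c["name"] for c in originals}
    seen = {c["email"] for c in masked_customers} | {c["name"] for c in masked_customers}
    seen |= {p["email"] for p in masked_purchases}
    return bool(real & seen)
```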


Question 14

An organization encrypts all data at rest in its cloud database using AES-256. A penetration test reveals that the database connection does not use TLS — queries and results travel in plaintext between the application servers and the database.

Which data state is exposed?

A. Data at rest
B. Data in use
C. Data in archive
D. Data in transit

Answer & reasoning

Correct: D

Data at rest is protected by AES-256 encryption in the database. However, when queries travel between the application and the database without TLS, the data is exposed during transit. An attacker who can intercept network traffic between the application and database can capture query results containing sensitive data in plaintext. Each data state requires its own protection — encryption at rest does not protect data in transit.


Question 15

A security manager discovers that the organization has 14 different SaaS applications storing customer data. Only three of these were procured through the official IT procurement process. The remaining 11 were purchased directly by business units using corporate credit cards.

What governance failure does this represent?

A. Shadow IT — assets provisioned outside the governance framework cannot be assessed for security, included in the data inventory, or governed by organizational policies
B. The corporate credit card policy needs stricter spending limits
C. Business units should be prohibited from using SaaS applications
D. The IT procurement process is too slow and should be eliminated

Answer & reasoning

Correct: A

When business units procure SaaS applications outside the official process, those applications are not assessed for security risks, not included in data inventories, not governed by data protection policies, and not evaluated for regulatory compliance. The customer data in these 11 applications is effectively unmanaged from a security perspective. The solution is not to eliminate SaaS or slow down procurement, but to ensure all applications go through a governance process that evaluates security, compliance, and data handling before deployment.


Question 16

A retail organization implements tokenization for credit card data at the point of sale. The tokens flow through the inventory system, the loyalty program, and the customer support platform. Only the payment gateway and the token vault handle actual card numbers.

What is the PRIMARY benefit from a compliance perspective?

A. Tokenization eliminates the need for PCI DSS compliance entirely
B. The inventory, loyalty, and support systems are removed from PCI DSS scope because they never handle actual cardholder data
C. Tokens provide stronger encryption than AES-256
D. The payment gateway no longer requires PCI DSS controls

Answer & reasoning

Correct: B

Tokens have no exploitable value — they cannot be reversed to reveal the original card number without access to the token vault. Systems that only handle tokens are not part of the cardholder data environment and fall outside PCI DSS audit scope. This dramatically reduces compliance cost and complexity. PCI DSS still applies to the payment gateway and token vault (so A and D are wrong). Tokenization is not encryption (C) — it is a substitution mechanism.


Question 17

An organization maintains a data classification policy that requires annual review of all classifications. The policy was implemented three years ago. No reviews have been conducted. During that time, the organization began collecting biometric data for building access, which is not addressed in the current classification scheme.

What is the MOST significant risk?

A. Biometric data is being collected without a classification, meaning no handling procedures, access controls, or retention rules apply to it
B. The annual review deadline was missed, creating a minor administrative finding
C. Biometric data does not require classification because it is not personally identifiable
D. The classification policy needs more tiers to accommodate new data types

Answer & reasoning

Correct: A

Biometric data is highly sensitive and regulated in many jurisdictions. Without a classification, there are no defined handling requirements, no access controls tied to sensitivity, no retention rules, and no destruction procedures. The missed reviews are not a minor administrative issue (B) — they allowed a new, sensitive data type to operate entirely outside the governance framework. Biometric data is PII (C is wrong). The existing tiers may be sufficient if the data is classified into one of them (D).


Question 18

A company terminates its contract with a cloud storage provider. The contract includes a clause requiring the provider to delete all customer data within 30 days of termination. The company's data was encrypted with keys managed by the company, not the provider.

What is the BEST approach to ensure data protection after termination?

A. Trust the provider's contractual obligation and do nothing further
B. Request a certificate of destruction from the provider after 30 days
C. Extend the contract for 90 days to allow time for a thorough deletion process
D. Perform crypto-shredding by destroying the encryption keys under the company's control, then verify the provider's deletion process and obtain a certificate of destruction

Answer & reasoning

Correct: D

The strongest approach combines immediate technical assurance with procedural verification. Destroying the encryption keys (crypto-shredding) renders the stored data unrecoverable even if the provider's deletion process is incomplete. Then verifying the provider's deletion and obtaining a certificate of destruction provides documented evidence for compliance purposes. Relying solely on the contract (A) provides legal but not technical assurance. A certificate alone (B) provides documentation but not technical certainty.


Question 19

A security manager reviews an incident report showing that a departing employee copied 50 GB of proprietary engineering files to a personal USB drive on their last day. The DLP system detected the transfer but was configured to alert only, not block. The employee's access had not been revoked despite a two-week resignation notice.

Which failure is MOST significant from a governance perspective?

A. The DLP system should have been configured to block USB transfers for employees in their notice period
B. The offboarding process failed to restrict or monitor access during the notice period for an employee with access to proprietary data
C. USB ports should be disabled on all workstations
D. The engineering files should have been classified at a higher level

Answer & reasoning

Correct: A

While multiple controls failed, the most significant governance failure is the DLP configuration. The system detected the exfiltration in real time but was not configured to prevent it. For employees in their notice period with access to proprietary data, DLP should be set to block, not just alert. The offboarding process (B) also failed, but even with that gap, a properly configured DLP system would have prevented the data loss. Technical preventive controls are more reliable than process-dependent detective controls when the risk is foreseeable.


Question 20

An organization operates in the EU and processes personal data of EU residents. A cloud architect proposes using a US-based cloud provider's data centers in Ireland for primary storage and automatic failover to the provider's US East region for disaster recovery.

What is the compliance concern with the failover configuration?

A. Disaster recovery configurations are exempt from GDPR data transfer restrictions
B. Ireland-based storage does not satisfy GDPR because it is outside the EU
C. The US East failover region would transfer personal data outside the EU/EEA without an approved transfer mechanism, violating GDPR
D. Cloud providers cannot guarantee data residency during failover events

Answer & reasoning

Correct: C

When the failover activates, personal data of EU residents would be replicated to the US East region, constituting a cross-border data transfer. GDPR requires an approved transfer mechanism (SCCs, BCRs, or adequacy decision) for any transfer outside the EU/EEA, including disaster recovery scenarios. There is no DR exemption under GDPR (A is wrong). Ireland is within the EU (B is wrong). The concern is not whether the provider can guarantee residency (D), but whether the approved legal mechanism exists for the US transfer.
