Domain 3 – Section B Review: Data Protection and Resilience
This section integrates:
- Security Architecture Design Principles
- Data Protection Strategies
- High Availability and Site Resilience
- Backup and Disaster Recovery
Security+ expects you to apply design principles to protect data and maintain operational resilience across failure scenarios.
1. Security Design Principles
Architecture decisions shape the security posture of every system:
- Defense in depth — layered controls so that failure of one does not compromise the system.
- Least privilege — users and processes get only the access they need.
- Fail secure/fail closed — systems default to a secure state on failure.
- Separation of duties — no single person controls an entire critical process.
Defense in depth means no single control is the last line of defense.
Fail secure means the system denies access when controls fail.
When a scenario asks about architecture, think in layers. No single control should be the only barrier.
2. Data Protection at Every State
Data exists in three states, each requiring different protection:
- Data at rest — stored data. Protected by encryption (AES, BitLocker, LUKS).
- Data in transit — data moving across networks. Protected by TLS, VPN, IPsec.
- Data in use — data being processed in memory. Protected by secure enclaves and memory encryption.
Classify data first, then protect it according to its sensitivity level.
Encryption protects data. Classification determines how much protection it needs.
Data loss prevention (DLP) tools monitor and prevent unauthorized data movement across all three states.
3. High Availability and Resilience
Resilience ensures systems continue operating during and after disruptions:
- RAID — disk redundancy protecting against drive failure.
- Clustering — multiple servers sharing a workload.
- Load balancing — distributing traffic across multiple servers.
- Geographic redundancy — hot, warm, and cold sites for disaster recovery.
Key metrics:
- RPO (Recovery Point Objective) — maximum acceptable data loss measured in time.
- RTO (Recovery Time Objective) — maximum acceptable downtime.
- MTTR (Mean Time to Repair) — average time to restore service.
- MTBF (Mean Time Between Failures) — average time between system failures.
4. Backup Strategy and DR Planning
Backups are the last line of defense against data loss:
- Full backup — complete copy of all data. Slowest to create, fastest to restore.
- Incremental backup — only data changed since the last backup. Fastest to create, slowest to restore.
- Differential backup — data changed since the last full backup. Middle ground.
- 3-2-1 rule — three copies, two different media types, one offsite.
A backup that has never been tested is not a backup — it is a hope.
Section B Decision Pattern
When unsure in Domain 3 Section B:
- Identify the data state (at rest, in transit, in use) and apply the matching protection.
- Apply defense in depth — never rely on a single control.
- Match RPO/RTO requirements to the backup and recovery strategy.
- Hot sites have the lowest RTO; cold sites have the highest.
- Always verify that backups are tested and recoverable.
Section B – Practice Questions
Question 1
A firewall fails and begins allowing all traffic through instead of blocking it. What security design principle was violated?
A. Defense in depth
B. Least privilege
C. Fail secure
D. Separation of duties
Answer & reasoning
Correct: C
A firewall that allows all traffic when it fails is failing open. Fail secure (fail closed) means the system should deny all traffic when it fails, defaulting to the most restrictive state rather than the most permissive.
Question 2
A company performs a full backup every Sunday and incremental backups Monday through Saturday. The server fails on Thursday. How many backup sets are needed to restore?
A. 1 (Thursday's incremental only)
B. 2 (Sunday full + Thursday incremental)
C. 4 (Sunday full + Monday, Tuesday, Wednesday incrementals)
D. 5 (Sunday full + Monday through Thursday incrementals)
Answer & reasoning
Correct: D
Incremental backups only contain data changed since the last backup. To restore, you need the last full backup (Sunday) plus every incremental backup in sequence (Monday, Tuesday, Wednesday, Thursday). This is five backup sets total.
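The restore-chain rule from Section 4 and Question 2, as an added worked example (not part of the study guide): it builds the Sunday-full / daily-backup schedule, computes which backup sets a restore needs for incremental versus differential strategies, and checks the resulting data loss against an RPO. The dates, the 02:00 backup time and the Thursday 14:00 failure are constructed assumptions.

```python
from datetime import datetime, timedelta

def weekly_schedule(sunday: datetime, kind: str) -> list:
    """Constructed schedule: one full backup on Sunday, then six daily backups of `kind`."""
    return [(sunday, "full")] + [(sunday + timedelta(days=d), kind) for d in range(1, 7)]

def restore_chain(backups: list, failure: datetime) -> list:
    """Ordered backup sets needed to restore to the last backup taken before `failure`.

    Start from the most recent full backup. An incremental only holds changes since the
    previous backup, so it is appended to the chain. A differential holds everything
    since the full, so it supersedes earlier sets and the chain resets to [full, diff].
    """
    usable = sorted(b for b in backups if b[0] <= failure)
    fulls = [b for b in usable if b[1] == "full"]
    if not fulls:
        raise ValueError("no full backup available before the failure")
    last_full = fulls[-1]
    chain = [last_full]
    for ts, kind in usable:
        if ts <= last_full[0]:
            continue                      # older than the full we start from
        if kind == "incremental":
            chain.append((ts, kind))
        elif kind == "differential":
            chain = [last_full, (ts, kind)]
        else:
            raise ValueError(f"unknown backup kind: {kind}")
    return chain

def rpo_check(backups: list, failure: datetime, rpo: timedelta) -> tuple:
    """Return (data_loss, rpo_met): time elapsed since the last backup before failure."""
    last_ts = max(ts for ts, _ in backups if ts <= failure)
    loss = failure - last_ts
    return loss, loss <= rpo

def worked_example(kind: str, rpo_hours: int) -> tuple:
    """Question 2 scenario: backups at 02:00, Sunday full, failure Thursday 14:00."""
    sunday = datetime(2024, 1, 7, 2, 0)               # constructed: 7 Jan 2024 is a Sunday
    failure = sunday + timedelta(days=4, hours=12)     # Thursday 14:00
    backups = weekly_schedule(sunday, kind)
    chain = restore_chain(backups, failure)
    loss, met = rpo_check(backups, failure, timedelta(hours=rpo_hours))
    return [ts.strftime("%a") for ts, _ in chain], loss.total_seconds() / 3600, met

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        days, loss_h, met = worked_example(kind, 1)
        print(f"{kind}: {len(days)} sets {days}, {loss_h:.0f}h of data lost, 1h RPO met: {met}")
```

With daily backups the incremental restore needs five sets and the differential two, and either way a one-hour RPO is missed by a wide margin, which is the point of matching backup frequency to RPO.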
Question 3
A healthcare organization must ensure that patient records transmitted between facilities are protected. Which data state requires protection, and what is the BEST control?
A. Data in transit; TLS encryption
B. Data at rest; full-disk encryption
C. Data in use; secure enclaves
D. Data at rest; access control lists
Answer & reasoning
Correct: A
Data being transmitted between facilities is data in transit. TLS encryption is the standard control for protecting data as it moves across networks. Full-disk encryption protects data at rest, not in transit.
Question 4
A business requires that no more than one hour of data can be lost in a disaster. Which metric defines this requirement?
A. RTO
B. RPO
C. MTTR
D. MTBF
Answer & reasoning
Correct: B
Recovery Point Objective (RPO) defines the maximum acceptable amount of data loss measured in time. An RPO of one hour means backups or replication must occur at least every hour so no more than one hour of data is lost.
Question 5
An organization implements a web application firewall, network firewall, endpoint detection, and security awareness training. What design principle does this represent?
A. Least privilege
B. Fail secure
C. Defense in depth
D. Separation of duties
Answer & reasoning
Correct: C
Using multiple layers of security controls (network, application, endpoint, human) is defense in depth. Each layer addresses different attack vectors, so the failure of one control does not leave the system completely exposed.
Question 6
After a ransomware attack encrypts production data, the IT team attempts to restore from backups but discovers the backup tapes are unreadable. What practice was neglected?
A. Regular backup testing and verification
B. Encryption of backup data
C. Increasing backup frequency
D. Implementing RAID on the backup server
Answer & reasoning
Correct: A
Backups must be regularly tested to ensure they are recoverable. Unreadable backup tapes indicate that restoration was never tested. Creating backups without verifying they can be restored provides a false sense of security.
Question 7
A company needs to resume operations within four hours of a disaster. They currently have a cold site that would take 48 hours to activate. What should they implement?
A. A warm site with pre-configured hardware
B. More frequent tape backups
C. Additional cold sites in different regions
D. A hot site with real-time data replication
Answer & reasoning
Correct: D
A four-hour RTO requires a hot site with real-time data replication, which can be activated almost immediately. A warm site might meet an 8-24 hour RTO but is unlikely to meet four hours. Cold sites require days to bring online.
Question 8
A DLP system detects that an employee is attempting to email a spreadsheet containing Social Security numbers to a personal email address. The system blocks the transmission. What data state was the DLP monitoring?
A. Data in transit
B. Data at rest
C. Data in use
D. Data in processing
Answer & reasoning
Correct: A
The DLP blocked data being transmitted via email, which is data in transit. DLP systems can monitor data at rest (scanning file shares), in transit (monitoring network traffic and email), and in use (monitoring clipboard and screen activity).
Question 9
A server uses RAID 1 (mirroring). One of the two drives fails. What happens?
A. All data is lost and must be restored from backup
B. The server continues operating using the remaining drive
C. The server switches to read-only mode
D. Performance doubles because only one drive is active
Answer & reasoning
Correct: B
RAID 1 mirrors data across two drives. If one drive fails, the other contains a complete copy and the server continues operating normally. The failed drive should be replaced promptly to restore redundancy. RAID protects against drive failure, not against data corruption or ransomware.
Question 10
An application requires that a financial transaction must be approved by both a manager and a compliance officer before processing. What security principle does this implement?
A. Least privilege
B. Defense in depth
C. Separation of duties
D. Fail secure
Answer & reasoning
Correct: C
Requiring two different roles to approve a transaction is separation of duties. No single person can complete the critical action alone, reducing the risk of fraud or error. This is distinct from defense in depth, which layers different types of controls.