ISC 2 Credentials CISSP Release Date

Information assets are any data or information that have value for the organization, such as financial records, customer data, intellectual property, or trade secrets. Information assets are essential for the organization to achieve its objectives and to maintain its competitive advantage. Information assets should be identified, classified, and protected according to their value, sensitivity, and criticality. International Organization for Standardization (ISO) 27001 compliance does not specify which information assets must be included in asset inventory, but rather provides a framework and a set of requirements for establishing, implementing, maintaining, and improving an information security management system (ISMS). Building an information assets register is not necessarily a resource-intensive job, but rather a necessary and beneficial one, as it helps to document and manage the information assets of the organization, and to support the risk assessment and security planning processes. Information assets inventory is required for risk assessment, as it helps to determine the scope, impact, and likelihood of the risks that may affect the information assets, and to prioritize and implement the appropriate controls and measures to mitigate the risks. 

The best action that the organization should take when the application owner of a system that handles confidential data leaves the organization is to assign a temporary application owner to the system. An application owner is a person or role that is responsible or accountable for the management or oversight of an application, system, or resource, that handles or processes the data or information of the organization, such as confidential, sensitive, or personal data or information. An application owner can perform various duties or tasks, such as defining, implementing, or enforcing the security policies, procedures, or standards, that govern the access or use of the application, system, or resource, as well as monitoring, reviewing, or auditing the activities, events, or transactions, that occur on the application, system, or resource. An application owner can also act as a liaison or representative between the users, stakeholders, or customers, and the developers, administrators, or providers, of the application, system, or resource, by communicating, coordinating, or collaborating with them, to ensure the functionality, performance, or security of the application, system, or resource. When the application owner of a system that handles confidential data leaves the organization, the organization should assign a temporary application owner to the system, until a permanent replacement is hired. Assigning a temporary application owner to the system can help to ensure the continuity, availability, or reliability of the system, as well as the confidentiality, integrity

Authentication by ownership is stronger than authentication by knowledge because it is more difficult to duplicate. Authentication by ownership is a type of authentication that relies on something that the user possesses, such as a smart card, a token, or a biometric feature. Authentication by knowledge is a type of authentication that relies on something that the user knows, such as a password, a PIN, or a security question. Authentication by ownership is more difficult to duplicate than authentication by knowledge, as it requires physical access, specialized equipment, or sophisticated techniques to copy or forge the authentication factor. Authentication by knowledge is easier to duplicate than authentication by ownership, as it may be guessed, cracked, or stolen by various methods, such as brute force, social engineering, or phishing. Authentication by ownership is not necessarily easier to change, simpler to control, or more convenient to keep on the user’s person than authentication by knowledge, as these factors may depend on the specific implementation and context of the authentication system. References: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 5: Identity and Access Management, page 247.

Assuming an individual has taken all of the steps to keep their internet connection private, such as using encryption, VPN, and secure protocols, the best option to browse the web privately is to prevent information about browsing activities from being stored on the personal device. This can be achieved by using the private or incognito mode of the web browser, which does not save the browsing history, cookies, cache, or other temporary files on the device. This can help protect the individual’s privacy from other users who may have access to the device, or from malware that may compromise the device. The other options are not as good as preventing information from being stored on the device. Preventing information from being stored in the cloud may not be possible or effective, as some web services or applications may still collect or store the user’s data on their servers, regardless of the user’s preferences. Storing information in the cloud or on the device may expose the user’s browsing activities to unauthorized access or disclosure, unless the data is encrypted and protected by strong authentication and authorization mechanisms. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Communication and Network Security, page 608. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5: Communication and Network Security, page 609.