
(ISC)2 Certified Information Systems Security Professional CISSP Realistic Practice Test
Ebook, 555 pages, 5 hours


About this ebook

Get ready to ace your CISSP certification with this comprehensive practice test guide. Featuring five full-length practice exams with over 500 realistic questions, this resource is meticulously designed to reflect the actual exam format, ensuring you're fully prepared for success.

Each question includes detailed explanations to reinforce key cybersecurity concepts, covering security and risk management, asset security, cryptography, network security, and more. Whether you're a cybersecurity professional looking to validate your expertise or an aspiring CISSP candidate, this book provides the clarity and confidence needed to excel.

Language: English
Publisher: CertSquad Professional Trainers
Release date: May 1, 2025
ISBN: 9798231876709


    (ISC)2 Certified Information Systems Security Professional CISSP Realistic Practice Test - CertSquad Professional Trainers

    Chapter 1: About the Author

    CertSquad Professional Trainers is an Authorized Professional Certification Training Provider for Cloud, PMP®, Agile®, ITIL®, and Six Sigma®. More than 325,000 people have been enabled by our certification programs, and more than 5,000 students are certified each month. We offer classroom, online, and webinar training for professionals, businesses, and government.

    We believe that skills and their certification have the power to transform lives and the whole world. We are dedicated to providing best-in-industry training and mock tests delivered by highly experienced and competent industry experts. We strive to work in partnership with communities across borders, and our focus is to become the leading provider of high-quality online certification training to professionals worldwide.

    1.1 About CISSP

    The Certified Information Systems Security Professional (CISSP) is the most globally recognized certification in the information security market. CISSP validates an information security professional's deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization.

    The broad spectrum of topics included in the CISSP Common Body of Knowledge (CBK®) ensures its relevance across all disciplines in the field of information security. Successful candidates are competent in the following eight domains: 

    ●  Security and Risk Management

    ●  Asset Security

    ●  Security Architecture and Engineering

    ●  Communication and Network Security

    ●  Identity and Access Management (IAM)

    ●  Security Assessment and Testing

    ●  Security Operations

    ●  Software Development Security

    1.2 Experience Requirements

    Candidates must have a minimum of five years of cumulative, paid work experience in two or more of the eight domains of the CISSP CBK. A four-year college degree (or regional equivalent), or an additional credential from the (ISC)² approved list, satisfies one year of the required experience. Education credit can satisfy at most one year of experience.

    A candidate who does not yet have the required experience may become an Associate of (ISC)² by passing the CISSP examination. The Associate of (ISC)² then has six years to earn the five years of required experience. You can learn more about CISSP experience requirements, and how part-time work and internships are counted, at www.isc2.org/Certifications/CISSP/experience-requirements

    1.3 Accreditation

    CISSP was the first credential in the field of information security to meet the stringent requirements of ANSI/ISO/IEC 17024.

    1.4 Job Task Analysis (JTA)

    (ISC)² has an obligation to its membership to maintain the relevance of the CISSP. Conducted at regular intervals, the Job Task Analysis (JTA) is a methodical process for determining the tasks performed by security professionals engaged in the profession the CISSP defines. The results of the JTA are used to update the examination, so that candidates are tested on the topic areas relevant to the roles and responsibilities of today's practicing information security professionals.

    Chapter 2: CISSP Examination Information

    2.1 CISSP CAT Exam

    The CISSP exam uses Computerized Adaptive Testing (CAT) for all English exams. CISSP exams in all other languages are administered as linear, fixed-form exams. You can learn more about CISSP CAT at www.isc2.org/certificatons/CISSP-CAT.

    2.2 CISSP CAT Examination Domains

    2.3 CISSP Linear Examination Information

    2.4 CISSP Linear Examination Domains

    Chapter 3: Exam Topic Details

    Domain 1: Security and Risk Management

    1.1 Understand, adhere to, and promote professional ethics

    » (ISC)² Code of Professional Ethics

    » Organizational code of ethics 

    1.2 Understand and apply security concepts

    » Confidentiality, integrity, and availability, authenticity and nonrepudiation

    1.3 Evaluate and apply security governance principles

    » Alignment of the security function to business strategy, goals, mission, and objectives

    » Organizational processes (e.g., acquisitions, divestitures, governance committees)

    » Organizational roles and responsibilities

    » Security control frameworks

    » Due care/due diligence

    1.4 Determine compliance and other requirements

    » Contractual, legal, industry standards, and regulatory requirements

    » Privacy requirements

    1.5 Understand legal and regulatory issues that pertain to information security in a holistic context

    » Cybercrimes and data breaches

    » Licensing and Intellectual Property (IP) requirements

    » Import/export controls

    » Transborder data flow

    » Privacy

    1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) 

    1.7 Develop, document, and implement security policy, standards, procedures, and guidelines

    1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements

    » Business Impact Analysis (BIA)

    » Develop and document the scope and the plan 

    1.9 Contribute to and enforce personnel security policies and procedures

    » Candidate screening and hiring

    » Employment agreements and policies

    » Onboarding, transfers, and termination processes

    » Vendor, consultant, and contractor agreements and controls

    » Compliance policy requirements

    » Privacy policy requirements

    1.10 Understand and apply risk management concepts

    » Identify threats and vulnerabilities

    » Risk assessment/analysis

    » Risk response

    » Countermeasure selection and implementation

    » Applicable types of controls (e.g., preventive, detective, corrective)

    » Control assessments (security and privacy)

    » Monitoring and measurement

    » Reporting

    » Continuous improvement (e.g., Risk maturity modeling)

    » Risk frameworks

    1.11 Understand and apply threat modeling concepts and methodologies

    1.12 Apply Supply Chain Risk Management (SCRM) concepts

    » Risks associated with hardware, software, and services

    » Third-party assessment and monitoring

    » Minimum security requirements

    » Service level requirements

    1.13 Establish and maintain a security awareness, education, and training program

    » Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification)

    » Periodic content reviews

    » Program effectiveness evaluation

    Domain 2: Asset Security

    2.1 Identify and classify information and assets

    » Data classification

    » Asset Classification

    2.2 Establish information and asset handling requirements

    2.3 Provision resources securely

    » Information and asset ownership

    » Asset inventory (e.g., tangible, intangible)

    » Asset management

    2.4 Manage data lifecycle

    » Data roles (i.e., owners, controllers, custodians, processors, users/subjects)

    » Data collection

    » Data location

    » Data maintenance

    » Data retention

    » Data remanence

    » Data destruction

    2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))

    2.6 Determine data security controls and compliance requirements

    » Data states (e.g., in use, in transit, at rest)

    » Scoping and tailoring

    » Standards selection

    » Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB))

    Domain 3: Security Architecture and Engineering

    3.1 Research, implement and manage engineering processes using secure design principles

    » Threat modeling

    » Least privilege

    » Defense in depth

    » Secure defaults

    » Fail securely

    » Separation of Duties (SoD)

    » Keep it simple

    » Zero Trust

    » Privacy by design

    » Trust but verify

    » Shared responsibility

    3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula) 

    3.3 Select controls based upon systems security requirements

    3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)

    3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

    » Client-based systems

    » Server-based systems

    » Database systems

    » Cryptographic systems

    » Industrial Control Systems (ICS)

    » Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))

    » Distributed systems

    » Internet of Things (IoT)

    » Microservices

    » Containerization

    » Serverless

    » Embedded systems

    » High-Performance Computing (HPC) systems

    » Edge computing systems

    » Virtualized systems

    3.6 Select and determine cryptographic solutions

    » Cryptographic life cycle (e.g., keys, algorithm selection)

    » Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)

    » Public Key Infrastructure (PKI)

    » Key management practices

    » Digital signatures and digital certificates

    » Non-repudiation

    » Integrity (e.g., hashing)

    3.7 Understand methods of cryptanalytic attacks

    » Brute force

    » Ciphertext only

    » Known plaintext

    » Frequency analysis

    » Chosen ciphertext

    » Implementation attacks

    » Side-channel

    » Fault injection

    » Timing

    » Man-in-the-Middle (MITM)

    » Pass the hash

    » Kerberos exploitation

    » Ransomware

    3.8 Apply security principles to site and facility design

    3.9 Design site and facility security controls

    » Wiring closets/intermediate distribution facilities

    » Server rooms/data centers

    » Media storage facilities

    » Evidence storage

    » Restricted and work area security

    » Utilities and Heating, Ventilation, and Air Conditioning (HVAC)

    » Environmental issues

    » Fire prevention, detection, and suppression

    » Power (e.g., redundant, backup)

    Domain 4: Communication and Network Security

    4.1 Assess and implement secure design principles in network architectures

    » Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models

    » Internet Protocol (IP) networking (e.g., Internet Protocol Security (IPSec), Internet Protocol (IP) v4/6)

    » Secure protocols

    » Implications of multilayer protocols

    » Converged protocols (e.g., Fiber Channel Over Ethernet (FCoE), Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP))

    » Micro-segmentation (e.g., Software Defined Networks (SDN), Virtual eXtensible Local Area Network (VXLAN), Encapsulation, Software-Defined Wide Area Network (SD-WAN))

    » Wireless networks (e.g., Li-Fi, Wi-Fi, Zigbee, satellite)

    » Cellular networks (e.g., 4G, 5G)

    » Content Distribution Networks (CDN)

    4.2 Secure network components

    » Operation of hardware (e.g., redundant power, warranty, support)

    » Transmission media

    » Network Access Control (NAC) devices

    » Endpoint security

    4.3 Implement secure communication channels according to design

    » Voice

    » Multimedia collaboration

    » Remote access

    » Data communications

    » Virtualized networks

    » Third-party connectivity

    Domain 5: Identity and Access Management (IAM)

    5.1 Control physical and logical access to assets

    » Information

    » Systems

    » Devices

    » Facilities

    » Applications

    5.2 Manage identification and authentication of people, devices, and services

    » Identity Management (IdM) implementation

    » Single/Multi-Factor Authentication (MFA)

    » Accountability

    » Session management

    » Registration, proofing, and establishment of identity

    » Federated Identity Management (FIM)

    » Credential management systems

    » Single Sign On (SSO)

    » Just-In-Time (JIT)

    5.3 Federated identity with a third-party service

    » On-premise

    » Cloud

    » Hybrid

    5.4 Implement and manage authorization mechanisms

    » Role Based Access Control (RBAC)

    » Rule based access control

    » Mandatory Access Control (MAC)

    » Discretionary Access Control (DAC)

    » Attribute Based Access Control (ABAC)

    » Risk based access control

    5.5 Manage the identity and access provisioning lifecycle

    » Account access review (e.g., user, system, service)

    » Provisioning and deprovisioning (e.g., on /off boarding and transfers)

    » Role definition (e.g., people assigned to new roles)

    » Privilege escalation (e.g., managed service accounts, use of sudo, minimizing its use)

    5.6 Implement authentication systems

    » OpenID Connect (OIDC)/Open Authorization (OAuth)

    » Security Assertion Markup Language (SAML)

    » Kerberos

    » Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+)

    Domain 6: Security Assessment and Testing

    6.1 Design and validate assessment, test, and audit strategies

    » Internal

    » External

    » Third-party

    6.2 Conduct security control testing

    » Vulnerability assessment

    » Penetration testing

    » Log reviews

    » Synthetic transactions

    » Code review and testing

    » Misuse case testing

    » Test coverage analysis

    » Interface testing

    » Breach attack simulations

    » Compliance checks

    6.3 Collect security process data (e.g., technical and administrative)

    » Account management

    » Management review and approval

    » Key performance and risk indicators

    » Backup verification data

    » Training and awareness

    » Disaster Recovery (DR) and Business Continuity (BC)

    6.4 Analyze test output and generate report

    » Remediation

    » Exception handling

    » Ethical disclosure

    6.5 Conduct or facilitate security audits

    » Internal

    » External

    » Third-party

    Domain 7: Security Operations

    7.1 Understand and comply with investigations

    » Evidence collection and handling

    » Reporting and documentation

    » Investigative techniques

    7.2 Conduct logging and monitoring activities

    » Intrusion detection and prevention

    » Security Information and Event Management (SIEM)

    » Continuous monitoring

    » Egress monitoring

    » Digital forensics tools, tactics, and procedures

    » Artifacts (e.g., computer, network, mobile device) 

    » Log management

    » Threat intelligence (e.g., threat feeds, threat hunting)

    » User and Entity Behavior Analytics (UEBA)

    7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)

    7.4 Apply foundational security operations concepts

    » Need-to-know/least privilege

    » Separation of Duties (SoD) and responsibilities

    » Privileged account management

    » Job rotation

    » Service Level Agreements (SLAs)

    7.5 Apply resource protection

    » Media management

    » Media protection techniques

    7.6 Conduct incident management

    » Detection

    » Response

    » Mitigation

    » Reporting

    » Recovery

    » Remediation

    » Lessons learned

    7.7 Operate and maintain detective and preventive measures

    » Firewalls (e.g., next generation, web application, network)

    » Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

    » Whitelisting/blacklisting

    » Third-party provided security services

    » Sandboxing

    » Honeypots/honeynets

    » Anti-malware

    » Machine learning and Artificial Intelligence (AI) based tools

    7.8 Implement and support patch and vulnerability management

    7.9 Understand and participate in change management processes

    7.10 Implement recovery strategies

    » Backup storage strategies

    » Recovery site strategies

    » Multiple processing sites

    » System resilience, High Availability (HA), Quality of Service (QoS), and fault tolerance

    7.11 Implement Disaster Recovery (DR) processes

    » Response

    » Personnel

    » Communications

    » Assessment

    » Restoration

    » Training and awareness

    » Lessons learned

    7.12 Test Disaster Recovery Plans (DRP)

    » Read-through/tabletop

    » Walkthrough

    » Simulation

    » Parallel

    » Full interruption

    7.13 Participate in Business Continuity (BC) planning and exercises

    7.14 Implement and manage physical security

    » Perimeter security controls

    » Internal security controls

    7.15 Address personnel safety and security concerns

    » Travel

    » Security training and awareness

    » Emergency management

    » Duress

    Domain 8: Software Development Security

    8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)

    » Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps)

    » Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))

    » Operation and maintenance

    » Change management

    » Integrated Product Team (IPT)

    8.2 Identify and apply security controls in software development ecosystems

    » Programming languages

    » Libraries

    » Tool sets

    » Integrated Development Environment (IDE)

    » Runtime

    » Continuous Integration and Continuous Delivery (CI/CD)

    » Security Orchestration, Automation, and Response (SOAR)

    » Software Configuration Management (SCM)

    » Code repositories

    » Application security testing (e.g., Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST))

    8.3 Assess the effectiveness of software security

    » Auditing and logging of changes

    » Risk analysis and mitigation

    8.4 Assess security impact of acquired software

    » Commercial-off-the-shelf (COTS)

    » Open source

    » Third-party

    » Managed services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))

    8.5 Define and apply secure coding guidelines and standards

    » Security weaknesses and vulnerabilities at the source-code level

    » Security of Application Programming Interfaces (APIs)

    » Secure coding practices

    » Software-defined security

    Chapter 4: CISSP Practice Test 1

    Question 1:

    The owner of a system should have the confidence that the system will behave according to its specifications. This is termed as:

    A. Integrity

    B. Accountability

    C. Assurance

    D. Availability

    Answer: C.

    Explanation

    In a trusted system, all protection mechanisms work together to process sensitive data for many types of uses, and will provide the necessary level of protection per classification level. Assurance looks at the same issues but in more depth and detail. Systems that provide higher levels of assurance have been tested extensively and have had their designs thoroughly inspected, their development stages reviewed, and their technical specifications and test plans evaluated. In the Trusted Computer System Evaluation Criteria (TCSEC), commonly known as the Orange Book, the lower assurance level ratings look at a system’s protection mechanisms and testing results to produce an assurance rating, but the higher assurance level ratings look more at the system design, specifications, development procedures, supporting documentation, and testing results. The protection mechanisms in the higher assurance level systems may not necessarily be much different from those in the lower assurance level systems, but the way they were designed and built is under much more scrutiny. With this extra scrutiny comes higher levels of assurance of the trust that can be put into a system.

    Incorrect Answers:

    A: Integrity ensures that data is unaltered. This is not what is described in the question.

    B: Accountability is a security principle indicating that individuals must be identifiable and must be held responsible for their actions. This is not what is described in the question.

    D: Availability ensures reliability and timely access to data and resources to authorized individuals.

    Question 2:

    The US Department of Health, Education, and Welfare (HEW) developed a list of fair information practices focused on the privacy of personally identifiable information. Which one of the following is NOT one of those practices?

    A. There must be a way for a person to find out what information about them exists and how it is used.

    B. There must be a personal data record-keeping system whose very existence shall be kept secret.

    C. There must be a way for a person to prevent information about them, which was obtained for one purpose, from being used or made available for another purpose without their consent.

    D. Any organization creating, maintaining, using, or disseminating records of personally identifiable information must ensure the reliability of the data for its intended use and must take precautions to prevent misuse of that data.

    Answer: B.

    Explanation

    The Code of Fair Information Practices was first developed in the United States in 1973 by the Department of Health, Education, and Welfare (HEW). Its first principle is the opposite of option B: there must be no personal data record-keeping system whose very existence is secret.

    Incorrect Answers:

    A: HEW Fair Information Practices include that there should be mechanisms for individuals to review data about them, to ensure accuracy.

    C: HEW Fair Information Practices include

    ●  For all data collected there should be a stated purpose

    ●  Information collected by an individual cannot be disclosed to other organizations or individuals unless specifically authorized by law or by consent of the individual

    D: HEW Fair Information Practices include

    ●  Records kept on an individual should be accurate and up to date

    ●  Data should be deleted when it is no longer needed for the stated purpose

    Question 3:

    Typical computer fraudsters are usually persons with which of the following characteristics?

    A. They have had previous contact with law enforcement

    B. They conspire with others

    C. They hold a position of trust

    D. They deviate from the accepted norms of society

    Answer: C.

    Explanation

    It is easy for people who are placed in a position of trust to commit fraud, as they are considered to be trustworthy.

    Incorrect Answers:

    A: A fraudster might very well have a clean legal record. This in conjunction with a position of trust makes him/her hard to detect.

    B: It is not typical for a fraudster to conspire with others; the fraudster usually acts alone.

    D: A fraudster can very well follow the accepted norms of society, and this makes him/her harder to detect.

    Question 4:

    The US-EU Safe Harbor process has been created to address which of the following?

    A. Integrity of data transferred between U.S. and European companies

    B. Confidentiality of data transferred between U.S. and European companies

    C. Protection of personal data transferred between U.S. and European companies

    D. Confidentiality of data transferred between European and international companies

    Answer: C.

    Explanation

    The US-EU Safe Harbor process relates to privacy, that is, the protection of personal data. Safe Harbor was a framework describing how U.S.-based companies could comply with EU privacy requirements. The Safe Harbor Privacy Principles state that if a non-European organization wants to do business with a European entity, it must adhere to the Safe Harbor requirements when certain types of personal data are passed back and forth during business processes. Note that Safe Harbor itself was invalidated by the Court of Justice of the European Union in October 2015 (the Schrems decision) and was succeeded by the EU-US Privacy Shield and later the EU-US Data Privacy Framework; the point being tested, that the mechanism addresses protection of personal data rather than integrity or confidentiality in the CIA sense, is unchanged.

    Incorrect Answers:

    A: The US-EU Safe Harbor process does not relate to the integrity of the data. It concerns the privacy of the data.

    B: The US-EU Safe Harbor process does not relate to the confidentiality of the data as such. It concerns the privacy of the data.

    D: Safe Harbor covered transfers between the U.S. and the EU, not between European and other international companies, and in any case it concerns privacy rather than confidentiality.

    Question 5:

    What level of assurance for a digital certificate verifies a user's name, address, social security number, and other information against a credit bureau database?

    A. Level 1/Class 1

    B. Level 2/Class 2

    C. Level 3/Class 3

    D. Level 4/Class 4

    Answer: B.

    Explanation

    Users can obtain certificates with various levels of assurance.

    Level 1/Class 1 certificates verify electronic mail addresses. This is done through the use of a personal information number that a user would supply when asked to register. This level of certificate may also provide a name as well as an electronic mail address; however, it may or may not be a genuine name (i.e., it could be an alias). This proves that a human being will reply back if you send an email to that name or email address.

    Class 2/Level 2 certificates verify a user's name, address, social security number, and other information against a credit bureau database.

    Class 3/Level 3 certificates are available to companies. This level of certificate adds photo identification to the items of information provided for a Level 2 certificate.

    Incorrect Answers:

    A: Level 1/Class 1 certificates verify electronic mail addresses. They do not verify a user's name, address, social security number, and other information against a credit bureau database.

    C: Level 3/Class 3 certificates provide photo identification to accompany the other items of information provided by a level 2 certificate. They do not verify a user's name, address, social security number, and other information against a credit bureau database.

    D: Level 4/Class 4 certificates do not verify a user's name, address, social security number, and other information against a credit bureau database.

    Question 6:

    According to Requirement 3 of the Payment Card Industry’s Data Security Standard (PCI DSS) there is a requirement to protect stored cardholder data. Which of the following items cannot be stored by the merchant?

    A. Primary Account Number

    B. Cardholder Name

    C. Expiration Date

    D. The Card Validation Code (CVV2)

    Answer: D.

    Explanation

    Requirement 3 of the Payment Card Industry’s Data Security Standard (PCI DSS) is to protect stored cardholder data. The public assumes merchants and financial institutions will protect data on payment cards to thwart theft and prevent unauthorized use.

    Requirement 3 applies only if cardholder data is stored. Merchants who do not store any cardholder data automatically provide stronger protection by having eliminated a key target for data thieves.

    For merchants who have a legitimate business reason to store cardholder data, it is important to understand which data elements PCI DSS allows them to store and what measures they must take to protect that data. To prevent unauthorized storage, only PCI SSC-certified PIN entry devices and payment applications should be used.

    PCI DSS compliance is enforced by the major payment card brands who established the PCI DSS and the PCI Security Standards Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

    PCI DSS Requirement 3

    It details technical guidelines for protecting stored cardholder data. Merchants should develop a data retention and storage policy that strictly limits storage amount and retention time to that which is required for business, legal, and/or regulatory purposes.

    Sensitive authentication data must never be stored after authorization – even if this data is encrypted.

    ●  Never store full contents of any track from the card’s magnetic stripe or chip (referred to as full track, track, track 1, track 2, or magnetic stripe data). If required for business purposes, the cardholder’s name, PAN, expiration date, and service code may be stored as long as they are protected in accordance with PCI DSS requirements.

    ●  Never store the card-validation code (CVV) or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present transactions).

    ●  Never store the personal identification number (PIN) or PIN block. Be sure to mask the PAN whenever it is displayed. The first six and last four digits are the maximum number of digits that may be displayed (PCI DSS v4.0 phrases this as the BIN and last four digits). This requirement does not apply to personnel with a legitimate business need to see the full PAN, nor does it supersede stricter requirements in place for displays of cardholder data, such as on a point-of-sale receipt.

    Incorrect Answers:

    A: The Primary Account Number can be stored by the merchant according to the PCI Data Storage Guidelines.

    B: The Cardholder Name can be stored by the merchant according to the PCI Data Storage Guidelines.

    C: The Expiration Date can be stored by the merchant according to the PCI Data Storage Guidelines.
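    The storage rules in the explanation above are easy to check mechanically before a record is ever written. The following Python is an added example, not part of the original book: it validates a PAN's Luhn check digit, masks the PAN to the first six and last four digits for display, and rejects any record that carries sensitive authentication data (CVV/CVC fields, PIN or PIN block, or magnetic-stripe track data). The field names, sample records and track-data regular expressions are assumptions for illustration; the PANs are well-known test numbers, not real accounts.

```python
import re

# Added example, not part of the original book. Field names, sample records and
# the regular expressions below are assumptions for illustration; the PANs are
# well-known test numbers (they pass the Luhn check but are not real accounts).

# Field names that hold Sensitive Authentication Data (SAD). PCI DSS Requirement 3
# says SAD must never be persisted after authorization, even if encrypted.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "pin", "pin_block",
              "track", "track1", "track2", "magstripe"}

# Magnetic-stripe track data as it typically appears when a PoS or log leaks it:
# track 1 starts with "%B<PAN>^", track 2 is "<PAN>=<YYMM>..." (sentinel ';' optional).
TRACK1_RE = re.compile(r"%B\d{13,19}\^")
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}")


def luhn_ok(pan: str) -> bool:
    """Check the PAN's Luhn check digit; a cheap way to tell a PAN from other numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits are shown."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_ok(digits):
        raise ValueError("value does not look like a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sad_violations(record: dict) -> list:
    """Return the reasons this record must not be written to storage.

    A record is storable only if it carries no SAD field and none of its string
    values contain full track data. Cardholder name, PAN, expiry and service
    code may be stored, but the stored PAN must then be rendered unreadable
    (truncation, tokenization or strong cryptography), which is outside this example.
    """
    problems = []
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            problems.append(f"sensitive authentication data field stored: {key}")
        if isinstance(value, str) and (TRACK1_RE.search(value) or TRACK2_RE.search(value)):
            problems.append(f"magnetic-stripe track data found in field: {key}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a PoS integration that captured the CVV2 and a raw track-2 read.
    captured = {
        "pan": "4111 1111 1111 1111",
        "cardholder_name": "Test Cardholder",
        "expiry": "12/27",
        "service_code": "201",
        "cvv2": "123",
        "raw_swipe": ";4111111111111111=27122011234567890?",
    }
    for problem in sad_violations(captured):
        print("REJECT:", problem)
    print("display form of PAN:", mask_pan(captured["pan"]))
```

    Run as a script, the sample record is rejected twice (for the cvv2 field and for the track-2 string in raw_swipe); the same functions can be dropped into a pre-write hook or a log scrubber so that a misconfigured payment application cannot silently turn a merchant into a store of full track data.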

    Question 7:

    Which of the following is NOT a proper component of Media Viability Controls?

    A. Storage

    B. Writing

    C. Handling

    D. Marking

    Answer: B.

    Explanation

    Writing is not a component of media viability controls.

    Media viability controls are implemented to preserve the proper working state of the media, particularly to facilitate the timely and accurate restoration of the system after a failure.

    Many physical controls should be used to protect the viability of the data storage media. The goal is to protect the media from damage during handling and transportation, or during short-term or long-term storage. Proper marking and labeling of the media is required in the event of a system recovery process:

    ●  Marking. All data storage media should be accurately marked or labeled. The labels can be used to identify media with special handling instructions, or to log serial numbers or bar codes for retrieval during a system recovery.

    ●  Handling. Proper handling of the media is important. Some issues with the handling of media include cleanliness of the media and the protection from physical damage to the media during transportation to the archive sites.

    ●  Storage. Storage of the media is very important for both security and environmental reasons. A clean, temperature- and humidity-controlled storage environment should be provided for the media. Data media is sensitive to temperature, liquids, magnetism, smoke, and dust.

    Incorrect Answers:

    A: Storage is a media viability control used to protect the viability of data storage media.

    C: Handling is a media viability control used to protect the viability of data storage media.

    D: Marking is a media viability control used to protect the viability of data storage media.

    Question 8:

    Degaussing is used to clear data from all of the following media except:

    A. Floppy Disks

    B. Read-Only Media

    C. Video Tapes

    D. Magnetic Hard Disks

    Answer: B.

    Explanation

    Atoms and Data

    Shon Harris says: A device that performs degaussing generates a coercive magnetic force that reduces the magnetic flux density of the storage media to zero. This magnetic force is what properly erases data from media. Data is stored on magnetic media by the representation of the polarization of the atoms. Degaussing changes this polarization (magnetic alignment) by using a type of large magnet to bring it back to its original flux (magnetic alignment).

    Degaussing is achieved by passing the magnetic media through a powerful magnet
