Class 16: Data Classification, Privacy, Compliance, DLP, Conduct Policies, and Security Awareness


Last updated 10:20 PM on 6/25/26
116 Terms

1

Data types

Data types classify data based on characteristics such as structure, format, sensitivity, regulation, readability, business value, and intended use.

Example: A company separates regulated data, trade secrets, financial records, legal documents, human-readable data, and machine-readable data.

Memory trick: Data type means what kind of data it is.

Trick question tip: Data type clues help decide how information should be protected, processed, retained, and destroyed.

2

Data classification

Data classification organizes data into categories so the organization can apply appropriate handling, storage, protection, lifecycle, and security controls.

Example: Credit card data is classified differently from public marketing content because it needs stronger protection.

Memory trick: Classification tells security what rules to apply.

Trick question tip: If the question asks why data is tagged or categorized, think classification.

3

Regulated data

Regulated data is information subject to legal, regulatory, industry, or contractual requirements for handling, storage, use, protection, retention, and destruction.

Example: Healthcare records, credit card data, financial information, and PII are regulated data examples.

Memory trick: Regulated data has rule-based handling.

Trick question tip: Legal requirements, privacy rules, breach notification, retention, and destruction rules point to regulated data.

4

PII

Personally Identifiable Information is data that can identify, contact, locate, or distinguish a specific individual.

Example: A government identifier, account number tied to a person, or full name with contact details may be PII.

Memory trick: PII points to a person.

Trick question tip: If data can identify an individual, treat it as sensitive and often regulated.

5

HIPAA

HIPAA is a healthcare-related law that protects certain healthcare and patient information.

Example: A healthcare provider protects patient records from unauthorized access or disclosure.

Memory trick: HIPAA = healthcare privacy.

Trick question tip: Healthcare records, patient privacy, medical data, and protected health information point to HIPAA.

6

PCI DSS

PCI DSS is a payment card security standard for organizations that process, store, or transmit cardholder data.

Example: A merchant protects cardholder data using access controls, secure storage, encryption, and monitoring.

Memory trick: PCI DSS protects payment cards.

Trick question tip: Credit card or cardholder data points to PCI DSS.

7

Regulated data lifecycle controls

Regulated data lifecycle controls include encryption, access controls, breach notification, handling protocols, retention safeguards, and destruction safeguards.

Example: Regulated records are encrypted, limited by role, retained for the required period, and securely destroyed when no longer needed.

Memory trick: Protect, restrict, notify, retain, destroy.

Trick question tip: Retention and destruction requirements are common regulated data clues.

8

Data breach notification

Data breach notification is the process of informing required parties when protected or regulated data is exposed or compromised.

Example: A company notifies affected individuals and regulators after unauthorized access to sensitive customer data.

Memory trick: Breach notification means tell the right people after exposure.

Trick question tip: Regulated data often has mandatory notification requirements.

9

Trade secret data

Trade secret data is valuable confidential business information that gives an organization competitive advantage because it is not publicly known.

Example: A formula, proprietary process, customer list, pricing model, or marketing strategy can be a trade secret.

Memory trick: Trade secrets are business secrets with value.

Trick question tip: Commercial value from secrecy points to trade secret data.

10

Trade secret protection

Trade secret protection uses secrecy, access controls, NDAs, monitoring, and legal remedies to prevent unauthorized use or disclosure.

Example: A contractor signs an NDA before accessing confidential product design information.

Memory trick: NDA helps keep trade secrets secret.

Trick question tip: Confidential business information protected by nondisclosure agreements often involves trade secrets.

11

Legal data

Legal data includes contracts, legal agreements, court records, regulatory filings, intellectual property filings, litigation documents, and compliance records.

Example: A contract and a regulatory filing are legal data because they support legal rights, duties, or governance.

Memory trick: Legal data supports legal rights and obligations.

Trick question tip: Contracts, litigation, court records, and regulatory filings point to legal data.

12

Financial data

Financial data is information about financial activity, reporting, transactions, obligations, and business performance.

Example: Balance sheets, income statements, cash flow statements, tax records, audit reports, and ledger entries are financial data.

Memory trick: Financial data tracks money.

Trick question tip: Financial statements, budgets, tax records, ledgers, and transaction records point to financial data.

13

Human-readable data

Human-readable data is information people can understand directly without special processing or translation.

Example: Documents, reports, emails, web pages, presentations, images, and multimedia content are human-readable.

Memory trick: Human-readable means people can read it.

Trick question tip: Text, reports, email, web pages, and presentations point to human-readable data.

14

Non-human-readable data

Non-human-readable data cannot be easily understood in raw form without tools, decoding, decryption, parsing, or specialized software.

Example: Binary code, encrypted data, encoded data, and complex machine-readable structures are non-human-readable.

Memory trick: Humans need tools to interpret it.

Trick question tip: Binary, encrypted, encoded, or complex structured data points to non-human-readable data.

15

Encrypted data visibility limitation

Encrypted data can limit traditional security inspection because the content cannot be interpreted without decryption and the proper key.

Example: A content filter cannot inspect sensitive content inside an encrypted file unless authorized decryption or special inspection is available.

Memory trick: If the tool cannot read it, the tool may not inspect it well.

Trick question tip: Encrypted data is protected, but it can reduce content-filtering visibility.

16

Human-readable security controls

Human-readable data is often protected by DLP, content filtering, user awareness, web security, monitoring, and access controls.

Example: DLP scans outgoing email text for sensitive information.

Memory trick: Readable content can often be inspected.

Trick question tip: DLP and content filtering are easier when data is human-readable.

17

Non-human-readable security controls

Non-human-readable data is often protected by encryption, access controls, IDS/IPS, secure data exchange, application security, and specialized inspection.

Example: A system uses encryption, application testing, and IDS monitoring for encoded machine-readable data flows.

Memory trick: Machine data needs machine-aware protection.

Trick question tip: Encryption, IDS/IPS, secure exchange, and code security fit non-human-readable data.

18

Specialized inspection

Specialized inspection uses tools, algorithms, parsing, decoding, decryption, or application-aware methods to interpret and protect non-human-readable data.

Example: A security tool parses encoded application traffic to detect suspicious content.

Memory trick: Special data needs special tools.

Trick question tip: Non-human-readable data often requires specialized approaches.

19

Data classification schema

A data classification schema is a structured method or decision tree for applying labels to data assets.

Example: A classification workflow asks whether data is public, internal, confidential, restricted, or regulated before applying labels.

Memory trick: Schema is the decision tree for choosing the label.

Trick question tip: Decision trees for applying data labels point to classification schema.

20

Information lifecycle

The information lifecycle covers data from creation and use through storage, sharing, retention, archiving, and destruction.

Example: A confidential file is labeled, stored securely, shared only with approved users, retained, archived, and destroyed securely.

Memory trick: Lifecycle means data’s whole life.

Trick question tip: Classification supports data management through the whole lifecycle.

21

Public data

Public data has no viewing restrictions and presents little disclosure risk, though it may still need integrity and availability protection.

Example: A published press release is public, but unauthorized modification of it could still damage trust.

Memory trick: Public means safe for anyone to view.

Trick question tip: Public does not mean unimportant; it can still need integrity and availability controls.

22

Unclassified data

Unclassified data is not assigned a restricted confidentiality classification, but in some government contexts it may still require authorization before release.

Example: A government document may be unclassified but not yet approved for public release.

Memory trick: Unclassified is not always automatically public.

Trick question tip: Government context may separate unclassified from publicly releasable.

23

Confidential data

Confidential data is sensitive information intended only for authorized users or trusted third parties under conditions such as NDAs.

Example: An internal business plan is shared only with approved employees and a trusted vendor under NDA.

Memory trick: Confidential means limited access.

Trick question tip: Sensitive but not necessarily national-security-level information points to confidential.

24

Secret and Top Secret

Secret data could cause serious damage to national security if disclosed, while Top Secret data could cause exceptionally grave damage.

Example: A serious national-security plan may be Secret; the most damaging defense information may be Top Secret.

Memory trick: Secret is serious; Top Secret is exceptionally grave.

Trick question tip: The damage wording separates Secret from Top Secret.

25

Need to know

Need to know means access is limited to people who require the information to perform authorized duties.

Example: A user with clearance is denied a document because the user does not need it for their role.

Memory trick: Clearance is not enough; need to know matters.

Trick question tip: Access to classified or sensitive data often requires both authorization and need to know.

26

Automatic document labeling

Automatic document labeling applies classification labels using defined rules, policies, or detected data characteristics.

Example: A system labels a document as company confidential when sensitive content is detected.

Memory trick: The tool tags the document for you.

Trick question tip: Automated classification and priority settings support data governance.

27

Proprietary data

Proprietary data is company-created, owned, or controlled information related to products, services, processes, methods, or intellectual property.

Example: Product design documents, internal algorithms, and service methods may be proprietary data.

Memory trick: Proprietary means the company owns it.

Trick question tip: Company-created information or IP points to proprietary data.

28

Intellectual property

Intellectual property is company-owned creative, technical, or business information that has value and may require protection from competitors or unauthorized use.

Example: Software designs, product plans, books, music, formulas, and technical processes can be IP.

Memory trick: IP means valuable ideas and creations.

Trick question tip: Competitor interest, copying, counterfeiting, or product design theft points to IP risk.

29

Private data

Private data relates to an individual identity and includes personal data, PII, sensitive personal data, credentials, financial details, and biometric data.

Example: Names, addresses, identifiers, financial records, health records, credentials, and biometrics can be private data.

Memory trick: Private data points back to a person.

Trick question tip: Data related to an individual identity points to private or personal data.

30

Sensitive data

Sensitive data is information that could harm a person, organization, or decision-making process if disclosed or misused.

Example: Health information, genetic data, login credentials, and privacy-sensitive personal details can be sensitive.

Memory trick: Sensitive means exposure could hurt.

Trick question tip: Harm, prejudice, identity theft, or unfair decisions point to sensitive data.

31

Sensitive personal data

Sensitive personal data is a special category of personal data that could cause harm or prejudice if disclosed or used improperly.

Example: Health data, genetic data, racial or ethnic origin, religious beliefs, political opinions, trade union membership, gender, or sexual-orientation data may be sensitive personal data.

Memory trick: Sensitive personal data is the most delicate person-related data.

Trick question tip: GDPR-style sensitive categories require extra care.

32

Biometric data

Biometric data is personal data based on unique physical or behavioral characteristics.

Example: Fingerprints, facial templates, iris scans, and voiceprints may be biometric data.

Memory trick: Biometrics are body-based identifiers.

Trick question tip: Biometric data is treated as sensitive personal or private data.

33

Restricted data

Restricted data is highly confidential or sensitive information requiring stringent controls and very limited access.

Example: Highly sensitive security plans or data that could cause significant harm may be classified as restricted.

Memory trick: Restricted means locked down hard.

Trick question tip: Stringent controls, limited access, and significant harm point to restricted data.

34

Private versus sensitive data

Private data relates to an individual identity, while sensitive data could cause harm or prejudice if disclosed or misused.

Example: A name and address may be private; health information or biometric data may be sensitive.

Memory trick: Private identifies; sensitive can harm.

Trick question tip: Individual identity points to private; harm or prejudice points to sensitive.

35

Confidential versus restricted data

Confidential data is sensitive and limited to authorized users, while restricted data usually requires stronger controls due to greater harm potential.

Example: An internal plan may be confidential; highly sensitive security plans may be restricted.

Memory trick: Confidential is limited; restricted is locked down harder.

Trick question tip: Greater harm and stricter controls point to restricted.

36

Data sovereignty

Data sovereignty means data is subject to the laws and restrictions of the jurisdiction where it is stored, processed, transmitted, or collected.

Example: An organization stores customer data in a specific cloud region to meet local privacy requirements.

Memory trick: Location controls the rules.

Trick question tip: Jurisdiction, legal boundaries, storage location, and processing restrictions point to data sovereignty.

37

Jurisdiction

Jurisdiction is the legal authority of a country, state, region, or regulatory body over data, systems, people, or organizations.

Example: Data stored in another country may be subject to that country’s privacy and access laws.

Memory trick: Jurisdiction means whose law applies.

Trick question tip: If data crosses borders, jurisdiction becomes a major concern.

38

Cross-border data risk

Cross-border data risk occurs when data is stored, transmitted, processed, or collected across different legal or geographic jurisdictions.

Example: A company collects data in one region but stores it in a cloud region with weaker privacy protections.

Memory trick: Data crossing borders carries legal baggage.

Trick question tip: Data stored or transmitted in other countries may face different privacy and access rules.

39

Data localization

Data localization requires data to be stored or processed within a specific geographic or legal boundary.

Example: A cloud customer chooses a local datacenter so regulated data stays inside an approved country.

Memory trick: Localization means keep the data local.

Trick question tip: Requirements to store or process data inside a boundary point to data localization.

40

Cloud region selection

Cloud region selection chooses where cloud data is stored and processed to meet business, latency, privacy, and legal requirements.

Example: A company selects an approved regional cloud datacenter for regulated customer data.

Memory trick: Cloud region decides where data lives.

Trick question tip: Cloud datacenter choice often supports sovereignty compliance.

41

Data processing and storage restrictions

Processing restrictions limit where or how data can be collected, analyzed, transformed, stored, or used, while storage restrictions limit where data may reside.

Example: A privacy rule prevents customer records from being processed or stored outside an approved jurisdiction.

Memory trick: Processing is what happens to data; storage is where data lives.

Trick question tip: Data sovereignty affects both processing and storage.

42

Adequate privacy regulation and safeguards

Adequate privacy regulation means the destination jurisdiction protects data well enough; contractual safeguards can extend privacy duties when it does not.

Example: A vendor contract requires protection of transferred personal data in another jurisdiction.

Memory trick: Adequate means protected well enough; contracts add promises.

Trick question tip: Cross-border transfers may require adequate safeguards or contractual protections.

43

Geolocation access control

Geolocation access control allows or denies access based on the user’s geographic location.

Example: A database blocks access attempts from countries outside the approved operating region.

Memory trick: Geolocation asks where the user is logging in from.

Trick question tip: Location-based access approval or denial points to geolocation controls.

44

Constraint-based access control

Constraint-based access control uses conditions such as location, time, device, network, or risk level before authorizing access.

Example: A cloud file service checks user location and device status before allowing access to sensitive files.

Memory trick: Access depends on conditions.

Trick question tip: Validating geographic location before access is a constraint-based access clue.

45

Privacy data

Privacy data is personally identifiable or sensitive information associated with an individual’s personal, financial, health, or social identity.

Example: Names, addresses, identifiers, medical records, and financial transactions can be privacy data.

Memory trick: Privacy data points to a person and their rights.

Trick question tip: If exposure could infringe privacy rights, think privacy data.

46

Privacy rights

Privacy rights let individuals control, access, correct, delete, restrict, object to, or withdraw consent for certain uses of personal data.

Example: A person requests access to the personal data a company stores about them.

Memory trick: Privacy rights give people control over personal data.

Trick question tip: Access, correction, deletion, restriction, portability, objection, and consent withdrawal are privacy rights.

47

Privacy data versus confidential data

Privacy data relates to individual personal information and privacy rights, while confidential data can include any protected nonpublic business or sensitive information.

Example: A patient record is privacy data; source code for a proprietary product is confidential data.

Memory trick: Privacy protects people; confidential protects sensitive information.

Trick question tip: Individual rights and consent point to privacy; business competitiveness and IP point to confidential.

48

GDPR

GDPR is a European privacy regulation that sets strong privacy and data protection standards for personal data.

Example: An organization processing personal data of EU residents may need to follow GDPR even if the organization is outside the EU.

Memory trick: GDPR is the big EU privacy rule.

Trick question tip: EU residents, personal data, data subject rights, and extraterritorial effect point to GDPR.

49

GDPR extraterritorial effect

GDPR extraterritorial effect means GDPR can apply to organizations outside the EU when they process personal data of EU residents.

Example: A non-EU company serving EU users may need to follow GDPR for those users’ data.

Memory trick: GDPR can follow EU personal data beyond Europe.

Trick question tip: Company location alone does not always prevent GDPR from applying.

50

Data Controller

A Data Controller determines the purposes and means of processing personal data.

Example: A company decides why customer data is collected, what categories are processed, and how the data is used.

Memory trick: Controller decides why and how.

Trick question tip: Decision-making authority over personal data points to Data Controller.

51

Data Processor

A Data Processor processes personal data on behalf of and under the instructions of the Data Controller.

Example: A cloud provider stores customer data for a company according to that company’s instructions.

Memory trick: Processor performs processing for the controller.

Trick question tip: Acting on behalf of the controller without independent decision-making points to Data Processor.

52

Controller versus Processor

A Data Controller decides why and how personal data is processed, while a Data Processor processes the data only on the controller’s behalf and instructions.

Example: A business decides to collect customer data; its cloud provider stores it as instructed.

Memory trick: Controller decides; processor does.

Trick question tip: Purpose and means equal controller; instructed processing equals processor.

53

Right of access

Right of access allows data subjects to request access to personal data and information about how it is processed.

Example: A customer asks what categories of personal data a company stores and who receives it.

Memory trick: Access means show me my data.

Trick question tip: Requests for processing purpose, data categories, recipients, or retention duration point to right of access.

54

Right to erasure

Right to erasure allows data subjects to request deletion or removal of personal data under certain circumstances.

Example: A person asks an organization to delete data no longer needed for its original purpose.

Memory trick: Erasure means delete my data.

Trick question tip: Deletion request under privacy law points to erasure or right to be forgotten.

55

Data portability

Data portability allows data subjects to receive personal data in a commonly used machine-readable format so they can transfer it.

Example: A user downloads account data in a machine-readable file to move to another provider.

Memory trick: Portability means take your data with you.

Trick question tip: Machine-readable format and transfer to another service point to data portability.

56

Right to be forgotten

Right to be forgotten is a GDPR principle allowing data subjects to request erasure of personal data under certain circumstances.

Example: A person asks a service to remove personal information that is no longer necessary or lawful to retain.

Memory trick: Right to be forgotten means remove my data when allowed.

Trick question tip: Erasure may extend to third parties, but can be limited by legal obligations or legal claims.

57

Data inventory

A data inventory is a detailed record of data assets, categories, locations, owners, processing purposes, legal basis, recipients, and retention periods.

Example: A company maintains a map of where customer personal data is stored and why it is processed.

Memory trick: Data inventory is the map of personal data.

Trick question tip: Inventory helps transparency, privacy requests, retention, and compliance.

58

Data minimization

Data minimization means collecting and keeping only the personal data necessary for the stated purpose.

Example: A signup form asks only for the information needed to create the account.

Memory trick: Collect less, risk less.

Trick question tip: Unnecessary collection violates minimization principles.

59

Data retention and storage limitation

Data retention keeps data only as long as required, while storage limitation prevents keeping personal data longer than necessary.

Example: A company deletes old customer records when retention requirements expire.

Memory trick: Keep it only as long as needed.

Trick question tip: Retention rules support privacy, compliance, and secure disposal.

60

Anonymization

Anonymization transforms personal data so individuals can no longer be identified from it.

Example: Customer identifiers are removed before records are used for broad statistical analysis.

Memory trick: Anonymization removes the person from the data.

Trick question tip: Anonymization can reduce privacy risk when data is no longer needed in identifiable form.

61

Data breach

A data breach is the unauthorized access, loss, exposure, disclosure, modification, deletion, or misuse of data.

Example: A misconfigured folder exposes customer records to unauthorized users.

Memory trick: Breach means data security failed.

Trick question tip: A breach can involve any data type, not only privacy data.

62

Privacy breach

A privacy breach is the loss, exposure, or misuse of personal or privacy data that affects individual rights or privacy.

Example: Unauthorized access to customer identity records creates a privacy breach.

Memory trick: Privacy breach means personal data exposure.

Trick question tip: Privacy breach is narrower than general data breach.

63

Unauthorized read, modification, and deletion

Unauthorized read exposes information, unauthorized modification changes or corrupts it, and unauthorized deletion removes it without approval.

Example: A user views a restricted file, edits it improperly, or deletes it without permission.

Memory trick: Read breaks confidentiality, modify breaks integrity, delete affects availability and integrity.

Trick question tip: Match breach behavior to CIA impact.

64

Intellectual property breach

An intellectual property breach is unauthorized access, disclosure, copying, or theft of IP or proprietary information.

Example: A product design is stolen and used by a competitor.

Memory trick: IP breach steals valuable ideas.

Trick question tip: IP theft can cause revenue loss, competitive harm, and counterfeiting risk.

65

Breach consequences

Breach consequences can include reputation damage, customer trust loss, identity theft, data subject damages, regulatory fines, legal action, and business disruption.

Example: A customer data breach leads to fines, lawsuits, and loss of customer confidence.

Memory trick: Breach consequences hit trust, money, law, and operations.

Trick question tip: Turnover-based fines, identity theft, and regulator action are breach consequence clues.

66

Notifiable breach

A notifiable breach is a breach that must be reported to required parties under law, regulation, contract, or policy.

Example: A protected health information breach may require notification to affected individuals and regulators.

Memory trick: Notifiable means must tell someone.

Trick question tip: Breach notification requirements define who must be notified and how quickly.

67

HIPAA breach notification threshold

HIPAA breach notification may require media notification when more than 500 affected individuals in a state or jurisdiction are involved.

Example: A large healthcare data breach triggers notification to affected people, regulators, and media.

Memory trick: HIPAA big breach can mean media notice.

Trick question tip: The 500-person threshold is a HIPAA breach notification clue.

68

GDPR breach notification

GDPR generally requires notification to the supervisory authority within 72 hours after becoming aware of a qualifying personal data breach.

Example: A controller reports a qualifying breach to the regulator within the required time.

Memory trick: GDPR breach clock is 72 hours.

Trick question tip: GDPR is usually stronger and broader than many U.S. privacy rules.

69

CCPA

CCPA is a California privacy law focused on consumer privacy rights and obligations for businesses handling California consumer data.

Example: A California consumer requests information about personal data collected by a business.

Memory trick: CCPA = California consumer privacy.

Trick question tip: California consumer rights and privacy obligations point to CCPA.

70

Security compliance

Security compliance means following applicable laws, regulations, standards, contracts, policies, controls, and reporting obligations.

Example: An organization verifies that privacy controls meet legal and industry requirements.

Memory trick: Compliance means following required rules.

Trick question tip: Compliance protects sensitive data and helps avoid penalties.

71

Noncompliance consequences

Noncompliance can cause legal sanctions, financial penalties, liability, data subject lawsuits, reputational damage, loss of trust, regulatory scrutiny, and mandated remediation.

Example: A regulator fines a company and orders corrective action after a privacy violation.

Memory trick: Breaking rules costs money, trust, and control.

Trick question tip: Fines, lawsuits, scrutiny, and mandated remediation are noncompliance consequences.

72

Software licensing compliance

Software licensing compliance means following software license terms, usage rights, and contract restrictions.

Example: A company tracks installed software to avoid exceeding licensed user counts.

Memory trick: Licensing compliance means use software only as allowed.

Trick question tip: Usage rights, license revocation, audits, and overuse point to licensing compliance.

73

Contractual noncompliance

Contractual noncompliance is failure to meet obligations in a contract, which can lead to breach of contract, damages, termination, penalties, or liability.

Example: A vendor fails to meet required security controls in the service agreement.

Memory trick: Contract rules count too.

Trick question tip: Termination penalties, indemnification, contractual damages, and aggrieved parties are contract clues.

74

Compliance monitoring

Compliance monitoring systematically checks whether the organization continues to follow required rules and controls.

Example: A tool monitors whether security controls remain configured according to policy.

Memory trick: Monitoring checks compliance over time.

Trick question tip: Ongoing monitoring, data collection, analysis, findings, and recommendations are compliance monitoring clues.

75

Internal versus external compliance reporting

Internal reporting focuses on organizational improvement and accountability, while external reporting communicates compliance to regulators, auditors, customers, or stakeholders.

Example: A risk committee receives internal reports; a regulator receives external compliance documentation.

Memory trick: Internal improves; external proves.

Trick question tip: External reporting emphasizes transparency and outside confidence.

76

Attestation and acknowledgment

Attestation is a formal statement that requirements are met, while acknowledgment is confirmation that someone received or understood a policy, training, or requirement.

Example: A vendor attests to control compliance, while an employee acknowledges the AUP.

Memory trick: Attestation vouches; acknowledgment confirms receipt or understanding.

Trick question tip: Do not confuse formal compliance attestation with user policy acknowledgment.

77

Data at rest

Data at rest is data stored on persistent media such as drives, databases, files, folders, archives, or backups.

Example: A database file stored on disk contains data at rest.

Memory trick: Data at rest is sitting still.

Trick question tip: Persistent storage and stored files point to data at rest.

78

Data at rest protection

Data at rest is protected using whole disk encryption, database encryption, file-level encryption, folder-level encryption, ACLs, and trusted OS mediation.

Example: A laptop uses full-disk encryption and ACLs to protect stored documents.

Memory trick: Stored data needs encryption and permissions.

Trick question tip: Disk, file, folder, and database protections point to data at rest.

79

Data in transit

Data in transit, also called data in motion, is data moving between systems, networks, users, or services.

Example: A user sends data to a web application over the network.

Memory trick: Data in transit is moving.

Trick question tip: Transport encryption such as TLS or IPsec protects data in transit.

80

Data in use

Data in use, also called data in processing, is data actively being used by an application, user, CPU, or memory.

Example: A decrypted file being edited in memory is data in use.

Memory trick: Data in use is actively working.

Trick question tip: Data often must be decrypted while in use, creating extra exposure.

81

Data state comparison

Data at rest is stored, data in transit is moving, and data in use is actively being processed.

Example: A file on disk is at rest, a file transfer is in transit, and an open decrypted document in RAM is in use.

Memory trick: Stored, moving, working.

Trick question tip: Match the control to the state: storage encryption, transport encryption, or processing protection.

82

Encryption versus hashing

Encryption is reversible with a key for confidentiality, while hashing is one-way and verifies integrity or stores password representations.

Example: A file is encrypted so it can be decrypted later; a file hash proves whether it changed.

Memory trick: Encryption hides and can come back; hashing fingerprints and cannot come back.

Trick question tip: If the goal is confidentiality, use encryption; if the goal is integrity, use hashing.

83

Tokenization

Tokenization replaces sensitive data with a random substitute token while the real value is stored separately in a secure token vault.

Example: A payment system stores a token instead of the actual card number.

Memory trick: Token replaces the real secret.

Trick question tip: Payment card protection and substitute values point to tokenization.

84

Masking versus tokenization

Masking hides or substitutes visible data, while tokenization replaces sensitive data with a separate token that maps back to the original value in a secure system.

Example: A masked card shows only four digits; a tokenized card uses a random token for transactions.

Memory trick: Masking hides; tokenization swaps.

Trick question tip: Tokenization is stronger when systems do not need the original value.

85

Segmentation

Segmentation divides networks, data, systems, or access into smaller controlled areas to limit exposure and movement.

Example: Sensitive data is placed in a separate segment with stricter access controls.

Memory trick: Segmentation puts walls between things.

Trick question tip: Segmentation reduces exposure and limits lateral movement or broad access.

86

Least privilege with data protection

Least privilege gives users only the data and permissions needed for their role.

Example: A finance user can access payroll records but not engineering source code.

Memory trick: Only give the access needed.

Trick question tip: Permission restrictions reduce unauthorized access to sensitive data.

87

RBAC and rule-based access control

RBAC grants access based on assigned roles, while rule-based access control grants or denies access using specific rules or conditions.

Example: A manager role grants report access; a rule blocks access outside business hours.

Memory trick: Role decides job access; rule decides condition access.

Trick question tip: Job role points to RBAC; specific conditional rule points to rule-based access.

88

MAC and ABAC

MAC enforces access based on mandatory labels and clearances, while ABAC uses attributes such as user, resource, location, time, or device.

Example: A classified system uses labels for MAC; a cloud app allows access based on user role, device health, and location for ABAC.

Memory trick: MAC uses labels; ABAC uses attributes.

Trick question tip: Clearance labels point to MAC; multiple contextual attributes point to ABAC.

89

Data Loss Prevention (DLP)

DLP is a security solution that discovers, classifies, monitors, and enforces rules to prevent unauthorized movement or exposure of sensitive data.

Example: DLP blocks a user from emailing confidential files to an unapproved external recipient.

Memory trick: DLP stops sensitive data from leaving the wrong way.

Trick question tip: Data discovery, classification, policy enforcement, alerts, blocks, and quarantine point to DLP.

90

DLP for personal data and IP

DLP can protect personal data and intellectual property by discovering, classifying, and controlling movement of sensitive content.

Example: DLP detects customer identifiers in an outbound message and blocks unapproved sharing of source code.

Memory trick: DLP protects people-data and business-secrets.

Trick question tip: PII and IP are common DLP targets.

91

DLP remediation actions

DLP remediation actions include alert-only, block, quarantine, tombstone replacement, logging, and reporting.

Example: DLP blocks an upload, quarantines a file, and logs the incident.

Memory trick: DLP can warn, stop, isolate, replace, and record.

Trick question tip: Alert-only permits the action with a warning; block prevents it; quarantine isolates it.

92

DLP report

A DLP report summarizes incidents, policy violations, affected users, destinations, actions, and trends.

Example: A report shows repeated USB transfer attempts and quarantined files.

Memory trick: DLP report shows who tried to send what where.

Trick question tip: Reports support investigation, tuning, compliance, and training.

93

Conduct policies

Conduct policies define expected employee behavior when using organizational systems, data, devices, communications, and resources.

Example: A policy explains acceptable internet use, file sharing, social media use, and device restrictions.

Memory trick: Conduct policy tells users how to behave.

Trick question tip: Employee behavior rules point to conduct or acceptable use policies.

94

Acceptable Use Policy (AUP)

An AUP defines how employees may and may not use company networks, systems, devices, applications, internet access, and data.

Example: An AUP prohibits fraud, defamation, illegal material, unauthorized hardware, unauthorized software, and snooping.

Memory trick: AUP means allowed use policy.

Trick question tip: User activity on company systems points to AUP.

95

Personally owned device risk

Personally owned devices can create risks from unmanaged storage, cameras, microphones, USB transfer, malware, and loss of corporate data control.

Example: An employee copies work files to a personal phone that is not managed by the company.

Memory trick: Personal devices can become data exits.

Trick question tip: BYOD, USB devices, cameras, and voice recording are personal device risk clues.

96

Shadow IT

Shadow IT is the use of unauthorized applications, services, hardware, or cloud tools outside official IT approval.

Example: Employees use an unapproved cloud storage app to share work files.

Memory trick: Shadow IT hides from official IT control.

Trick question tip: Unapproved software or services can create data exfiltration, malware, licensing, and liability risks.

97

Clean desk policy

A clean desk policy requires employees to keep sensitive documents, notes, devices, and storage media secured when not in use.

Example: A worker locks confidential documents in a drawer before leaving the workspace.

Memory trick: Clean desk means no sensitive data left out.

Trick question tip: Paper documents, badges, USB media, and visible notes on desks point to clean desk policy.

98

Training topics and techniques

Training topics and techniques are the subjects, delivery methods, and learning approaches used to build security awareness.

Example: A program teaches phishing, removable media, passwords, insider threats, and hybrid work using CBT, workshops, and simulations.

Memory trick: Training teaches users what to watch for and what to do.

Trick question tip: Security awareness is ongoing and should match user roles and threats.

99

Emerging threat education

Emerging threat education teaches users about newer or changing threats such as fileless malware, zero-day exploits, new phishing tactics, and malicious cables.

Example: Users learn that a charging cable can contain malicious hardware.

Memory trick: New threats need new awareness.

Trick question tip: Training should update as threat patterns change.

100

Gamification and CTF

Gamification adds game-like elements to training, while CTF challenges learners to solve security tasks competitively.

Example: Employees earn points for completing phishing challenges, or students solve capture-the-flag exercises.

Memory trick: Gamification makes training feel like a game; CTF makes it a challenge.

Trick question tip: Points, badges, leaderboards, and security challenges point to gamification or CTF.