0 / 10 flipped
Concept
What are the five stages of the procurement process, in order?
Answer
1. User request — employee identifies need; documents specs, justification, budget source; routes for management approval
2. IT and purchasing review — evaluates technical fit, budget, preferred vendors
3. Supplier negotiation — pricing, delivery, licensing, warranty, SLA terms
4. Purchase and delivery — purchase order generated; goods/services delivered
5. Invoice and payment — payment processed per invoice terms; assets entered into tracking system
The process creates an auditable financial trail from request to receipt.
2. IT and purchasing review — evaluates technical fit, budget, preferred vendors
3. Supplier negotiation — pricing, delivery, licensing, warranty, SLA terms
4. Purchase and delivery — purchase order generated; goods/services delivered
5. Invoice and payment — payment processed per invoice terms; assets entered into tracking system
The process creates an auditable financial trail from request to receipt.
Term
Asset Classification — CapEx vs. OpEx
Definition
Hardware = Capital Expenditure (CapEx)
Physical assets (servers, laptops, routers) — long-lived; depreciate over time; affect taxes annually through depreciation schedule.
Software = Operating Expenditure (OpEx)
Licenses, subscriptions, SaaS — ongoing business expense; generally does not depreciate; expensed in the period incurred.
The distinction matters for financial reporting, tax compliance, and audit accuracy. The exam tests whether you know which is which and why the difference matters.
Physical assets (servers, laptops, routers) — long-lived; depreciate over time; affect taxes annually through depreciation schedule.
Software = Operating Expenditure (OpEx)
Licenses, subscriptions, SaaS — ongoing business expense; generally does not depreciate; expensed in the period incurred.
The distinction matters for financial reporting, tax compliance, and audit accuracy. The exam tests whether you know which is which and why the difference matters.
Concept
What is asset enumeration, and why does it matter for security?
Answer
Asset enumeration documents the individual components within each asset rather than treating the device as a single black-box entry.
A workstation record includes: CPU model/speed, memory capacity, storage drive make/model/capacity, peripheral devices, operating system, and installed software versions.
Security relevance:
• Cannot patch what you haven't enumerated — knowing "we have a workstation" is insufficient; knowing it has "Intel CPU, 16GB RAM, WD 1TB HDD, Windows 11 21H2" identifies exactly what patches apply
• Supports precise vulnerability management
• Helps desk pre-population with device specs before dispatch
• Identifies unsupported or end-of-life components
A workstation record includes: CPU model/speed, memory capacity, storage drive make/model/capacity, peripheral devices, operating system, and installed software versions.
Security relevance:
• Cannot patch what you haven't enumerated — knowing "we have a workstation" is insufficient; knowing it has "Intel CPU, 16GB RAM, WD 1TB HDD, Windows 11 21H2" identifies exactly what patches apply
• Supports precise vulnerability management
• Helps desk pre-population with device specs before dispatch
• Identifies unsupported or end-of-life components
Term
Asset Tag — types and purposes
Definition
A physical identifier attached to a device that links it to its record in the asset tracking system.
Types: Barcode (scanned with handheld reader), RFID tag (scanned wirelessly), visible tracking number with org name.
Three functions:
• Rapid inventory — scan devices during physical audit rather than reading serial numbers manually
• Help desk integration — scan device to instantly pull up asset record
• Theft deterrence and recovery — visible org label discourages theft; enables recovery via pawn shop reporting or police database matching
Types: Barcode (scanned with handheld reader), RFID tag (scanned wirelessly), visible tracking number with org name.
Three functions:
• Rapid inventory — scan devices during physical audit rather than reading serial numbers manually
• Help desk integration — scan device to instantly pull up asset record
• Theft deterrence and recovery — visible org label discourages theft; enables recovery via pawn shop reporting or police database matching
Concept
What is media sanitization, and what makes it different from standard file deletion?
Answer
Media sanitization securely removes data from storage media so it cannot be recovered — by any means, including forensic tools. It is a one-way process: properly sanitized data is gone permanently.
Why standard deletion is NOT sanitization: When you delete a file or format a drive using the OS, only the directory entry (pointer) is removed. The actual data remains on the disk sectors until new data overwrites those sectors. Free recovery tools can restore deleted files in seconds.
Sanitization methods: Secure overwrite (rewrites all sectors with random data; drive reusable), or physical destruction (drive not reusable but data unrecoverable). Method choice depends on the device's next destination.
Why standard deletion is NOT sanitization: When you delete a file or format a drive using the OS, only the directory entry (pointer) is removed. The actual data remains on the disk sectors until new data overwrites those sectors. Free recovery tools can restore deleted files in seconds.
Sanitization methods: Secure overwrite (rewrites all sectors with random data; drive reusable), or physical destruction (drive not reusable but data unrecoverable). Method choice depends on the device's next destination.
Term
Degaussing — what it does, what it does NOT do
Definition
Degaussing uses a powerful electromagnetic field to destroy the magnetic patterns on storage media.
Effective on: Hard disk drives (HDDs) with magnetic platters. Destroys all data AND renders the drive mechanically unusable (servo tracks erased; drive cannot position read/write heads).
NOT effective on: Solid-state drives (SSDs). SSDs store data as electrical charge in flash memory cells, not magnetic patterns. An electromagnetic field has no effect — the SSD comes out of the degausser unchanged, with all data intact and fully readable.
Applying degaussing to an SSD is not sanitization. It is a false sense of security.
Effective on: Hard disk drives (HDDs) with magnetic platters. Destroys all data AND renders the drive mechanically unusable (servo tracks erased; drive cannot position read/write heads).
NOT effective on: Solid-state drives (SSDs). SSDs store data as electrical charge in flash memory cells, not magnetic patterns. An electromagnetic field has no effect — the SSD comes out of the degausser unchanged, with all data intact and fully readable.
Applying degaussing to an SSD is not sanitization. It is a false sense of security.
Concept
What are the four physical destruction methods? When is each appropriate?
Answer
Drilling / Hammering: Puncture or deform platters manually. Quick; no specialized equipment; suitable for small quantities. Must penetrate actual platter surface, not just housing.
Shredding / Pulverization: Industrial machinery reduces drives to fragments. Scalable for large volumes; high assurance; third-party services available; produces physical evidence.
Degaussing: Electromagnetic erasure. HDDs only (not SSDs). Drive is rendered permanently unusable as a side effect.
Incineration: High-temperature destruction; reduces to ash. Highest assurance; no fragments survive. Reserved for classified/highly sensitive data or government/military requirements.
Shredding / Pulverization: Industrial machinery reduces drives to fragments. Scalable for large volumes; high assurance; third-party services available; produces physical evidence.
Degaussing: Electromagnetic erasure. HDDs only (not SSDs). Drive is rendered permanently unusable as a side effect.
Incineration: High-temperature destruction; reduces to ash. Highest assurance; no fragments survive. Reserved for classified/highly sensitive data or government/military requirements.
Term
Certificate of Destruction
Definition
A formal document issued by a third-party destruction vendor confirming that specific storage devices were destroyed per defined procedures.
Should include: Serial numbers of each drive (matched to asset inventory), destruction method used, date and location, vendor authorization and signature.
Why serial numbers matter: A certificate listing only "500 drives destroyed" is weak — it proves nothing about your specific drives. Serial-number-matched certificates prove your specific assets were destroyed.
Functions: Compliance audit evidence (demonstrates data disposal due diligence), legal protection (chain-of-custody record), regulatory reporting (HIPAA, PCI DSS, SOX disposal requirements).
Should include: Serial numbers of each drive (matched to asset inventory), destruction method used, date and location, vendor authorization and signature.
Why serial numbers matter: A certificate listing only "500 drives destroyed" is weak — it proves nothing about your specific drives. Serial-number-matched certificates prove your specific assets were destroyed.
Functions: Compliance audit evidence (demonstrates data disposal due diligence), legal protection (chain-of-custody record), regulatory reporting (HIPAA, PCI DSS, SOX disposal requirements).
Concept
What are the three drivers of data retention policy?
Answer
1. Regulatory compliance: Mandatory minimums set by law. HIPAA: patient records. SOX: financial records (7 years). SEC/FINRA: trading records and emails. Failure = fines, sanctions, license loss.
2. Operational recovery: Backup retention for accidental deletion (daily backups, 30-day window), disaster recovery (geographically separated copies), incident investigation (log retention for security analysis).
3. Data type differentiation: Not all data has the same requirements. Executive email vs. scheduling email. Financial transaction logs vs. operational logs. Policy must map each data category to its specific retention period and deletion procedure — "keep everything forever" wastes storage and increases breach exposure.
2. Operational recovery: Backup retention for accidental deletion (daily backups, 30-day window), disaster recovery (geographically separated copies), incident investigation (log retention for security analysis).
3. Data type differentiation: Not all data has the same requirements. Executive email vs. scheduling email. Financial transaction logs vs. operational logs. Policy must map each data category to its specific retention period and deletion procedure — "keep everything forever" wastes storage and increases breach exposure.
Concept
Why is asset management considered a security control, not just an administrative function?
Answer
Asset management is the prerequisite for nearly every other security control:
• Patch management requires knowing what software/firmware is installed — impossible without enumerated inventory
• Vulnerability scanning requires knowing what devices to scan — shadow IT devices are invisible to scanners
• Network segmentation requires knowing what devices belong in which segment
• Incident response requires quickly identifying what was affected — ownership records point to the right user and device
• Data protection requires knowing which devices hold sensitive data
Principle: You cannot secure what you don't know you have. An untracked device is unpatched, unmonitored, and uncontrolled — an invisible attack surface.
• Patch management requires knowing what software/firmware is installed — impossible without enumerated inventory
• Vulnerability scanning requires knowing what devices to scan — shadow IT devices are invisible to scanners
• Network segmentation requires knowing what devices belong in which segment
• Incident response requires quickly identifying what was affected — ownership records point to the right user and device
• Data protection requires knowing which devices hold sensitive data
Principle: You cannot secure what you don't know you have. An untracked device is unpatched, unmonitored, and uncontrolled — an invisible attack surface.