ISO/IEC 27040:2015 - Storage Security Foundation Free Practice Test — 30 Questions

Question 1

An enterprise is developing its storage security framework, aiming to align with ISO/IEC 27040:2015. They have decided to implement a tiered storage approach, categorizing data based on its sensitivity and regulatory compliance requirements. Highly sensitive customer financial records will reside on a highly secured, encrypted storage tier with strict access controls, while less critical internal operational logs will be placed on a more accessible, less protected tier. What is the fundamental security principle guiding this data segregation strategy within the context of ISO/IEC 27040:2015?

Accepted Answer

Applying security controls commensurate with the risk and value of the data asset.

Question 2

An organization operating under strict data retention mandates, similar to those found in financial regulations like SOX or GDPR concerning data privacy, is implementing a new storage solution. They need to ensure that historical financial transaction records, once written, cannot be altered or deleted by any user, including administrators, for a period of seven years. Concurrently, they must guarantee the ability to retrieve these records accurately and promptly in case of audits or legal discovery requests. Which combination of security controls, aligned with the principles of ISO/IEC 27040:2015, would most effectively address both the immutability and availability requirements for these sensitive records?

Accepted Answer

Implementation of write-once, read-many (WORM) storage technology combined with regular, verified backups to an offsite, air-gapped location.

Question 3

A multinational corporation, \"Aethelred Solutions,\" is implementing a new data storage infrastructure compliant with ISO/IEC 27040:2015. They are defining access control policies for their sensitive research and development data. Considering the standard\'s emphasis on minimizing risk and ensuring accountability, which of the following access control strategies would best align with the principles of least privilege and effective data governance for R&D personnel who require temporary access to specific datasets for project-based analysis?

Accepted Answer

Implement a role-based access control (RBAC) system that dynamically assigns permissions based on project assignments and data sensitivity classifications, with automated revocation upon project completion and periodic re-validation of roles.

Question 4

A global financial services firm, operating under strict regulatory mandates such as the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS), is implementing a new data archival strategy for its sensitive customer transaction records. The firm must ensure that these records are protected against unauthorized modification and that a complete, verifiable audit trail of all access and modification attempts is maintained for at least seven years. Which combination of storage security controls would best satisfy these stringent regulatory and operational requirements, aligning with the principles of ISO/IEC 27040:2015 for storage security?

Accepted Answer

Employing write-once, read-many (WORM) media for archival storage coupled with detailed, immutable access logging that records user identity, timestamp, and specific operations performed on the data.

Question 5

Consider a financial institution that utilizes a tiered storage strategy for its data. The highest tier is reserved for highly sensitive customer personally identifiable information (PII) and critical transaction records, while a lower tier is used for general operational logs and system monitoring data. According to the principles outlined in ISO/IEC 27040:2015, which storage configuration best aligns with the objective of maintaining appropriate security controls for each data tier, particularly in light of regulations like GDPR?

Accepted Answer

Storing customer PII and transaction records on a dedicated, encrypted storage array with granular access controls, while operational logs are stored on a separate, less restricted volume with standard access controls and periodic backups.

Question 6

A global financial services firm, operating under stringent regulatory frameworks like GDPR and SOX, is experiencing an escalating number of sophisticated ransomware attacks. These attacks are specifically designed to corrupt data integrity and render storage systems unavailable, posing a significant threat to business operations and client trust. Considering the principles outlined in ISO/IEC 27040:2015 for establishing and maintaining storage security, which of the following strategic responses would most effectively address the identified threats and vulnerabilities while adhering to the standard\'s emphasis on a risk-based approach?

Accepted Answer

Implementing a comprehensive data resilience strategy that includes immutable backups, robust access controls, continuous monitoring for anomalous activity, and a well-defined incident response and recovery plan.

Question 7

A financial institution, adhering to ISO/IEC 27040:2015, is migrating sensitive customer transaction records from its primary transactional database to a long-term archival storage solution. This archival solution is designed for infrequent access and is subject to different operational security parameters than the active system. Considering the principles of storage security throughout the data lifecycle, which of the following best describes the necessary security considerations for this transition and subsequent management of the archived data?

Accepted Answer

Ensuring the archival storage employs robust access control mechanisms, appropriate encryption for long-term data protection, and a verifiable secure deletion process for data reaching its end-of-retention period.

Question 8

A financial institution is transitioning its legacy tape backup system to a modern, encrypted object storage solution. During the decommissioning of the tape library, a significant volume of historical financial transaction data, previously encrypted using a proprietary algorithm, needs to be securely disposed of to comply with data privacy regulations like GDPR. Given the nature of the data and the need for absolute irrecoverability, which method of sanitization, as implicitly supported by the principles of ISO/IEC 27040:2015 for data at rest, would be the most appropriate and auditable for rendering this encrypted data permanently unreadable?

Accepted Answer

Cryptographic erasure by securely destroying the encryption keys used for the tape backups.

Question 9

An organization\'s storage infrastructure, housing sensitive financial data, experiences a significant data exfiltration event. Post-incident analysis reveals that the breach exploited an unpatched vulnerability in the storage array\'s management interface, which was accessible via an internal network segment. The organization had implemented encryption for data at rest and in transit, and employed role-based access control for administrative functions. However, the patch management process for storage system firmware was found to be inconsistent. Considering the principles outlined in ISO/IEC 27040:2015 for storage security management, which of the following best characterizes the primary deficiency that led to this security incident?

Accepted Answer

Inadequate implementation of a comprehensive patch management program for storage system firmware.

Question 10

An enterprise is transitioning its vast archival data repository from on-premises tape libraries to a distributed cloud-based object storage service. This migration involves sensitive financial records and personally identifiable information (PII) subject to stringent regulatory compliance, such as GDPR and SOX. The organization retains ultimate responsibility for data protection, even though the physical infrastructure is managed by the cloud provider. Which combination of security controls, as guided by ISO/IEC 27040:2015 principles, would most effectively address the security requirements for data at rest in this new storage paradigm?

Accepted Answer

Implementing robust client-side encryption with organization-managed keys, coupled with strict role-based access controls and regular security audits of the cloud provider's compliance certifications.

Question 11

A multinational corporation, operating under stringent data protection laws such as the California Consumer Privacy Act (CCPA) and financial regulations like the Payment Card Industry Data Security Standard (PCI DSS), is architecting a new data storage solution. The solution must securely store a combination of customer personally identifiable information (PII) and sensitive financial transaction records. Considering the principles of ISO/IEC 27040:2015, which storage security strategy would most effectively address the dual requirements of data isolation and robust access control for these distinct data types?

Accepted Answer

Implementing a unified storage pool with granular access control lists (ACLs) applied to individual files containing PII and financial data.

Question 12

Consider a scenario where a financial institution is decommissioning a legacy storage array that previously held sensitive customer transaction data. According to the principles of ISO/IEC 27040:2015, what is the most critical security consideration during the transition from active service to final disposal of this array?

Accepted Answer

Ensuring all data encryption keys associated with the array are securely destroyed or rendered irretrievable.

Question 13

An enterprise, adhering to ISO/IEC 27040:2015 principles, is implementing a new storage architecture for its highly sensitive financial transaction records. This data resides on a primary, high-performance storage tier that is frequently accessed. What combination of security measures would best align with the standard\'s guidance for protecting this critical data throughout its lifecycle within the storage environment and during its retrieval?

Accepted Answer

Implementing robust encryption for data at rest on the primary storage tier and utilizing secure protocols for all data in transit to and from the storage system.

Question 14

A financial institution is decommissioning a set of legacy storage arrays that previously held sensitive customer transaction data. The arrays are no longer actively used but have not yet been physically removed from the data center. According to the principles outlined in ISO/IEC 27040:2015, what is the most critical security consideration before these arrays are released for disposal or repurposing?

Accepted Answer

Ensuring all data on the arrays has been rendered unrecoverable through approved sanitization methods.

Question 15

A distributed storage network, utilized by a global financial institution, has begun exhibiting sporadic instances of data corruption across multiple nodes. This corruption manifests as subtle bit flips in critical transaction logs and customer account records, leading to inconsistencies that are only detected during periodic auditing. The institution is concerned about maintaining the integrity and availability of its sensitive financial data, which is subject to stringent regulatory requirements like the General Data Protection Regulation (GDPR) and local financial data protection laws. Which of the following foundational storage security controls, as advocated by ISO/IEC 27040:2015, would most directly and effectively mitigate the identified risk of data corruption and ensure compliance with data integrity mandates?

Accepted Answer

Implementation of comprehensive data integrity verification mechanisms, including error detection and correction codes, alongside robust backup and restore procedures to ensure data can be validated and recovered.

Question 16

A financial institution is decommissioning a set of legacy storage arrays that previously held highly sensitive customer financial records. The arrays are no longer in active use, and the organization plans to sell them to a third-party vendor specializing in refurbished hardware. According to the principles outlined in ISO/IEC 27040:2015, what is the most critical step to ensure the security of the data previously stored on these arrays before they are transferred to the vendor?

Accepted Answer

Implement a multi-pass overwrite procedure on all storage media, followed by a verification scan to confirm data irrecoverability.

Question 17

A financial institution\'s primary storage system, housing sensitive customer transaction records, is identified as a critical asset. Analysis of potential threats reveals a moderate likelihood of an insider exploiting privileged access to exfiltrate data, and a high potential impact on regulatory compliance and customer trust if successful. Conversely, a low likelihood of a hardware failure impacting availability is also noted, with a moderate impact on operations. Which risk treatment approach, as guided by ISO/IEC 27040:2015 principles, would be most prudent for this institution to prioritize for the storage security of this critical asset?

Accepted Answer

Implementing stringent, multi-factor authentication for all administrative access and granular, role-based access controls for data retrieval, coupled with continuous monitoring for anomalous activity.

Question 18

A financial institution is migrating its legacy customer transaction data to a new, tiered storage architecture. The primary tier is designated for frequently accessed, highly sensitive customer financial records, which are subject to strict regulatory compliance mandates, including data privacy and integrity requirements. The secondary tier will house less frequently accessed but still important historical data, and the tertiary tier will store archival data for long-term retention. Considering the principles of ISO/IEC 27040:2015, which combination of security controls would provide the most robust and compliant protection for the data residing on the primary storage tier?

Accepted Answer

Implementing strong, end-to-end encryption for data at rest on the primary tier, coupled with a dedicated hardware security module (HSM) for key management and role-based access control (RBAC) enforced at the storage system level.

Question 19

Consider a scenario where a financial institution is decommissioning a set of legacy hard disk drives (HDDs) that previously stored sensitive customer transaction records. These drives are slated for disposal. The institution\'s IT security team has implemented a policy that mandates the secure erasure of all data before disposal. However, during a post-disposal audit, a forensic analysis of a sample of the drives revealed that while file system entries were removed and the drives were formatted, residual data fragments from the transaction records were still recoverable using specialized tools. Which of the following actions, if it had been correctly implemented as part of the decommissioning process, would most effectively align with the principles of secure data sanitization as outlined in ISO/IEC 27040:2015 to prevent such data remanence?

Accepted Answer

Performing a single pass overwrite of the entire storage media with a fixed pattern of binary zeros.

Question 20

A multinational corporation, \"Aethelred Analytics,\" is migrating its legacy customer relationship management (CRM) database to a new cloud-based storage solution. Before decommissioning the on-premises storage arrays that housed the old CRM data, including personally identifiable information (PII) and proprietary business strategies, the organization must ensure that all sensitive data is securely eliminated. Given the stringent data protection regulations in several jurisdictions where Aethelred Analytics operates, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which of the following approaches best aligns with the security principles outlined in ISO/IEC 27040:2015 for the secure disposal of sensitive data from storage media?

Accepted Answer

Implementing a multi-pass overwrite procedure using a recognized standard like NIST SP 800-88 Rev. 1 guidelines to render the data unreadable, followed by a verification process to confirm data irrecoverability.

Question 21

Consider a highly sensitive data archive housed in a dedicated server room. The organization has implemented strong encryption for data at rest and employs multi-factor authentication for all network-based access to the storage systems. However, a recent threat assessment identified a potential vulnerability where an adversary could gain undetected physical access to the server room itself, potentially leading to the direct manipulation or exfiltration of storage media. Which security control, as emphasized by the principles of ISO/IEC 27040:2015, would serve as the most critical foundational defense against this specific physical compromise scenario?

Accepted Answer

Rigorous physical access controls and environmental monitoring for the data center housing the storage infrastructure

Question 22

When a global fintech firm is migrating its customer transaction history to a new, cloud-based storage infrastructure, and this data is subject to stringent financial regulations like PCI DSS and local data residency laws, which foundational element of storage security, as outlined by ISO/IEC 27040:2015, should most heavily influence the selection and configuration of security controls for the new system?

Accepted Answer

The comprehensive output of a documented risk assessment that evaluates threats, vulnerabilities, and impacts across the data lifecycle, considering regulatory compliance obligations.

Question 23

A multinational corporation, \"Aethelred Analytics,\" is migrating its sensitive customer data from legacy magnetic tape drives to a modern solid-state storage infrastructure. Before decommissioning the old tape library, the Chief Information Security Officer (CISO) needs to ensure that all historical customer information is rendered irretrievable, adhering to the principles of data remanence and sanitization as stipulated by ISO/IEC 27040:2015. Which of the following actions would be the most compliant and effective method for achieving this objective, considering the nature of magnetic media and the standard\'s guidance on data sanitization?

Accepted Answer

Executing a standard file deletion command on each tape and then reformatting the tapes for potential reuse.

Question 24

Consider a financial institution that has migrated its active customer transaction records to a new, high-performance storage system. The older transaction data, still subject to a seven-year retention period under financial regulations, has been moved to a separate, offline archival storage solution. What is the most critical security consideration for this archival storage, as guided by the principles of ISO/IEC 27040:2015, to ensure ongoing compliance and data integrity during its inactive phase?

Accepted Answer

Implementing robust encryption for the archived data and ensuring secure key management practices, alongside strict access controls to the archival media and systems.

Question 25

A multinational corporation, \"Aethelred Analytics,\" is transitioning its legacy data storage infrastructure to a cloud-based solution. During this migration, they must ensure the secure decommissioning of their on-premises storage arrays, which contain highly sensitive client financial data. According to the principles espoused in ISO/IEC 27040:2015, which method of data sanitization for these arrays would be considered the most robust and aligned with ensuring the irrecoverability of the information, assuming the data is currently encrypted?

Accepted Answer

Securely destroying the encryption keys associated with the encrypted data on the storage media.

Question 26

A cloud storage provider is planning to integrate a novel data deduplication technology to optimize storage utilization. This technology works by identifying and storing only unique data blocks, replacing duplicate blocks with pointers. Considering the principles outlined in ISO/IEC 27040:2015 for storage security, which of the following actions would be the most critical and proactive step to ensure the security of stored data before the widespread adoption of this new technology?

Accepted Answer

Conduct a comprehensive risk assessment specifically targeting the deduplication process and its potential impact on data confidentiality and integrity.

Question 27

Considering the principles outlined in ISO/IEC 27040:2015 for rendering data irrecoverable from storage media, which of the following approaches most accurately reflects the standard\'s emphasis on achieving a state where data cannot be retrieved through any reasonably foreseeable means, irrespective of the specific media type?

Accepted Answer

Implementing a multi-pass overwrite procedure using random data patterns, followed by a verification step to confirm the absence of readable data.

Question 28

A multinational corporation, \"Aethelred Dynamics,\" operates a hybrid cloud storage infrastructure across several geographically dispersed data centers. They are tasked with ensuring the confidentiality and integrity of sensitive customer financial records stored on these distributed nodes, adhering to the principles outlined in ISO/IEC 27040:2015. Given the potential for insider threats and sophisticated external attacks targeting data at rest, which combination of security measures would most effectively address the requirements for protecting this data across the distributed storage environment?

Accepted Answer

Implementing robust end-to-end encryption for all data at rest, coupled with granular, role-based access controls enforced at the storage node level.

Question 29

Consider an organization that handles highly sensitive financial records and is striving to comply with stringent data protection regulations, such as GDPR, by implementing a comprehensive storage security framework aligned with ISO/IEC 27040:2015. The primary concern is to ensure that financial transaction data stored on disk arrays remains unaltered by any unauthorized entity, whether internal or external, and that any such alteration can be reliably detected. Which of the following control mechanisms, when implemented as part of the storage security foundation, would most effectively address the detection of unauthorized modifications to data at rest?

Accepted Answer

Employing cryptographic hash functions on data blocks and securely managing the keys used for hashing.

Question 30

A financial institution, adhering to stringent data protection regulations such as the General Data Protection Regulation (GDPR), has completed a migration of customer financial records to a new, more secure storage infrastructure. The legacy storage devices that housed this sensitive data are now scheduled for decommissioning. Considering the critical nature of financial data and the legal obligations to protect customer privacy, which decommissioning method for the legacy storage media would most effectively satisfy the requirements for secure data disposal as outlined by storage security best practices, ensuring no residual data remains accessible?

Accepted Answer

Employing a multi-pass data overwriting technique that conforms to established standards for secure data sanitization, followed by a physical destruction of the media if feasible.

ISO/IEC 27040:2015 - Storage Security Foundation Free Practice Test — 30 Questions

A lot more is already mapped out

About the ISO/IEC 27040:2015 - Storage Security Foundation Certification