savita1974
Newcomer I

need support on this question

Hi, I got this question while looking at a few examples. In my understanding, answer A seems right, but the book says it is option B. Kindly clarify and help.

Alex has ensured that all of his staff have signed nondisclosure agreements to help protect his organization’s intellectual property and data. What potential issue is Alex working to deal with?

a. Data exfiltration

b. Personnel retention

c. Data breach

d. Nonproprietary data sharing

Thanks

Savita

4 Replies
Shannon
Community Champion

I'd be inclined to choose option A as well, given that I see 'Personnel Retention' as 'Employee Retention.'

However, if it's been taken as related to the requirements for 'Data Retention,' that may be the reason for B being the correct option here.

Books and sites offering practice questions tend to justify the answer. Wasn't that done in this case?

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
CISOScott
Community Champion


@savita1974 wrote:

Hi, I got this question while looking at a few examples. In my understanding, answer A seems right, but the book says it is option B. Kindly clarify and help.

Alex has ensured that all of his staff have signed nondisclosure agreements to help protect his organization’s intellectual property and data. What potential issue is Alex working to deal with?

a. Data exfiltration

b. Personnel retention

c. Data breach

d. Nonproprietary data sharing

Thanks

Savita

Again,

Look at what each answer is and how a Non-Disclosure Agreement (NDA) would help. First, what is an NDA and what is it used for? An NDA is designed to restrict people from releasing information that may be proprietary, confidential, sensitive, etc.

As an aside, I used NDAs in my supervisory capacity to protect my cyber security employees from other IT supervisors, as we were the investigators of incidents, which sometimes included inappropriate use by IT people or managers. If my employees were told to reveal the contents of an investigation, they were told to say "I have signed an NDA, you need to speak with the CISO." I could then direct them to the appropriate avenue to reveal the contents of an investigation, usually the HR or Legal departments. I even signed one myself to keep the CIO or other managers from overreaching.

But back to the question at hand. NDAs attempt to keep people from spilling the secrets or confidential information of a company or agency, and then allow legal action to be taken if the NDA is violated. Notice I did not say prevent! NDAs do not prevent anything; they attempt to prevent via the threat of legal action, so an NDA is more of a deterrent than a protective control/measure. So with that in mind, let's look at the answers IN RELATION TO protecting a company's intellectual property (IP).

a. Data exfiltration - An NDA would not prevent this or even deter it. If an employee has already decided to violate the NDA, steal IP and exfiltrate it, they have already made the decision to breach the NDA. You would need additional controls or measures to find out who is exfiltrating data, whether it was company IP, etc. As a CISSP or cyber professional, you would not use an NDA to control data exfiltration; you would use other measures.

b. Personnel retention - Signing an NDA makes an employee's knowledge of IP less valuable, as they (theoretically and legally) cannot use it at another company. So if you worked at Coca-Cola and knew the recipe for Coke, you couldn't go to Pepsi and share it (without massive legal reparations); therefore it makes sense that you would use an NDA to protect IP. If it makes your employees less valuable to other companies, then it could be used as a personnel retention tool. Among the other answers, this makes the most sense given the question and answers provided.

c. Data breach - A data breach is usually caused by outsiders trying to steal information, and we do not make hackers sign NDAs before they steal our IP. If an employee were to accidentally disclose IP, it would usually not fall into the realm of data requiring a data breach notification, so probably not a good answer. Plus, NDAs are not used to prevent/discourage data breaches.

d. Nonproprietary data sharing - The question asked about IP, not non-proprietary information, so this is not a valid answer. Plus, NDAs are not used to protect information that is non-proprietary.

savita1974
Newcomer I

Hi, thanks for the detailed reply. It covers the practical aspect as well. But what makes me nervous is that nowhere is an NDA mentioned as a personnel retention tool.
How do I align this with the CISSP content/references?

Thanks
Savita
CISOScott
Community Champion

Part of being a CISSP or other certified professional is being able not only to obtain knowledge but to apply that knowledge to a situation, interpret it, and make a decision based on the information available. As in life, you will run into situations where the decision is not black or white but a shade of grey that requires some interpretation or application of your experiences. All the answers in life are not in a book. There is information that has to be applied based on the information provided. If you know some of the definitions, or you have some life experiences, you apply your experiences to them to make the best decision.