Question

An organization, which handles large volumes of PII, allows mobile devices that can process, store, and transmit PII and other sensitive data to be issued to employees. Security assessors can demonstrate recovery and decryption of remnant sensitive data from device storage after MDM issues a successful wipe command.

Assuming availability of the controls, which of the following would BEST protect against the loss of sensitive data in the future?

A. Implement a container that wraps PII data and stores keying material directly in the container's encrypted application space.
B. Use encryption keys for sensitive data stored in an eFuse-backed memory space that is blown during remote wipe.
C. Issue devices that employ a stronger algorithm for the authentication of sensitive data stored on them.
D. Procure devices that remove the bootloader binaries upon receipt of an MDM-issued remote wipe command.

Answer 1

To protect against the loss of sensitive data in the future, implementing a container for PII data, using encryption keys, and employing stronger authentication algorithms are all effective measures.

Step-by-step explanation:

The BEST way to protect against the loss of sensitive data in the future when using mobile devices is to implement a container that wraps PII (Personally Identifiable Information) data and stores keying material directly in the container's encrypted application space (option A). This allows for secure storage and transmission of sensitive data, even if the device is compromised or wiped.

Using encryption keys for sensitive data stored in an eFuse-backed memory space that is blown during remote wipe (option B) can also provide protection, as it ensures that the data cannot be recovered after a wipe command.

Issuing devices that employ a stronger algorithm for the authentication of sensitive data stored on them (option C) can add an extra layer of security and protect against unauthorized access to the data.