SY0-301 Question #568: Real Exam Question with Answer & Explanation

The correct answer is B: Incorporating a full-disk encryption system. Full-disk encryption directly protects data at rest by rendering stored data unreadable without the correct decryption key, providing the strongest technical control for this requirement. Other options address physical access or detection but do not encrypt the data itself.

Question

A system administrator has been instructed by the head of security to protect their data at-rest. Which of the following would provide the strongest protection?

Options

AProhibiting removable media
BIncorporating a full-disk encryption system
CBiometric controls on data center entry points
DA host-based intrusion detection system

Explanation

Full-disk encryption directly protects data at rest by rendering stored data unreadable without the correct decryption key, providing the strongest technical control for this requirement. Other options address physical access or detection but do not encrypt the data itself.

Common mistakes.

A. Prohibiting removable media is a policy control that reduces data exfiltration risk but does not encrypt or protect data already stored on the system's disks.
C. Biometric controls on data center entry points provide physical access control to the facility but do not protect data if the storage media is removed or accessed through other means.
D. A host-based intrusion detection system monitors for suspicious activity and generates alerts but does not encrypt or protect data at rest from unauthorized access.

Concept tested. Full-disk encryption for data-at-rest protection

Reference. https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/

Community Discussion

No community discussion yet for this question.

Full SY0-301 Practice