CompTIA CASP+ (CAS-003) — Question 192

An organization, which handles large volumes of PII, allows mobile devices that can process, store, and transmit PII and other sensitive data to be issued to employees. Security assessors can demonstrate recovery and decryption of remnant sensitive data from device storage after MDM issues a successful wipe command. Assuming availability of the controls, which of the following would BEST protect against the loss of sensitive data in the future?

Answer options

• A. Implement a container that wraps PII data and stores keying material directly in the container's encrypted application space.
• B. Use encryption keys for sensitive data stored in an eFuse-backed memory space that is blown during remote wipe.
• C. Issue devices that employ a stronger algorithm for the authentication of sensitive data stored on them.
• D. Procure devices that remove the bootloader binaries upon receipt of an MDM-issued remote wipe command.

Correct answer: A

Explanation

Implementing a container that wraps PII data and stores keying material in the encrypted application space ensures that even if a device is wiped, the sensitive data remains protected and inaccessible. The other options, while they provide some level of security, do not offer the same level of protection against data recovery after a wipe. For example, using eFuse-backed memory or stronger algorithms does not fully prevent the possibility of residual data being recovered.