Explanation: The data owner is usually considered the cloud customer in a cloud configuration; the data in question is the customer’s information, being processed in the cloud. The cloud provider is only leasing services and hardware to the customer. The cloud access security broker (CASB) only handles access control on behalf of the cloud customer, and is not in direct contact with the production data.

Explanation: All the others might be included in data labels, but multifactor authentication is a procedure used for access control, not a label.

Explanation: AES is an encryption standard. Link encryption is a method for protecting communications traffic. One-time pads are an encryption method.

Explanation: DLP tools need to be aware of which information to monitor and which requires categorization (usually done upon data creation, by the data owners). DLPs can be implemented with or without physical access or presence. USB connectivity has nothing to do with DLP solutions.

Explanation: All the elements except adjudication need to be addressed in each policy. Adjudication is not an element of policy.

Explanation: DLP solutions may protect against inadvertent disclosure. Randomization is a technique for obscuring data, not a risk to data. DLP tools will not protect against risks from natural disasters, or against impacts due to device failure.

Explanation: Policy drives all programs and functions in the organization; the organization should not conduct any operations that don’t have a policy governing them. Penalties may or may not be an element of policy, and severity depends on the topic. Multifactor authentication and homomorphic encryption are red herrings here.

Explanation: Confidential recipes unique to the organization are trade secrets. The other answers listed are answers to other questions.

Explanation: DLP can be combined with DRM to protect intellectual property; both are designed to deal with data that falls into special categories. SIEMs are used for monitoring event logs, not live data movement. Kerberos is an authentication mechanism. Hypervisors are used for virtualization.

Explanation: In order to implement tokenization, there will need to be two databases: the database containing the raw, original data, and the token database containing tokens that map to original data. Having two-factor authentication is nice, but certainly not required. Encryption keys are not necessary for tokenization. Two-person integrity does not have anything to do with tokenization.