Explanation: All the others might be included in data labels, but multifactor authentication is a procedure used for access control, not a label.

Explanation: We should do all of these except for requiring multifactor authentication, which is pointless in key management.

Explanation: In order to implement tokenization, there will need to be two databases: the database containing the raw, original data, and the token database containing tokens that map to original data. Having two-factor authentication is nice, but certainly not required. Encryption keys are not necessary for tokenization. Two-person integrity does not have anything to do with tokenization.

Explanation: Cryptographic keys should not be stored along with the data they secure, regardless of key length. We don’t split crypto keys or generate redundant keys (doing so would violate the principle of secrecy necessary for keys to serve their purpose).

Explanation: Data masking does not support authentication in any way. All the others are excellent use cases for data masking.

Explanation: SIEM does not intend to provide any enhancement of performance; in fact, a SIEM solution may decrease performance because of additional overhead. All the rest are goals of SIEM implementations.

Explanation: DLP can be combined with DRM to protect intellectual property; both are designed to deal with data that falls into special categories. SIEMs are used for monitoring event logs, not live data movement. Kerberos is an authentication mechanism. Hypervisors are used for virtualization.

Explanation: DLP solutions may protect against inadvertent disclosure. Randomization is a technique for obscuring data, not a risk to data. DLP tools will not protect against risks from natural disasters, or against impacts due to device failure.

Explanation: ITAR is a Department of State program. Evaluation assurance levels are part of the Common Criteria standard from ISO. Digital rights management tools are used for protecting electronic processing of intellectual property.