080082017_NewHorizons

Question 1

3D 2C PR

Answer 1

Directive , Detective ,Deterrent,Corrective , Compensate Preventive, Recovery

Question 2

Risk response

Answer 2

Reduce or Mitigate

Reject or Ignore

Assign or Transfer

Accept

Question 3

NIST SP 800-34 used for…

Answer 3

Business Continuity

Question 4

NIST SP 800-34, 7 categories

Answer 4

Develop Policy

BIA

Identify Preventive Controls

Develop Recovery Strategies

Develop IT Contingency Plan

Plan for Testing

Plan for Maintenance

Question 5

NIST SP 800-34,

7 categories

Answer 5

<p>Develop Policy 
BIA
Identify Preventive Controls
Develop Recovery Strategies
Develop IT Contingency Plan
Plan for Testing
Plan for Maintenance</p>

Question 6

<p>DR Testing that "tests alternate facility WITHOUT taking main site offline"</p>

Answer 6

<p>Parallel Testing</p>

Question 7

<p>DR Testing that mimics an actual business disruption by SHUTTING DOWN the original site and testing operations at the alternate site</p>

Answer 7

<p>Full Interruption Testing</p>

Question 8

<p>DR Testing: Planners and testers walk through the BCP to validate logical workflow of events</p>

Answer 8

<p>Walkthrough Testing</p>

Question 9

<p>How often to review BCP</p>

Answer 9

<p>Yearly, update when evaluated, update for dept. changes</p>

Question 10

<p>BCP exercise where staff role play from a conference room</p>

Answer 10

<p>Tabletop</p>

Question 11

<p>IAAS, PAAS, SAAS examples</p>

Answer 11

<p>IAAS - Compute, Storage

SAAS - Email, Security

PAAS - Compute, OS, DB, All-In-One</p>

Question 12

Consider doing these 3 things when evaluating a third party for security integration

Answer 12

<p>On-site walkthrough

Document Exchange and Review

Process/Policy Review</p>

Question 13

ISO 27001

Answer 13

FRAMEWORK: information security management system

Question 14

CMMI (2002)

Answer 14

Initial -Chaotic, Dependent on individual success

Repeatable - Can repeat process,Project Management,

Defined - Documentation of standards to be consistent

Managed - Quantitative

Optimize - Continuous improvement

Question 15

CMMI - i stands for

Answer 15

Initial - Chaotic

Question 16

CMMI - d stands for

Answer 16

Defined - Consistent, documented

Question 17

CMMI - o stands for

Answer 17

Optimize - Continuous improvement

Question 18

Which Role classifies data?

Answer 18

Data Owner

Question 19

Two types of classification levels

Answer 19

Commercial

Military

Question 20

Military Classification levels

Answer 20

Top Secret -Gave Damage
Secret - Serious Damage
Confidential - Damage
Unclassified - No damage

Question 21

Commercial Classification levels

Answer 21

Confidential

Private

Public

Question 22

NIST SP 800-27

Answer 22

Engineering Principles

Question 23

NIST SP 800-14

Answer 23

Principle and Practices of Security

Question 24

NIST standards used for design..

Answer 24

800-27 - Engineering

800-14 - Practices of Security

Question 25

TCB Trusted Computing Base

Answer 25

Hardware

Software

Firmware

Question 26

CPU Modes (2)

Answer 26

Supervisor/Kernel State: FULL rights

User/Application State: Non-Priv rights.

Question 27

TCB is mentioned in what publication

Answer 27

Dod Standard 5200.28, Orange Book

Question 28

Multitasking

Answer 28

Divide Tasks Among Programs

Question 29

What separates TCB with the rest of the system

Answer 29

Security Perimeter

Question 30

What is Supervisor/Kernel state

Answer 30

This is part of TCB and allows FULL rights to the OS

Question 31

Multiprocessing allows programs to be divided amount multiple ________ cpu’s

Answer 31

Physical

Question 32

Nonvolatile Memory

Answer 32

HD

Question 33

Primary Storage is

Answer 33

RAM

Question 34

Secondary Storage is

Answer 34

HD

Question 35

What is TPM?

Answer 35

Trusted Platform Module TPM

Question 36

Trust Platform Module TPM has what characteristics?

Answer 36

RSA burned in hw

Stores Cryptographic Keys

User must supply with PW or Physical Token

Question 37

Lattice

Answer 37

“Higher” and “Lower” levels

Bell Lapadula and Biba

Question 38

Bell Lapadula

Answer 38

Confidentiality - Practices NEED TO KNOW

Star - No Write Down
Simple - No Read Up

Question 39

Biba

Answer 39

Integrity - Note: Biba and Clark are for Integrity

Star - No Write Up
Simple - No Read Up

Question 40

Clark

Answer 40

Integrity - Biba and Clark address Integrity

Uses ACCESS CONTROL SIMPLE

Procedures:
CDI Constrained Data Item, UDI Unconstrained
TP Transformation Procedures
Integrity Verification

Question 41

Graham-Denning

Answer 41

Create and Delete objects and subjects

Question 42

Brewer-Nash

Answer 42

Addresses Conflict of Interest

Chinese Wall

Requires:

• Identify Subjects
• One or More data sets
• Conflict Class Definitions for data sets

Question 43

Discretionary Access Control

Answer 43

Control of their OWN data and can create different access levels

Permission List DACL

Question 44

Mandatory Access Control

Answer 44

Only access based on OBJECT classification

Labels

Question 45

Role Based Access Control

Answer 45

Instead of adding users add ROLES to access. Similar to SECURITY GROUPS in Windows

Question 46

Rule Based Access Control

Answer 46

Sys Admin grants access based on rules.. Example of this is a Firewall

Question 47

TCSEC created in what year

Answer 47

1983

Question 48

TCSEC Divisions - Baseline Security, from Rainbow Library

Answer 48

A -= Verified
B - Mandatory
C - Discretionary
D - Minimal

A1- Highest - Verified Protection

B3 - Security Domains

B2 - Structured Protection

B1 - Labeled Security Protection

C2 - Controlled Access

C1 - Discretionary protection

D1 - Did NOT MEET requirements

Question 49

ITSec

Answer 49

European framework

Question 50

Common Criteria, 7 areas

Answer 50

ISO - International

EAL1 - Functionality

EAL2 - Structurally

EAL3 - Methodically Tested and Checked

EAL4 - Methodically Designed, Reviewed

EAL5 - Semi-Formally

EAL6

Question 51

A Reference Monitor in the OS is also called the ______ kernel.

Answer 51

Security