1. Sec and Risk Management / 2. Assets

Question 1

military classification

Answer 1

unclassidied, confidential, secret, top secret

Question 2

commercial classification

Answer 2

public, sensitive, confidential/private

Question 3

policy components

Answer 3

procedures, guidelines, baselines, standards, policies

Question 4

STRIDE

Answer 4

threat categorization scheme focused on application threats

spoofing
tampering
repudiation
information disclosure
DoS
elevation of privileges

Question 5

DREAD

Answer 5

threat rating system used for threat priorization

damage potential
reproducibility
exploitability
affected users
discoverability

Question 6

security management planning

Answer 6

strategic: long-term goals, missions
tactical: midterm, how to accomplish goals?
operational: short-term, highly detailed

Question 7

quantitative risk analysis

Answer 7

Assign Asset Value AV
Calculate Exposure Factor EF
Calculate Single Loss Expectancy SLE=AVEF
Assess annualized rate of occurance ARO
Derive annualized loss expectancy ALE=SLEARO

Perform cost/benefit analysis of countermeasures (ALE1-ALE2-ACS) (annual cost of safeguard)

Question 8

qualitative risk analysis

Answer 8

brainstorming. delphi, surveys, checklists, interviews, meetings

Question 9

delphi technique

Answer 9

anonymous feedback-and-response process to reach an anonymous consensus. Gives honest an uninfluenced responses. repeatet until consensus is found

Question 10

risk assignment

Answer 10

assigning or transferring risk

insurance or outsourcing (SLA)

Question 11

risk acceptance

Answer 11

management has agreed to accept the consequences because of negative cost/benefit analysis of possible safeguards

Question 12

risk

Answer 12

threatsvulnerabilitiesasses value= total risk (combination)

Question 13

residual risk

Answer 13

total risk-controls gap = residual risk

Question 14

types of controls I

Answer 14

technical: hardware, software
administrative: policies, procedures
physical

Question 15

types of controls II

Answer 15

deterrent: appeals to human decision not to….
preventive: blocks the action
detective: discovers after occurence
corrective: corrects problems (reboot, restore)
recovery: advanced correction: imaging, clustering…
directive: direct control of actions to force compliance (escape route signs, posted notifications)

Question 16

risk framework management

RFM

Answer 16

1. categorize
2. select
3. implement
4. assess
5. authorize
6. monitor

Question 17

BCP steps

Answer 17

1. project scope, planning
2. business impact analysis
3. continuity planning
4. approva, implementation

Question 18

BCP step 1

project scope and planning

Answer 18

• business organization analysis builds foundation for BCP team selection
• BCP team selection (representatives from each operational and support departments
• face legal and regulatory requirements (due diligence, regulations, obligations to clients)
• resource requirements (personal, time)

Question 19

BCP step 2

business impact analysis BIA

Answer 19

• identify priorities (threats and their relevance, MTD, MTO Maximum Tolerable Outage, RTO Recovery Time Objectve)
• risk identification
• likelihood assessment (ARO)
• impact assessment (EF, SLE, ALE)
• ressource priorization (to identified risks)

Question 20

BCP step 3

continuity planning

Answer 20

• strategy development ( which risks will be adressed? in accordance to priorization from step 2 and MTD)
• provisions and processes (people first!)

Question 21

BCP step 4

approval and implementation

Answer 21

• approval by senior management
• training, education
• BCP documentation (written record for everyone affected

Question 22

What is included in BCP documentation?

Answer 22

goals, statement of importance, statement of priorities and responsibility, risk acceptance/mitigation, emergency response guidelines, maintenance testing)

Question 23

law

Answer 23

common law:

criminal: murder, robbery
civil: business
administrative: government agencies

Question 24

copyright

Answer 24

books, poems, songs
70 years after death

work for hire:
95 years after date of publication
120 years after date of creation

Question 25

trademarks

Answer 25

names, slogans, logos TM without registration R after registration

Question 26

patent

Answer 26

inventions | 20 years from request

Question 27

trade secret

Answer 27

protects operating secrets no registration adequate controls, NDA required

Question 28

software licensing | UCITA

Answer 28

- contractual license: written contract - shrink-wrap: on software package - click trough - cloud service license agreement: online click though

Question 29

Computer Fraud and Abuse Act 1987

Answer 29

protects computer used by government or in interstate commerce

Question 30

Computer Security Act 1987

Answer 30

- NIST is responsible for securing government systems - NSA is responsible for securing classified systems - NIST is responsible for developing standards - requires security plans by all operators of federal computer systems - requires training for all people involved in management and use of federal computers

Question 31

DMCA Digital Millenium Copyright Act

Answer 31

- limits the liability of ISPs for the activities of their users - copyright protecting mechanisms placed in digital media - 1 Mio $ or up to 10 years for repeated offenders - in compliance with WIPO

Question 32

export restrictions | wassenaar agreement

Answer 32

india, pakistan, afghanistan, cuba, north korea, sudan, syria

Question 33

privacy in US constitutions

Answer 33

4th amendment

Question 34

Health Information Tech for Economical und Clinical Health Act 2009 HITECH

Answer 34

- updates HIPAA - protected health information (PHI) processed by other firms are covered by HIPAA - data breaches must be notified to individuals, Secretary of Health and media

Question 35

Safe Harbour

Answer 35

- directive to protect personal data processed by infosystems - organizations outside EU must apply these rules - department of commerce certifies businesses and offers them "safe harbour" notice: inform individuals about purpose of collecting data choice: opt-out onward transfer: transfer only to compliant organizations data integrity: data is allowed to use only for purpose declared befor access: individuals have the right to correct or delete if inacurate enforcement: implement mechanisms to ensure compiance with principles above

Question 36

PCI-DSS

Answer 36

self regulated | compliant with sabanes-oaxley

Question 37

PII

Answer 37

personalli identifiable information

Question 38

PHI

Answer 38

protected health information

Question 39

managing sensitive data

Answer 39

- labeling (identifies classification) - handling (secure transportation) - storing (encryption, loss prevention, physical) - destroying

Question 40

destroying sensitive data

Answer 40

- erasing: delete op, data remains on drive - clearing: overwriting - purging: intense clearing - declassification : reuse in unclass. environment - sanitization: remote all data, purge or destroy media - degaussing: magnetic field - destruction: crushing, shredding, acid

Question 41

data owner

Answer 41

senior management identifies classification, ensures labeling, ensures sec controls bases on classification, decides privileged and access rights

Question 42

system owner

Answer 42

often same as data owner | responsible for system sec und system labeling

Question 43

business/mission owner

Answer 43

own processes managed by IT | cost/profit oriented

Question 44

data processors

Answer 44

processes data on behalf of the owner

Question 45

administrators

Answer 45

assign permissions based on need to know

Question 46

custodians

Answer 46

day to day routines, backup, storing

Question 47

Baselines

Answer 47

provide minimum security standard listing of basic controls imaging

Question 48

Scoping/Tailoring Baselines

Answer 48

Scoping: Select only the baselinses that meet requirements Tailoring: Modity baselines, so that they align with the mission of an organization

Question 49

Policies, Standards, Guidelines, Procedures | PSGP

Answer 49

Policy: overview of an organizations security needs Standard: tactical documents, that define methods to accomplish the goals and overall direction defined by security policy Guideline: recommendations on how standards and baselines are implemented. operational guide Procedures: step-by-step how-to document to implement a specific security mechanism

Question 50

Baseline

Answer 50

Mimimun level of security that every system must meet

Question 51

Vulnerability

Answer 51

The weakness in an asset + the absence of a safeguard

Question 52

Threat

Answer 52

Any potential occurence that could cause damage, disclosure oder loss

Question 53

Breach

Answer 53

Security mechanism being bypassed by a threat agent

Question 54

third party governance

Answer 54

mandadet by law, regulation, industry standard, licensing requirements

Question 55

exigent circumstance doctrine

Answer 55

exception to search warrant because destruction of evidence is near

Question 56

Tort law

Answer 56

civil law

Question 57

downstream liabilities

Answer 57

Haftung bei intrusion and theft of data from customers or business partners

Question 58

remanence

Answer 58

residual magnetization

Question 59

due care due diligence negligence

Answer 59

due care is informal due diligence follows a process negligence is the opposite (Fahrlässigkeit)

Question 60

attestation

Answer 60

the secutity practices of a service provider are reviewed by third party finally attested

Question 61

compartmentilization

Answer 61

technical method for enforcing need to know

Question 62

SSD erase

Answer 62

ATA Secure Erase or destruction | garbage collection by TRIM does not reliably destroy data

Question 63

SRAM | DRAM

Answer 63

SRAM: fast, flipflop, expensive DRAM: capacitors, slow, cheap