1. Security And Risk Management

Question 1

What is the CIA triad?

Answer 1

Confidentiality, Integrity, and Availability

Question 2

Define Confidentiality

Answer 2

Only people who need to know, know.

Question 3

Define Integrity

Answer 3

Only people who need to access something, can.

Question 4

Define Availability

Answer 4

The data is available all the time to people who know about it, and have access to it.

Question 5

What does AAA stand for?

Answer 5

Authentication, Authorization, and Accountability

Question 6

Define Authentication

Answer 6

Proves who you are. Something you; know, do, or are.

Question 7

Define Authorization

Answer 7

Actions you can perform after you authenticate your ID.

Question 8

Define Accountability

Answer 8

Hold users accountable for their actions

Question 9

Who is ultimately responsible for security?

Answer 9

Senior management.

Question 10

Define risk assessment

Answer 10

Identify assets, threats, and vulnerabilities. General write down of risks.

Question 11

Define risk analysis

Answer 11

Adding number figures for costs of assets that are at risk.

Question 12

What is OCTAVE?

Answer 12

Operationally Critical Threat, Asset and Vulnerability Evaluation.

A risk methodology, where you identify assets and their critically, vulnerabilities, and threats and base a protection strategy off that.

Question 13

What is FRAP?

Answer 13

A risk methodology.Facilitated Risk Analysis Process. Qualitative analysis to determine if you should continue with a quantitative analysis. If likelihood is too low, the analysis is forgone.

Question 14

What is NIST 800-30?

Answer 14

A risk methodology. A risk management made for information technology systems. It has 9 steps.

Question 15

Define Qualitative Risk Analysis

Answer 15

Subjective analysis to help prioritize probability and impact if risk events.

Question 16

Define Quantitative Risk Analysis

Answer 16

Providing a $ amount for a single risk event.
More sophisticated in nature, it relies on qualitative analysis to be relevant, but is much more difficult and requires a special subset of skills.

Question 17

Define AV

Answer 17

Asset value

Question 18

Define EF

Answer 18

Exposure factor

Question 19

Define TCO

Answer 19

Total cost of ownership

Question 20

Define SLE

Answer 20

Single loss expectancy

SLE = AV x EF

Question 21

Define ALE

Answer 21

Annual loss expectancy.

ALE = SLE x ARO

Question 22

Define ARO

Answer 22

Annual rate of occurrence.

Question 23

Define total risk

Answer 23

The risk that exists before any control is implemented.

Total Risk = Threats x vulnerability x Asset Value

Question 24

Define residual risk

Answer 24

Leftover risk after applying a control.

Residual Risk = Total Risk x Controls Gap

Question 25

Define Secondary risk

Answer 25

When one risk response triggers another risk event.

Question 26

Define Governance

Answer 26

Ensures that stakeholder needs, conditions and options are evaluated to determine RISK APPIATITE

Question 27

Define Risk Management

Answer 27

Plans, builds, runs and monitors activities in alignment with the direction set by the governance body.

Question 28

What does COBIT stand for?

Answer 28

Control Objectives for Information and related Technologies. It is a governance framework GOAL.

Question 29

What does COSO stand for?

Answer 29

Committee of Sponsoring Organizations. It is a governance framework GOAL.

Question 30

What does ITIL stand for?

Answer 30

Information Technology Infrastructure Library. It is the defacto standard for the best practices for IT Service Management.

Question 31

What is due diligence?

Answer 31

Research. Continually monitoring an organizations practices to ensure they are meeting/exceeding the security requirements.

Question 32

What is due care?

Answer 32

Action. Ensuring that “best practices “ are implemented and followed. Follows up due diligence.

Question 33

What is the prudent man rule?

Answer 33

Acting responsibly and cautiously as a prudent man would.

Question 34

What is copeable negligence?

Answer 34

Essentially; is this your fault? This is decided based on due care. Have you done the right thing to prevent this?

Question 35

What is the difference between procedures, baselines, standards and guidelines?

Answer 35

Procedures, baselines and standards are MANDATORY, guidelines are not mandatory. Baselines are the bare minimum.

Question 36

What is knowledge transfer?

Answer 36

A fancy term for teaching employees about security policies.

Question 37

What is the main international organization ran by the UN, protecting intellectual property?

Answer 37

The World Intellectual Property Organization (WIPO).

Question 38

How long do copyrights last?

Answer 38

The lifetime of the author plus 70 years, or 75 years for corporations.

Question 39

How long are patents valid?

Answer 39

20 years

Question 40

What is Buisness Continuity Planning?

Answer 40

Long term over all plan for continuing the organization in case of disruption.

Question 41

What is a disaster recovery plan?

Answer 41

Mostly IT focused plan of how to minimize a disasters effects and get the Buisness back up and running.

Question 42

Who can call an event a disaster.

Answer 42

Only the BCP Coordinator. But anyone can declare and emergency.

Question 43

What are the three BCP teams?

Answer 43

Rescue, recovery and salvage.

Question 44

What are the seven phases of BCP?

Answer 44

1. Project initiation 2. Buisness impact analysis 3. Recovery strategy 4. Plan design and development 5. Implementation 6. Testing 7. Maintenance

Question 45

What is always the #1 priority?

Answer 45

Safety and human life

Question 46

What are the phases of BCP step Implementation?

Answer 46

1. Notification/activation- getting word out that something bad has happened. 2. Recovery/fail over - actions taken by recovery teams to restore IT at an alternative site 3. Reconstruction/fail back - outlines actions taken to return the system to normal operations.

Question 47

What is a checklist test?

Answer 47

Functional manager review of a list for each department

Question 48

What is a structured walkthrough (tabletop) test?

Answer 48

All parties sit down at a table and talk through the simulation

Question 49

What is a simulation test?

Answer 49

Physically going through a disaster scenario. Continues up to the actual relocation of an offsite facility.

Question 50

What is a parallel test?

Answer 50

Systems moved to alternative site, and processing takes place there.

Question 51

What is a full implementation test?

Answer 51

Original site shut down. All processing moved to offsite facility.

Question 52

What is a post incident review?

Answer 52

A lessons learned meeting. Focus on how to improve. Go over what happened, what should have happened. Does. It focus on who’s fault it was.

Question 53

What is BIA?

Answer 53

Buisness impact analysis. It identifies and prioritizes all Buisness processes based on criticality.

Question 54

What are the BIA metrics to establish?

Answer 54

1. Service level objectives 2. RPO - recovery point objective 3. MTD- maximum tolerable downtime 4. MTBF - mean time between failures

Question 55

What is STRIDE?

Answer 55

A threat model. | It is used in assessing threats against applications or operating systems. Developed my Microsoft

Question 56

What does STRIDE stand for?

Answer 56

``` Spoofing Tampering Repudiation Information disclosure Denial of service Elevation of privilege ```

Question 57

What is data ownership?

Answer 57

The formal assignment of responsibility to an individual or group. Often this grants full capabilities and privileges over the object they own.

Question 58

What is the most important and distinctive concept in relation to layered security?

Answer 58

Security in series. So that if one fails the next one will stop an intruder.

Question 59

What is data hiding?

Answer 59

Preventing data from being discovered or accessed by a subject. Often a key element in security controls as well as in programming.

Question 60

What are the three types of military classified information levels?

Answer 60

Confidential Secret Top secret

Question 61

What data classification of private sector is used to protect information about individuals?

Answer 61

Private