1 - Security Governance Through Principles and Polcies

Question 1

CIA Triad

Answer 1

Confidentiality
Integrity
Availability

Question 2

Confidentiality

Answer 2

Objects are not disclosed to unauthorized subjects

Question 3

Integrity

Answer 3

Objects retain their veracity and are intentionally modified by authorized subjects

Question 4

Availability

Answer 4

Authorized subjects are granted uninterrupted access to objects

Question 5

Identification

Answer 5

Process to establish an identity and accountability

Question 6

Authentication

Answer 6

Process of verifying or testing that a claimed identity is valid

Question 7

AAA

Answer 7

Authentication
Authorization
Accountability

Question 8

Authorization

Answer 8

Activity, access, rights, or privileges are granted to to an authenticated identity

Question 9

Auditing

Answer 9

Monitoring subjects to be held accountable for their actions while authenticated on a system
Detecting unauthorized or abnormal activities on a system

Question 10

What is the importance of Accountability?

Answer 10

Security policies can only be enforced if subjects are held accountable for their actions

Question 11

Nonrepudiation

Answer 11

Subject of an activity cannot deny that the event occurred

Question 12

What are the three types of security management planning?

Answer 12

Strategic - long term
Tactical - mid term
Operational - short term

Question 13

What are the elements of a security policy structure?

Answer 13

Policy
Standards/Baseline
Guidelines
Procedures

Question 14

Layering

Answer 14

Use of multiple controls against security threats

Question 15

Abstraction

Answer 15

Collection of similar elements into groups or classes that are assigned security controls/restrictions as a collective

Question 16

Encryption

Answer 16

Hiding meaning or intent of a communication

Question 17

Government/Military classifications

Answer 17

Top Secret
Secret
Confidential
Sensitive unclassified
Unclassified

Question 18

Commercial business/private sector classification levels

Answer 18

Confidential
Private
Sensitive
Public

Question 19

COBIT (Control Objectiveness for Information and Related Technology) principles

Answer 19

Meeting Stakeholder Needs
Covering the Enterprise end-to-end
Applying a single, integrated framework
Enabling a holistic approach
Separating Governance from management

Question 20

What are the primary security roles?

Answer 20

Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor

Question 21

Separation of duties

Answer 21

Dividing critical work tasks among individuals so that no one person can compromise security

Question 22

Principle of least privilege

Answer 22

Users should be granted the minimum amount of access necessary

Question 23

Job rotation and mandatory vacation

Answer 23

Reduce fraud, theft, misuse of information and audit/verify work tasks

Question 24

SLA (Service level agreement)

Answer 24

Define levels of performance, expectation, compensation, and consequences

Question 25

SLA (Service level agreement)

Answer 25

Define levels of performance, expectation, compensation, and consequences

Question 26

Third-party governance

Answer 26

System of oversight that may be mandated by law, regulation, industry standards or licensing requirements

Question 27

Risk analysis key elements

Answer 27

Assets, asset valuation, threats, vulnerabilities, exposure, risk, realized risk, safeguards, countermeasures, attaches, breaches

Question 28

Exposure factor

Answer 28

Loss that would be experienced if a specific asset were violated

Question 29

SLE (single loss expectancy)

Answer 29

Cost associated with a single risk

SLE = AV * EF

Question 30

ARO (Annualized rate of occurrence)

Answer 30

Expected frequency which a specific threat or risk will occur

Question 31

ALE (Annualized loss expectancy)

Answer 31

Yearly cost of all instances of a single specific threat against an asset
ALE = SLE * ARO

Question 32

Safeguard

Answer 32

Tool or measure to reduce risk
(ALE1 - ALE2) - ACS
ALE before safeguard - ALE after safeguard - Annual Cost of safeguard

Question 33

Delphi technique

Answer 33

Anonymous feedback and response process to arrive at consensus

Question 34

Total risk and residual risk

Answer 34

Total risk is the amount of risk an organization would face if no safeguards were implemented
Residual risk is risk that management has chosen to accept
Control gap is the amount of risk reduced by safeguard

Total risk - control gap = residual risk