2.0 Compliance and Operational Security

Question 1

What is Access Control?

Answer 1

Access control is the ability to permit or deny the privileges that users have when accessing resources on a network or computer.

Question 2

What processes are included in access control?

Answer 2

What processes that are included in access control are Identification, Authentication, Authorization, and Auditing.

Question 3

What is MAC?

Answer 3

Mandatory Access Control (MAC) uses labels or attributes for both users and objects.

Question 4

What is DAC?

Answer 4

Discretionary Access Control (DAC) assigns access directly to users based on the discretion of the owner.

Question 5

What is RBAC?

Answer 5

Role Based Access Control (RBAC) allows access based on a role in an organization, not individual users.

Question 6

What is the principle of least privilege?

Answer 6

The principle of least privilege states that users or groups are given only the access they need to do their job and nothing more.

Question 7

What is need to know?

Answer 7

Need to know describes the restriction of data that is highly sensitive.

Question 8

What is separation of duties?

Answer 8

Separation of duties is the concept of having more than one person required to complete a task.

Question 9

What is job rotation?

Answer 9

Job rotation is a technique where users are cross-trained in multiple job positions, and where responsibilities are regularly rotated between personnel.

Question 10

What is defense-in-depth?

Answer 10

Defense-in-depth is an access control method which implements multiple access control methods instead of relaying on a single method?

Question 11

What is creeping privileges?

Answer 11

Creeping privileges occurs when a user’s job position changes and their previous access privileges are not removed or modified.

Question 12

What is a regulation?

Answer 12

A regulation is a requirement published by a government or other licensing body that must be followed.

Question 13

What is a procedure?

Answer 13

A procedure is a step-by-step process outlining how to implement a specific action.

Question 14

What is a baseline?

Answer 14

A baseline dictates the settings and security mechanisms that must be imposed on a system in order to comply with required security standards.

Question 15

What is a guideline?

Answer 15

A guideline is a recommendation to use when a specific standard or procedure does not exist.

Question 16

What is information classification?

Answer 16

Information classification is the process of determining how and what information will be disclosed to ensure an organization’s privacy requirements.

Question 17

What is business continuity?

Answer 17

Business continuity is the activity performed by an organization to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions.

Question 18

What is a BCP?

Answer 18

A Business Continuity Plan (BCP) identifies appropriate disaster responses in order to maintain business operations during reduced or restricted infrastructure and resource capabilities.`

Question 19

What is BIA?

Answer 19

Business Impact Analysis (BIA) focuses on the impact losses will have on the organization.

Question 20

What is a DRP?

Answer 20

A Disaster Recovery Plan (DRP) identifies short-term actions to take to stop the incident and restore critical functions so the organization can continue to operate.

Question 21

What is risk management?

Answer 21

Risk management is the process or identifying vulnerabilities and threats and deciding what countermeasures to take to reduce risks to an acceptable level.

Question 22

What is a security incident?

Answer 22

A security incident is an event or series of events that are a result of a security policy violation that has adverse effects on a company’s ability to proceed with normal business.

Question 23

What is an incident response?

Answer 23

An incident response is the action taken to deal with an incident during and after the incident.

Question 24

What is social engineering?

Answer 24

Social engineering is an attack that exploits human nature by convincing someone to reveal information or perform an activity.

Question 25

What is shoulder surfing?

Answer 25

Shoulder surfing involves looking over the shoulder of someone working on a computer.

Question 26

What is eavesdropping?

Answer 26

Eavesdropping refers to an unauthorized person listening to conversations of employees or other authorized personnel discussing sensitive topics.

Question 27

What is dumpster diving?

Answer 27

Dumpster diving is the process of looking in the trash for sensitive information that has not been properly disposed of.

Question 28

What is tailgating and piggybacking?

Answer 28

Piggybacking and tailgating refer to an attacker entering a secure building by following an authorized employee through a secure door and not providing identification.

Question 29

What is masquerading?

Answer 29

Masquerading refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access.

Question 30

What is phishing?

Answer 30

Phishing is an e-mail pretending to be from a trusted organization, asking to verify personal information or send money.

Question 31

What is spear phishing?

Answer 31

Spear phishing is targeted at gaining access to information that will allow the attacker to gain commercial advantage or commit fraud.

Question 32

What is employee management?

Answer 32

Employee management is the implementation of processes to ensure that employees play a major role in protecting company assets.

Question 33

What is fraud?

Answer 33

Fraud is the use of deception to deliberately divert company assets or profits to the employee.

Question 34

What is collusion?

Answer 34

Collusion is a situation in which multiple employees conspire to commit fraud or theft.