Ch. 1 - Security Principles Flashcards
Ensure the data has not been altered in an unauthorized manner.
A. Confidentiality
B. Integrity
C. Availability
D. Non-Repudiation
B. Integrity
Protect the data that needs protection and prevent access to unauthorized individuals.
A. Integrity
B. Availability
C. Identification
D. Confidentiality
D. Confidentiality
Ensure data is accessible to authorized users when and where it is needed, and in the form and format that is required.
A. Availability
B. Confidentiality
C. Integrity
D. Assessment
A. Availability
Risk Treatment:
Taking no action to reduce the likelihood of a risk occurring.
A. Risk Acceptance
B. Risk Avoidance
C. Risk Mitigation
D. Risk Transfer
A. Risk Acceptance
Risk Treatment:
The decision to attempt to eliminate the risk entirely.
A. Risk Acceptance
B. Risk Avoidance
C. Risk Mitigation
D. Risk Transfer
B. Risk Avoidance
Risk Treatment:
The most common type of risk management and includes taking actions to prevent or reduce the possibility of a risk event or its impact.
A. Risk Acceptance
B. Risk Avoidance
C. Risk Mitigation
D. Risk Transfer
C. Risk Mitigation
Risk Treatment:
The practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment.
A. Risk Acceptance
B. Risk Avoidance
C. Risk Mitigation
D. Risk Transfer
D. Risk Transfer
Security Controls:
Physical hardware devices, such as a badge reader, architectural features of buildings and facilities that address process-based security needs.
A. Administrative Controls
B. Technical Controls
C. Physical Controls
D. Policy Controls
C. Physical Controls
Security Controls:
Also called logical controls, security controls that computer systems and networks directly implement.
A. Administrative Controls
B. Technical Controls
C. Physical Controls
D. Policy Controls
B. Technical Controls
Security Controls:
Also known as managerial controls, directives, guidelines or advisories aimed at the people within the organization.
A. Administrative Controls
B. Technical Controls
C. Physical Controls
D. Policy Controls
A. Administrative Controls
Governance Elements:
Commonly issued in the form of laws, usually from government (not to be confused with governance) and typically carry financial penalties for non-compliance.
A. Procedures
B. Policies
C. Standards
D. Regulations
D. Regulations
Governance Elements:
Used by governance teams to provide a framework to introduce policies and procedures in support of regulations.
A. Procedures
B. Policies
C. Standards
D. Regulations
C. Standards
Governance Elements:
Put in place by organizational governance, such as executive management, to provide guidance to all activities to ensure that the organization supports industry standards and regulations.
A. Procedures
B. Policies
C. Standards
D. Regulations
B. Policies
Governance Elements:
The detailed steps to complete a task that support departmental or organizational policies.
A. Procedures
B. Policies
C. Standards
D. Regulations
A. Procedures
Which formula is correct?
A. Level of Risk = Probability + Impact
B. Level of Risk = Severity + Cause
C. Level of Risk = Impact + Cause
D. Level of Risk = Probability + Severity
A. Level of Risk = Probability + Impact
Definitions:
Anything of value that is owned by an organization.
Asset
Definitions:
Access control process validating that the identity being claimed by a user or entity is known to the system, by comparing one or more factors of identification.
A. Authentication
B. Availability
C. Confidentiality
D. Integrity
A. Authentication
Definitions:
The right or a permission that is granted to a system entity to access a system resource.
A. Authentication
B. Availability
C. Confidentiality
D. Authorization
D. Authorization
Definitions:
Ensuring timely and reliable access to and use of information by authorized users.
A. Authentication
B. Availability
C. Confidentiality
D. Integrity
B. Availability
Definitions:
A documented, lowest level of security configuration allowed by a standard or organization.
Baseline
Definitions:
Biological characteristics of an individual, such as a fingerprint, hand geometry, voice, or iris patterns.
Biometric
Definitions:
Malicious code that acts like a remotely controlled “robot” for an attacker, with other Trojan and worm capabilities.
Bot
Definitions:
Information that has been determined to require protection against unauthorized disclosure and is marked to indicate its classified status and classification level when in documentary form.
Classified or Sensitive Information
Definitions:
The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes.
A. Authentication
B. Availability
C. Confidentiality
D. Integrity
C. Confidentiality
Definitions:
The process and act of converting the message from its plaintext to ciphertext. Sometimes it is also referred to as enciphering.
A. Encryption
B. Decryption
C. Encapsulate
D. Decapsulate
A. Encryption
Definitions:
European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right.
A. PCI DSS - Payment Card Industry Data Security Standards
B. HIPAA - Health Insurance Portability and Accountability Act
C. PII - Personal Identifiable Information
D. GDPR - General Data Protection Regulation
D. General Data Protection Regulation (GDPR)
Definitions:
This U.S. federal law is the most important healthcare information regulation in the United States.
A. PCI DSS - Payment Card Industry Data Security Standards
B. HIPAA - Health Insurance Portability and Accountability Act
C. PII - Personal Identifiable Information
D. GDPR - General Data Protection Regulation
B. Health Insurance Portability and Accountability Act (HIPAA)
Definitions:
Using two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification.
Multi-Factor Authentication
Definitions:
The inability to deny taking an action such as creating information, approving information and sending or receiving a message.
Non-repudiation
Definitions:
Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.
A. Physical Controls
B. Administrative Controls
C. Logical Controls
D. Technical Controls
A. Physical Controls
Definitions:
The right of an individual to control the distribution of information about themselves.
A. Identifiable Information
B. Privacy
C. Integrity
D. Confidentiality
B. Privacy
Definitions:
A measure of the extent to which an entity is threatened by a potential circumstance or event.
Risk
Definitions:
Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.
A. Risk Avoidance
B. Risk Acceptance
C. Risk Mitigation
D. Risk Transference
B. Risk Acceptance
Definitions:
The process of identifying and analyzing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals and other organizations. The analysis performed as part of risk management which incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.
A. Risk Management
B. Risk Assessment
C. Risk Configuration
D. Risk Reduction
B. Risk Assessment
Definitions:
Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.
A. Risk Avoidance
B. Risk Acceptance
C. Risk Mitigation
D. Risk Transference
A. Risk Avoidance
Definitions:
The process of identifying, evaluating and controlling threats, including all the phases of risk context (or frame), risk assessment, risk treatment and risk monitoring.
A. Risk Management
B. Risk Assessment
C. Risk Configuration
D. Risk Reduction
A. Risk Management
Definitions:
A structured approach used to oversee and manage risk for an enterprise.
Risk Management Framework (RMF)
Definitions:
Putting security controls in place to reduce the possible impact and/or likelihood of a specific risk.
A. Risk Avoidance
B. Risk Acceptance
C. Risk Mitigation
D. Risk Transference
C. Risk Mitigation
Definitions:
The level of risk an entity is willing to assume in order to achieve a potential desired result.
A. Risk Tolerance
B. Risk Assessment
C. Risk Level
D. Risk Threat
A. Risk Tolerance
Definitions:
Paying an external party to accept the financial impact of a given risk.
A. Risk Avoidance
B. Risk Acceptance
C. Risk Mitigation
D. Risk Transference
D. Risk Transference
Definitions:
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.
A. Threat
B. Vulnerability
C. Exploit
D. Threat Vector
A. Threat
Definitions:
An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to occur.
A. Threat Vector
B. Threat Object
C. Threat Exploit
D. Threat Actor
D. Threat Actor
Definitions:
The means by which a threat actor carries out their objectives.
A. Threat
B. Vulnerability
C. Exploit
D. Threat Vector
D. Threat Vector
Definitions:
Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.
A. Threat
B. Vulnerability
C. Exploit
D. Threat Vector
B. Vulnerability
Security Concepts of Information Assurance
Protect the data that needs protection and prevent access to unauthorized individuals.
A. Authentication
B. Availability
C. Confidentiality
D. Integrity
C. Confidentiality
Security Concepts of Information Assurance
Ensure the data has not been altered in an unauthorized manner.
A. Authentication
B. Availability
C. Confidentiality
D. Integrity
D. Integrity
Security Concepts of Information Assurance
Ensure data is accessible to authorized users when and where it is needed, and in the form and format that is required.
A. Authentication
B. Availability
C. Confidentiality
D. Integrity
B. Availability
Risk Treatment:
is taking no action to reduce the likelihood of a risk occurring.
A. Risk Avoidance
B. Risk Acceptance
C. Risk Mitigation
D. Risk Transference
B. Risk Acceptance
Risk Treatment:
is the decision to attempt to eliminate the risk entirely.
A. Risk Avoidance
B. Risk Acceptance
C. Risk Mitigation
D. Risk Transference
A. Risk Avoidance
Risk Treatment:
is the most common type of risk management and includes taking actions to prevent or reduce the possibility of a risk event or its impact.
A. Risk Avoidance
B. Risk Acceptance
C. Risk Mitigation
D. Risk Transference
C. Risk Mitigation
Risk Treatment:
is the practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment.
A. Risk Avoidance
B. Risk Acceptance
C. Risk Mitigation
D. Risk Transference
D. Risk Transference