Ch2 Flashcards
Define privacy
- active prevention of unauthorized access to information that can be directly linked to a person or organization
- freedom from unauthorized access to information deemed personal or confidential
- freedom from being observed, monitored or examined without consent or knowledge
what information is considered PII
- name
- SSN
- phone number
- mailing address
- email address
- Date of Birth
- Place of Birth
- biometric records
- mother’s maiden name
- medical, educational, financial & employment info
What is NCA
Non-compete Agreement - prevents an employee with special knowledge of one organization's secrets from working for a competing organization, so that the second organization cannot benefit from the worker's special knowledge of those secrets.
Are personal items considered a company asset
No - such as personal files on company computer
vulnerability
weakness in an asset, or the absence or weakness of a safeguard or countermeasure
Delphi Technique
anonymous feedback and response process
define Total Risk
amount of risk an organization would have if no safeguards were implemented
total risk formula
threats * vulnerabilities * asset value = total risk
define residual risk
amount of risk remaining after safeguards were implemented that is assumed by management
what is the difference between total risk and residual risk
controls gap - amount of risk reduced by implementing safeguards
residual risk formula
total risk - controls gap = residual risk
countermeasures
- directly affect the ARO
- countermeasure is designed to prevent/reduce the occurrence of the risk, which reduces the frequency per year
What is the clearest and most direct example of management of the security function to drive the security policy?
Risk Assessment
Risk Management Framework
■ Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
■ Select an initial set of baseline security controls for the information system based on the security categorization; tailor and supplement the security control baseline as needed based on an organizational assessment of risk and local conditions.
■ Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
■ Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
■ Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
■ Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.
Deterrent access control
- discourage violation of security policies
- depend on individuals deciding not to take an unwanted action
- examples include policies, security-awareness training, locks, fences, security badges, guards, mantraps, and security cameras
Preventive access control
- thwart or stop unwanted or unauthorized activity from occurring
- Examples of preventive access controls include fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data classification, penetration testing, access-control methods, encryption, auditing, presence of security cameras or CCTV, smartcards, callback procedures, security policies, security-awareness training, antivirus software, firewalls, and intrusion prevention systems (IPSs)
Detective access control
- discover or detect unwanted or unauthorized activity
- operate after the fact and can discover the activity only after it has occurred
- Examples of detective access controls include security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation, mandatory vacations, audit trails, honeypots or honeynets, IDSs, violation reports, supervision and reviews of users, and incident investigations.
Compensating access control
- provide various options to other existing controls to aid in enforcement and support of security policies
- any controls used in addition to, or in place of, another control
Corrective access control
- modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred
- repair or restore resources, functions, and capabilities after a violation of security policies.
- attempts to correct any problems that occurred as a result of a security incident
- terminating malicious activity, rebooting a system, antivirus solutions that can remove or quarantine a virus, backup and restore plans to ensure that lost data can be restored, and active IDS that can modify the environment to stop an attack in progress.
Recovery access control
- extension of corrective controls but have more advanced or complex abilities
- Examples of recovery access controls include backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing
Directive access control
- direct, confine, or control the actions of subjects to force or encourage compliance with security policies
- Examples of directive access controls include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures.
Administrative access control
- policies and procedures defined by an organization's security policy and other regulations or requirements
- Examples of administrative access controls include policies, procedures, hiring practices, background checks, data classifications and labeling, security awareness and training efforts, vacation history, reports and reviews, work supervision, personnel controls, and testing
Physical access controls
- items you can physically touch
- Examples of physical access controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs, video cameras, mantraps, and alarms.
Technical access controls
- hardware or software mechanisms used to manage access and to provide protection for resources and systems
- Examples of logical or technical access controls include authentication methods (such as usernames, passwords, smartcards, and biometrics), encryption, constrained interfaces, access control lists, protocols, firewalls, routers, intrusion detection systems (IDSs), and clipping levels