Chap 1

Question 1

What is information security?

Answer 1

Protection of data resources from unauthorized access, attack, theft or damage.

Question 2

What is the CIA Triad?

Answer 2

Properties of securing information:
- Confidentiality
- Integrity
- Availability
* Non-Repudiation

Question 3

What is Confidentiality?

Answer 3

Certain information should only be known to certain people.

Question 4

What is integrity?

Answer 4

When data is stored and transferred as intended and that any modification is authorized.

Question 5

What is Availability?

Answer 5

Information is accessible to those authorized to view or modify it.

Question 6

What is Non-repudiation?

Answer 6

A subject cannot deny doing something such as creating, modifying or sending a resource.

Question 7

What are the five functions of Cybersecurity task according to NIST?

Answer 7

• Identify
• Protect
• Detect
• Respond
• Recover

Question 8

What is Identify as a cybersecurity task function?

Answer 8

To develop security policies and capabilities.

Question 9

What is protect as a function of cybersecurity task?

Answer 9

Procure/develop, install, operate and decommission IT hardware and software assets with security.

Question 10

What is “detect” as a function of Cybersecurity task?

Answer 10

To perform ongoing, proactive monitoring to ensure that controls are effective and capable of protecting against new threats.

Question 11

What is “Respond” as a function if cybersecurity task?

Answer 11

To identify, analyze, contain, and eradicate threats to systems and data security.

Question 12

What is “recover” as a function of cybersecurity task.

Answer 12

To implement cybersecurity resilience to remote systems and data if other controls are unable to prevent attacks.

Question 13

What is a security policy?

Answer 13

A security policy is a formalized statement that defines how security will be implemented within an organization.

Question 14

What is a CSO/CISO

Answer 14

Chief Security Officer/ Chief Information Security Officer is the overall authority for internal security.

Question 15

What is an ISSO

Answer 15

Information Systems Security Officer is a dedicated security admin.

Question 16

Who as external responsibility for security (due care/liability)?

Answer 16

The owner/ director

Question 17

All employees share some measure of responsibility. T/F?

Answer 17

True

Question 18

What is a SOC?

Answer 18

A Security Operations Center is where critical information assets are monitored and protected across other business functions such as finance, operations, sales/marking and so on.

Question 19

What is DevSecOps?

Answer 19

Development Security Operations is a form of development security operations that bridges the gap between developers and system administrators.

Question 20

What is a CIRT/CSIRT/CERT?

Answer 20

Cyber incident response team, Computer security incident response team, or computer emergency response team is a single point of contact for notification of a security incident.

Question 21

What is a security control?

Answer 21

Something designed to make a system or data asset the properties of confidentiality, integrity, availability and non-repudiation.

Question 22

What are the categories of security controls?

Answer 22

• Technical
• Operational
• Managerial

Question 23

What is a technical security control?

Answer 23

Control implemented as a system (hardware ,software, or firmware).

Question 24

What is an Operational security control?

Answer 24

Control implemented primarily by people rather than systems.

Question 25

What is a managerial security control?

Answer 25

Control that gives oversight of the information system.

Question 26

What are the security control function types?

Answer 26

• Preventive
• Detective
• Corrective

Question 27

What type of security control is Preventive?

Answer 27

The control acts to eliminate or reduce the likelihood that an attack can succeed.

ACL (Access Control List) is an example of this.

Question 28

What type of security control is Detective?

Answer 28

The control may not prevent or deter access, but it will identify and record any attempted or successful intrusion.

Question 29

What type of security control is Corrective?

Answer 29

The control acts to eliminate or reduce the impact of an intrusion event and typically used after the attack.

Question 30

What are other types security functions can be classified as?

Answer 30

• Physical
• Deterrent
• Compensating

Question 31

What type of security control is physical?

Answer 31

Controls such as alarms, gateways,locks, lighting, security cameras, and guards that deter and detect access to premises and hardware.

Question 32

What type of security control is Deterrent?

Answer 32

Control may not physically or logically prevent access, but psychologically discourages an attacker from attempting to an intrusion (i.e. warning signs).

Question 33

What type of security control is Compensating?

Answer 33

Control serves as a substitute for a principle control, as recommended by a security standard and affords the same level of protection.

Question 34

What is a CSF?

Answer 34

Cybersecurity framework is a list of activities and objectives undertaken to mitigate risk and allows an org to create an objective statement of current capabilities and prioritize investments to achieve a target level.

Question 35

RMF vs CSF

Answer 35

Risk Management Framework pre dates the CSF and the CSF forces on practical cybersecurity of businesses while RMF is more prescriptive and principally for federal agents.

Question 36

What is ISO?

Answer 36

International Organization of Standards

Question 37

What is ISO 27001,27002, 27017, 27018 and 27701 focus on?

Answer 37

27001: Info Sec Management
27002: Classifies Sec Controls
27017 & 27018: Cloud Security
27701: Personal data and Privacy

Question 38

What is ISO 31k?

Answer 38

Overall framework for enterprise risk management (ERM) which includes financial, customer service, competition and legal liability.

Question 39

What is CSA?

Answer 39

Could Security Alliance produces various resources to assist cloud service providers (CSP) in setting up and delivering secure cloud platforms.

Question 40

What is SSAE?

Answer 40

Statements on Standards for Attestation Engagements are audit specifications developed by the American Institute of Certified Public Accountants (AICPA)

Question 41

What levels of reporting are in SSAE No.18?

Answer 41

Service Organization Control (SOC2) and SOC3

Question 42

What is the CIS?

Answer 42

Center for Internet Security is a not-for-profit org and used to perform an overall evaluation of security posture.

Question 43

Codes that run on the client should not be trusted. T/F?

Answer 43

True

Question 43

What is OWASP?

Answer 43

Open Web Application Security Project is a not-for-profit, online community that publishes several secure application development resources such as the Top 10 most critical security application risks.

Question 44

What is Due Diligence in reference to Regulation, standards and legislation?

Answer 44

legal term meaning that responsible persons have not been negligent in discharging their duties.

Question 45

What does SOX mandate?

Answer 45

Sarbanes-Oxley ACT mandates the implementation of risk assessments, internal controls, and audit procedures.

Question 46

What is GDPR?

Answer 46

General Data Protection Regulation is a fairness and right to privacy regulation in Europe.

Question 47

What complicates compliance?

Answer 47

Laws derive from different sources.

Question 48

What is GLBA?

Answer 48

Gramm-Leach-Bliley Act is for financial services, and the Health Insurance Portability and Accountability Act (HIPPA).

Question 49

What is the PCI DSS?

Answer 49

Payment Card Industry Data Security Standard and defines the safe handling and storage of financial information.