Chapter 1

Question 1

{BLANK} ensures that the subject of an activity or who caused an event cannot deny that the event occurred.

Answer 1

Nonrepudiation

Question 2

Think - AAA Services

{BLANK} is the security concept that data is authentic or genuine and originates from its alleged source.

Answer 2

Authenticity

Question 3

Think - CIA Triad

{BLANK} is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources.

Answer 3

Confidentiality

Question 4

{BLANK} is establishing a plan, policy, and process to protect the interest of an organization.

Answer 4

Due Diligence

Question 5

{BLANK} is knowing what should be done and planning for it.

Answer 5

Due Diligence

Question 6

A {BLANK} defines a minimum level of security that every system throughout the organization must meet.

Answer 6

Baseline

Question 7

{BLANK} is reviewing log files to check for compliance and violations in order to hold subjects accountable for their action especially violations of organizational security policy.

Answer 7

Accounting (aka Accountability)

Question 8

AAA Services is a core security mechanism of all security environments. What are the five elements of AAA services?

Answer 8

• Identification
• Authenticication
• Authorization
• Auditing
• Accounting

Question 9

An {BLANK} is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.

Answer 9

Auditor

Question 10

What are the five key concepts of the decomposition process?

Answer 10

• Trust Boundaries
• Dataflow Paths
• Input Points
• Privileged Operations
• Detailed about Security and Approach

Question 11

{BLANK} is the collection of practices related to supporting, evaluating, defining, and directing the security efforts of an organization.

Answer 11

Security Governance

Question 12

Think - CIA Triad

{BLANK} means authorized subjects are granted timely and uninterrupted access to objects.

Answer 12

Availability

Question 13

{BLANK} is preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject.

Answer 13

Data Hiding

Question 14

A {BLANK} is the line intersection between any two areas, subnets, or environments that have different security requirements or needs.

Answer 14

Security Boundary

Question 15

{BLANK} is practicing the individual activities that maintain the due diligence effort.

Answer 15

Due Care

Question 16

{BLANK} is doing the right action at the right time.

Answer 16

Due Care

Question 17

A {BLANK} offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professional and users.

Answer 17

Guideline

Question 18

{BLANK}, also known as laying, is the use of multiple controls in a series.

Answer 18

Defense in Depth

Question 19

What are the common security roles present in a typical secured environment?

Answer 19

• Senior Manager
• Security Professional
• Assest Owner
• Custodian
• User
• Auditor

Question 20

{BLANK} is the system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements.

Answer 20

Third-Party Governance

Question 21

{BLANK} is a risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected.

Answer 21

PASTA
(Process for Attack Simulation and Threat Analysis)

Question 22

{BLANK} is the process of reading the exchanged materials and verifying them against standards and expectations.

Answer 22

Documentation Review

Question 23

What does the acronym STRIDE stand for?

Answer 23

• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service (DoS)
• Elevation of Privilege

Question 24

{BLANK} define compulsory requirements for the homogenous use of hardware, software, technology and security controls.

Answer 24

Standards

Question 25

A {BLANK} or {BLANK} is a detailed, step-by-step how-to document that describes that exact actions necessary to implement a specific security mechanism, control, or solution.

Answer 25

Procedure; Standard Operating Procedure

Question 25

{BLANK} are typically viewed as the primary goals and objectives of a security infrastructure.

Answer 25

CIA Triad

Question 26

The {BLANK} (end user or operator)

Answer 26

User

Question 27

Think - AAA Services

{BLANK} is recording a log of the events and activities related to the systen and subjects.

Answer 27

Auditing

Question 28

Think - AAA Services

{BLANK} is defining the permissions (i.e., allow/grant and/or deny) of a resource and object access for a specific identity or subject.

Answer 28

Authorization

Question 29

The {BLANK} role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.

Answer 29

Custodian

Question 30

Think - AAA Services

{BLANK} is proving that you are that claimed identity.

Answer 30

Authentication

Question 31

Think - AAA Services

{BLANK} is claiming to be an identity when attempting to access a secured area or system.

Answer 31

Identification

Question 32

The {BLANK} role is assigned to the person who is responsible for classifying information for placement and proctection within the security solution.

Answer 32

Asset Owner

Question 33

The {BLANK} information security (InfoSec) officer or computer incident repsonse team (CIRT) role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management.

Answer 33

Security Professional

Question 34

The organizational owner, {BLANK}, role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets.

Answer 34

Senior Manager

Question 35

{BLANK} is the concept of protecting the reliability and correctness of data.

Answer 35

Integrity

Question 36

{BLANK} is use for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.

Answer 36

Abstraction

Question 37

{BLANK} is a documented set of best IT security practices crafted by ISACA. It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.

Answer 37

COBIT
(Control Objectives for Information and Related Technology)

Question 38

COBIT is based on six key principles for governance and management of enterprose IT:

Answer 38

• Provide Stakeholder Value
• Holistic Approach
• Dynamic Governance System
• Governance Distinct from Management
• Tailored to Enterprose Needs
• End-toEnd Governace System

Question 39

Think - STRIDE

An attack with the goal of gaining access to a target system through the use of a falsified identity. When an attacker spoofs their identitiy as a vaild or authorized entity, they are often able to bypass filters and blockades against unauthorized access.

Answer 39

Spoofing

Question 40

Think - STRIDE

Any action resulting in unauthorized changes or manipulation of data whether in transit or in storage.

Answer 40

Tampering

Question 41

Think - STRIDE

The ability of an user or attacker to deny having performed an action or activity by maintaining plausible deniability. Repudiation attacks can also result in innocent third parties being blamed for security entities.

Answer 41

Repudiation

Question 42

Think - STRIDE

An attack that attempts to prevent authorized use of a resource. This can be done through flaw exploitation connection overloading or traffic flooding.

Answer 42

Denial of Service (DoS)

Question 43

Think -STRIDE

An attack where a linited user account is transformed into an account with greater priveleges, powers, and access.

Answer 43

Elevation of Privilege

Question 44

Think - STRIDE

The revelation or distribution of provate, confidential, or controlled information to external or unauthorized entities.

Answer 44

Information Disclosure