Chapter 1

Question 1

What are the three (3) common types of security evaluation?

Answer 1

Risk Assessment, Vulnerability Assessment, and Penetration Testing

Question 2

What is a risk assessment?

Answer 2

A process of identifying assets, threats, and vulnerabilities and then using that information to calculate risk.

Question 3

What is is vulnerability assessment?

Answer 3

A procedure that uses automated tools to locate known security weaknesses.

Question 4

What is a penetration test?

Answer 4

A procedure using trusted individuals to stress-test the security infrastructure to find issues that may not have been discovered by other assessments.

Question 5

What are the primary goals and objectives for a security infrastructure?

Answer 5

Confidentiality, Integrity, and Availability (CIA)

Question 6

In the security CIA Triad - what is confidentiality?

Answer 6

The concept of ensuring secrecy of data, objects and resources.

Question 7

Which basic security principle is confidentiality based upon?

Answer 7

Least privilege.

Question 8

What is the goal of confidentiality?

Answer 8

To prevent or minimize unauthorized “read” access to data.

Question 9

What is the corner stone of security concepts?

Answer 9

Confidentiality, Integrity, and Availability (CIA)

Question 10

What is the opposite of Confidentiality, Integrity, and Availability (CIA)?

Answer 10

Disclosure, Alteration and Destruction (DAD)

Question 11

Name the concepts, conditions and aspects of confidentiality

Answer 11

Sensitivity, Discretion, Criticality, Concealment, Secrecy, Privacy, Seclusion, and Isolation

Question 12

What is sensitivity in the concept of confidentiality?

Answer 12

The level of damage that could be caused if the information was released without authorization

Question 13

What is discretion in the concept of confidentiality?

Answer 13

The act of the data owner or operator that influences or controls the disclosure of the data.

Question 14

What is criticality in the concept of confidentiality?

Answer 14

The level of to which the information is importance to the organization for continuing operations.

Question 15

What is concealment in the concept of confidentiality?

Answer 15

The act of hiding the information to prevent unauthorized disclosure.

Question 16

What is secrecy in the concept of confidentiality?

Answer 16

The act of keeping data or information secret or preventing its disclosure.

Question 17

What is privacy in the concept of confidentiality?

Answer 17

The act of keeping personally identifiable information confidential.

Question 18

What is seclusion in the concept of confidentiality?

Answer 18

Involves storing data or information in a location that is out of the way of unauthorized users.

Question 19

What is isolation in the concept of confidentiality?

Answer 19

The act of keeping something separated from others.

Question 20

In relation to the security CIA triad, what is integrity?

Answer 20

The concept of protecting the reliability and correctness of the data.

Question 21

In practice, how does integrity protect the data?

Answer 21

Preventing unauthorized modifications, preventing mistakes by authorized users, and maintaining consistency and verifiability of the data

Question 22

What are the concepts, conditions and aspects of integrity?

Answer 22

Accuracy, truthfulness, validity, accountability, responsibility, completeness, comprehensiveness

Question 23

In relation to the security CIA triad, what is avilability?

Answer 23

The timely and uninterrupted access to data by authorized users.

Question 24

What are the concepts, conditions and aspects of availability?

Answer 24

Usability, accessibility, and timeliness

Question 25

What is authenticity?

Answer 25

The security concept that the data is authentic and genuine and originates from its alleged source.

Question 26

What is non-repudiation?

Answer 26

The concept that which ever subject caused and event or modification to data cannot successfully deny tha the event or change took place.

Question 27

Within the framework of AAA services, what is identification?

Answer 27

A claim that the subject is who or what is say it is.

Question 28

Within the framework of AAA services, what is authentication?

Answer 28

Verification or proof that the subject is who or what it claims to be.

Question 29

Within the framework of AAA services, what is authorization?

Answer 29

Permission from the system to access data in question.

Question 30

Within the framework of AAA services, what is auditing?

Answer 30

The means by which a subjects actions are tracked once authorization is granted.

Question 31

Explain "defense in depth"?

Answer 31

The laying of security controls such that breaching once layer may not fully expose the data.

Question 32

Explain the use of abstraction in the concept of security?

Answer 32

The practice of placing data or assets in to groups, classes, or roles to further protect the data.

Question 33

What is a security boundary?

Answer 33

A line or intersection between two areas that having different security requirements.

Question 34

What is third-party governance?

Answer 34

A system of external oversight that may be mandated by law, regulation, industry standards, contractural obligation or licensing demands.

Question 35

What is a security policy?

Answer 35

The highest level tier of formal document that defines the scope or security needed by the organization and a breakdown of assets that require protection. Security policies are mandatory and high level.

Question 36

What is a security procedure?

Answer 36

A detailed set of steps that document and describe exactly how to implement a specific securoty mechanism, control, or solution.

Question 37

What is a standard?

Answer 37

Standards describe the specific use of a technology and are mandatory to follow.

Question 38

What are guidelines?

Answer 38

Recommendations on the use or implementation of a particular solution; ie password length, or the use of certain characters.

Question 39

What is due care?

Answer 39

The care a "reasonable person" would exercise under a given set of circumstances.

Question 40

What is due diligence?

Answer 40

The preemptive measures made to avoid harm.

Question 41

What is threat modeling?

Answer 41

A process performed where potential threats are identified, classified, and analyzed.

Question 42

What is governance?

Answer 42

The process of ensuring that the organization focuses on the core activities and clarifying subject that have authority to make decisions.

Question 43

What is risk management?

Answer 43

The systematic process of identifying, analyzing, evaluating, remediating, and monitoring rissk.

Question 44

What is security governance?

Answer 44

The collections. of practices related to supporting, defining and directing the security efforts of an organization.

Question 45

What is compliance?

Answer 45

The actions taken to ensure behavior complies with established rules and policies.

Question 46

What is a strategic plan?

Answer 46

A long-term plan to guide the organization in its security efforts that is fairly stable.

Question 47

What is a tactical plan?

Answer 47

A mid-term plan developed to provide more details on accomplishing the goals and objectives in tyeh strategic plan.

Question 48

What is an operational plan?

Answer 48

A short-term plan that is highly detailed and used for implementing the strategic and tactical plans.

Question 49

What is the time frame for a strategic plan?

Answer 49

About 5-years and is maintained annually.

Question 50

What is the typical time frame for a tactical plan?

Answer 50

About one-year.

Question 51

How often is an operational plan normally updated?

Answer 51

Either monthly or quarterly