Chapter 1: Cybersecurity Governance

Question 1

Objectives of security

Answer 1

Provide confidentiality, integrity, availability, authenticity, and nonrepudiation

Question 2

Confidentiality

Answer 2

keep unauthorized entities (people or processes) from gaining access to assets

Question 3

Integrity

Answer 3

keep an asset free from unauthorized alterations

Question 4

Availability

Answer 4

ensure reliable and timely access to assets for authorized individuals

Question 5

Authenticity

Answer 5

ensure we can trust that something comes from its claimed source

Question 6

Nonrepudiation

Answer 6

someone cannot disavow being the source of a given action

Question 7

Vulnerability

Answer 7

a weakness in a system which allows a threat source to compromise security

Question 8

threat

Answer 8

any potential danger associated with exploiting a vulnerability

Question 9

threat source

Answer 9

threat agent or threat actor; any entity which can exploit a vulnerability

Question 10

Risk

Answer 10

likelihood of a threat source exploiting a vulnerability and corresponding business impact

Question 11

Control

Answer 11

countermeasure; put into place to mitigate (reduce) potential risk

Question 12

security governance

Answer 12

a framework which provides oversight, accountability, and compliance

Question 13

ISMS

Answer 13

information security management system; a collection of policies, procedures, baselines, and standards for an org to ensure that security efforts are aligned with business needs, streamlined, and effective and no security controls are missing

Question 14

Enterprise security architecture

Answer 14

Implements an info security strategy and consists of layers of solutions, processes, and procedures and how they are linked across an enterprise strategically, tactically, and operationally

Question 15

Enterprise security architecture core features

Answer 15

strategic alignment, business enablement, process enhancement, and security effectiveness

Question 16

Security governance

Answer 16

framework which supports the creation and communication of security goals to consistently apply and assess them

Question 17

Senior management

Answer 17

always carries the ultimate responsibility for the org; support needed for necessary attention, funds, resources, and enforcement capabilities

Question 18

Security policy

Answer 18

a statement by management dictating the role security plays in the org; intended to be strategic

Question 19

Standards

Answer 19

documents that describe specific requirements that are compulsory in nature and support the org’s security policies; describe mandatory activities, actions, or rules

Question 20

baseline

Answer 20

minimum level of security

Question 21

Guidelines

Answer 21

recommendations and general approaches that provide advice and flexibility; recommended but optional practices

Question 22

Procedures

Answer 22

detailed step-by-step tasks that should be performed to achieve a certain goal; describes the manner in which something must be done

Question 23

Job rotation and mandatory vacations

Answer 23

administrative security controls to help detect fraud

Question 24

Separation of duties

Answer 24

ensures no single person has total control over a critical activity or task; admin control to ensure that fraud cannot happen successfully unless collusion occurs

Question 25

Split knowledge and dual control

Answer 25

two variations of separation of duties; admin preventative controls

Question 26

Social engineering

Answer 26

an attack carried out to manipulate a person into providing sensitive data to an unauthorized individual

Question 27

Security awareness training

Answer 27

comprehensive, tailored for specific groups, and organization-wide

Question 28

Gamification

Answer 28

the application of elements of game play to other activities such as security awareness training

Question 29

Security champions

Answer 29

members of an org who aren’t in security but inform and encourage the adoption of security practices within their own teams

Question 30

Professional ethics

Answer 30

codify the right ways for a group of people to behave