Chapter 1 (Domain 1 & 3)

Question 1

Confidentiality

Answer 1

The goal of confidentiality protection is to prevent or minimize unauthorized access.

Question 2

Sensitivity

Answer 2

Sensitivity refers to the quality of information, which could cause harm or damage if disclosed.

Question 3

Discretion

Answer 3

Discretion is an act of decision where an operator can influence or control disclosure in order to minimize harm or damage.

Question 4

Criticality

Answer 4

The level to which information is mission critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain the confidentiality.

Question 5

Concealment

Answer 5

Concealment is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction.

Question 6

Secrecy

Answer 6

Secrecy is the act of keeping something secret or preventing the disclosure of information.

Question 7

Privacy

Answer 7

Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.

Question 8

Seclusion

Answer 8

Seclusion involves storing something in an out-of-the-way location, likely with strict access controls.

Question 9

Isolation

Answer 9

Isolation is the act of keeping something separated from others.

Question 10

Integrity

Answer 10

Integrity is the concept of protecting the reliability and correctness of data.

Question 11

Availability

Answer 11

Availability means authorized subjects are granted timely and uninterrupted access to objects.

Question 12

DAD Triad

Answer 12

Disclosure, alteration, and destruction. Represents the failures of security protections in the CIA Triad.

Question 13

AAA services

Answer 13

Identification, Authentication, Authorization, Auditing, Accounting

Question 14

Defense In Depth terms

Answer 14

Level, multi-leveled, layers.

Classifications, zones, realms, components, compartments, silos, segmentation, lattice structure, and protection rings.

Question 15

Abstraction

Answer 15

Abstraction is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.

Question 16

Data Hiding

Answer 16

Preventing data from being discovers or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject.

Question 17

Three types of security management planning

Answer 17

1) Strategic
2) Tactical
3) Operational

Question 18

Organization Roles

Answer 18

Senior Manager-Ultimately responsible for the security maintained by an organization.
Security Professional-Writing and implementing policies
Asset Owner-Responsible for classifying information for placement and protection
Custodian-Implements the controls
User-Responsible for understanding and upholding the security policy
Auditor-Reviewing and verifying that the security policy is properly implemented.

Question 19

Merger/Acquisition Risks

Answer 19

• Inappropriate information disclosure
• Data loss
• Down time
• Failure to achieve sufficient ROI

Question 20

What is COBIT?

Answer 20

Control Objectives for Information and Related Technology - Security concept infrastructure used to organize the complex solutions of companies.

Question 21

COBIT Six key principles

Answer 21

1) Provide stakeholder value
2) Holistic approach
3) Dynamic governance system
4) Governance distinct from management
5) Tailored to enterprise needs
6) End-to-end governance

Question 22

NIST 800-53 Rev 5

Answer 22

Contains U.S. government-sourced general recommendations for organizational security.

Question 23

CIS

Answer 23

Center for Interned Security - Provides OS, application, and hardware security configuration guides

Question 24

NIST Risk Management Framework(RMF)

Six phases

Answer 24

Establishes mandatory requirements for federal agencies.

1) Categorize
2) Select
3) Implement
4) Assess
5) Authorize
6) Monitor

Question 25

NIST Cybersecurity Framework (CSF)

Five functions

Answer 25

Designed for critical infrastructure and commercial organizations.

1) Identify
2) Protect
3) Detect
4) Respond
5) Recover

Question 26

ISO / IEC

Answer 26

International Organization for Standardization / International Electrotechnical Commission 2700 family group - International standard that can be the basis of implementing organizational security and related management practices.

Question 27

ITIL

Answer 27

Information Technology Infrastructure Library - Developed by British and became an international standard. Best practices for optimization of IT services to support business growth, transformation, and change. Customized IT security solution.

Question 28

Threat Modeling Basics

Answer 28

Identify;Categorize;Analyze
Focus on Assets, Focus on Attackers, Focus on Software
Threat Models:
STRIDE, PASTA, VAST, DREAD

Question 29

STRIDE

Answer 29

Microsoft developed threat categorization scheme.
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of privilege

Question 30

PASTA

Answer 30

Risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the asset being protected.
Stages I: Definition of the Objectives(DO) for the Analysis of Risks
Stage II: Definition of the Technical Scope (DTS)
Stage III: Application Decomposition and Analysis (ADA)
Stage IV: Threat Analysis(TA)
Stage V: Weakness and Vulnerability Analysis(WVA)
Stage VI: Attack Modeling & Simulation(AMS)
Stage VII: Risk Analysis & Management(RAM)

Question 31

VAST

Answer 31

Visual, Agile, and Simple Threat - Threat modeling concept that integrates threat and risk management into an Agile programming environment on a scalable basis.

Question 32

Decomposition process five key concepts

Answer 32

1) Trust boundaries
2) Dataflow paths
3) Input points
4) Privileged Operation
5) Details about security stance and approach

Question 33

DREAD

Answer 33

Rating system designed to provide a flexible rating solution that is based on the answer to five main questions about each threat.
Damage Potential
Reproducibility
Exploitability
Affected Users
Discoverability

Question 34

SCRM

Answer 34

Supply Chain Risk Management