Chapter 1: Security and Risk Management

Question 1

What is CIA triad?

Answer 1

It’s an acronym that means confidentiality, integrity, and availability.

Question 2

What HVAC stands for?

Answer 2

Heating, ventilation, and air conditioning

Question 3

What is Availability protection ensure?

Answer 3

Availability protection ensures reliability and timely access to data and resources to authorized individuals.

Question 4

What does integrity guarantee from a security point of view?

Answer 4

Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modification is prevented.

Question 5

What is Confidentiality protection ensure?

Answer 5

Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.

Question 6

Six examples of Integrity

Answer 6

Hashing (data integrity)

Configuration management (system integrity)

Change control (process integrity)

Access control (physical and technical)

Software digital signing

Transmission cyclic redundancy check (CRC) functions

Question 7

What is a Vulnerability?

Answer 7

A vulnerability is a weakness in a system that allows a threat source to compromise its security

Question 8

What is a Threat?

Answer 8

A threat is any potential danger that is associated with the exploitation of a vulnerability

Question 9

What is a Risk?

Answer 9

A risk is the likelihood of a threat source exploiting a vulnerability and the corresponding business impact.

Question 10

What is an Exposure?

Answer 10

An exposure is an instance of being exposed to losses.

Question 11

What is an Administrative Control?

Answer 11

Commonly referred to as “soft controls”, like security documentation, risk management, personnel security, and training.

Question 12

What is a Technical Control?

Answer 12

Also called logical controls, they are software or hardware components, as in firewalls, IDS, encryption, and identification and authentication mechanisms.

Question 13

What is a Physical Control?

Answer 13

Items put into place to protect facilities, personnel, and resources, like security guards, locks, fencing, and lighting.

Question 14

What is the functionality of a Preventive Control?

Answer 14

Intended to avoid an incident from occurring

Question 15

What is the functionality of a Detective Control?

Answer 15

Helps identify an incident’s activities and potentially an intruder

Question 16

What is the functionality of a Corrective Control?

Answer 16

Fixes components or systems after an incident has occurred

Question 17

What is the functionality of a Deterrent Control?

Answer 17

Intended to discourage a potential attacker

Question 18

What is the functionality of a Recovery Control?

Answer 18

Intended to bring the environment back to regular operations

Question 19

What is the functionality of a Compensating Control?

Answer 19

Controls that provide an alternative measure of control

Question 20

What type of control are administrative, physical, and technical?

Answer 20

They are preventive in nature.

Question 21

Security Program Development

Answer 21

ISO/IEC 27000 series

Question 22

Enterprise Architecture Development

Answer 22

Zachman Framework, TOGAF, DoDAF, MODAF and SABSA model

Question 23

Security Controls Development

Answer 23

COBIT 5, NIST SP 800-53 and COSO Internal Control— Integrated Framework

Question 24

Process Management Development

Answer 24

ITIL, Six Sigma and Capability Maturity Model Integration (CMMI)

Question 25

What BS7799 Part 1 outlined?

Answer 25

Control objectives and a range of controls that can be used to meet those objectives

Question 26

What BS7799 Part 2 outlined?

Answer 26

How a security program (ISMS) can be set up and maintained

Question 27

Why the companies seek for ISO/IEC 27001?

Answer 27

Check Information Security Management System (ISMS) requirements and attests to the organization’s compliance level

Question 28

What are the four architecture types that TOGAF framework can develop?

Answer 28

Business architecture, Data architecture, Applications architecture and Technology architecture

Question 29

What is the difference between an ISMS and an enterprise security architecture?

Answer 29

An ISMS outlines the controls that need to be put into place (risk management, vulnerability management, business continuity planning, data protection, auditing, configuration management, physical security, etc.) and provides direction on how those controls should be managed throughout their life cycle

The enterprise security architecture illustrates how these components are to be integrated into the different layers of the current business environment

Question 30

What Business enablement means?

Answer 30

Business enablement means the core business processes are integrated into the security operating model—they are standards based and follow a risk tolerance criteria.

Help the business to achieve their goals but adding security controls to make it work securely.

Question 31

What Process enablement means?

Answer 31

So while business enablement means “we can do new stuff,” process enhancement means “we can do stuff better.”

Question 32

What Security Effectiveness means?

Answer 32

It’s a way to determine how useful the current security solutions and architecture as a whole are performing (using SLA, metrics, ROI…)

Question 33

What is the difference between Enterprise and System Architectures
?

Answer 33

An enterprise architecture addresses the structure of an organization. A system architecture addresses the structure of software and computing components.

Question 34

COBIT five key principles

Answer 34

Meeting stakeholder needs

Covering the enterprise end to end

Applying a single integrated framework

Enabling a holistic approach

Separating governance from management

Question 35

What is the different between COSO IC and COBIT?

Answer 35

COSO IC deals more at the strategic level, while COBIT focuses more at the operational level

Question 36

What is the different between Polymorphic and Metamorphic malware

Answer 36

A polymorphic virus decrypts its code, runs that code, and then when propagating itself encrypts the decrypted code with a different key. A metamorphic virus simply runs its code and then when propagating itself mutates its code into different but functionally identical code

Question 37

What is Data subject?

Answer 37

The individual to whom the data pertains

Question 38

What is Data controller?

Answer 38

Any organization that collects data on EU residents

Question 39

What is Data processor?

Answer 39

Any organization that processes data for a data controller

Question 40

When Criminal law is used?

Answer 40

Criminal law is used when an individual’s conduct violates the government laws, which have been developed to protect the public.
Jail sentences are commonly the punishment

Question 41

What do administrative/regulatory laws deal with?

Answer 41

Administrative/regulatory law deals with regulatory standards that regulate performance and conduct.

Question 42

What are the two types of Intellectual Property?

Answer 42

Industrial property—such as inventions (patents), industrial designs, and trademarks—and copyrighted property, which covers things like literary and artistic works.

Question 43

What Trade Secret protects?

Answer 43

Trade secret law protects certain types of information or resources from unauthorized use or disclosure.

A trade secret is something that is proprietary to a company and important for its survival and profitability.

Question 44

What copyright law protects?

Answer 44

Copyright law protects the right of the creator of an original work to control the public distribution, reproduction, display, and adaptation of that original work.

Question 45

What trademark law protects?

Answer 45

A trademark is used to protect a word, name, symbol, sound, shape, color, or combination of these

Question 46

What is a patent?

Answer 46

Patents are given to individuals or companies to grant them legal ownership of, and enable them to exclude others from using or copying, the invention covered by the patent

Question 47

What is a privacy horizontal approach?

Answer 47

Rules that stretch across all industry boundaries

Question 48

What is a privacy vertical approach?

Answer 48

Defines requirements for specific verticals, such as the financial sector and health care

Question 49

What is PII?

Answer 49

Personally identifiable information (PII) is data that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.

Question 50

What is privacy?

Answer 50

Privacy is an individual’s right to determine what data they would like others to know about themselves, which people are permitted to know that data, and when those people can access it.

Question 51

Federal Privacy Act of 1974

Answer 51

Agencies can gather information about individuals, but it must be relevant and necessary to the agency’s official functions. In addition, an agency cannot share people’s private information. If it does, private citizens have the right to sue that agency to protect their privacy.

Question 52

The Federal Information Security Management Act (FISMA)

Answer 52

FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency’s information security program and report the results to the Office of Management and Budget (OMB).

Question 53

Health Insurance Portability and Accountability Act (HIPAA)

Answer 53

HIPAA outlines how security should be managed for any facility that creates, accesses, shares, or destroys medical information.

Question 54

What REP stands for?

Answer 54

Reasonable Expectation of Privacy

Question 55

Ways to deal with Privacy

Answer 55

Laws on government FPA, VA ISA, USA PATRIOT

Laws on corporations HIPAA, HITECH, GLBA, PIDEDA

Self-regulation PCI DSS

Individual user Passwords, encryption, awareness

Question 56

What are the three policy types?

Answer 56

The organizational security policy provides scope and direction for all future security activities within the organization

An issue-specific policy, also called a functional policy, addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues.

A system-specific policy presents the management’s decisions that are specific to the actual computers, networks, and applications.

Question 57

What is the difference between strategic and tactical goal?

Answer 57

A strategic goal can be viewed as the ultimate endpoint, while tactical goals are the steps necessary to achieve it.

Question 58

What is the difference between security policies, standards, procedures, baselines, and guidelines

Answer 58

Security policy - Is an overall general statement produced by senior management that dictates what role security plays within the organization.

Standard - Refer to mandatory activities, actions, or rules.

Procedure - Detailed step-by-step tasks that should be performed to achieve a certain goal.

Baseline - Refers to a point in time that is used as a comparison for future changes.

Guideline - Recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply.

Question 59

What is risk?

Answer 59

Risk is the probability of a threat agent exploiting a vulnerability to cause harm to an asset resulting in a business impact.

Question 60

Types of Risk

Answer 60

PHEIMiLoA

Physical Damage
Human Interaction
Equipment Malfunction
Inside and Outside Attacks
Misuse of Data
Loss of Data
Application error

Question 61

What is the purpose of NIST 800-53?

Answer 61

Security and Privacy

Question 62

What is the purpose of NIST 800-39?

Answer 62

Risk

• Organizational tier
• Business process tier
• Information systems tier

Question 63

What is a Threat?

Answer 63

Potential cause of an unwanted incident, which may result in harm to a system or organization

Question 64

What is the difference between risk assessment and risk analysis?

Answer 64

Risk assessment is a broader effort, which is reinforced by specific risk analysis tasks as needed.

Question 65

Questions to evaluate a risk

Answer 65

What event could occur (threat event)?

What could be the potential impact (risk)?

How often could it happen (frequency)?

What level of confidence do we have in the answers to the first three questions (certainty)?

Question 66

What is the focus area of NIST SP 800-30?

Answer 66

Risk assessments

Question 67

What is FRAP?

Answer 67

Facilitated Risk Analysis Process is a qualitative methodology focused only on the systems that really need assessing, to reduce costs and time obligations

Question 68

What is OCTAVE?

Answer 68

Operationally Critical Threat, Asset, and Vulnerability Evaluation is a methodology that is intended to be used in situations where people manage and direct the risk evaluation for information security within their company

Question 69

What is the focus of AS/NZS ISO 31000 ?

Answer 69

This risk methodology is more focused on the health of a company from a business point of view, not security.

Question 70

What is FMEA?

Answer 70

Failure Modes and Effect Analysis is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.

Question 71

What is the difference between Risk Assessment and Risk Analysis?

Answer 71

Risk assessment is used to gather data. A risk analysis examines the gathered data to produce results that can be acted upon.

Question 72

What SLE stands for?

Answer 72

Single loss expectancy (SLE)

Asset Value × Exposure Factor (EF) = SLE

Question 73

What ALE stands for?

Answer 73

Annual loss expectancy (ALE)

SLE × Annualized Rate of Occurrence (ARO) = ALE

Question 74

What HVAC stands for?

Answer 74

Heating, ventilation, and air conditioning

Question 75

What is the goal of NIST SP 800-161?

Answer 75

Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Question 76

What RMF stands for?

Answer 76

Risk Management Framework

Question 77

What TTP stands for?

Answer 77

Tactics, techniques, and procedures

Question 78

What is the difference between Disaster Recovery, Business Continuity Plan and Business Continuity Management?

Answer 78

Disaster recovery is to minimize the effects of a disaster or disruption.
Business continuity plan provides methods and procedures for dealing with longer-term outages and disasters.
Business continuity management is the holistic management process that should cover both of them

Question 79

What are the three pillars of BCM?

Answer 79

Availability, Reliability and Recoverability

Question 80

What is the NIST SP 800-34 attached to?

Answer 80

Contingency Planning Guide for Federal Information Systems

Question 81

What MDT stands for?

Answer 81

Maximum Downtime Tolerable

Question 82

Who should be part of the BCP committee?

Answer 82

Business units, Senior management, IT department, Security department, Communications department, Legal department

Question 83

What SWOT stands for?

Answer 83

Strengths/Weaknesses (internal)

Opportunities/Threats (external)

Question 84

What is due diligence?

Answer 84

Do everything in our power to prevent something bad from happening.

Question 85

What is due care?

Answer 85

Taking the precautions that a reasonable and competent person would take in the same situation.

Question 86

Which threats BPC should identify?

Answer 86

Maximum tolerable downtime and disruption for activities

Operational disruption and productivity

Financial considerations

Regulatory responsibilities

Reputation

Question 87

What is the equation of Risk?

Answer 87

Risk = Threat × Impact × Probability

Could add time

Question 88

what can be a threat?

Answer 88

Threats can be manmade, natural, or technical

Question 89

What MPTD stands for?

Answer 89

Maximum Period Time of Disruption

Question 90

How RFC 1087 is called?

Answer 90

Ethics and the Internet

This RFC outlines the concepts pertaining to what the IAB considers unethical and unacceptable behavior