Chapter 1- Security Governance Through Principles and Policies

Question 1

5 Pillars of Information Security

Answer 1

Confidentiality
Integrity
Availability
Authenticity
Nonrepudiation

Question 2

DAD Triad

Answer 2

Disclosure
Alteration
Destruction

Question 3

Authenticity

Answer 3

Data is genuine and originates from its alleged source

Question 4

Nonrepudiation

Answer 4

Ensures that the subject of an activity or who caused an event cannot deny that the event occurred.
Prevents subjects from claiming not to have sent a message, performed an action, been the cause of an event, etc
Enforced through digital certificates, session identifiers, transaction logs, etc

Question 5

AAA Services

Answer 5

Identification
Authentication
Authorization
Auditing
Accounting

Question 6

Authentication

Answer 6

Proving that you are a claimed identity

Question 7

Authorization

Answer 7

Defines permissions of a resource and object access for a specific identity

Question 8

Accounting

Answer 8

Reviewing log files to check for compliance and violations to hold subjects accountable

Question 9

Abstraction

Answer 9

Similar elements put into groups, classes, or roles that are collectively assigned security controls, restrictions, or permissions

Question 10

Data Hiding

Answer 10

Intentionally positioning data so that it is not viewable or accessible to an unauthorized subject

Question 11

Security Boundary

Answer 11

Line of intersection between areas, subnets, or environments with different security requirements or needs

Question 12

Security Governance

Answer 12

Collection of practices related to supporting, evaluating, defining, and directing an organization’s security efforts

Seeks to compare organization’s security processes and infrastructure with knowledge and insight from external sources

Question 13

Security Function

Answer 13

Aspect of operating a business that focuses on evaluating and improving security over time

Question 14

Strategic Plan

Answer 14

Long term, defines organization’s security purpose and aligns it with goals, mission, and objectives of the organization. 5+ years

Question 15

Tactical Plan

Answer 15

Mid term plan developed to provide more details on accomplishing the goals set in the strategic plan, but can also be ad hoc based on unpredicted events. Approximately 1 year

Question 16

Organizational Plan

Answer 16

Short term, highly detailed plan based on strategic and tactical plans. Useful only for a short time, must be updated often to align with tactical plans

Question 17

Senior Manager

Answer 17

Ultimately responsible for security maintained by the organization. Signs off on all security policy issues. Decision makers.

Question 18

Security Professional

Answer 18

Writes and implements security policy. Implementers.

Question 19

Asset Owner

Answer 19

Responsible for classifying information for placement/protection within the security solution. Typically a high-level manager but delegates data management tasks to custodian

Question 20

Custodian

Answer 20

Responsible for the tasks of implementing the prescribed protection defined by policy and senior management

Question 21

Auditor

Answer 21

Responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate. Provides compliance and effectiveness reports to management.

Question 22

ISO

Answer 22

International Organization for Standardization. Worldwide standards-setting group of representatives from various national standards organizations. Cover equipment, software, protocols, etc

Question 23

ISO 27000

Answer 23

International security standard that can be the basis for implementing organizational security and related management policies

Question 24

NIST

Answer 24

National Institute of Standards and Technology. US Federal Agency that promotes and maintains measurement standards, as well as advance technology and innovation.

Question 25

NIST SP 800-53

Answer 25

Security and Privacy Controls for Information Systems and Organizations

Question 26

COBIT

Answer 26

Control Objectives for Information and Related Technologies. Documented set of best IT security practices by ISACA, mapping security ideals to business objectives

Question 27

COBIT Six Key Principles

Answer 27

Provide stakeholder value
Holistic approach
Dynamic governance system
Governance distinct from management
Tailored to enterprise needs
End to end governance system

Question 28

SABSCA

Answer 28

Sherwood Applied Business Security Architecture. For developing risk-driven enterprise security and information assurance architectures.

Question 29

PCI DSS

Answer 29

Payment Card Industry Data Security Standard. Ensures protection of sensitive credit/debit card info.

Question 30

FedRAMP

Answer 30

Federal Risk and Authorization Management Program. US government-wide program designed to standardize cloud security in products and services used by federal agencies.

Question 31

ITIL

Answer 31

Information Technology Infrastructure Library. Set of recommended best practices for optimization of IT services to support business growth, transformation, and change. Focuses on how IT and security should be aligned to organization’s objectives. Used as a starting point for crafting a customized security solution.

Question 32

Due Diligence

Answer 32

Establishing a plan, policy, process to protect the interests of an organization. Knowing what should be done and planning for it.

Question 33

Due Care

Answer 33

Practicing the individual activities that maintain the due diligence effort. Doing the right action at the right time.

Question 34

Threat Modeling

Answer 34

Security process where potential threats are identified, categorized, and analyzed. Continuous process.

Question 35

STRIDE

Answer 35

Microsoft developed threat categorization scheme. Stands for:
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

Question 36

PASTA

Answer 36

Seven stage threat modeling methodology. Process for attack simulation and threat analysis. Risk-centric, aimed at selecting countermeasures in relation to asset value

Question 37

VAST

Answer 37

Visual, Agile, and Simple Threat. Threat modeling concept that integrates threat and risk management into an Agile programming environment on a scalable basis

Question 38

Diagramming

Answer 38

Creation of a diagram of the elements involved in a transaction, with indications of data flows and privilege boundaries. Use the diagram to identify all technologies involved, and attacks that could be targeted at each element.

Question 39

Reduction Analysis/Decomposing

Answer 39

Breaking down a system into its individual components for a greater understanding of how it operates and potential vulnerabilities. Understanding trust boundaries, data flow paths, input points, privileged operations, and details about security stance

Question 40

Probability x Damage Potential

Answer 40

Risk ranking technique that produces a risk severity between 1 and 100. Can be arbitrary and subjective.

Question 41

High/Medium/Low Rating Process

Answer 41

Risk ranking technique that uses a risk matrix or heat map to help establish criticality prioritization

Question 42

DREAD

Answer 42

Damage, Reproducibility, Exploitability, Affected Users, and Discoverability. Risk rating system designed to provide a flexible rating solution based on the data for those five categories

Question 43

SCRM

Answer 43

Supply Chain Risk Management. Ensuring that all vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners

Question 44

Silicon Root of Trust

Answer 44

Foundational and tamper resistant component within a computer’s hardware that provides a secure starting point for establishing trust and security in a system. Ensures the CIA of the system’s boot process and software

Question 45

Secure Boot

Answer 45

Verifies the integrity of firmware, bootloader, and OS during the boot sequence to ensure no unauthorized or malicious code is executed

Question 46

Remote Attestation

Answer 46

Enables a remote entity to verify the trustworthiness of a system

Question 47

Physically Unclonable Function (PUF)

Answer 47

Specialized physical electronic component or function that generates a unique, unpredictable digital identifier

Question 48

SBOM

Answer 48

Software Bill of Materials. Structured and comprehensive inventory of all software components and dependencies that make up a software application or system

Question 49

Risks of Mergers and Acquisitions

Answer 49

Inappropriate information disclosure
Data Loss
Downtime
Failure to achieve a sufficient return on investment (ROI)

Question 50

When doing a third party risk assessment, you discover several serious issues with the vendor such as failing to require encryption for all communications and not requiring MFA on management interfaces. What should you do?

Answer 50

Void the authorization to operate (ATO) of the vendor.