Chapter 1 Security Governance Through Principles and Policies Flashcards

1
Q

Similar elements are put into groups, classes, or roles that
are assigned security controls, restrictions, or permissions as a collective.

Abstraction
Layering
Data Hiding
Encryption

A

Abstraction

2
Q

The use of multiple controls in a series.

Abstraction
Layering
Data Hiding
Encryption

A

Layering

3
Q

The art and science of hiding the meaning or intent of a communication from unintended recipients.

Abstraction
Layering
Data Hiding
Encryption

A

Encryption

4
Q

Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible to or seen by the subject.

Abstraction
Layering
Data Hiding
Encryption

A

Data Hiding

5
Q

A ______ is typically useful for about a year and often prescribes and schedules the tasks necessary to accomplish organizational goals.

Strategic Plan
Operational Plan
Tactical plan

A

tactical plan

6
Q

A short-term, highly detailed plan.

Strategic Plan
Operational Plan
Tactical plan

A

Operational Plan

7
Q

A long-term plan that is fairly stable. It defines the organization’s security purpose and helps to understand the security function and align it with the goals, mission, and objectives of the organization.

Strategic Plan
Operational Plan
Tactical plan

A

Strategic Plan

8
Q

The disclosure of this data does not compromise confidentiality or cause any noticeable damage.

Top Secret
Secret
Confidential
Unclassified

A

Unclassified

9
Q

The unauthorized disclosure of this data will have significant effects and cause critical damage to national security.

Top Secret
Secret
Confidential
Unclassified

A

Secret

10
Q

The unauthorized disclosure of top-secret data will have drastic effects and cause grave damage to national security.

Top Secret
Secret
Confidential
Unclassified

A

Top Secret

11
Q

Used for data of a private, sensitive, proprietary, or highly valuable nature. The unauthorized disclosure of this data will have noticeable effects and cause serious damage to national security.

Top Secret
Secret
Confidential
Unclassified

A

confidential

12
Q

If this data is disclosed, it can have drastic effects on the competitive edge of an organization.

Confidential
Private
Sensitive
Public

A

Confidential

13
Q

Its disclosure does not have a serious negative impact on the organization.

Confidential
Private
Sensitive
Public

A

Public

14
Q

Data that is of a personal nature and intended for internal use only. A significant negative impact could occur for the company or individuals if this data is disclosed.

Confidential
Private
Sensitive
Public

A

Private

15
Q

A negative impact could occur for the company if sensitive data is disclosed.

Confidential
Private
Sensitive
Public

A

Sensitive

16
Q

Is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.

Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor
A

Auditor

17
Q

Responsible for understanding and upholding the security policy of an organization by following prescribed operational procedures and operating within defined security parameters.

Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor
A

User

18
Q

Performs all activities necessary to provide adequate protection for the CIA Triad (confidentiality, integrity, and availability) of data and to fulfill the requirements and responsibilities delegated from upper management.

Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor
A

Data Custodian

19
Q

The person who is responsible for classifying information for placement and protection within the security solution.

Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor
A

Data Owner

20
Q

Responsible for writing the security policy and implementing it.

Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor
A

Security Professional

21
Q

The person who will be held liable for the overall success or failure of a security solution and is responsible for exercising due care and due diligence in establishing security for an organization.

Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor
A

Senior Manager

22
Q

Should broadly outline the security goals and practices that should be employed to protect the organization’s vital interests.

A

Security Policies

23
Q

This policy discusses the rules that must be followed and outlines the procedures that should be used to elicit compliance.

regulatory
advisory
informative

A

regulatory

24
Q

______ policy discusses behaviors and activities that are acceptable and defines consequences of violations. It explains senior management’s desires for security and compliance within an organization.

regulatory
advisory
informative

A

advisory

25
Q

______ policy is designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers. It provides support, research, or background information relevant to the specific elements of the overall policy.

regulatory
advisory
informative

A

informative

26
Q

_____ define compulsory requirements for the homogenous use of hardware, software, technology, and security controls.

Standards
Baselines
Guidelines

A

Standards

27
Q

______ establish a common foundational secure state on which all additional and more stringent security measures can be built.

Standards
Baselines
Guidelines

A

Baselines

28
Q

_____ offer recommendations on how standards and baselines are implemented and serve as an operational guide for both security professionals and users.

Standards
Baselines
Guidelines

A

Guidelines

29
Q

______ are detailed, step-by-step how-to documents that describe the exact actions necessary to implement a specific security mechanism, control, or solution.

A

Procedures

30
Q

___________ is the security process where potential threats are identified, categorized, and analyzed.

A

Threat Modeling

31
Q

An attack with the goal of gaining access to a target system through the use of a falsified identity.

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
A

Spoofing

32
Q

Any action resulting in the unauthorized changes or manipulation of data, whether in transit or in storage.

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
A

Tampering

33
Q

The ability for a user or attacker to deny having performed an action or activity.

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
A

Repudiation

34
Q

Can take advantage of system design and implementation mistakes, such as failing to remove debugging code, leaving sample applications and accounts, not sanitizing programming notes from client-visible content (such as comments in HTML documents), using hidden form fields, or allowing overly detailed error messages to be shown to users.

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
A

Information disclosure

35
Q

Attempts to prevent authorized use of a resource.

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
A

Denial of service (DoS)

36
Q

Might be accomplished through a system or application exploit that temporarily or permanently grants additional powers to an otherwise limited account.

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
A

Elevation of privilege

37
Q

The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements.

A

Reduction Analysis

38
Q

Any location where the level of trust or security changes

Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach
A

Trust Boundaries

39
Q

The movement of data between locations

Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach
A

Data Flow Paths

40
Q

Locations where external input is received

Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach
A

Input Points

41
Q

Any activity that requires greater privileges than those of a standard user account or process, typically required to make system changes or alter security.

Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach
A

Privileged Operations

42
Q

The declaration of the security policy, security foundations, and security assumptions.

Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach
A

Details about Security Stance and Approach

43
Q

Identifying threats: the three approaches.

A

Focused on Assets, Focused on Attackers, Focused on Software

44
Q

Microsoft developed a threat categorization scheme known as STRIDE. STRIDE is often used in relation to assessing threats against applications or operating systems. What does it stand for?

A

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege

45
Q

The DREAD rating system is designed to provide a flexible rating solution that is based on the answers to five main questions about each threat:

A

Damage potential—How severe is the damage likely to be if the threat is realized?

Reproducibility—How complicated is it for attackers to reproduce the exploit?

Exploitability—How hard is it to perform the attack?

Affected users—How many users are likely to be affected by the attack (as a percentage)?

Discoverability—How hard is it for an attacker to discover the weakness?