Chapter 1 Security Governance Through Principles and Policies Flashcards

1
Q

Similar elements are put into groups, classes, or roles that
are assigned security controls, restrictions, or permissions as a collective.

Abstraction
Layering
Data Hiding
Encryption

A

Abstraction

2
Q

The use of multiple controls in a series (also known as defense in depth).

Abstraction
Layering
Data Hiding
Encryption

A

Layering

3
Q

The art and science of hiding the meaning or intent of a communication from unintended recipients.

Abstraction
Layering
Data Hiding
Encryption

A

Encryption

4
Q

Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible to or seen by the subject.

Abstraction
Layering
Data Hiding
Encryption

A

Data Hiding

5
Q

A ______ is typically useful for about a year and often prescribes and schedules the tasks necessary to accomplish organizational goals.

Strategic Plan
Operational Plan
Tactical plan

A

Tactical plan

6
Q

A short-term, highly detailed plan.

Strategic Plan
Operational Plan
Tactical plan

A

Operational Plan

7
Q

A long-term plan that is fairly stable. It defines the organization's security purpose and helps align the security function with the goals, mission, and objectives of the organization.

Strategic Plan
Operational Plan
Tactical plan

A

Strategic Plan

8
Q

The disclosure of this data does not compromise confidentiality or
cause any noticeable damage.

Top Secret
Secret
Confidential
Unclassified

A

Unclassified

9
Q

The unauthorized disclosure of this data will have significant effects and cause critical damage to national security.

Top Secret
Secret
Confidential
Unclassified

A

Secret

10
Q

The unauthorized disclosure of this data will have drastic effects and cause grave damage to national security.

Top Secret
Secret
Confidential
Unclassified

A

Top Secret

11
Q

Used for data of a private, sensitive, proprietary, or highly valuable nature. The unauthorized disclosure of this data will have noticeable effects and cause serious damage to national security.

Top Secret
Secret
Confidential
Unclassified

A

Confidential

12
Q

If this data is disclosed, it can have drastic effects on the competitive edge of an organization.

Confidential
Private
Sensitive
Public

A

Confidential

13
Q

Its disclosure does not have a serious negative impact on the
organization.

Confidential
Private
Sensitive
Public

A

Public

14
Q

Data that is of a personal nature and intended for internal use only. A significant negative impact could occur for the company or individuals if this data is disclosed.

Confidential
Private
Sensitive
Public

A

Private

15
Q

A negative impact could occur for the company if this data is disclosed.

Confidential
Private
Sensitive
Public

A

Sensitive

16
Q

The role responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.

Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor

A

Auditor

17
Q

The role responsible for understanding and upholding the security policy of an organization by following prescribed operational procedures and operating within defined security parameters.

Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor

A

User

18
Q

The role that performs all activities necessary to provide adequate protection for the CIA Triad (confidentiality, integrity, and availability) of data and to fulfill the requirements and responsibilities delegated from upper management.

Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor

A

Data Custodian

19
Q

The person responsible for classifying information for placement and protection within the security solution.

Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor

A

Data Owner

20
Q

The role responsible for writing the security policy and implementing it.

Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor

A

Security Professional

21
Q

The person who will be held liable for the overall success or failure of a security solution and who is responsible for exercising due care and due diligence in establishing security for an organization.

Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor

A
A

Senior Manager

22
Q

Should broadly outline the security goals and practices that should be employed to protect the organization's vital interests.

A

Security Policies

23
Q

This policy discusses
the rules that must be followed and outlines the procedures that should be
used to elicit compliance.

regulatory
advisory
informative

A

regulatory

24
Q

______ policy discusses behaviors and activities that are acceptable and defines the consequences of violations. It explains senior management's desires for security and compliance within an organization.

regulatory
advisory
informative

A

advisory

25
Q

______ policy is designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers. It provides support, research, or background information relevant to the specific elements of the overall policy.

regulatory
advisory
informative

A

informative

26
Q

_____ define compulsory requirements for the homogenous use of hardware, software, technology, and security controls.

Standards
Baselines
Guidelines

A

Standards

27
Q

______ establish a common foundational secure state on which all additional and more stringent security measures can be built.

Standards
Baselines
Guidelines

A

Baselines

28
Q

_____ offer recommendations on how standards and baselines are implemented and serve as an operational guide for both security professionals and users.

Standards
Baselines
Guidelines

A

Guidelines

29
Q

______ are detailed, step-by-step how-to documents that describe the exact actions necessary to implement a specific security mechanism, control, or solution.

A

Procedures

30
Q

___________ is the security process in which potential threats are identified, categorized, and analyzed.

A

Threat Modeling

31
Q

An attack with the goal of gaining access to a target system through the use of a falsified identity.

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege

A

Spoofing

32
Q

Any action resulting in unauthorized changes to or manipulation of data, whether in transit or in storage.

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege

A

Tampering

33
Q

The ability of a user or attacker to deny having performed an action or activity.

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege

A

Repudiation

34
Q

Can take advantage of system design and implementation mistakes, such as failing to remove debugging code, leaving sample applications and accounts, not sanitizing programming notes from client-visible content (such as comments in HTML documents), using hidden form fields, or allowing overly detailed error messages to be shown to users.

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege

A

Information disclosure

35
Q

Attempts to prevent authorized use of a resource.

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege

A

Denial of service (DoS)

36
Q

Might be accomplished through a system or application exploit that temporarily or permanently grants additional powers to an otherwise limited account.

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege

A

Elevation of privilege

37
Q

The purpose of this task (also called decomposing the application, system, or environment) is to gain a greater understanding of the logic of the product as well as its interactions with external elements.

A

Reduction Analysis

38
Q

Any location where the level of trust or security changes.

Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach

A

Trust Boundaries

39
Q

The movement of data between locations.

Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach

A

Data Flow Paths

40
Q

Locations where external input is received.

Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach

A

Input Points

41
Q

Any activity that requires greater privileges than those of a standard user account or process, typically required to make system changes or alter security.

Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach

A

Privileged Operations

42
Q

The declaration of the security policy, security foundations, and security assumptions.

Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach

A

Details about Security Stance and Approach

43
Q

Name the three approaches to identifying threats.

A

Focused on Assets
Focused on Attackers
Focused on Software

44
Q

Microsoft developed a threat categorization scheme known as STRIDE, often used to assess threats against applications or operating systems. What are its six categories?

A

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege

45
Q

The DREAD rating system is designed to provide a flexible rating solution based on the answers to five main questions about each threat. What are they?

A

Damage potential: how severe is the damage likely to be if the threat is realized?
Reproducibility: how complicated is it for attackers to reproduce the exploit?
Exploitability: how hard is it to perform the attack?
Affected users: how many users are likely to be affected by the attack (as a percentage)?
Discoverability: how hard is it for an attacker to discover the weakness?
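The following is an added worked example, not part of the flashcard set or of the CISSP study guide it summarizes. It runs the threat-modeling workflow from cards 30 through 45 end to end over a constructed five-element system: reduction analysis (finding trust boundary crossings, input points, and privileged operations from a list of elements and data flows), STRIDE enumeration, and DREAD ranking. Two things go beyond the cards and are assumptions: the STRIDE-per-element mapping (which STRIDE categories apply to external entities, processes, and data stores) follows Microsoft's usual convention, and DREAD answers are scored on a 1-10 scale and averaged. All element names, flows, and ratings are constructed sample data.

```python
"""Reduction analysis, STRIDE-per-element and DREAD ranking over a toy system.
Added example; the sample system and ratings below are constructed."""
from dataclasses import dataclass
from statistics import mean

# STRIDE-per-element: which STRIDE categories apply to each DFD element type.
# Microsoft's usual convention; an assumption beyond the flashcards, which
# only name the six categories.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",   # "R" is added below when the store holds audit logs
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service (DoS)",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                 # external_entity | process | data_store
    trust: int                # 0 = untrusted (Internet); higher = more trusted
    privileged: bool = False  # performs privileged operations
    audit_log: bool = False   # data store holding the audit trail


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str


# Constructed sample system (hypothetical names).
ELEMENTS = [
    Element("internet_user", "external_entity", trust=0),
    Element("web_app", "process", trust=1),
    Element("admin", "external_entity", trust=2),
    Element("admin_console", "process", trust=2, privileged=True),
    Element("db", "data_store", trust=2),
    Element("audit_log", "data_store", trust=2, audit_log=True),
]
FLOWS = [
    Flow("internet_user", "web_app", "HTTP request"),
    Flow("web_app", "db", "SQL query"),
    Flow("web_app", "audit_log", "event record"),
    Flow("admin", "admin_console", "HTTPS session"),
    Flow("admin_console", "db", "admin SQL"),
]


def trust_boundary_crossings(elements, flows):
    """Reduction analysis: a data flow path crosses a trust boundary when its
    two endpoints sit at different trust levels."""
    names = {e.name: e for e in elements}
    return [f for f in flows if names[f.src].trust != names[f.dst].trust]


def input_points(elements, flows):
    """Input points: elements that receive data from a less-trusted source."""
    names = {e.name: e for e in elements}
    return sorted({f.dst for f in flows if names[f.src].trust < names[f.dst].trust})


def privileged_operations(elements):
    """Elements that perform privileged operations."""
    return sorted(e.name for e in elements if e.privileged)


def stride_threats(elements, flows):
    """Enumerate (target, STRIDE category) pairs. Every node gets the categories
    for its element type; only boundary-crossing flows are listed, since flows
    inside a single trust zone are deferred (a simplification)."""
    threats = []
    for e in elements:
        letters = STRIDE_PER_ELEMENT[e.kind]
        if e.kind == "data_store" and e.audit_log:
            letters += "R"    # a forgeable or deletable log enables repudiation
        threats += [(e.name, STRIDE_NAMES[c]) for c in letters]
    for f in trust_boundary_crossings(elements, flows):
        threats += [(f"{f.src}->{f.dst}", STRIDE_NAMES[c]) for c in "TID"]
    return threats


def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD: each of the five answers is scored 1-10 (assumed scale; the cards
    give only the questions) and the threat's score is the mean, 10 being worst."""
    ratings = (damage, reproducibility, exploitability, affected_users, discoverability)
    if not all(isinstance(r, int) and 1 <= r <= 10 for r in ratings):
        raise ValueError("each DREAD rating must be an integer from 1 to 10")
    return mean(ratings)


def rank_threats(rated):
    """rated: {(target, category): (D, R, E, A, D)} -> [(target, category, score)], worst first."""
    scored = [(target, cat, dread_score(*r)) for (target, cat), r in rated.items()]
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed DREAD ratings for three of the enumerated threats.
SAMPLE_RATINGS = {
    ("internet_user->web_app", "Tampering"): (6, 9, 8, 7, 9),
    ("web_app", "Elevation of privilege"): (9, 6, 5, 8, 4),
    ("audit_log", "Repudiation"): (5, 4, 3, 2, 3),
}

if __name__ == "__main__":
    for f in trust_boundary_crossings(ELEMENTS, FLOWS):
        print(f"boundary crossing: {f.src} -> {f.dst} ({f.label})")
    print("input points:", input_points(ELEMENTS, FLOWS))
    print("privileged:", privileged_operations(ELEMENTS))
    print(len(stride_threats(ELEMENTS, FLOWS)), "STRIDE threats enumerated")
    for target, cat, score in rank_threats(SAMPLE_RATINGS):
        print(f"{score:4.1f}  {cat:<24} {target}")
```

Run as a script it prints the three boundary crossings (the untrusted request into the web app and the web app's two flows into the more-trusted data tier), the input points and privileged element, the 32 enumerated STRIDE threats, and the three rated threats with the boundary-crossing tampering case ranked first. The audit log is the one data store that also gets Repudiation, matching card 33: if the log can be altered, actors can deny what they did.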