Chapter 1: Security Governance through Principles and Policies Flashcards
- Which of the following contains the primary goals and objectives of security?
The CIA Triad
The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad.
- Vulnerabilities and risks are evaluated based on their threats against which of the following?
One or more of the CIA Triad principles
Vulnerabilities and risks are evaluated based on their threats against one or more of the CIA Triad principles.
- Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects?
Availability
Availability means that authorized subjects are granted timely and uninterrupted access to objects.
- Which of the following is not considered a violation of confidentiality?
Hardware destruction
Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, and sniffing.
- Which of the following is not true?
A. Violations of confidentiality include human error.
B. Violations of confidentiality include management oversight.
C. Violations of confidentiality are limited to direct intentional attacks.
D. Violations of confidentiality can occur when a transmission is not properly encrypted.
Violations of confidentiality are limited to direct intentional attacks.
Violations of confidentiality are not limited to direct intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are due to human error, oversight, or ineptitude.
- STRIDE is often used in relation to assessing threats against applications or operating systems. Which of the following is not an element of STRIDE?
Disclosure
Disclosure on its own is not an element of STRIDE; the element is information disclosure. The six elements of STRIDE are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
- If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can ________ the data, objects, and resources.
Access
Accessibility of data, objects, and resources is the goal of availability. If a security mechanism offers availability, then it is highly likely that the data, objects, and resources are accessible to authorized subjects.
- _______ refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.
Privacy
Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed. Seclusion is storing something in an out-of-the-way location. Concealment is the act of hiding or preventing disclosure. The degree to which information is mission critical is its criticality.
- All but which of the following items require awareness for all individuals affected?
The backup mechanism used to retain email messages
Users should be aware that email messages are retained, but the backup mechanism used to perform this operation does not need to be disclosed to them.
- What element of data categorization management can override all other forms of access control?
Taking ownership
Ownership grants an entity full capabilities and privileges over the objects it owns. The ability to take ownership is usually reserved for the most powerful accounts in an operating system (on Windows, for example, the "Take ownership of files or other objects" user right is assigned to Administrators by default) because it can be used to overstep any access control limitations otherwise implemented.
- What ensures that the subject of an activity or event cannot deny that the event occurred?
Nonrepudiation
Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred.
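The card above states the goal; the following Go program, added here as an example and not part of the original flashcards, shows what does and does not achieve it. An Ed25519 signature over an audit record can be verified by anyone holding the public key but produced only by the private-key holder, so the subject cannot deny the record. An HMAC over the same record with a key shared between subject and auditor proves integrity but not nonrepudiation, because the auditor holds the same key and could have fabricated the record. The AuditEvent fields, key material and event values are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// AuditEvent is a constructed record of an action; the field set is an
// assumption for this example, not a real log schema.
type AuditEvent struct {
	Subject, Action, Object, Time string
}

// canonical gives signer and verifier one agreed byte encoding of the event.
func canonical(e AuditEvent) []byte {
	return []byte(e.Subject + "|" + e.Action + "|" + e.Object + "|" + e.Time)
}

// SignEvent binds the event to the subject's Ed25519 private key. Only the
// holder of that key can produce a valid signature, so the subject cannot
// later deny having produced the record: this is nonrepudiation.
func SignEvent(priv ed25519.PrivateKey, e AuditEvent) []byte {
	return ed25519.Sign(priv, canonical(e))
}

// VerifyEvent lets anyone holding the public key check the signature. A
// changed field or a different signer makes verification fail.
func VerifyEvent(pub ed25519.PublicKey, e AuditEvent, sig []byte) bool {
	return ed25519.Verify(pub, canonical(e), sig)
}

// MacEvent is the contrast case: an HMAC-SHA256 over the event using a key
// shared by subject and auditor. It proves integrity and that some key holder
// produced the tag, but the auditor holds the same key and could have
// fabricated the record, so the subject can repudiate it.
func MacEvent(sharedKey []byte, e AuditEvent) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(canonical(e))
	return m.Sum(nil)
}

// VerifyMac recomputes the tag; whoever can verify can also forge.
func VerifyMac(sharedKey []byte, e AuditEvent, tag []byte) bool {
	return hmac.Equal(MacEvent(sharedKey, e), tag)
}

// Demo returns (genuine signature verifies, tampered copy verifies,
// auditor-forged MAC record is accepted) so the outcome can be checked
// without reading printed output.
func Demo() (genuineOK, tamperedOK, forgedMacAccepted bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ev := AuditEvent{"alice", "approve-payment", "inv-1042", "2024-05-01T10:00:00Z"}
	sig := SignEvent(priv, ev)
	genuineOK = VerifyEvent(pub, ev, sig)

	tampered := ev
	tampered.Object = "inv-9999" // altering one field breaks the signature
	tamperedOK = VerifyEvent(pub, tampered, sig)

	// The auditor, who shares the HMAC key, writes a record alice never
	// created and tags it with that key; the tag verifies, so the MAC alone
	// cannot prove alice did anything.
	shared := []byte("constructed-shared-key-for-demo")
	forged := AuditEvent{"alice", "delete-ledger", "ledger-2024", "2024-05-01T10:05:00Z"}
	forgedMacAccepted = VerifyMac(shared, forged, MacEvent(shared, forged))
	return
}

func main() {
	g, t, f := Demo()
	fmt.Println("genuine signature verifies:", g) // true
	fmt.Println("tampered record verifies:  ", t) // false
	fmt.Println("auditor-forged HMAC accepted:", f) // true
}
```

The practical reading: a log line protected only by a shared-key MAC can be disputed by the subject, while a per-subject signature (with the private key held by that subject alone) cannot. Protecting the private key is therefore part of the nonrepudiation guarantee, not an implementation detail.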
- Which of the following is the most important and distinctive concept in relation to layered security?
Series
Layering is the deployment of multiple security mechanisms in a series. When security restrictions are performed in a series, they are performed one after the other in a linear fashion. Therefore, a single failure of a security control does not render the entire solution ineffective.
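To make the series point concrete, here is an added Go example (not from the original flashcards) that composes three controls two ways. Series requires every layer to pass, so when the authentication layer is replaced by one that has failed open, the authorization and input-filtering layers still deny the hostile request. AnyOf, the composition to avoid, lets a single failed-open layer admit everything. The Request fields, the control logic and the sample requests are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Request is a constructed model of an inbound request; the fields are
// assumptions made for this example.
type Request struct {
	Authenticated bool
	Role          string
	Path          string
	Body          string
}

// Control is one security mechanism. A nil error means the layer passes.
type Control func(Request) error

// RequireAuth is the authentication layer.
func RequireAuth(r Request) error {
	if !r.Authenticated {
		return errors.New("auth: unauthenticated request")
	}
	return nil
}

// RequireAdminForAdminPaths is the authorization layer.
func RequireAdminForAdminPaths(r Request) error {
	if strings.HasPrefix(r.Path, "/admin") && r.Role != "admin" {
		return errors.New("authz: /admin requires the admin role")
	}
	return nil
}

// RejectInjectionPatterns is a crude input-filtering layer standing in for
// a WAF rule set; the patterns are illustrative, not a complete filter.
func RejectInjectionPatterns(r Request) error {
	body := strings.ToLower(r.Body)
	for _, p := range []string{"' or ", "union select", "--"} {
		if strings.Contains(body, p) {
			return fmt.Errorf("filter: suspicious pattern %q", p)
		}
	}
	return nil
}

// FailedOpen stands in for a layer that has broken permissively (rules
// wiped, misconfigured default-allow): it passes everything.
func FailedOpen(Request) error { return nil }

// Series runs the controls one after the other; the request is allowed only
// when every layer passes. If one layer fails open, the remaining layers
// still evaluate the request.
func Series(controls ...Control) Control {
	return func(r Request) error {
		for _, c := range controls {
			if err := c(r); err != nil {
				return err
			}
		}
		return nil
	}
}

// AnyOf is the composition to avoid: passing any single layer is enough, so
// one failed-open layer defeats the whole arrangement. With no controls at
// all it denies, so an empty configuration cannot fail open either.
func AnyOf(controls ...Control) Control {
	return func(r Request) error {
		last := errors.New("no controls configured")
		for _, c := range controls {
			if last = c(r); last == nil {
				return nil
			}
		}
		return last
	}
}

func main() {
	attack := Request{Authenticated: false, Path: "/admin/users", Body: "x' OR 1=1 --"}
	legit := Request{Authenticated: true, Role: "admin", Path: "/admin/users", Body: `{"page":1}`}

	// Authentication has failed open; authorization and filtering remain.
	degraded := Series(FailedOpen, RequireAdminForAdminPaths, RejectInjectionPatterns)
	fmt.Println("series, one layer failed open:", degraded(attack)) // denied by authz
	fmt.Println("series, legitimate admin:     ", degraded(legit))  // <nil>

	anyOf := AnyOf(FailedOpen, RequireAdminForAdminPaths, RejectInjectionPatterns)
	fmt.Println("any-of, one layer failed open:", anyOf(attack)) // <nil>: attack admitted
}
```

The design lesson is that "layered" only delivers its promise when the layers are combined so that each one must independently agree; a configuration where any one control may approve the request has turned defense in depth into a single point of failure.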
- Which of the following is not considered an example of data hiding?
A. Preventing an authorized reader of an object from deleting that object
B. Keeping a database from being accessed by unauthorized visitors
C. Restricting a subject at a lower classification level from accessing data at a higher classification level
D. Preventing an application from accessing hardware directly
Preventing an authorized reader of an object from deleting the object
Preventing an authorized reader of an object from deleting that object is just an example of access control, not data hiding. If you can read an object, it is not hidden from you.
- What is the primary goal of change management?
Preventing security compromises
The prevention of security compromises is the primary goal of change management.
- What is the primary objective of data classification schemes?
To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity
The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity.
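The data hiding card above (restricting a subject at a lower classification level from accessing data at a higher level) and this classification card describe the same mechanism from two sides: labels of sensitivity, and an access check that compares them. The following Go program, added here as an example and not part of the original flashcards, implements that check as a lattice of hierarchical levels plus need-to-know compartments and enforces "no read up". The level names, compartment names and sample labels are constructed for the demonstration.

```go
package main

import "fmt"

// Level is the hierarchical part of a label; higher means more sensitive.
// The level names are constructed for this example.
type Level int

const (
	Public Level = iota
	Internal
	Confidential
	Secret
)

func (l Level) String() string {
	return [...]string{"Public", "Internal", "Confidential", "Secret"}[l]
}

// Label is a classification label: a level plus need-to-know compartments.
type Label struct {
	Level        Level
	Compartments map[string]bool
}

// NewLabel builds a Label from a level and compartment names.
func NewLabel(l Level, comps ...string) Label {
	m := make(map[string]bool, len(comps))
	for _, c := range comps {
		m[c] = true
	}
	return Label{Level: l, Compartments: m}
}

// Dominates reports whether a is at least as sensitive as b in both
// dimensions: a's level is not lower and a holds every compartment of b.
// Two labels may be incomparable (neither dominates the other), which is
// what makes the label set a lattice rather than a simple ranking.
func (a Label) Dominates(b Label) bool {
	if a.Level < b.Level {
		return false
	}
	for c := range b.Compartments {
		if !a.Compartments[c] {
			return false
		}
	}
	return true
}

// CanRead is the "no read up" check: a subject may read an object only when
// the subject's clearance dominates the object's label.
func CanRead(clearance, object Label) bool {
	return clearance.Dominates(object)
}

func main() {
	analyst := NewLabel(Confidential, "finance")
	objects := []Label{
		NewLabel(Internal),                 // lower level, no compartments: readable
		NewLabel(Confidential, "finance"),  // same label: readable
		NewLabel(Secret, "finance"),        // higher level: hidden
		NewLabel(Confidential, "hr"),       // missing compartment: hidden
		NewLabel(Public, "hr"),             // lower level but missing compartment: still hidden
	}
	for _, o := range objects {
		fmt.Printf("clearance %v%v reads %v%v: %v\n",
			analyst.Level, keys(analyst), o.Level, keys(o), CanRead(analyst, o))
	}
}

// keys renders compartments for printing.
func keys(l Label) []string {
	out := make([]string, 0, len(l.Compartments))
	for c := range l.Compartments {
		out = append(out, c)
	}
	return out
}
```

The last case is the one worth remembering: a Public document tagged with the hr compartment is hidden from a Confidential-cleared analyst who lacks that compartment, because dominance is decided on both axes, not on level alone.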