Chapter 1: Security Principles

Question 1

Vulnerability

Answer 1

Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.

Question 2

Risk

Answer 2

A measure of the extent to which an entity is threatened by a potential circumstance or event.

Question 3

Threat

Answer 3

Any circumstance or event with the potential to adversely impact organisational operations (including mission, functions, image or reputation), organisational assets, individuals, other organisations or the nation through an information system via unauthorised access, destruction, disclosure, modification of information and/or denial of service.

Question 4

Threat Vector

Answer 4

The means by which a threat actor carries out their objectives.

Question 5

Risk Likelihood

Answer 5

The probability that a risk will occur

Question 6

Risk Impact

Answer 6

Risk impact is the potential consequence or damage that a problem can cause if it occurs. It can be measured in terms of financial loss, operational disruption, customer dissatisfaction, reputation damage, legal liability, or any other relevant metric.

Question 7

Risk Identification

Answer 7

Risk identification (RI) is a set of activities that detect, describe and catalog all potential risks to assets and processes that could have negatively impact business outcomes in terms of performance, quality, damage, loss or reputation.

Question 8

Risk Acceptance

Answer 8

Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.

Question 9

Risk Avoidance

Answer 9

Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.

Question 10

Risk Transference

Answer 10

Paying an external party to accept the financial impact of a given risk.

Question 11

Security Controls

Answer 11

Mitigate the impact or reduce the likelihood of the threat happening

Question 12

NIST 800-53

Answer 12

The NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organisations is a set of recommended security and privacy controls for federal information systems and organisations to help meet the Federal Information Security Management Act (FISMA) requirements.

Question 13

PCI-DSS

Answer 13

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.

Question 14

Cost/Benefit Analysis

Answer 14

A cost-benefit analysis is a systematic process that businesses use to analyse which decisions to make and which to forgo.

Question 15

Risk Appetite

Answer 15

Risk appetite is the level of risk that an organisation is willing to accept while pursuing its objectives, and before any action is determined to be necessary in order to reduce the risk.

Question 16

ISC2 Code of Ethics Canons

Answer 16

• Protect society, the common good, necessary public trust and confidence and the infrastructure
• Act honorably, honestly, justly, responsibly and legally
• Provide diligent and competent service to principals
• Advance and protect the profession

Question 17

Risk Tolerance

Answer 17

The level of risk or degree of uncertainty that is acceptable to organisations. The organisation’s or stakeholder’s readiness to bear the remaining risk after risk response in order to achieve its objectives, with the consideration that such tolerance can be influenced by legal or regulatory requirements.

Question 18

Rootkits

Answer 18

A rootkit is software used by cybercriminals to gain control over a target computer or network. Rootkits can sometimes appear as a single piece of software but are often made up of a collection of tools that allow hackers administrator-level control over the target device.

A rootkit tries to maintain root-level access while concealing malicious activity. It typically creates a backdoor and attempts to remain undetected by anti-malware software. A rootkit is active while the system is running.

Question 19

Cross-Site Scripting

Answer 19

Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.

Question 20

Risk Management

Answer 20

Cybersecurity risk management is an ongoing process of identifying, analysing, evaluating, and addressing your organisation’s cybersecurity threats. Cybersecurity risk management isn’t simply the job of the security team; everyone in the organisation has a role to play.