Chapter 11 – Legal and Compliance Part II

Question 1

What are KRIs (Key Risk Indicators)?

Answer 1

Metrics used by an organization to inform management of impending negative impacts to operations; involves algorithms and rating systems ascribed to factors selected by analysts and management for an early-warning system.

Question 2

What are KPIs (Key Performance Indicators)?

Answer 2

Backward-looking metrics to gauge business critical initiatives, objectives, or goals; measurable benchmarks against defined goals.

Question 3

What is Risk Appetite/Tolerance?

Answer 3

How the organization views risks; senior management dictates the amount of risk an organization is willing to take.

Question 4

What are Risk Profiles?

Answer 4

Comprehensive analysis of the possible risks to the organization; includes a survey of various operations the organization is engaged in, public perception, pending legislation, and stability of countries where the organization operates.

Question 5

What are Physical Controls?

Answer 5

Physical access to assets that reduces the impact of a physical event; examples include locks, fire suppression, fences, and guards.

Question 6

What are Technical Controls?

Answer 6

Also known as logical controls; controls that enhance the CIA triad; examples include encryption, ACLs, audit trails, and logs.

Question 7

What are Administrative Controls?

Answer 7

Processes and activities that provide aspects of security; examples include background checks, scheduled log reviews, mandatory vacations, and robust security policies.

Question 8

What is the Risk Management Framework (RMF)?

Answer 8

A structured approach to managing risk, including standards like ISO 31000:2018 and NIST SP 800-37.

Question 9

What is ISO 31000:2018?

Answer 9

An international standard focusing on designing, implementing, and reviewing risk management processes and practices.

Question 10

What is NIST SP 800-37?

Answer 10

A methodology for handling all organizational risk in a holistic, comprehensive, and continual manner; relies on automated solutions.

Question 11

What is ENISA?

Answer 11

The EU Agency for Network and Information Security; responsible for producing guidelines on cloud computing security risks.

Question 12

What is COBIT?

Answer 12

A framework for developing, implementing, monitoring, and improving IT governance and management practices.

Question 13

What is ISO/IEC 31010:2009?

Answer 13

A standard for risk management techniques.

Question 14

What are Risk Management Metrics?

Answer 14

A scale used to evaluate risk levels: 5 – Critical; 4 – High; 3 – Moderate; 2 – Low; 1 – Minimal.

Question 15

What is ISO/IEC 15408-1:2009?

Answer 15

Common Criteria Assurance Framework providing assurances for security claims by vendors.

Question 16

What is ISO 28000:2007?

Answer 16

A standard that applies to security controls in supply chains.

Question 17

What is CSA STAR?

Answer 17

A framework for evaluating cloud providers; registry of security controls designed for vendor management.

Question 18

What is CCM (Cloud Controls Matrix)?

Answer 18

A list of security controls and principles appropriate for cloud environments, cross-referenced to other control frameworks.

Question 19

What is CAIQ (Consensus Assessments Initiative Questionnaire)?

Answer 19

A self-assessment by cloud providers detailing evaluation of practice areas and control groups.

Question 20

What are the levels of the CSA STAR Program?

Answer 20

Level One: Self-Assessment; Level Two: CSA STAR Attestation; Level Three: CSA STAR Continuous Monitoring.

Question 21

What is PKI?

Answer 21

A framework of programs, procedures, communication protocols, and public key cryptography that enables secure communication.

Question 22

What is OWASP?

Answer 22

An international nonprofit that focuses on identifying software vulnerabilities and educating developers in secure coding practices.

Question 23

What are some common software vulnerabilities identified by OWASP?

Answer 23

Broken Access Control; Cryptographic Failures; Injection; Insecure Design; Security Misconfiguration; Vulnerable and Outdated Components; Identification and Authentication Failures; Software and Data Integrity Failures; Security Logging and Monitoring Failures; Server-Side Request Forgery (SSRF).

Question 24

What are Joint Operating Agreements?

Answer 24

Agreements that provide nearby relocation sites to limit disruption to the organization’s own facility.

Question 25

What is the OSI Model?

Answer 25

A model consisting of seven layers: Physical; Data Link; Network; Transport; Session; Presentation; Application.

Question 26

What is SSO?

Answer 26

Single Sign-On; allows a user to access multiple applications with a single set of credentials.

Question 27

What is the Cross-Certification Model?

Answer 27

A model where every participating organization must review and approve every other organization; does not scale well.

Question 28

What is FPE (Format-Preserving Encryption)?

Answer 28

A technique used to scramble data while keeping its structural arrangement.

Question 29

What are Logging Levels?

Answer 29

Levels of logging: OFF > FATAL > ERROR > WARN > INFO > DEBUG > TRACE > ALL.

Question 30

What does the OFF logging level do?

Answer 30

Turns off logging.

Question 31

What does the FATAL logging level indicate?

Answer 31

Indicates a serious problem or corruption; the application is about to stop.

Question 32

What does the ERROR logging level indicate?

Answer 32

Indicates an inability to access a service/file; a severe issue is stopping functions within the application.

Question 33

What does the WARN logging level indicate?

Answer 33

Indicates an unexpected application problem.

Question 34

What does the INFO logging level indicate?

Answer 34

Indicates normal behavior of applications.

Question 35

What does the DEBUG logging level provide?

Answer 35

Provides detailed diagnostic information for troubleshooting.

Question 36

What does the TRACE logging level capture?

Answer 36

Captures all details about application behavior, including events in third-party libraries.

Question 37

What does the ALL logging level show?

Answer 37

Shows all or custom-defined logs.

Question 38

What is the Management Plane?

Answer 38

Technology that allows an admin to remotely manage a fleet of servers and configure cloud resources.

Question 39

Who is the Information Commissioner?

Answer 39

Responsible for enforcing the UK’s GDPR and offering advice to groups whose information is held.

Question 40

What is the NIS Directive (EU2016/1148)?

Answer 40

The first piece of EU-wide cybersecurity legislation; requires notification to competent authorities.

Question 41

What is NIST 800-145?

Answer 41

The NIST definition of Cloud Computing; describes a model for enabling on-demand network access to shared computing resources.

Question 42

What is NIST 800-146?

Answer 42

Describes cloud computing benefits and guidelines for organizations regarding opportunities and risks.

Question 43

What are Functional requirements?

Answer 43

Performance aspects necessary for a business task; e.g., a salesperson must connect to the organization’s network remotely.

Question 44

What are Nonfunctional requirements?

Answer 44

Aspects that are desired but not necessary for a business task; e.g., the remote connection must be secure.

Question 45

What are DFDs (Data Flow Diagrams)?

Answer 45

Useful in systems/software engineering to establish functional requirements before technology selection.

Question 46

What is Eucalyptus?

Answer 46

Software for building AWS-compatible private/hybrid cloud computing environments; supports multitenancy.

Question 47

What is ISO/IEC 17788?

Answer 47

An overview of cloud computing and a set of terms and definitions.

Question 48

What is NIST 500-292?

Answer 48

Guidance on the adoption of cloud computing into the Federal Government.

Question 49

What is Metastructure?

Answer 49

Protocols and mechanisms that provide the interface between the infrastructure layer and other layers.

Question 50

What is PRE (Proxy Re-Encryption)?

Answer 50

Allows a proxy to convert ciphertext encrypted under one key into an encryption of the same message under another key.

Question 51

What is Software-Defined Infrastructure?

Answer 51

Technical computing infrastructure entirely under the control of software with no human intervention.

Question 52

What is Chaos Engineering?

Answer 52

A method of testing software that introduces failure scenarios to verify resilience.

Question 53

What is Microsoft's Security Development Lifecycle (SDL)?

Answer 53

A software development process aimed at reducing security issues and vulnerabilities.

Question 54

What is NIST 800-92?

Answer 54

Guidance on log management.

Question 55

What is NIST 800-40?

Answer 55

Guidance on enterprise patch management planning.

Question 56

What are the types of backups?

Answer 56

Full, Copy, Differential, Incremental.

Question 57

What is a Differential backup?

Answer 57

Backs up all data changed since the last full backup; quicker than a full backup but uses more storage until the next full backup.

Question 58

What is an Incremental backup?

Answer 58

Backs up data that changed since the last backup; time-consuming to restore data.