Chapter 2: Asset Security

Question 1

Senior/Exec Management

Answer 1

CEO, CFO, CIO, ISO - infosec officer`

Question 2

Steering Committee

Answer 2

Define Risks, Objectives and Approaches.

Question 3

Auditors

Answer 3

Evaluates Business Processes

testable should answer to an independent enity in org such as the CEO have them aligned with him.

Question 4

Data Owner

Answer 4

Classifies Data - determines the classification of data

Question 5

Data Custodian

Answer 5

Day to day maintenance of data

Question 6

Network Admin

Answer 6

Ensures Availability of network resources

not to be security admin need to be different.

Question 7

Security Administrator

Answer 7

Responsible for all security-related tasks, focusing on Confidentiality and Integrity.
can’t be network admin…

Question 8

Information Security Officer - ISO

Answer 8

responsible for providing CIA for all assets
communicates risks to senior management
recommends best practices
establish security measurements
compliance  with gov and industries
awareness of emerging threats

Question 9

the C’s of Classification

Answer 9

Cost - value of data
classify - criteria for classification
controls - determines baseline security config for each

Question 10

what is purpose of classification?

Answer 10

to drive what controls needs to be in place to protect he info

Question 11

consideration for asset value

Answer 11

value to org
loss if compromised
legislative drivers
liabilities

Question 12

sensitivity

Answer 12

describes the amount of damage that would be done should the info be disclosed

Question 13

criticality

Answer 13

describes the time sensitivity of the data. how much revenue will be lost when something is down.

Question 14

3 states of data

Answer 14

at rest - File system encryptions, efs, tpm
in process -
in transit

Question 15

EFS

Answer 15

windows encryption might be vurnerable because you can put drive in different type of computer.

Question 16

TPM

Answer 16

trusted platform module. encryption is on the key on the motherboard. if hard drive is stolen… - PGP is one etc.

Question 17

data in process

Answer 17

screen protectors…physical secuirty

Question 18

data in transit

Answer 18

use secure protocols - tls, ssl, ipsec

Question 19

System Hardening

Answer 19

remove unnecessary services
installing latest service packs and patches
rename default accts
change default settings
enabling security configs like auditing, firewalls, updates etc.
don’t forget physical security.

Question 20

Config Management

Answer 20

Defined by ISC2 as “ a process of id’ing and documenting hardware components, software and the associated settings”

controlling changes made to servers and documenting it…

Question 21

TCB

Answer 21

Trusted computing base

Question 22

Change Management

Answer 22

Admin control policy - should be incorporated into org. policy.
only approved changes will be implemented.
ultimate goal is system stability.
DON’T FIX PROBLEMS
do not make changes…

Question 23

change management process

Answer 23

request submittal
risk assessment
approval or rejection
testing
scheduling
implementaion
validation 
documentation

Question 24

patch management

Answer 24

a process to prioritze patches …etc. below change management…