Chapter 2 - Design Requirements Flashcards

1
Q

Gathering business requirements can aid the organization in determining all of this information about organizational assets, except:

A. Full Inventory
B. Usefulness
C. Value
D. Criticality

A

B. When we gather information about business requirements, we need to do a complete inventory, receive accurate valuation of assets (usually from owners of those assets), and assess criticality; this collection of information does not tell us, objectively, how useful an asset is.

2
Q

The BIA can be used to provide information about all of the following except:

A. Risk Analysis
B. Secure Acquisition
C. BC/DR planning
D. Selection of Security Controls

A

B. The business impact analysis gathers asset valuation information that is beneficial for risk analysis and selection of security controls (it helps avoid putting the ten-dollar lock on the five-dollar bicycle), and criticality information that helps in BC/DR planning by letting the organization understand which systems, data, and personnel are necessary to continuously maintain. However, it does not aid secure acquisition efforts, since the assets examined by the BIA have already been acquired.

3
Q

In which cloud service model is the customer required to maintain the OS?

A. CaaS
B. SaaS
C. PaaS
D. IaaS

A

D. In IaaS, the provider delivers compute, storage, and network capacity (virtualized or bare metal); the customer installs the OS and the software on top of it and is responsible for patching and maintaining that OS. In the other models, the provider installs and maintains the OS.

4
Q

In which cloud service model is the customer required to maintain and update only the applications?

A. CaaS
B. SaaS
C. PaaS
D. IaaS

A

C. In PaaS, the provider supplies the hardware, connectivity, and OS; the customer installs and maintains applications. In IaaS, the customer must also install the OS, and in SaaS, the provider supplies and maintains the applications.

5
Q

In which cloud service model is the customer only responsible for the data?

A. CaaS
B. SaaS
C. PaaS
D. IaaS

A

B. SaaS is the model in which the customer supplies only the data; in the other models, the customer also supplies the OS, the application, or both.

6
Q

The cloud customer and provider negotiate their respective responsibilities and rights regarding the capabilities and data of the cloud service. Where is the eventual agreement codified?

A. RMF
B. Contract
C. MOU
D. BIA

A

B. The contract codifies the rights and responsibilities of the parties once negotiation is complete. The RMF aids in risk analysis and design of the environment. An MOU records a (usually non-binding) understanding between parties and is not the instrument that codifies contractual rights and responsibilities.

7
Q

In attempting to provide a layered defense, the security practitioner should convince senior management to include security controls of which type?

A. Technological
B. Physical
C. Administrative
D. All of the above

A

D. Layered defense calls for a diverse approach to security: controls of all three types, so that a weakness in one layer is covered by another.

8
Q

Which of the following is considered administrative control?

A. Access control process
B. Keystroke logging
C. Door locks
D. Biometric Authentication

A

A. A process is an administrative control; sometimes the process includes elements of other control types (in this case, the access control mechanism itself might be a technical control, or it might be a physical control), but the process itself is administrative. Keystroke logging is a technical control (or an attack, if done for malicious purposes rather than for auditing); door locks are a physical control; and biometric authentication is a technological control. This is a tricky question.

9
Q

Which of the following is considered a technological control?

A. Firewall software
B. Fireproof safe
C. Fire extinguisher
D. Firing personnel

A

A. A firewall is a technological control. The safe and the extinguisher are physical controls, and firing someone is an administrative control.

10
Q

Which of the following is considered a physical control?

A. Carpets
B. Ceilings
C. Doors
D. Fences

A

D. Fences are physical controls; carpets and ceilings are architectural features, and a door is not necessarily a control; the lock on the door would be the physical security control. Although you might think of a door as a potential answer, the best answer is the fence; the exam will have questions with more than one defensible answer, and the answer that scores points is the one that is most correct.

11
Q

In a cloud environment, encryption should be used for all of the following, except:

A. Long-term storage of data
B. Near-term storage of virtualized images
C. Secure sessions/VPN
D. Profile formatting

A

D. All of these activities should incorporate encryption, except for profile formatting, which is a made-up term.

12
Q

The process of hardening a device should include all of the following, except:

A. Improve default accounts
B. Close unused ports
C. Delete unnecessary services
D. Strictly control administrative access

A

A. We don’t want to improve default accounts; we want to remove them (or, where the platform does not allow removal, disable them and replace their default credentials). All of the other options are steps we take to harden devices.

13
Q

The process of hardening a device should include which of the following?

A. Encrypting the OS
B. Updating and patching the system
C. Using video cameras
D. Performing thorough personnel background checks

A

B. Updating and patching the system helps harden the system. Encrypting the OS is a distractor: encryption protects the confidentiality of stored data, but it does not reduce the attack surface of the running system, which is what hardening means. Video cameras are a security control, but not one used to harden a device. Background checks are good for vetting personnel, but not for hardening devices.

14
Q

What is an experimental technology that is intended to create the possibility of processing encrypted data without having to decrypt it first?

A

A. Homomorphic encryption aims to achieve that goal: an operation performed on ciphertexts yields the encryption of the result of the corresponding operation on the plaintexts, so the data is never exposed to the party doing the processing. The other options are terms that have almost nothing to do with encryption.
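The property card 14 describes can be shown concretely with an additively homomorphic scheme. The following is an added example, not code from the flashcard set or the book it summarizes: a minimal Paillier implementation in which an untrusted aggregator sums encrypted values it can never read, and the key holder decrypts only the total. The primes, the function names and the sample values are assumptions chosen for illustration; the key size is a toy and provides no real security.

```python
"""Additively homomorphic encryption (Paillier): add and scale ciphertexts
without decrypting them. Toy key size for illustration only; not secure."""
from dataclasses import dataclass
from math import gcd
from secrets import randbelow
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class PublicKey:
    n: int   # modulus p*q; plaintexts live in Z_n, ciphertexts in Z_{n^2}
    g: int   # generator, the usual choice g = n + 1


@dataclass(frozen=True)
class PrivateKey:
    lam: int  # lcm(p-1, q-1)
    mu: int   # L(g^lam mod n^2)^-1 mod n


def _L(u: int, n: int) -> int:
    # L(u) = (u - 1) / n; exact because every u passed in is congruent to 1 mod n
    return (u - 1) // n


def keygen(p: int, q: int) -> Tuple[PublicKey, PrivateKey]:
    """Key pair from two distinct primes with gcd(pq, (p-1)(q-1)) = 1."""
    if p == q or gcd(p * q, (p - 1) * (q - 1)) != 1:
        raise ValueError("unsuitable primes")
    n = p * q
    g = n + 1
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)
    return PublicKey(n, g), PrivateKey(lam, mu)


def encrypt(pk: PublicKey, m: int, r: Optional[int] = None) -> int:
    """c = g^m * r^n mod n^2; r is fresh randomness coprime to n (fixable for tests)."""
    if not 0 <= m < pk.n:
        raise ValueError("plaintext out of range")
    n2 = pk.n * pk.n
    while r is None or gcd(r, pk.n) != 1:
        r = randbelow(pk.n - 1) + 1
    return pow(pk.g, m, n2) * pow(r, pk.n, n2) % n2


def decrypt(pk: PublicKey, sk: PrivateKey, c: int) -> int:
    """m = L(c^lam mod n^2) * mu mod n."""
    n2 = pk.n * pk.n
    return _L(pow(c, sk.lam, n2), pk.n) * sk.mu % pk.n


def add_encrypted(pk: PublicKey, c1: int, c2: int) -> int:
    """Enc(m1) * Enc(m2) decrypts to m1 + m2 (mod n): addition under encryption."""
    return c1 * c2 % (pk.n * pk.n)


def scale_encrypted(pk: PublicKey, c: int, k: int) -> int:
    """Enc(m)^k decrypts to k * m (mod n): multiplication by a known constant."""
    return pow(c, k, pk.n * pk.n)


def encrypted_total(pk: PublicKey, ciphertexts: Iterable[int]) -> int:
    """What an untrusted aggregator runs: it sums values it can never read."""
    total = encrypt(pk, 0)
    for c in ciphertexts:
        total = add_encrypted(pk, total, c)
    return total


if __name__ == "__main__":
    pk, sk = keygen(10007, 10009)   # assumed toy primes; real keys use ~1024-bit primes
    salaries = [52000, 61000, 48000]  # constructed sample values
    blobs = [encrypt(pk, s) for s in salaries]
    print(decrypt(pk, sk, encrypted_total(pk, blobs)))
```

Two caveats a practitioner should keep in mind. Paillier supports only addition of ciphertexts and multiplication by a known constant, and every result is reduced modulo n, so sums that exceed n silently wrap. Schemes that allow arbitrary computation (fully homomorphic encryption) exist but remain orders of magnitude slower than computing on plaintext, which is why the card calls the technology experimental.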

15
Q

Risk appetite for an organization is determined by which of the following?

A. Appetite evaluation
B. Senior management
C. Legislative mandates
D. Contractual agreement

A

B. Senior management decides the risk appetite of the organization.

16
Q

What is the risk left over after the controls and countermeasures are put in place?

A. Null
B. High
C. Residual
D. Contractual agreement

A

C. This is the definition of the term.

17
Q

All of the following are ways of addressing risk, except:

A. Acceptance
B. Reversal
C. Mitigation
D. Transfer

A

B. Reversal is not a method for handling risk; the recognized responses are acceptance, avoidance, mitigation, and transference.

18
Q

To protect data on user devices in BYOD environment, the organization should consider requiring all of the following except:

A. DLP agents
B. Local encryption
C. Multifactor authentication
D. Two-person integrity

A

D. Although all the other options are ways to harden a mobile device, two-person integrity is a concept that has nothing to do with the topic, and, if implemented, would require everyone in the organization to walk around in pairs while using their mobile devices.

19
Q

Devices in the cloud datacenter should be secure against attack. All of the following are means of hardening devices, except:

A. Using a strong password policy
B. Removing default passwords
C. Strictly limiting physical access
D. Removing all admin accounts

A

D. Although the rest of the options are good tactics for securing devices, we can’t remove all admin accounts; the device will need to be administered at some point, so at least one such account must remain, and that account is what we restrict and monitor.
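Cards 12, 13 and 19 together list what device hardening consists of: remove default accounts and default passwords, close unused ports, delete unnecessary services, and strictly control administrative access. The following is an added example, not code from the flashcard set or the book it summarizes: a small audit that checks a host snapshot against that checklist and reports each deviation. The policy sets (allowed ports and services, vendor default account names) and every input extract are constructed for the example, not taken from a real host.

```python
"""Audit a host snapshot against the hardening checklist in cards 12, 13 and 19:
default accounts, unused ports, unnecessary services and controlled admin access.
Every input below is a constructed sample, not data taken from a real host."""
from typing import List, Set, Tuple

Finding = Tuple[str, str]  # (check name, detail)

# Assumed policy for the example host: what is allowed to remain after hardening.
ALLOWED_PORTS: Set[int] = {22, 443}
ALLOWED_SERVICES: Set[str] = {"sshd.service", "nginx.service"}
DEFAULT_ACCOUNTS: Set[str] = {"admin", "guest", "pi", "ubnt"}  # assumed vendor defaults
NOLOGIN_SHELLS: Set[str] = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed extracts of /etc/passwd, /etc/shadow (hashes abbreviated),
# `ss -tln`, `systemctl list-unit-files` and /etc/sudoers.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:vendor default:/home/admin:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$salt$hash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
admin:$6$salt$hash:19700:0:99999:7:::
guest::19700:0:99999:7:::
toor:$6$salt$hash:19700:0:99999:7:::
"""
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*
LISTEN  0       128     [::]:111            [::]:*
"""
SAMPLE_UNITS = """\
sshd.service   enabled
telnet.socket  enabled
cups.service   enabled
nginx.service  enabled
"""
SAMPLE_SUDOERS = """\
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL:ALL) ALL
guest   ALL=(ALL) NOPASSWD: ALL   # left behind by an installer
"""

def check_accounts(passwd: str, shadow: str) -> List[Finding]:
    """Default accounts that can still log in, extra uid-0 accounts, empty passwords."""
    findings = []
    for line in passwd.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if name in DEFAULT_ACCOUNTS and shell not in NOLOGIN_SHELLS:
            findings.append(("default-account", f"{name} exists with login shell {shell}"))
        if uid == "0" and name != "root":
            findings.append(("extra-uid0", f"{name} has uid 0"))
    for line in shadow.splitlines():
        name, hashed = line.split(":")[:2]
        if hashed == "":  # empty hash field: login with no password at all
            findings.append(("empty-password", f"{name} has no password set"))
    return findings

def check_ports(ss_output: str) -> List[Finding]:
    """Listening sockets on non-loopback addresses outside the allow-list."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, port = fields[3].rsplit(":", 1)
        if addr in ("127.0.0.1", "[::1]"):
            continue  # loopback-only: not reachable from the network
        if int(port) not in ALLOWED_PORTS:
            findings.append(("open-port", f"{addr}:{port} listening"))
    return findings

def check_services(unit_files: str) -> List[Finding]:
    """Enabled units that are not on the allow-list."""
    return [("unneeded-service", f"{f[0]} is enabled")
            for f in (ln.split() for ln in unit_files.splitlines())
            if len(f) >= 2 and f[1] == "enabled" and f[0] not in ALLOWED_SERVICES]

def check_admin_access(sudoers: str) -> List[Finding]:
    """Grants that bypass re-authentication (NOPASSWD) in sudoers."""
    findings = []
    for raw in sudoers.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())  # drop comment, squeeze spaces
        if "NOPASSWD" in line:
            findings.append(("sudo-nopasswd", line))
    return findings

def audit(passwd: str, shadow: str, ss_output: str, units: str, sudoers: str) -> List[Finding]:
    return (check_accounts(passwd, shadow) + check_ports(ss_output)
            + check_services(units) + check_admin_access(sudoers))

if __name__ == "__main__":
    for check, detail in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SS, SAMPLE_UNITS, SAMPLE_SUDOERS):
        print(f"[{check}] {detail}")
```

Against the constructed snapshot the audit reports the two vendor accounts that still have a login shell, the passwordless `guest` account, the second uid-0 account `toor`, telnet and rpcbind ports open to the network, two enabled services outside the allow-list, and the NOPASSWD sudo grant. Note that the audit does not flag the single remaining `root` account: as card 19 says, an administrative account must exist, and hardening restricts it rather than removes it.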

20
Q

Which of the following best describes risk?

A. Preventable
B. Everlasting
C. The likelihood that a threat will exploit a vulnerability
D. Transient

A

C. Option C is the definition of risk, and risk is never preventable; it can be obviated, attenuated, reduced, and minimized, but never completely prevented. A risk may be everlasting or transient, so the risk itself is not limited to being either.

21
Q

Which is one of the main ways organizations address risks?

A. Compromise
B. Transference
C. Rejection
D. Repudiation

A

B. Transference is one of the main ways organizations address risks.