Chapter 2 (Domain 1)

Question 1

IAM

Answer 1

Identity and Access Management

System of an organization which will provision the account and assign necessary privileges and access.

Question 2

AUP

Answer 2

Acceptable Use Policy
Policy that users must understand and sign to adhere to the necessary policies related to their perspective job position.

Question 3

Asset

Answer 3

Anything used in a business process or task. Person, place, or thing.

Question 4

Asset Valuation

Answer 4

Value assigned to an asset based on a number of factors.

Question 5

Threats

Answer 5

Any potential occurrence that may cause and undesirable or unwanted outcome for an organization or for a specific asset.

Question 6

Threat Agent/Actors

Answer 6

Intentionally exploit vulnerabilities. Usually people but can be programs, hardware, or systems.

Question 7

Threat Events

Answer 7

Accidental occurrence or intentional exploitations of vulnerabilities.

Question 8

Threat Vector

Answer 8

AKA Attack Vector. The path or means by which an attack or attacker can gain access to a target in order to cause harm.

Question 9

Vulnerability

Answer 9

The weakness in an asset or the absence or the weakness of a safeguard or countermeasure is a vulnerability.

Question 10

Exposure

Answer 10

Being susceptible to asset loss because of a threat

Question 11

Risk

Answer 11

The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result.
Risk = Threat * Vulnerability
Risk = Probability of harm * Severity of harm

Question 12

Safeguards

Answer 12

Security control, protection mechanism, or countermeasure that removes/reduces the vulnerability or protects against one or more specific threats.

Question 13

Attack

Answer 13

An attack is the intentional attempted exploitation of a vulnerability by a threat agent to cause damage, loss, or disclosure of assets.

Question 14

Breach

Answer 14

Breach, intrusion, or penetration is the occurrence of a security mechanism being bypassed or thwarted by a threat agent.

Question 15

Delphi Technique

Answer 15

An anonymous feedback-and-response process used to enable a group to reach an anonymous consensus.

Question 16

Single-loss Expectancy (SLE)

Answer 16

SLE = Asset Value (AV) * Exposure Factor (EF)

Question 17

Annual Loss Expectancy (ALE)

Answer 17

ALE = ARO * SLE
ALE = ARO * AV * EF

Question 18

Risk Mitigation

Answer 18

The implementation of safeguards, security controls, and countermeasures to reduce and/or eliminate vulnerabilities or block threats.

Question 19

Risk Assignment

Answer 19

Assignment/Transferring is the placement of the responsibility of loss due to a risk onto another entity or organization. ie… insurance

Question 20

Risk Deterrence

Answer 20

Process of implementing deterrents to would-be violators of security and policy.

Question 21

Risk Avoidance

Answer 21

Is the process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option.

Question 22

Risk Acceptance

Answer 22

The result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due wot a risk.

Question 23

Risk Rejection

Answer 23

Ignoring the risk.

Question 24

Inherent risk

Answer 24

The level of natural, native , or default risk that exists in an environment, system, or product prior to any risk management efforts being performed.

Question 25

Residual Risk

Answer 25

Consists of threats to specific assets against which upper management chooses not to implement a response.
Total risk - Control Gap = Residual risk

Question 26

Control Gap

Answer 26

Difference between residual risk and total risk

Question 27

Total Risk

Answer 27

Amount of risk an organization would face if no safeguards were in place.
Total Risk = asset value * vulnerabilities * threats

Question 28

Annual Cost of Safeguards (ACS)

Answer 28

Cost each year to implement safeguards

Question 29

Cost/Benefit Analysis

Answer 29

Calculation used to determine whether the safeguard actually improves security without costing too much.
[ALE pre-safeguard - ALE post-safeguard] - annual cost of safeguard (ACS) = value of the safeguard to the company

Question 30

Three categories of security controls

Answer 30

Administrative
Logical/Technical
Physical

Question 31

Administrative Controls

Answer 31

The policies and procedures defined by an organization’s security policy and other regulations or requirements.

Question 32

Logical/Technical Controls

Answer 32

Involves the hardware or software mechanisms used to manage access and provide protection for the IT resources and systems.

Question 33

Physical Controls

Answer 33

Security mechanisms focused on providing protections to the facility and real-world objects.

Question 34

Preventative Control

Answer 34

Deployed to thwart or stop unwanted or unauthorized activity from occurring.

Question 35

Deterrent Control

Answer 35

Deployed to discourage security Policy violations.

Question 36

Detective Control

Answer 36

Deployed to discover or detect unwanted or unauthorized activity.

Question 37

Compensating Control

Answer 37

Deployed to provide various options to other existing controls to aid in enforcement and support of security policies.

Question 38

Corrective Control

Answer 38

Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred.

Question 39

Recovery Control

Answer 39

An extension of corrective controls but have more advanced or complex abilities.

Question 40

Directive Control

Answer 40

Deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.

Question 41

Security Control Assessment (SCA)

Answer 41

Formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectations.

Question 42

Risk Reporting

Answer 42

A key task to perform at the conclusion of a risk analysis. Risk reporting involves the production of a risk report and a presentation of that report to the interested/relevant parties.

Question 43

Risk Register

Answer 43

Risk log. Document that inventories all the identified risks to an organization or system or within an individual project.
Tracked activities:
-Identifying risks
-Evaluating the severity of and prioritizing those risks
-Prescribing responses to reduce or eliminate the risks
-Tracking the progress of risk mitigation

Question 44

Risk Matrix

Answer 44

Risk Heat Map. Form of risk assessment that is performed on a basic graph or chart.

• Qualitative
• 3x3 grid

Question 45

Risk Maturity Model (RMM)

5 Levels

Answer 45

Assess the key indicators and activities of a mature, sustainable, and repeatable risk management process.

1) Ad hoc- Chaotic starting point from which risk management is initiated
2) Preliminary - Loose attempts are made to follow risk management process
3) Defined - A common or standardized risk framework is adopted organization wide.
4) Integrated - Risk Management operations are integrated into business processes.
5) Optimized - Risk management focus on achieving objectives

Question 46

Prepending

Answer 46

The adding of a term, expression, or phrase to the beginning or header of some other communication. Ex… RE:, FW:, EXTERNAL, PRIVATE, INTERNAL

Question 47

Smishing

Answer 47

Short Message Service (SMS) phishing. Phishing over text messages.

Question 48

Vishing/SpIt

Answer 48

Phishing done over any telephony or voice communication system.

Question 49

Tailgating

Answer 49

When an unauthorized entity gains access to a facility under the authorization of a valid worker but WITHOUT their knowledge.

Question 50

Piggybacking

Answer 50

When an unauthorized entity gains access to a facility under the authorization of a valid worker by tricking the victim into providing consent.

Question 51

First step in defining security needs related to personnel and being able to seek out new job hires?

Answer 51

Job description

Question 52

Onboarding

Answer 52

Process of adding new employees to the organization using socialization and orientation.

Question 53

Offboarding

Answer 53

The removal of an employee’s identity from the IAM system once that person has left the organization.

Question 54

Nondisclosure Agreement (NDA)

Answer 54

Used to protect the confidential information within an organization from being disclosed by a former employee.

Question 55

User Behavior Analytics (UBA) and User and Entity Behavior Analytics (UEBA)

Answer 55

Concept of analyzing the behavior of users, subjects, visitors, customers, etc for some specific goal or purpose.

Question 56

What is a security champion?

Answer 56

A member of a group who decides to take charge of leading the adoption and integration of security concepts into the group’s work activities. Not a security team member.

Question 57

What is gamification?

Answer 57

A means to encourage compliance and engagment by integrating common elements of game play into other activities, such as security compliance and behavioral change.