Chapter 2 - IS Governance and Risk Management

Question 1

What are the 3 components that make up the AIC triad?

Answer 1

Availability, integrity, and confidentiality.

Question 2

This type of protection ensures reliability and timely access to data and resources to authorized individuals.

Answer 2

Availability

Question 3

What is upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modification is prevented?

Answer 3

Integrity

Question 4

Strict access controls, intrusion detection, and hashing can combat what types of threats?

Answer 4

Attackers (through a logic bomb, virus, or back door) or mistakes by users compromising the integrity of data.

Question 5

What ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure?

Answer 5

Confidentiality

Question 6

What should prevail when data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination?

Answer 6

Confidentiality

Question 7

What is shoulder surfing?

Answer 7

When a person looks over another person’s shoulder and watches their keystrokes or views data as it appears on a computer screen.

Question 8

What is social engineering?

Answer 8

When one person tricks another person into sharing confidential information.

Question 9

Clustering, load balancing, and a fail-over configuration are examples of which component of the AIC triad?

Answer 9

Availability

Question 10

Hashing, Change Control, Access Control, and software digital signing are examples of which component of the AIC triad?

Answer 10

Integrity

Question 11

Encryption for data at rest, encryption for data in transit, and access control are examples of which component of the AIC triad?

Answer 11

Confidentiality

Question 12

What is a lack of a countermeasure or a weakness in a countermeasure that is in place?

Answer 12

A vulnerability

Question 13

What is a threat?

Answer 13

Any potential danger that is associated with the exploitation of a vulnerability.

Question 14

What is the entity that takes advantage of a vulnerability referred to?

Answer 14

Threat agent

Question 15

What is risk?

Answer 15

The likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.

Question 16

What is exposure?

Answer 16

An instance of being exposed to losses.

Question 17

What is a countermeasure that is put into place to mitigate (reduce) the potential risk?

Answer 17

A control.

Question 18

Control can also be referred to as what 2 other terms?

Answer 18

Countermeasure and safeguard.

Question 19

A threat agent gives rise to what?

Answer 19

A threat.

Question 20

A threat exploits what?

Answer 20

A vulnerability.

Question 21

A vulnerability leads to what?

Answer 21

Risk

Question 22

Risk can damage what?

Answer 22

An asset.

Question 23

Assets cause what?

Answer 23

Exposure

Question 24

Exposure can be countermeasure by what?

Answer 24

A safeguard.

Question 25

A safeguard directly affects what?

Answer 25

A threat agent.

Question 26

What 3 main flavors do control come in?

Answer 26

1) Administrative
2) Technical
3) Physical

Question 27

What are some examples of administrative controls?

Answer 27

Security documentation, risk management, personnel security, and training.

Question 28

Technical controls are also referred to as what?

Answer 28

Logical controls

Question 29

What are some examples of technical controls?

Answer 29

Firewalls, IDS, encryption, identification and authentication mechanisms.

Question 30

What are some examples of physical controls?

Answer 30

Security guards, locks, fencing, and lighting.

Question 31

What is defense-in-depth?

Answer 31

The coordinated use of multiple security controls in a layered approach. A multilayered defense system minimizes the probability of successful penetration and compromise.

Question 32

What are the 6 different functionalities of security controls?

Answer 32

Preventative, detective, corrective, deterrent, recovery, and compensating.

Question 33

What is a deterrent?

Answer 33

Intended to discourage a potential attacker.

Question 34

What is the preventative control functionality?

Answer 34

Intended to avoid an incident from occurring.

Question 35

What is the corrective control functionality?

Answer 35

Fixes components or systems after an incident has occurred.

Question 36

What control functionality is intended to bring the environment back to regular operations?

Answer 36

Recovery

Question 37

What control functionality helps identify an incident’s activities and potentially an intruder?

Answer 37

Detective

Question 38

Which control functionality are controls that provide an alternative measure of control?

Answer 38

Compensating

Question 39

What control types are preventative in nature?

Answer 39

Administrative, physical, and technical

Question 40

What is security through obscurity?

Answer 40

Assuming that your enemies are not as smart as you are and that they cannot figure out something that you feel is very tricky.

Question 41

What is the British Standard 7799 or BS7799?

Answer 41

Outlines how an information security management system should be built and maintained.

Question 42

Who took on the task of expanding and standardizing the BS7799?

Answer 42

ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission)

Question 43

What is the ISO/IEC 27000 series?

Answer 43

Serves as industry best practices for the management of security controls in a holistic manner within organizations around the world.

Question 44

ISO follows a certain iterative process that is commonly used in business process quality control programs. What is this process called?

Answer 44

PDCA - Plan, Do, Check, Act

Question 45

What is an enterprise architecture?

Answer 45

Encompasses the essential and unifying components of an organization. It expresses the enterprise structure (form) and behavior (function).

Question 46

What is the difference between a framework and an actual architecture?

Answer 46

The framework is a guideline on how to build an architecture that best fits a company’s needs.

Question 47

What does the enterprise architecture attempt to accomplish?

Answer 47

Providing an understanding of the entity holistically.

Question 48

Which architecture framework uses a two-dimensional model that uses six basic communication interrogatives (What, How, Where, Who, When, and Why) intersecting with different viewpoints (Planner, Owner, Designer, Builder, Implementer, and Worker) to give a holistic understanding of the enterprise?

Answer 48

The Zachman framework.

Question 49

Which enterprise architecture framework has its origins in the U.S. Department of Defense?

Answer 49

The Open Group Architecture Framework (TOGAF)

Question 50

TOGAF is a framework that can be used to develop what architecture types?

Answer 50

1) Business Architecture
2) Data Architecture
3) Applications Architecture
4) Technology Architecture

Question 51

What is the Architecture Development Method or ADM?

Answer 51

This method is an interactive and cyclic process that allows requirements to be continuously reviewed and the individual architectures updated as needed.

Question 52

What are 2 military-oriented Architecture Frameworks?

Answer 52

1) Department of Defense Architecture Framework (DoDAF)

2) British Ministry of Defense Architecture Framework (MODAF)

Question 53

What is an enterprise security architecture?

Answer 53

A subset of an enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally.

Question 54

What security architecture is a layered model with its first layer defining business requirements from a security perspective?

Answer 54

Sherwood Applied Business Security Architecture (SABSA)

Question 55

For an enterprise security architecture to be successful in its development and implementation, what 4 items must be understood and followed?

Answer 55

1) Strategic Alignment
2) Process Enhancement
3) Business Enablement
4) Security Effectiveness

Question 56

What does strategic alignment mean?

Answer 56

The business drivers and the regulatory and legal requirements are being met by the security enterprise architecture.

Question 57

What 3 business systems must work together in a concerted effort to prevent deficiencies and imbalances in the organization?

Answer 57

Business, IT, and Security

Question 58

What is the difference between ISMS and a Security Enterprise Architecture?

Answer 58

The ISMS outlines the controls that need to be put into place and provides direction on how those controls should be managed throughout their lifecycle. The Enterprise Security Architecture illustrates how these components are to be integrated into the different layers of the current business environment.

Question 59

What means that the core business processes are integrated into the security operating model - they are standards-based and follow a risk tolerance criteria?

Answer 59

Business enablement

Question 60

What is process enhancement?

Answer 60

Improving processes to increase productivity.

Question 61

Business enablement means “we can do new stuff”, what does process enhancement mean?

Answer 61

“We can do stuff better”

Question 62

What is the difference between enterprise architectures and system architectures?

Answer 62

A system architecture addresses the structure of software and computing components while the enterprise architecture addresses the structure of the organization.

Question 63

What’s a good analogy when comparing system and enterprise architecture?

Answer 63

The solar system. The enterprise view is looking at the entire solar system while the system view is looking at the individual planets.

Question 64

What is CobiT?

Answer 64

Control Objectives for Information and related Technology. It is a framework and set of control objectives developed by the Information Systems Audit and Control Association and the IT Governance Institute.

Question 65

CobiT is broken down into what 4 domains?

Answer 65

1) Plan and Organize
2) Acquire and Implement
3) Deliver and Support
4) Monitor and Evaluate