Chapter 5 Flashcards
- Discuss and describe the CIA Triad.
The CIA Triad is the combination of confidentiality, integrity, and availability. This term is used to indicate the three key components of a security solution.
- What are the requirements to hold a person accountable for the actions of their user account?
The requirements of accountability are identification, authentication, authorization, and auditing.
Each of these components needs to be legally supportable to truly hold someone accountable for their actions.
- Describe the benefits of change control management.
The benefits of change control management include preventing unwanted security reduction because of uncontrolled change, documenting and tracking all alterations in the environment, standardization, conforming with security policy, and the ability to roll back changes in the event of an unwanted or unexpected outcome.
- What are the seven major steps or phases in the implementation of a classification scheme?
(1) Identify the custodian, and define their responsibilities.
(2) Specify the evaluation criteria of how the information will be classified and labeled.
(3) Classify and label each resource. Although the owner conducts this step, a supervisor should review it.
(4) Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria.
(5) Select the security controls that will be applied to each classification level to provide the necessary level of protection.
(6) Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity.
(7) Create an enterprise-wide awareness program to instruct all personnel about the classification system.
- Name the six primary security roles as defined by ISC2 for CISSP.
The six security roles are senior management, IT/security staff, owner, custodian, operator/user, and auditor.
- What are the four components of a complete organizational security policy and their basic purpose?
The four components of a security policy are policies, standards, guidelines, and procedures.
- Policies are broad security statements.
- Standards are definitions of hardware and software security compliance.
- Guidelines are used when there is not an appropriate procedure.
- Procedures are detailed step-by-step instructions for performing work tasks in a secure manner.
- Which of the following contains the primary goals and objectives of security?
A. A network’s border perimeter
B. The CIA Triad
C. A stand-alone system
D. The Internet
B. The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad.
- Vulnerabilities and risks are evaluated based on their threats against which of the following?
A. One or more of the CIA Triad principles
B. Data usefulness
C. Due care
D. Extent of liability
A. Vulnerabilities and risks are evaluated based on their threats against one or more of the CIA Triad principles.
- Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects?
A. Identification
B. Availability
C. Encryption
D. Layering
B. Availability means that authorized subjects are granted timely and uninterrupted access to objects.
- Which of the following is not considered a violation of confidentiality?
A. Stealing passwords
B. Eavesdropping
C. Hardware destruction
D. Social engineering
C. Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, and sniffing.
- Which of the following is not true?
A. Violations of confidentiality include human error.
B. Violations of confidentiality include management oversight.
C. Violations of confidentiality are limited to direct intentional attacks.
D. Violations of confidentiality can occur when a transmission is not properly encrypted.
C. Violations of confidentiality are not limited to direct intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are due to human error, oversight, or ineptitude.
- Confidentiality is dependent upon which of the following?
A. Accountability
B. Availability
C. Nonrepudiation
D. Integrity
D. Without integrity, confidentiality cannot be maintained.
- If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can ____________ the data, objects, and resources.
A. Control
B. Audit
C. Access
D. Repudiate
C. Accessibility of data, objects, and resources is the goal of availability. If a security mechanism offers availability, then it is highly likely that the data, objects, and resources are accessible to authorized subjects.
- Which of the following describes the freedom from being observed, monitored, or examined without consent or knowledge?
A. Integrity
B. Privacy
C. Authentication
D. Accountability
B. One definition of privacy is freedom from being observed, monitored, or examined without consent or knowledge.
- All but which of the following items require awareness for all individuals affected?
A. Restricting personal email
B. Recording phone conversations
C. Gathering information about surfing habits
D. The backup mechanism used to retain email messages
D. Users should be aware that email messages are retained, but the backup mechanism used to perform this operation does not need to be disclosed to them.