Chapter 5 - Describing Information Security Concepts

Question 1

What is the concept that guarantees only authorized users can view sensitive information?

Answer 1

Confidentiality

Question 2

The concept that guarantees only authorized subjects can change sensitive information and may also guarantee authenticity of data.

Answer 2

Integrity

Question 3

The concept that guarantees uninterrupted access by authorized users to important computing resources and data.

Answer 3

Availability

Question 4

Information that can be used on its own, or with other information to identify, contact, or locate a single person.

Answer 4

Personally Identifiable Information (PII)

Question 5

Any information about health status, provision of health care, or payment of health care that can be linked to a specific individual.

Answer 5

Personal Health Information (PHI)

Question 6

A function of the likelihood of a given threat source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

Answer 6

Risk

Question 7

An intent and method that is targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability.

Answer 7

Threat Source

Question 8

The potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

Answer 8

Threat

Question 9

A weakness that makes a resource susceptible to a threat.

Answer 9

Vulnerability

Question 10

The resulting damage to the organization that is caused by a threat.

Answer 10

Impact

Question 11

A network attack in which an unauthorized person gains access to a network and stays there undetected for a long time period.

Answer 11

Advanced Persistent Threat (APT)

Question 12

A risk option when the cost of other risk management options may outweigh the cost of the risk itself.

Answer 12

Risk Acceptance

Question 13

A risk option that avoids any exposure to the risk.

Answer 13

Risk Avoidance

Question 14

A risk option where a company’s risk exposure is limited by taking some action.

Answer 14

Risk Limitation

Question 15

A risk option where the transference of risk to a willing third party.

Answer 15

Risk Transfer

Question 16

A risk assessment approach that involves trying to map a dollar amount to each specific risk.

Answer 16

Quantitative approach

Question 17

A risk assessment approach that involves assigning a risk level, such as low, medium, or high to each risk.

Answer 17

Qualitative approach

Question 18

A defect in software or hardware, in the concept of information security.

Answer 18

Vulnerability

Question 19

The open framework for communicating and characteristics and severity of software vulnerabilities.

Answer 19

CVSS

Question 20

Access control model that secures information by assigning sensitivity labels on information and comparing it to the users operating sensitivity level.

Answer 20

Mandatory Access Control

Question 21

Access control model that uses an ACL to decide which users or groups have access to the information.

Answer 21

Discretionary Access Control

Question 22

Access control model that is based on an individual’s roles and responsibilities within the organization (RBAC).

Answer 22

Non-Discretionary Access Control

Question 23

Name the three types of Security Operations Centers

Answer 23

Threat-centric - actively looks for threats on the network
compliance-based - focuses on security posture as it relates to compliancy testing
operational-based - focuses on maintaining operational integrity and functionality

Question 24

Risk is a function of what three factors

Answer 24

Threat, Vulnerability, and Impact