Concepts Pt.2 Flashcards
A security design principle that states that every time a subject requests access to an object, the request needs to be checked to ensure that the subject has the authority to access the object.
- Least privilege
- Separation of duties
- Complete mediation
- Defense-in-Depth
Complete mediation
A security design principle that ensures that no single point of complete compromise exists by implementing multiple layers of risk mitigation controls. Also known as layered defense.
- Least privilege
- Separation of duties
- Complete mediation
- Defense-in-Depth
Defense-in-Depth
A security design principle that states that when the software is architected, the mechanisms that are common (shared) between two different users or processes must be minimized.
- Least common mechanism
- Economy of mechanism
- Least privilege
- Separation of duties
Least common mechanism
A security design principle that ensures that no one person or process can complete an operation in its entirety. It is also referred to as the compartmentalization principle.
- Separation of duties
- Defense-in-Depth
- Leveraging existing components
- Complete mediation
Separation of duties
A willingness of users to accept a particular control.
- Accountability
- Psychological acceptability
- Separation of duties
- Leveraging existing components
Psychological acceptability
A security design principle that states that the likelihood of vulnerabilities increases with the complexity of the software design.
- Least common mechanism
- Separation of duties
- Complete mediation
- Economy of mechanism
Economy of mechanism
A security design principle that ensures that the attack surface is not increased and no newer vulnerabilities are introduced because existing components of code/functionality are reused (leveraged) when architecting software.
- Defense-in-Depth
- Leveraging existing components
- Separation of duties
- Least privilege
Leveraging existing components
A security design principle that ensures that when the software fails, the confidentiality, integrity, and availability of the software are still maintained along with rapid recovery. Also known as Fail Secure.
- Open design
- Auditing
- Least privilege
- Fail safe
Fail safe
A security design principle that states that the security of the software/system should not be a secret, but be open for review.
- Authentication
- Complete mediation
- Open design
- Confidentiality
Open design
A security design principle in which a user or process is explicitly given only the necessary and minimum level of access rights (privileges) for a specified amount of time, in order to complete an operation.
- Least privilege
- Defense-in-Depth
- Complete mediation
- Non-repudiation
Least privilege
Which of the following is an acceptable approach to risk treatment or response?
- Accept risk
- Report on risk
- Measure risk
- Ignore risk
Accept risk
What is an advantage of economy of mechanism?
- To demonstrate an active security program
- To save money on IT investment
- To avoid complexity in a system’s design
- To ensure layers of defense and protection
To avoid complexity in a system’s design
What does psychological acceptability refer to?
- Management’s reluctance to enforce security policy
- The lack of privacy associated with biometrics
- The inability of IT to measure security effectiveness
- The problem that users will resist security they feel is unnecessary
The problem that users will resist security they feel is unnecessary
What technique is used to restrict the amount of data in a customer record that is visible to a user of an application that accesses a database?
- Single sign-on
- View-based controls
- Input validation
- Strong passwords
View-based controls
What is the primary purpose of Information System’s controls?
- To demonstrate due care and due diligence
- To support and protect the business mission
- To avoid unnecessary expense or liability
- To ensure that attacks will not be successful
To support and protect the business mission
What is the primary benefit of enforcing least privilege?
- To provide management with insight into system controls
- To protect the integrity of data
- To ensure the availability of critical systems
- To ensure no one has privileged access rights
To protect the integrity of data
What term is used to describe checking all access requests to ensure that only appropriate levels of access are granted?
- Least privilege
- Authentication
- Complete mediation
- Preventative control
Complete mediation
What risk is often associated with confidentiality?
- Data breach liability
- Single points of failure
- Loss of data precision
- Separation of duties
Data breach liability
You and your project team have identified the project risks and now are analyzing the probability and impact of the risks. What type of analysis of the risks provides a quick and high-level review of each identified risk event?
- Quantitative risk analysis
- Qualitative risk analysis
- Seven risk responses
- A risk probability-impact matrix
Qualitative risk analysis
Bill is the project manager of the JKH Project. He and the project team have identified a risk event in the project with a high probability of occurrence and the risk event has a high cost impact on the project. Bill discusses the risk event with Virginia, the primary project customer, and she decides that the requirements surrounding the risk event should be removed from the project. The removal of the requirements does affect the project scope, but it can release the project from the high risk exposure. What risk response has been enacted in this project?
- Mitigation
- Transference
- Acceptance
- Avoidance
Transference
You are the project manager for GHY Project and are working to create a risk response for a negative risk. You and the project team have identified the risk that the project may not complete on time, as required by the management, due to the creation of the user guide for the software you’re creating. You have elected to hire an external writer in order to satisfy the requirements and to alleviate the risk event. What type of risk response have you elected to use in this instance?
- Transference
- Exploiting
- Avoidance
- Sharing
Transference
To help review or design security controls, they can be classified by several criteria. One of these criteria is based on their nature. According to this criterion, which of the following controls consists of incident response processes, management oversight, security awareness, and training?
- Compliance control
- Physical control
- Procedural control
- Technical control
Compliance control
Which of the following are the types of access controls? (Pick 3)
- Administrative
- Automatic
- Technical
- Physical
Administrative, Technical, Physical
You are the project manager for a construction project. The project involves casting of a column in a very narrow space. Because of lack of space, casting it is highly dangerous. High technical skill will be required for casting that column. You decide to hire a local expert team for casting that column. Which of the following types of risk response are you following?
- Avoidance
- Acceptance
- Mitigation
- Transference
Avoidance
To help review or design security controls, they can be classified by several criteria. One of these criteria is based on time. According to this criterion, which of the following controls are intended to prevent an incident from occurring?
- Corrective controls
- Adaptive controls
- Detective controls
- Preventative controls
Adaptive controls
A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?
- Exploit
- Mitigation
- Transference
- Avoidance
Avoidance