Concepts Pt.2 Flashcards

1
Q

A security design principle that states that every time a subject requests access to an object, the request needs to be checked to ensure that the subject has the authority to access the object.

  • Least privilege
  • Separation of duties
  • Complete mediation
  • Defense-in-Depth
A

Complete mediation

2
Q

A security design principle that ensures that no single point of complete compromise exists by implementing multiple layers of risk mitigation controls. Also known as layered defense.

  • Least privilege
  • Separation of duties
  • Complete mediation
  • Defense-in-Depth
A

Defense-in-Depth

3
Q

A security design principle that states that when the software is architected, the mechanisms that are common (shared) between two different users or processes must be minimized.

  • Least common mechanism
  • Economy of mechanism
  • Least privilege
  • Separation of duties
A

Least common mechanism

4
Q

A security design principle that ensures that no one person or process can complete an operation in its entirety. It is also referred to as the compartmentalization principle.

  • Separation of duties
  • Defense-in-Depth
  • Leveraging existing components
  • Complete mediation
A

Separation of duties

5
Q

A willingness of users to accept a particular control.

  • Accountability
  • Psychological acceptability
  • Separation of duties
  • Leveraging existing components
A

Psychological acceptability

6
Q

A security design principle that states that the likelihood of vulnerabilities increases with the complexity of the software design.

  • Least common mechanism
  • Separation of duties
  • Complete mediation
  • Economy of mechanism
A

Economy of mechanism

7
Q

A security design principle that ensures that the attack surface is not increased and no newer vulnerabilities are introduced because existing components of code/functionality are reused (leveraged) when architecting software.

  • Defense-in-Depth
  • Leveraging existing components
  • Separation of duties
  • Least privilege
A

Leveraging existing components

8
Q

A security design principle that ensures that when the software fails, the confidentiality, integrity, and availability of the software are still maintained along with rapid recovery. Also known as Fail Secure.

  • Open design
  • Auditing
  • Least privilege
  • Fail safe
A

Fail safe

9
Q

A security design principle that states that the security of the software/system should not be a secret, but be open for review.

  • Authentication
  • Complete mediation
  • Open design
  • Confidentiality
A

Open design

10
Q

A security design principle in which a user or process is explicitly given only the necessary and minimum level of access rights (privileges) for a specified amount of time, in order to complete an operation.

  • Least privilege
  • Defense-in-Depth
  • Complete mediation
  • Non-repudiation
A

Least privilege

11
Q

Which of the following is an acceptable approach to risk treatment or response?

  • Accept risk
  • Report on risk
  • Measure risk
  • Ignore risk
A

Accept risk

12
Q

What is an advantage of economy of mechanism?

  • To demonstrate an active security program
  • To save money on IT investment
  • To avoid complexity in a system’s design
  • To ensure layers of defense and protection
A

To avoid complexity in a system’s design

13
Q

What does psychological acceptability refer to?

  • Management’s reluctance to enforce security policy
  • The lack of privacy associated with biometrics
  • The inability of IT to measure security effectiveness
  • The problem that users will resist security they feel is unnecessary
A

The problem that users will resist security they feel is unnecessary

14
Q

What technique is used to restrict the amount of data in a customer record that is visible to a user of an application that accesses a database?

  • Single sign-on
  • View-based controls
  • Input validation
  • Strong passwords
A

View-based controls

15
Q

What is the primary purpose of Information System’s controls?

  • To demonstrate due care and due diligence
  • To support and protect the business mission
  • To avoid unnecessary expense or liability
  • To ensure that attacks will not be successful
A

To support and protect the business mission

16
Q

What is the primary benefit of enforcing least privilege?

  • To provide management with insight into system controls
  • To protect the integrity of data
  • To ensure the availability of critical systems
  • To ensure no one has privileged access rights
A

To protect the integrity of data

17
Q

What term is used to describe checking all access requests to ensure that only appropriate levels of access are granted?

  • Least privilege
  • Authentication
  • Complete mediation
  • Preventative control
A

Complete mediation

18
Q

What risk is often associated with confidentiality?

  • Data breach liability
  • Single points of failure
  • Loss of data precision
  • Separation of duties
A

Data breach liability

19
Q

You and your project team have identified the project risks and now are analyzing the probability and impact of the risks. What type of analysis of the risks provides a quick and high-level review of each identified risk event?

  • Quantitative risk analysis
  • Qualitative risk analysis
  • Seven risk responses
  • A risk probability-impact matrix
A

Qualitative risk analysis

20
Q

Bill is the project manager of the JKH Project. He and the project team have identified a risk event in the project with a high probability of occurrence and the risk event has a high cost impact on the project. Bill discusses the risk event with Virginia, the primary project customer, and she decides that the requirements surrounding the risk event should be removed from the project. The removal of the requirements does affect the project scope, but it can release the project from the high risk exposure. What risk response has been enacted in this project?

  • Mitigation
  • Transference
  • Acceptance
  • Avoidance
A

Transference

21
Q

You are the project manager for GHY Project and are working to create a risk response for a negative risk. You and the project team have identified the risk that the project may not complete on time, as required by the management, due to the creation of the user guide for the software you’re creating. You have elected to hire an external writer in order to satisfy the requirements and to alleviate the risk event. What type of risk response have you elected to use in this instance?

  • Transference
  • Exploiting
  • Avoidance
  • Sharing
A

Transference

22
Q

To help review or design security controls, they can be classified by several criteria. One of these criteria is based on their nature. According to this criterion, which of the following controls consists of incident response processes, management oversight, security awareness, and training?

  • Compliance control
  • Physical control
  • Procedural control
  • Technical control
A

Compliance control

23
Q

Which of the following are the types of access controls? (Pick 3)

  • Administrative
  • Automatic
  • Technical
  • Physical
A

Administrative, Technical, Physical

24
Q

You are the project manager for a construction project. The project involves casting of a column in a very narrow space. Because of lack of space, casting it is highly dangerous. High technical skill will be required for casting that column. You decide to hire a local expert team for casting that column. Which of the following types of risk response are you following?

  • Avoidance
  • Acceptance
  • Mitigation
  • Transference
A

Avoidance

25
Q

To help review or design security controls, they can be classified by several criteria. One of these criteria is based on time. According to this criterion, which of the following controls are intended to prevent an incident from occurring?

  • Corrective controls
  • Adaptive controls
  • Detective controls
  • Preventative controls
A

Adaptive controls

26
Q

A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?

  • Exploit
  • Mitigation
  • Transference
  • Avoidance
A

Avoidance