Cybersecurity and Governance

Question 1

The objective of security:

Answer 1

to provide confidentiality, integrity, availability, authenticity, and nonrepudiation.

Question 2

Confidentiality

Answer 2

Keeping unauthorized access entities (be they people or processes) from gaining access to information assets.

Question 3

Integrity

Answer 3

An asset is free from unauthorized alterations.

Question 4

Availability

Answer 4

Protection ensures reliability and timely access to data and resources to authorized individuals

Question 5

Authenticity

Answer 5

Protections ensure we can trust that something comes from its claimed source.

Question 6

Nonrepudiation

Answer 6

Which is closely related to authenticity, means that someone cannot disallow being the source of given action.

Question 7

Vulnerability

Answer 7

This is a weakness in a system that allows a threat source to compromise its security.

Question 8

Threat

Answer 8

This is any potential danger that is associated with the exploitation of a vulnerability.

Question 9

Threat Source

Answer 9

(Threat agent or threat actor) is any entity that can exploit a vulnerability.

Question 10

Risk

Answer 10

A Risk is the likelihood of a threat source exploiting a vulnerability and the corresponding business impact.

Question 11

Control or Countermeasure

Answer 11

A Control or Countermeasure is put into place to mitigate (reduce) the potential risk.

Question 12

Information Security Management System (ISMS)

Answer 12

ISMS is a collection of policies, procedures, baselines, and standards that an organization puts in place to make sure that its security efforts are aligned with business needs, streamlined and effective and that no security controls are missing.

Question 13

Enterprise Security Architecture

Answer 13

Enterprise Security Architecture implements an information security strategy and consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally. Enterprise Security Architecture should tie in strategic alignment, business enablement, process enhancement, and security effectiveness.

Question 14

Security Governance

Answer 14

Security governance is a framework that provides oversight, accountability, and compliance.

Security Governance is a framework that supports the security goals of an organization being set and expressed by senior management, communicated throughout the different levels of the organization, and consistently applied and assessed.

Question 15

Senior management

Answer 15

Senior management always carries the ultimate responsibility for the organization.

Question 16

Security Policy

Answer 16

A security policy is a statement by management dictating the role security plays in the organization.

Question 17

Standards and Documents

Answer 17

Standards and Documents that describe specific requirements that are compulsory in nature and support the organization’s security policies.

Question 18

Baseline

Answer 18

A Baseline is minimum level of security.

Question 19

Guidelines

Answer 19

Guidelines are recommendations and general approaches that provide advice and flexibility.

Question 20

Procedures

Answer 20

Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.

Question 21

Job Rotation

Answer 21

Job Rotation and mandatory vacations are administrative security controls that can help detect fraud.

Question 22

Separation of Duties

Answer 22

Separation of Duties ensures no single person has total control over a critical activity or task.

Question 23

Split knowledge and Dual Control

Answer 23

Split knowledge and Dual Control are two variations of separation of duties.

Question 24

Social Engineering

Answer 24

Social Engineering is an attack carried out to manipulate a person into providing sensitive data to an unauthorized individual.

Question 25

Security Awareness

Answer 25

Security Awareness training should be comprehensive, tailored for specific groups, and organization wide.

Question 26

Gamification

Answer 26

Gamification is the application of elements of game play to other activities such as security awareness training.

Question 27

Security Champions

Answer 27

Security Champions, which are members of an organization that though their job description does not include security, inform, and encourage the adoption of security practices within their own teams.

Question 28

Professional Ethics

Answer 28

Professional Ethics codify the right way for a group of people to behave.