D1. Security and Risk Management

Question 1

Refers to the process and methodologies involved in safeguarding information and underlying systems from inappropriate access, use, modifications, or disturbance.

Answer 1

What is Information security?

Question 2

What are the three principles forming the pillars of information security?

Answer 2

CIA Triad (Confidentiality, Integrity, and Availability)

Question 3

This is the concept of limiting access to data to authorized users and systems and restricting access from unauthorized parties?

Answer 3

What is Confidentiality?

Question 4

Confidentiality is closely related to this security best practice.

Answer 4

What is least privileged? (Asserts that access to information should be granted only on a need-to-know basis)

Question 5

This is the concept of maintaining the accuracy, validity, and completeness of data and systems.

Answer 5

What is Integrity?

Question 6

These two concepts are closely related to Integrity.

Answer 6

What is Authenticity and Non-repudiation?

Question 7

Refers to ensuring the data is genuine and that all parties are who they say they are.

Answer 7

What is Authenticity?

Question 8

This concept requires ensuring that no party is able to deny their actions (e.g., creating, modifying, or deleting data).

Answer 8

What is Non-repudiation?

Question 9

Most common mechanisms used to establish authenticity and nonrepudiation in information security.

Answer 9

What are digital signatures?

Question 10

This concept is focused on ensuring that authorized users can access data when they need it.

Answer 10

What is Availability?

Question 11

Concepts to be considered alongside Availability include:

Answer 11

What is accessibility (ability o erase of a user to use a resource or access data when needed), usability (ability of a user to meet their needs with available data), and timeliness (time expectation for availability of information and resources and is the measure of the time between when information is expected and when it is available for use)?

Question 12

What are some mechanisms that can help prevent disruption of system and information availability?

Answer 12

Data backups, redundant storage, Bach up power supply, and web application firewalls (WAFs).

Question 13

This National Institute of Standards and Technology (NIST) Special Publication included the CIA Triad as three of its five security objectives.

Answer 13

What is 800-33 “Underlying Technical Models for Information Technology Security”. The two additional concepts were accountability and assurance.

Question 14

The actions of an entity may be traced uniquely to that entity is termed?

Answer 14

Accountability

Question 15

The basis for confidence that the security measures, both technical and operational, work as intended to protect the system and the information it processes, is termed?

Answer 15

Assurance

Question 16

This is the right of human individuals to control the distribution of information about themselves.

Answer 16

What is Privacy?

Question 17

This is a set of responsibilities, policies, and procedures related to defining, managing, and overseeing security practices at an organization.

Answer 17

What is Security governance?

Question 18

Applying security governance principles involves:

Answer 18

1. Aligning the org security function to the company’s business strategy, mission, goals, and objectives.
2. Defining and managing organizational processes that require security involvement or oversight.
3. Developing security roles and responsibilities throughout the organization.
4. Identifying one or more security control frameworks to align your organization with
5. Conducting due diligence and due care activities on an ongoing basis.

Question 19

This is a simple declaration that defines a company’s function and purpose; and summarizes what the company is, what it does, and why the company exist to do those things.

Answer 19

What is a mission statement?

Question 20

Describes the action that a company takes to achieve its goals and objectives.

Answer 20

What is a business strategy?

Question 21

This is something that can an organization expects to achieve or accomplish.

Answer 21

What is a business goal?

Question 22

Is a milestone or a specific step that contributes to an organization reaching it’s goal and achieving its mission.

Answer 22

What is an objective?

Question 23

A group of executives and leaders who regularly meet to set the direction of the company’s security function and provide guidance to help the security function align with the company’s overall mission and business strategy.

Answer 23

What is the governance committee?

Question 24

This is the combining of two separate organizations that creates a new, joint organization.

Answer 24

What is merger?

Question 25

This is a takeover of one organization by another.

Answer 25

What is acquisition?

Question 26

Any person who accesses or handles an organization’s information systems and data.

Answer 26

What is a user or end user?

Question 27

A technical, operational, or management safeguard used to prevent, detect, minimize, or counteract security threats.

Answer 27

What is security control?

Question 28

(ISC)2 defines a notional construct outlining the organizations’s approach to security, including a list of specific security processes, procedures, and solutions used by the organization.

Answer 28

What is a security control framework?

Question 29

System-based safeguards and countermeasures - things like firewalls, IDS/IPS, and data loss prevention (DLP).

Answer 29

What are technical controls?

Question 30

System-based safeguards and countermeasures - that are primarily implemented and executed by people (as opposed to systems), security guards are a common example.

Answer 30

What are operational controls?

Question 31

Includes policies, procedures, and other countermeasures that control (or manage) the information security risk.

Answer 31

What are management “also referred to as administrative” controls?

Question 32

Legal term used to describe the conduct that a reasonable person would exercise in a given situation.

Answer 32

What is due care?

Question 33

Adherence to a mandate; it includes the set of activities that an organization conducts to understand and satisfy all applicable laws, regulatory requirements, industry standards, and contractual agreements.

Answer 33

What is compliance?

Question 34

A legal concept that establishes the official power to make legal decisions and judgments.

Answer 34

What is jurisdiction?

Question 35

Auditing framework that gives organizations the flexibility to be audited based on their own needs.

Answer 35

What is SOC (System and Organization Control)?

Question 36

An audit and compliance report that focuses strictly on a company’s financial statements and controls that can impact a customer’s financial statements.

Answer 36

What is SOC (System and Organization Control) 1?

Question 37

What are the five “Trusted Service Principles” of AICPA (American Institute of Certified Public Accountants)?

Answer 37

Privacy
Security
Availability
Processing Integrity
Confidentiality

Question 38

An audit and compliance report that evaluates an organization based on AICPA trusted service principles.

Answer 38

What is SOC (Systems and Organization Controls) 2?

Question 39

This is a lite version of a SOC 2 report (does not disclose specifics) abstracts or removes all sensitive details.

Answer 39

What is SOC 3

Question 40

Any criminal activity that directly involves computers or the internet.

Answer 40

What are cybercrimes?

Question 41

A specific cybercrime where information is accessed or stolen by a cybercriminal without authorization

Answer 41

What is data breach?