D1. Security and Risk Management Flashcards

1
Q

Refers to the process and methodologies involved in safeguarding information and underlying systems from inappropriate access, use, modifications, or disturbance.

A

What is Information security?

2
Q

What are the three principles forming the pillars of information security?

A

CIA Triad (Confidentiality, Integrity, and Availability)

3
Q

This is the concept of limiting access to data to authorized users and systems and restricting access from unauthorized parties.

A

What is Confidentiality?

4
Q

Confidentiality is closely related to this security best practice.

A

What is least privilege? (Grant each user, process, or system only the minimum access required to perform its function. The closely related need-to-know principle restricts access to information to those who require it for their duties.)

5
Q

This is the concept of maintaining the accuracy, validity, and completeness of data and systems.

A

What is Integrity?

6
Q

These two concepts are closely related to Integrity.

A

What are Authenticity and Non-repudiation?

7
Q

Refers to ensuring that data is genuine and that all parties are who they say they are.

A

What is Authenticity?

8
Q

This concept requires ensuring that no party is able to deny their actions (e.g., creating, modifying, or deleting data).

A

What is Non-repudiation?

9
Q

The most common mechanism used to establish authenticity and non-repudiation in information security.

A

What are digital signatures?
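The following Go program is an added example, not part of the original flashcards, showing why cards 6 through 9 tie digital signatures to integrity, authenticity and non-repudiation. It signs a message with Ed25519 and shows that (1) a tampered message fails verification (integrity), (2) a signature produced under someone else's key does not verify as the claimed signer (authenticity), and (3) a shared-secret HMAC, which also gives integrity and authenticity, cannot give non-repudiation because both key holders produce byte-identical tags. The parties "alice" and "bob", the shared secret, the sample message, and the `keyFromLabel` helper are all constructed for illustration; it uses only the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// SignedRecord bundles a message with its Ed25519 signature and the public
// key it is claimed to be signed under. A verifier needs nothing secret.
type SignedRecord struct {
	Message   []byte
	Signature []byte
	Signer    ed25519.PublicKey
}

// Sign signs msg with the holder's private key. Only the private-key holder
// can produce a signature that verifies under the matching public key, which
// is what lets a third party attribute the message to that holder later.
func Sign(priv ed25519.PrivateKey, msg []byte) SignedRecord {
	return SignedRecord{
		Message:   msg,
		Signature: ed25519.Sign(priv, msg),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

// Verify checks integrity (the bytes are unchanged since signing) and
// authenticity (they were signed by the key pair the record names).
func Verify(rec SignedRecord) bool {
	return ed25519.Verify(rec.Signer, rec.Message, rec.Signature)
}

// HMACTag computes a shared-secret MAC. It also gives integrity and
// authenticity between the two key holders, but because both hold the same
// key, a tag proves only that one of them produced it: no non-repudiation.
func HMACTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// keyFromLabel derives a deterministic Ed25519 key from a label so the
// demonstration is reproducible. Do not derive real keys this way; use
// ed25519.GenerateKey(rand.Reader) in production.
func keyFromLabel(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte("example-seed:" + label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// DemoResult collects the outcome of each scenario in Demo.
type DemoResult struct {
	SignatureValid      bool // Alice's genuine signature verifies
	TamperedRejected    bool // a modified message fails verification
	ForgedByBobRejected bool // Bob cannot sign as Alice
	HMACIndistinct      bool // Alice's and Bob's HMAC tags are identical
}

// Demo runs a constructed scenario (hypothetical parties "alice" and "bob",
// a made-up shared secret and message) and returns what each check found.
func Demo() DemoResult {
	alicePriv := keyFromLabel("alice")
	bobPriv := keyFromLabel("bob")
	sharedKey := []byte("shared-secret-known-to-alice-and-bob") // constructed
	order := []byte(`{"from":"alice","action":"delete","object":"ledger-2024"}`)

	// 1. Alice signs an order; anyone holding her public key can verify it.
	rec := Sign(alicePriv, order)

	// 2. Integrity: an attacker changes "delete" to "create" in transit.
	tampered := rec
	tampered.Message = bytes.Replace(order, []byte("delete"), []byte("create"), 1)

	// 3. Authenticity: Bob signs the same bytes with his own key but labels
	//    the record with Alice's public key, trying to pin the order on her.
	forged := Sign(bobPriv, order)
	forged.Signer = rec.Signer

	// 4. Non-repudiation gap: with a shared secret, Alice and Bob produce
	//    byte-identical tags, so a tag cannot show which of them acted.
	aliceTag := HMACTag(sharedKey, order)
	bobTag := HMACTag(sharedKey, order)

	return DemoResult{
		SignatureValid:      Verify(rec),
		TamperedRejected:    !Verify(tampered),
		ForgedByBobRejected: !Verify(forged),
		HMACIndistinct:      hmac.Equal(aliceTag, bobTag),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Running it prints all four fields as `true`. The practical consequence for card 9: an audit trail that must hold an individual to an action has to be signed with a key only that individual controls (and the public key bound to them through some trusted registration), whereas a MAC keyed by a secret the server also knows can only show that "someone with the key" acted.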

10
Q

This concept is focused on ensuring that authorized users can access data when they need it.

A

What is Availability?

11
Q

Concepts to be considered alongside Availability include:

A

What are accessibility (the ability of a user to use a resource or access data when needed), usability (the ability of a user to meet their needs with the available data), and timeliness (the time expectation for the availability of information and resources, measured as the time between when information is expected and when it is available for use)?

12
Q

What are some mechanisms that can help prevent disruption of system and information availability?

A

Data backups, redundant storage, backup power supplies, and web application firewalls (WAFs) that filter application-layer denial-of-service traffic.

13
Q

This National Institute of Standards and Technology (NIST) Special Publication included the CIA Triad as three of its five security objectives.

A

What is SP 800-33, “Underlying Technical Models for Information Technology Security”? The two additional objectives were accountability and assurance.

14
Q

The property that the actions of an entity can be traced uniquely to that entity is termed?

A

Accountability

15
Q

The basis for confidence that the security measures, both technical and operational, work as intended to protect the system and the information it processes, is termed?

A

Assurance

16
Q

This is the right of human individuals to control the distribution of information about themselves.

A

What is Privacy?

17
Q

This is a set of responsibilities, policies, and procedures related to defining, managing, and overseeing security practices at an organization.

A

What is Security governance?

18
Q

Applying security governance principles involves:

A
  1. Aligning the organization’s security function to the company’s business strategy, mission, goals, and objectives.
  2. Defining and managing organizational processes that require security involvement or oversight.
  3. Developing security roles and responsibilities throughout the organization.
  4. Identifying one or more security control frameworks to align the organization with.
  5. Conducting due diligence and due care activities on an ongoing basis.
19
Q

This is a simple declaration that defines a company’s function and purpose; it summarizes what the company is, what it does, and why the company exists to do those things.

A

What is a mission statement?

20
Q

Describes the actions a company takes to achieve its goals and objectives.

A

What is a business strategy?

21
Q

This is something that an organization expects to achieve or accomplish.

A

What is a business goal?

22
Q

A milestone or specific step that contributes to an organization reaching its goal and achieving its mission.

A

What is an objective?

23
Q

A group of executives and leaders who regularly meet to set the direction of the company’s security function and provide guidance to help the security function align with the company’s overall mission and business strategy.

A

What is the governance committee?

24
Q

This is the combining of two separate organizations into a new, joint organization.

A

What is a merger?

25
Q

This is a takeover of one organization by another.

A

What is an acquisition?

26
Q

Any person who accesses or handles an organization’s information systems and data.

A

What is a user or end user?

27
Q

A technical, operational, or management safeguard used to prevent, detect, minimize, or counteract security threats.

A

What is a security control?

28
Q

(ISC)² defines this as a notional construct outlining the organization’s approach to security, including a list of the specific security processes, procedures, and solutions used by the organization.

A

What is a security control framework?

29
Q

System-based safeguards and countermeasures, such as firewalls, IDS/IPS, and data loss prevention (DLP).

A

What are technical controls?

30
Q

Safeguards and countermeasures that are primarily implemented and executed by people (as opposed to systems); security guards are a common example.

A

What are operational controls?

31
Q

Includes policies, procedures, and other countermeasures that control (or manage) the information security risk.

A

What are management (also referred to as administrative) controls?

32
Q

Legal term used to describe the conduct that a reasonable person would exercise in a given situation.

A

What is due care?

33
Q

Adherence to a mandate; it includes the set of activities that an organization conducts to understand and satisfy all applicable laws, regulatory requirements, industry standards, and contractual agreements.

A

What is compliance?

34
Q

A legal concept that establishes the official power to make legal decisions and judgments.

A

What is jurisdiction?

35
Q

An auditing framework that gives organizations the flexibility to be audited based on their own needs.

A

What is SOC (System and Organization Controls)?

36
Q

An audit and compliance report that focuses strictly on a service organization’s controls that can affect its customers’ financial reporting.

A

What is SOC (System and Organization Controls) 1?

37
Q

What are the five Trust Services Criteria (formerly the Trust Services Principles) defined by the AICPA (American Institute of Certified Public Accountants)?

A

Privacy
Security
Availability
Processing Integrity
Confidentiality

38
Q

An audit and compliance report that evaluates an organization’s controls against the AICPA Trust Services Criteria.

A

What is SOC (System and Organization Controls) 2?

39
Q

This is a general-use summary of a SOC 2 report that abstracts or removes all sensitive details and does not disclose the specifics of the audit.

A

What is SOC 3?

40
Q

Any criminal activity that directly involves computers or the internet.

A

What are cybercrimes?

41
Q

A specific cybercrime in which information is accessed or stolen by a cybercriminal without authorization.

A

What is a data breach?