D1: Security & Risk Management

Question 1

NDA

Answer 1

Non Disclosure Agreement; restricts dissemination of information; Compelling parties to not reveal information to others; Keeping secrets;

Question 2

NCA

Answer 2

Non Compete Agreement; relates to employment with competition; Work restrictions; Agreement not to enter into or start a similar line of work in competition against another party;

Question 3

AUP

Answer 3

Authorized Use Policy; warns employees about proper use of organizational assets; Allows for firing employee for misuse;

Question 4

Exit Interview

Answer 4

Useful for discovering serious problems that might not be otherwise disclosed;

Question 5

Education

Answer 5

Providing fundamental knowledge & definitions

Question 6

Training

Answer 6

Providing tactical knowledge necessary for a job or task

Question 7

Awareness

Answer 7

Imparting sensitivity or importance to a topic/issue to all personnel

Question 8

Indoctrination

Answer 8

Incorporating an individual or group into the culture of the larger organization

Question 9

CEO

Answer 9

Chief Executive Officer; Responsible for overall organization and its mission

Question 10

CIO

Answer 10

Chief Information Officer; Responsible for aligning information & technical strategies; Most senior official in an organization responsible for IT & Systems that support enterprise; Senior Technology official;

Question 11

CPO

Answer 11

Chief Policy Officer: Responsible for ensuring that there is compliance with org and regulatory privacy rules

Question 12

CISO

Answer 12

Chief Information Security Officer; Responsible for monitoring & analyzing risk information associate with data protection

Question 13

CSO

Answer 13

Chief Security Officer; Responsible for physical & Technical security of orgs assets; Responsible for development, oversight, mitigation, & other risk strategies; Senior most security official;

Question 14

CTO

Answer 14

Chief Technology Officer; Chooses technology & scientific items; Executive person tasked with identifying useful technology, IT strategies, & partnerships;

Question 15

ISSO

Answer 15

Information Systems Security Officer; Organizational role charged with developing, implementing, testing, & reviewing IT security;

Question 16

Risk Management Categorize

Answer 16

Related to assigning a security role to an IT system

Question 17

Risk Management Select

Answer 17

Identifies the appropriate measures needed to reduce risk satisfactorily

Question 18

Risk Management Implement

Answer 18

Regards enacting the selected security controls

Question 19

Risk Management Assess

Answer 19

Involves an independent assessor to test the controls

Question 20

Risk Management Authorize

Answer 20

Take the risk assessment and make a risk determination

Question 21

Risk Management Monitor

Answer 21

Relates to ongoing review & updating of controls and security status

Question 22

Opportunity Cost

Answer 22

Next best use for funds

Question 23

Depreciated Cost

Answer 23

Reflects wear, tear, and evaluation over time

Question 24

Replacement Cost

Answer 24

current expenditure to gain an identical item

Question 25

Purchase Cost

Answer 25

Original cost

Question 26

Code of Regulations

Answer 26

Administrative law is published here

Question 27

Constitution

Answer 27

Provides for information about interpretation of laws

Question 28

NIST

Answer 28

National Institute of Standards & Technology; Publishes Special Publications, but NO laws; Publishes recommendations and standards, many related to IT security; Government standards body;

Question 29

United States Code

Answer 29

Laws enacted by Congress published here

Question 30

Accept Risk

Answer 30

Accept with knowledge of risk.

Question 31

Avoid Risk

Answer 31

Change course or cancelling a project.

Question 32

Deter Risk

Answer 32

Pursue the threat actor.

Question 33

Mitigate Risk

Answer 33

Addressing risk and its factors. Try to reduce/prevent risk.

Question 34

Transfer Risk

Answer 34

Assign risk to another party, insurance.

Question 35

Ignore Risk

Answer 35

Move ahead without knowledge of the risk. NEVER an appropriate response.

Question 36

Copyright

Answer 36

Legal right for creator of original work

Question 37

Trademark

Answer 37

Recognized signs or expressions to identify product or service;

Question 38

Patent

Answer 38

Intellectual property rights to a product/process for a limited period of time; protect innovative product/process; Exclusive rights to product/process;

Question 39

Trade Secret

Answer 39

Formula, process, or design that is generally not known by others and has a viable commercial use; Guarded info not disclosed to the world;

Question 40

DRM

Answer 40

Digital Rights Management; Systematized access control for digital media; Encrypted PDFs; Access control technology for restricting the use of propriety hardware & copyrighted works;

Question 41

Wassenaar

Answer 41

Covers conventional arms sales and controls.

Question 42

Economic Espionage Act

Answer 42

Criminalized stealing trade secrets

Question 43

GDRP

Answer 43

General Data Protection Regulation; European law endorsed by the US that handles privacy issues; Enforced by Department of Commerce; International data privacy regulation;

Question 44

FISMA

Answer 44

Federal Information Security Management Act; Handles risk management in the US government; US requirements for data security within federal orgs; Requires each federal agency to develop, document, & implement an agency wide pgm to provide info sec; Uses RMF

Question 45

PCI

Answer 45

Payment Card Industry; Self-regulation for banking cards

Question 46

Data Owner

Answer 46

Party that collects & is responsible for the information

Question 47

Data Subject

Answer 47

The person/thing referred to by data;

Question 48

Data Processor

Answer 48

Group/organization responsible for manipulation & computations with the data w/in their systems;

Question 49

Data Custodian

Answer 49

Manages the information systems that perform processing; has physical control & server control; Facilitates use;

Question 50

ISO 27000

Answer 50

Information system management system standards are a flexible set of standards and practices to manage security risks in an org.

Question 51

NIST RMF

Answer 51

National Institute of Science & Technology Risk Management Framework; Government created set of guides to manage and control risk

Question 52

COSO

Answer 52

Committee of Sponsoring Organizations is an initiative to combat organizational fraud; Preventing fraud and abuse; dedicated to guiding managers & government w/ regard to ethics, controls, & risk mgmt.;

Question 53

COBIT

Answer 53

Control Objectives for Information and Related Technologies; is a best practice security framework from ISACA

Question 54

AGILE

Answer 54

Software development methodology; Emphasize customer involvement & simple deliverables. Expects continual refinement of requirements, capabilities, & features through dev process;

Question 55

Directive Security Control

Answer 55

Rules promulgated by management; EX] Policy, NDA, Exit Signs, Need to know policy;

Question 56

Deterrent Security Control

Answer 56

Affect threat agents; EX] Guards, cameras, Logon banner with warning;

Question 57

Preventative Security Control

Answer 57

stop an active attack; EX] Walls, fence, Biometric doorway control;

Question 58

Compensating Security Control

Answer 58

take over for another function/measure while a threat is active; EX] RAID array;

Question 59

Detective Security Control

Answer 59

only identify and do not stop threats; EX} motion detector, dogs, logs & audits;

Question 60

Corrective Security Control

Answer 60

implements after a threat has manifested; EX] IPS, Fire Suppression;

Question 61

Recovery Security Control

Answer 61

Restores operations to way they were; EX: Backups, DRP, cloud-based backup;

Question 62

STRIDE Threat Modeling

Answer 62

Created by Microsoft; Spoofing, Tampering, Repudiation, Information Disclosure, DOS, Elevation of Privilege; Initially created as part of the process of Threat Modeling;

Question 63

VAST Threat Modeling

Answer 63

Visual Agile & Simple Threat modeling; promotes its use across the entire infrastructure & the SDLC

Question 64

ISA

Answer 64

Interconnection Service Agreement; Defines VPNs; Agreed-upon measures, settings & protocols taken by two orgs to facilitate communication;

Question 65

OLA

Answer 65

Operating Level Agreement

Question 66

MOU

Answer 66

Memorandum of Understanding; Provides refinement of duties and responsibilities; Provides terms & details necessary for two parties to work together;

Question 67

MOA

Answer 67

Memorandum of Agreement; Achieving consensus toward a common goal; Document describing cooperative work to be taken together by two parties toward an objective;

Question 68

SLA

Answer 68

Service Level Agreement; Contractual guarantee of performance; A promise; An agreement on the characteristics of quality and performance between two parties;

Question 69

MSA

Answer 69

Master Services Agreement

Question 70

MTD

Answer 70

Maximum Tolerable Downtime; Beginning of a disaster; Estimated time until catastrophic damage to an org has occurred;

Question 71

MTBF

Answer 71

Mean Time Between Failures; The average failure rate; Estimation as to how often serious errors occur, typically measured in thousands of hours; Predicted elapsed time between failures of a mechanical or electronic system; Hardware reliability;

Question 72

MTTR

Answer 72

Mean Time to Recovery (Repair); how long a system can take to recovery from a failure; Time needed to fix something; Standard recovery statistic indicating swiftness of DRP responses; Restoration average; Timely time it will take to regain functionality;

Question 73

MTPD

Answer 73

Maximum Tolerable Period of Disruption; Identifies the point at which services must be restored or irrevocably damage the business;

Question 74

RPO

Answer 74

Recovery Point Objective; What data must be available upon restoration & defines acceptable loss; Maximum # of transactions lost; # of transactions or quality of data that can be acceptably lost; Targeted maximum loss quantity;

Question 75

RTO

Answer 75

Recovery Time Objective; When data must be available; Maximum amount of time lost; Maximum amount of time allowed for an outage;

Question 76

MITM

Answer 76

Man-in-the-Middle; An attacker insinuates itself between client and server, observing or modifying communications; Intercepting and changing;

Question 77

GDRP Lawful

Answer 77

Data must be legal to possess;

Question 78

GDRP Purpose

Answer 78

Must have purpose for possessing the information;

Question 79

GDRP Minimal

Answer 79

Data can only be retained as long as necessary;

Question 80

GDRP Accuracy

Answer 80

Data must be as accurate as possible;

Question 81

GDRP Storage Limitation

Answer 81

Only the information necessary for its purposes should be retained;

Question 82

GDRP Integrity & Confidentiality

Answer 82

Must take measures to ensure integrity & confidentiality;

Question 83

PCI DSS

Answer 83

Payment Card Industry Data Security Standard; Credit Card industry established to ensure regulated control & consumer confidence;

Question 84

WIPO

Answer 84

World Intellectual Property Organization; Promote the protection of intellectual property; United Nations agency that overseas international trademarks & patents;

Question 85

GLBA

Answer 85

Gramm-Leach-Biley Financial Services Modernization Act; Involves privacy concerns with financial institutions; Requires financial orgs to protect customer data and to disclose how this is done; Provide each consumer with a privacy notice at time of consumer relation started; Financial Rules overhaul;

Question 86

SOX

Answer 86

Sarbanes-Oxley; Financial accountability; Implements criminal penalties for incorrect reporting of losses or liabilities; Requirements for US companies & mgmt. to provide accurate information;

Question 87

COPPA

Answer 87

Federal Children’s Online Privacy Protection Act. Applies to collection of info/accounts for children < 13yo; AKA: CaliOPPA

Question 88

HIPAA

Answer 88

Health Insurance Portability & Accountability Act; Medical security; Requires proper encryption of data transmission & storage as well as secure disposal; US law designed to protect the privacy of patient information;

Question 89

PII

Answer 89

Personally Identifiable Information; EX] DL#, SSN, Credit Card #; Unique identifier; data or pieces of data used to uniquely correspond to or identify one individual and requires special handling;

Question 90

PHI

Answer 90

Personal Health Information; Info within an EMR; Sensitive info regarding health of individual;

Question 91

PIPEDA

Answer 91

Personal Information Protection & Electronic Documents Act; Canadian law involving privacy; Canadian PII;

Question 92

Baselines

Answer 92

Required minimum levels of protection and performance that must be met

Question 93

Guidelines

Answer 93

Recommended settings or levels and are considered optional

Question 94

Standards

Answer 94

Security practices based on industry or governmental documents. Mandates steps to follow

Question 95

Procedures

Answer 95

Step-By-Step instructions. Repeatable, Detailed.

Question 96

Policies

Answer 96

High level written

Question 97

NIST SP 800-30

Answer 97

9 steps: System characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, recommend controls, & results documentation;

Question 98

Due Care

Answer 98

Requires an organization to act and enforce security mechanisms put into place; Being careful; Legal standard

Question 99

Due Diligence

Answer 99

Demonstrating that the organization is following its own policies; verifying work, researching, being forewarned & prepared;

Question 100

Prudent Man

Answer 100

Relates to taking appropriate responsibility for actions; Test for activies in the protection of assets, considered what a careful & responsible person would de;

Question 101

Preponderance of Guilt

Answer 101

In civil litigation it is only necessary for a preponderance of guilt to be believed;

Question 102

Compliance

Answer 102

Adherence to external mandates

Question 103

Audits

Answer 103

Tools, processes, & activities used to preform compliance reviews;

Question 104

Virus

Answer 104

Attaches itself to programs in order to replicate; Most common; Copies itself; Requires interaction from user;

Question 105

Backdoor

Answer 105

Privileged access to software or a system;

Question 106

Worm

Answer 106

Replicates independently to infect systems; Fastest; Attacks the OS; No user interaction is needed;

Question 107

Trojan Horse

Answer 107

Appears to provide a valid service hiding its malicious nature; Commonly downloaded; Introduced to system by misdirection or trust

Question 108

Logic Bomb

Answer 108

Set to happen based on certain events; Typically date & time; Launches malicious activity when predetermined conditions are met/triggered;

Question 109

Spyware/Adware

Answer 109

Secretly installed; Collects info about user; plays, displays, or downloads w/o consent; designed to spy on system activity;

Question 110

Rootkit

Answer 110

Capable of hiding user files and processes; Maliciously disguises or blocks observation of malware;

Question 111

Polymorphic

Answer 111

Constantly re-factoring code to evade detection by signatures

Question 112

Macro

Answer 112

Capable of attacking multiple operating systems

Question 113

Bipartile

Answer 113

A multimodal virus that may infect boot sectors and executable files

Question 114

Boot Sector

Answer 114

Attacks an operating system prior to the kernel being loaded

Question 115

Risk Formula

Answer 115

Risk = Threat * Vulnerability; sometimes risk = threat * value * vulnerability

Question 116

RMF Authorize

Answer 116

Based upon a determination of risk by independent parties

Question 117

Dynamic Policy

Answer 117

Is one that can be implemented and changed from a central location as needed;

Question 118

1st Amendment

Answer 118

Freedom of speech

Question 119

4th Amendment

Answer 119

Search & seizures

Question 120

Accountability

Answer 120

Holding individuals responsible for their actions

Question 121

Availability

Answer 121

refers to providing data when and where a user requires access

Question 122

Non-Repudiation

Answer 122

refers to the characteristic of data where the user cannot deny they performed their actions on the data;

Question 123

Authenticity

Answer 123

Data which can be described as not corrupted, or genuine;

Question 124

CSS / XSS

Answer 124

Cross Site Scripting; Users inserting JavaScript into a URL or blog page to force unwanted actions by other users; Sends unwanted code to clients; Web Application attack; Malicious user using script input to steal info from other users;

Question 125

Session Hijacking

Answer 125

Allowing another user to login and then seizing control;

Question 126

SQL Injection

Answer 126

Using web front end to implement database actions on the backend; Insertion of DB commands by client that cause unwanted server actions.

Question 127

Privilege Escalation

Answer 127

The surfing of authority in order to gain additional access;

Question 128

CSRF / XSRF

Answer 128

Cross-Site Request Forgery; Devising a webpage that bounces commands often unwary client to an unsecured site to force a transaction; Attack wherein a message is spoofed from a user to a trusted site; Web application attack; Iframes & server flaws that allow illicit fake message to be processed;

Question 129

Buffer Overflow

Answer 129

The insertion of assembler-level commands into the input data stream by exploiting a boundary error; Corrupting the memory of a host by causing lg amount of data to be inserted in the stack/heap; lg amt data cause other instructions to be overwritten; Cause DoS or take over completely.

Question 130

What do Privacy Laws protect

Answer 130

Customers data, Employees data, & Employee rights

Question 131

What is the purpose of a BIA

Answer 131

Determine the impact to business operations of disruptions

Question 132

Countermeasures

Answer 132

Reactive controls to mitigate or correct an incident

Question 133

Safeguards

Answer 133

Proactive controls to mitigate or correct an incident

Question 134

Responses

Answer 134

Actions after an incident has occurred

Question 135

Exposures

Answer 135

How vulnerable are systems to threats

Question 136

Qualitative Assessments

Answer 136

Use non-numerical levels or categories, and Expert or best judgement

Question 137

Quantitative Assessments

Answer 137

Use consistent numerical values, Financial performance measurements

Question 138

DRP

Answer 138

Disaster Recovery Plan; An immediate plan to cope with disasters & problems; aid in recovery from short-term issues

Question 139

Change Management Policy

Answer 139

Dictates how and when changes are made to a system; enforces accountability and create an audit trail of modifications;

Question 140

AIC

Answer 140

Another way of saying CIA; Availability, Integrity, and Confidentiality; Primary security goals; Having a system that is able to be accessed, accurate with its info and maintain proper access controls;

Question 141

ARO

Answer 141

Annualized Rate of Occurrence; frequency in which an attack occur; Number of attacks per year; Total # of expected successful attacks on an annual basis;

Question 142

EMI

Answer 142

Electromagnetic Interference; Threat to copper-based media

Question 143

ESP

Answer 143

Encapsulating Security Payload; Protocol to encrypt IPsec payloads

Question 144

EF

Answer 144

Exposure Factor; Percentage of an asset lost from a single attack; Indicates value loss from one attack; Assessed damage level;

Question 145

SPIM

Answer 145

Spam over Internet Messaging; Unwanted messages; Chat messages delivered as a hoax to induce purchase;

Question 146

SPIT

Answer 146

Spam over Internet Telephony; Use of SMS to deliver unwanted messages;

Question 147

Pivot

Answer 147

Gaining control of one application or host in order to manipulate a secondary target; Staging a new attack;

Question 148

MITM

Answer 148

Man in the Middle; Between Client and Server; An attack wherein a node listens to and takes over a conversation by insinuating itself into the stream of communication;

Question 149

BO

Answer 149

Buffer Overflow; The insertion of malicious computer instructions into the RAM of a host to accomplish a DoS or injecting shellcode;

Question 150

Brute Force

Answer 150

Discovers a has or encrypted secret by attempting all combinations and permutations; Always works if time is not a factor;

Question 151

ALE

Answer 151

Annualized Loss Expectancy: SLE * ARO; hint: SLEAROoooo -> Drunk at a bar with ALE; Total annual damage;

Question 152

APT

Answer 152

Advanced Persistence Threat; Highly target threat; Full featured exploit designed to attack specific target, commonly assembled by teams of attackers to achieve a particular goal;

Question 153

BIA

Answer 153

Business Impact Analysis: Impact estimate; Prerequisite for disaster recovery and continuity planning to identify potential losses;

Question 154

BPA

Answer 154

Business Partners Agreement: Outlines the goals and responsibilities between entities pursuing a common work product; Cooperation and partnership;

Question 155

CERT

Answer 155

Computer Emergency Response Team; IT First responders; A multi-discipline group designated to handle IT incidents;

Question 156

CIRT

Answer 156

Computer Incident Response Team: A group that investigates & resolves IT security problems; Handles breaches;

Question 157

DBA

Answer 157

Database Administrator; Creates & maintains large data repositories; Personnel capable of managing automated and large information repositories;

Question 158

DDoS

Answer 158

Distributed Denial of Service; Attack methodology involves a multitude of remotely controlled devices focusing upon a single target; Mass attack; Attacker leverages thousands/millions of zombies/bots to degrade a victim;

Question 159

DEP

Answer 159

Data Execution Prevention; Stops buffer overflows; An operating system memory management technique that prevents user data from overlapping into computer instructions;

Question 160

DoS

Answer 160

Denial of Service; Stopping operation; A one on one attack that causes access or utility to cease; Singular attackers seeks to make a resource unavailable;

Question 161

MSP

Answer 161

Managed Service Provider; Handle specific applications of IT; Specialty provider of IT services management contracted by a client;

Question 162

POODLE

Answer 162

Padding Oracle on Downgrade Legacy Encryption; An attack technique that could support confidentiality in SSL connection; Decryption threat;

Question 163

RAT

Answer 163

Remote Access Trojan; Backdoor placement; Software that implements illicit remote control software;

Question 164

ROI

Answer 164

Return on Investment; Cost divided by expense; Primary metric to be used when evaluating whether something is worth the time, effort, or cost;

Question 165

RMF

Answer 165

Risk Management Framework; NIST created framework; Paradigm that was promulgated by the US government;

Question 166

SCAP

Answer 166

Security Content Automation Protocol; Security Automation; Framework promoted by US govt to create open standards for automation of information assurance;

Question 167

SEH

Answer 167

Structured Exception Handler; Memory Corruption; facility within windows that identifies memory corruption and contingencies;

Question 168

SLE

Answer 168

Single Loss Expectancy; Damage from one incident; The value of an asset multiplied by the exposure factor (EF); One time cost;

Question 169

AV

Answer 169

Asset Value; Cost of an asset; The value of an asset or its repair cost as measured in risk formulas;

Question 170

BSI

Answer 170

British Standards Institute; Engineering Standards; US engineering groups that defines various terms and standards;

Question 171

CBK

Answer 171

Common Body of Knowledge; ISC2 goals; Collection of topics related to information security professionals;

Question 172

CC

Answer 172

Common Criteria; Framework in which computer system users can specify their security functional & assurance requirements (SFRs & SARs respectively) in a security target (ST) & may be taken from Protection Profiles (PPs);

Question 173

CSF

Answer 173

Critical Success Factor; Important results; Necessary for an organization or project to achieve its mission;

Question 174

CVE

Answer 174

Common Vulnerabilities & Exposures; List of software flaws that is published by Mitre to act as a dictionary of known issues; Vulnerability list;

Question 175

DoDAF

Answer 175

Department of Defense Architecture Framework; Overview & details aimed to specific stakeholders; Provides visualization infrastructure for specific stakeholders concerns through viewpoints organized by various views;

Question 176

DPA

Answer 176

Data Protection Act; Provision about the processing of personal data; UK law that complements the GDRP;

Question 177

GDRP

Answer 177

General Data Protection Regulation; European Union’s;

Question 178

DSS

Answer 178

Decision Support Systems; Planning and organizational tool;

Question 179

EULA

Answer 179

End-user Licensing Agreement; Terms of use; type of software agreement;

Question 180

FIPS

Answer 180

Federal Information Processing Standard; Federal requirements; Openly announced standards developed by the US Govt for use in computer systems or network;

Question 181

HSPD

Answer 181

Homeland Security Presidential Directive; Presidential commands; issues by presidents involving foreign, military, & domestic policies;

Question 182

IA

Answer 182

Information Assurance; Securing computers & other information; The orgs function associated with assessing & managing risk so as to reduce it to an acceptable level;

Question 183

IAB

Answer 183

Internet Architecture Board; Architectural oversight of IEFT; seeks to improve the Internet by providing high quality technical documents & guidance in the way the internet is used and managed;

Question 184

IAM

Answer 184

Information Assurance Management; In charge of IT; Management personnel associated with defense of IT resources;

Question 185

IAM

Answer 185

Identity & Access Management; Granting or blocking access; An organizational function associated with creating & managing digital identities;

Question 186

IAT

Answer 186

Information Assurance Technical; Hands on IT security; Technical person associated with the defense of IT resources;

Question 187

IEC

Answer 187

International Electrotechnical Commission; Electrical & electronic standards; Covers vast range of technologies from power generation, transmission, & distribution to home appliance and office equipment;

Question 188

IP

Answer 188

Intellectual Property; Proprietary stuff; Plans, designs, creative works of human thought that have value;

Question 189

ISMS

Answer 189

Information Security Management Systems; Standards body; Cohesive set of policies, plans, & procedures for an org;

Question 190

ITIL

Answer 190

Information Technology Infrastructure Library; Linking business & technology; groups of practices for IT service mgmt. that focuses on creating synergy between IT services & business requirements;

Question 191

ITSEC

Answer 191

Information Technology Security Evaluation Criteria; Security evaluation; Organized set of criteria for evaluating computer security within products & systems;

Question 192

IV&V

Answer 192

Independent Verification & Validation; Objective assurance; Ensuring a product, service, or system meets specified requirements and designs;

Question 193

KEDB

Answer 193

Known-Error Database; Compendium of problems with solutions; Collection of problems that are successfully diagnosed & which either a work around or a perm solution has been determined;

Question 194

KMS

Answer 194

Key Management Server; Licensing; Provide software activation through a central system to handle compliance;

Question 195

MDC

Answer 195

Modification Detection Codes; Hashing; Mathematical algorithm designed to create message digest that can be used to indicate when a message has been altered;

Question 196

OEM

Answer 196

Original Equipment Manufacturer; An org/company that manufactures parts & components that may be marketed by other companies; “Third-party products”;

Question 197

PDCA

Answer 197

Plan-Do-Check-Act; Continuous improvement; Iterative four step management system designed to facilitate control & improvement;

Question 198

PP

Answer 198

Protection Profile; Certifification document; Element of the CC that specifies evaluation criteria to validate the security claims of a product;

Question 199

SABSA

Answer 199

Sherwood Applied Business Security Architecture: Security framework; Methodology for enterprise architecture & management of security services;

Question 200

TCSEC

Answer 200

Trusted Computer System Evaluation Criteria; Standard IT security verification; US DoD standard for assessing the effectiveness of computer security;

Question 201

TOC/TOU

Answer 201

Time of check/Time of use; Problem with race condition vulnerability; Problematic time period of time between the time at which a resource is set or known and the time at which it is ultimately used;

Question 202

TOE

Answer 202

Target of Evaluation; Item being inspected; System or application that is being subjected to detailed examination & analysis for security features;

Question 203

TOGAF

Answer 203

The Open Group Architecture Framework; Enterprise architecture for design, planning, implementing, & governing IT; Four level framework for modeling the business, application, data, & technology;