Design Requirements Flashcards
Which of the following is the best example of a physical control? A. Carpets B. Ceilings C. Doors D. Fences
D. Fences are physical controls; carpets and ceilings are architectural features, and a door is not necessarily a control: the lock on the door would be a physical security control. Although you might think of a door as a potential answer, the best answer is the fence; the exam will have questions where more than one answer is correct, and the answer that will score you points is the one that is most correct.
In which cloud service model is the customer required to maintain the OS? A. CaaS B. SaaS C. PaaS D. IaaS
D. In IaaS, the service is bare metal, and the customer has to install the OS and the software; the customer is then responsible for maintaining that OS. In the other models, the provider installs and maintains the OS.
What is an experimental technology that is intended to create the possibility of processing encrypted data without having to decrypt it first? A. Homomorphic B. Polyinstantiation C. Quantum-state D. Gastronomic
A. Homomorphic encryption hopes to achieve that goal; the other options are terms that have almost nothing to do with encryption.
Gathering business requirements can aid the organization in determining all of these facets of organizational assets except: A. Full inventory B. Usefulness C. Value D. Criticality
B. When we gather information about business requirements, we need to do a complete inventory, receive an accurate valuation of assets (usually from the owners of those assets), and assess criticality. However, this collection of information does not objectively tell us how useful an asset is.
To protect data on user devices in a BYOD environment, the organization should consider requiring all the following except: A. DLP agents B. Local encryption C. Multifactor authentication D. Two-person integrity
D. Although all the other options are ways to harden a mobile device, two-person integrity is a concept that has nothing to do with the topic and, if implemented, would require everyone in your organization to walk around in pairs while using their mobile devices.
Risk appetite for an organization is determined by which of the following? A. Reclusion evaluation B. Senior management C. Legislative mandates D. Contractual agreement
B. Senior management decides the risk appetite of the organization. There is no such thing as “reclusion evaluation.” Legislative mandates (laws) do not tell an organization which risks are acceptable except in very, very specific industries, and those are outliers. Contracts don’t dictate acceptable risk for an organization; the organization should use its risk appetite to guide how it crafts contracts.
Devices in the cloud data center should be secure against attack. All the following are means of hardening devices except which? A. Using a strong password policy B. Removing default passwords C. Strictly limiting physical access D. Removing all admin accounts
D. Although the rest of the options are good tactics for securing devices, we can’t remove all admin accounts; the device will need to be administered at some point, and that account needs to be there. This question is good practice for the exam, where every word in each question and each answer is important.
The BIA can be used to provide information about all the following elements except which? A. Risk analysis B. Secure acquisition C. BC/DR planning D. Selection of security controls
B. The BIA determines the criticality and value of assets, and that information feeds risk analysis, BC/DR planning, and the selection of security controls. It does not provide information about secure acquisition.
In a cloud environment, encryption should be used for all the following except:
A. Long-term storage of data
B. Near-term storage of virtualized images
C. Secure sessions/VPN
D. Profile formatting
D. All of these activities should incorporate encryption except for profile formatting, which is a made-up term.
In attempting to provide a layered defense, the security practitioner should convince senior management to include security controls of which type? A. Technological B. Physical C. Administrative D. All of the above
D. Layered defense calls for a diverse approach to security.
All the following are ways of addressing risk except: A. Acceptance B. Reversal C. Mitigation D. Transfer
B. Reversal is not a method for handling risk.
The process of hardening a device should include all the following except: A. Improve default accounts B. Close unused ports C. Delete unnecessary services D. Strictly control administrator access
A. We don’t want to improve default accounts—we want to remove them. All the other options are steps we take to harden devices.
Which of the following is considered a technological control? A. Firewall software B. Fireproof safe C. Fire extinguisher D. Firing personnel
A. A firewall is a technological control. The safe and extinguisher are physical controls, and firing someone is an administrative control.
Which of the following best describes risk?
A. Preventable
B. Everlasting
C. The likelihood that a threat will exploit a vulnerability
D. Transient
C. Option C is the definition of risk—and risk is never preventable. It can be obviated, attenuated, reduced, and minimized, but never completely prevented. Any particular, specific risk may be everlasting or transient, but it’s not the case that all risks could be described by either of these terms.
The cloud customer and provider negotiate their respective responsibilities and rights regarding the capabilities and data of the cloud service. Where is the eventual agreement codified? A. RMF B. Contract C. MOU D. BIA
B. The contract codifies the rights and responsibilities of the parties involved upon completion of the negotiation. The RMF aids in risk analysis and design of the environment. A memorandum of agreement/understanding (MOA/MOU) is shared between parties for a number of possible reasons. The BIA aids in risk assessment, BC/DR efforts, and selection of security controls by determining the criticality and value of assets.