Domain 1 Flashcards
Security Principles
A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of a _____ control.
Management/Administrative control
Which region enacted comprehensive legislation addressing personal privacy in 2016?
European Union
(In 2016, the European Union passed comprehensive legislation addressing personal privacy, deeming it an individual human right)
What is the purpose of implementing security controls in the risk management process?
To mitigate the risk to an acceptable level
If a pickpocket is a threat, what would be their attack vector?
Their technique and approach
What term is used to refer to information that, when combined with other pieces of data, narrows the set of people it could describe until a specific individual can be identified?
Personally Identifiable Information (PII)
How do companies that offer identity theft insurance manage their own financial risk?
By calculating premium payments against potential payouts
What potential risk can occur when a remote worker’s laptop is left unattended or unlocked?
Accidental introduction of unauthorized software with malware
Multifactor authentication involves using two or more instances of different authentication factors.
Which of the following are widely accepted authentication factors?
Something you are, something you know (and something you have)
While taking the certification exam, you notice another candidate cheating.
What should you do?
Report the candidate to ISC2
In the United States, which act governs the privacy of medical information?
HIPAA
What is an “asset” in the context of risk management terminology?
Something in need of protection
Who is responsible for determining risk tolerance in an organization?
Executive management and board of directors
What action is suggested to mitigate the risk associated with a threat?
Evaluate the likelihood of the event and take appropriate actions to mitigate the risk
Which regulation grants data protection and control to individuals within the EU, regardless of citizenship?
General Data Protection Regulation (GDPR)
What role might security professionals play in risk assessment at a system level?
Assisting in the system-level risk assessment, e.g., identifying threats and vulnerabilities and evaluating the controls planned or in place
Who is responsible for identifying risks within an organization?
Employees at all levels of the organization
Procedures are
the detailed steps to complete a task that support departmental or organizational policies
Policies are
put in place by organizational governance, such as executive management, to provide guidance in all activities to ensure that the organization supports industry standards and regulations
Standards are
often used by governance teams to provide a framework to introduce policies and procedures in support of regulations
Regulations are
commonly issued in the form of laws, usually from government (not to be confused with governance), and typically carry financial penalties for non-compliance
Bot
Malicious code that acts like a remotely controlled “robot” for an attacker, with other Trojan and worm capabilities
Criticality
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function
Data Integrity
The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing and while in transit
General Data Protection Regulation (GDPR)
In 2016, the European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right
Integrity
The property of information whereby it is recorded, used and maintained in a way that ensures its completeness, accuracy, internal consistency and usefulness for a stated purpose
International Organization for Standardization (ISO)
The ISO develops voluntary international standards in collaboration with its partners in international standardization, the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU), particularly in the field of information and communication technologies
Internet Engineering Task Force (IETF)
The internet standards organization, made up of network designers, operators, vendors and researchers, that defines protocol standards (e.g., IP, TCP, DNS) through a process of collaboration and consensus
Multi-Factor Authentication
Using two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification
National Institute of Standards and Technology (NIST)
NIST is part of the U.S. Department of Commerce and addresses the measurement infrastructure within science and technology efforts of the U.S. federal government. NIST sets standards in a number of areas, including information security, through the Computer Security Resource Center of its Computer Security Division
Non-repudiation
The inability to deny taking an action such as creating information, approving information and sending or receiving a message.
Personally Identifiable Information (PII)
The National Institute of Standards and Technology (NIST) defines Personally Identifiable Information (PII) as any data that can distinguish or trace an individual’s identity, including common identifiers like name and Social Security number, as well as other information linked to an individual such as biometric records, medical, educational, financial, and employment information.
Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many ____ control systems are linked to technical/logical systems, such as badge readers connected to door locks
Physical controls
Protected Health Information (PHI)
Information regarding health status, the provision of healthcare or payment for healthcare as defined in HIPAA (Health Insurance Portability and Accountability Act)
Qualitative Risk Analysis
A method for risk analysis that is based on the assignment of a descriptor such as low, medium or high
Quantitative Risk Analysis
A method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain
Risk Acceptance
Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action
Risk Assessment
The process of identifying and analyzing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals and other organizations. The analysis performed as part of risk management which incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.
Risk Avoidance
Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.
Risk Management
The process of identifying, evaluating and controlling threats, including all the phases of risk context (or frame), risk assessment, risk treatment and risk monitoring.
Risk Management Framework
A structured approach used to oversee and manage risk for an enterprise
Risk Mitigation
Putting security controls in place to reduce the possible impact and/or likelihood of a specific risk
Risk Tolerance
The level of risk an entity is willing to assume in order to achieve a potential desired result. Risk threshold, risk appetite and acceptable risk are also terms used synonymously with risk tolerance
Risk Transference
Paying an external party to accept the financial impact of a given risk
Risk Treatment
The determination of the best way to address an identified risk
Sensitivity
A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection
Single-Factor Authentication
Use of just one of the three available factors (something you know, something you have, something you are) to carry out the authentication process being requested
System Integrity
The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental
Technical Controls
Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system
Threat Vector
The means by which a threat actor carries out their objectives
Token
A physical object a user possesses and controls that is used to authenticate the user’s identity
Institute of Electrical and Electronics Engineers
IEEE is a professional organization that sets standards for telecommunications, computer engineering and similar disciplines.
What is the primary purpose of the ISC2 Code of Ethics?
Ensuring the safety and welfare of society and the common good
What type of authentication process is used at an ATM with a bank card and a PIN?
Two-factor authentication (something you have: the card; something you know: the PIN)
Kristal is the security administrator for a large online service provider. Kristal learns that the company is harvesting the personal data of its customers and sharing the data with local governments where the company operates, without the knowledge of the users, to allow the governments to persecute users on the basis of their political and philosophical beliefs.
The published user agreement states that the company will not share personal user data with any entities without the users’ explicit permission.
According to the ISC2 Code of Ethics, to whom does Kristal ultimately owe a duty in this situation?
The users
In e-commerce and electronic transactions, what does non-repudiation protect against?
Falsely denying transactions
What type of cyber attack often targets the availability of data?
Ransomware attacks
What is meant by non-repudiation?
If a user does something, they can’t later claim that they didn’t do it
What does knowledge-based authentication involve?
Differentiating between authorized and unauthorized users using a passphrase or secret code
What is the purpose of using a risk matrix?
To prioritize risks based on likelihood and impact
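The qualitative risk matrix and the quantitative cards above (descriptor scores on one hand, monetized loss times likelihood on the other) can be worked through as a small decision procedure. The block below is an added example, not part of the ISC2 material: it scores risks on an assumed three-level matrix, computes Single Loss Expectancy (SLE = asset value x exposure factor) and Annualized Loss Expectancy (ALE = SLE x ARO), and then applies the treatment options from the deck: accept when ALE is within tolerance, mitigate when a control brings ALE within tolerance and its annual cost is less than the loss it prevents, otherwise transfer or avoid. All asset values, rates and control costs are constructed for illustration.

```python
"""Worked risk analysis: qualitative risk matrix plus quantitative ALE.

Added example (not from the course). Figures are constructed, not real data.
"""
from dataclasses import dataclass

# Qualitative analysis: descriptor -> ordinal score (assumed 3-level scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}


def matrix_score(likelihood: str, impact: str) -> int:
    """Risk matrix cell value: likelihood score times impact score."""
    return LEVELS[likelihood.lower()] * LEVELS[impact.lower()]


def prioritize(risks):
    """Order (name, likelihood, impact) tuples from highest to lowest priority."""
    return sorted(risks, key=lambda r: matrix_score(r[1], r[2]), reverse=True)


# Quantitative analysis: numerical impact and likelihood.
@dataclass(frozen=True)
class QuantRisk:
    name: str
    asset_value: float      # monetized value of the asset
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


def recommend_treatment(risk: QuantRisk, control_annual_cost: float,
                        aro_with_control: float, tolerance_ale: float):
    """Pick a risk treatment from ALE figures.

    tolerance_ale is the largest annual loss management is willing to carry
    (risk tolerance / appetite). Returns (treatment, ale_before, ale_after,
    net_benefit_of_control).
    """
    before = risk.ale()
    after = QuantRisk(risk.name, risk.asset_value,
                      risk.exposure_factor, aro_with_control).ale()
    # A control is worth buying only if it saves more than it costs.
    net_benefit = before - after - control_annual_cost
    if before <= tolerance_ale:
        return ("accept", before, after, net_benefit)
    if net_benefit > 0 and after <= tolerance_ale:
        return ("mitigate", before, after, net_benefit)
    # Control is not cost-effective or still leaves too much risk: shift the
    # financial impact (insurance) or stop the activity.
    return ("transfer or avoid", before, after, net_benefit)


if __name__ == "__main__":
    # Constructed sample register.
    qualitative = [("phishing", "high", "medium"),
                   ("data centre fire", "low", "high"),
                   ("unlocked laptop", "medium", "high")]
    for name, lik, imp in prioritize(qualitative):
        print(f"{name:18} {lik:6} {imp:6} score={matrix_score(lik, imp)}")

    laptop = QuantRisk("laptop theft", asset_value=5000,
                       exposure_factor=1.0, aro=2.0)
    # Full-disk encryption + tracking: assumed to cut ARO of loss to 0.25/year.
    print(recommend_treatment(laptop, control_annual_cost=1500,
                              aro_with_control=0.25, tolerance_ale=3000))
```

The tolerance figure comes from executive management (see the risk-tolerance card); the engineer supplies the ALE arithmetic and the control's cost, and the comparison of the two is what turns an assessment into a treatment decision.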
What measures would a trauma center be most likely to take to ensure zero tolerance for power failure?
Redundancy in emergency power supplies, battery backup, and generators
Which of the following is NOT one of the four typical ways of managing risk (avoidance, acceptance, mitigation, transference)?
Conflate
When a company chooses to ignore a risk and proceed with a risky activity, which treatment is being applied by default?
Acceptance
What is risk tolerance often likened to?
Risk appetite
Siobhan is deciding whether to make a purchase online; the vendor wants Siobhan to create a new user account and is requesting Siobhan’s full name, home address, credit card number, phone number, email address, the ability to send marketing messages to Siobhan, and permission to share this data with other vendors.
Siobhan decides that the item for sale is not worth the value of Siobhan’s personal information, and decides to not make the purchase.
Which risk treatment did Siobhan apply?
Avoidance
What is done with the result of the risk assessment process?
It is presented as a report or presentation to the management
What is an example of a physical control?
Walls, fences, guards, locks
Software security practitioners seek to maintain the CIA of systems and software based on business needs.
Which aspect of the CIA is focused on guaranteeing that authorized subjects are granted uninterrupted access to objects in a timely fashion?
Availability
What is the correct sequence of the elements in governance, starting from the highest level?
Regulations, standards, policies, procedures
Guillermo is the system administrator for a midsized retail organization. Guillermo has been tasked with writing a document that describes, step-by-step, how to securely install the operating system on a new laptop.
This document is an example of a ________.
Procedure