Domain 1

Question 1

What are the three main components of the CIA Triad?

Answer 1

Confidentiality Integrity Availability

Question 2

What does confidentiality aim to prevent?

Answer 2

Unauthorized access to data.

Question 3

How can confidentiality be ensured?

Answer 3

Through measures like encryption access control and data classification.

Question 4

What is the focus of integrity in the CIA Triad?

Answer 4

Maintaining the reliability and correctness of data.

Question 5

What are some examples of integrity violations?

Answer 5

Unauthorized alterations errors in coding and malicious modifications.

Question 6

What is the goal of availability?

Answer 6

To ensure authorized access to objects without interruption.

Question 7

What threats does availability protect against?

Answer 7

Denial-of-service attacks device failures and environmental issues.

Question 8

What is the DAD Triad and how does it relate to the CIA Triad?

Answer 8

The DAD Triad represents Disclosure Alteration and Destruction highlighting security failures opposite to the goals of the CIA Triad.

Question 9

What is the risk associated with overprotection?

Answer 9

Excessive security measures can lead to constraints on availability or other security aspects.

Question 10

What does authenticity ensure?

Answer 10

Data originates from its claimed source verifying its integrity and preventing unauthorized alterations.

Question 11

What is the purpose of nonrepudiation in security?

Answer 11

To prevent denial of actions or events and hold subjects accountable for their actions.

Question 12

What are the elements of AAA services in security?

Answer 12

Identification Authentication Authorization and Accounting Auditing

Question 13

What does encryption achieve in security?

Answer 13

Hiding the meaning or intent of communication from unintended recipients.

Question 14

What are security boundaries and why are they important?

Answer 14

Lines between areas with different security requirements crucial for controlling the flow of information and deploying appropriate security mechanisms.

Question 15

What is the key principle behind defense in depth?

Answer 15

Using multiple security controls in a series to protect against various threats.

Question 16

What is abstraction in security?

Answer 16

Grouping similar elements and assigning security controls collectively for efficiency.

Question 17

How does data hiding contribute to security?

Answer 17

It prevents unauthorized access to data by positioning it in a compartment not accessible to unauthorized subjects.

Question 18

What is security governance?

Answer 18

Practices related to supporting, evaluating, defining, and directing security efforts within an organization.

Question 19

How is security governance ideally performed within an organization?

Answer 19

Ideally performed by a board of directors but smaller organizations may have the CEO or CISO oversee these activities.

Question 20

What is the importance of external sources in security governance?

Answer 20

Provide knowledge and insight against which the organization’s security processes and infrastructure are compared.

Question 21

What are some factors that impose governance on organizations?

Answer 21

Legislative and regulatory compliance needs industry guidelines or license requirements.

Question 22

What is the role of documentation review in governance and third parties?

Answer 22

Ensures that exchanged materials meet standards and expectations before on-site inspections reducing the risk of non-compliance.

Question 23

Why is third-party governance important?

Answer 23

Third-party governance ensures that external entities comply with security objectives requirements regulations and contractual obligations minimizing additional risks to the primary organization.

Question 24

What are the consequences of inadequate documentation in third-party governance?

Answer 24

Inadequate documentation can result in the loss or voiding of authorization to operate (ATO) requiring a complete documentation review and on-site inspection for reestablishment.

Question 25

How does risk management relate to documentation review?

Answer 25

Documentation review ensures that business tasks systems and methodologies support security goals through vulnerability reduction and risk mitigation.

Question 26

What does managing the security function entail?

Answer 26

Involves evaluating and improving security over time through proper governance; risk assessment; measurable security; and metrics evaluation.

Question 27

How should security planning align with business strategy?

Answer 27

Aligns with organizational strategy; goals; and objectives. Business cases are used to justify security initiatives; and a top-down approach is preferred for effective security management planning.

Question 28

What needs to be autonomous to avoid internal politicl issues?

Answer 28

The information Security Team for effective security management.

Question 29

Describe the different types of security plans.

Answer 29

Security plans include strategic plans (long-term); tactical plans (mid-term); and operational plans (short-term); each focusing on specific objectives and timelines.

Question 30

What are elements of security planning?

Answer 30

defining security roles; how security will be managed; responsibilities; testing for effectiveness; policies; education.

Question 31

What organizational processes should security governance address?

Answer 31

All aspects of organization including acquisitions; mergers; divestitures; etc.

Question 32

What are the key security roles within an organization?

Answer 32

Senior manager; security professional; asset owner; custodian; user; and auditor.

Question 33

Name some widely recognized security control frameworks.

Answer 33

COBIT; NIST; CIS; ISO/IEC; and ITIL; each providing guidelines and best practices for IT security management.

Question 34

What disproves negilgence in management?

Answer 34

Due diligence and due care

Question 35

What is a Security Policy?

Answer 35

It defines the scope of security needed by an organization outlines strategic objectives and goals assigns responsibilities and specifies compliance requirements and acceptable risk levels.

Question 36

What are the components of security documentation below Security Policies?

Answer 36

Standards Baselines and Guidelines.

Question 37

Define Standards in security documentation.

Answer 37

Compulsory requirements for hardware software technology and security controls within an organization.

Question 38

What is the purpose of Baselines in security documentation?

Answer 38

Establish a minimum level of security that all systems must meet providing a foundational secure state.

Question 39

Explain Guidelines in the context of security documentation.

Answer 39

Offer recommendations on implementing standards and baselines providing flexibility for customization based on unique system conditions.

Question 40

What do Security Procedures entail?

Answer 40

Detailed step-by-step documents describing actions necessary to implement specific security mechanisms controls or solutions.

Question 41

Why is it beneficial to keep security documentation separate?

Answer 41

This allows for tailored access to different users and makes it easier to update and redistribute affected material without overhauling entire policies.

Question 42

What role does security documentation play in an organization?

Answer 42

Guides decisions; training; problem-solving; and future expansion; supporting real-world security in a directed efficient and specific manner.

Question 43

What is threat modeling?

Answer 43

Involves identifying categorizing and analyzing potential threats to a system or product.

Question 44

What are defensive or proactive measures in threat modeling?

Answer 44

Involve threat modeling during design and development.

Question 45

What is reactive or adversarial threat modelling?

Answer 45

Threat modelling after deployment

Question 46

Name three methods for identifying threats.

Answer 46

Focusing on assets; attackers; or software.

Question 47

What is the STRIDE model used for in threat modeling?

Answer 47

The STRIDE model categorizes threats into Spoofing; Tampering; Repudiation; Information Disclosure; Denial of Service; and Elevation of Privilege.

Question 48

Describe the Process for Attack Simulation and Threat Analysis (PASTA).

Answer 48

Risk-centric methodology involving seven stages for threat modeling.

Question 49

What does VAST stand for and what is its purpose?

Answer 49

VAST stands for Visual Agile and Simple Threat and it integrates threat and risk management into Agile programming environments.

Question 50

What is the purpose of creating diagrams in threat modeling?

Answer 50

Visualize potential attack concepts and data flow within a system.

Question 51

What is reduction analysis in threat modeling?

Answer 51

This involves decomposing the application system or environment to understand its internal components and interactions.

Question 52

How are threats prioritized in threat modeling?

Answer 52

Threats are prioritized based on factors such as probability and damage potential.

Question 53

Name a risk assessment technique used in threat modeling.

Answer 53

The DREAD system which assesses Damage Potential; Reproducibility; Exploitability; Affected Users; and Discoverability.

Question 54

What is Supply Chain Risk Management (SCRM)?

Answer 54

Ensures the reliability security and integrity of the supply chain

Question 55

Why is it important to establish minimum security requirements within the supply chain?

Answer 55

Establishing minimum security requirements ensures that each entity within the supply chain meets or exceeds expected security levels

Question 56

What are Service-Level Requirements (SLRs) and how are they used in supply chain management?

Answer 56

They define the expected service and performance levels from vendors often incorporated into Service Level Agreements (SLAs) to ensure security and performance standards are met.