Domain 1

Question 1

What is the CIA Triad

Answer 1

1. Confidentiality
2. Integrity
3. Availability

Question 2

Achieving CIA Best Practices

Answer 2

1. Separation of Duties
2. Mandatory Vacations
3. Job Rotation
4. Least Privilege
5. Need-to-know
6. Dual Control

Question 3

BIA

Answer 3

Business Impact Analysis

Question 4

Define RTO

Answer 4

Planned recovery time. The amount of time allocated for a recovery plan to be executed

Question 5

WRT

Answer 5

Work Recovery Time

Question 6

Define WRT

Answer 6

The time needed to test and make sure everything is ready to go into live production environment

Question 7

SLO

Answer 7

Service Level Objective

Question 8

Define SLO

Answer 8

The level of Service a business needs to recover to in order to meet contractual requirements

Question 9

RTO

Answer 9

Recovery Time Objective

Question 10

COOP

Answer 10

Continuation of Operations

Question 11

Define COOP

Answer 11

Focuses on delivering “something”, even if not optimal, while recovering critical systems to nominal

Question 12

MTD

Answer 12

Maximum Tolerable Downtime

Question 13

Define MTD

Answer 13

Amount of time we can be without a critical business function before business can no longer function from pain (pain of loss)

Question 14

MTO

Answer 14

Maximum Tolerable Outage

Question 15

Define MTO

Answer 15

The amount of time business can operate in recovery mode. May be limited by resources or constraint of inventory (example fuel in generators)

Question 16

Steps of BIA

Answer 16

1. Inventory and Define Assets (critical assets)
2. Learn the business (understand what it does)
3. Identify critical business functions
4. Total list, critical and not of assets and their function
5. Derive Plans - Create different plans for management to select from

Question 17

Risk Management Constraints

Answer 17

Time and budget

Question 18

Opposite of CIA Triad (DAD)

Answer 18

Disclosure, Alteration, Destruction

Question 19

Protection Mechanisms

Answer 19

1. Layering (defense in Depth)
2. Abstractions
3. Encryption

Question 20

Security Control Categories

Answer 20

1. Directive (administrative) -mandated requirements
2. Deterrent - Reduces someone’s will to attack
3. Preventative - Controls to prohibit activity
4. Detective - Recognize hostile activity
5. Corrective - Reacts to a situation to stop and restore 5. Recovery - restore operations to known good state

Question 21

Define Risk Management

Answer 21

Process of identifying, examining, measuring, mitigating, or transferring (sharing) risk

Question 22

Risk Terminology

Answer 22

Asset - Anything of value to a company
Vulnerability - a weakness; the absence of a safeguard
Threat - Things that could pose a risk to an asset
Threat agent - The entity which carries out attack
Exploit - An instance of compromise

Question 23

Popular Security Frameworks

Answer 23

ISO 27001/27002
COBIT
ITIL
RMF
CSA STAR

Question 24

ISO 27001

Answer 24

ISO 27001 is known as the information security management system (ISMS) and is a comprehensive, holistic view of security governance within and organization, mostly focused on policy

Question 25

ISO 27002

Answer 25

ISO 27002 is a comprehensive list of security controls that can be applied to an organization; the organization uses ISO 27002 to select the controls appropriate to its own ISMS, which the organization designs according to ISO 27001

Question 26

COBIT

Answer 26

The COBIT framework (currently COBIT 5) is designed as a way to manage and document enterprise IT and IT security functions for an organization. COBIT widely uses a governance and process perspective for resource management and is intended to address IT performance, security operations, risk management, and regulatory compliance.

Question 27

ITIL

Answer 27

“concentrates on how an organization’s IT environment should enhance and benefit its business goals. ITIL is also mapped to the ISO 20000 standard, perhaps the only non-ISO standard to have this distinction”

Question 28

RMF

Answer 28

NIST, the U.S. National Institute of Standards and Technology, publishes two methods that work in concert (similar to how ISO 27001 and 27002 function);

Risk Management Framework (RMF), and the applicable list of security and privacy controls that goes along with it (respectively, these documents are Special Publications (SPs) 800-37 and 800-53).

Required to be followed by federal agencies in the United States,

Question 29

CSA STAR

Answer 29

Cloud Security Alliance (CSA) publishes standards and tools for industry and practitioners, at no charge. The CSA also hosts the Security, Trust, and Assurance Registry (STAR), which is a voluntary list of all cloud service providers who comply with the STAR program framework and agree to publish documentation on the STAR website attesting to compliance

“STAR framework is a composite of various standards, regulations, and statutory requirements from around the world, covering a variety of IT security. Three tiers

Question 30

Three Tiers of STAR Framework

Answer 30

Tier 1. Only requires vendor self-assessment, uses CAIQ

Tier 2. Assessment of the organization by an external auditor certified by CSA to perform CAIQ audits

Tier 3. will require continuous monitoring of the target organization by independent, certified entities

Question 31

Due Care

Answer 31

“a legal concept pertaining to the duty owed by a provider to a customer. In essence, a vendor has to engage in a reasonable manner so as not to endanger the customer: the vendor’s products/services should deliver what the customer expects, without putting the customer at risk of undue harm.”

Question 32

Due Diligence

Answer 32

“is any activity used to demonstrate or provide due care. Using the previous example, the car vendor might engage in due diligence activities such as quality control testing (sampling cars that come off the production line for construction/assembly defects), subjecting itself to external safety audit, prototype and regular safety testing”

Question 33

Samples of Types of Vulnerabilities

Answer 33

1. Software
2. Physical
3. Personnel

Question 34

Two Risk Analysis Categories

Answer 34

Qualitative, Quantitative

Question 35

Define Qualitative

Answer 35

A subjective approach to risk analysis. The organization should opt for this method when the organization does not have a sufficient availability of time, budget, or personnel trained in risk analysis to put toward the effort.

Question 36

Define Quantitative

Answer 36

An objective approach to risk analysis; the quantitative method should produce objective, discrete numeric values. The organization should opt for this method when it has sufficient time, budget, and personnel trained in risk analysis to put toward the effort.

Question 37

General Risk Management Options

Answer 37

Avoidance, Acceptance, Mitigation, Transference

Question 38

Remaining risk after risk management efforts is called

Answer 38

Residual risk

Question 39

ALE

Answer 39

Annual Loss Expectancy
(ex. if ARO is 1000 and SLE is 5 then;
ALE = 1000*5; ALE = 5000)

Question 40

SLE

Answer 40

Single Loss Expectancy

ex. a single incident you expect $5 in loss

Question 41

ARO

Answer 41

Annual (annualized) Rate of Occurrence

Question 42

What is the loss expectancy model (equation)

Answer 42

ALE = ARO * SLE

Question 43

EF

Answer 43

Exposure Factor

Question 44

AV

Answer 44

Asset Value

Question 45

how is SLE calculated

Answer 45

SLE = AV * EF

Question 46

Define ARO

Answer 46

Number of times per year a given impact is expected expressed as a number.

(ex1. 1000 events in the course of a yr is 1000/1; is 1000)
(ex. once every 50 years is 1/50 so; ARO = .02)

Question 47

Define Defense in Depth (Layered Defense)

Answer 47

Using multiple types of security controls to prevent single failures, and improve likelihood to stop attacks

Question 48

SCA

Answer 48

Security Control Assessment

Question 49

Define SCA

Answer 49

“a plan and process for determining the proper function and management of controls is necessary and should be customized to the needs of the organization. This is very similar to an audit with specific focus on security controls and includes performance of those controls”

Question 50

Control Assessment Techniques

Answer 50

Vulnerability Assessment

Penetration Test

Question 51

What NIST Special Publication is 800-37

Answer 51

RMF (publication)

Question 52

S.T.R.I.D.E

Answer 52

Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Escalation of Privilege's

Question 53

What are the Threat Modeling Concepts

Answer 53

STRIDE, DREAD, MART

Question 54

D.R.E.A.D.

Answer 54

Damage
Reproducibility
Exploitability
Affected
Discoverability

Question 55

M.A.R.T.

Answer 55

Mitigate
Accept
Reject
Transfer

Question 56

SLA

Answer 56

Service Level Agreement

Question 57

GDPR

Answer 57

General Data Protection Regulation

Question 58

Define GDPR

Answer 58

European Union privacy protection Act

Question 59

Define HIPPA

Answer 59

American federal law that impacts medical privacy

Question 60

GLBA Graham-Leach-Bliley Act

Answer 60

US law that allows banks to merge with insurance providers for information

Question 61

Sarbanes-Oxley Act (SOX)

Answer 61

Law created to regulate fraud prevention and finances of publicly traded companies

Question 62

FISMA Federal Information Systems Management Act

Answer 62

Law applicable only to federal government to comply with NIST

Question 63

Computer Related Crimes

Answer 63

Malware
Unauthorized Access
Ransomware
Theft
Illegal Use of Source (botnet, DDOS attacks)
Fraud

Question 64

Intangible Assets are called

Answer 64

Intellectual Property

Question 65

Modern Forms Of Licensing Include

Answer 65

Site Licensing
Per-seat Licensing
Shareware
Public Domain

Question 66

DRM

Answer 66

Digital Rights Management

Question 67

DRM Traits

Answer 67

Persistency, Dynamic policy control, Automatic expiration, continuous audit trail, interoperability

Question 68

Define Import/Export Controls

Answer 68

The controls to limit and monitor the Trans border passing of data, software and hardware. Protects US interest and intellectual property

Question 69

As of 2018, does US Adhere to GDPR

Answer 69

No

Question 70

Types of Laws

Answer 70

Criminal, 
Civil, 
Administrative, 
comprehensive crime act (1984)
Computer Fraud and Abuse act (1986)
Computer Security Act (1987)
Gov information security reform act (2000)
Federal information security Management Act (2002)

Question 71

Types of Intellectual Property

Answer 71

Copyright
Trademarks
Patents
Trade Secrets
Licensing

Question 72

6 steps of Risk Management Framework

Answer 72

1. Categorize information systems
2. Select security controls
3. Implement security controls
4. Assess controls
5. Authorize system
6. Monitor controls

Question 73

Risk Value Equation

Answer 73

Risk Value = Probability * Impact

Question 74

Security Governances

Answer 74

ISO 27000 Series
COBIT 
COSO
OCTAVE
ITIL