Domain 1: Everything Else

Question 1

• When a user cannot deny having performed a certain action on a system.
• Both authentication and integrity are combined.

Answer 1

Nonrepudiation

Question 2

Users should be granted the minimum amount of access required to do their jobs no more.

Answer 2

Least privilege

Question 3

Users must know a specific piece of info before accessing it.

Answer 3

Need to know

Question 4

• Term used to describe an active entity on a system.

- Users and computer programs can be labeled this as well.

Answer 4

Subjects

Question 5

Term used to describe data on a system

Answer 5

Objects

Question 6

Multiple safeguards are put into place in order to protect an asset. Safeguards aka controls are measures taken to reduce risks

Answer 6

Defense in Depth

Question 7

What are some auditing frameworks for the purpose of a security assessment?

Answer 7

SOC1 and SOC2

Question 8

• Report that covers internal controls over financial reporting.
• Gives your company’s user entities some assurance that their financial information is being handled safely and securely

Answer 8

SOC1

Question 9

Focuses on implemented security controls in relation to availability security, integrity privacy, and confidentiality

Answer 9

SOC2

Question 10

A thirty-party is brought in to review the practices of the service provider and make a statement regarding their security posture

Answer 10

Attestation

Question 11

Documents provided that give written approval to the security company to perform pen test or audit the organization network.

Answer 11

Right to penetration test/right to audit

Question 12

Process of acquiring products or services from a third party

Answer 12

Procurement

Question 13

Ensures that the business is continually getting sufficient quality from its third-party vendors

Answer 13

Vendor Governance

Question 14

What are some steps taken before an acquisition of a company?

Answer 14

Due diligence of acquired company’s current cybersecurity program and assessment of current network security.

Question 15

When one company is split into two or more companies

Answer 15

Divestitures

Question 16

What are security concerns relating to divestitures?

Answer 16

The split companies inadvertently maintaining duplicate accounts and passwords

Question 17

• “protect society, the commonwealth, and the infrastructure.”
• Security professionals are charred with the promotion of safe security practices and improvement of system infrastructure for the public good.
• (ISC)^2 Code of Ethics

Answer 17

First canon of (ISC)^2 Code of Ethics

Question 18

• “act honorably, honestly, justly, responsibly, and legally.”
• If laws from different jurisdictions are found to be in conflict. Then priority should be given to the jurisdiction in which services are being provided.
• (ISC)^2 Code of Ethics

Answer 18

Second canon of (ISC)^2 Code of Ethics

Question 19

• “provide diligent and competent service to principles.”
• Security professionals provide competent services for which he or she is qualified.
• (ISC)^2 Code of Ethics

Answer 19

Third canon of (ISC)^2 Code of Ethics

Question 20

• “advance and protect the profession.”
• Requires security professionals to maintain their skills and advance the skills and knowledge of others.
• (ISC)^2 Code of Ethics

Answer 20

Fourth canon of (ISC)^2 Code of Ethics

Question 21

A document defined by the RFC regarding the expected ethical behavior on the internet.

Answer 21

Internet Activities Board (IAB) Code of Ethics

Question 22

According to the Internet Activities Board (IAB) what are some examples of unethical behavior?

Answer 22

Someone who purposely:
Seeks to gain unauthorized access to a resource
Disrupt the intended use of the internet
Wastes resources (people, capacity, computer) through such actions
Destroy the Integrity of computer-based information
Compromises to privacy of users

Question 23

The collection of practices related to supporting, defining and directing the security efforts of an organization

Answer 23

Security Governance

Question 24

• High-level management directives

- Mandatory document

Answer 24

Policies

Question 25

• A step-by-step guide for accomplishing a task.

- Mandatory document

Answer 25

Procedures

Question 26

• Describes the specific use of technology, often applied to hardware and software.
• Mandatory document

Answer 26

Standards

Question 27

• Are best practices.

- Discretionary document

Answer 27

Guidelines

Question 28

• Uniform ways of implementing a standard

- Discretionary document

Answer 28

Baselines

Question 29

• Intended to change user behavior

- i.e. reminding users to never write their passwords down

Answer 29

Security awareness

Question 30

Intended to teach a user how to do something

Answer 30

Security Training

Question 31

Use of a third party to provide IT support services that were once done in-house.

Answer 31

Outsourcing

Question 32

• Outsourcing to another country.

- One problem here that will require due diligence is understanding the industry regulations of the other country.

Answer 32

Offshoring

Question 33

• Control Category

- Are implemented by creating and following organizational policy, procedure or regulation

Answer 33

Administrative Controls

Question 34

• Control Category
• Are implemented using software, hardware, or firmware that restricts access on an IT system
• i.e. firewalls, encryption, ACLs, protocols, IDS, clipping levels etc..

Answer 34

Logical/Technical Controls

Question 35

• Control Category

- Are implemented with physical devices ( i.e. locks, fences, gates and security guards)

Answer 35

Physical controls

Question 36

• Control that restricts or stops unwanted or unauthorized activity from occurring
• i.e. fences, locks, biometrics, mantraps, lighting, alarm systems, separation-of-duties policies, job rotation policies, data classification, penetration testing, access control methods, encryption, auditing and etc…

Answer 36

Preventive Access Control

Question 37

• Control that attempts to discover or detect unwanted or unauthorized activity.
• i.e. security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation policies, mandatory vacation policies, audit trails, honeypots or honeynets, intrusion detection systems, violation reports and etc…

Answer 37

Detective Access Control

Question 38

• Control that modifies the environment to return systems to normal after unwanted security incident has occurred
• i.e. Antivirus that remove or quarantine virus, IPS, backup and restore plans

Answer 38

Corrective Access Control

Question 39

• Control that restores the functionality of a system after a security incident.
• i.e. Reimage, backup and restore fault-tolerate drives

Answer 39

Recovery Access Control

Question 40

• Control used to discourage people from performing actions that violate security policy
• i.e. Banner messages, policies, security awareness training, locks, fences, security badges, guards, mantraps, and security cameras.

Answer 40

Deterrent Access Control

Question 41

• Control put in place to temporary alleviate the weaknesses in another control
• i.e. Security policy dictating that smartcards be used for all employees, this process may take awhile to implement. In the meantime, hardware tokens are issues out instead

Answer 41

Compensating Access Control

Question 42

• Control that attempts to confine or control the actions of users to force or encourage compliance with security policies
• i.e. security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures.

Answer 42

Directive Access Control

Question 43

• Type of third-party auditing report
• Provides a description of the controls provided by the audited organization as well as the auditor’s opinion based upon that description.
• Cover a single point in time and do not involve actual testing of the controls by the auditor.

Answer 43

Type I

Question 44

• Type of third-party auditing report
• Cover a minimum six-month time period and also include an opinion from the auditor on the effectiveness of those controls based upon actual testing performed by the auditor.

Answer 44

Type II

Question 45

Which auditing report types are considered more reliable?

Answer 45

Type II reports

Type I reports simply take the audited organization at their word that the controls are implemented as described