Domain 1 - part 3 Flashcards

1
Q

Controls implemented with or by automated or electronic systems: firewalls, electronic badge readers, access control lists. Another example would be routers.

A

technical/logical controls

2
Q

Controls implemented through a tangible mechanism: walls, fences, guards, locks. Physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.

A

Physical controls

3
Q

Controls implemented through policy and procedure. Includes access control processes and requiring multiple people to conduct a specific operation. Often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for new users that requires login and approval by the hiring manager.

A

Administrative controls

4
Q

Often performed with automated tools that review the org's IT environment for known vulnerabilities, cataloging them and often sending alerts for any detection. This method detects only known vulnerabilities.

A

Vulnerability assessment

5
Q

External: the tester has no access, and it's not safe.

Simulates an external attack and tests the org's security defenses.

A

Penetration testing

6
Q

financial fraud

A

COSO

7
Q

Publishes the Risk IT framework, connecting risk management from a strategic perspective with risk-related IT management.

A

ISACA

8
Q

SP 800-37 is extremely influential and important in how US federal government agencies address risk.

A

NIST

9
Q

Both discuss risk from a holistic org perspective and specifically as related to IT security; also endorsed by the European Union Agency for Network and Information Security as a means of managing risk.

A

ISO risk framework

standard 27001, ENISA

10
Q

Created by Microsoft; a threat classification system used to inform software developers during the development process.

A

STRIDE

11
Q

Threat where the attacker poses as an entity other than themselves, often as an authorized user.

A

spoofing identity

12
Q

Attacker attempts to modify the target data in an unauthorized way.

A

tampering with data

13
Q

An attacker who is a participant in a transaction can deny or conceal their participation in that transaction.

A

repudiation

14
Q

Can include both inadvertent release of data (an authorized user gives it to the attacker accidentally) and malicious access to data, where the attacker gains unauthorized access.

A

information disclosure

15
Q

An attack on the availability aspect of the CIA triad: creating a situation in the target where authorized users cannot access the system/app/data.

A

Denial of Service DoS

16
Q

When an attacker not only gains access to the target but attains a level of control with which to completely disable/destroy the entire target system.

A

elevation of privilege

17
Q

Applicable list of security and privacy controls. One series is only required to be followed by federal agencies in the US. It can be applied to any kind of org, as the methods and concepts are universal.

A

ISO 27001/27002

18
Q

Created by ISACA to maintain and document enterprise IT security functions for an org. Uses a governance and process perspective for resource management, and it is intended to address IT performance, security operations, risk management, and regulatory compliance.

A

COBIT

19
Q

Can generally be rated according to three factors: impact, likelihood, and exposure

A

risk assessment

20
Q

The damage/harm/seriousness caused if the risk is realized. Can be measured monetarily, as an effect on health and human safety, and/or by the criticality of the affected asset to the org. The BIA is an excellent tool for assessing impact.

A

impact

21
Q

Probability, or the measure of the possibility that the risk will be realized. This is a form of prediction.

A

likelihood

22
Q

Establishing the realistic potential for the org to face certain types of threats.

A

exposure

23
Q

Typically split into two categories; candidates should understand these for the purpose of adhering to the CBK.

A

Risk analysis

24
Q

Used when the org does not have sufficient time, budget, or personnel trained in this to put toward the effort. Rated High-Med-Low.

A

Qualitative

25
Q

Should produce objective, discrete numeric values. An org should opt for this when it has sufficient time, budget, and trained personnel to put toward the effort.

A

Quantitative

26
Q

remains after the security controls are put into place

A

residual risk

27
Q

Parties must establish a mutual understanding of exactly what will be provided, under which terms, and at what times; includes a detailed description of both performance and security functions. Defines the minimum requirements and codifies provision. Includes a discrete objective.

A

SLA

28
Q

Adherence to a mandate regardless of its source: the action on the part of the org to fulfill the mandate, and the tools, processes, and documentation that demonstrate adherence.

A

compliance

29
Q

The right of a human being to control the manner and extent to which information about him or her is distributed. Mandates take all forms: contractual, regulatory, and customary.

A

privacy

30
Q

tools, processes, and activities used to perform compliance reviews

A

audits

31
Q

legal concept pertaining to the duty owed by a provider to a customer.

A

due care

32
Q

Activity used to demonstrate or provide due care: reviewing vendors and suppliers for adequate provision of security measures; proper review of personnel before granting access to the org's data or before hiring.

A

due diligence

33
Q

Is publishing a policy an insufficient form of due diligence?

A

True: to meet the legal duty, an org must also have a documented monitoring and enforcement capability in place and active to ensure the org is adhering to the policy.

34
Q

Contract between the entities that issue credit cards in the US and the merchant entity that accepts the cards as payment.

A

PCI-DSS

35
Q

are set by government bodies

A

regulations

36
Q

EU law addressing personal privacy, deeming it an individual human right. Associated with IT and data security around the world, influencing laws in many other countries and regions.

A

General Data Protection Regulation - GDPR

37
Q

American federal law that affects medical providers and includes stipulations regarding the collection and dissemination of health-related personal info, referred to in the Act and the industry as electronic protected health information (ePHI).

A

HIPAA - Health Insurance Portability and Accountability Act

38
Q

Federal US law that allowed banks to merge with insurance providers and includes protection, collection, and dissemination requirements for the personal information of individual account holders.

A

Gramm-Leach-Bliley Act - GLBA

39
Q

Created by the US Congress as a response to a series of dramatic frauds committed by publicly traded corps in the 1990s. Contains security, privacy, and availability requirements of great interest to IT security practitioners, as the resulting industry standards (SSAE 16), created as a mechanism for SOX audits, have been accepted.

A

SOX

40
Q

Severely restricts privacy data collection and dissemination and requires intense security for such data.

A

Canada's Personal Information Protection and Electronic Documents Act - PIPEDA

41
Q

US national law applicable only to federal government agencies; requires all covered entities to comply with NIST guidance and standards for securing IT environments under those agencies' control. Related: FedRAMP - Federal Risk and Authorization Management Program.

A

Federal info systems management act - FISMA

42
Q

Intangible assets can include proprietary material such as software owned by the org. Proprietary software is licensed between the vendor and the customer through an agreement codifying the terms (price, duration, number of copies) that govern the use of the software.

A

intellectual property - IP

43
Q

Tools that often create an additional layer of access control within the org for those files/data sets that contain proprietary material.

A

DRM

44
Q

Access controls follow the protected material wherever the material goes.

A

persistency

45
Q

The solution is subject to a centralized administrative function that allows the owner of the IP to update and modify permissions as necessary.

A

dynamic policy control

46
Q

The solution should recognize a time limit on permissions for specific data sets/files.

A

automatic expiration

47
Q

The solution should ensure that every protected element (each file or data set) is able to recognize and annotate access events (open/view/run/copy, etc.) on itself and maintain that record.

A

continuous audit trail

48
Q

The solution should function properly within the environment of whoever is running the DRM and work in concert with that org's existing access control methodologies and tools. The DRM solution can integrate with the org's file structure, email, etc.

A

interoperability

49
Q

A multilateral export control program in which 41 participating countries agree not to distribute or export certain technologies, including both weapons and, of more concern to our field, cryptographic tools, to regions where an accumulation of these materials might disturb the local balance of power between nation-states.

A

Wassenaar agreement

50
Q

Expressly intended to prevent the personal data of EU citizens from going to any country that does not have a national personal privacy law in accordance with EU law in terms of breadth and individual protection. The US does not adhere to this.

A

GDPR

51
Q

Voluntary US program for American companies that want to do business involving the processing of privacy data of EU citizens; a voluntary mechanism for US companies to agree to follow EU data protection law.

A

Privacy Shield

52
Q

Any data about a human being that could be used to identify that person, such as name, tax ID number, SSN, home address, mobile telephone number, specific computer data (MAC address, IP of machine), credit card number, bank account number, facial photo.

A

PII - personally identifiable information

53
Q

Creates or collects the data; is legally responsible for the protection of the data in their control and liable for any unauthorized release of the data.

A

data owner/controller

54
Q

Person/role within the org who usually manages the data on a day-to-day basis on behalf of the data owner/controller. Could be a DBA, a system admin, or anyone with privileged access to the system or data set.

A

data custodian

55
Q

Employee signs a formal agreement not to make any unauthorized disclosure of any of the org's proprietary/sensitive info, both during and after the term of employment.

A

Non-disclosure agreement - NDA

56
Q

Actions, processes, and tools ensuring an org can continue critical operations during a contingency.

A

Business continuity - BC

57
Q

Efforts are those tasks and activities required to bring an org back from contingency operations and reinstate the needs of the org.

A

Disaster recovery -DR

58
Q

Measure of how long an org can survive an interruption of critical functions; if exceeded, the org will no longer be a viable unit.

A

Max allowable downtime - MAD

59
Q

Target time set for recovering from any interruption; must necessarily be less than MAD. Senior management sets this based on their knowledge of the needs of the org. A goal for recovering availability of the critical path. This is a temporary state the org will endure until it can return to normal.

A

Recovery time objective - RTO

60
Q

How much data an org can lose before it is no longer viable. Senior management sets this.

A

Recovery point objective - RPO

61
Q

Effort to determine the value of each asset belonging to the org, as well as the potential risk of losing assets, the threats likely to affect the org, and the potential for common threats to be realized.

A

Business impact analysis -BIA