Domain 1: Review Questions Flashcards
The Security and Risk Management domain encompasses many of the foundational elements of security solutions.
Confidentiality, integrity, and availability are typically viewed as the primary goals and objectives of a security infrastructure. Which of the following is not considered a violation of confidentiality?
A. Stealing passwords using a keystroke logging tool
B. Eavesdropping on wireless network communications
C. Hardware destruction caused by arson
D. Social engineering that tricks a user into providing personal information to a false website
C. Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include stealing passwords, eavesdropping, and social engineering.
Security governance requires a clear understanding of the objectives of the organization as the core concepts of security. Which of the following contains the primary goals and objectives of security?
A. A network’s border perimeter
B. The CIA Triad
C. AAA services
D. Ensuring that subject activities are recorded
B. The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad.
The other options are incorrect. A security infrastructure needs to establish a network’s border perimeter security, but that is not a primary goal or objective of security. AAA services are a common component of secured systems, which can provide support for accounting, but the primary goals of security remain the elements of the CIA Triad. Ensuring that subject activities are recorded is the purpose of auditing, but that is not a primary goal or objective of security.
Jamie recently discovered an attack taking place against his organization that prevented employees from accessing critical records. What element of the CIA Triad was violated?
A. Identification
B. Availability
C. Encryption
D. Layering
B. Availability means that authorized subjects are granted timely and uninterrupted access to objects.
Identification is claiming an identity, the first step of AAA services. Encryption is protecting the confidentiality of data by converting plaintext into ciphertext. Layering is the use of multiple security mechanisms in series.
Emma is concerned that the recent breach of personal health information in a large healthcare corporation may affect her, but she has not yet been notified by the company that was breached. Emma, a resident of the state of Alabama, is researching the various laws under which she should be legally notified of the breach. Which of the following relevant laws or regulations dictates the timeframe under which she should be notified of the data breach of her PHI?
A. California Consumer Privacy Act (CCPA)
B. Health Information Technology for Economic and Clinical Health (HI-TECH) Act
C. General Data Protection Regulation (GDPR)
D. Federal Information Security Management Act (FISMA)
B. Emma should be notified of the breach under the Health Information Technology for Economic and Clinical Health (HI-TECH) Act, which expands HIPAA regulations to include breach notification. As a resident of the state of Alabama, neither the California Consumer Privacy Act (CCPA), which protects residents of the state of California, nor the General Data Protection Regulation (GDPR), which protects citizens of the European Union, applies to her. FISMA is a federal regulation requiring government agencies to manage risk and implement security controls.
You have been tasked with crafting a long-term security plan that is fairly stable. It needs to define the organization’s security purpose. It also needs to define the security function and align it with the goals, mission, and objectives of the organization. What are you being asked to create?
A. Tactical plan
B. Operational plan
C. Strategic plan
D. Rollback plan
C. A strategic plan is a long-term plan that is fairly stable. It defines the organization’s security purpose. It defines the security function and aligns it with the goals, mission, and objectives of the organization.
The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based on unpredicted events. An operational plan is a short-term, highly detailed plan based on strategic and tactical plans. It is valid or useful only for a short time. A rollback plan is a means to return to a prior state after a change does not meet expectations.
Annaliese’s organization is undergoing a period of increased business activity where they are conducting a large number of mergers and acquisitions. She is concerned about the risks associated with those activities. Which of the following are examples of those risks? (Choose all that apply.)
A. Inappropriate information disclosure
B. Increased worker compliance
C. Data loss
D. Downtime
E. Additional insight into the motivations of inside attackers
F. Failure to achieve a sufficient return on investment (ROI)
A, C, D, F. Acquisitions and mergers place an organization at an increased level of risk. Such risks include inappropriate information disclosure, data loss, downtime, and failure to achieve a sufficient return on investment (ROI). Increased worker compliance is not a risk, but a desired security precaution against the risks of acquisitions. Additional insight into the motivations of inside attackers is not a risk, but a potential result of investigating breaches or incidents related to acquisitions.
Which security control framework is a set of security standards and requirements designed to ensure the protection of sensitive credit card and debit card information?
A. ITIL
B. ISO 27000
C. PCI DSS
D. CSF
C. Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards and requirements designed to ensure the protection of sensitive credit card and debit card information.
The other options are incorrect. Information Technology Infrastructure Library (ITIL) was initially crafted by the British government for domestic use but is now an international standard: a set of recommended best practices for core IT security and operational processes, often used as a starting point for crafting a customized IT security solution. ISO 27000 is a family of international security standards that can serve as the basis for implementing organizational security and related management practices. The NIST Cybersecurity Framework (CSF) is designed for critical infrastructure and commercial organizations and consists of five functions: Identify, Protect, Detect, Respond, and Recover. It prescribes operational activities to be performed on an ongoing basis to support and improve security over time.
Which is the opposite of disclosure?
A. Integrity
B. Availability
C. Confidentiality
D. Authorization
C. The opposite of disclosure is confidentiality. The opposite of corruption is integrity. The opposite of destruction is availability. The opposite of disapproval is authorization.
Which of the following controls is an administrative control?
A. Security policy
B. CCTV
C. Data backups
D. Locks
A. A security policy is an administrative control. CCTV and locks are physical controls. Data backups are a technical control.
What is a vulnerability?
A. The entity that carries out a threat
B. The exposure of an organizational asset to losses
C. An absence or a system weakness that can be exploited
D. A control that reduces risk
C. A vulnerability is the absence of a countermeasure, or a weakness in a countermeasure that is in place. A threat occurs when a vulnerability is identified or exploited. A threat agent is the entity that carries out a threat. Exposure occurs when an organizational asset is exposed to losses. A countermeasure or safeguard is a control that reduces risk.
Which framework uses the six communication questions (what, where, when, why, who, and how) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual)?
A. Six Sigma
B. SABSA
C. ITIL
D. ISO/IEC 27000 series
B. SABSA uses the six communication questions (what, where, when, why, who, and how) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual). Six Sigma is a process improvement standard that includes two project methodologies that were inspired by Deming’s Plan–Do–Check–Act cycle. ITIL is a process management development standard that has five core publications: ITIL Service Strategy, ITIL Service Design, ITIL Service Transition, ITIL Service Operation, and ITIL Continual Service Improvement. The ISO/IEC 27000 Series includes a list of standards, each of which addresses a particular aspect of information security management.
Which group of threat agents includes hardware and software failure, malicious code, and new technologies?
A. Human
B. Natural
C. Environmental
D. Technical
D. Technical threat agents include hardware and software failure, malicious code, and new technologies.
Human threat agents include both malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel. Natural threat agents include floods, fires, tornadoes, hurricanes, earthquakes, or other natural disasters or weather events. Environmental threat agents include power and other utility failure, traffic issues, biological warfare, and hazardous material issues (such as spillage).
Which term indicates the monetary impact of each threat occurrence?
A. Annual Rate of Occurrence (ARO)
B. Annual Loss Expectancy (ALE)
C. Exposure Factor (EF)
D. Single Loss Expectancy (SLE)
D. Single loss expectancy (SLE) indicates the monetary impact of each threat occurrence.
Annualized rate of occurrence (ARO) is the estimate of how often a given threat might occur in a year. Annual loss expectancy (ALE) is the expected monetary loss from a given threat over one year. Exposure factor (EF) is the percentage of an asset's value or functionality that will be lost when a threat event occurs.
What is risk avoidance?
A. Risk that is left over after safeguards have been implemented
B. Terminating the activity that causes a risk or choosing an alternative that is not as risky
C. Passing the risk on to a third party
D. Defining the acceptable risk level the organization can tolerate and reducing the risk to that level
B. Risk avoidance is terminating the activity that causes a risk or choosing an alternative that is not as risky.
Residual risk is risk that is left over after safeguards have been implemented. Risk transfer is passing the risk on to a third party. Risk mitigation is defining the acceptable risk level the organization can tolerate and reducing the risk to that level.
Which of the following security policies provides instruction on acceptable and unacceptable activities?
A. Informative security policies
B. Regulatory security policies
C. System-specific security policies
D. Advisory security policies
D. Advisory security policies provide instruction on acceptable and unacceptable activities. Informative security policies provide information on certain topics and act as an educational tool. Regulatory security policies address specific industry regulations, including mandatory standards. System-specific security policies address security for a specific computer, network, technology, or application.
Which organization role determines the classification level of the information to protect the data for which that role is responsible?
A. Data owner
B. Data custodian
C. Security administrator
D. Security analyst
A. The data owner determines the classification level of the information to protect the data for which that role is responsible.
The data custodian implements the information classification and controls after they are determined. The security administrator maintains security devices and software. The security analyst analyzes the security needs of the organization and develops the internal information security governance documents.
Which type of crime occurs when a computer is used as a tool to help commit a crime?
A. Computer-assisted crime
B. Incidental computer crime
C. Computer-targeted crime
D. Computer prevalence crime
A. A computer-assisted crime occurs when a computer is used as a tool to help commit a crime.
An incidental computer crime occurs when a computer is involved in a computer crime without being the victim of the attack or the attacker. A computer-targeted crime occurs when a computer is the victim of an attack whose sole purpose is to harm the computer and its owner. A computer prevalence crime occurs because computers are so widely used in today’s world.
Which access control type reduces the effect of an attack or another undesirable event?
A. Compensative control
B. Preventive control
C. Detective control
D. Corrective control
D. A corrective control reduces the effect of an attack or other undesirable event.
A compensative control substitutes for a primary access control and mainly acts as a mitigation of risk. A preventive control prevents an attack from occurring. A detective control detects an attack while it is occurring and alerts appropriate personnel.
What is the first stage of the security program life cycle?
A. Plan and Organize
B. Implement
C. Operate and Maintain
D. Monitor and Evaluate
A. Plan and Organize
The four stages of the security program life cycle, in order, are as follows:
- Plan and Organize
- Implement
- Operate and Maintain
- Monitor and Evaluate
Which of the following frameworks is a two-dimensional model that intersects communication interrogatives (what, why, where, and so on) with various viewpoints (planner, owner, designer, and so on)?
A. SABSA
B. Zachman Framework
C. TOGAF
D. ITIL
B. The Zachman Framework is a two-dimensional model that intersects communication interrogatives (what, why, where, and so on) with various viewpoints (planner, owner, designer, and so on). It is designed to help optimize communication between the various viewpoints during the creation of the security architecture.
Which management officer implements and manages all aspects of security, including risk analysis, security policies and procedures, training, and emerging technologies?
A. Data protection officer (DPO)
B. Chief financial officer (CFO)
C. Chief security officer (CSO)
D. Chief information officer (CIO)
C. The chief security officer (CSO) is the officer that leads any security effort and reports directly to the chief executive officer (CEO).
The chief privacy officer (CPO) is the officer responsible for private information and usually reports directly to the chief information officer (CIO). The chief financial officer (CFO) is the officer responsible for all financial aspects of an organization. The CFO reports directly to the CEO and must also provide financial data for the shareholders and government entities. The CIO is the officer responsible for all information systems and technology used in the organization and reports directly to the CEO or CFO.
Which of the following do organizations have employees sign to protect trade secrets?
A. Trademark
B. Patent
C. Digital Rights Management (DRM)
D. Nondisclosure agreement (NDA)
D. Most organizations that have trade secrets attempt to protect these secrets using nondisclosure agreements (NDAs). These NDAs must be signed by any entity that has access to information that is part of the trade secret.
A trademark is an intellectual property type that ensures that the symbol, sound, or expression that identifies a product or an organization is protected from being used by another. A patent is an intellectual property type that covers an invention described in a patent application and is granted to an individual or company. Digital rights management (DRM) is used by hardware manufacturers, publishers, copyright holders, and individuals to control the use of digital content. This often also involves device controls.
Which type of access control type is an acceptable use policy (AUP) most likely considered?
A. Corrective
B. Detective
C. Compensative
D. Directive
D. The most popular directive control is an acceptable use policy (AUP) that lists proper (and often examples of improper) procedures and behaviors that personnel must follow.
Corrective controls are in place to reduce the effect of an attack or other undesirable event. Examples of corrective controls include installing fire extinguishers and implementing new firewall rules.
Detective controls are in place to detect an attack while it is occurring to alert appropriate personnel. Examples of detective controls include motion detectors, IDSs, or guards.
Compensative controls are in place to substitute for a primary access control and mainly act as a mitigation of risk. Examples of compensative controls include requiring two authorized signatures to release sensitive or confidential information and requiring two keys held by different personnel to open a safety deposit box.
What is the legal term used to describe an organization taking all reasonable measures to prevent security breaches and also taking steps to mitigate damages caused by successful breaches?
A. Due care
B. Due diligence
C. Default security posture
D. Qualitative risk analysis
A. Due care is a legal term that is used when an organization took all reasonable measures to prevent security breaches and also took steps to mitigate damages caused by successful breaches.
Due diligence is a legal term that is used when an organization investigated all vulnerabilities. The default security posture is the baseline access stance an organization adopts. An allow-by-default security posture permits access to any data unless a need exists to restrict access. A deny-by-default security posture is much stricter because it denies any access that is not explicitly permitted. Qualitative risk analysis is a method of analyzing risk whereby intuition, experience, and best practice techniques are used to determine risk.