Domain 1 - Security and Risk

Question 1

An emphasis on confidentiality can affect which other part of the CIA triad?

Answer 1

Availability. The data is harder to access.

Question 2

What is cryptanalysis?

Answer 2

Attacks on encryption.

Question 3

What is data in use?

Answer 3

Live data on your screen.

Question 4

What is the opposite of the CIA triad?

Answer 4

DAD

Disclosure
Alteration
Destruction

Question 5

A focus on integrity can cause what part of the CIA triad to suffer?

Answer 5

Availability

Question 6

A focus on availability can cause what part of the CIA triad to suffer?

Answer 6

Confidentiality and Integrity

Question 7

What does IAAA stand for?

Answer 7

Identification,
Authentication
Authorization,
Accountability

Question 8

What is Type 1 Authentication?

Answer 8

Something you know.

Passwords, Pass phrases, PIN, etc..

Question 9

What is Type 2 Authentication?

Answer 9

Something you have.

Your ID, smartcard, token, cookie, etc.

Question 10

What is Type 3 Authentication?

Answer 10

Something you are.

fingerprint reader, iris scan, palm print, etc.

Question 11

What is “Authorization”

Answer 11

Assignment of access to objects.

RBAC, MAC, DAC, etc.

Question 12

What is the need to know security governance principal?

Answer 12

Even when you have access, if you do not need to know then you should not access the data.

Question 13

What do “subjects” do?

Answer 13

They are usually users or programs and they manipulate objects.

Question 14

Who manages security governance?

Answer 14

C-level executives, board of directors, owners, etc.

Question 15

What is management’s job in security governance?

Answer 15

Implementing standards, policies, and procedures to meet the governance requirements.

Question 16

What are some examples of governance standards and control frameworks?

Answer 16

PCI-DSS, ISO 27001, HITRUST, COBIT, etc…

Question 17

What is criminal law?

Answer 17

Society is the victim, Proof must be beyond a reasonable doubt.

Question 18

What is Civil Law (Tort Law)

Answer 18

Individuals, groups, or organizations are the victims. Proof must be the majority of proof.

Question 19

What is Administrative Law?

Answer 19

Laws enacted by government bodies. FDA Laws, HIPAA, FAA, etc.

Question 19

What are Private Regulations?

Answer 19

PCI DSS by the credit card industry

Question 20

What is real evidence?

Answer 20

Tangible objects (drives, USB drives, etc.)

Question 21

What is direct evidence?

Answer 21

Testimony from first hand witnesses

Question 22

What is hearsay?

Answer 22

Not first-hand knowledge. Normally inadmissible

Question 23

What evidence should you provide to a court first?

Answer 23

Your best evidence. It should be complete, accurate, relevant, and authentic.

Question 24

What evidence should be supplied to the court as secondary evidence?

Answer 24

IT Logs and documents from the system.

Question 25

How do you prove evidence integrity in court?

Answer 25

Hashes, forensics, etc.

Question 26

What does the fourth amendment protect the people from?

Answer 26

Unreasonable search and seizure by the government. This can only be ignored in certain cases like human life or threat of destroying evidence.

Question 27

What is Entrapment?

Answer 27

When someone is persuaded to commit a crime that they has no intention of committing.

Question 28

What is Enticement?

Answer 28

Making committing a crime more enticing, but the person has already broken the law or at least has decided to do so.

Question 29

How long does copyright last?

Answer 29

70 years after creator's death or 95 years for creation by corporations.H

Question 30

How long do trademarks last?

Answer 30

Ten years

Question 31

How long to patents last?

Answer 31

Twenty years?

Question 32

Can cryptographic algorithms be patented?

Answer 32

Yes

Question 33

Are security breach notification laws federal?

Answer 33

No, each state has their own rules.

Question 34

What is the Electronic communications Privacy Act?

Answer 34

It protects against warrantless wiretapping, but it was weakened by the patriot act.

Question 35

What is the Patriot Act?

Answer 35

Expands Law Enforcement's electronic monitoring connectivity.

Question 36

What is the Computer Fraud and Abuse Act?

Answer 36

Most commonly used to prosecute computer crimes.

Question 37

What is the Gramm-Leach-Bliley act?

Answer 37

applies to financial institutions driven by federal financial institutions.

Question 38

What is the GDPR?

Answer 38

Data protection law for all people who live in the EU or EEA. It covers everyone regardless of citizenship.

Question 39

Does GDPR have the right to be forgotten?

Answer 39

Yes.

Question 40

What are legacy EU laws that should be noted?

Answer 40

EU Data Protection Directive EU-US Safe Harbor Privacy Shield

Question 40

What are the organization for economic cooperation and development privacy guidelines

Answer 40

30 member nations including the US that provide guidelines on the protection of privacy and transborder flows of personal data.

Question 41

What is the Wassenaar Arrangement?

Answer 41

41 member countries. Details export and import controls for conventional arms, but has details on cryptography.

Question 42

What is the ISC2 code of ethics preamble?

Answer 42

The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere to the highest ethical standards. Therefore, strict adherence to this code is a condition of certification.

Question 43

What is the ISC2 code of ethics cannons

Answer 43

Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession.

Question 44

What is the "Mission" in governance?

Answer 44

Motivation or purpose

Question 45

What are strategic plans?

Answer 45

Long-term, reviewed annually, 3 - 5 years

Question 46

What are tactical plans?

Answer 46

1 year, projects, hiring, budgets, etc.

Question 47

What are operational plans?

Answer 47

High detail, updated frequently

Question 48

What are policies?

Answer 48

Mandatory, high-level, non-specific. They use language like "strong encryption".

Question 49

What are standards?

Answer 49

Describes a specific use of technology. For example, laptop specs for the enterprise.

Question 50

What are Guidelines?

Answer 50

Not mandatory. They are recommendations.

Question 51

What are procedures?

Answer 51

Low level step by step guides for how to complete a task. Very specific.

Question 52

What does user awareness accomplish?

Answer 52

Change user behavior.

Question 53

What does user training accomplish?

Answer 53

Provides user with a skillset.

Question 54

What are administrative controls?

Answer 54

Policies, procedures, training, awareness, regulation (HIPAA)

Question 55

What are examples of corrective access controls?

Answer 55

Anti-Virus, Patches, IPS

Question 56

What are examples of recovery access controls

Answer 56

DR, Backups, High Availability

Question 57

What is the equation for risk?

Answer 57

Threat x vulnerability

Question 58

What is the equation for risk with impact?

Answer 58

Threat x vulnerability x impact

Question 59

What is the equation for total risk?

Answer 59

Threat x vulnerability x asset value

Question 60

What is the definition of exposure factor in quantitative risk analysis?

Answer 60

It is the percentage of asset loss.

Question 61

What is the definition of Single Loss Expectancy in quantitative risk analysis?

Answer 61

It is the cost if "it" happens once

Question 62

What is the definition of Annual Rate of Occurrence in quantitative risk analysis?

Answer 62

How often will "it" happen in a year

Question 63

What is the definition of Annualized Loss Expectancy in quantitative risk analysis?

Answer 63

It is the cost per year if we do NOTHING

Question 64

What is NIST 800-30

Answer 64

A nine step process for risk management

Question 65

What is a Key Goal Indicator (KGI)?

Answer 65

Measured after the fact as to whether an IT process has achieved its business requirements.

Question 66

What is a Key Performance Indicator (KPI)?

Answer 66

Defines measures that determines how well the process is performing.

Question 67

What is a Key Risk Indicator (KRI)?

Answer 67

Measures risks that the organization is facing or how risky and activity is. Measures adherence to risk appetite Can be used as an early warning sign

Question 68

What are RACI charts stand for?

Answer 68

Responsible Accountable Consulted Informed

Question 69

What is the definition of governance?

Answer 69

Ensures IT goals aligns with business objectives

Question 70

What is the definition of Compliance?

Answer 70

Conforming with a stated requirement such as a laws, regulations, auditing, monitoring, ethics, privacy, etc..

Question 71

What is NIST 800-53?

Answer 71

Provides detailed security controls for US federal systems. Provides guidance and a comprehensive risk based approach.

Question 72

What are control families?

Answer 72

Focus on a specific aspect of security and privacy.

Question 73

What are control classes?

Answer 73

management, operational, and technical

Question 74

What are baseline controls?

Answer 74

The minimum level of security in a system.

Question 75

What is a grey hat hacker?

Answer 75

They look for vulnerabilities in code, systems, or products

Question 76

What is a bot?

Answer 76

A computer system that has been infected by malware.

Question 77

What is a botnet?

Answer 77

a command and control network of bots. can be hundreds of thousands

Question 78

What is voice phishing over voip?

Answer 78

Vishing

Question 79

What should a change of senior leadership invoke in the BCP?

Answer 79

A BCP review with the new leadership

Question 80

What is the most important part of the BCP?

Answer 80

The Business Impact Analysis (BIA)

Question 81

What is Maximum Tolerable Downtime?

Answer 81

The total amount of time a system can be inoperable before the organization is severely impacted.

Question 82

What is the Work Recovery Time?

Answer 82

The amount of time required to configure a recovered system.

Question 83

What is mean time between failures?

Answer 83

How long a new or repaired system or component will function on average?

Question 84

What is the mean time to repair?

Answer 84

How long will it take to recover a failed system

Question 85

What is the minimum operating requirements

Answer 85

The minimum requirements for our critical systems to function

Question 86

What are external dependencies?

Answer 86

All third party services.