Domain 1: Security and Risk Management Flashcards

1
Q

CIA Triad

A

Confidentiality: prevent the unauthorized disclosure of information.

Integrity: prevent unauthorized modification of information; keeps data accurate

Availability: ensures that the information is available when needed

2
Q

Identity
Subjects

Objects

A

Subject: an active entity on an information system. (Doing something.)

Object: a passive data file. (What is being accessed.)

3
Q

Risks

Annualized Loss Expectancy (ALE)

Safeguard (Control)

Total Cost of Ownership (TCO)

Return on Investment (ROI)

A

Risk: the likelihood of something bad happening and the impact if it did; made up of threats (the source) and vulnerabilities (the weakness)

Annualized Loss Expectancy (ALE): the cost of loss due to a risk over a year

Safeguard (Control): a measure taken to reduce risk

Total Cost of Ownership (TCO): total cost of a safeguard/control

Return on Investment (ROI): money saved by deploying a safeguard.

4
Q

Information Security

A

Information security is managing the risks to the confidentiality, integrity, and availability of information using administrative, physical and technical controls.

5
Q

Opposite of CIA

A

Disclosure

Alteration

Destruction

6
Q

Confidentiality

A

.Prevent unauthorized access, disclosure, or read access
.Keeping data secret
.Data accessible to subjects with clearance, formal approval, and need to know.

7
Q

Integrity

A

Prevent unauthorized modification or write access.

Data integrity:

System integrity:

8
Q

Availability

A

Ensure that data is available when needed

9
Q

Risk Management

A

In order to determine risk, we must first determine what our most important (or critical) assets are.

We use safeguards (or controls) to protect our assets and mitigate (not eliminate) risk.

Risk tolerance: the amount of risk that the business is willing to tolerate (or accept).

10
Q

Privacy

A

Managing the risk to confidentiality, integrity and availability of personally identifiable information (PII) using administrative, technical and physical controls.

Privacy is not concerned with integrity and availability.

11
Q

Identity

A

A claim to be someone or something

12
Q

Authentication

A

Proof that I am who I say I am.

A subject proves its identity to another subject or object.

3 types
.Something you know: password, PIN
.Something you have: token, phone, debit card
.Something you are: biometrics

Strong multi-factor authentication: Using a combination of 2 or more factors

13
Q

Authorization

A

What actions is a subject permitted to perform?

Read, write, execute
Privileges, rights, permissions

14
Q

Rule 802

A

Hearsay Rule: second-hand information is normally inadmissible in court.

There are exceptions.

15
Q

Evidence integrity

A

Integrity of evidence is a critical forensic function.

Checksum: can ensure that no data changes occurred as a result of the acquisition and analysis.

One-way hash functions are used for this purpose.

16
Q

EU General Data Protection Regulation

A

2018
Designed to harmonise data privacy laws across Europe and give data protection rights to individuals.

Replaced the EU Data Protection Directive.

17
Q

Health Information Portability and Accountability Act

A

Passed 1996
Security Rule 2003 (HITECH)
Modified 2009
Omnibus Rule 2013

18
Q

Gramm-Leach-Bliley Act

A

GLBA

1999

Requires protection of the confidentiality and integrity of consumer financial information.

19
Q

Risk Calculations

A

Annualized Loss Expectancy (ALE) = SLE x ARO (annualized rate of occurrence)

Exposure Factor (EF) - expressed as the percentage of the asset exposed (given a threat or vulnerability)

Single Loss Expectancy (SLE) = AV (asset value) x EF

20
Q

STRIDE

A
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privileges

Threat categorization scheme developed by Microsoft.

21
Q

ISC Code of Ethics

A

I. Protect society, the common good, necessary public trust and confidence, and the infrastructure.

II. Act honorably, honestly, justly, responsibly, and legally.

III. Provide diligent and competent service to principals.

IV. Advance and protect the profession.

22
Q

Risk Management Framework (RMF) Steps

A

Prepare - to execute the RMF
Categorize - the system and information
Select - the initial set of controls
Implement - the controls
Assess - the controls to determine correctness
Authorize - the system or common controls
Monitor - the system and associated controls

23
Q

Business Continuity Plan Steps

A

Project scope and planning
.Perform a structured review of the business’s organization
.Create a BCP team
.Assess the resources available
.Analyze the legal and regulatory landscape

Business Impact Analysis
.Identify priorities
.Risk identification
.Likelihood assessment
.Impact analysis
.Resource prioritization

Continuity Planning
.Strategy development
.Provisions and processes (procedures and mechanisms)

Approval and Implementation