Domain 1: (Security and Risk Management) Flashcards by Elijah Turner

When evaluating a third party for your security integration, what should you consider?

On-site assessment
Document exchange and review
Process/policy review
Third-party audit

How well did you know this?

Not at all

Perfectly

What are the six phases of the RMF?

Categorize
Select
Implement
Assess
Authorize
Monitor

How well did you know this?

Not at all

Perfectly

What was designed for critical infrastructure and commercial orgs?

Cybersecurity framework

How well did you know this?

Not at all

Perfectly

What are the five functions of the cybersecurity framework?

Identify
Protect
Detect
Respond
Recover

How well did you know this?

Not at all

Perfectly

What was crafted by the British gov, is a set of recommended best practices for optimization of IT services, and is used as a starting point for a customized IT security solution?

ITIL

How well did you know this?

Not at all

Perfectly

Describe due diligence.

Establishing a plan, policy, and process to protect the interests of an org.
Knowing what should be done and planning for it
Developing a formalized security structure

How well did you know this?

Not at all

Perfectly

Describe due care.

Practicing the individual activities that maintain the policies, plans, and processes implemented
The continued application of the security structure onto the IT infrastructure of an org
Doing the right action at the right time

How well did you know this?

Not at all

Perfectly

What contains prohibitions against acts such as murder, assault, robbery, and arson?

Criminal law

How well did you know this?

Not at all

Perfectly

What type of laws create the framework of government, budgets for governmental activities and lay out the authority granted to the executive branch to create administrative laws?

Civil law

How well did you know this?

Not at all

Perfectly

What type of laws are in the form of executive orders, policies, procedures, and regulations that govern the daily operations of the agency and is published in the Code of Federal Regulations (CFR).

Administrative law

How well did you know this?

Not at all

Perfectly

What act protects computers used by the gov or the interstate commerce from a variety of abuses?

Computer fraud and abuse act CFAA

How well did you know this?

Not at all

Perfectly

What act makes it a crime to invade the electronic privacy of an individual?

Electronic communications privacy act ECPA

How well did you know this?

Not at all

Perfectly

What requires senior executives to take personal responsibility for ensuring the due care that ordinary, individuals would exercise in the same situation?

Prudent person rule

How well did you know this?

Not at all

Perfectly

What standard is required for use in federal computing systems and also used as a industry cybersecurity benchmark?

NISP SP 800-53

How well did you know this?

Not at all

Perfectly

What standard is commonly used with enforcing compliance with contractual requirements for federal contractors ?

NIST SP 800-171

How well did you know this?

Not at all

Perfectly

What is a set of standards designed to serve as a risk-based framework for securing information and systems?

NIST Cybersecurity Framework

How well did you know this?

Not at all

Perfectly

What was created to protect copy-prevention mechanisms placed on digital media?

DMCA, Digital Millennium Copyright Act

How well did you know this?

Not at all

Perfectly

What is the best way to protect computer software?

Trade secret protection

How well did you know this?

Not at all

Perfectly

What was enacted in support and protection of companies with trade secrets?

Economic Espionage Act of 1996

How well did you know this?

Not at all

Perfectly

What type of licensing is commonly found for high-priced or highly specialized software ?

Contractual license agreements

How well did you know this?

Not at all

Perfectly

What license is commonly used on the outside of software packaging and agreement is acknowledged by breaking the seal on the package ?

Shrink-wrap license agreements

How well did you know this?

Not at all

Perfectly

What type of agreement is accepted by clicking an acknowledgment button when installing software ?

Click-through license agreements

How well did you know this?

Not at all

Perfectly

What type of agreement is more extreme than click-through agreements and users are known for accidentally accepting without reading the terms ?

Cloud services license agreements

How well did you know this?

Not at all

Perfectly

What law mandates that agencies maintain only records that are necessary for conducting their business and to destroy those records when no longer needed ?

Privacy Act of 1974

How well did you know this?

Not at all

Perfectly

What makes it a crime to invade the electronic privacy of an individual Broadens the Federal Wiretap Act Makes it illegal to monitor mobile telephone conversations

ECPA, Electronic communications privacy act of 1986

What amended the ECPA of 1986 Requires all communications carriers to make wiretaps possible for law enforcement with appropriate court order

CALEA, Communications assistance for law enforcement act of 1994

What requires strict security measures for orgs that process and store medical information?

HIPPA, Health insurance portability and accountability act of 1996

What updated the HIPPA’s privacy and security requirements through the HIPPA Omnibus Rule in 2013 Covers entities that experience a data breach must notify affected individuals

HITECH Health Information Technology for Economic and Clinical Health Act of 2009

What law protects children and require: Websites to have a privacy notices of information they collect Parents must be provided the opportunity to review any info collected Parents must give verifiable consent to the collection of info

COPPA Children’s Online Privacy Protection Act of 1998

What law required financial institutions to provide written privacy policies to all their customers?

Gramm-Leach-Bliley Act of 1999

What law allows authorities to obtain a blanket authorization for a person to monitor all communications under warrant Broadens the powers of law enforcements and intelligence agencies Allows the gov to obtain info on user activity through subpoena

The Patriot Act

What law protects: Parents/Students to inspect any educational records maintained by an institution Parents/Students can request correction of records they think are erroneous Schools may not release personal info from student records without written consent

FERPA Family Educational Rights and Privacy Act

What is required to perform an operational/administrative investigation?

A root cause analysis

What identifies the business process and tasks that are critical to an organization’s viability and the threats posed to those resources ?

BIA Business impact analysis

What describes the maximum length of time a business function can tolerate a disruption before suffering irreparable harm?

MTD/MTO Maximum tolerable downtime

What describes the point in time before the incident where the org should be able to recover data ?

Recovery Point Objective RPO

What reflects the criticality of the BCP to the organization’s viability and commonly takes the form of a letter?

Statement of Importance

What reflects a list of business functions considered critical to continued business ops in a prioritized order?

Statement of priorities

What comes from a senior level executive, can come in the same letter as the statement of importance, expresses the responsibility of everyone for business viability?

Statement of Organizational Responsibility

What expresses the critically of implementing a BCP, outlines the implementation of one, and should include a detailed implementation timeline ?

Statement of Urgency and Timing

What should be included in a BCP Documentation?

Continuity Planning Goals Statement of Importance Statement of Priorities Statement of Organizational Responsibility Statement of Urgency and Timing Risk Assessment Risk Acceptance/Mitigation Vital Records Program Emergency Response Guidelines Maintenance Testing and Exerciese

What are the essential elements of proving a candidate is adequate, qualified, and trustworthy?

Background checks Reference checks Education verification Security clearance validation

What was developed by Microsoft for assessing threats against applications or OSs?

STRIDE Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege

What describes the goal of gaining access to a system through the use of a falsified identity?

Spoofing

What is a risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected?

PASTA Process for Attack Simulation and Threat Analysis

What are the seven stages of PASTA?

Stage I: Definition of Objectives for the Analysis of Risks Stage II: Definition of the Technical Scope Stage III: Application Decomposition and Analysis Stage IV: Threat Analysis Stage V: Weakness and Vulnerability Analysis Stage VI: Attack Modeling & Simulation Stage VII: Risk Analysis & Management

What concept has the goal of integrating threat and risk management into an Agile programming environment?

VAST Visual Agile Simple Threat

What provides a flexible rating solution that is based on the answers to five main questions about each threat?

DREAD Damage Potential Reproducibility Exploitability Affected Users Discoverability

What is an open-source threat modeling process that implements a requirements model?

TRIKE

What is an IT Mangement and Government security control framework crafted by the ISACA for mapping IT security ideals to business objectives?

COBIT

What are the six key principles of COBIT?

Provide Stakeholder Value Holistic Approach Dynamic Governance System Governance Distinct from Management Tailored to Enterprise Needs End-to-End Governance System

What are the five key concepts in a reduction analysis?

Trust Boundaries Dataflow Paths Input Points Privilege Operations Details about Security Stance and Approach

What are examples of administrative controls?

Policies, procedures, hiring practices, data classifications and labeling, reports and reviews, testing

What are examples of logical/technical controls?

Encryption, firewalls, protocols, clipping levels, IDSs

What are examples of physical controls?

Guards, motion detectors, lights, badges, swipe cards, alarms, access control vestibules

What are the security control types?

Preventative, Deterrent, Detective, Compensating, Corrective, Recovery, Directive

What are examples of preventive controls?

Access control vestibules, data loss prevention, antimalware, separation of duties, fences, locks, pen testing

What are examples of deterrent controls?

Locks, fences, security badges, guards, security-awareness training

What are examples of detective controls?

Job rotation, mandatory vacations, audit trails, violation reports, incident investigations

What are examples of compensating controls?

Disaster recovery plan

What are examples of recovery controls?

Hot, warm, and cold sites, system imaging, server clustering, database and virtual machine shadowing, service bureaus, cloud providers

What are examples of directive controls?

Posted notifications, escape route exit signs, monitoring, supervision, and procedures

What control is an extention of corrective controls?

Recovery controls

What control modifies the environment to return systems to normal?

Corrective controls

What control directs, confines, or control the actions of subjects?

Directive controls

What control is deployed to discourage violation of security policies?

Deterrent controls

What control is deployed to thwart or stop unwanted or unauthorized activity from occuring?

Preventative controls

What control provides options to other existing controls?

Compensating controls

What are the business continuity planning issues that pertain to information security?

Strategy development Provisions and processes Plan approval Plan implementation Training and education