Domain 1: (Security and Risk Management) Flashcards
When evaluating a third party for your security integration, what should you consider?
On-site assessment
Document exchange and review
Process/policy review
Third-party audit
What are the six phases of the RMF?
Categorize
Select
Implement
Assess
Authorize
Monitor
What was designed for critical infrastructure and commercial orgs?
Cybersecurity framework
What are the five functions of the cybersecurity framework?
Identify
Protect
Detect
Respond
Recover
What was crafted by the British gov, is a set of recommended best practices for optimization of IT services, and is used as a starting point for a customized IT security solution?
ITIL
Describe due diligence.
Establishing a plan, policy, and process to protect the interests of an org.
Knowing what should be done and planning for it
Developing a formalized security structure
Describe due care.
Practicing the individual activities that maintain the policies, plans, and processes implemented
The continued application of the security structure onto the IT infrastructure of an org
Doing the right action at the right time
What contains prohibitions against acts such as murder, assault, robbery, and arson?
Criminal law
What type of laws create the framework of government, budgets for governmental activities, and lay out the authority granted to the executive branch to create administrative laws?
Civil law
What type of laws are in the form of executive orders, policies, procedures, and regulations that govern the daily operations of the agency and are published in the Code of Federal Regulations (CFR)?
Administrative law
What act protects computers used by the gov or in interstate commerce from a variety of abuses?
Computer fraud and abuse act CFAA
What act makes it a crime to invade the electronic privacy of an individual?
Electronic communications privacy act ECPA
What requires senior executives to take personal responsibility for ensuring the due care that ordinary individuals would exercise in the same situation?
Prudent person rule
What standard is required for use in federal computing systems and also used as an industry cybersecurity benchmark?
NIST SP 800-53
What standard is commonly used for enforcing compliance with contractual requirements for federal contractors?
NIST SP 800-171
What is a set of standards designed to serve as a risk-based framework for securing information and systems?
NIST Cybersecurity Framework
What was created to protect copy-prevention mechanisms placed on digital media?
DMCA, Digital Millennium Copyright Act
What is the best way to protect computer software?
Trade secret protection
What was enacted in support and protection of companies with trade secrets?
Economic Espionage Act of 1996
What type of licensing is commonly found for high-priced or highly specialized software?
Contractual license agreements
What license is commonly printed on the outside of software packaging, with agreement acknowledged by breaking the seal on the package?
Shrink-wrap license agreements
What type of agreement is accepted by clicking an acknowledgment button when installing software?
Click-through license agreements
What type of agreement is more extreme than click-through agreements and is known for users accidentally accepting it without reading the terms?
Cloud services license agreements
What law mandates that agencies maintain only records that are necessary for conducting their business and destroy those records when no longer needed?
Privacy Act of 1974
What makes it a crime to invade the electronic privacy of an individual?
Broadens the Federal Wiretap Act
Makes it illegal to monitor mobile telephone conversations
ECPA, Electronic communications privacy act of 1986
What amended the ECPA of 1986?
Requires all communications carriers to make wiretaps possible for law enforcement with appropriate court order
CALEA, Communications assistance for law enforcement act of 1994
What requires strict security measures for orgs that process and store medical information?
HIPAA, Health Insurance Portability and Accountability Act of 1996
What updated HIPAA's privacy and security requirements through the HIPAA Omnibus Rule in 2013?
Covered entities that experience a data breach must notify affected individuals
HITECH
Health Information Technology for Economic and Clinical Health Act of 2009
What law protects children and requires:
Websites to have privacy notices describing the information they collect
Parents must be provided the opportunity to review any info collected
Parents must give verifiable consent to the collection of info
COPPA
Children’s Online Privacy Protection Act of 1998
What law requires financial institutions to provide written privacy policies to all their customers?
Gramm-Leach-Bliley Act of 1999
What law allows authorities to obtain a blanket authorization to monitor all of a person's communications under warrant?
Broadens the powers of law enforcement and intelligence agencies
Allows the gov to obtain info on user activity through subpoena
The Patriot Act
What law protects:
Parents/Students may inspect any educational records maintained by an institution
Parents/Students can request correction of records they think are erroneous
Schools may not release personal info from student records without written consent
FERPA
Family Educational Rights and Privacy Act
What is required to perform an operational/administrative investigation?
A root cause analysis
What identifies the business processes and tasks that are critical to an organization's viability and the threats posed to those resources?
BIA
Business impact analysis
What describes the maximum length of time a business function can tolerate a disruption before suffering irreparable harm?
MTD/MTO
Maximum tolerable downtime
What describes the point in time before the incident where the org should be able to recover data?
Recovery Point Objective
RPO
What reflects the criticality of the BCP to the organization’s viability and commonly takes the form of a letter?
Statement of Importance
What reflects a list of business functions considered critical to continued business ops in a prioritized order?
Statement of priorities
What comes from a senior-level executive, can come in the same letter as the statement of importance, and expresses the responsibility of everyone for business viability?
Statement of Organizational Responsibility
What expresses the criticality of implementing a BCP, outlines the implementation of one, and should include a detailed implementation timeline?
Statement of Urgency and Timing
What should be included in BCP documentation?
Continuity Planning Goals
Statement of Importance
Statement of Priorities
Statement of Organizational Responsibility
Statement of Urgency and Timing
Risk Assessment
Risk Acceptance/Mitigation
Vital Records Program
Emergency Response Guidelines
Maintenance
Testing and Exercises
What are the essential elements of proving a candidate is adequate, qualified, and trustworthy?
Background checks
Reference checks
Education verification
Security clearance validation
What was developed by Microsoft for assessing threats against applications or OSs?
STRIDE
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
What describes the goal of gaining access to a system through the use of a falsified identity?
Spoofing
What is a risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected?
PASTA
Process for Attack Simulation and Threat Analysis
What are the seven stages of PASTA?
Stage I: Definition of Objectives for the Analysis of Risks
Stage II: Definition of the Technical Scope
Stage III: Application Decomposition and Analysis
Stage IV: Threat Analysis
Stage V: Weakness and Vulnerability Analysis
Stage VI: Attack Modeling & Simulation
Stage VII: Risk Analysis & Management
What concept has the goal of integrating threat and risk management into an Agile programming environment?
VAST
Visual
Agile
Simple
Threat
What provides a flexible rating solution that is based on the answers to five main questions about each threat?
DREAD
Damage Potential
Reproducibility
Exploitability
Affected Users
Discoverability
What is an open-source threat modeling process that implements a requirements model?
TRIKE
What is an IT Management and Governance security control framework crafted by ISACA for mapping IT security ideals to business objectives?
COBIT
What are the six key principles of COBIT?
Provide Stakeholder Value
Holistic Approach
Dynamic Governance System
Governance Distinct from Management
Tailored to Enterprise Needs
End-to-End Governance System
What are the five key concepts in a reduction analysis?
Trust Boundaries
Dataflow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach
What are examples of administrative controls?
Policies, procedures, hiring practices, data classifications and labeling, reports and reviews, testing
What are examples of logical/technical controls?
Encryption, firewalls, protocols, clipping levels, IDSs
What are examples of physical controls?
Guards, motion detectors, lights, badges, swipe cards, alarms, access control vestibules
What are the security control types?
Preventative, Deterrent, Detective, Compensating, Corrective, Recovery, Directive
What are examples of preventive controls?
Access control vestibules, data loss prevention, antimalware, separation of duties, fences, locks, pen testing
What are examples of deterrent controls?
Locks, fences, security badges, guards, security-awareness training
What are examples of detective controls?
Job rotation, mandatory vacations, audit trails, violation reports, incident investigations
What are examples of compensating controls?
Disaster recovery plan
What are examples of recovery controls?
Hot, warm, and cold sites, system imaging, server clustering, database and virtual machine shadowing, service bureaus, cloud providers
What are examples of directive controls?
Posted notifications, escape route exit signs, monitoring, supervision, and procedures
What control is an extension of corrective controls?
Recovery controls
What control modifies the environment to return systems to normal?
Corrective controls
What control directs, confines, or controls the actions of subjects?
Directive controls
What control is deployed to discourage violation of security policies?
Deterrent controls
What control is deployed to thwart or stop unwanted or unauthorized activity from occurring?
Preventative controls
What control provides options to other existing controls?
Compensating controls
What are the business continuity planning issues that pertain to information security?
Strategy development
Provisions and processes
Plan approval
Plan implementation
Training and education