Domain 1: (Security and Risk Management) Flashcards

1
Q

When evaluating a third party for your security integration, what should you consider?

A

On-site assessment
Document exchange and review
Process/policy review
Third-party audit

2
Q

What are the six phases of the RMF?

A

Categorize
Select
Implement
Assess
Authorize
Monitor
(NIST SP 800-37 Rev. 2 adds a preliminary Prepare step, so the current RMF has seven steps.)

3
Q

What framework was designed for critical infrastructure and commercial organizations?

A

NIST Cybersecurity Framework (CSF)

4
Q

What are the five functions of the cybersecurity framework?

A

Identify
Protect
Detect
Respond
Recover
(CSF 2.0, released in 2024, adds a sixth function, Govern.)

5
Q

What was crafted by the British government, is a set of recommended best practices for the optimization of IT services, and is used as a starting point for a customized IT security solution?

A

ITIL

6
Q

Describe due diligence.

A

Establishing a plan, policy, and process to protect the interests of an org.
Knowing what should be done and planning for it
Developing a formalized security structure

7
Q

Describe due care.

A

Practicing the individual activities that maintain the policies, plans, and processes implemented
The continued application of the security structure onto the IT infrastructure of an org
Doing the right action at the right time

8
Q

What contains prohibitions against acts such as murder, assault, robbery, and arson?

A

Criminal law

9
Q

What type of laws create the framework of government, budgets for governmental activities and lay out the authority granted to the executive branch to create administrative laws?

A

Civil law

10
Q

What type of laws take the form of executive orders, policies, procedures, and regulations that govern the daily operations of an agency, and are published in the Code of Federal Regulations (CFR)?

A

Administrative law

11
Q

What act protects computers used by the government or in interstate commerce from a variety of abuses?

A

Computer Fraud and Abuse Act (CFAA)

12
Q

What act makes it a crime to invade the electronic privacy of an individual?

A

Electronic Communications Privacy Act (ECPA)

13
Q

What requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation?

A

Prudent person rule

14
Q

What standard is required for use in federal computing systems and is also used as an industry cybersecurity benchmark?

A

NIST SP 800-53

15
Q

What standard is commonly used when enforcing compliance with contractual requirements for federal contractors?

A

NIST SP 800-171

16
Q

What is a set of standards designed to serve as a risk-based framework for securing information and systems?

A

NIST Cybersecurity Framework

17
Q

What was created to protect copy-prevention mechanisms placed on digital media?

A

DMCA, Digital Millennium Copyright Act

18
Q

What is the best way to protect computer software?

A

Trade secret protection

19
Q

What was enacted in support and protection of companies with trade secrets?

A

Economic Espionage Act of 1996

20
Q

What type of licensing is commonly found for high-priced or highly specialized software?

A

Contractual license agreements

21
Q

What license is commonly printed on the outside of software packaging, with agreement acknowledged by breaking the seal on the package?

A

Shrink-wrap license agreements

22
Q

What type of agreement is accepted by clicking an acknowledgment button when installing software?

A

Click-through license agreements

23
Q

What type of agreement is more extreme than a click-through agreement, and is one that users are known to accept accidentally without reading the terms?

A

Cloud services license agreements

24
Q

What law mandates that agencies maintain only records that are necessary for conducting their business and destroy those records when no longer needed?

A

Privacy Act of 1974

25
Q

What makes it a crime to invade the electronic privacy of an individual, broadens the Federal Wiretap Act, and makes it illegal to monitor mobile telephone conversations?

A

ECPA, Electronic Communications Privacy Act of 1986

26
Q

What amended the ECPA of 1986 and requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order?

A

CALEA, Communications Assistance for Law Enforcement Act of 1994

27
Q

What requires strict security measures for organizations that process and store medical information?

A

HIPAA, Health Insurance Portability and Accountability Act of 1996

28
Q

What updated HIPAA's privacy and security requirements (implemented through the HIPAA Omnibus Rule in 2013) and requires covered entities that experience a data breach to notify affected individuals?

A

HITECH, Health Information Technology for Economic and Clinical Health Act of 2009

29
Q

What law protects children and requires:
Websites to post a privacy notice describing the information they collect
Parents to be provided the opportunity to review any information collected
Parents to give verifiable consent to the collection of information

A

COPPA, Children's Online Privacy Protection Act of 1998

30
Q

What law requires financial institutions to provide written privacy policies to all their customers?

A

Gramm-Leach-Bliley Act of 1999

31
Q

What law allows authorities to obtain a blanket authorization to monitor all of a person's communications under a single warrant, broadens the powers of law enforcement and intelligence agencies, and allows the government to obtain information on user activity through a subpoena?

A

The Patriot Act

32
Q

What law gives parents/students the right to inspect any educational records maintained by an institution and to request correction of records they think are erroneous, and prohibits schools from releasing personal information from student records without written consent?

A

FERPA, Family Educational Rights and Privacy Act
33
Q

What is required to perform an operational/administrative investigation?

A

A root cause analysis

34
Q

What identifies the business processes and tasks that are critical to an organization's viability and the threats posed to those resources?

A

BIA, Business Impact Analysis

35
Q

What describes the maximum length of time a business function can tolerate a disruption before suffering irreparable harm?

A

MTD/MTO, Maximum Tolerable Downtime / Maximum Tolerable Outage

36
Q

What describes the point in time before an incident to which the organization should be able to recover data?

A

RPO, Recovery Point Objective

37
Q

What reflects the criticality of the BCP to the organization's viability and commonly takes the form of a letter?

A

Statement of Importance

38
Q

What is a list of the business functions considered critical to continued business operations, in prioritized order?

A

Statement of Priorities

39
Q

What comes from a senior-level executive, can be included in the same letter as the Statement of Importance, and expresses that everyone is responsible for business viability?

A

Statement of Organizational Responsibility

40
Q

What expresses the criticality of implementing a BCP, outlines its implementation, and should include a detailed implementation timeline?

A

Statement of Urgency and Timing

41
Q

What should be included in the BCP documentation?

A

Continuity Planning Goals
Statement of Importance
Statement of Priorities
Statement of Organizational Responsibility
Statement of Urgency and Timing
Risk Assessment
Risk Acceptance/Mitigation
Vital Records Program
Emergency Response Guidelines
Maintenance
Testing and Exercises
42
Q

What are the essential elements of proving a candidate is adequate, qualified, and trustworthy?

A

Background checks
Reference checks
Education verification
Security clearance validation

43
Q

What was developed by Microsoft for assessing threats against applications or operating systems?

A

STRIDE:
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

44
Q

What describes the goal of gaining access to a system through the use of a falsified identity?

A

Spoofing

45
Q

What is a risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected?

A

PASTA, Process for Attack Simulation and Threat Analysis

46
Q

What are the seven stages of PASTA?

A

Stage I: Definition of Objectives for the Analysis of Risks
Stage II: Definition of the Technical Scope
Stage III: Application Decomposition and Analysis
Stage IV: Threat Analysis
Stage V: Weakness and Vulnerability Analysis
Stage VI: Attack Modeling and Simulation
Stage VII: Risk Analysis and Management

47
Q

What concept has the goal of integrating threat and risk management into an Agile programming environment?

A

VAST, Visual, Agile, and Simple Threat

48
Q

What provides a flexible rating solution based on the answers to five main questions about each threat?

A

DREAD:
Damage Potential
Reproducibility
Exploitability
Affected Users
Discoverability

49
Q

What is an open-source threat modeling process that implements a requirements model?

A

Trike

50
Q

What is an IT management and governance security control framework crafted by ISACA for mapping IT security ideals to business objectives?

A

COBIT

51
Q

What are the six key principles of COBIT?

A

Provide Stakeholder Value
Holistic Approach
Dynamic Governance System
Governance Distinct from Management
Tailored to Enterprise Needs
End-to-End Governance System

52
Q

What are the five key concepts in a reduction analysis?

A

Trust Boundaries
Dataflow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach
53
Q

What are examples of administrative controls?

A

Policies, procedures, hiring practices, data classification and labeling, reports and reviews, testing

54
Q

What are examples of logical/technical controls?

A

Encryption, firewalls, protocols, clipping levels, IDSs

55
Q

What are examples of physical controls?

A

Guards, motion detectors, lights, badges, swipe cards, alarms, access control vestibules

56
Q

What are the security control types?

A

Preventive, Deterrent, Detective, Compensating, Corrective, Recovery, Directive

57
Q

What are examples of preventive controls?

A

Access control vestibules, data loss prevention, antimalware, separation of duties, fences, locks, penetration testing

58
Q

What are examples of deterrent controls?

A

Locks, fences, security badges, guards, security-awareness training

59
Q

What are examples of detective controls?

A

Job rotation, mandatory vacations, audit trails, violation reports, incident investigations

60
Q

What are examples of compensating controls?

A

Disaster recovery plan

61
Q

What are examples of recovery controls?

A

Hot, warm, and cold sites, system imaging, server clustering, database and virtual machine shadowing, service bureaus, cloud providers

62
Q

What are examples of directive controls?

A

Posted notifications, escape route exit signs, monitoring, supervision, and procedures

63
Q

What control type is an extension of corrective controls?

A

Recovery controls

64
Q

What control type modifies the environment to return systems to normal?

A

Corrective controls

65
Q

What control type directs, confines, or controls the actions of subjects?

A

Directive controls

66
Q

What control type is deployed to discourage violation of security policies?

A

Deterrent controls

67
Q

What control type is deployed to thwart or stop unwanted or unauthorized activity from occurring?

A

Preventive controls

68
Q

What control type provides options to other existing controls?

A

Compensating controls

69
Q

What are the business continuity planning issues that pertain to information security?

A

Strategy development
Provisions and processes
Plan approval
Plan implementation
Training and education