Domain 1: (Security and Risk Management) Flashcards

1
Q

When evaluating a third party for your security integration, what should you consider?

A

On-site assessment
Document exchange and review
Process/policy review
Third-party audit

2
Q

What are the six phases of the RMF?

A

Categorize
Select
Implement
Assess
Authorize
Monitor

3
Q

What was designed for critical infrastructure and commercial orgs?

A

Cybersecurity framework

4
Q

What are the five functions of the cybersecurity framework?

A

Identify
Protect
Detect
Respond
Recover

5
Q

What was crafted by the British government, is a set of recommended best practices for the optimization of IT services, and is used as a starting point for a customized IT security solution?

A

ITIL

6
Q

Describe due diligence.

A

Establishing a plan, policy, and process to protect the interests of an org.
Knowing what should be done and planning for it
Developing a formalized security structure

7
Q

Describe due care.

A

Practicing the individual activities that maintain the policies, plans, and processes implemented
The continued application of the security structure onto the IT infrastructure of an org
Doing the right action at the right time

8
Q

What contains prohibitions against acts such as murder, assault, robbery, and arson?

A

Criminal law

9
Q

What type of laws create the framework of government, set budgets for governmental activities, and lay out the authority granted to the executive branch to create administrative laws?

A

Civil law

10
Q

What type of laws take the form of executive orders, policies, procedures, and regulations that govern the daily operations of an agency and are published in the Code of Federal Regulations (CFR)?

A

Administrative law

11
Q

What act protects computers used by the government or in interstate commerce from a variety of abuses?

A

Computer Fraud and Abuse Act (CFAA)

12
Q

What act makes it a crime to invade the electronic privacy of an individual?

A

Electronic Communications Privacy Act (ECPA)

13
Q

What requires senior executives to take personal responsibility for ensuring the due care that ordinary individuals would exercise in the same situation?

A

Prudent person rule

14
Q

What standard is required for use in federal computing systems and is also used as an industry cybersecurity benchmark?

A

NIST SP 800-53

15
Q

What standard is commonly used for enforcing compliance with contractual requirements for federal contractors?

A

NIST SP 800-171

16
Q

What is a set of standards designed to serve as a risk-based framework for securing information and systems?

A

NIST Cybersecurity Framework

17
Q

What was created to protect copy-prevention mechanisms placed on digital media?

A

DMCA, Digital Millennium Copyright Act

18
Q

What is the best way to protect computer software?

A

Trade secret protection

19
Q

What was enacted in support and protection of companies with trade secrets?

A

Economic Espionage Act of 1996

20
Q

What type of licensing is commonly found for high-priced or highly specialized software?

A

Contractual license agreements

21
Q

What license is commonly printed on the outside of software packaging, with agreement acknowledged by breaking the seal on the package?

A

Shrink-wrap license agreements

22
Q

What type of agreement is accepted by clicking an acknowledgment button when installing software?

A

Click-through license agreements

23
Q

What type of agreement is more extreme than click-through agreements and is known for being accidentally accepted by users without reading the terms?

A

Cloud services license agreements

24
Q

What law mandates that agencies maintain only records that are necessary for conducting their business and destroy those records when they are no longer needed?

A

Privacy Act of 1974

25
Q

What makes it a crime to invade the electronic privacy of an individual?

Broadens the Federal Wiretap Act

Makes it illegal to monitor mobile telephone conversations

A

ECPA, Electronic Communications Privacy Act of 1986

26
Q

What amended the ECPA of 1986?

Requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order

A

CALEA, Communications Assistance for Law Enforcement Act of 1994

27
Q

What requires strict security measures for organizations that process and store medical information?

A

HIPAA, Health Insurance Portability and Accountability Act of 1996

28
Q

What updated HIPAA's privacy and security requirements through the HIPAA Omnibus Rule in 2013?

Covered entities that experience a data breach must notify affected individuals

A

HITECH
Health Information Technology for Economic and Clinical Health Act of 2009

29
Q

What law protects children and requires:

Websites to post privacy notices describing the information they collect

Parents must be provided the opportunity to review any info collected

Parents must give verifiable consent to the collection of info

A

COPPA
Children’s Online Privacy Protection Act of 1998

30
Q

What law requires financial institutions to provide written privacy policies to all their customers?

A

Gramm-Leach-Bliley Act of 1999

31
Q

What law allows authorities to obtain a blanket authorization under warrant to monitor all of a person's communications?

Broadens the powers of law enforcement and intelligence agencies

Allows the government to obtain information on user activity through subpoena

A

The Patriot Act

32
Q

What law grants the following protections?

Parents/students may inspect any educational records maintained by an institution

Parents/students can request correction of records they believe are erroneous

Schools may not release personal information from student records without written consent

A

FERPA
Family Educational Rights and Privacy Act

33
Q

What is required to perform an operational/administrative investigation?

A

A root cause analysis

34
Q

What identifies the business processes and tasks that are critical to an organization's viability and the threats posed to those resources?

A

BIA
Business impact analysis

35
Q

What describes the maximum length of time a business function can tolerate a disruption before suffering irreparable harm?

A

MTD/MTO
Maximum tolerable downtime

36
Q

What describes the point in time before the incident to which the organization should be able to recover data?

A

Recovery Point Objective
RPO

37
Q

What reflects the criticality of the BCP to the organization’s viability and commonly takes the form of a letter?

A

Statement of Importance

38
Q

What lists, in prioritized order, the business functions considered critical to continued business operations?

A

Statement of priorities

39
Q

What comes from a senior-level executive, can be included in the same letter as the statement of importance, and expresses everyone's responsibility for business viability?

A

Statement of Organizational Responsibility

40
Q

What expresses the criticality of implementing a BCP, outlines its implementation, and should include a detailed implementation timeline?

A

Statement of Urgency and Timing

41
Q

What should be included in BCP documentation?

A

Continuity Planning Goals
Statement of Importance
Statement of Priorities
Statement of Organizational Responsibility
Statement of Urgency and Timing
Risk Assessment
Risk Acceptance/Mitigation
Vital Records Program
Emergency Response Guidelines
Maintenance
Testing and Exercises

42
Q

What are the essential elements of proving a candidate is adequate, qualified, and trustworthy?

A

Background checks
Reference checks
Education verification
Security clearance validation

43
Q

What was developed by Microsoft for assessing threats against applications or operating systems?

A

STRIDE
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

44
Q

What describes the goal of gaining access to a system through the use of a falsified identity?

A

Spoofing

45
Q

What is a risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected?

A

PASTA
Process for Attack Simulation and Threat Analysis

46
Q

What are the seven stages of PASTA?

A

Stage I: Definition of Objectives for the Analysis of Risks
Stage II: Definition of the Technical Scope
Stage III: Application Decomposition and Analysis
Stage IV: Threat Analysis
Stage V: Weakness and Vulnerability Analysis
Stage VI: Attack Modeling & Simulation
Stage VII: Risk Analysis & Management

47
Q

What concept has the goal of integrating threat and risk management into an Agile programming environment?

A

VAST
Visual
Agile
Simple
Threat

48
Q

What provides a flexible rating solution that is based on the answers to five main questions about each threat?

A

DREAD
Damage Potential
Reproducibility
Exploitability
Affected Users
Discoverability

49
Q

What is an open-source threat modeling process that implements a requirements model?

A

TRIKE

50
Q

What is an IT management and governance security control framework crafted by ISACA for mapping IT security ideals to business objectives?

A

COBIT

51
Q

What are the six key principles of COBIT?

A

Provide Stakeholder Value
Holistic Approach
Dynamic Governance System
Governance Distinct from Management
Tailored to Enterprise Needs
End-to-End Governance System

52
Q

What are the five key concepts in a reduction analysis?

A

Trust Boundaries
Dataflow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach

53
Q

What are examples of administrative controls?

A

Policies, procedures, hiring practices, data classifications and labeling, reports and reviews, testing

54
Q

What are examples of logical/technical controls?

A

Encryption, firewalls, protocols, clipping levels, IDSs

55
Q

What are examples of physical controls?

A

Guards, motion detectors, lights, badges, swipe cards, alarms, access control vestibules

56
Q

What are the security control types?

A

Preventative, Deterrent, Detective, Compensating, Corrective, Recovery, Directive

57
Q

What are examples of preventive controls?

A

Access control vestibules, data loss prevention, antimalware, separation of duties, fences, locks, pen testing

58
Q

What are examples of deterrent controls?

A

Locks, fences, security badges, guards, security-awareness training

59
Q

What are examples of detective controls?

A

Job rotation, mandatory vacations, audit trails, violation reports, incident investigations

60
Q

What are examples of compensating controls?

A

Disaster recovery plan

61
Q

What are examples of recovery controls?

A

Hot, warm, and cold sites, system imaging, server clustering, database and virtual machine shadowing, service bureaus, cloud providers

62
Q

What are examples of directive controls?

A

Posted notifications, escape route exit signs, monitoring, supervision, and procedures

63
Q

What control is an extension of corrective controls?

A

Recovery controls

64
Q

What control modifies the environment to return systems to normal?

A

Corrective controls

65
Q

What control directs, confines, or controls the actions of subjects?

A

Directive controls

66
Q

What control is deployed to discourage violation of security policies?

A

Deterrent controls

67
Q

What control is deployed to thwart or stop unwanted or unauthorized activity from occurring?

A

Preventative controls

68
Q

What control provides options to other existing controls?

A

Compensating controls

69
Q

What are the business continuity planning issues that pertain to information security?

A

Strategy development
Provisions and processes
Plan approval
Plan implementation
Training and education