Domain 1 - Security and Risk Management Flashcards

1
Q

What is the NIST Risk Management Publication?

A

NIST 800-30

2
Q

What is the ISO standard for risk management?

A

ISO 27005

3
Q

What is water holing?

A

Either creating many websites with names similar to a legitimate one, or an attacker infecting websites that are frequented by members of the group being targeted.

4
Q

What is data diddling?

A

The act of modifying information, programs or documents to commit fraud; tampering with input data.

5
Q

What is COSO?

A

Develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. These are goals for the entire organization.

6
Q

What is COBIT?

A

Created by ISACA, COBIT allows practitioners to govern and manage IT holistically, bridging the gap between business requirements, control needs and technical issues. TL;DR: IT governance.

7
Q

What is OCTAVE?

A

Self Directed Risk Management.

8
Q

What is ISO 27799?

A

Directives on how to protect PHI (Protected Health Information)

9
Q

What are the PCI-DSS principles?

A
  1. Build and Maintain a Secure Network and Systems
  2. Protect Account Data (stored data and cryptography of data in transit)
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

10
Q

Which CSA Star Level requires 3rd party certification?

A

Star Level 2

11
Q

Which CSA Star Level has continuous auditing?

A

Star Level 3

12
Q

Which CSA Star Level(s) have continuous self assessment?

A

Star Level 1 Continuous and Star Level 2 Continuous

13
Q

Which CSA Star Level is only self-assessment?

A

Star Level 1

14
Q

What does the Computer Security Act (CSA) focus on?

A

Creating computer security plans and ensuring adequate training of system users and owners where the systems would hold sensitive information.

15
Q

What is the purpose of CALEA?

A

A communications-assistance law that aids the lawful interception of communications.

16
Q

What is COPPA?

A

Children's Online Privacy Protection Act. Applies to those collecting information on children under 13 years of age. It restricts marketing, and operators must obtain consent and display a privacy policy.

17
Q

What law protects against espionage?

A

The Economic Espionage Act (EEA) 1996.

18
Q

Who are exempted from the DMCA?

A

Nonprofit organisations such as libraries and schools.

19
Q

What are the requirements of FISMA?

A
  • Deployment of risk assessments
  • Development and maintenance of an information assurance program, with an IT security architecture and framework
  • Conducting security training
  • Periodic testing and evaluation
  • Security awareness programs
20
Q

The following example would be what kind of security document:
“All users must choose a long passphrase that will be changed annually”

A

This would exist in a high level policy.

21
Q

The following example would be what kind of security document:
“SoE must be Windows 11 and use AES 128-bit key encryption”

A

This would exist in a standard.

22
Q

The following example would be what kind of security document:
“Use AES for encryption”

A

This would be a baseline, as it does not define what key length is required, leaving it somewhat discretionary for users.

23
Q

What is the NIST 800-53?

A

This is Security and Privacy Controls for Information Systems and Organizations, which provides detailed security controls for US federal systems. Rev 5 also provides privacy controls and covers supply chain and insider threat.

24
Q

What is the NIST 800-37?

A

This is the Risk Management Framework for Information Systems and Organizations.

25
Q

What are the steps in the NIST Cyber Security Framework?

A
  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover
26
Q

What is another name of a bot?

A

Zombie

27
Q

Who can complain about Canon I and II?

A

Any member of the general public may file a complaint for Canon I or II.

28
Q

Who can complain about Canon III?

A

Any principal that has an employer/contractor relationship with the certificate holder.

29
Q

Who can complain about Canon IV?

A

Any other professional who also subscribes to a code of ethics.

30
Q

What may be compromised if we over-subscribe to confidentiality?

A

Availability may be impacted

31
Q

What may happen if we overprotect integrity?

A

Availability may be impacted as well.

32
Q

What are the three types of plans that a security planning team develops?

A
  1. Strategic Plan (3-5 years)
  2. Tactical Plan (1 year plan)
  3. Operational Plan (updated frequently)
33
Q

What types of entities does HIPAA regulate?

A

HIPAA regulates three types of entities—healthcare providers, health information clearinghouses, and health insurance plans—as well as the business associates of any of those covered entities.

34
Q

What 3 rules does HIPAA have?

A
  1. Privacy Rule
  2. Security Rule
  3. Breach Notification Rule
35
Q

What are the controls of Crime Prevention Through Environmental Design (CPTED)?

A
  1. Natural access control
  2. Natural Surveillance
  3. Territorial Reinforcement