Domain 1 Security and Risk Management

Question 1

Vulnerability

Answer 1

A vulnerability is a weakness in a system that can be exploited, such as software bugs, hardware flaws, or procedural gaps.

Question 2

Threat

Answer 2

A threat is a potential danger that exploits a vulnerability, while a
threat agent is the entity that actually exploits the vulnerability.

Question 3

Risk

Answer 3

Risk is the probability of a threat exploiting a vulnerability and the
impact it would have on the business.

Question 4

exposure

Answer 4

An exposure is when an organization is open to potential losses due to vulnerabilities.

Question 5

Control or Countermeasures

Answer 5

Controls or countermeasures are action taken to mitigate risks, such as firewalls, password management, and security training.

Question 6

Name the three Control Types

Answer 6

● Administrative: Management-oriented like security policies, risk
management, and training.
● Technical: Hardware or software like firewalls, Intrusion Detection
System(IDS), encryption, and authentication mechanisms.
● Physical: Protect facilities and resources with measures like locks,
security guards, and CCTV.

Question 7

Defense in Depth

Answer 7

Layered security approach to reduce the success of attacks.
- Multilayered defenses increase the difficulty for attackers to access
critical assets.
- Layers include various physical and technical controls based on asset sensitivity.
- Security Layers: Network Layer Security, Platform Layer Security, Application Layer Security, Data Layer Security, Response Layer Mechanism

Question 8

Control Functionalities
Preventive

Answer 8

Avoid incidents (e.g., policies, hiring practices, encryption).

Question 9

Control Functionalities
Detective

Answer 9

Identify incidents or intruders (e.g., auditing logs).

Question 10

Control Functionalities
Corrective

Answer 10

Fix issues after an incident (e.g., reloading computer images).

Question 11

Control Functionalities
Deterrent

Answer 11

Discourage potential attacks (e.g., visible CCTV).

Question 12

Control Functionalities
Recovery

Answer 12

Return to normal operations (e.g., data backup systems).

Question 13

Control Functionalities
Compensating

Answer 13

Alternative measures when primary control isn’t feasible (e.g., fence instead of security guards).

Question 14

Name three of the Frameworks that describes Security Controls Development in their Framwork.

Answer 14

Frameworks like COBIT 5, NIST SP 800-53, and COSO aim to provide
business frameworks and sets of controls for IT management, US federal systems, and internal corporate controls, respectively.

Question 15

Name three of the Frameworks that describes Process Management Development in their Framwork.

Answer 15

Frameworks such as ITIL, Six Sigma, and CMMI offer processes for IT
service management, business management strategies, and organizational development for process improvement.

Question 16

Name three of the Frameworks that describes Enterprise Architecture Development in their Framwork.

Answer 16

Organizations can follow ad hoc approaches or defined security
architectures, with frameworks like Zachman, TOGAF, DoDAF, MODAF, and SABSA providing guidelines for enterprise architectures.

Question 17

What steps involves Security Program Development?

Answer 17

Involves planning and organizing, implementing, operating, maintaining, monitoring, and evaluating. It’s supported by management and involves continuous improvement.

Question 18

What are Intrusion Detection Systems (IDS)?

Answer 18

Intrusion Detection Systems (IDS) can alert companies to breaches but may not always identify the attacker.

Question 19

Name the Law for Import/Export Legal Requirements

Answer 19

Organizations must comply with different countries’ import and export laws, like the Wassenaar Arrangement, which controls the export of dual-use goods and technologies.

Question 20

Name six types of Legal Systems (Law system)

Answer 20

Civil (Code) Law System: Rule-based, used in continental Europe.
Common Law System: Precedent-based, developed in England.
Customary Law System: Based on regional traditions and customs.
Religious Law System: Based on religious texts and beliefs.
Mixed Law System: Combination of different legal systems.
Data Protection Regulations

Question 21

Describe the Intellectual Property (IP) Law

Answer 21

Protect a company’s or individual’s creations from unauthorized use or duplication.
Companies must take reasonable steps to safeguard their Intellectual property (IP) and demonstrate due care.
Failure to protect IP adequately may lead to losing legal protection or cases such as wrongful termination suits.

Question 22

What is Software Piracy?

Answer 22

Occurs when software is used or duplicated without authorization.

Question 23

Name for typical Personally Identifiable Information (PII)

Answer 23

PII is data that can uniquely identify an individual. It’s essential to protect PII due to its use in identity theft and other crimes. Definitions of PII vary across jurisdictions and are based on risk assessments.
Typical PII includes full name, national ID numbers, IP addresses, and credit card numbers.

Question 24

Privacy Laws

Answer 24

Privacy laws have been enacted globally in response to the need for PII protection.
Examples include the U.S. Federal Privacy Act of 1974, The Gramm-
Leach-Bliley Act, and HIPAA.
Canada and New Zealand have enacted horizontal privacy laws,
addressing privacy across all sectors.

Question 25

Federal Privacy Act of 1974

Answer 25

Restricts government data collection and sharing of individual records.

Question 26

Federal Information Security Management Act of 2002

Answer 26

Requires federal agencies to implement security programs for their information systems.

Question 27

Department of Veterans Affairs Information Security Protection Act

Answer 27

Enforces additional controls and reporting for the Veterans Administration (VA) after a data breach.

Question 28

Health Insurance Portability and Accountability Act (HIPAA)

Answer 28

Sets standards for handling personal medical information.

Question 29

Health Information Technology for Economic and Clinical Health
(HITECH) Act

Answer 29

Directs Health and Human Services (HHS) to publish annual guidance
on data protection controls.
Compliance with these controls exempts organizations from reporting breaches, while non-compliance requires reporting within 60 days.
Strengthens enforcement of HIPAA rules.

Question 30

USA PATRIOT Act

Answer 30

Expands law enforcement powers for surveillance and intelligence gathering.

Question 31

Gramm-Leach-Bliley Act (GLBA)

Answer 31

Mandates financial institutions to protect customers’ personal information.

Question 32

Prescreening Personnel

Answer 32

Organizations must follow legal limitations when conducting background checks on potential employees.

Question 33

Personal Privacy Protection

Answer 33

Users are encouraged to use encryption, firewalls, and antivirus software, and to shred personal documents to protect their privacy.

Question 34

Economic Espionage Act of 1996

Answer 34

Provides structure for investigating corporate espionage.
Protects corporate IP from unauthorized exposure or theft.

Question 35

State Laws

Answer 35

Most U.S. states have laws mandating disclosure of data breaches
involving PII.
Definitions of PII and conditions for notification vary, complicating
compliance.

Question 36

Who should create Security policies?

Answer 36

Senior management or a designated body should create an overarching security policy, defining the scope and enforcement of security within the organization and addressing legal compliance.

Question 37

Definiton of Standard

Answer 37

Standards are mandatory rules that ensure uniformity in technology usage and behavior within an organization.

Question 38

Definiton of Baselines

Answer 38

Baselines are reference points establishing a minimum level of protection, which can be used to measure future changes.

Question 39

Definiton of Guidelines

Answer 39

Guidelines offer recommendations for actions when no specific standard applies, providing flexibility for unforeseen circumstances.

Question 40

Definiton of Procedures

Answer 40

Procedures are detailed instructions for achieving goals, such as
configuring systems or handling sensitive materials.

Question 41

Definiton of Implementation

Answer 41

To be effective, security policies and their supportive documents must be actively implemented and enforced, with employees made aware of expectations and consequences for noncompliance. This shows due care and prevents potential liability.

Question 42

Definiton of Risk Management

Answer 42

Involves identifying and assessing risk, reducing it to an acceptable level, and maintaining that level.
Encompasses a variety of risks, not only IT-related but also business
decisions like acquisitions and product line expansions.

Question 43

Definiton of Hollistic Risk Management

Answer 43

Often misunderstood and not sufficiently prioritized by those inside and outside the security profession.
Should be viewed as a business issue, with a focus on how risks
impact the bottom line.
Requires understanding of the context in which risk exists and a
holistic approach across all organizational tiers.

Question 44

Name the three NIST SP 800-39 RISK MANAGEMENT TIERS

Answer 44

Organizational Tier: Focuses on the business as a whole, setting risk
tolerance and framing the risk management approach.
Business Process Tier: Deals with risks to major organizational
functions and information flows.
Information Systems Tier: Focuses on information system-related
risks within the context of the broader organizational risk management

Question 45

THE RISK MANAGEMENT PROCESS (NIST SP 800-39)

Answer 45

Frame Risk: Defines the context, assumptions, constraints, priorities, and risk tolerance.
Assess Risk: Identification of threats, vulnerabilities, and potential
impacts.
Respond to Risk: Allocating resources to prioritize and implement
controls based on the risk assessment.
Monitor Risk: Ongoing monitoring to adapt to changes and ensure
control effectiveness.

Question 46

THREAT MODELING METHODOLOGIES
Attack Trees

Answer 46

Visualize multiple paths to achieve a malicious objective.
Multiple conditions (leaf nodes) lead to a single goal (root node).
Helps to identify various ways an attacker can accomplish each
objective.

Question 47

THREAT MODELING METHODOLOGIES
Reduction Analysis

Answer 47

Attack trees require significant resources; reduction analysis helps
manage
Aims to reduce the number of attacks to consider by finding
commonalities.
Identifies the most effective mitigation techniques by applying controls closer to the root node.
Controls or countermeasures are implemented to mitigate identified attacks.

Question 48

SUPPLY CHAIN RISK MANAGEMENT

Answer 48

Organizations often overlook supply chain risks, which can be exploited by attackers.
A supply chain includes all suppliers of products and services to a
company.
Different suppliers have different security perspectives and threat
models.

Question 49

Name three commonly accepted Risk Management Frameworks

Answer 49

NIST RMF (SP 800-37r1): Used by U.S. federal agencies; focuses on the
life-cycle of information systems and their certification and accreditation.
ISO 31000:2018: Focuses on managing uncertainty and its effects,
both negative and positive , across various aspects of an organization.
ISACA Risk IT: Bridges the gap between generic frameworks and ITcentricones; integrates well with COBIT.

Question 50

Disaster Recovery (DR)

Answer 50

DR focuses on minimizing the effects of a disaster and resuming
operations quickly.
-DR is IT-focused and implemented during emergency mode.

Question 51

Business Continuity Planning (BCP)

Answer 51

BCP deals with longer-term outages, keeping business going after a
disaster.
BCP includes moving to alternative environments, managing
communication, and maintaining operations.

Question 52

Standard for Disaster Recovery and Buisness Continuity Planning

Answer 52

The National Institute of Standards and Technology (NIST) and ISO
provide guidelines for BCP and BCM.
NIST SP 800-34, ISO/IEC 27031, ISO 22301, and other industry
guidelines offer frameworks for continuity planning.

Question 53

Business Continuity Management (BCM)

Answer 53

BCM is the holistic process that integrates DR and BCP.
It aims to maintain business operations under various conditions,
focusing on resilience and effective response.

Question 54

Key Components in BCM

Answer 54

Availability, integrity, and confidentiality must be maintained even after a disaster.
Plans must integrate security to protect against increased vulnerability post-disaster.

Question 55

Business Impact Analysis (BIA)

Answer 55

BIA identifies critical functions, resources, and the Maximum Tolerable Downtime (MTD) for each.
It assesses the potential impact of disruptions on business functions.
The BIA process includes interviews, data collection, risk assessment,
and establishing criticality levels.

Question 56

Risk Assessment in BCP

Answer 56

Risk assessment evaluates the potential impact and likelihood of threats.
It considers both qualitative and quantitative impacts on the business.

Question 57

PERSONNEL SECURITY

Answer 57

People are crucial to a company’s success but can also be the weakest link in security.
Security issues often arise from personnel mistakes, lack of training,
or intentional acts like fraud.
Preventive measures can reduce risks, such as hiring qualified
individuals, performing a background check, and implementing strict access controls.
Separation of duties, split knowledge, dual control, and rotation of
duties are key strategies to prevent fraud and misuse of resources.

Question 58

Due Care

Answer 58

behavioral expectations that organizations must adhere to.
e.g.
-following standards to mitigate Risks
-fix vulnerabilities

Question 59

Due Diligence

Answer 59

research necessary to make good, informed decisions
e.g.
-doing background checks on employees
-Risk assessment of physical security systems
-Testing of backup services

Question 60

Liability

Answer 60

legal responsibility for damage caused by an individual or buisness entity
e.g.
Organization must protect themselves from liability with creating policies and procedures.
Everybody must be aware of the policies & procedures

Question 61

Name the Fromular for Risk

Answer 61

Risk = Threat * Vulnerability
e.g.
Burning Company = Fire * no Fireeraser

Question 62

Risk Management Principles (Types)

Answer 62

Avoidance = too high risk and we dont start it
Mitigation = pay amount of Money to mitigate and reduce the risk
Acceptance = accept the Risk
Transfer = transfer the risk to someone else

Question 63

Name the Formular to calculate Single Lost Expectancy (SLE)

Answer 63

SLE = Asset Value * Exposure Factor

Question 64

Name the Formular to calculate Anual rate Accurancy (ARO)

Answer 64

ARO = x/n
x= how many times the event happen
n= amount of years

Question 65

Name the Formular to calculate Anual Lost Expectancy (ALE)

Answer 65

ALE = SLE * ARO

Question 66

Calculate SLE, ARO and ALE for example:
Asset Value = 100.000
Exposure Factor = 30%
amount of times that this dmg accure per year = 2

Answer 66

SLE = 100.000* 0,3 = 300.000
ARO = 2/1 = 2
ALE = 300.000 * 2 = 600.000

Question 67

Risk Analysis Quantitative vs Qualitative

Answer 67

Quantitative = A mathematical estimate based on the historical occurences of an incident
Qualitative = A best-guess estimate based on the judgement and experience of analysts

Question 68

PCI-DSS

Answer 68

PCI-DSS requires firewalls, encryption, antivirus software, physical restrictions, regular testing, and more to protect cardholder data.

Question 69

Fuzz-Testing

Answer 69

Fuzz-testing applications load tons of random input into fields.
e.g.
the name, address, phone number and so on.

Question 70

Acceptable Use Policy (AUP)

Answer 70

An AUP states practice users must agree to access the organization’s network or internet. For best security, all users must accept the AUP.