Domain 1: Security and Risk Management

Question 1

Audit/Auditing

Answer 1

The tools, processes, and activities used to perform compliance reviews.

Question 2

Availability

Answer 2

Ensuring timely and reliable access to and use of information by authorized users.

Usability, Accessibility, Timeliness
sy. 7

Question 3

Business Continuity(BC)

Answer 3

Actions, processes, and tools for ensuring an organization can continue critical operations during a contingency.

the Business …Continues

Question 4

Business impact analysis(BIA)

Answer 4

An analysis that identifies the resources that are critical to an organization’s ongoing viability and the threats posed to those resources. It also
assesses the likelihood that each threat will actually occur and the impact those occurrences
will have on the business. Aka business impact analysis (BIA).

Question 5

Compliance

Answer 5

Adherence to a mandate; both the actions demonstrating adherence and the tools, processes, and documentation that are used in adherence.

Question 6

Confidentiality

Answer 6

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
sy. 5

What is meant to be secret, stays secret

Question 7

Data subject

Answer 7

The individual human related to a set of personal data.

The subject of the data

Question 8

Disaster recovery(DR)

Answer 8

Those tasks and activities required to bring an organization back from contingency operations and reinstate regular operations.

Question 9

Due care

Answer 9

A legal concept pertaining to the duty owed by a provider to a customer.

practicing the individual activities that maintain the due diligence effort.

Question 10

Due diligence

Answer 10

Actions taken by a vendor to demonstrate/provide due care.

establishing a plan, policy, and process to protect the interests of an organization.

Question 11

Governance

Answer 11

The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles. and procedures the organization uses to make those decisions.

Question 12

Governance committee

Answer 12

A formal body of personnel who determine how decisions will be made within the organization and the entity that can approve changes and exceptions to current relevant governance.

Question 13

Guidelines

Answer 13

Suggested practices and expectations of activity to best accomplish tasks and attain goals.

Question 14

Integrity

Answer 14

Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.

Reliability and correctness
sy. 5

Question 15

Intellectual Property

Answer 15

Intangible assets (notably, includes software and data).

Question 16

Maximum allowable downtime(MAD)

Answer 16

The measure of how long an organization can survive an interruption of critical functions. [also known as maximum tolerable downtime(MTD)]

our maximum allowable destruction

Question 17

Personally Identifiable information (PII)

Answer 17

Any data about a human being that could be used to identify that person.

Question 18

Policy

Answer 18

Documents published and promulgated by senior management dictating and describing the organization’s strategic goals.

Less Granular, Intention towards security

Question 19

Privacy

Answer 19

The right of human individual to control the distribution of information about themselves.

Question 20

Procedures

Answer 20

Explicit, repeatable activities to accomplish a specific task. Procedures can address one-time or infrequent actions or common, regular occurrences.

Question 21

Recovery time objective (RTO)

Answer 21

The target time set for recovering from any interruption

Question 22

Residual Risk

Answer 22

The risk remaining after security controls have been put in place as a means of risk mitigation.

Risk that remains

Question 23

Risk

Answer 23

The possibility of damage or harm and the likelihood that damage or harm will be realized.

Question 24

Risk Acceptance

Answer 24

Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.

Question 25

Risk avoidance

Answer 25

Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.

Question 26

Risk mitigation

Answer 26

Putting security controls in place to attenuate the possible impact or likelihood, or both, of a specific risk.

Question 27

Risk transference

Answer 27

Paying an external party to accept the financial impact of a given risk.

Question 28

Security control framework

Answer 28

A notional construct outlining the organization’s approach to security, including a list of specific security processes, procedures. and solutions used by the organization.

Security solution and management method connected.

Question 29

Security governance

Answer 29

The entirety of the policies, roles. and processes the organization uses to make security decisions in an organization.

Question 30

Standards

Answer 30

Specific mandates explicitly stating expectations of performance or conformance.

Question 31

Sensitivity

Answer 31

refers to the quality of information, which could cause harm or damage if disclosed.
sy. 5

Question 32

Discretion

Answer 32

is the act of decision where an operator can influence or control disclosure in order to minimize harm or damage.
sy. 5

Question 33

Criticality

Answer 33

the level to which information is mission critical is its measure of criticality.
sy. 5

Question 34

Concealment

Answer 34

the act of hiding or preventing disclosure.
sy. 5

Question 35

Secrecy

Answer 35

the act of keeping something a secret or preventing the disclosure of information.
sy. 5

Question 36

Privacy

Answer 36

refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to some if revealed.
sy. 5

Question 37

Seclusion

Answer 37

involves storing something in an out-of-the-way location, likely with strict access control.
sy. 5

Question 38

Isolation

Answer 38

keeping something separated from others
sy. 5

Question 39

DAD Triad

Answer 39

Disclosure, Alteration, and Destruction

sy. 8

Question 40

Authenticity

Answer 40

Security concept that data is authentic or genuine and originates from its alleged source
sy. 8

Question 41

Nonrepudiation

Answer 41

ensures that the subject of an activity or who cause an event cannot deny that the event occurred.

sy. 8

Question 42

Identification

Answer 42

a subject must perform identification to start the process of auth, authz, and accountability
sy. 9

Question 43

Authorization

Answer 43

ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity.

sy. 10

Question 44

Defense in depth

Answer 44

Layering, mulitple controls in a series.
sy. 11

Question 45

Abstraction

Answer 45

for efficiency, similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.

Object Oriented programming
Sy. 12

Question 46

Data hiding

Answer 46

preventing data from being discovered or access by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject.

Can’t see or access the data - Steganography
sy. 12

Question 47

Security Boundary

Answer 47

the line of intersection between any two areas, subnets, or environments that have different security needs or requirements.

Policy should state where one controls ends and another begins
sy. 13

Question 48

Third-Party Governance

Answer 48

the system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements.

Verify compliance, know an org’s requirements to fulfill

Question 49

Documentation review

Answer 49

process of reading the exchanged materials and verifying them against standards and expectations.

sy. 15

Question 50

Security management planning ensures proper creation, implementation, and enforcement of a ______

Answer 50

Security policy

sy. 17

Question 51

A _____ ____ is usually documented argument or state position in order to define a need to make a decision to take some form of action.

Answer 51

Business case

Sy. 17

Question 52

The best security plan is useless without one key factor _____.

Answer 52

Senior management approval, understanding the risks, exposures for which security policy is deployed.

sy. 18

Question 53

Developing a security policy is evidence of ____ and ____.

Answer 53

Due Diligence and Due Care, without either senior management can be held liable for negligence and accountable for asset and financial loss.

sy. 18

Question 54

Strategic Plan

Answer 54

Long-term plan that is fairly stable

sy. 18

Question 55

Tactical Plan

Answer 55

midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan.

sy. 18

Question 56

Operational Plan

Answer 56

short-term, highly detailed plan based on the strategic and tactical plans.

sy. 19

Question 57

Service Level requirement (SLR)

Answer 57

a statement of the expectations of service and performance from the product or service of a vendor.
sy. 20

Question 58

Asset Owner

Answer 58

the person how is responsible for classifying information for placement and protection within the security solution.
sy. 21

Question 59

Data custodian

Answer 59

the user who is responsible for the tasks of implementing the prescribed protections defined by the security policy and senior management.
sy. 21

Custodians clean Data and secure locks

Question 60

Control Objectives for Information and Related Technologies (COBIT)

Answer 60

Documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA).
Sy. 22
Controls orbit our technologies

Question 61

NIST 800-53 v5

Answer 61

Security and Privacy Controls for Information Systems and Organizations.
Government sourced general recommendations for security.
Sy. 22

Question 62

NIST Risk Management Framework (RMF)

and it’s 5 functions

Answer 62

U.S. government guide for establishing and maintaining security crafted by the National Institute of Standards and Technology (NIST) that
establishes mandatory requirements for federal agencies. Aka NIST Risk Management
Framework (RMF).

Identify, Protect, Detect, Respond, and Recover

Question 63

NIST Cybersecurity Framework (CSF)

+ Five Stages

Answer 63

U.S. government guides for establishing and maintaining
security crafted by National Institute of Standards and Technology (NIST), which is designed for
critical infrastructure and commercial organizations. Aka NIST Cybersecurity Framework (CSF).
Identify, Protect, Detect, Respond, and Recover.

Question 64

International Organization for Standardization (ISO)/ International Electrotechnical Commission(IEC) 27000

Answer 64

International standard that can be the basis of implementing organizational security and related management practices.

Question 65

Operational Security

Answer 65

The continued maintenance of due care and due diligence

Question 66

Standards

Answer 66

Compulsory requirements for the homogenous use of hardware, software, technology, and security controls.

Standards a REQUIRED to be followed for use

Question 67

Baseline

Answer 67

Minimum level of security that every system throughout the organization must meet.

sy 25

Question 68

Guideline

Answer 68

Recommendations on how standards and baselines are implemented and serves as an operational guide for security professionals and users.

sy 25

Question 69

Procedures

Answer 69

detailed, step by step hot to document that describes the exact actions necessary to implement a specific security control, mechanism, or solution.

sy 25

Question 70

Threat Modeling

Answer 70

Security Process where potential threats are identified, categorized, and analyzed. Priority can be determined in which defenses to build controls around.

Question 71

Reduction Analysis

Answer 71

gain a greater understanding of the logic of the product, its internal components, as well as its interactions with external elements.

Question 72

Steps of Decomposition Process

Answer 72

Trust boundaries, where levels of security changes
dataflow paths, movement of data between locations
input points, where external input is received
Privileged operations, any activity that requires greater privileges, making changes to security or system changes.
Details of security stance, mapping to security policy and assumptions

Question 73

Supply Chain Risk Management

Answer 73

ensures that all vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements.

Question 74

Risk Management

Answer 74

detail process of identifying factors that could damage or disclose assets, evaluating those factors in light of asset value and countermeasure cost, and implementing cost effective solutions for minimizing risk.

Question 75

Risk assessment/analysis

Answer 75

examination of an environment for risks, evaluating each threat event as its likelihood of occurring and the severity of the damage it would cause if it did occur.

Question 76

Risk Response

Answer 76

evaluating countermeasures, safegaurds, and security controls using cost benefit analysis; adjusting findings based on the conditions, concerns, priorities, and resources and providing proposal of response options.

How we evaluate and respond to risk

Question 77

Single-loss expectancy (SLE)

Answer 77

percentage of loss that an organization would experience if a specific asset were violated by a realized risk.

SLE = Asset Value * Exposure Factor

Question 78

Exposure factor

Answer 78

the percentage of loss that an organization would experience if a specific asset were violated by a realized risk

Loss Potential

the factor of something being exposed! How much loss

Question 79

Annualized Rate of Occurrence

Answer 79

expected frequency with which a specific threat or risk will occur

Question 80

Annualized Loss Expectancy

Answer 80

the possible yearly loss of all instances of a specific realized threat against a specific asset.

ALE = ARO * SLE (ale is arousal)

Question 81

Administrative controls

Answer 81

are the policies and procedures defined by an organization’s security policy and other regulations or requirements.

managerial/procedural/management controls

Question 82

Logical controls

Answer 82

involves the hardware or software mechanisms used to manage access and provide protection for IT resources and systems.

Technical controls

Question 83

Security Control Assessment (SCA)

Answer 83

the formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectation

Question 84

Risk register

Answer 84

a document that inventories all the identified risks to an organization or system or within an individual project.

Question 85

Typo Squating

Answer 85

trying to redirect traffic when a user mistypes the domain name or ip address of an intended resources.

Question 86

Five stages of business impact analysis

Answer 86

Identification of Priorities, Risk identification, likelihood assessment, impact analysis, and resource prioritization

How would I evaluate Impact? Find the prorities, determine the risks, how likely would those risks happens, what would be the impact of those risks, and how would you prioritize resources to combat it.

Question 87

Civil Law

Answer 87

Designed to provide for an orderly society and govern matters that are not crimes but require an impartial arbiter

Question 88

Administrative law

Answer 88

Executive orders, policies, procedures, and regulations that govern the daily operations of the executive branch agency

Question 89

Computer Fraud and abuse act

Answer 89

first major legislation of computer cyber-specific crime
Built as part of the Comprehensive Crime Control Act of 1984

Doesn’t say Cyber, must be old

Question 90

Comprehension Crime Control Act

Answer 90

covered computer crimes that crossed state boundaries to avoid infringing on states’ rights and treading constitutional thin ice

Basic unauthorized access, using computers for fraud, damaging federal computer systems,

Question 91

National Information Infrastructure Protection Act of 1996

Answer 91

a set of amendments to the Computer fraud and abuse act that computer use to international and commercial use, and Industrial infrastructure (gas, trains, electric grids)

Key word: Infrastructure

Question 92

Digital Millennium Copywright Act (DMCA)

Answer 92

prohibition of attempts to circumvent copywrite protection mechanisms placed on a protected work by the copywrite holder.

World Intellectual Property Organization

ISPs are not liable for the traffic done by a user

Question 93

Trade secrets

Answer 93

intellectual property that if disclosed would cause significant damage

coca-cola recipe

Question 94

Electronic communications privacy act of 1986

Answer 94

makes it a crime to invade the electronic privacy of an individual

Question 95

Communication assistance for law enforcement act 1994

Answer 95

Amended Electronics communications privacy act to make wiretapping for law enforcement with an appropriate court order

Question 96

Economic Espionage Act of 1996

Answer 96

Extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial of corporate espionage.

Question 97

Health Insurance Portability and Accountability Act of 1996

Answer 97

Clearly defines the rights of individuals who are the subject of medical records and organizations that maintain such records to disclose these rights.

Question 98

ISO 27001

Answer 98

Establishes the guidelines for implementing an information security
management system (ISMS). It is the foundation of numerous other ISO standards, many
of which are within the ISO 27000 family group. It prescribes that management perform a
systematized evaluation of an organization’s assets and threats (i.e., risk assessment), then
design and implement a security response strategy to address the identified risks and adopt
an ongoing management, oversight, and governance process to maintain and improve the
security infrastructure over time.

Question 99

ISO 27002

Answer 99

Prescribes best practices for the implementation and use of security controls
within each of the 14 control groups from ISO 27001. ISO 27002 is effectively an extension
of ISO 27001.

Question 100

ISO 27701

Answer 100

An extension of ISO 27001 that focuses on privacy. It describes how to establish and maintain a privacy information management system (PIMS). It includes guidance on
implementing compliance with a range of privacy regulations, including General Data Protection Regulation (GDPR).

Question 101

ISO 31000

Answer 101

A family of standards and guidelines for implementing a risk management–
based security program