Domain 1: Security and Risk Management Flashcards

1
Q

Audit/Auditing

A

The tools, processes, and activities used to perform compliance reviews.

2
Q

Availability

A

Ensuring timely and reliable access to and use of information by authorized users

Usability, Accessibility, Timeliness
sy. 7

3
Q

Business Continuity (BC)

A

Actions, processes, and tools for ensuring an organization can continue critical operations during a contingency.

the Business …Continues

4
Q

Business impact analysis (BIA)

A

An analysis that identifies the resources that are critical to an organization’s ongoing viability and the threats posed to those resources. It also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business. Aka business impact analysis (BIA).

5
Q

Compliance

A

Adherence to a mandate; both the actions demonstrating adherence and the tools, processes, and documentation that are used in adherence.

6
Q

Confidentiality

A

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
sy. 5

What is meant to be secret, stays secret

7
Q

Data subject

A

The individual human related to a set of personal data.

The subject of the data

8
Q

Disaster recovery (DR)

A

Those tasks and activities required to bring an organization back from contingency operations and reinstate regular operations.

9
Q

Due care

A

A legal concept pertaining to the duty owed by a provider to a customer.

practicing the individual activities that maintain the due diligence effort.

10
Q

Due diligence

A

Actions taken by a vendor to demonstrate/provide due care.

establishing a plan, policy, and process to protect the interests of an organization.

11
Q

Governance

A

The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as the policies, roles, and procedures the organization uses to make those decisions.

12
Q

Governance committee

A

A formal body of personnel who determine how decisions will be made within the organization and the entity that can approve changes and exceptions to current relevant governance.

13
Q

Guidelines

A

Suggested practices and expectations of activity to best accomplish tasks and attain goals.

14
Q

Integrity

A

Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.

Reliability and correctness
sy. 5

15
Q

Intellectual Property

A

Intangible assets (notably, includes software and data).

16
Q

Maximum allowable downtime (MAD)

A

The measure of how long an organization can survive an interruption of critical functions. [Also known as maximum tolerable downtime (MTD).]

our maximum allowable destruction

17
Q

Personally Identifiable Information (PII)

A

Any data about a human being that could be used to identify that person.

18
Q

Policy

A

Documents published and promulgated by senior management dictating and describing the organization’s strategic goals.

Less Granular, Intention towards security

19
Q

Privacy

A

The right of a human individual to control the distribution of information about themselves.

20
Q

Procedures

A

Explicit, repeatable activities to accomplish a specific task. Procedures can address one-time or infrequent actions or common, regular occurrences.

21
Q

Recovery time objective (RTO)

A

The target time set for recovering from any interruption

22
Q

Residual Risk

A

The risk remaining after security controls have been put in place as a means of risk mitigation.

Risk that remains

23
Q

Risk

A

The possibility of damage or harm and the likelihood that damage or harm will be realized.

24
Q

Risk Acceptance

A

Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.

25
Q

Risk avoidance

A

Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.

Avoid the risk by NOT doing it; it’s not worth it.

26
Q

Risk mitigation

A

Putting security controls in place to attenuate the possible impact or likelihood, or both, of a specific risk.

27
Q

Risk transference

A

Paying an external party to accept the financial impact of a given risk.

28
Q

Security control framework

A

A notional construct outlining the organization’s approach to security, including a list of the specific security processes, procedures, and solutions used by the organization.

Security solution and management method connected.

29
Q

Security governance

A

The entirety of the policies, roles, and processes the organization uses to make security decisions in an organization.

30
Q

Standards

A

Specific mandates explicitly stating expectations of performance or conformance.

31
Q

Sensitivity

A

Refers to the quality of information which could cause harm or damage if disclosed.
sy. 5

32
Q

Discretion

A

The act of decision where an operator can influence or control disclosure in order to minimize harm or damage.
sy. 5

33
Q

Criticality

A

The level to which information is mission critical is its measure of criticality.
sy. 5

34
Q

Concealment

A

The act of hiding or preventing disclosure.
sy. 5

35
Q

Secrecy

A

The act of keeping something a secret or preventing the disclosure of information.
sy. 5

36
Q

Privacy

A

Refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.
sy. 5

37
Q

Seclusion

A

Involves storing something in an out-of-the-way location, likely with strict access control.
sy. 5

38
Q

Isolation

A

Keeping something separated from others.
sy. 5

39
Q

DAD Triad

A

Disclosure, Alteration, and Destruction

sy. 8

40
Q

Authenticity

A

Security concept that data is authentic or genuine and originates from its alleged source
sy. 8

41
Q

Nonrepudiation

A

Ensures that the subject of an activity, or whoever caused an event, cannot deny that the event occurred.

sy. 8

42
Q

Identification

A

A subject must perform identification to start the process of authentication, authorization, and accountability.
sy. 9

43
Q

Authorization

A

Ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity.

sy. 10

44
Q

Defense in depth

A

Layering: multiple controls in series.
sy. 11

45
Q

Abstraction

A

For efficiency, similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.

Object Oriented programming
Sy. 12

46
Q

Data hiding

A

Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible to or seen by the subject.

Can’t see or access the data - Steganography
sy. 12

47
Q

Security Boundary

A

The line of intersection between any two areas, subnets, or environments that have different security needs or requirements.

Policy should state where one control ends and another begins
sy. 13

48
Q

Third-Party Governance

A

The system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements.

Verify compliance, know an org’s requirements to fulfill

49
Q

Documentation review

A

The process of reading the exchanged materials and verifying them against standards and expectations.

sy. 15

50
Q

Security management planning ensures proper creation, implementation, and enforcement of a ______

A

Security policy

sy. 17

51
Q

A _____ _____ is usually a documented argument or stated position in order to define a need to make a decision to take some form of action.

A

Business case

Sy. 17

52
Q

The best security plan is useless without one key factor _____.

A

Senior management approval; understanding the risks and exposures for which the security policy is deployed.

sy. 18

53
Q

Developing a security policy is evidence of ____ and ____.

A

Due Diligence and Due Care; without either, senior management can be held liable for negligence and accountable for asset and financial loss.

sy. 18

54
Q

Strategic Plan

A

Long-term plan that is fairly stable

sy. 18

55
Q

Tactical Plan

A

Midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan.

sy. 18

56
Q

Operational Plan

A

Short-term, highly detailed plan based on the strategic and tactical plans.

sy. 19

57
Q

Service Level requirement (SLR)

A

A statement of the expectations of service and performance from the product or service of a vendor.
sy. 20

58
Q

Asset Owner

A

The person who is responsible for classifying information for placement and protection within the security solution.
sy. 21

59
Q

Data custodian

A

The user who is responsible for the tasks of implementing the prescribed protections defined by the security policy and senior management.
sy. 21

Custodians clean Data, lock the doors at the end of the day

60
Q

Control Objectives for Information and Related Technologies (COBIT)

A

Documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA).
Sy. 22
Controls orbit our technologies

Provide Stakeholder Value
Holistic Approach
Dynamic Governance System
Governance Distinct from Management
Tailored to Enterprise Needs
End-to-End Governance System

61
Q

NIST 800-53 v5

A

Security and Privacy Controls for Information Systems and Organizations.
Government sourced general recommendations for security.
Sy. 22

62
Q

NIST Risk Management Framework (RMF)

and its 5 functions

A

U.S. government guide for establishing and maintaining security crafted by the National Institute of Standards and Technology (NIST) that establishes mandatory requirements for federal agencies. Aka NIST Risk Management Framework (RMF).

Identify, Protect, Detect, Respond, and Recover

63
Q

NIST Cybersecurity Framework (CSF)

+ Five Stages

A

U.S. government guides for establishing and maintaining security crafted by the National Institute of Standards and Technology (NIST), which is designed for critical infrastructure and commercial organizations. Aka NIST Cybersecurity Framework (CSF).

Identify, Protect, Detect, Respond, and Recover.

64
Q

International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000

A

International standard that can be the basis of implementing organizational security and related management practices.

65
Q

Operational Security

A

The continued maintenance of due care and due diligence

66
Q

Standards

A

Compulsory requirements for the homogeneous use of hardware, software, technology, and security controls.

Standards are REQUIRED to be followed for use

67
Q

Baseline

A

Minimum level of security that every system throughout the organization must meet.

sy 25

68
Q

Guideline

A

Recommendations on how standards and baselines are implemented; they serve as an operational guide for security professionals and users.

sy 25

69
Q

Procedures

A

Detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security control, mechanism, or solution.

sy 25

70
Q

Threat Modeling

A

Security process in which potential threats are identified, categorized, and analyzed, so that priorities can be determined for which defenses to build controls around.

71
Q

Reduction Analysis

A

Gain a greater understanding of the logic of the product, its internal components, and its interactions with external elements.

72
Q

Steps of Decomposition Process

A

Trust boundaries: where levels of security change
Dataflow paths: movement of data between locations
Input points: where external input is received
Privileged operations: any activity that requires greater privileges, such as making security or system changes
Details of security stance: mapping to security policy and assumptions

73
Q

Supply Chain Risk Management

A

Ensures that all vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements.

74
Q

Risk Management

A

Detailed process of identifying factors that could damage or disclose assets, evaluating those factors in light of asset value and countermeasure cost, and implementing cost-effective solutions for minimizing risk.

75
Q

Risk assessment/analysis

A

Examination of an environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of the damage it would cause if it did occur.

76
Q

Risk Response

A

Evaluating countermeasures, safeguards, and security controls using cost-benefit analysis; adjusting findings based on the conditions, concerns, priorities, and resources; and providing a proposal of response options.

How we evaluate and respond to risk

77
Q

Single-loss expectancy (SLE)

A

Percentage of loss that an organization would experience if a specific asset were violated by a realized risk.

SLE = Asset Value * Exposure Factor

78
Q

Exposure factor

A

The percentage of loss that an organization would experience if a specific asset were violated by a realized risk.

Loss Potential

the factor of something being exposed! How much loss

79
Q

Annualized Rate of Occurrence

A

Expected frequency with which a specific threat or risk will occur.

80
Q

Annualized Loss Expectancy

A

The possible yearly loss of all instances of a specific realized threat against a specific asset.

ALE = ARO * SLE (ale is arousal)

81
Q

Administrative controls

A

The policies and procedures defined by an organization’s security policy and other regulations or requirements.

managerial/procedural/management controls

82
Q

Logical controls

A

The hardware or software mechanisms used to manage access and provide protection for IT resources and systems.

Technical controls

83
Q

Security Control Assessment (SCA)

A

The formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectation.

84
Q

Risk register

A

A document that inventories all the identified risks to an organization or system or within an individual project.

85
Q

Typosquatting

A

Trying to redirect traffic when a user mistypes the domain name or IP address of an intended resource.

86
Q

Five stages of business impact analysis

A

Identification of priorities, risk identification, likelihood assessment, impact analysis, and resource prioritization

How would I evaluate impact? Find the priorities, determine the risks, how likely those risks are to happen, what the impact of those risks would be, and how you would prioritize resources to combat them.

87
Q

Civil Law

A

Designed to provide for an orderly society and govern matters that are not crimes but require an impartial arbiter

88
Q

Administrative law

A

Executive orders, policies, procedures, and regulations that govern the daily operations of the executive branch agency

89
Q

Computer Fraud and Abuse Act

A

First major piece of cyber-specific computer crime legislation
Built as part of the Comprehensive Crime Control Act of 1984

Doesn’t say Cyber, must be old

90
Q

Comprehensive Crime Control Act

A

Covered computer crimes that crossed state boundaries to avoid infringing on states’ rights and treading on constitutional thin ice

Basic unauthorized access, using computers for fraud, damaging federal computer systems

91
Q

National Information Infrastructure Protection Act of 1996

A

A set of amendments to the Computer Fraud and Abuse Act that extended its coverage to international and commercial computer use, and to industrial infrastructure (gas, trains, electric grids)

Key word: Infrastructure

92
Q

Digital Millennium Copyright Act (DMCA)

A

Prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder.

World Intellectual Property Organization

ISPs are not liable for traffic generated by a user

93
Q

Trade secrets

A

Intellectual property that, if disclosed, would cause significant damage

Coca-Cola recipe

94
Q

Electronic Communications Privacy Act of 1986

A

Makes it a crime to invade the electronic privacy of an individual.

95
Q

Communications Assistance for Law Enforcement Act of 1994

A

Amended the Electronic Communications Privacy Act to allow wiretapping for law enforcement with an appropriate court order.

96
Q

Economic Espionage Act of 1996

A

Extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage.

97
Q

Health Insurance Portability and Accountability Act of 1996

A

Clearly defines the rights of individuals who are the subject of medical records and organizations that maintain such records to disclose these rights.

98
Q

ISO 27001

A

Establishes the guidelines for implementing an information security management system (ISMS). It is the foundation of numerous other ISO standards, many of which are within the ISO 27000 family group. It prescribes that management perform a systematized evaluation of an organization’s assets and threats (i.e., risk assessment), then design and implement a security response strategy to address the identified risks and adopt an ongoing management, oversight, and governance process to maintain and improve the security infrastructure over time.

99
Q

ISO 27002

A

Prescribes best practices for the implementation and use of security controls within each of the 14 control groups from ISO 27001. ISO 27002 is effectively an extension of ISO 27001.

2700 2 steps further, specific controls

100
Q

ISO 27701

A

An extension of ISO 27001 that focuses on privacy. It describes how to establish and maintain a privacy information management system (PIMS). It includes guidance on implementing compliance with a range of privacy regulations, including the General Data Protection Regulation (GDPR).

double 7 007 secret privacy

101
Q

ISO 31000

A

A family of standards and guidelines for implementing a risk management–based security program

102
Q

root cause analysis

A

An operational investigation that seeks to identify the reason that an operational issue occurred. The root cause analysis often highlights issues that require remediation to prevent similar incidents in the future.

103
Q

beyond a reasonable doubt

A

The standard of evidence in a criminal court case.

104
Q

preponderance of the evidence

A

The standard of evidence in a civil court case.

105
Q

artifacts

A

Any items of evidence left behind by a suspect when performing a criminal or otherwise violating activity.

106
Q

admissible evidence

A

Evidence that is relevant to determining a fact. The fact that the evidence seeks to determine must be material (in other words, related) to the case. In addition, the evidence must be competent, meaning that it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.

107
Q

admissibility

A

In U.S. courts, for evidence to be considered usable in court (i.e., admissible), it must meet three requirements: relevant, material, and competent. Evidence is relevant if it helps to determine or establish a fact about the case. Evidence is material if the fact determined by the evidence is related to the case. Evidence is competent if it was obtained legally, such as via a search warrant or consent.

108
Q

real evidence

A

Items that can actually be brought into a court of law; aka object evidence.

109
Q

documentary evidence

A

Any written items brought into court to prove a fact at hand. This type of evidence must also be authenticated.

110
Q

best evidence rule

A

A rule that states that when a document is used as evidence in a court proceeding, the original document must be introduced. Copies will not be accepted as evidence unless certain exceptions to the rule apply.

111
Q

parol evidence rule

A

A rule stating that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement.

112
Q

testimonial evidence

A

Evidence that consists of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition.

113
Q

direct evidence

A

Evidence that proves or disproves a specific act through oral testimony based on information gathered through the witness’s five senses.

114
Q

demonstrative evidence

A

Evidence used to support testimonial evidence. It consists of items that may or may not be admitted into evidence themselves but are used to help a witness explain a concept or clarify an issue.

115
Q

write blocker

A

Hardware adapters that physically sever the portion of the cable used to connect the storage device that would write data to the device, reducing the likelihood of accidental tampering with the device. A software write blocker is a common feature of most data duplication products, but it is not as reliable as a hardware write blocker.

116
Q

memory dump

A

A file that contains the contents of memory. A memory dump may be triggered by a system error or by a forensics tool for investigative purposes.

117
Q

voluntary surrender, voluntarily surrender

A

The act of willingly handing over evidence.

118
Q

subpoena

A

A court order that compels an individual or organization to surrender evidence or to appear in court.

119
Q

plain view doctrine

A

A law enforcement officer performing a legally permissible duty may seize evidence that is visible to the officer in plain view if the officer has probable cause to believe that the evidence is associated with criminal activity.

120
Q

exigent circumstances

A

This means that a reasonable person would believe that the evidence would be destroyed if not immediately collected or another emergency exists, such as the risk of physical harm. When officers enter a premises under exigent circumstances, they may conduct a warrantless search.

121
Q

reasonable expectation of privacy

A

A legal concept used to determine whether a person had a common-sense ability to assume their activities and actions were not being monitored.

122
Q

interview

A

Questioning a person to gather information to assist with a criminal investigation. In an interview, the person being questioned is not suspected of committing the crime. See also interrogation.

123
Q

interrogation

A

Questioning a person suspected of committing a crime. See also interview.

124
Q

computer crime

A

Any crime that is perpetrated against or with the use of a computer.

125
Q

military and intelligence attacks

A

Attacks that are launched primarily to obtain secret and restricted information from law enforcement or military and technological research sources.

126
Q

business attack

A

An attack that focuses on illegally obtaining an organization’s confidential information. Aka corporate espionage or industrial espionage.

127
Q

financial attack

A

A crime that is carried out to unlawfully obtain money or services.

128
Q

terrorist attacks

A

Attacks that differ from military and intelligence attacks in that the purpose is to disrupt normal life, whereas a military or intelligence attack is designed to extract secret information.

129
Q

grudge attack

A

An attack usually motivated by a feeling of resentment and carried out to damage an organization or a person. The damage could be in the loss of information or harm to the organization or a person’s reputation. Often the attacker is a current or former employee or someone who wishes ill will upon an organization.

130
Q

thrill attack

A

An attack launched by crackers/hackers with few true skills. The main motivation behind thrill attacks is the “high” of getting into a system.

131
Q

ethics

A

The rules that govern personal conduct. Several organizations have recognized the need for standard ethics rules, or codes, and have devised guidelines for ethical behavior. These rules are not laws but are minimum standards for professional behavior. They should provide you with a basis for sound, professional, ethical judgment.

132
Q

Gramm–Leach–Bliley Act (GLBA)

A

A law passed in 1999 that eased the strict governmental barriers between financial institutions. Banks, insurance companies, and credit providers were severely limited in the services they could provide and the information they could share with each other. GLBA somewhat relaxed the regulations concerning the services each organization could provide.

133
Q

Federal Information Security Management Act (FISMA)

A

A U.S. law passed in 2002 requiring that federal agencies implement an information security program that covers the agency’s operations. FISMA also requires that government agencies include the activities of contractors in their security management programs.

134
Q

Children’s Online Privacy Protection Act (COPPA)

A

A law in the United States that places specific demands on websites that cater to children or knowingly collect information from children.