Domain 1 - Security and Risk Management Flashcards

1
Q
Which of the following contains the primary goals and objectives of security?
A. A network’s border perimeter
B. The CIA Triad
C. A stand-alone system
D. The Internet
A

B. The CIA Triad

2
Q

Vulnerabilities and risks are evaluated based on their threats against which of the
following?
A. One or more of the CIA Triad principles
B. Data usefulness
C. Due care
D. Extent of liability

A

A. One or more of the CIA Triad principles

3
Q

Which of the following is a principle of the CIA Triad that means authorized subjects are
granted timely and uninterrupted access to objects?
A. Identification
B. Availability
C. Encryption
D. Layering

A

B. Availability

4
Q
Which of the following is not considered a violation of confidentiality?
A. Stealing passwords
B. Eavesdropping
C. Hardware destruction
D. Social engineering
A

C. Hardware destruction

5
Q

Which of the following is not true?
A. Violations of confidentiality include human error.
B. Violations of confidentiality include management oversight.
C. Violations of confidentiality are limited to direct intentional attacks.
D. Violations of confidentiality can occur when a transmission is not properly encrypted.

A

C. Violations of confidentiality are limited to direct intentional attacks.

6
Q

STRIDE is often used in relation to assessing threats against applications or operating
systems. Which of the following is not an element of STRIDE?
A. Spoofing
B. Elevation of privilege
C. Repudiation
D. Disclosure

A

D. Disclosure

7
Q

If a security mechanism offers availability, then it offers a high level of assurance that
authorized subjects can _________________________ the data, objects, and resources.
A. Control
B. Audit
C. Access
D. Repudiate

A

C. Access

8
Q
___________ refers to keeping information confidential that is personally identifiable or which might cause harm, embarrassment, or disgrace to someone if revealed.
A. Seclusion
B. Concealment
C. Privacy
D. Criticality
A

C. Privacy

9
Q

All but which of the following items requires awareness for all individuals affected?
A. Restricting personal email
B. Recording phone conversations
C. Gathering information about surfing habits
D. The backup mechanism used to retain email messages

A

D. The backup mechanism used to retain email messages

10
Q
What element of data categorization management can override all other forms of access control?
A. Classification
B. Physical access
C. Custodian responsibilities
D. Taking ownership
A

D. Taking ownership

11
Q
What ensures that the subject of an activity or event cannot deny that the event occurred?
A. CIA Triad
B. Abstraction
C. Nonrepudiation
D. Hash totals
A

C. Nonrepudiation

12
Q
Which of the following is the most important and distinctive concept in relation to layered security?
A. Multiple
B. Series
C. Parallel
D. Filter
A

B. Series

13
Q

Which of the following is not considered an example of data hiding?
A. Preventing an authorized reader of an object from deleting that object
B. Keeping a database from being accessed by unauthorized visitors
C. Restricting a subject at a lower classification level from accessing data at a higher classification level
D. Preventing an application from accessing hardware directly

A

A. Preventing an authorized reader of an object from deleting that object

14
Q
What is the primary goal of change management?
A. Maintaining documentation
B. Keeping users informed of changes
C. Allowing rollback of failed changes
D. Preventing security compromises
A

D. Preventing security compromises

15
Q

What is the primary objective of data classification schemes?
A. To control access to objects for authorized subjects
B. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity
C. To establish a transaction trail for auditing accountability
D. To manipulate access controls to provide for the most efficient means to grant or restrict functionality

A

B. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity

16
Q
Which of the following is typically not a characteristic considered when classifying data?
A. Value
B. Size of object
C. Useful lifetime
D. National security implications
A

B. Size of object

17
Q

What are the two common data classification schemes?
A. Military and private sector
B. Personal and government
C. Private sector and unrestricted sector
D. Classified and unclassified

A

A. Military and private sector

18
Q
Which of the following is the lowest military data classification for classified data?
A. Sensitive
B. Secret
C. Proprietary
D. Private
A

B. Secret

19
Q
Which commercial business/private sector data classification is used to control information about individuals within an organization?
A. Confidential
B. Private
C. Sensitive
D. Proprietary
A

B. Private

20
Q
Data classifications are used to focus security controls over all but which of the following?
A. Storage
B. Processing
C. Layering
D. Transfer
A

C. Layering

21
Q

A threat categorization scheme developed by Microsoft. It is an acronym standing for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

A

STRIDE

22
Q

To prevent unauthorized disclosure

A

Confidentiality

23
Q

No unauthorized modifications, consistent data

A

Integrity

24
Q

Reliable and timely access to resources

A

Availability

25
Q

A user claims an identity. Used for user access control.

A

Identification

26
Q

Process of verifying a user’s identity

A

Authentication

27
Q

Linking actions to a user

A

Accountability

28
Q

Granting rights and permissions to an authorized identity

A

Authorization

29
Q

Recording a log of events and activities related to subjects and systems

A

Auditing

30
Q

Ensures that the subject of an activity or event cannot deny that the event happened.

A

Nonrepudiation

31
Q

A long-term plan that is fairly stable and contains little detail. It defines the organization's goals and objectives. It is part of Security Management Planning.

A

Strategic

32
Q

A midterm plan developed to provide more details on accomplishing the goals in the strategic plan. It is part of Security Management Planning.

A

Tactical

33
Q

Plans that are short-term and highly detailed. Based on Strategic and Tactical plans.

A

Operational

34
Q

The use of multiple security controls in a series.

A

Layering or Defense in Depth

35
Q

Putting similar elements into groups, classes, or roles for efficiency. Used when classifying objects or assigning roles to subjects.

A

Abstraction

36
Q

Preventing data from being discovered or accessed by a subject.

A

Data Hiding

37
Q

The collection of practices related to supporting, defining, and directing the security efforts of an entire organization.

A

Security Governance

38
Q

Document that defines the scope of security needed by the organization. It also discusses the assets that need protection and the extent to which security solutions should go to provide protection. An overview of the organization's security needs. Part of a Security Policy Structure.

A

Security Policy

39
Q

Tactical documents that define steps or methods to accomplish the goals and direction defined by security policies. Part of a Security Policy Structure.

A

Standards

40
Q

Defines a minimum level of security that every system must meet. Part of a Security Policy Structure.

A

Baselines

41
Q

Offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users. Part of a Security Policy Structure.

A

Guidelines

42
Q

A detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security solution. Part of a Security Policy Structure.

A

Procedures

43
Q

Also known as organizational manager. The person ultimately responsible for the security maintained by an organization and the protection of assets. They rarely implement security solutions.

A

Senior Manager

44
Q

Responsible for following the directives mandated by senior management. They write security policies and implement them.

A

Security Professional

45
Q

Person responsible for classifying information for placement and protection within the security solution.

A

Data Owner

46
Q

User who performs all activities necessary to provide adequate protection of the CIA Triad of data and to fulfill the requirements delegated from upper management.

A

Data Custodian

47
Q

Any person who accesses a secure system.

A

User

48
Q

Person responsible for reviewing and verifying the security policy is properly implemented.

A

Auditor

49
Q

Change in a secure environment can introduce loopholes and oversights. The only way to manage security is to systematically manage change. The goal of ____ ________ is to ensure that any change does not reduce security.

A

Change Management

50
Q

This is done to data to simplify the process of assigning security controls to groups of objects rather than to individual objects.

A

Data Classifications

51
Q

Government Data Classifications

A

Top Secret, Secret, Confidential, Sensitive but unclassified, Unclassified

52
Q

Private Sector Data Classifications

A

Confidential, Private, Sensitive, Public

53
Q

This is required once an asset no longer warrants the protection of its currently assigned classification or sensitivity level.

A

Declassification

54
Q

A security framework that is a documented set of best IT security practices crafted by ISACA. It encourages the mapping of IT security ideals to business objectives.

A

COBIT

55
Q

The process when potential threats are identified, categorized and analyzed.

A

Threat modeling

56
Q

Integrating security risk management with acquisition strategies is a means to ensure a successful security strategy across the organization.

A

Security-Minded acquisitions

57
Q

Active prevention of unauthorized access to information that is personally identifiable.

A

Privacy

58
Q

A system of oversight that may be mandated by law, regulation, industry standards, or licensing requirements.

A

Third-Party governance

59
Q

The process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for reducing risk.

A

Risk Management

60
Q

The process by which upper management is provided with the details needed to decide which risks are to be mitigated, which should be transferred, and which should be accepted. You must analyze assets, asset valuation, threats, vulnerabilities, exposure, risk, realized risk, safeguards, countermeasures, attacks, and breaches.

A

Risk Analysis

61
Q

Potential danger to an asset.

A

Threat

62
Q

Focuses on hard numbers and percentages. The process involves asset valuation, threat identification, the threat's potential frequency, and the resulting damage. The result is a cost/benefit analysis.

A

Quantitative Risk Analysis

63
Q

The percentage of loss a company would experience if an asset were violated by a risk.

A

Exposure Factor (EF)

64
Q

The cost associated with a single risk against a specific asset. SLE = AV * EF

A

Single Loss Expectancy (SLE)

65
Q

The expected frequency with which a specific threat or risk will occur within a single year.

A

Annualized Rate of Occurrence (ARO)

66
Q

The yearly cost of all instances of a specific threat against an asset. ALE = SLE * ARO

A

Annualized Loss Expectancy (ALE)

67
Q

Determines the value of a safeguard to a company. Same as the ALE if the safeguard is implemented. (ALE before safeguard) - (ALE after implementing the safeguard) - (annual cost of safeguard) = value of the safeguard to the company

A

Safeguard evaluation

68
Q

An anonymous feedback-and-response process used to arrive at a consensus. Such a consensus gives the responsible parties the opportunity to properly evaluate risks and implement solutions.

A

Delphi technique

69
Q

Three ways of handling risk

A

Reducing risk, assigning risk or accepting risk

70
Q

The implementation of safeguards and countermeasures.

A

Reducing risk or risk mitigation

71
Q

Placing the cost of loss that a risk represents onto another entity or organization, such as an insurer.

A

Assigning risk or transferring risk

72
Q

Management has evaluated the cost/benefit analysis of possible safeguards and has determined that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk.

A

Accepting risk

73
Q

The amount of risk an organization would face if no safeguards were implemented.

A

Total risk

74
Q

Risk that management has chosen to accept rather than mitigate.

A

Residual risk

75
Q

Controls that prevent unauthorized users from gaining access to resources.

A

Access Controls

76
Q

The seven access control types

A

Preventive, Detective, Corrective, Deterrent, Recovery, Directive, Compensation

77
Q

Security concept of dividing work tasks among several individuals.

A

Separation of Duties

78
Q

Users should be granted the minimum amount of access necessary for them to complete their required work.

A

Principle of Least Privilege

79
Q

Six steps of a Risk Management Framework

A

Categorize, Select, Implement, Assess, Authorize and Monitor

80
Q

Project scope and planning; Business impact assessment; Continuity planning; Approval and implementation

A

Business Continuity Planning Process

81
Q

Individuals responsible for leading the BCP process determine which departments and individuals have a stake in the business continuity plan. This process is used for BCP team selection.

A

Business Organization Analysis

82
Q

Leaders must exercise due diligence to ensure shareholders’ interests are protected.

A

Legal or regulatory requirements

83
Q

Identification of priorities; Risk identification; Likelihood assessment; Impact assessment; Resource prioritization

A

Business Impact assessment process

84
Q

The BCP team determines which risks will be mitigated; solutions to mitigate the risks are designed; the plan must then be approved by senior management; and personnel must receive training for their roles.

A

Continuity Strategy

85
Q

Committing the plan to writing provides a written record of the procedures to follow when disaster strikes.

A

BCP Documentation

86
Q

Protects society against acts that violate the basic principles we believe in. They are prosecuted by federal and state governments.

A

Criminal Law

87
Q

Provides the framework for the transaction of business between people and organizations. They are brought to the court and argued by the two parties.

A

Civil Law

88
Q

Used by government agencies to effectively carry out their day-to-day business.

A

Administrative Law

89
Q

Computer Crime Law - Protects computers used by the government or in interstate commerce.

A

Computer Fraud and Abuse Act (CFAA)

90
Q

Computer Crime Law - Outlines the steps the government must take to protect its own systems from attack.

A

Computer Security Act (CSA)

91
Q

Computer Crime Law - Further develops the federal government information security program. Responsibility for maintaining the security and integrity of government information and systems falls on individual agency leaders.

A

Government Information Security Reform Act (GISRA)

92
Q

Computer Crime Law - Requires that federal agencies implement an information security program that covers the agency's operations.

A

Federal Information Security Management Act (FISMA)

93
Q

Protect original works of authorship, such as books, poems, and songs.

A

Copyrights

94
Q

Names, slogans, and logos that identify a company, product, or service.

A

Trademarks

95
Q

Provide protection to the creators of new inventions.

A

Patents

96
Q

Protect the operating secrets of an organization.

A

Trade Secrets

97
Q

Prohibits the circumvention of copyright protection mechanisms placed in digital media. It also limits the liability of Internet service providers for the activities of their users.

A

Digital Millennium Copyright Act (1998)

98
Q

Provides penalties for individuals found guilty of the theft of trade secrets. Harsher penalties apply when the information will benefit a foreign government.

A

Economic Espionage Act (1996)

99
Q

Software license agreement that is a written agreement between a software vendor and a user.

A

Contractual License agreements

100
Q

Software license agreement that is written on the software packaging and takes effect when a user opens the package.

A

Shrink-wrap agreements

101
Q

Software license agreement that is included in a package but requires the user to accept the terms during the software installation process.

A

Click-wrap agreements

102
Q

Provides a framework for the enforcement of shrink‐wrap and click‐wrap agreements by federal and state governments.

A

Uniform Computer Information Transactions Act

103
Q

California’s SB 1386 implemented the first statewide requirement to notify individuals of a breach of their personal information. All but three states eventually followed suit with similar laws. Currently, federal law only requires the notification of individuals when a HIPAA‐covered entity breaches their protected health information.

A

Data Breach Requirements

104
Q

Organizations may find themselves subject to a wide variety of laws and regulations imposed by regulatory agencies or contractual obligations, such as PCI DSS for the credit card industry.

A

Compliance

105
Q

Security professionals should conduct reviews of the security controls put in place by vendors, both during the initial vendor selection and evaluation process and as part of ongoing vendor governance reviews.

A

Contracting and Procurement