Domain 1 (Security and Risk Management)

Question 1

What does CIA stand for?

Answer 1

Confidentiality, Integrity and Availability

Question 2

What is the purpose of confidentiality?

Answer 2

Enforces secrecy

Question 3

What is the purpose of integrity?

Answer 3

Accuracy, reliability of data

Question 4

What are example controls that enforce confidentiality?

Answer 4

Encryption, Access control

Question 5

What are example controls that enforce Integrity?

Answer 5

Hashing, Change Control

Question 6

What are example controls that enforce availability?

Answer 6

RAID, backups

Question 7

Definition of Vulnerability

Answer 7

System weakness that allow treat agent to compromise

Question 8

Definition of Threat

Answer 8

Danger associated with exploiting vulnerability

Question 9

Examples of a Treat Agent

Answer 9

Intruder, careless employee or bad policy

Question 10

Definition of Risk

Answer 10

Likelihood of threat source exploiting vulnerability and its business impact

Question 11

Definition of Exposure

Answer 11

Instance of being exposed to loss. Example: Weak Password

Question 12

Definition of Control

Answer 12

Countermeasure to mitigate risk

Question 13

What are the three control types?

Answer 13

Administrative, Technical and Physical

Question 14

Examples of Administrative controls

Answer 14

Documents, training, management related

Question 15

Examples of Technical controls

Answer 15

Firewall, encryption, IDS

Question 16

Example of physical control

Answer 16

Fences

Question 17

Definition of Defense-In-Depth

Answer 17

coordinated use of several controls in layered approach

Question 18

Name the six control functions

Answer 18

Preventative, Detective, Corrective, Deterrent, Recovery and Compensating

Question 19

What does a Preventative control function do?

Answer 19

Intend to avoid incident happening

Question 20

What does a detective control function do?

Answer 20

Identify incident activities

Question 21

What does a corrective control function do?

Answer 21

Fixes systems after incident

Question 22

What does a deterrent control function do?

Answer 22

Discourages attackers

Question 23

What does a recovery control function do?

Answer 23

Brings environment back to operation

Question 24

What does a compensating control function do?

Answer 24

Alternative measure of control

Question 25

Definition of Security Through Obscurity

Answer 25

Assume your enemies are not as smart as you are

Question 26

Definition of Methodology

Answer 26

Process to follow to build architecture

Question 27

Definition of Strategic Alignment

Answer 27

Business drivers being met by security

Question 28

Definition of Business enablement

Answer 28

Core business processes are integrated into security model

Question 29

What does a system architect do?

Answer 29

Structure of software

Question 30

What does a enterprise architect do?

Answer 30

Structure of organization

Question 31

What is computer assisted crime?

Answer 31

Computer used to carry out crime

Question 32

What is computer targeted crime?

Answer 32

Computer was victim

Question 33

What is computer incidental crime?

Answer 33

A computer happen to have been used in crime

Question 34

Definition of Advanced Persistent Threat

Answer 34

Very focused and motivated attacker

Question 35

Characteristics of Civil law system

Answer 35

Decide liability not guilt. Financial compensation

Question 36

Characteristics of criminal law

Answer 36

Innocent until proven guilty. Punishment loss of freedom

Question 37

Characteristics of Customary Law Systems

Answer 37

Based on tradition, Deals with personal conduct, Fine or community service

Question 38

What is a mixed law system?

Answer 38

Mostly mix civil and common law

Question 39

Characteristics of Administrative law

Answer 39

Regulatory standards for performance and conduct

Question 40

Characteristics of Trade Secret

Answer 40

Qualify only if provides company with competitive edge. Must require skill, money effort develop. Proprietary.

Question 41

Examples of a Trade Secret

Answer 41

Algorithms, source code, recipe

Question 42

Characteristics of Copyright

Answer 42

Does not cover resource but expression of idea

Question 43

Examples of Copyright

Answer 43

Drawing, music

Question 44

Examples of Trademark

Answer 44

Work, symbol, sound

Question 45

Characteristics of Patent

Answer 45

Excludes others from copying, lasts 20 years

Question 46

What do you call non practicing entities that do not use patent?

Answer 46

Patent troll

Question 47

What is Freeware

Answer 47

Can use and share

Question 48

What is Shareware

Answer 48

Released for marketing

Question 49

What is Personally Identifiable Information?

Answer 49

Data that can identify a single person

Question 50

What is privacy?

Answer 50

The ability to control who has information about you

Question 51

What is a Chief Privacy Officer?

Answer 51

Usually lawyer oversees how data managed

Question 52

Name three privacy problems

Answer 52

Data aggregation, loss of borders, convergent technologies

Question 53

What is a generic approach regulation?

Answer 53

Stretches across industries, also called horizontal enactment

Question 54

Tip for Reasonable Exception of Privacy?

Answer 54

Tell staff they are being monitored

Question 55

Definition of Threat?

Answer 55

Something that has the potential to cause harm

Question 56

Quality of a safeguard?

Answer 56

It’s proactive

Question 57

Quality of a Countermeasure?

Answer 57

It’s reactive

Question 58

What is a Secondary Risk?

Answer 58

A risk that comes later as the result of another risk response

Question 59

What is Residual Risk?

Answer 59

The risk left over after a risk response

Question 60

What does the Delphi Technique do?

Answer 60

Get users to contribute to risk analysis anonymously

Question 61

Quantitative Analysis - what does AV stand for?

Answer 61

Asset value, Dollar number asset is worth

Question 62

Quantitative Analysis - what does EF stand for?

Answer 62

Exposure factor. % of loss expected as result

Question 63

Quantitative Analysis - what does SLE stand for?

Answer 63

Single loss expectancy. Dollar amount cost single occurrence of threat

Question 64

Quantitative Analysis - what does ARO stand for?

Answer 64

Annual Rate of Occurrence. How often a threat is expected to materialize

Question 65

Quantitative Analysis - what does ALE stand for?

Answer 65

Annual loss expectancy. Cost per year as a result of the threat

Question 66

Quantitative Analysis - what does TCO stand for?

Answer 66

Total cost of ownership. Cost of implementing the safeguard

Question 67

What is Asset Value (AV)?

Answer 67

Dollar number asset is worth

Question 68

What is Exposure Factor (EF)?

Answer 68

% of loss expected as result

Question 69

What is Single Loss Expectancy (SLE)?

Answer 69

Dollar amount cost single occurrence of threat

Question 70

What is Annual Rate of Occurrence (ARO)?

Answer 70

How often the threat is expected to materialize

Question 71

What is Annual Loss Expectancy (ALE)?

Answer 71

Cost per year as a result of the threat

Question 72

What is Total Cost of Ownership (TCO)?

Answer 72

Total cost of implementing a safeguard

Question 73

Formula for Single Loss Expectancy (SLE)?

Answer 73

SLE (Single Loss Expectancy) = AV (Asset Value) * EF (Exposure Factor)

Question 74

Formula for Annual Loss Expectancy (ALE)?

Answer 74

ALE (Annual Loss Expectancy) = SLE (Single Loss Expectancy) * ARO (Annual Rate of Occurrence)

Question 75

What are the five ways to mitigate risk?

Answer 75

Reduce, Accept, Transfer, Avoidance, Rejection

Question 76

What does Risk Reduction do?

Answer 76

Lessen the probability and/or impact of a risk

Question 77

What is Risk Transference?

Answer 77

Shares the risk with someone else. Insurance or SLA. Lessen portion of loss. Does not reduce likelihood.

Question 78

What is Risk Acceptance?

Answer 78

Logical solution when cost of mitigation is greater than the potential for loss

Question 79

What is Risk Rejection?

Answer 79

Happens when we ignore the risk

Question 80

What is Risk Avoidance?

Answer 80

When we don’t go ahead with whatever would expose us to that risk

Question 81

What is Total Risk?

Answer 81

The risk that exists before any control is implemented

Question 82

What is Governance?

Answer 82

Ensures that stakeholder needs and goals understood

Question 83

What is Management?

Answer 83

Plans, build, runs and monitors activities as directed by governance

Question 84

COBIT and COSO buzzword

Answer 84

Goal orientated

Question 85

OCTAVE buzzword

Answer 85

Self directed risk assessment

Question 86

What does ISO 27002 do?

Answer 86

Practical advise for implementing security controls in ISMS (Information Security Management System)

Question 87

What does ISO 27001 do?

Answer 87

Establish, Implement, Control and Improve ISMS (Information Security Management Systems).

Question 88

What does ISO 27004 do?

Answer 88

Provides metrics for measuring the success of ISMS (Information Security Management Systems).

Question 89

What does ISO 27799 do?

Answer 89

Directives on protecting personal health information

Question 90

What does ISO 27005 do?

Answer 90

A standards based approach to risk management

Question 91

What standard replaced ISO 17799?

Answer 91

ISO 27002

Question 92

Who is ultimately responsible for the security within an organization?

Answer 92

Senior management

Question 93

What is Due Diligence?

Answer 93

Continuously monitoring an organizations practices to ensure they are meeting the security requirements

Question 94

What is Due Care?

Answer 94

Ensuring that best practices and implemented and followed.

Question 95

What is the Prudent Man Rule?

Answer 95

Acting responsibly and cautiously as a prudent man would

Question 96

What are the three characteristics of the Organization Security Policy?

Answer 96

Very high level management statement,
Assign responsibility,
Explains drivers.

Question 97

What is a System Specific Policy?

Answer 97

Every system has a different policy (printers, AD etc)

Question 98

What is a Issue Specific Policy?

Answer 98

Company stance on various employee issues. Privacy, e-mail usage etc

Question 99

What are Standards within Policies?

Answer 99

Mandatory, gives specifics about how to support policy

Question 100

What are Procedures?

Answer 100

Mandatory, Step by step instructions

Question 101

What are Guidelines?

Answer 101

Not mandatory, suggestive in nature. Recommended actions and guides to users

Question 102

What are Baselines?

Answer 102

Mandatory, minimum acceptable security configuration for a system or process

Question 103

What is Disaster Recovery Planning (DRP)?

Answer 103

Handels disaster and ramification right after disaster hits

Question 104

What is Business Continuity Planning (BCP)?

Answer 104

Deals with long term effects of outage

Question 105

What is Business Continuity Management (BCM)?

Answer 105

Holistic management process that cover both

Question 106

Who is the leader of the BCP (Business Continuity Management) team?

Answer 106

Business continuity coordinator

Question 107

What is Maximum Tolerable Downtime (MTD)?

Answer 107

Classifications for how long each system can be down (Critical, Normal, nonessential etc)

Question 108

What is performed before Business Continuity Planning (BCP)?

Answer 108

A business impact analysis (BIA)

Question 109

What is Separation of Duties?

Answer 109

Ensure no individual cannot complete a critical task by himself

Question 110

What is Collusion?

Answer 110

At least two people working together to cause fraud

Question 111

What is Split Knowledge?

Answer 111

No one person knows how to completely perform a task (IE launch codes)

Question 112

What is Dual Control?

Answer 112

Two people must perform action such as key turn

Question 113

What is Rotation of Duties?

Answer 113

No one person hold position for too long

Question 114

What is the WASSENAAR agreement?

Answer 114

Cannot export crypto to terrorist countries

Question 115

What is cyber squatting?

Answer 115

Registering a URL that somebody else would need

Question 116

What is HIPPA (Health Insurance Portability and Accountability Act)?

Answer 116

Applies to healthcare

Question 117

What is a Crisis Communication Plan?

Answer 117

How to report to staff and public

Question 118

What is a Occupant Emergency Plan (OEP)?

Answer 118

Keep people safe

Question 119

How often should a Disaster Recovery Plan be tested?

Answer 119

At least once a year

Question 120

What is a Failover?

Answer 120

Action taken to recover

Question 121

What is a Failback?

Answer 121

Go back to normal after failover

Question 122

What is a Parallel test in DRP?

Answer 122

System moved and used offsite, risky

Question 123

What is a Full Interruption Test?

Answer 123

Shutdown original site, risky

Question 124

What is Recovery Point Objective (RPO)?

Answer 124

How current must my data be if restoring from a backup?

Question 125

What is Maximum Tolerable Downtime (MTD)?

Answer 125

What is the longest that a system can be down?

Question 126

What is Mean Time Between Failures (MTBF)?

Answer 126

Lifespan of hardware

Question 127

What is Minimum Operating Requirements (MOR)?

Answer 127

What is the minimum system spec

Question 128

What is the opposite of CIA?

Answer 128

Disclosure, Alteration and Destruction

Question 129

What does IAAA stand for?

Answer 129

Identity and Authentication, Authorization and Accountability

Question 130

What in an example of Identity and Authentication?

Answer 130

Username and password

Question 131

What is an example of Authorization as it relates to IAAA?

Answer 131

Actions done on a system after Authentication such as read and write access

Question 132

What is nonrepudiation?

Answer 132

A user cannot deny having performed a transaction

Question 133

What is the difference between subjects and objects?

Answer 133

Subject is a user, object is a file

Question 134

What are the three types of Financial Damages in legal terms?

Answer 134

Statutory, Compensatory and Punitive

Question 135

What are Statutory Financial Damages?

Answer 135

Prescribed by law awarded to victim even if they have suffered no loss

Question 136

What are Compensatory Financial Damages?

Answer 136

Provide victim with financial award to compensate for loss

Question 137

What are Punitive Financial Damages?

Answer 137

Punish individual or organization

Question 138

What is Attestation?

Answer 138

Having a third-party audit a service provider to ensure they can be trusted

Question 139

What is a Divestiture?

Answer 139

The opposite of an acquisition in which two companies become one

Question 140

Is a Policy mandatory or discretionary?

Answer 140

Mandatory

Question 141

Is a Procedure mandatory or discretionary?

Answer 141

Mandatory

Question 142

Is a Standard mandatory or discretionary?

Answer 142

Mandatory

Question 143

Is a Guideline mandatory or discretionary?

Answer 143

Discretionary

Question 144

Is a Baseline mandatory or discretionary?

Answer 144

Discretionary

Question 145

What is offshoring?

Answer 145

Outsourcing to another country