Domain 1 (Security and Risk Management) Flashcards

1
Q

What does CIA stand for?

A

Confidentiality, Integrity and Availability

2
Q

What is the purpose of confidentiality?

A

Enforces secrecy

3
Q

What is the purpose of integrity?

A

Accuracy, reliability of data

4
Q

What are example controls that enforce confidentiality?

A

Encryption, Access control

5
Q

What are example controls that enforce Integrity?

A

Hashing, Change Control
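Hashing enforces integrity by making alteration detectable: a known-good digest is recorded while the data is trusted, and any later change, even one flipped bit, produces a different digest. The following file-integrity check is an added example written for this card; it is not part of the original deck. The file contents and paths are constructed in memory so it runs offline.

```python
"""Hashing as an integrity (detective) control: baseline digests, then verify.

Added example for the 'Hashing' integrity control above; not part of the
original flashcard deck. The file contents below are constructed samples.
"""
import hashlib
from typing import Dict, List


def digest(data: bytes) -> str:
    """SHA-256 hex digest of the data. One changed bit yields an unrelated hash."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the known-good digest of every monitored file.

    Run this at a trusted point in time (e.g. right after a change-controlled
    deployment) and store the result somewhere the attacker cannot rewrite.
    """
    return {name: digest(content) for name, content in files.items()}


def verify(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the current files against the baseline.

    Returns the names of files that were altered, removed or added since the
    baseline was taken. A clean system yields three empty lists.
    """
    altered = [n for n, h in baseline.items() if n in current and digest(current[n]) != h]
    removed = [n for n in baseline if n not in current]
    added = [n for n in current if n not in baseline]
    return {"altered": sorted(altered), "removed": sorted(removed), "added": sorted(added)}


# Constructed trusted snapshot of three configuration files.
TRUSTED = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}
BASELINE = build_baseline(TRUSTED)

# Constructed later snapshot: sshd hardening weakened, hosts file removed,
# and a cron job added.
TAMPERED = {
    "/etc/passwd": TRUSTED["/etc/passwd"],
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/cron.d/backdoor": b"* * * * * root /tmp/.x\n",
}

if __name__ == "__main__":
    print("clean   :", verify(BASELINE, TRUSTED))
    print("tampered:", verify(BASELINE, TAMPERED))
```

The hash only detects alteration if the baseline itself is trustworthy, which is why this control is paired with change control: the baseline is regenerated only through an approved change, and stored (or signed) where a compromise of the monitored host cannot silently update it.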

6
Q

What are example controls that enforce availability?

A

RAID, backups

7
Q

Definition of Vulnerability

A

A weakness in a system that allows a threat agent to compromise it

8
Q

Definition of Threat

A

The danger associated with a vulnerability being exploited

9
Q

Examples of a Threat Agent

A

Intruder, careless employee or bad policy

10
Q

Definition of Risk

A

The likelihood of a threat source exploiting a vulnerability, combined with the resulting business impact

11
Q

Definition of Exposure

A

An instance of being exposed to loss. Example: a weak password

12
Q

Definition of Control

A

Countermeasure to mitigate risk

13
Q

What are the three control types?

A

Administrative, Technical and Physical

14
Q

Examples of Administrative controls

A

Policies and other documents, training, and other management-related measures

15
Q

Examples of Technical controls

A

Firewall, encryption, IDS

16
Q

Example of physical control

A

Fences

17
Q

Definition of Defense-In-Depth

A

Coordinated use of several controls in a layered approach, so that the failure of any single control does not compromise the system

18
Q

Name the six control functions

A

Preventative, Detective, Corrective, Deterrent, Recovery and Compensating

19
Q

What does a Preventative control function do?

A

Intended to stop an incident from happening

20
Q

What does a detective control function do?

A

Identifies incident activity after or while it occurs

21
Q

What does a corrective control function do?

A

Fixes systems after an incident

22
Q

What does a deterrent control function do?

A

Discourages attackers

23
Q

What does a recovery control function do?

A

Brings environment back to operation

24
Q

What does a compensating control function do?

A

An alternative control used when the primary control cannot be implemented or is too costly

25
Definition of Security Through Obscurity
Relying on the secrecy of a design or implementation for its security; it assumes your enemies are not as smart as you are, which is a weak assumption
26
Definition of Methodology
A defined process to follow when building the security architecture
27
Definition of Strategic Alignment
Business drivers being met by security
28
Definition of Business enablement
Core business processes are integrated into security model
29
What does a system architect do?
Designs the structure of a software system
30
What does a enterprise architect do?
Designs the structure of the organization (its processes, information and technology)
31
What is computer assisted crime?
Computer used to carry out crime
32
What is computer targeted crime?
Computer was victim
33
What is computer incidental crime?
A computer happened to be involved in the crime; it was neither the tool nor the target
34
Definition of Advanced Persistent Threat
A very focused, motivated and well-resourced attacker that maintains long-term access to its target
35
Characteristics of Civil law system
Decides liability, not guilt; the remedy is financial compensation
36
Characteristics of criminal law
Innocent until proven guilty; punishment can include loss of freedom (imprisonment)
37
Characteristics of Customary Law Systems
Based on tradition; deals with personal conduct; punishment is typically a fine or community service
38
What is a mixed law system?
Usually a mix of civil and common law
39
Characteristics of Administrative law
Regulatory standards for performance and conduct
40
Characteristics of Trade Secret
Qualifies only if it gives the company a competitive edge; must have required skill, money or effort to develop; must be kept proprietary (confidential)
41
Examples of a Trade Secret
Algorithms, source code, recipe
42
Characteristics of Copyright
Protects the expression of an idea, not the idea itself
43
Examples of Copyright
Drawing, music
44
Examples of Trademark
Word, symbol, sound
45
Characteristics of Patent
Excludes others from making, using or selling the invention; lasts 20 years from filing
46
What do you call non practicing entities that do not use patent?
Patent troll
47
What is Freeware
Can be used and shared free of charge
48
What is Shareware
Released free for marketing purposes (try before you buy)
49
What is Personally Identifiable Information?
Data that can identify a single person
50
What is privacy?
The ability to control who has information about you
51
What is a Chief Privacy Officer?
Usually a lawyer; oversees how personal data is managed
52
Name three privacy problems
Data aggregation, loss of borders, convergent technologies
53
What is a generic approach regulation?
Stretches across industries rather than targeting one sector; also called horizontal enactment
54
Tip for Reasonable Expectation of Privacy?
Tell staff they are being monitored (in policy and at login) so they have no reasonable expectation of privacy on company systems
55
Definition of Threat?
Something that has the potential to cause harm
56
Quality of a safeguard?
It's proactive
57
Quality of a Countermeasure?
It's reactive
58
What is a Secondary Risk?
A risk that comes later as the result of another risk response
59
What is Residual Risk?
The risk left over after a risk response
60
What does the Delphi Technique do?
Get users to contribute to risk analysis anonymously
61
Quantitative Analysis - what does AV stand for?
Asset value, the dollar figure the asset is worth
62
Quantitative Analysis - what does EF stand for?
Exposure factor, the percentage of the asset's value expected to be lost in a single event
63
Quantitative Analysis - what does SLE stand for?
Single loss expectancy, the dollar cost of a single occurrence of the threat
64
Quantitative Analysis - what does ARO stand for?
Annual Rate of Occurrence. How often a threat is expected to materialize
65
Quantitative Analysis - what does ALE stand for?
Annual loss expectancy. Cost per year as a result of the threat
66
Quantitative Analysis - what does TCO stand for?
Total cost of ownership. Cost of implementing the safeguard
67
What is Asset Value (AV)?
The dollar figure the asset is worth
68
What is Exposure Factor (EF)?
The percentage of the asset's value expected to be lost in a single event
69
What is Single Loss Expectancy (SLE)?
The dollar cost of a single occurrence of the threat
70
What is Annual Rate of Occurrence (ARO)?
How often the threat is expected to materialize
71
What is Annual Loss Expectancy (ALE)?
Cost per year as a result of the threat
72
What is Total Cost of Ownership (TCO)?
Total cost of implementing a safeguard
73
Formula for Single Loss Expectancy (SLE)?
SLE (Single Loss Expectancy) = AV (Asset Value) * EF (Exposure Factor)
74
Formula for Annual Loss Expectancy (ALE)?
ALE (Annual Loss Expectancy) = SLE (Single Loss Expectancy) * ARO (Annual Rate of Occurrence)
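The two formulas are only useful when carried through to a decision: a safeguard is worth buying when the ALE it removes exceeds its annual cost (TCO). The script below is an added worked example for this deck, not part of the original cards; every dollar figure, exposure factor and ARO in it is a constructed illustration.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added worked example for the SLE/ALE cards above; not part of the original
flashcard deck. All asset values, exposure factors, AROs and safeguard costs
are constructed illustrative numbers.
"""
from dataclasses import dataclass
from typing import List, Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction (0.0 to 1.0) of the asset lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. An ARO of 0.1 means the threat is expected once in 10 years."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float            # annualised TCO of the control
    exposure_factor_after: float  # EF once the control is in place
    aro_after: float              # ARO once the control is in place


def safeguard_value(asset_value: float, ef_before: float, aro_before: float,
                    sg: Safeguard) -> float:
    """Value = ALE_before - ALE_after - annual cost of the safeguard.

    Positive means the control saves more than it costs per year; negative
    means accepting the risk is cheaper than mitigating it this way.
    """
    ale_before = annual_loss_expectancy(
        single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annual_loss_expectancy(
        single_loss_expectancy(asset_value, sg.exposure_factor_after), sg.aro_after)
    return ale_before - ale_after - sg.annual_cost


def best_safeguard(asset_value: float, ef_before: float, aro_before: float,
                   candidates: List[Safeguard]) -> Tuple[str, float]:
    """Pick the candidate with the highest value; 'accept' when none pays for itself."""
    best_name, best_value = "accept", 0.0
    for sg in candidates:
        value = safeguard_value(asset_value, ef_before, aro_before, sg)
        if value > best_value:
            best_name, best_value = sg.name, value
    return best_name, best_value


# Constructed scenario: a customer database worth $500,000; a ransomware
# event is expected to destroy 40% of its value about once every two years.
AV, EF, ARO = 500_000.0, 0.40, 0.5
CANDIDATES = [
    Safeguard("offline backups", annual_cost=20_000, exposure_factor_after=0.05, aro_after=0.5),
    Safeguard("EDR and patching", annual_cost=60_000, exposure_factor_after=0.40, aro_after=0.1),
    Safeguard("gold-plated appliance", annual_cost=150_000, exposure_factor_after=0.02, aro_after=0.05),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(AV, EF)
    ale = annual_loss_expectancy(sle, ARO)
    print(f"SLE = ${sle:,.0f}   ALE = ${ale:,.0f}")
    for sg in CANDIDATES:
        print(f"{sg.name:22s} value/yr = ${safeguard_value(AV, EF, ARO, sg):,.0f}")
    print("choose:", best_safeguard(AV, EF, ARO, CANDIDATES))
```

Note that a control can lower the EF (backups reduce how much is lost per event), the ARO (patching reduces how often the event happens), or both, and that the most effective control is not automatically the best choice once its TCO is subtracted.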
75
What are the five ways to respond to risk?
Reduce, Accept, Transfer, Avoidance, Rejection
76
What does Risk Reduction do?
Lessen the probability and/or impact of a risk
77
What is Risk Transference?
Shares the risk with someone else, e.g. insurance or an SLA. Lessens our portion of the loss but does not reduce its likelihood.
78
What is Risk Acceptance?
The logical choice when the cost of mitigation is greater than the potential loss
79
What is Risk Rejection?
Happens when we ignore the risk
80
What is Risk Avoidance?
Not going ahead with the activity that would expose us to the risk
81
What is Total Risk?
The risk that exists before any control is implemented
82
What is Governance?
Ensures that stakeholder needs and goals are understood and sets direction accordingly
83
What is Management?
Plans, builds, runs and monitors activities as directed by governance
84
COBIT and COSO buzzword
Goal oriented
85
OCTAVE buzzword
Self directed risk assessment
86
What does ISO 27002 do?
Practical advice for implementing security controls in an ISMS (Information Security Management System)
87
What does ISO 27001 do?
Specifies the requirements to establish, implement, maintain and continually improve an ISMS (Information Security Management System)
88
What does ISO 27004 do?
Provides metrics for measuring the success of an ISMS (Information Security Management System)
89
What does ISO 27799 do?
Guidelines on protecting personal health information
90
What does ISO 27005 do?
A standards-based approach to information security risk management
91
What standard replaced ISO 17799?
ISO 27002
92
Who is ultimately responsible for the security within an organization?
Senior management
93
What is Due Diligence?
Continuously monitoring an organization's practices to ensure they meet its security requirements
94
What is Due Care?
Ensuring that best practices are implemented and followed
95
What is the Prudent Man Rule?
Acting as responsibly and cautiously as a prudent person would in the same circumstances
96
What are the three characteristics of the Organization Security Policy?
A very high-level management statement; assigns responsibility; explains the drivers
97
What is a System Specific Policy?
A policy tailored to an individual system (printers, AD, etc.)
98
What is a Issue Specific Policy?
The company's stance on a particular issue, e.g. privacy or e-mail usage
99
What are Standards within Policies?
Mandatory; gives specifics on how to support the policy
100
What are Procedures?
Mandatory, Step by step instructions
101
What are Guidelines?
Not mandatory; suggestive in nature, giving recommended actions and guidance to users
102
What are Baselines?
Mandatory, minimum acceptable security configuration for a system or process
103
What is Disaster Recovery Planning (DRP)?
Handles the disaster and its ramifications right after it hits
104
What is Business Continuity Planning (BCP)?
Deals with the long-term effects of an outage, keeping the business running
105
What is Business Continuity Management (BCM)?
A holistic management process that covers both DRP and BCP
106
Who leads the BCP (Business Continuity Planning) team?
Business continuity coordinator
107
What is Maximum Tolerable Downtime (MTD)?
Classifications of how long each system can be down before the damage becomes unacceptable (critical, normal, nonessential, etc.)
108
What is performed before Business Continuity Planning (BCP)?
A business impact analysis (BIA)
109
What is Separation of Duties?
Ensures that no single individual can complete a critical task alone
110
What is Collusion?
Two or more people working together to commit fraud, defeating separation of duties
111
What is Split Knowledge?
No one person knows how to completely perform a task (e.g. launch codes)
112
What is Dual Control?
Two people must act together to perform an action, such as turning two keys at the same time
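The textbook implementation of split knowledge is to hand each custodian a key component such that only the XOR of all components yields the key, and reconstruction under dual control refuses to proceed unless every custodian is present. The script below is an added example for the Split Knowledge and Dual Control cards; it is not part of the original deck, and the 16-byte master key it splits is constructed for the demonstration.

```python
"""Split knowledge via XOR key components, reconstructed under dual control.

Added example for the Split Knowledge and Dual Control cards above; not part
of the original flashcard deck. MASTER_KEY is a constructed value (in
practice it would come from an HSM or a key ceremony).
"""
import secrets
from typing import List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("component length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """Split `key` into `custodians` components whose XOR equals the key.

    All but the last component are fresh random bytes; the last is chosen so
    that XOR-ing everything gives the key. Any proper subset of components is
    uniformly random, so a custodian holding one learns nothing about the key
    (the same argument as a one-time pad).
    """
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for comp in components:
        last = xor_bytes(last, comp)
    components.append(last)
    return components


def combine_key(components: List[bytes]) -> bytes:
    """Reconstruct the key. Every component is needed; with two custodians
    this is dual control, since neither can act alone."""
    if not components:
        raise ValueError("no components supplied")
    key = bytes(len(components[0]))
    for comp in components:
        key = xor_bytes(key, comp)
    return key


def key_ceremony(components: List[bytes], expected_custodians: int) -> bytes:
    """Enforce the dual-control rule before reconstructing: refuse unless
    every expected custodian has entered a component."""
    if len(components) != expected_custodians:
        raise PermissionError(
            f"{len(components)} of {expected_custodians} custodians present")
    return combine_key(components)


# Constructed master key, split among three custodians.
MASTER_KEY = bytes(range(16))
CUSTODIAN_COMPONENTS = split_key(MASTER_KEY, 3)

if __name__ == "__main__":
    for i, comp in enumerate(CUSTODIAN_COMPONENTS, 1):
        print(f"custodian {i} holds {comp.hex()}")  # each alone looks random
    print("recovered:", key_ceremony(CUSTODIAN_COMPONENTS, 3).hex())
```

Two of three components XOR-ed together are just another random string, which is the split-knowledge property; the ceremony check is the dual-control property. Collusion between all custodians defeats both, which is why rotation of duties and auditing of key ceremonies sit alongside them.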
113
What is Rotation of Duties?
No one person holds a position for too long, so fraud is harder to conceal
114
What is the Wassenaar Arrangement?
A multilateral export-control agreement covering conventional arms and dual-use technologies, including cryptography; it restricts exporting crypto to certain countries
115
What is cyber squatting?
Registering a domain name that somebody else would need in order to profit from it
116
What is HIPAA (Health Insurance Portability and Accountability Act)?
A US law that applies to healthcare; it governs the protection of health information
117
What is a Crisis Communication Plan?
How to communicate with staff and the public during a crisis
118
What is a Occupant Emergency Plan (OEP)?
Keeps people safe during an emergency (evacuation, shelter, etc.)
119
How often should a Disaster Recovery Plan be tested?
At least once a year
120
What is a Failover?
Switching to a redundant or standby system when the primary fails
121
What is a Failback?
Returning to the primary system after a failover
122
What is a Parallel test in DRP?
Recovery systems are brought up and run at the alternate site in parallel with production, which keeps running; more disruptive than a simulation but less risky than a full interruption
123
What is a Full Interruption Test?
The original site is shut down and operations move to the recovery site; the riskiest type of test
124
What is Recovery Point Objective (RPO)?
How current must my data be if restoring from a backup?
125
What is Maximum Tolerable Downtime (MTD)?
What is the longest that a system can be down?
126
What is Mean Time Between Failures (MTBF)?
The average expected operating time of hardware between failures, i.e. its lifespan
127
What is Minimum Operating Requirements (MOR)?
The minimum system specification needed to operate
128
What is the opposite of CIA?
Disclosure, Alteration and Destruction (DAD)
129
What does IAAA stand for?
Identification, Authentication, Authorization and Accountability
130
What is an example of Identification and Authentication?
Username (identification) and password (authentication)
131
What is an example of Authorization as it relates to IAAA?
Actions done on a system after Authentication such as read and write access
132
What is nonrepudiation?
A user cannot deny having performed a transaction
133
What is the difference between subjects and objects?
A subject is an active entity, e.g. a user or process; an object is a passive entity, e.g. a file
134
What are the three types of Financial Damages in legal terms?
Statutory, Compensatory and Punitive
135
What are Statutory Financial Damages?
Prescribed by law and awarded to the victim even if they have suffered no loss
136
What are Compensatory Financial Damages?
Provide the victim with a financial award to compensate for the loss
137
What are Punitive Financial Damages?
Punish the individual or organization to deter future misconduct
138
What is Attestation?
Having a third party audit a service provider and attest to its controls, so customers can judge whether it can be trusted
139
What is a Divestiture?
The opposite of an acquisition (where two companies become one): selling off or spinning out part of a company
140
Is a Policy mandatory or discretionary?
Mandatory
141
Is a Procedure mandatory or discretionary?
Mandatory
142
Is a Standard mandatory or discretionary?
Mandatory
143
Is a Guideline mandatory or discretionary?
Discretionary
144
Is a Baseline mandatory or discretionary?
Mandatory
145
What is offshoring?
Outsourcing to another country