Domain 1 - Security and Risk Management

Question 1

ITIL - Four Foundations

Answer 1

• Service
• Change
• Release
• Configuration

Question 2

ISO 27005

Answer 2

Risk management framework - The standard doesn’t specify, recommend or even name any specific risk management method. It does however imply a continual process consisting of a structured sequence of activities, some of which are iterative:

Establish the risk management context (e.g. the scope, compliance obligations, approaches/methods to be used and relevant policies and criteria such as the organization’s risk tolerance or appetite);
Quantitatively or qualitatively assess (i.e. identify, analyze and evaluate) relevant information risks, taking into account the information assets, threats, existing controls and vulnerabilities to determine the likelihood of incidents or incident scenarios, and the predicted business consequences if they were to occur, to determine a ‘level of risk’;
Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share [with third parties]) the risks appropriately, using those ‘levels of risk’ to prioritize them;
Keep stakeholders informed throughout the process; and
Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis, identifying and responding appropriately to significant changes.

Question 3

Copyright

Answer 3

Protects the expression of ideas but not necessarily the idea itself ex. Poem, song @70
years after author dies

Question 4

Trademarks

Answer 4

Words, names, product shape, symbol, color or a combination used to identify products
and distinguish them from competitor products (McDonald’s M) @10 years

Question 5

SOX Section 302

Answer 5

CEO’s and CFO’s can be sent to jail when information they sign is incorrect

Question 6

SOX Section 404

Answer 6

Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures.

The registered accounting firm shall, in the same report, attest to and report on the assessment on the effectiveness of the internal control structure and procedures for financial reporting.

Question 7

COSO Initiative

Answer 7

Framework to work with Sarbanes-Oxley 404. COSO is a voluntary private sector initiative dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, and fraud deterrence compliance

Question 8

COBIT

Answer 8

Examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and
reliability of high level control objectives. Having controls, GRC heavy auditing, metrics, regulated
industry.

Question 9

Incident

Answer 9

An event that has potential to do harm

Question 10

Breach

Answer 10

Incident that results in disclosure or potential disclosure of data

Question 11

Data Disclosure

Answer 11

Unauthorized acquisition of personal information

Question 12

Threat Event

Answer 12

Threat events are accidental and intentional exploitation of vulnerabilities

Question 13

GLBA

Answer 13

It is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information.

Question 14

1974 US Privacy Act

Answer 14

Protection of PII on federal databases

Question 15

1980 Organization for Economic Cooperation and Development (OECD)

Answer 15

Provides guidelines for datacollection, specifications, safeguards

Question 16

1986 (amended in 1996) US Computer Fraud and Abuse Act.

Answer 16

Trafficking in computer passwords or information that causes a loss of $1,000 or more or could impair medical treatment.

Question 17

1986 Electronic Communications Privacy Act

Answer 17

Prohibits eavesdropping or interception w/o distinguishing private/public data. Was enacted by the United States Congress to extend restrictions on government wire taps of telephone calls to include transmissions of electronic data by computer , added new provisions prohibiting access to stored electronic communications,

Question 18

1991 US Federal Sentencing Guidelines

Answer 18

Responsibility on senior management with fines up to $290 million. Invoke prudent man rule. Address both individuals and organizations.

Question 19

1996 US Economic and Protection of Propriety Information Act

Answer 19

Industrial and corporate espionage

Question 20

HITECH

Answer 20

Congress amended HIPAA by passing this Act. This law updated many of HIPAA’s privacy and
security requirements. One of the changes is a change in the way the law treats business associates
(BAs), organizations who handle PHI on behalf of a HIPAA covered entity. Any relationship between a
covered entity and a BA must be govern ed by a written contract known as a business associate
agreement (BAA). Under the new regulation, BAs are directly subject to HIPAA and HIPAA
enforcement actions in the same manner as a covered entity. HITECH also introduced new data breach
notification requirement.

Question 21

Separation of duties

Answer 21

Assigns parts of tasks to different individuals thus no single person has total control of the system’s security mechanisms; prevent collusion

Question 22

Least privilege -

Answer 22

A system’s user should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest time. Three types: Read only, Read/write and Access/change

Question 23

Two-man control

Answer 23

Two persons review and approve the work of each other, for very sensitive operations

Question 24

Dual Control

Answer 24

Two persons are needed to complete a task

Question 25

Rotation of duties

Answer 25

Limiting the amount of time a person is assigned to perform a security related task
before being moved to different task to prevent fraud; reduce collusion

Question 26

Mandatory vacations

Answer 26

Prevent fraud and allowing investigations, one week minimum; kill processes

Question 27

Threat

Answer 27

Damage

Question 28

Vulnerability

Answer 28

Weakness to threat vector (never does anything)

Question 29

Impact

Answer 29

Overall effects R

Question 30

Residual Risk

Answer 30

amount left over Organizations own

the risk Risk is determined as a byproduct of likelihood and impact

Question 31

Goal of Risk Management

Answer 31

Reduce risk to an acceptable level.

Question 32

Inherent Risk

Answer 32

Chance of making an error with no controls in place

Question 33

Control Risk

Answer 33

Chance that controls in place will prevent, detect or control errors

Question 34

Detection Risk

Answer 34

Chance that auditors won’t find an error

Question 35

Business Risk

Answer 35

Concerns about effects of unforeseen circumstances

Question 36

ANALYSIS Steps

Answer 36

Identify assets, identify threats, and calculate risk.

Question 37

Four major steps in Risk assessment

Answer 37

Prepare, Perform, Communicate, Maintain

Question 38

Loss=

Answer 38

probability * cost

Question 39

Residual risk

Answer 39

Where cost of applying extra countermeasures is more than the estimated loss resulting
from a threat or vulnerability (C > L).

Question 40

Controls gap

Answer 40

Is the amount of risk that is reduced by implementing safeguards. A formula for residual risk is as follows: total risk – controls gap = residual risk

Question 41

Risk Avoidance

Answer 41

Discontinue activity because you don’t want to accept risk

Question 42

Risk Transfer

Answer 42

Passing on the risk to another entity

Question 43

Risk Mitigation

Answer 43

Elimination or decrease in level of risk

Question 44

Risk Acceptance

Answer 44

Live with it and pay the cost

Question 45

Administrative/Managerial Policy Controls

Answer 45

• Preventive: hiring policies, screening security awareness (also called soft-measures!)
• Detective: screening behavior, job rotation, review of audit records

Question 46

Technical (aka Logical) - Preventive

Answer 46

Protocols, encryption, biometrics smartcards, routers, firewalls

Question 47

Technical (aka Logical) -Detective

Answer 47

IDS and automatic generated violation reports, audit logs, CCTV(never preventative)

Question 48

Physical Controls

Answer 48

Fences, door, lock, windows etc

Question 49

Types of Controls

Answer 49

Administrative, Physical, Technical (Logical)

Question 50

Deming Cycle

Answer 50

Plan – ID opportunity & plan for change Do – implement change on small scale Check – use data to
analyze results of change Act – if change successful, implement wider scale, if fails begin cycle again

Question 51

Open source License

Answer 51

Source code made available with a license in which the copyright holder provides the
rights to study, change, and distribute the software to anyone

Question 52

Freeware

Answer 52

Proprietary software that is available for use at no monetary cost. May be used without
payment but may usually not be modified, re-distributed or reverse-engineered without the author’s
permission

Question 53

Assurance

Answer 53

Degree of confidence in satisfaction of security requirements. OUTSIDE AUDIT

Question 54

Data Diddling

Answer 54

Act of modifying information, programs, or documents to commit fraud, tampers with INPUT data

Question 55

Water holing

Answer 55

Create a bunch of websites with similar names

Question 56

Work Function (factor):

Answer 56

The difficulty of obtaining the clear text from the cipher text as measured by cost/time

Question 57

Fair Cryptosystems

Answer 57

In this escrow approach, the secret keys used in a communication are divided
into two or more pieces, each of which is given to an independent third party. When the government
obtains legal authority to access a particular key, it provides evidence of the court order to each of the
third parties and then reassembles the secret key.

Question 58

FISMA (federal agencies) - Phase 1

Answer 58

Categorizing, selecting minimum controls, assessment

Question 59

FISMA (federal agencies) - Phase 2

Answer 59

Create national network of secures services to assess