Domain 1 - Security and Risk Management

Question 1

Administrative, Physical, and Technical controls

Answer 1

Three categories of access controls

Question 2

Technical Control

Answer 2

Protects access to systems, network architecture, control zones, auditing, and encryption and protocols (Access Control categories). AC category that restricts access.

Question 3

Administrative Control

Answer 3

Dictates how security policies are implemented to fulfill the company’s security goals. Includes policies, procedures, personnel controls, supervisory structure, security training, and testing. Includes policies and procedures, personnel controls, supervisory structure, security training, and testing (Access Control category).

Question 4

Physical Control

Answer 4

Access control category that includes badges, locks, guards, network segregation, perimeter security, computer controls, work area separation, backups, and cabling; used to secure physical access to an object, such as a building, a room, or a computer (access control category).

Question 5

Preventive control

Answer 5

Prevents security breaches and avoids risks.

Question 6

Detective control

Answer 6

Looks for security breaches as they occur.

Question 7

Corrective control

Answer 7

Restores control and attempts to recover from any damage that was inflicted during a security breach.

Question 8

Deterrent control

Answer 8

Stops potential violations.

Question 9

Recovery control

Answer 9

Restores resources.

Question 10

Compensative control

Answer 10

Provides an alternative control if another control may be too expensive. All controls are generally considered this type of control.

Question 11

Directive controls

Answer 11

Provides mandatory controls based on regulations or environmental requirements.

Question 12

Recovery-Technical control

Answer 12

Restores system capabilities and covers data backups.

Question 13

Detective-Technical control

Answer 13

Detects when a security breach occurs; covers audit logs and intrusion detection systems (IDS).

Question 14

Corrective-Technical control

Answer 14

Corrects any issue that arises because of security breaches; Antivirus software and server images are included in this category.

Question 15

Compensative-Technical control

Answer 15

Considered an alternative to other controls (example, server isolation).

Question 16

Preventative-Technical control

Answer 16

A router plus encryption used to improve network security.

Question 17

Deterrent, Preventive, Detective, Compensative, Corrective, Recovery, and Directive.

Answer 17

Access control types (types, not categories).

Question 18

Preventative control measures

Answer 18

Security awareness training, Firewalls, Anti-virus, security guards, and IPS.

Question 19

Detective control measures

Answer 19

System monitoring, IDS, Anti-Virus, motion detector, IPS.

Question 20

Corrective control measures

Answer 20

OS upgrade, backup data rostral, Anti-virus, vulnerability mitigation.

Question 21

Compensatory control measures

Answer 21

Backup generator, hot site, server isolation.

Question 22

To prevent the threat from coming into contact with the weakness.

Answer 22

Purpose for Preventative controls.

Question 23

To identify that a threat has landed in a system.

Answer 23

Purpose for Detective controls.

Question 24

To mitigate or lesson the effects of the threat that has manifested.

Answer 24

Purpose for Corrective controls.

Question 25

ISO/IEC 27000

Answer 25

ISO/IEC standard on developing and maintaining information security management systems (ISMS).

Question 26

Zachman Framework

Answer 26

An enterprise schema with two dimensional classification: six questions and six views intersecting in a matrix (what, how, where, who, when, why + planner, owner, designer, builder, programmer, users). This framework is NOT security orientated; it is used to relay information for personnel in a common language that is helpful to different groups in understanding each group’s responsibilities.

Question 27

TOGAF (The Open Group Architecture Framework)

Answer 27

An enterprise framework that helps organizations design, plan, implement, and govern enterprise information architecture. Its four domains are technology, applications, data, and, business.

Question 28

DoDAF (Department of Defense Architecture Framework)

Answer 28

Architect framework with 8 viewpoints used to ensure DoD technologies integrate correctly with current infrastructures.

Question 29

All Viewpoint (AV); Capability Viewpoint (CV); Data and Information Viewpoint (DIV); Operation Viewpoint (OV); Project Viewpoint (PV); Services Viewpoint (SvcV); Standards Viewpoint (STDV); and Systems Viewpoint (SV).

Answer 29

The eight views of the DoDAF

Question 30

MODAF (British Ministry of Defense Architecture Framework)

Answer 30

An Architecture Framework which divides information into seven views points.

Question 31

SABSA (Sherwood Applied Business Security Architecture)

Answer 31

An enterprise security architecture, which asks six communication questions that intersect with six layers; it is a a risk-driven architecture. The six layers of questions include: What, Where, When, Why, Who, and How. These question layers intersect with six additional layers: Operational, Component, Physical, Logical, Conceptual, and Contextual.

Question 32

CobiT (Control Objectives for Information and Related Technology)

Answer 32

A security controls development framework documenting five principles, which drive control objectives of seven enablers: Meeting stakeholder needs; Steering the enterprise end-to-end; Applying a single integrated framework; Enabling a holistic approach; Separating and governance from management. The seven enablers include: Principles; Policies, and frameworks; Processes; Organizational structures; Culture, ethics, and behaviors; Information; Services, infrastructure, and applications; and People, skills, and competencies.

Question 33

Meeting stakeholder needs; Steering the enterprise end-to-end; Applying a single integrated framework; Enabling a holistic approach; Separating and governance from management.

Answer 33

Five principles of CobiT

Question 34

Principles, Policies, and frameworks; Processes; Organizational structures; Culture, ethics, and behaviors; Information; Services, infrastructure, and applications; and People, skills, and competencies.

Answer 34

Seven enablers of Cobit

Question 35

Downstream Liabilities

Answer 35

When you outsource a system - you can outsource responsibility but you cannot outsource accountability

Question 36

What is Due Care?

Answer 36

Setting and enforcing policy to bring organisation into compliance.

Question 37

What does IAAA stand for?

Answer 37

Identification, Authentication, Authorization, Accountability

Question 38

What is the difference between Authentication and Authorization?

Answer 38

Authentication is using your password to access a file which you have permissions (Authorization) to access.

Question 39

What is a control?

Answer 39

A control or countermeasure is put into place to mitigate (reduce) the potential risk. It’s PREVENTATIVE.

Question 40

What is Strategic Alignment?

Answer 40

Strategic Alignment means that business drivers and the regulatory and legal requirements are being met by the security enterprise architecture.

Question 41

What does Security Effectivenes deal with?

Answer 41

Security Effectiveness deals with metrics, SLA requirements, achieving ROI, meeting set baselines etc.

Question 42

What is a Computer Assisted Crime?

Answer 42

Computer Assisted Crime is where a computer was used as a tool to help carry out a crime.

Question 43

What is a Computer Targetted Crime?

Answer 43

A Computer Targetted Crime occurs when a computer is the victim of an attack crafted to harm it and its owners specifically.

Question 44

What is a Computer Incidential Crime?

Answer 44

Where a computer happens to have been part of the crime, but did not assist the criminal and was not the victim.

Question 45

In GDPR, who is the Data Subject?

Answer 45

The Individual to whom the data pertains

Question 46

In GDPR, what is the Data Controller?

Answer 46

Any organization that collects data on EU residents

Question 47

In GDPR, what is the Data Processor?

Answer 47

Any organization that processes datra for a data controller

Question 48

What is the Concent provision for GDPR?

Answer 48

Data Collectors and Data Processors cannot use personal data without explicit consent of the data subjects

Question 49

What is the Right to be Informed provision for GDPR?

Answer 49

Data Controllers and Data Processors must inform data subjects about how their data is, will, or could be used.

Question 50

What is the Right to Restrict Processing provision for GDPR?

Answer 50

Data Subjects can agree to have their data stored by a collector but disallow it to be processed.

Question 51

What is Right to Be Forgotten provision for in GDPR?

Answer 51

Data Subjects can request that their personal data be permanently deleted.

Question 52

What is the Data Breaches provision for in GDPR?

Answer 52

Data Controllers must report a data breach within 72 hours of becoming aware of it.

Question 53

What is a Trade Secret?

Answer 53

A Trade Secret is something that is proprietary to a company and important for it’s survival and profitability.

Question 54

What is a Copyright?

Answer 54

Copyright Law protects the right of the creator of an original work to control the public distribution, reproduction, display and adaptation of that original work.

Question 55

What is a Trademark?

Answer 55

A Trademark is slightly different from a copyright in that it is used to protect a word, name, symbol, sound, shape, color etc.

Question 56

What is a Patent?

Answer 56

Patents are given to individuals or companies to grant them legal ownership of, and enable them to exclude others from using or copying, the invention covered by the patent.

Question 57

What is the strongest form of intellectual property protection?

Answer 57

A patent

Question 58

What is an Issue-spesific policy?

Answer 58

Also called a functional policy, addresses spesific security issues that management feel need more detailed explanation and attention.

Question 59

What is a System-Spesific Policy?

Answer 59

Spesific to the actual computers, networks, applications.

Question 60

What types of Policies are there?

Answer 60

Regulatory, Advisory, Informative

Question 61

What is a Standard?

Answer 61

Standard refer to mandatory activities, actions or rules. Standards can give a policy its support and reinforcement in direction.

Question 62

What is a Procedure?

Answer 62

Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.

Question 63

What can declare a Disaster and Emergency?

Answer 63

Anyone can declare an emergency, only the BCP coordinator can decalre a disaster. (Anyone can pull the fire alarm or trigger an emergency alarm. Only the BCP coordinator or someone specified in the BCP can declare disaster which will then trigger failover to another facility).

Question 64

Regulatory, Advisory, Informative are examples of

Answer 64

Policies

Question 65

MTD/MTO: Maximum Tolerable Downtime/Outage

Answer 65

Longest time the function can be inoperable because causing a loss to senior management that is unacceptable

Question 66

RTO Recovery Time Objective

Answer 66

This is the amount of time in a which you can easily recover the function in the even of a disruption (must be less than MTD)

Question 67

RPO Recovery Point Objective

Answer 67

Tolerance for Data Loss

Question 68

What is the different between Business Impact Assessment and Risk Assessment?

Answer 68

Business Impact Assessment is focused on assets and how important they are to the business where as Risk Management is the same but includes vulnerabilities and likelihood.

Question 69

How do you calculate Total Risk?

Answer 69

Asset Value * Probability * Impact = Total Risk

Question 70

How do you calculate Residual Risk?

Answer 70

Total Risk * Controls Gap = Residual Risk

Question 71

What is a Checklist Test?

Answer 71

Copies of plan distributed to different departments. No disruption to the business.

Question 72

What is a Structured Walk-Through (Table Top) Test?

Answer 72

Representatives from each department go over the plan. Still paper based.

Question 73

What is a Simulation Test?

Answer 73

Going through the disaster scenario. Still does not distrupt business.

Question 74

What is a Parallel Test?

Answer 74

Systems moved to alternative site, and processing takes place there. This involves risk.

Question 75

What is a Full-Interruption Test?

Answer 75

Original Site shut down and all processing moved to offsite facility.

Question 76

What is Layering?

Answer 76

Layering (also known as Defense in Depth), is simply the use of multiple controls in a series.

Question 77

What is Abstraction?

Answer 77

Abstraction is used for efficiency. Simular elements are put into groups, classes or roles that are assigned security controls, restrictions, or permissions as a collective.

Question 78

What is Data Hiding?

Answer 78

Data Hiding is exactly what it sounds like: preventing data from being discovered or accessed by a subject positioning the data in a logical storage compartment that is not accessible or seen by the subject.

Question 79

What is Security Governance?

Answer 79

Security Governance is the collection of practices related to supporting, defining, and directing the security efforts of an organisation.

Question 80

What is a Business Case?

Answer 80

A business case is usually a documented argument or stated position in order to define a need to make a decision or take some form of action.

Question 81

What is a Strategic Plan (as opposed to Tactical and Operational)?

Answer 81

A strategic plan is a long term plan that is fairly stable.

Question 82

What is a Tactical Plan (as oppsed to Strategic or Operational)?

Answer 82

The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based upon unpredicted events.

Question 83

What is a Operational Plan (as opposed to Strategic or Tactical)?

Answer 83

An Operational Plan is a short-term, highly detailed plan based on the strategic and tactical plans.

Question 84

What is the goal of Change Management?

Answer 84

The goal of change management is to ensure that any change does not lead to reduced to compromised security.

Question 85

Who reviews and approves Changes?

Answer 85

The Change Advisory Board (CAB).

Question 86

What does the Change Advisory Board do?

Answer 86

Review and Approve changes

Question 87

What is Data Classification?

Answer 87

Data Classification, or categorization, is the primary means by which data is protected based on its need for security, sensitivity, or confidentiality.

Question 88

What are the levels of government/military classification?

Answer 88

Top Secret, Secret, Confidential, Sensitive but unclassified, Unclassified. TO REMEMBER: US CAN STOP TERRORISM

Question 89

What data is Sensitive but Unclassified?

Answer 89

Sensitive but Unclassified (SBU) is used for data that is for internal use or for office use only.

Question 90

What are the levels of data classification for the private sector?

Answer 90

Confidential, Private, Sensitive, Public

Question 91

What is the difference between confidential and private data?

Answer 91

Confidential Data is company data and Private Data relates to individuals.

Question 92

What is the Data Owners responsibilities?

Answer 92

The Data Owner role is assigned to the person who is responsible for classifying information for placement and protection within the security solution.

Question 93

What is the Data Custodians responsibilites?

Answer 93

Data Custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.

Question 94

What is STRIDE?

Answer 94

A threat model designed by Microsoft which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.

Question 95

What is PASTA?

Answer 95

Process for Attack Simulation and Threat Analysis (PASTA) is a seven step threat model

Question 96

What are the steps of PASTA?

Answer 96

1) Definition of Objectives 2) Definitions of Technical Scope 3) Application Decomposition and Analysis 4) Threat Analysis 5) Weakness and Vulnerability Analysis 6) Attack Modeling and Simulation 7) Risk Analyusis and Management

Question 97

What is Reduction Analysis?

Answer 97

Reduction Analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product as well as its interaction with external elements.

Question 98

What are the five key concepts of Reduction Analysis which must be considered?

Answer 98

Trust Boundaries, Data Flow Paths, Input Points, Privilege Operations, Details about Security Stance and Approac.

Question 99

In the decomposition process, what is Trust Boundaries?

Answer 99

Trust Boundaries are any location where the level of trust or security changes.

Question 100

In the decomposition process, what is Data Flow Paths?

Answer 100

Data Flow Paths is the movement of data between locations

Question 101

In the decomposition process, what is Input Points?

Answer 101

Input points are locations where external input is received

Question 102

In the decomposition process, what is Privileged Operations?

Answer 102

Privileged Operations are any activity that requires greater privileges than that of a standard user.

Question 103

What is DREAD used for?

Answer 103

Prioritization and Response

Question 104

What are the considerations of DREAD?

Answer 104

Damage Potential, Reproducibility, Exploitability, Affected Users and Discoverability

Question 105

What is Seperation of Duties?

Answer 105

Separation of Duties is the security concept in which critical, significant and sensitive work tasks are divided among several individual administrators or high level operators. Prevents one person from having too much control.

Question 106

What is Onboarding?

Answer 106

Onboarding is the process of adding new employees to the identity and access management (IAM) system of an organization.

Question 107

What is a Vulnerability?

Answer 107

A vulnerability is the weakness in an asset or the absence or the weakness of a safeguard or countermeasure is a vulnerability.

Question 108

What is Exposure?

Answer 108

Exposure is being susceptible to asset loss because of a threat, there is the possibility that a vulnerability can or will be exploited by a threat agent or event.

Question 109

How is Risk calculated?

Answer 109

Risk = Threat * Vulnerability

Question 110

What are the six major elements of Quantitative Risk Analysis?

Answer 110

Assign Asset Valuation (AV)
Calculate Exposure Factor (EF)
Calculate the Single Loss Expectancy (SLE)
Assess Rate of Occurrence (ARO)
Assess Annualized Loss Expectancy (ALE)
Perform Cost/Benifit analysis of Countermeasures

Question 111

What is Asset Valuation (AV)?

Answer 111

The monatory value of an asset

Question 112

What is Exposure Factor (EF)?

Answer 112

The exposure factor (EF) represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.

Question 113

What is the Annualized Loss Expectancy (ALE)?

Answer 113

Possible yearly cost of all instances of a specific realized threat against a specific asset.

Question 114

How is Annualized Loss Expectancy (ALE) calculated?

Answer 114

ALE = SLE * ARO. ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO).

Question 115

What does a Safeguard reduce?

Answer 115

To reduce ARO

Question 116

How is Single Loss Expectancy (SLE) calculated?

Answer 116

SLE = AV * EF. SLE = Asset Value (AV) * Exposure Factor (EF).

Question 117

How do you calculate the value of a safeguard?

Answer 117

(ALE1 - ALE2) - ACS (Annual Cost of Safegaurd)

Question 118

What is the Delphi Technique?

Answer 118

The Delphi Technique is simply an anonymous feedback and response process used to enable a group to reach an anonymous consensus.

Question 119

In what situation is the Delphi Technique used?

Answer 119

In Qualitative Risk Analysis

Question 120

What is Risk Assignment?

Answer 120

Assigning or transferring risk is placement of the cost of a loss that a risk represents to a third party. For example, Insurance.

Question 121

What is Risk Deterrence?

Answer 121

Risk Deterrence is the process of implementing deterrents to would-be-violators of security and policy.

Question 122

What is Risk Avoidance?

Answer 122

Risk Avoidance is the process of selecting alternate options or activities that have less associated risk than the default.

Question 123

What is Risk Rejection?

Answer 123

A final but unacceptable possibile response to risk is to reject risk or ignore risk.

Question 124

How is Total Risk calculated?

Answer 124

Threats * Vulnerabilities * Asset Value = Total Risk

Question 125

How is Residual Risk calculated?

Answer 125

Total Risk - Control Gaps = Residual Risk

Question 126

What are the Six Steps of the NIST RMF (Risk Management Framework)? **

Answer 126

Step 1) CATEGORIZE Information Systems
Step 2) SELECT Security Controls
Step 3) IMPLEMENT Security Controls
Step 4) ASSESS Security Controls
Step 5) AUTHORIZE Information Systems
Step 6) MONITOR Security Controls

Question 127

Once a Business Continuity Planning (BCP) team is selected, what is their first responsibility?

Answer 127

To perform an analysis of the business organization to identify all departments and individuals who have a stake in the BCP process.

Question 128

What does MTD stand for?

Answer 128

Maximum torable downtime

Question 129

What does Maximum Tolerable Downtime (MTD) mean?

Answer 129

Also known as the MTO Maximum Tolerable Outage. This is the maximum time that a business function can be inoperable before causing irreparable harm.

Question 130

What does RTO stand for?

Answer 130

Recovery Time Objective (RTO)

Question 131

What does Recovery Time Objective (RTO) mean?

Answer 131

This is the amount of time that you think you can feasibly recover the function in the event of a disruption

Question 132

What is the Computer Fraud and Abuse Act (CFAA)?

Answer 132

CFAA was carefully written in 1984 to exclusively cover computer crimes that crossed state boundaries to avoid infringing on states rights and reading on thin constitutional ice. This covers any computer exclusively used by US government or financial institutions.

Question 133

What law woudl you use If you want to protect the Intellectual Property of source code?

Answer 133

Copyright, while you can protect the source code you cannot protect the idea.

Question 134

How long is a patent valid for?

Answer 134

20 years

Question 135

What is a Contractual License Agreement?

Answer 135

A written contract between software vendor and the customer

Question 136

What is Shrink-Wrap license agreements?

Answer 136

Shrink-Wrap license agreements are written on the outside of the software packaging. You accept the agreement by opening the packaging.

Question 137

What is Click-Throuh license agreements?

Answer 137

A license agreement which you accept if you click next

Question 138

What are Cloud Service license agreements?

Answer 138

This simply flashes legal terms on the screen for review

Question 139

Who does the Privacy Act of 1974 apply to?

Answer 139

Government Agencies only

Question 140

What agreement is in place in the USA to comply with GDPR?

Answer 140

Privacy Shield