Domain 1: Security and Risk Management Flashcards

Question 1

Q

What is type 1 authentication?

Answer

A

Something you know (passwords, pass phrase, PIN etc.).

Question 2

Q

What is type 2 authentication?

Answer

A

Something you have (ID, passport, smart card, token, cookie on PC etc.).

Question 3

Q

What is type 3 authentication?

Answer

A

Something you are (and Biometrics) (Fingerprint, iris scan, facial geometry etc.).

Question 4

Q

What is type 4 authentication?

Answer

A

Somewhere you are (IP/MAC Address).

Question 5

Q

What is type 5 authentication?

Answer

A

Something you do (Signature, pattern unlock).

Question 6

Q

How does top down security management differ from bottom up security management?

Answer

A

Bottom-Up: IT Security is seen as a nuisance and not a helper, often change when breaches happen.
Top-Down: IT leadership is on board with IT Security, they lead and set the direction. (The exam).

Question 7

Q

What is OCTAVE?

Answer

A

OCTAVE® - Operationally Critical Threat, Asset, and Vulnerability Evaluation. Self Directed Risk Management.

Question 8

Q

What is COBIT?

Answer

A

COBIT - Control Objectives for Information and related Technology. COBIT is a control framework for employing information security governance best practices within an organization. Goals for IT – Stakeholder needs are mapped down to IT related goals.

Question 9

Q

What is COSO?

Answer

A

COSO – Committee Of Sponsoring Organizations. Goals for the entire organization.

Question 10

Q

What is FRAP?

Answer

A

FRAP - Facilitated Risk Analysis Process. Analyses one business unit, application or system at a time in a roundtable brainstorm with internal employees. Impact analyzed, threats and risks prioritized.

Question 11

Q

What is the purpose of ISO 27001?

Answer

A

ISO 27001: Establish, implement, control and improve the ISMS. Uses PDCA (Plan, Do, Check, Act)

Question 12

Q

What is the purpose of ISO 27002?

Answer

A

ISO 27002: (Formerly ISO 17799) Provides practical advice on how to implement security controls. It has 10 domains it uses for ISMS.

Question 13

Q

What is the purpose of ISO 27004?

Answer

A

ISO 27004: Provides metrics for measuring the success of your ISMS.

Question 14

Q

What does ISO 27005 contain?

Answer

A

ISO 27005: Standards-based approach to risk management.

Question 15

Q

What does ISO 27799 contain?

Answer

A

ISO 27799: Directives on how to protect PHI (Protected Health Information)

Question 16

Q

What are the four types of evidence?

Answer

A

Real Evidence, Direct Evidence, and Circumstantial Evidence, Corroborative Evidence

Question 17

Q

What is real evidence?

Answer

A

Real Evidence: Tangible and physical objects in IT Security: Hard disks, USB drives – NOT the data on them.

Question 18

Q

What is direct evidence?

Answer

A

Direct Evidence: Testimony from a firsthand witness, what they experienced with their 5 senses.

Question 19

Q

What is circumstantial evidence?

Answer

A

Circumstantial Evidence: Evidence to support circumstances for a point or other evidence.

Question 20

Q

What is corroborative evidence?

Answer

A

Corroborative Evidence: Supports facts or elements of the case: not a fact on its own, but support other facts.

Question 21

Q

What is hearsay?

Answer

A

Hearsay: Not first-hand knowledge – normally inadmissible in a case

Question 22

Q

What does the fourth amendment protect against?

Answer

A

The Fourth Amendment to the United States Constitution protects citizens from unreasonable search and seizure by the government

Question 23

Q

When do exigent circumstances apply? Who decides this?

Answer

A

Exigent circumstances apply if there is an immediate threat to human life or of evidence destruction. This will later be decided by a court if it was justified. Only applies to law enforcement and those operating under the “color of law” – Title 18. U.S.C. Section 242 – Deprivation of Rights Under the Color of Law.

Question 24

Q

What is entrapment?

Answer

A

Entrapment (Illegal and unethical): When someone is persuaded to commit a crime they had no intention of committing and is then charged with it.

Question 25

Q

What is enticement?

Answer

A

Enticement (Legal and ethical): Making committing a crime more enticing, but the person has already broken the law or at least has decided to do so.

Question 26

Q

What is the GPDR?

Answer

A

GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It does not matter where we are based, if we have customers in EU/EEA we have to adhere to the GDPR.

Question 27

Q

What is required for personal data to be processed under the GPDR?

Answer

A

Unless a data subject has provided informed consent to data processing for one or more purposes, personal data may not be processed unless there is at least one legal basis to do so.

Question 28

Q

What is right to access under the GPDR?

Answer

A

Right to access: Data controllers must be able to provide a free copy of an individual’s data if requested.

Question 29

Q

What is right to erasure under the GPDR?

Answer

A

Right to erasure: All users have a ‘right to be forgotten’.

Question 30

Q

What is data portability under the GPDR?

Answer

A

Data portability: All users will be able to request access to their data ‘in an electronic format’.

Question 31

Q

What is the data breach notification requirement under the GPDR?

Answer

A

Data breach notification: Users and data controllers must be notified of data breaches within 72 hours.

Question 32

Q

What is privacy by design under the GPDR?

Answer

A

Privacy by design: When designing data processes, care must be taken to ensure personal data is secure. Companies must ensure that data collection is only ‘absolutely necessary for the completion of duties’.

Question 33

Q

What are the 3 rules of HIPAA? What 3 safeguards do they mandate?

Answer

A

HIPAA has 3 rules – Privacy rule, Security rule and Breach Notification rule.
The rules mandate Administrative, Physical and Technical safeguards.

Question 34

Q

What is the purpose of the ECPA?

Answer

A

Electronic Communications Privacy Act (ECPA): Protection of electronic communications against warrantless wiretapping. The Act was weakened by the Patriot Act.

Question 35

Q

What is the purpose of the Patriot Act?

Answer

A

PATRIOT Act of 2001. : Expands law enforcement electronic monitoring capabilities. Allows search and seizure without immediate disclosure.

Question 36

Q

What is the CFAA?

Answer

A

Computer Fraud and Abuse Act (CFAA) – Title 18 Section 1030. Most commonly used law to prosecute computer crimes.

Question 37

Q

Who does the GLBA apply to? Who drives it?

Answer

A

Gramm-Leach-Bliley Act (GLBA): Applies to financial institutions; driven by the Federal Financial Institutions

Question 38

Q

What are the requirements of the EU Data Protection Directive? (4 points)

Answer

A

EU Data Protection Directive Very aggressive pro-privacy law.

Organizations must notify individuals of how their data is gathered and used.
Organizations must allow for opt-out for sharing with 3rd parties.
Opt-in is required for sharing “most” sensitive data.
No transmission out of EU unless the receiving country is perceived to have adequate (equal) privacy protections; the US does NOT meet this standard. EU-US Safe Harbor, optional between organization and EU

Question 39

Q

What is the ISC2 code of ethics preamble?

Answer

A

Code of Ethics Preamble:
The safety and welfare of society and the common good, duty to our principles, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this code is a condition of certification.

Question 40

Q

What are the ISC2 code of ethics canons?

Answer

A

Code of Ethics Canons:

Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principles.
Advance and protect the profession.

Question 41

Q

What are the 5 components of information security governance?

Answer

A

Information Security Governance:

Policies – High level, non-specific
Standards – Describes specific use of a technology
Guidelines – Recommendatins
Procedures – Specific step by step guides
Baselines (Benchmarks) - Minimum requirements.

Question 42

Q

What are policies within information security governance?

Answer

A

Policies

High level management directives, non-specific.
They can contain “Patches, updates, strong encryption”
They will not be specific to “OS, encryption type, vendor Technology”

Question 43

Q

What are standards within information security governance?

Answer

A

Standards

-Describes a specific use of technology (All laptops are W10, 64bit, 8gig memory … )

Question 44

Q

What are guidelines within information security governance?

Answer

A

Guidelines

Recommendations, discretionary
Suggestions on how you would to do it.

Question 45

Q

What are procedures within information security governance?

Answer

A

Procedures

Low level step-by-step guides, specific.
They will contain “OS, encryption type, vendor Technology”

Question 46

Q

What are baselines within information security governance?

Answer

A

Baselines (Benchmarks)

Baselines are uniform ways of implementing a standard. Serves as a minimum requirement.

Question 47

Q

What are the 7 access control types?

Answer

A

Access Control Defensive Types:

Preventive: Prevents an action from occurring
Detective: Controls that Detect during or after an attack – IDS, CCTV, alarms, antivirus.
Corrective: Controls that Correct an attack – Anti-virus, patches, IPS.
Recovery: Controls that help us Recover after an attack – DR Environment,backups, HA Environments .
Deterrent: Controls that Deter an attack – Fences, security guards, dogs, lights, Beware of the dog signs.
Compensating: Controls that Compensate – other controls that are impossible or too costly to implement.
Directive: directs, confines, or controls the actions of subjects to force or encourage compliance with security policy

Question 48

Q

What are the 5 types of risk responses?

Answer

A

Types of risk responses:

Accept the Risk – We know the risk is there, but the mitigation is more costly than the
cost of the risk (Low risks). We ensure we have a paper trail and this was a calculated decision.
Mitigate the Risk (Reduction) – The laptop encryption/wipe is an example – acceptable level (Leftover risk = Residual).
Transfer the Risk – The insurance risk approach – We could get flooding insurance for the data center, the flooding will still happen, we will still lose 15% of the infrastructure, but we are insured for cost.
Risk Avoidance – We don’t issue employees laptops (if possible) or we build the data center in an area that doesn’t flood. (Most often done before launching new projects – this could be the data center build).
Risk Rejection – You know the risk is there, but you are ignoring it. This is never acceptable. (You are liable).

Question 49

Q

What is NIST 800-30?

Answer

A

NIST 800-30 - United States National Institute of Standards and Technology Special Publication. A 9-step process for Risk Management.

Question 50

Q

What are the 9 steps in the risk management process within NIST 800-30?

Answer

A

NIST 800-30 - United States National Institute of Standards and Technology Special Publication. A 9-step process for Risk Management.

System Characterization (Risk Management scope, boundaries, system and data sensitivity).
Threat Identification (What are the threats to our systems?).
Vulnerability Identification (What are the vulnerabilities of our systems
Control Analysis (Analysis of the current and planned safeguards, controls and mitigations).
Likelihood Determination (Qualitative – How likely is it to happen)?
Impact Analysis (Qualitative – How bad is it if it happens? Loss of CIA).
Risk Determination (Look at 5-6 and determine Risk and Associate Risk Levels).
Control Recommendations (What can we do to Mitigate, Transfer, … the risk).
Results Documentation (Documentation with all the facts and recommendations).

Question 51

Q

What is confidentiality?

Answer

A

Confidentiality seeks to prevent the unauthorized disclosure of information; it keeps data secret

Question 52

Q

What is integrity?

Answer

A

Integrity seeks to prevent unauthorized modification of information

Question 53

Q

What is availability?

Answer

A

Availability ensures that information is available when needed

Question 54

Q

What is authentication?

Answer

A

Proving an identity claim is called authentication

Question 55

Q

What is authorization?

Answer

A

Authorization describes the actions you can perform on a system once you have been identified and authenticated

Question 56

Q

What is accountability?

Answer

A

Accountability holds users accountable for their actions. This is typically done by logging and analyzing audit data.

Question 57

Q

What is a subject?

Answer

A

A subject is an active entity on a data system. Most examples of subjects involve people accessing data files. A subject manipulates an object.

Question 58

Q

What is an object?

Answer

A

An object is any passive data within the system. Objects can range from documents on physical paper to database tables to text files

Question 59

Q

What is the difference between due diligence and due care?

Answer

A

Due care: What would a prudent person due in this situation? Negligence is the opposite of due care. Due diligence is acting on due care.

Question 60

Q

What are the three types of financial damages?

Answer

A

3 types of financial damages:

Statutory, Compensatory, and Punitive.

Question 61

Q

What are statutory damages?

Answer

A

Statutory damages are those prescribed by law, which can be awarded to the victim even if the victim incurred no actual loss or injury

Question 62

Q

What is the OECD?

Answer

A

The Organisation for Economic Co-operation and Development (OECD), though often considered exclusively European, consists of 30 member nations from around the
world. The OECD provides a forum in which countries can focus on issues that impact the global economy. The OECD will routinely issue consensus recommendations that can serve as
an impetus to change current policies and legislation in the OECD member countries and beyond.

Question 63

Q

What are the 10 commandments of computer ethics?

Answer

A

Ten Commandments of Computer Ethics are:

Thou shalt not use a computer to harm other people.
Thou shalt not interfere with other people’s computer work.
Thou shalt not snoop around in other people’s computer files.
Thou shalt not use a computer to steal.
Thou shalt not use a computer to bear false witness.
Thou shalt not copy or use proprietary software for which you have not paid.
Thou shalt not use other people’s computer resources without authorization or proper compensation.
Thou shalt not appropriate other people’s intellectual output.
Thou shalt think about the social consequences of the program you are writing or the system you are designing.
Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Question 64

Q

What are compensatory damages?

Answer

A

Compensatory: provide the victim with a financial award in effort to compensate for the loss or injury incurred as a direct result of the wrongdoing

Answer 65

A

Punitive: The intent of punitive damages is to punish an individual or organization. These damages are typically awarded to attempt to discourage a particularly egregious violation where the compensatory or statutory damages alone would not act as a deterrent.

Answer 66

A

70 years after creator’s death or 95 years for corporations.

Answer 67

A

How many percentage points of an asset is lost

Answer 68

A

Privacy rule, security rule, breach notification rule.

Answer 69

A

Senior management and legal team

Answer 70

A

FRAP (Facilitated Risk Analysis Process) analyses one business unit, application or system at a time in a roundtable brainstorm with internal employees. Impact analyzed, Threats and Risks Prioritized.

Answer 71

A

Typo squatting - potentially illegal

Cyber squatting - legal

Answer 72

A

Supporting facts and elements

Answer 73

A

Total Risk = Threat * Vulnerability * Asset Value.

Risk = Threat * Vulnerability

Answer 74

A

Qualitative Risk Analysis – How likely is it to happen and how bad is it if it happens? This is vague, guessing, a feeling and relatively quick to do. Most often done to know where to focus the Quantitative Risk Analysis.

Answer 75

A

Trademarks ™ and ® (Registered Trademark). Brand Names, Logos, Slogans – Must be registered, is valid for 10 years at a time, can be renewed indefinitely.

Answer 76

A

Federal Sentencing Guidelines

Answer 77

A

Communications Assistance for Law Enforcement Act of 1994.

Answer 78

A

Microsoft’s security development lifecycle with the motto “secure by design, secure by default, secure in deployment and communication”

Answer 79

A

Identification of priorities
Risk identification
Likelihood assessment
Impact assessment
Resource prioritization

Answer 80

A

States that when an agreement between two parties is put into written form, the written document is assumed to contain all terms of the agreement, and no verbal agreements may modify it.

Answer 81

A

Evidence must be relevant, material, and competent.

Answer 82

A

The difference between total risk and residual risk. The controls gap is the amount of risk that is reduced by implementing safeguards.

Answer 83

A

Microsoft’s threat categorization scheme. Stands for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

Answer 84

A

Federal Information Security Management Act, passed in 2002, requires that federal agencies implement an information security program that covers the agency’s operations. Activities of contractors must be included in their security management programs.

Answer 85

A

Strategic plan-long-term and fairly stable
Tactical plan- midterm and somewhat detailed
Operational plan- short term and highly detailed

Answer 86

A

Family Educational Rights and Privacy Act

Answer 87

A

HIPAA covered entities that experience a data breach must notify affected individuals of the breach and must also notify both the Secretary of Health and Human Services and the media when the breach affects more than 500 individuals.

Answer 88

A

The invention must be new, useful, and non-obvious.

Answer 89

A

Law requiring websites to provide parents with the opportunity to review any information collected from their children

Answer 90

A

Physical, technical, administrative

Answer 91

A

ISO 27002 has 11 areas, focusing on specific information security controls:

Policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development, and maintenance
Information security incident management
Business continuity management
Compliance

Answer 92

A

ISO 17799 was renumbered to ISO 27002 in 2005 in order to make it consistent with the 27000 series of ISO security standards

Answer 93

A

COBIT has four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate

Answer 94

A

ITIL® contains five Service Management Practices—Core Guidance publications:
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement

Answer 95

A

Wassenaar Arrangement - 1996 – present. Limits exports on military and “dual-use” technologies. Cryptography is part of that. Some nations also use it to prevent their citizens from having strong encryption (easier to spy on your own people if they can’t use strong cryptography). SQL databases are not covered.

Answer 96

A

e-Discovery or Discovery of electronically stored information (ESI) is the process of producing all relevant documentation and data to a court or external attorneys in a legal proceeding.

Answer 97

A

Information Governance 
Identification 
Preservation 
Collection 
Processing 
Review 
Analysis 
Production
Presentation

Answer 98

A

Notice
Choice
Onward Transfer
Security
Data Integrity
Access
Enforcement

Brainscape's Knowledge GenomeTM

Domain 1: Security and Risk Management Flashcards

Brainscape's Knowledge Genome^TM