Domain 1 Security Principles

Question 1

1. Confidentiality

Answer 1

Confidentiality means
permitting authorized access to information while at the same time protecting it from improper disclosure

Question 2

2. Integrity

Answer 2

Integrity is the property of information whereby it is
recorded, used, and maintained in a way that ensures its completeness, accuracy, internal consistency, and usefulness for a
stated purpose

Question 3

3. Availability

Answer 3

Availability means that systems and data are accessible at the time users need them

Question 4

4. GDPR

Answer 4

These laws, including national- and state-
level laws, dictate that any entity anywhere
in the world handling the private data of
people in a particular legal jurisdiction
must abide by its privacy requirements.

Question 5

Privacy

Answer 5

Privacy is the right of an
individual to control the
distribution of information
about themselves

Question 6

6. How do companies that offer identity theft insurance manage their own financial risk?

Answer 6

By calculating premium payments against potential payouts

Question 7

7. What term is used to refer to information that, when combined with other pieces of data, significantly narrows the possibility of association with more individuals?

Answer 7

Personally Identifiable Information (PII)

Question 8

8. In the United States, which act governs the privacy of medical information?

Answer 8

Health Insurance Portability and Accountability Act (HIPPA)

Question 9

9. Asset

Answer 9

is something in need of protection

Question 10

10. Vulnerability

Answer 10

is a gap or weakness in those protection efforts

Question 11

11. Threat

Answer 11

is something or someone that aims to exploit a vulnerability to thwart protection efforts.

Question 12

12. Who is responsible for determining risk tolerance in an organization?

Answer 12

Executive management and board of directors

Question 12

13. Vulnerability

Answer 12

Is a gap or weakness in an organization’s protection of its valuable assets including information.

Question 13

14. Threat

Answer 13

Is someone or something that aims to exploit a vulnerability to gain unauthorized access.

Question 13

15. What role might security professionals play in risk assessment at a system level?

Question 14

16. Who is responsible for identifying risks within an organization?

Answer 14

Employees at all levels of the organization

Question 15

17. Security Controls

Answer 15

Security controls pertain to the physical, technical, and administrative mechanisms
that act as safeguards or countermeasures to protect the confidentiality, integrity, and availability of the system and its information.

Question 16

18. Physical Controls

Answer 16

Physical controls address security needs using physical hardware devices, such as badge readers, architectural features of
buildings and facilities, and specific security actions taken by staff

Question 17

19. Technical Controls

Answer 17

Technical controls (also called logical controls) are security controls that
computer systems and networks directly implement.

Question 18

20. Administrative Controls

Answer 18

Administrative controls (also known as managerial controls) are directives,
guidelines, or advisories aimed at the people within the organization. They
provide frameworks, constraints, and
standards for human behavior and should cover the entire scope of the
organization’s activities and its interactions with external parties and stakeholders.

Question 19

21. What is an example of a physical control?

Answer 19

Walls, fences, guards, locks

Question 20

22. According to the code of ethics, what are information security professionals expected to uphold?

Answer 20

Be honorable, honest, just and responsible within legal conduct

Question 21

23. Authentication

Answer 21

Authentication is a process to prove the identity of the requestor.

Question 22

24. There are three common methods of authentication

Answer 22

●Something you know: Passwords or passphrases ● Something you have: Tokens, memory cards, smart cards ● Something you are: Biometrics, measurable characteristic

Question 23

25. Which of the following are considered a widely accepted factor for authentication?

Answer 23

Something you know Something you are Something you have

Question 24

26. ISC2 Code of Ethics Canon

Answer 24

● Protect society, the common good, necessary public trust and confidence, and the infrastructure. ● Act honorably, honestly, justly, responsibly, and legally. ● Provide diligent and competent service to principles. ● Advance and protect the profession.

Question 25

27. Procedures

Answer 25

Are the detailed steps to complete a task that support departmental or organizational policies.

Question 26

28. Policies

Answer 26

Are put in place by organizational governance, such as executive management, to provide guidance in all activities to ensure that the organization supports industry standards and regulations.

Question 27

29. Standards

Answer 27

Are often used by governance teams to provide a framework to introduce policies and procedures in support of regulations.

Question 28

30. Regulations

Answer 28

Are commonly issued in the form of laws, usually from government (not to be confused with governance) and typically carry financial penalties for non-compliance.

Question 29

31. HIPPA

Answer 29

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is an example of a law that governs the use of protected health information (PHI) in the United States. Violation of HIPAA carries the possibility of fines and/or imprisonment for both individuals and companies.

Question 30

32. GDPR

Answer 30

The General Data Protection Regulation (GDPR) was enacted by the European Union (EU) to control use of Personally Identifiable Information (PII) of its citizens and those in the EU. It includes provisions that apply financial penalties to companies who handle data of EU citizens and those living in the EU even if the company does not have a physical presence in the EU, giving this regulation an international reach.

Question 31

34. Standards

Answer 31

Standards cover a broad range of issues and ideas and may provide assurance that an organization is operating with policies and procedures that support regulations and widely accepted best practice

Question 32

34. NIST

Answer 32

Is a United States government agency under the Department of Commerce and publishes a variety of technical standards in addition to information technology and information security standard.

Question 33

35. IETF

Answer 33

Thanks to the Internet Engineering Task Force (IETF), there are standards in communication protocols that ensure all computers can connect with each other across borders, even when the operators do not speak the same language.

Question 34

36. IEEE

Answer 34

The Institute of Electrical and Electronics Engineers (IEEE) also sets standards for telecommunications, computer engineering, and similar discipline.

Question 35

38. ISO

Answer 35

The International Organization for Standardization (ISO) develops and publishes international standards on a variety of technical subjects, including information systems and information security, as well as encryption standards. ISO solicits input from the international community of experts to provide input on its standards prior to publishing. Documents outlining ISO standards may be purchased online.

Question 36

38. Policies

Answer 36

Policy is informed by applicable law(s) and specifies which standards and guidelines the organization will follow. Policy is broad but not detailed; it establishes context and sets out strategic direction and priorities. Governance policies are used to moderate and control decision- making, to ensure compliance when necessary, and to guide the creation and implementation of other policies. Policies are often written at many levels across the organization. High- level governance policies are used by senior executives to shape and control decision-making process.

Question 37

39. Policies (continued)

Answer 37

Other high-level policies direct the behavior and activity of the entire organization as it moves toward goals and objectives. Functional areas such as human resources management, finance and accounting, and security and asset protection usually have their own sets of policies. Whether imposed by laws and regulations or by contracts, the need for compliance might also require the development of specific high-level policies that are documented and assessed for their effective use by the organization. Policies are implemented, or carried out, by people; for that, someone must expand the policies from statements of intent and direction into step-by- step instructions, or procedures.

Question 38

40. Procedures

Answer 38

Procedures define the explicit, repeatable activities necessary to accomplish a specific task or set of tasks. They provide supporting data, decision criteria, or other explicit knowledge needed to perform each task. Procedures can address one-time or infrequent actions or common, regular occurrences.

Question 39

41. Procedures (continued)

Answer 39

In addition, procedures establish the measurement criteria and methods to use to determine whether a task has been successfully completed. Properly documenting procedures and training personnel on how to locate and follow them is necessary for deriving the maximum organizational benefits from procedure.