Domain 1 - Security & Risk Management Flashcards

1
Q

Incident

A

Some sort of occurrence or event

2
Q

Breach

A

An occurrence or event that has a negative outcome

A countermeasure being bypassed or rendered ineffective

3
Q

Disclosure

A

Making ‘secret’ information ‘public’

4
Q

Patent

A

A set of exclusive rights granted by a sovereign state to an inventor for a limited period of time (typically 20 years), in exchange for public disclosure.

5
Q

Copyright

A

Protects published or unpublished original work (for the duration of the author's life, plus 50 years) from unauthorized duplication without due credit and compensation.

6
Q

Trademark

A

A recognizable sign, design, or unique expression that distinguishes the products or services of a particular source from those of others; for services, usually called service marks.

7
Q

Three major international intellectual-property protection treaties are…

A

Berne Convention
Universal Copyright Convention
WIPO Copyright Treaty

8
Q

The five rights associated with a copyright

A
[ R A M P D ]
Reproduce the work in any form, language, or medium
Adapt or derive more works from it
Make and distribute its copies
Perform it in public
Display it in public
9
Q

International Traffic in Arms Regulations (ITAR)

A

What is considered exportable

10
Q

Export Administration Regulations (EAR)

A

Under what conditions we can export

11
Q

The Wassenaar Arrangement

A

Dual-use goods

12
Q

What are the OECD Principles?

A

Organization for Economic Co-operation and Development

Eight Core Principles:

  1. Collection Limitation
  2. Data Quality
  3. Purpose Specification
  4. Use Limitation
  5. Security Safeguards
  6. Openness
  7. Individual Participation
  8. Data Controller Accountability

13
Q

(ISC)2 Code of Professional Ethics

A
  1. Protect society, the commonwealth, and the infrastructure (Do no harm, Protect life FIRST)
  2. Act honorably, honestly, justly, responsibly, and legally
  3. Provide diligent and competent service to principals
  4. Advance and protect the profession

“Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.”

14
Q

Security Policy

A

Direction from senior management (Strategic)

15
Q

Standard

A

Formalized

16
Q

Procedure

A

Step-by-step method of accomplishing something (Tactical)

17
Q

Guideline

A

Best Practice recommendation

18
Q

Business Impact Analysis (BIA) goals

A
  1. Determine Criticality
  2. Estimate Maximum downtime
  3. Evaluate Internal and External Resource Requirements
19
Q

Business Impact Analysis (BIA) process steps

A
  1. Gather requirements/info
  2. Vulnerability assessment
  3. Risk Analysis
    - QUANT-itative (ALE = SLE * ARO): facts, numbers, money
    - QUAL-itative
  4. Communicate findings

20
Q

RTO

A

Recovery Time Objective

The target amount of time (the "sweet spot") within which a system should be back online.

21
Q

RPO

A

Recovery Point Objective

The amount of data or information we are willing to walk away from (lose) in order to restore; determined by backup timing.

22
Q

Risk

A

The probability that a given threat source will exercise a particular vulnerability, and the resulting impact should that occur

23
Q

Threat

A

An event or situation that, if it occurred, would prevent the organization from operating in its normal manner

A potential occurrence that may cause an undesirable outcome

24
Q

Vulnerability

A

Weakness

25
Q

Likelihood

A

Chance that something might happen

26
Q

Impact

A

What a threat will cost (quantitative/qualitative)

27
Q

Countermeasure (control)

A

Mechanism applied to minimize risk

28
Q

Residual Risk

A

Remaining risks after all the countermeasures/controls have been applied

29
Q

Risk Assessment Process (NIST SP800-30R1)

A
  Step 1: Prepare for assessment
  Step 2: Conduct assessment
    a) Identify threat sources and events
    b) Identify vulnerabilities and predisposing conditions
    c) Determine likelihood of occurrence
    d) Determine magnitude of impact
    e) Determine risk
  Step 3: Communicate results
  Step 4: Maintain assessment

30
Q

Risk Response

A
  1. Avoid (choose not to engage in activities that lead to risk)
  2. Accept (agree to carry on activities knowing the risk)
  3. Transfer (insurance)
  4. Mitigate

31
Q

Countermeasure selection and implementation

A

Cost Effectiveness
Appropriateness

32
Q

Types of Controls

A

Physical
Administrative
Logical (Technical)

33
Q

Seven Types of Control

A
  1. Directive
  2. Deterrent
  3. Preventative
  4. Compensating
  5. Detective
  6. Corrective
  7. Recovery

34
Q

Tailoring

A

Filtering

35
Q

Scoping

A

Deciding what is in and what is out: what are you going to focus on? Think rifle scope.

36
Q

Security Control Assessment (SCA) | Penetration Test Methodology

A
  1. Reconnaissance
  2. Enumeration
  3. Vulnerability Analysis
  4. Execution / Exploitation
  5. Document findings

37
Q

Process Steps for Qualitative Assessment

A
  1. Seek Senior Mgmt Approval
  2. Form a risk assessment team
  3. Analyze Data
  4. Calculate Risk
  5. Countermeasure Recommendations

38
Q

The Deming Cycle (PDCA) is part of which stage of the process?

A

Continuous Improvement (CI)

39
Q

PDCA stands for what?

A

Plan, Do, Check, Act

40
Q

COSO is a risk management framework associated with which sector?

A

Financial - Reporting and Disclosure Objectives

41
Q

What are the 5 Lifecycle Phases of ITIL?

A
  1. Service STRATEGY
  2. Service DESIGN
  3. Service TRANSITION
  4. Service OPERATION
  5. Continual Service Improvement (CSI)

42
Q

COBIT

A

IT Governance Framework | Governance Risk and Compliance (GRC)

43
Q

What is the NIST document number for 'Guide to Conducting Risk Assessments'?

A

NIST800-30R1

Q

What is 'threat modeling'?

A

A process by which potential threats, such as structural vulnerabilities, can be identified, enumerated, and prioritized - all from a hypothetical attacker's point of view.

45
Q

What are the 5 steps in the threat modeling process?

A
  1. Identify Security Objectives
  2. Survey the Application / System
  3. Decompose it
  4. Identify Threats
  5. Identify Vulnerabilities

46
Q

What type of model is STRIDE?

A

Threat Model

47
Q

What type of model is OCTAVE?

A

Threat Model

48
Q

Which threat model(s) would be used to provide a visual representation based on Data Flow Diagrams?

A

PASTA | TRIKE

49
Q

Which threat model(s) would be used to provide a visual representation based on Process Flow Diagrams?

A

VAST

50
Q

What is the NIST document number for 'Supply Chain Risk Management Practices for Federal Information Systems and Organizations'?

A

NIST800-SP161

51
Q

How does an SLA differ from an SLR?

A

SLA is a contract between you (the customer) and the vendor around certain minimum guarantees for service.
SLR is a list of the things that the service must provide.

52
Q

What is the role of a Data Owner?

A

Responsible for data classification

53
Q

What is the role of the Data Custodian?

A

Responsible for implementing data protections at the direction of the Data Owner. Performs all activities necessary to provide CIA protection.

54
Q

What is another name for a user?

A

Subject

55
Q

What is another name for data?

A

Object

56
Q

What is an Asset?

A

Anything within the organization that has value and should be afforded CIA protections

57
Q

What is Asset Valuation?

A

Dollar value assigned to an asset

58
Q

What is deployed to mitigate risk?

A

Safeguard
Control
Countermeasure

59
Q

Define 'attack'

A

The exploitation of a vulnerability by a threat agent

60
Q

Formula to determine ALE

A

ALE = SLE * ARO

61
Q

What is Governance?

A

All about:
  Oversight
  Due Care
  Due Diligence
  Guidance from Sr Mgmt

What is CRIMINAL law?
Harms done to one of more individuals or organizations JAIL TIME
63
What is CIVIL law?
Interactions between business and the individual FINANCIAL PENALTY
64
What is ADMINISTRATIVE law?
Day-to-day oversight and regulation