Domain 1 - Security & Risk Management

Question 1

Incident

Answer 1

Some sort of occurrence or event

Question 2

Breach

Answer 2

An occurrence or event that has a negative outcome

A countermeasure being bypassed or rendered ineffective

Question 3

Disclosure

Answer 3

Making ‘secret’ information ‘public’

Question 4

Patent

Answer 4

A set of exclusive rights granted by a sovereign state to an inventor for a limited period of time (typically 20 years), in exchange for public disclosure.

Question 5

Copyright

Answer 5

Protects published or unpublished original work (for the duration of the authors life, plus 50 years) from unauthorized duplication without due credit and compensation.

Question 6

Trademark

Answer 6

A recognizable sign, design, or unique expression related to products or services of a particular source from those of others, usually called service marks.

Question 7

Three major International intellectual-property protection treaties are…

Answer 7

Berne Convention
Universal Copyright Convention
WIPO Copyright Treaty

Question 8

The five rights associated with a copyright

Answer 8

[ R A M P D ]
Reproduce the work in any form, language, or medium
Adapt or derive more works from it
Make and distribute its copies
Perform it in public
Display it in public

Question 9

International Traffic in Arms Regulations (ITAR)

Answer 9

What is considered exportable

Question 10

Export Administration Regulations (EAR)

Answer 10

Under what conditions we can export

Question 11

The Wassenaar Arrangement

Answer 11

Dual-use goods

Question 12

What are the OECD Principles?

Answer 12

Organization for Economic Cooperations and Development

Eight Core Principles:

1. Collections Limitation
2. Data Quality
3. Purpose Specification
4. Use Limitation
5. Security Safeguards
6. Openness
7. Individual Participation
8. Data Controller Accountability

Question 13

(ISC)2 Code of Professional Ethics

Answer 13

1. Protect society, the commonwealth, and the infrastructure (Do no harm, Protect life FIRST)
2. Act honorable, honestly, justly, responsible, and legally
3. Provide diligently and competent service to principals
4. Advance and protect the profession

“Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.”

Question 14

Security Policy

Answer 14

Direction from senior management (Strategic)

Question 15

Standard

Answer 15

Formalized

Question 16

Procedure

Answer 16

Step-by-step method of accomplishing something (Tactical)

Question 17

Guideline

Answer 17

Best Practice recommendation

Question 18

Business Impact Analysis (BIA) goals

Answer 18

1. Determine Criticality
2. Estimate Maximum downtime
3. Evaluate Internal and External Resource Requirements

Question 19

Business Impact Analysis (BIA) process steps

Answer 19

1. Gather requirements/info
2. Vulnerability assessment
3. Risk Analysis
   + QUANT-itative (ALE = SLE * ARO)
   - Facts, numbers, money
   + QUAL-itative
4. Communicate findings

Question 20

RTO

Answer 20

Recovery Time Objective

The amount of time that would be a sweet spot to get a system back online in.

Question 21

RPO

Answer 21

Recovery Point Objective

Data or information that we are willing to walk away from in order to restore (Backup time)

Question 22

Risk

Answer 22

The probability that a given threat sources will exercise a particular vulnerability and the resulting impact should that occur

Question 23

Threat

Answer 23

An event or situation that if it occurred, would prevent the organization from operating in its normal manner

A potential occurrence that may cause an undesirable outcome

Question 24

Vulnerability

Answer 24

Weakness

Question 25

Likelihood

Answer 25

Chance that something might happen

Question 26

Impact

Answer 26

What a threat will cost (quantitative/qualitative)

Question 27

Countermeasure (control)

Answer 27

Mechanism applied to minimize risk

Question 28

Residual Risk

Answer 28

Remaining risks after all the countermeasures/controls have been applied

Question 29

Risk Assessment Process (NIST SP800-30R1)

Answer 29

Step 1: Prepare for assessment

Step 2: Conduct assessment

a) Identify threat sources and events
b) Identify vulnerabilities and predisposing conditions
c) Determine likelihood or occurrence
d) Determine magnitude of impact
e) Determine risk

Step 3: Communicate results

Step 4: Maintain assessment

Question 30

Risk Response

Answer 30

1. Avoid (choose not to engage in activities that lead to risk)
2. Accept (agree to carry on activities knowing risk)
3. Transfer (insurance)
4. Mitigate

Question 31

Countermeasure selection and implementation

Answer 31

Cost
Effectiveness
Appropriateness

Question 32

Types of Controls

Answer 32

Physical
Administrative
Logical (Technical)

Question 33

Seven Types of Control

Answer 33

1. Directive
2. Deterrent
3. Preventative
4. Compensating
5. Detective
6. Corrective
7. Recovery

Question 34

Tailoring

Answer 34

Filtering

Question 35

Scoping

Answer 35

Deciding what is in and what is out. What are you going to focus on. Think rifle scope.

Question 36

Security Control Assessment (SAC)

Penetration Test Methodology

Answer 36

1. Reconnaissance
2. Enumeration
3. Vulnerability Analysis
4. Execution / Exploitation
5. Document findings

Question 37

Process Steps for Qualitative Assessment

Answer 37

1. Seek Senior Mgmt Approval
2. Form a risk assessment team
3. Analyze Data
4. Calculate Risk
5. Countermeasure Recommendations

Question 38

The Deming Cycle (PDCA) is part of which stage of the process?

Answer 38

Continuous Improvement (CI)

Question 39

PDCA stands for what?

Answer 39

Plan
Do
Check
Act

Question 40

COSO is a risk management framework associated with which sector?

Answer 40

Financial - Reporting and Disclosure Objectives

Question 41

What are the 5 Lifecycle Phases of ITIL?

Answer 41

1. Service STRATEGY
2. Service DESIGN
3. Service TRANSITION
4. Service OPERATION
5. Continual Service Improvement (CSI)

Question 42

COBIT

Answer 42

IT Governance Framework

Governance Risk and Compliance (GRC)

Question 43

What is the NIST document number for ‘Guide to Conducting Risk Assessments’?

Answer 43

NIST800-30R1

Question 44

What is ‘threat modeling’?

Answer 44

A process by which potential threats, such as structural vulnerabilities can be identified, enumerated, and prioritized - all from a hypothetical attackers point of view.

Question 45

What are the 5 steps in the threat modeling process?

Answer 45

1. Identify Security Objectives
2. Survey the Application / System
3. Decompose it
4. Identify Threats
5. Identify Vulnerabilities

Question 46

What type of model is STRIDE?

Answer 46

Threat Model

Question 47

What type of model is OCTAVE?

Answer 47

Threat Model

Question 48

Which thread model(s) would be used to provide a visual representation based on Data Flow Diagrams?

Answer 48

PASTA

TRIKE

Question 49

Which thread model(s) would be used to provide a visual representation based on Process Flow Diagrams?

Answer 49

VAST

Question 50

What is the NIST document number for ‘Supply Chain Risk Management Practices for Federal Information Systems and Organizations’?

Answer 50

NIST800-SP161

Question 51

How does a SLA differ from a SLR?

Answer 51

SLA is a contract between you the customer and the vendor around certain minimum guarantees for service

SLR is a list of the things that the service must provide

Question 52

What is the role of a Data Owner?

Answer 52

Responsible for data classification

Question 53

What is the role of the Data Custodian?

Answer 53

Responsible for implementing data protections at the direction of the Data Owner

Performs all activities necessary to provide CIA protection.

Question 54

What is another name for a user?

Answer 54

Subject

Question 55

What is another name for data?

Answer 55

Object

Question 56

What is an Asset?

Answer 56

Anything within the organization that has value and should be afforded CIA protections

Question 57

What is Asset Valuation?

Answer 57

Dollar value assigned to an asset

Question 58

What is deployed to mitigate risk?

Answer 58

Safeguard
Control
Countermeasure

Question 59

Define ‘attack’

Answer 59

The exploitation of a vulnerability by a threat agent

Question 60

Formula to determine ALE

Answer 60

ALE = SLE * ARO

Question 61

What is Governance

Answer 61

All about Oversight
Due Care
Due Diligence
Guidance from Sr Mgmt

Question 62

What is CRIMINAL law?

Answer 62

Harms done to one of more individuals or organizations

JAIL TIME

Question 63

What is CIVIL law?

Answer 63

Interactions between business and the individual

FINANCIAL PENALTY

Question 64

What is ADMINISTRATIVE law?

Answer 64

Day-to-day oversight and regulation