Domain 2: Asset Security 13%

Question 1

Military Classification

Answer 1

Top Secret, Secret, Confidential, Unclassified

Question 2

Business Classification

Answer 2

Highly Sensitive, Sensitive, Internal, Public

Question 3

Formal Access Approval

Answer 3

Document from the data owner approving access to the data for the subject

Question 4

Need to know

Answer 4

Just because you have access does not mean you are allowed the data. You need a VALID reason for accessing the data.

Question 5

Least privilege

Answer 5

Users have the minimum necessary access to perform their job duties.

Question 6

Data has 3 States

Answer 6

Data at Rest (Stored data), Data in Motion (Data being transferred on a network), Data in Use (We are actively using the files/data, it can’t be encrypted)

Question 7

DAD

Answer 7

protect against Disclosure, Alteration, Destruction

Question 8

Data Remanence

Answer 8

Data left over after normal removal and deletetion of data.

Question 9

Scoping

Answer 9

is determining which part of a standard we will disploy in our organization.

Question 10

Tailoring

Answer 10

is customizing a standard to your organization.

Question 11

Classification

Answer 11

A system, and the security measures to protect it, meet the security requirements set by the data owner or by regulations/laws.

Question 12

Accreditation

Answer 12

The data owner accepts the certification and the residual risk. This is required before the system can be put into production.

Question 13

PCI-DSS

Answer 13

Payment Card Industry Data Security Standard

Question 14

OCTAVE

Answer 14

Operationally Critical Threat Asset, and Vulnerability Evalutation: Self-Directed Risk Management

Question 15

COBIT

Answer 15

Control Objectives for Information and related Technology: Goals for IT - Stakeholder needs are mapped down to IT related goals.

Question 16

COSO

Answer 16

Committee Of Sponsoring Organizations: Goals for the entire organization

Question 17

ITIL

Answer 17

Information Technology Infrasturcture Library: IT Service Managment (ITSM)

Question 18

FRAP

Answer 18

Facilitated Risk Analysis Process: Analyzes one business uit, application or system at a time in a roundtable brainstorm with internal employees. Impact is analyzed, threats and risks prioritized.

Question 19

ISO 27001

Answer 19

Establish, implement, control and improve the ISMS. ISMS = Info. Sec. Man. Sys. Uses PDCA = Plan, Do, Check, Act.

Question 20

ISO 27002

Answer 20

(From BS 799, 1/2, ISO 17799) Provides practical advice on how to implement security controls. It has 10 domains it uses for ISMS.

Question 21

ISO 27004

Answer 21

Provides metrics for measuring the success of your ISMS.

Question 22

ISO 27005

Answer 22

Standards-based approach to risk management.

Question 23

ISO 27799

Answer 23

Directives on how to protect PHI (Protected Health Information)