Exam1

Question 1

A category of security control that gives oversight of the information system. Risk assessments, vulnerability assessments.

Answer 1

Managerial Control

Question 2

help ensure that the day-to-day operations of an organization comply with the security policy. Awareness and training, configuration management, media protection, physical and environment protection.

Answer 2

Operational Control

Question 3

Attempt to prevent an incident before it occurs. n Hardening, training, Security guards, change management, account disablement policy

Answer 3

Preventative Control

Question 4

A category of security control that is implemented as a system (hardware, software, or firmware). Technical controls may also be described as logical controls. Encryption, antivirus software, IDSs, IPSs, Firewalls, Least privilege

Answer 4

Technical Control

Question 5

Attempt to discover incidents after they have occurred. Log monitoring, SIEM systems, security audit, video surveillance, Motion detection, IDSs

Answer 5

Detective Control

Question 6

Attempt to reverse the impact of an incident; includes IPS, backups, and system recovery. Backups and system recovery, incident handling processes.

Answer 6

Corrective Control

Question 7

Attempt to discourage individuals from causing an incident. Cable locks, physical locks

Answer 7

Deterrent Control

Question 8

Are alternative controls when a primary control is not feasible

Answer 8

Compensating Control

Question 9

Refer to controls you can physically touch

Answer 9

Physical Control

Question 10

A legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU)

Answer 10

General Data Protection Regulation (GDPR)

Question 11

*Gramm-Leach-Bliley Act (GLBA)
*Health Insurance Portability and Accountability Act (HIPAA)
*California Consumer Privacy Act (CCPA)

Answer 11

National, territory, or state laws

Question 12

an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud.

Answer 12

Payment Card Industry Data Security Standard (PCI DSS)

Question 13

Consensus-developed secure configuration guidelines for hardening (benchmarks) and prescriptive, prioritized, and simplified sets of cybersecurity best practices (configuration guides)

Answer 13

Center for Internet Security (CIS)

Question 14

An agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness.

Answer 14

National Institute of Standards and Technology (NIST)

Question 15

A process that integrates security and risk management activities into the system development life cycle through an approach to security control selection and specification that considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations

Answer 15

Risk management framework (RMF)

Question 16

A set of industry standards and best practices created by NIST to help organizations manage cybersecurity risks

Answer 16

Cybersecurity Framework (CSF)

Question 17

An independent organization that establishes standards. They develop standards for a wide variety of industrial and commercial applications, and some directly address cybersecurity topics.

Answer 17

International Organization for Standardization (ISO)

Question 18

Information Security Management, provides information on security management system (ISMS) requirements. Organizations that implement is the ISMS requirements can go through a three stage certification process.

Answer 18

ISO 27001

Question 19

Information Technology Security Techniques, is a complement to ISO 27001. While ISO 27001 outlines the requirements to become certified, this standard provides organizations with a best practices guideline.

Answer 19

ISO 27002

Question 20

An extension to ISO 27001 and is a framework for managing privacy controls to reduce the risk of privacy breach to the privacy of individuals.

Answer 20

ISO 27701

Question 21

An international standard for enterprise risk management that provides a universally recognized paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies, and paradigms that differed between industries, subject matters, and regions

Answer 21

ISO 31000

Question 22

assesses the system design/assesses the ongoing effectiveness of the security architecture over a period of 6-12 months

Answer 22

SSAE SOC 2 Type I/II

Question 23

A nonprofit organization with a mission to promote best practices for using cloud computing securely.

Answer 23

Cloud Security Alliance (CSA)

Question 24

A de-facto standard for cloud security assurance and compliance.

Produced by the Cloud Security Alliance (CSA)

Answer 24

Cloud control matrix

Question 25

A document or set of documents to which a project manager or other interested party can refer for best practices. The lists and charts of functions, departments, products, and security practices that create a common vocabulary for IT and management to use to discuss current and future success make up the reference architecture.

Answer 25

reference architecture

Question 26

Offer guidance for setting up and operating computer systems to a secure level that is understood and documented.

Answer 26

Benchmarks/secure configuration guides

Question 27

Hardening guides that are specific to the software or platform.
No system is secure with the default configurations.
you may need some guidelines to keep everything safe.
Get feedback from the manufacturer or Internet interest groups.

Answer 27

Platform/Vendor specific guides

Question 28

Devices that run behind the scenes that keep our networks running but user’s don’t directly interact with. (switches, routers, firewalls, IPS, etc)

Answer 28

Network Infrastructure Devices

Question 29

Requires a user to agree to follow it to be provided access to corporate email, information systems, and the Internet

Answer 29

Acceptable Use Policy (AUP)

Question 30

Assesses the design of a company’s controls at a specific point in time. This type of report is often used as a short-term solution for companies that are trying to close a deal quickly, are new, or have recently made changes to their data security systems.

Answer 30

SOC 2 Type 1

Question 31

Assesses how well a company’s controls function over a period of time, usually between three and twelve months. This type of report is more comprehensive than a Type 1 report and provides insights into how effective the controls are.

Answer 31

SOC 2 Type 2

Question 32

What is the difference between SOC 2 Type 1 and Type 2?

Answer 32

SOC 2 Type 1 evaluates whether controls are designed properly at a point of time, whereas SOC 2 Type 2 evaluates whether controls are designed and functioning as intended over a specified period of time.

Question 33

____is an application that is managed and hosted by the CSP. CSCs access it using a web browser, mobile application, application programming interfaces (APIs), or
lightweight client application. In this model, the CSC only worries about the application’s configuration, not the underlying resources.

Answer 33

Software as a Service (SaaS)

Question 34

___ abstracts and provides platforms, such as application platforms (e.g., a place to develop and run code), databases, file storage, and collaborative environments.
Other examples include application processing environments for machine learning, big data
processing, or API access to SaaS functions. The key differentiator is that, with PaaS, the CSC
does not manage the underlying infrastructure.

Answer 34

Platform as a Service (PaaS)

Question 35

___offers access to a resource pool of fundamental computing infrastructure, such as network, or storage. In IaaS the CSCis responsible for managing the underlying virtual infrastructure, such as virtual machines, networking, storage, and running
applications.

Answer 35

Infrastructure as a Service (IaaS)

Question 36

A concept that has employees rotate through different jobs to learn the processes and procedures in each job. helps to prevent or expose dangerous shortcuts or even fraudulent activity.

Answer 36

job rotation

Question 37

A requirement that all employees take time off from work, which allows the organization to audit the individual’s areas of responsibility.

Answer 37

Mandatory Vacation Policy

Question 38

Dividing responsibilities between two or more people to limit fraud and promote accuracy of accounting records.

Answer 38

Separation of Duties

Question 39

a principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization

Answer 39

Least Privilege

Question 40

A policy designed to ensure that all confidential or sensitive materials, either in paper form or electronic, are removed from a user’s workspace and secured.

Answer 40

Clean Desk Space

Question 41

Procedures used to verify the truthfulness and accuracy of information that applicants provide about themselves and to uncover negative, job-related background information not provided by applicants

Answer 41

Background checks

Question 42

A legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes but wish to restrict access to or by third parties

Answer 42

Non-Disclosure Agreement (NDA)

Question 43

The process of scouring the Internet to gather personal information and create a fuller profile of each potential juror’s attitudes, interests, and experiences

Answer 43

Social Media Analysis

Question 44

Programs that help employees to integrate and transition to new jobs by making them familiar with corporate policies, procedures, culture, and politics by clarifying work-role expectations and responsibilities

Answer 44

Onboarding

Question 45

Facilitates employee departure from the company by assisting the completion of exit tasks, including exit interviews, forms completion, the return of company property, and ensuring that employees receive the appropriate extended benefits.

Answer 45

Offboarding

Question 46

Instructing employees as to the security reasons behind security restrictions.

Answer 46

User training

Question 47

Selective use of game design and game mechanics to drive employee engagement in non-gaming business scenarios.

Answer 47

Gamification

Question 48

Training event where learners must identify a token within a live network environment.

Answer 48

Capture the Flag

Question 49

Sending simulated phishing messages to users; Users that respond to the messages can be targeted for follow-up training

Answer 49

Phishing Campaigns

Question 50

Exercises to help employees recognize phishing emails.

Answer 50

Phishing Simulations