IA 2 - UNIT 2 Flashcards

1
Q

Two types of assets

A
  1. Tangible
  2. Intangible
2
Q

Three controls for assigning responsibility for assets

A
  1. Inventory
  2. Ownership
  3. Acceptable Use
3
Q

Responsibility for assets

A
  • each asset is assigned to an identified entity (its owner)
  • that entity carries the risk management and security responsibilities for the asset
  • provides adequate levels of security
  • provides accountability for asset protection
4
Q

Organization’s Assets

A
  1. Data / Information
  2. Hardware
  3. Intangible
  4. People
  5. Services
  6. Software
5
Q
  • Identify and record information about the assets
  • Movements and changes are documented and the record is updated
A

Inventory

6
Q
  • Assets have established owners
  • The owner is responsible for the security of the asset
  • The owner reviews the classification and the authorisation of use
A

Ownership

7
Q
  • Develop acceptable use policies and guidelines
  • Similar categories of assets are covered under the same policy
  • Rules for the disclosure and release of information are cited
A

Acceptable Use

8
Q

Organising information by its sensitivity and by the loss that its disclosure, modification or unavailability would cause.

A

Classification and Handling

9
Q

Two classification and handling controls

A
  1. Classification Guidelines
  2. Information labeling and handling
10
Q
  • Information is organised by who needs it and by the impact of a breach
  • The originator is responsible for classifying and protecting the information according to policies and procedures
A

Classification Guidelines

11
Q

Classification is based on value and impact, and determines the required level of

A
  • confidentiality
  • integrity
  • availability
12
Q

Classification guidelines consider

A
  • Security classification
  • Information assurance
  • Information owners' business, industry and legal requirements
  • Organisation culture
13
Q

Classification Process

A
  1. Creation ->
  2. Access control implementation ->
  3. Method of processing ->
  4. Information disposal
14
Q
  • Organisations must develop information handling protocols based on the classification policy
  • This preserves information assets
A

Labeling and Handling

15
Q

Risk Management Process

A
  1. Background Planning
  2. Asset Analysis
  3. Threat Analysis
  4. Vulnerability Analysis
  5. Risk Identification
  6. Risk Analysis
  7. Risk Treatment
17
Q

Background Planning Critical Elements

A
  1. Establish the Aim, Scope and Boundary
  2. Establish the risk evaluation criteria
18
Q

The process of managing the risks in information technology systems: identifying, assessing and acting on risks to the confidentiality, integrity and availability of data.

A

Risk Management

19
Q
  • The measure or extent to which an entity is threatened by a circumstance or event
  • A function of the likelihood of a threat event occurring and the impact if it does
A

Risks

20
Q

Using the CIA Triad

A
  • Confidentiality: What happens if people could see this?
  • Integrity: What happens if people could change this?
  • Availability: What happens if authorized users can't use this?
21
Q
  • Analyze your assets by type (hardware, software, people, services, platforms)
  • Determine each asset's owner, its value and its impact on the organization using the CIA triad
A

Asset Analysis

22
Q

Conducted with reference to a database of known major threats.

A

threat analysis

23
Q

Human threats are divided into three dimensions

A
  1. The Motive
  2. The Opportunity
  3. The Means
24
Q

Typically weather-related phenomena.

A

Natural Threats

25
Q
  • Identify which vulnerabilities the identified threat events could exploit.
  • The goal is to find the flaws or weaknesses that a threat can exploit.
A

Vulnerability Analysis

26
Q
  • Risks should be identified as early as possible.
  • A good practice is to brainstorm with the risk management team. If the team lacks the expertise, outside help should be brought in.
A

Risk Identification

27
Q
  • A qualitative approach to risk analysis using the "quadrants" method: each risk is placed by its likelihood against its impact.
  • Risks in the "Low" quadrant may be accepted or lowered in priority.
A

Risk Matrix

28
Q
  • Periodic risk assessments should be conducted, and risk reviews should occur whenever the IT infrastructure changes.
  • Organizations should develop "risk dashboards" so that risks are monitored in accordance with their priority.
A

Monitoring Risks

29
Q

Identify what methods are in place to control the risk, and the strengths and weaknesses of the system.

A

Risk Analysis

30
Q

Based on the risk assessment, the risk treatment options are:

A

Avoid risk: if the activity causes the risk, don't do it.
Reduce the likelihood of occurrence.
Reduce the consequences.
Transfer risk: insurance, partnerships, etc.
Accept risk: consciously retain it, typically when it falls within the evaluation criteria.

31
Q

Integration w/ Other Management Practices

A
  1. Budgeting
  2. Business Planning
  3. Internal Audit
  4. Periodic Reporting
32
Q

Risk management requires resources that might otherwise be used in other areas of the organization.

A

Budgeting

33
Q

The organization may have a business plan. Exercises such as SWOT and PEST analysis may be used in risk analysis.

A

Business Planning

34
Q

A tool that management may use to monitor risks. The frequency of reporting should be based on the impact of the risk.

A

Periodic Reporting

35
Q

Organizations should use data from the risk management team to aid internal auditing and control reviews.

A

Internal Audit

36
Q

Assures that unauthorized people cannot access information; information that is transferred is encrypted so that only authorized people can decrypt it.

A

Confidentiality

37
Q

The practice of managing the risks involving information: its use, storage, transmission and processing, including the systems or devices used in the process.

A

Information Assurance Policy

38
Q

It prevents unauthorized access, use, disclosure, disruption, modification, or destruction of the data

A

Information Assurance Policy

39
Q

Pillars of Information Assurance Security

A
  1. Confidentiality
  2. Integrity
  3. Availability
  4. Authenticity
  5. Non-repudiation
40
Q

Assures that the system protects data so that information retains its original state: no one can tamper with or modify the information without authorization.

A

Integrity

41
Q

Ensures that authorized users have easy and timely access to the information, and that the information remains available even during unexpected scenarios.

A

Availability

42
Q

Ensures that information transmitted between parties is genuine and comes from the party it claims to come from. The system must be capable of preventing impersonation and must confirm identities before giving access to the information.

A

Authenticity

43
Q

Ensures that neither party can later deny having sent or received a message: the sender has proof that the message was delivered to the correct individual, and the recipient has proof of who sent it.

A

Non-repudiation

44
Q

There are four essential areas of focus applicable to the recruitment process.

A
  • Inclusion of information assurance aspects in the job scope and description.
  • Defined level of confidentiality or sensitivity required
  • Filling the vacant positions with suitable candidates
  • Use of legal documents to enforce information assurance
45
Q

Eliminates "gray" areas about employee responsibilities and how to respond in different situations.

A

job scope and description

46
Q

Should give a clear explanation of employees' roles, responsibilities and authorities in the organization. It is crucial to state the access level during the employee's tenure.

A

scope and description

47
Q

NICE

A

United States National Initiative for Cybersecurity Education

48
Q

The NICE framework's seven workforce categories:

A
  1. Operate and Maintain
  2. Protect and Defend
  3. Investigate
  4. Collect and Operate
  5. Analyze
  6. Securely Provision
  7. Oversight and Development
49
Q

Individuals should be placed in specific positions within an organization based on their qualifications, the position's confidentiality level, and suitable screening and selection methods. Select the best candidate for the job.

A

Filling the Position

50
Q

There are two general principles that apply when granting access

A
  1. Job division (separation of duties)
  2. Restriction of employee rights (least privilege)
51
Q
  • Brings more privacy issues to the table
  • The organization's information assurance requirements should follow the organization's information onto any media or platform
A

BYOD

52
Q

Two documents used frequently as legally binding in organizations

A
  1. employment contract
  2. nondisclosure agreements (NDAs)
53
Q
  • An agreement between the organization and the employee defining all the terms and conditions of employment.
  • Hence, from the point of view of information assurance, the employee's information assurance roles and responsibilities should be defined, pertaining to (but not limited to) copyright, data protection rights, information ownership, information management and information classification.
A

employment contract

54
Q
  • Organizations must clearly delineate the employee's expectations of privacy when it comes to employee-owned devices or employees using organizational equipment for personal use.
  • Organizations may offer a de minimis policy stating that an employee may use organizational information systems and resources for personal use during a break or lunch period as long as there is no material cost to the organization.
  • De minimis is Latin for "minimal things"; in risk assessment it refers to a level of risk too low to be concerned with.
  • If the organization is intercepting the connection and decrypting the information, it may be wading into the waters of a privacy violation.
  • Organizations must work carefully with their legal departments to determine appropriate work-life balance policies that still allow properly scoped monitoring to be performed when needed.
A

Monitoring and Privacy Expectations

55
Q
  • Defines the identity of the organization and the employee, the level of confidentiality of the information covered, and to whom the information may not be divulged.
  • Hence, an employee should sign an ________ before they have access to the organization's information systems or facilities.
  • Furthermore, the ________ should be reviewed whenever the terms and conditions of employment change.
A

NDA

56
Q
  • A form of control that minimizes fraud. It also keeps an individual from staying in one job position for long periods and helps manage their motivation.
  • Keeping an employee in one job position for extended periods may give the employee too much control over certain business functions.
  • Such control may lead to fraud or misuse of resources, or may even jeopardize data integrity.
A

Rotation of Duties

57
Q

  • An organization may perform periodic monitoring of employees’ activities to detect potential fraud.
  • Clearly, this must be consistent with local laws; however, it is important for employees to know that such monitoring may take place.
  • The organization should be cautioned against routine and undisclosed monitoring because this may trigger employees’ uneasiness: feelings that they are not being trusted and are being spied upon.
A

Periodic Monitoring

59
Q
  • The recruitment process does not stop once an employee is hired.
  • The new employee will be trained to perform job-specific tasks including information assurance duties and responsibilities.
A

Employee Training and Awareness

60
Q
  • Organizations should establish policy and procedures for secure offboarding by defining actions to be taken to handle absence and departure.
  • The actions should include temporary or permanent closing of accounts, steps for forwarding e-mails, change of critical passwords and phone numbers, and disabling access to all systems.
A

Termination or Change of Employment

61
Q
  • Establish and explain a formal disciplinary process for all employees specific to security breaches.
  • The disciplinary process should ensure that employees suspected of committing any security breach are treated correctly and fairly.
A

Disciplinary Process

62
Q
  • Refers to the formal process of assessing and certifying that an organization’s information systems and processes meet certain security standards and compliance requirements.
  • The Information Assurance Planning Process involves a series of steps and activities aimed at ensuring the confidentiality, integrity, and availability of an organization’s information assets.
A

Accreditation

63
Q

This process includes identifying the information systems and assets to be accredited, understanding the relevant security requirements, and establishing an accreditation team.

A

Preparation and Planning

64
Q
  • outlines the system’s security requirements, policies, procedures, and controls.
  • It serves as a foundational document for the accreditation process.
A

System Security Plan (SSP) Development

65
Q
  • Organizations perform a comprehensive risk assessment to identify potential threats, vulnerabilities, and risks associated with the information systems.
  • This assessment helps in determining the appropriate security controls and countermeasures
A

Risk Assessment

66
Q

Based on the SSP and risk assessment, the organization implements the necessary security controls to mitigate identified risks and meet security requirements. This may involve the deployment of technical safeguards, security policies, and employee training.

A

Security Controls Implementation

67
Q

The organization conducts security testing and evaluation to assess the effectiveness of the implemented security controls. This may include vulnerability scanning, penetration testing, and other security assessments.

A

Security Testing and Evaluation

68
Q

Detailed documentation of all security-related activities, including security control implementation, testing results, and incident response procedures, is essential for the accreditation process.

A

Documentation

69
Q

The accreditation team compiles all relevant documentation and evidence into an accreditation package. This package is submitted to the accrediting authority for review.

A

Accreditation Package Preparation

70
Q
  • A policy stating that an employee may use organizational information systems and resources for personal use during a break or lunch period as long as there is no material cost to the organization
  • De minimis is Latin for "minimal things"; in risk assessment it refers to a level of risk too low to be concerned with
A

de minimis policy

71
Q
  • Often a designated security or compliance officer within the organization, or a regulatory body, that reviews the accreditation package.
  • It assesses whether the security controls are effectively mitigating risks and whether the organization complies with applicable standards and regulations.
A

Accrediting Authority Review

72
Q

This decision can be to accredit the system (grant authorization to operate), deny accreditation, or require further remediation and reevaluation

A

Accreditation Decision

73
Q
  • Organization must maintain continuous monitoring and oversight of the accredited systems.
  • This includes ongoing security assessments, incident response, and periodic reviews to ensure compliance with security requirements.
A

Continuous Monitoring

74
Q
  • Accreditation is not a one-time process.
  • Periodically, the organization must undergo reaccreditation to ensure that the security controls remain effective and that the system remains compliant with evolving security standards and regulations.
A

Reaccreditation

75
Q

Two Approaches to Implementing Information Assurance

A
  1. The Bottom-up Approach
  2. The Top-down Approach
76
Q

Places the responsibility for successful information security on a single staff member or the security department.

A

The Bottom-up Approach

77
Q

Starts with upper management: top-level managers are responsible for initiating, creating and implementing the data protection strategy.

A

The Top-down Approach

78
Q

The Bottom-up Approach Advantages

A
  • Uses a person's or team's experience and expertise to handle intricate security concerns
  • The task may be assigned to an existing employee with the appropriate background instead of hiring someone new
79
Q

The Top Down Approach Advantages

A
  • More effective, because it makes data protection a company-wide priority instead of placing all the responsibility on one person or team
  • Incorporates more of the available resources and gives a clearer overview of the company's assets and concerns
80
Q

The Bottom-up Approach Disadvantages

A
  • Does not involve assistance or input from top-level management
  • The infosec program will not have the thoroughness it would have if information and directives came from the top
81
Q

Structure of an Information Assurance Organization

A
  1. Centralized Structure
  2. Distributed Structure
  3. Hybrid Structure
82
Q

Where the information assurance management program is managed under a centralized unit with ultimate accountability and responsibility for the program

A

Centralized Structure

83
Q

Where roles, responsibilities and authorities are spread throughout the organization's business units, operations areas and geographical locations

A

Distributed structure

84
Q
  • A mix of the centralized and distributed structures
  • Features centralized management of information assurance with decentralized execution of security activities
A

Hybrid structure