IA 2 - UNIT 3

Question 1

Benefits of Incorporating Security Considerations

Answer 1

1. Early integration reduces disruptions and costs.
2. Ongoing security adaptation to evolving threats.
3. Retrofitting post-incident is costly and less effective.
4. Regular updates to the security plan are vital.
5. Documenting decisions aids comprehensive coverage and audits.

Question 2

is the overall process of creating, implementing, and decommissioning information systems through a multistep process from initiation, analysis, design, implementation, and maintenance to disposal.

Answer 2

system development life cycle

Question 3

SDLC Phases

Answer 3

1. Initiation
2. Development
3. Implementation
4. Maintenance
5. Disposal

Question 4

INITIATION PHASE

Answer 4

• Need establishment
• Security categorization
• Initial Risk Assessment

Question 5

DEVELOPMENT/ACQUISITION PHASE

Answer 5

• Requirement analysis/ development
• Risk assessment
• Budgeting
• Security planning
• Security control development
• Security test and evaluation

Question 6

IMPLEMENTATION PHASE

Answer 6

• Security test and evaluation
• Inspection and acceptance
• System integration/installation
• Security accreditation

Question 7

OPERATION/MAINTENANCE PHASE

Answer 7

• Configuration management and control
• Continuous monitoring and continuous accreditation (authorization)\

Question 8

2 Layer of Defense

Answer 8

1. Physical security of premises and offices
2. Physical security of equipment

Question 9

Main Threats For Physical and Environmental Security

Answer 9

• Energy (Electricity)
• Equipment (Mechanical or electronic components) Fire and Chemical Hazard (smoke, industrial pollution)
• Manmade Disasters (war, terrorist attack, bombing) Natural Disaster (earthquake, volcano, landslide, storms)
• Pandemic Disease (bacteria, virus) Radiation (electromagnetic pulse)
• Weather (Sandstorm, humidity, flood, lightning)

Question 10

DISPOSAL PHASE

Answer 10

Information preservation Media sanitization
Hardware and software disposal

Question 11

• Premises that contain critical information or systems require special protection.

The following controls are related to the physical security of premises.
* One of the controls is to establish the security perimeter as the outer boundary.
* This perimeter should contain all critical assets. Within this perimeter, there may be more secure areas or enclaves.

Answer 11

Physical security of premises and offices

Question 12

• Protect information-processing equipment physically to minimize the risk of unauthorized access to information and to safeguard against loss or damage.
• Offsite computing systems for reconstitution or contingency operations should also be addressed in a physical security plan.

Answer 12

Physical security of equipment

Question 13

Physical Entry Controls

Answer 13

• Employee Access
• Visitor Access

Question 14

Positive identification and access control are mandatory; therefore, all employees should be required to always wear some form of visible identification (ID badge) whenever they are on the premises.

Answer 14

Employee Access

Question 15

require redundancy in electric power system availability. (UPS or Backup Generators)

Answer 15

Electrical Power

Question 16

• Maintenance of information processing equipment based on the manufacturer’s recommended service intervals and specifications.
• All maintenance services to the equipment either onsite or sent off from the premises also need to be recorded and tracked.

Answer 16

Equipment Maintenance

Question 17

Use of any equipment outside an organization’s premises should be authorized by management.

Answer 17

PHYSICAL SECURITY OF EQUIPMENT OFF-PREMISES

Question 18

Careless disposal, disposition, or recycling of equipment can put information at risk.

Answer 18

SECURE DISPOSAL AND REUSE OF EQUIPMENT

Question 19

These devices can help mitigate the risks associated with malicious code and the loss of proprietary information by raising employee awareness about removable media usage policies and minimizing potential damage.

Answer 19

MANAGEMENT OF REMOVABLE MEDIA

Question 20

Disposal of Media
The following are some guidelines of proper media disposal:

Answer 20

1. Electronic media
2. Printed materials

Question 21

• containing sensitive customer information should be degaussed prior to disposal.
• Degaussing completely erases the information stored on the magnetic surface.

Answer 21

Electronic media

Question 22

which hold confidential and restricted data, should be
destroyed in a secure way, such as by shredding

Answer 22

Printed materials

Question 23

An effective AT&E program has four stages:

Answer 23

literacy, awareness, training, and education (LATE).

Question 24

• To cultivate a strong information assurance culture among employees, emphasize the organization’s commitment to safeguarding information assets through training

Answer 24

Purpose of the AT&E Program

Question 25

Types of Learning Programs

Answer 25

1. IA AWARENESS
2. IA TRAINING
3. IA EDUCATION

Question 26

serve to motivate a sense of responsibility and encourage employees to be more cautious about their work environment.

Answer 26

IA AWARENESS

Question 27

Training aims to teach or improve an individual’s skill, knowledge, or attitude, which allows a person to carry out a specific function.

Answer 27

IA TRAINING

Question 28

Using internalized concepts and skills to perform operations such as analyzing, evaluating, and judging to reach **higher cognitive-level decisions **.

Answer 28

IA EDUCATION

Question 29

Restrict internet access for end users, enabling administrators to block specific websites based on local policies.

Answer 29

Content Filters

Question 30

Examples of protocols that implement network services

Answer 30

1. Secure Sockets Layer (SSL)
2. Transport Layer Security (TLS)
3. IP Security (IPSec) protocols

Question 31

preferred information security protocols in web environments

Answer 31

TLS and SSL

Question 32

are preferred for implementing virtual private networks (VPNs).

Answer 32

IPSec

Question 33

Preventive Information Assurance Tools

Answer 33

1. backup
2. Change and Configuration Management
3. IT Support
4. Media Controls and Documentation
5. Patch Management

Question 34

Primary information assurance control.

Answer 34

FIREWALLS

Question 35

Enforces organizational infosec policies by analyzing network traffic (Content- based and Anomaly-based)

Answer 35

NETWORK INTRUSION PREVENTION SYSTEM

Question 36

Serve as intermediaries between clients and the internet. (e.g., gateway)

Answer 36

PROXY SERVERS

Question 37

A secure network that uses the Internet for user connections, ensuring security through encryption. (e.g., IPSec, SSL, and PPTP)

Answer 37

VIRTUAL PRIVATE NETWORKS

Question 38

Provides secure communication over unsecured networks.

Answer 38

PUBLIC KEY INFRASTRUCTURE

Question 39

In a dynamic tech landscape, organizations must adapt and bolster their security measures.

Answer 39

Preventive Information Assurance Controls

Question 40

Vital for information assurance, providing copies of data, software, and hardware. (e.g., full, differential, incremental, and mirror)

Answer 40

Backups

Question 41

Organizations must adapt constantly in an ever-changing environment. (e.g., alliances, market demands, competition, operations, and regulations)

Answer 41

Change and Configuration Management

Question 42

Handles various issues. Trained technicians
address security problems.

Answer 42

IT Support

Question 43

Securing information goes beyond servers;
* Environmental safeguards against fires, temperature, and humidity issues.
* Usage logging (e.g., check-in/check-out).
* Maintenance (data overwriting, disposal).
* Unauthorized access prevention.
* Proper labeling (owner, date, version, classification).
* Storage options (off-site or locked server rooms).

Answer 43

Media Controls and Documentation

Question 44

Involves timely and planned updates
* Establishing dedicated resources
* Monitoring/identifying patches
* Identifying risk in applying a patch
* Testing a patch before installing

Answer 44

Patch Management

Question 45

should protect vital resources not only from unauthorized external access but also from internal attacks.

Answer 45

ACCESS CONTROL SYSTEM

Question 46

prevents actions on an object (target to be accessed) by unauthorized users (subjects).

Answer 46

ACCESS CONTROL SYSTEM

Question 47

is the first line of defense to protect the system from unauthorized modification

Answer 47

ACCESS CONTROL SYSTEM

Question 48

ACCESS CONTROL TYPES

Answer 48

1. physical
2. logical

Question 49

it serves as an auditing tool (to trace information security breaches, incidents, and events).

Answer 49

ACCESS CONTROL SYSTEM

Question 50

• Organizations usually manage physical access with human, technological, or mechanical controls.
• A physical control might be biometric identification technology used to restrict entry to a property, a building, or a room to authorized persons.

Answer 50

PHYSICAL

Question 51

• Logical access controls manage access based on processes such as identification, authentication, authorization, and accountability.
• Examples of logical access controls are digital signatures and hashing.

Answer 51

LOGICAL

Question 52

Access Control Models

Answer 52

1. Discretionary
2. Mandatory
3. Role-based

Question 53

• Owner of the object determines the access policy.
• Owner decides which subjects may access the object and what privileges the subject has.
• This model is adapted by Windows, Apple and various linux system

Answer 53

Discretionary

Question 54

• control access to sensitive or controlled data in systems with multiple level classification
• Owner does not establish access policy since the system decides on the access control based on the information security classification and policy rules

Answer 54

Mandatory

Question 55

• Uses a centrally managed set of rules, which grants access to objects based on the roles of the subject
• Since subjects are not assigned permission directly like other models, they acquire it through roles and the management of access becomes relatively easier

Answer 55

Role-based

Question 56

• uses simple rules to determine the result of privileges, which a subject can have over an object.
• determines what can and cannot be allowed.

Answer 56

RULE-BASED ACCESS CONTROL

Question 57

• a static, abstract, formal computer protection and information assurance model used in computer systems
• represents the relationship of subjects and objects in a tabulated form

Answer 57

ACCESS CONTROL MATRIX

Question 58

a list containing information about the individual or group permission given to an object; the ACL specifies the access level and functions allowed onto the object.

Answer 58

ACCESS CONTROL LISTS

Question 59

ACCESS CONTROL LISTS TWO TYPES

Answer 59

1. Network
2. File system

Question 60

implemented on servers and routers

Answer 60

Network

Question 61

implement file access by tracking subjects’ access to objects

Answer 61

File System

Question 62

Access Control Techniques

Answer 62

1. rule-based access control
2. access control matrix
3. access control list
4. capability table
5. contrained user interfaces
6. content-dependent access control
7. context-dependent access control

Question 63

• an authorization table that identifies a subject and specifies the access right allowed to that subject
• the rows list the capabilities that the subject can have
• frequently used to implement the RBAC model

Answer 63

CAPABILITY TABLES

Question 64

• technique is used in databases
• access to objects is dependent on the content of the objects aims at controlling the availability of information by means of views

Answer 64

CONTENT-DEPENDENT ACCESS CONTROL

Question 65

defines the access controls of a subject on objects based on a context or situation

Answer 65

CONTEXT-DEPENDENT ACCESS CONTROL

Question 66

• contained in a department, unit or information security administrator
• ensures uniformity
• simplified method and cost effective
• slow because all changes are processed by single entity

Answer 66

ACCESS CONTROL ADMINISTRATION - CENTRALIZED

Question 67

• gives control to people who are closer to the objects
• does not ensure uniformity more relaxed
• faster since changes are made to function rather to the whole organization

Answer 67

ACCESS CONTROL ADMINISTRATION -DECENTRALIZED

Question 68

a way to limit access of subjects to a resource or information by presenting them with only the information, function, or access to the resource for which they have privileges.

Answer 68

CONSTRAINED USER INTERFACES