Information Security 1

Question 1

5 Pillars of Information Assurance

Answer 1

1. Integrity
2. Availability
3. Confidentiality
4. Authentication
5. Non repudiation

Question 2

role of information assurance

Answer 2

to protect and defend information and information systems

Question 3

integrity

Answer 3

assurance that information is not tampered with

Question 4

authentication

Answer 4

assuring those who have access in information, are they say who they are

Question 5

availability

Answer 5

timely, reliable access to data for authorized users

Question 6

confidentiality

Answer 6

assurance that information is not disclosed to unauthorized persons

Question 7

non repudiation

Answer 7

someonewith access to your organizations
information system cannot deny having
completed an action within the system, as
there should be methods in place to prove
that they did make said action.

Question 8

2011-2016 National Security

Answer 8

It is to ensure the permanent inviolability of our national territory and its effective control by the Government and the State.

Question 9

Republic Act No. 8792

Answer 9

• recognizes use of electronic commercial and non-commercial transactions and electronic signature
• legal recognition to electronic data messages, electronic documents and electronic signatures

Question 10

REPUBLIC ACT NO. 9995

Answer 10

protects the victims who are made to believe that they are performing sexual acts in private

Question 11

Republic Act No. 10173

Answer 11

aims to protect personal data in information and communications systems both in the government and the private sector

Question 12

REPUBLIC ACT NO. 9775

Answer 12

“Child” refers to a person below eighteen (18) years of age or over but is unable to fully take care of, or protect, himself/herself from abuse, neglect, cruelty, exploitation or discrimination because of a physical or mental disability or condition.

Question 13

Republic Act No. 10175

Answer 13

completely address crimes committed against and by means of computer system

Question 14

• prevents negligence
• the development and implementation of
  policies and procedures to aid in performing the ongoing maintenance necessary to keep an information assurance process operating properly to protect assets and peoplefrom threats.

Answer 14

due care

Question 15

due care

Answer 15

development and implementation of policies and procedures to did in performing the ongoing maintenance necessary to keep information assurance process operating properly to protect assets and people from threats

Question 16

due diligence

Answer 16

is the reasonable investigation, research, and understanding of the risks an organization faces
before committing to a particular course of action. The organization should do its homework and ensure
ongoing monitoring.

Question 17

Implications from lack of AI

Answer 17

1. penalties from legal authorities
2. loss of information assets
3. customer loss
4. loss of image and reputation
5. operational losses and operational risk management

Question 18

information assurance fundamental expectations and common beliefs

Answer 18

1. be a business enabler
2. protect interconnecting element of an organization’s systems
3. be cost effective and cost benefitial
4. establish responsibility and accountability
5. require robust method
6. be assessed periodically
7. be restricted by social obligations

Question 19

includes all information an organization may process, store, transmit, or disseminate regardless of media. Thus, information on paper, on a hard drive, in the mind of an employee, or in the cloud is considered to be “in scope.”

Answer 19

Information assurance

Question 20

INFORMATION ASSURANCE AND SECURITY
PARTNER AGENCIES

Answer 20

1. DOST ICT Office
2. National Security Agency (NSA)
3. National Bureau of Investigation (NBI) -Cybercime
   Division
4. Philippine National Police
5. DOJ Office of Cybercrime
6. Data Privacy Commission

Question 21

Memorandum Order No. 37, s. 2001

Answer 21

PROVIDING FOR THE FOURTEEN PILLARS OF POLICY AND ACTION OF THE GOVERNMENT AGAINST TERRORISM

Question 22

Administrative Order No. 39, s. 2013

Answer 22

MANDATING GOVERNMENT AGENCIES TO MIGRATE TO THE GOVERNMENT WEB HOSTING SERVICE (GWHS) OF THE DEPARTMENT OF SCIENCE AND TECHNOLOGY-INFORMATION AND COMMUNICATIONS TECHNOLOGY OFFICE (DOST-ICTO)

Question 23

Executive Order No. 810, s. 2009

Answer 23

INSTITUTIONALIZING THE CERTIFICATION SCHEME FOR DIGITAL SIGNATURES AND DIRECTING THE APPLICATION OF DIGITAL SIGNATURES IN E-GOVERNMENT SERVICES

Question 24

ISO/IEC 27001:2005

Answer 24

specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization’s overall business risks.

Question 25

PNS ISO/IEC 27002:2005

Answer 25

(Information technology — Security techniques — Code of practice for information security management)

Question 26

Laws/Policies/Standards in force relating to cyber/information security (Abstract or summary of each document with URL pointing to authoritative source)

Answer 26

1. 2011-2016 National Security Policy
2. R.A. 8792 (E-Commerce Act)
3. R.A. 9775 (Anti-Child Pornography Act of 2009)
4. R.A. 9995 (Anti-Photo and Video Voyeurism Act of 2009)
5. R.A. 10173 (Data Privacy Act of 2012)
6. R.A. 10175 (Cybercrime Prevention Act of 2012)
7. M.O. 37, s2001 (Providing for the Fourteen Pillars of Policy and Action of the Government Against Terrorism – critical infrastructure is defined in this document and requires the preparation of a comprehensive security plan [1][a] above)
8. E.O. 810, s2009 (Institutionalizing the Certification Scheme for Digital Signature)
9. A.O. 39, s2013 (Government Web hosting Service of DOST ICT Office
10. PNS ISO/IEC 270001:2005 (Information technology — Security techniques — Information security management systems – Requirements)
11. PNS ISO/IEC 27002:2005 (Information technology — Security techniques — Code of practice for information security management)

Question 27

STRATEGIES OF INFORMATION ASSURANCE

Answer 27

1. COMPREHENSIVE
2. INDEPENDENT
3. LEGAL AND REGULATORY REQUIREMENTS
4. LIVING DOCUMENT
5. LONG LIFE SPAN
6. CUSTOMIZABLE AND PRAGMATIC
7. RISK-BASED APPROACH
8. ORGANIZATIONALLY SIGNIFICANT
9. STRATEGIC, TACTICAL, AND OPERATIONAL
10. CONCISE, WELLSTRUCTURED, AND EXTENSIBLE

Question 28

COMPREHENSIVE

Answer 28

programs should cover topics, areas, and domains needed for modern organizations. Each topic, domain, and area within a policy should contain sufficient breadth and detail to support strategic, tactical, and operational implementation

Question 29

A strategy should contain independent contents and perspectives related to the defined mission. Organizations are various sizes and use products and services from vendors

Answer 29

INDEPENDENT

Question 30

must be consistent with existing laws and regulations
applicable to but not limited to information assurance, human resources, healthcare, finance, disclosure, internal control, and privacy within the organizational context.

Answer 30

LEGAL AND REGULATORY
REQUIREMENTS

Question 31

organizations benefit from updated written policies,
procedures guidance, and standards to direct
operations. Organizations should use the ideas,
concepts, and approach outlined in this work to keep
their own policies, procedures, standards, and
practices up to date.

Answer 31

LIVING DOCUMENT

Question 32

To increase the value and relevance of an organization’s information assurance strategy, the strategy must focus on the fundamentals of information assurance that remain constant over time

Answer 32

LONG LIFE SPAN

Question 33

Organizations should adopt and adapt their tactical and operational plans to reflect identified organizational information assurance requirements and risk profiles.

Answer 33

CUSTOMIZABLE AND
PRAGMATIC

Question 34

must be broad enough to give guidance to subcomponents with diverse risk profiles. This is analogous to risk portfolio approaches in finance

Answer 34

RISK-BASED APPROACH

Question 35

should be considered significant in an organization’s strategy and ongoing operations, and it is a significant investment and area of concern for any organization.

Answer 35

ORGANIZATIONALLY
SIGNIFICANT

Question 36

provides a framework to assist senior managers
and executives in making strategic (long-term)
planning and decisions.

Answer 36

STRATEGIC, TACTICAL,
AND OPERATIONAL

Question 37

The structure and contents of the organization’s
information assurance strategy should
demonstrate high cohesion and low coupling.

Answer 37

CONCISE, WELL-STRUCTURED, AND EXTENSIBLE

Question 38

Security Controls for IA

Answer 38

1. PROTECTION OF CRITICAL AND SENSITIVE ASSETS
2. COMPLIANCE TO REGULATIONS AND CIRCULARS/LAWS
3. MEETING AUDIT AND COMPLIANCE REQUIREMENTS
4. PROVIDING COMPETITIVE ADVANTAGE

Question 39

Prior to implementing security controls, an
organization must identify the critical business
processes and value of the associated assets

Answer 39

PROTECTION OF CRITICAL AND
SENSITIVE ASSETS

Question 40

the organization is required to analyze how the
requirements can be addressed without compromising the policies and procedures already available within the organization.

Answer 40

COMPLIANCE TO REGULATIONS AND
CIRCULARS/LAWS

Question 41

is a process that checks and verifies compliance with
generally accepted standards, a particular
regulation, or a specific requirement

Answer 41

MEETING AUDIT AND COMPLIANCE
REQUIREMENTS

Question 42

Frequently, individuals fail to recognize that
information assurance is a competitive advantage.
Organizations with proactive controls stay competitive and survive longer.

Answer 42

PROVIDING COMPETITIVE
ADVANTAGE

Question 43

DEFENSE IN DEPTH

Answer 43

cannot be expected torespond to unknown and potentially urgent risk situations such as last-minute patches and catch-up planning, but it can reduce the
impact of such weaknesses

Question 44

SIX CHARACTERISTICS-OF A
DEFENSE-IN-DEPTH STRATEGY

Answer 44

1. Self-organizing
2. Adapting to unpredictable situations
3. Evolving in concert with an ever-changing environment
4. Reactively resilient
5. Proactively innovative
6. Harmonious with system purpose

Question 45

INFORMATION ASSET LIFE CYCLE

Answer 45

1. create
2. process
3. use of transmission
4. retain
5. dispose

Question 46

PLAN-DO-CHECK-ACT MODEL

Answer 46

• demonstrates the process of managing security throughout the life cycle
• includes implementation of continuous improvement process to attain an effective information management system

Question 47

Boyd’s OODA Loop

Answer 47

Observe
Orient
Decide
Act

Question 48

Boyd’s OODA Loop ORIENT

Answer 48

this step is designed to weed out bias and includes areas such as genetic heritage, cultural tradition, and previous experiences

Question 48

Boyd’s OODA Loop OBSERVE

Answer 48

gather raw information about the situation at hand. be as accurate and thorough as possible

Question 49

Boyd’s OODA Loop DECIDE

Answer 49

based on output of orientation, a decision is made to act

Question 50

Boyd’s OODA Loop ACT

Answer 50

the action is performed

Question 51

THE KILL CHAIN

Answer 51

US millitary targeting doctrine describes the kill chain as find, track, target, engage, and assess (FT2TEA)

Question 51

Organizations and institutions exist to train and equip security professionals

Answer 51

1. The International Information System Security Certification Consortium (ISC)2
2. The Computing Technology Industry Association (CompTIA)
3. Information System Audit and Control Association (ISACA)
4. Information System Security Association (ISSA)
5. SysAdmin, Audit, Network and Security (SANS)
6. Disaster Recovery Institute, International (DRII)
7. Business Continuity Institute (BCI)

Question 52

PROFESSIONAL CERTIFICATIONS