Information Security Risk Management

Question 1

a combination of public and private clouds

Answer 1

Hybrid cloud

Question 2

a cloud service reserved for only one customer or company

Answer 2

Private cloud

Question 3

IaaS

Answer 3

(Infrastructure-as-a-Service)

Question 4

Paas

Answer 4

(Platform-as-a-Service)

Question 5

SaaS

Answer 5

(Software-as-a-Service)

Question 6

a cloud-based system managed by a cloud provider and shared among multiple customers, like

Answer 6

Public cloud

Question 7

It’s simply means that the application is running in a shared environment. Businesses must make sure that there is adequate isolation between different processes in shared environments.

Answer 7

Cloud Security

Question 8

The sender must not be able to deny sending the data or communication.

Answer 8

(non-repudiation)

Question 9

The recipient should be able to ______ the sender,

Answer 9

authenticate

Question 10

Its _______ must be maintained in transit (meaning the data isn’t altered)

Answer 10

integrity

Question 11

Information must be kept __________

Answer 11

confidential

Question 12

are commonly used in cryptography to validate the authenticity of data.

Answer 12

Digital Signatures

Question 13

Encrypting data in transit and data at rest helps ensure data confidentiality and integrity.

Answer 13

Encryption

Question 14

Validates that a user has permission to access the application by comparing the user’s identity with a list of authorized users

Answer 14

Authorization

Question 15

Software developers build procedures into an application to ensure that only authorized users gain access to it. This procedure ensure that a user is who they say they are.

Answer 15

Authentication

Question 16

Involves using a mathematical algorithm called a hash function to convert input data into a fixed-size string of characters, known as a hash value or hash code.

Answer 16

Hash Function

Question 17

• One key is used to only encrypt the data (the public key) and another key is used to decrypt (the private key).

Answer 17

Asymmetric Cryptography

Question 18

The same key used to encrypt the data is used to decrypt the data. This makes sharing the key difficult, as anyone who intercepts the message and sees the key can then decrypt your data

Answer 18

Symmetric Cryptography

Question 19

Resource owners can manage access using discretionary access control (DAC).

Answer 19

Discretionary Access Control (DAC):

Question 20

Authorization based on preestablished rules is known as rule-based authorization.

Answer 20

Rule-Based Authorization:

Question 21

ABAC bases choices on the user, resource, and context attributes. It makes use of rules that specify circumstances affecting these characteristics.

Answer 21

ABAC (Attribute-Based Authorization):

Question 22

Role-Based Authorization (RBAC): RBAC grants access permissions based on the roles allocated to users.

Answer 22

Authorization

Question 23

This authorization technique verifies the user using the authorization server’s authentication. an interoperable authentication protocol based on the OAuth 2.0 framework of specifications

Answer 23

OpenID Authorization

Question 24

This authorization technique enables an API to authenticate and provide access (access token) to the user for the requested resource or action.

Answer 24

Oauth

Question 25

Its primary role in online security is that it enables you to access multiple web applications using one set of login credentials. It works by passing authentication information in a particular format between two parties, usually an identity provider (idP) and a web application

Answer 25

SAMlL

Question 26

This authorization technique is a Single Sign-On format, also called SS0, in which the authentication information is transferred through XML documents signed digitally

Answer 26

SAML (Security Assertion Markup Language):

Question 27

Validates that a user has permission to access the application by comparing the user�s identity with a list of authorized users

Answer 27

AUTHORIZATION

Question 28

The best authentication method should not compromise a user�

Answer 28

PRIVACY

Question 29

If your authentication process ask the user to follow too many instructions, or if it takes too long, or it needs repeated attempts before succeeds, there�s a risk of drop-offs and lost business, this impacts any organization, whether it�s a retailer dealing with abandoned baskets or citizens failing to return to access online government services

Answer 29

COMPLETION RATES

Question 30

Its possible to make things too easy

Answer 30

REASSURANCE

Question 31

Customers value convenience, and some authentication methods are better than others in this regard

Answer 31

CONVENIENCE

Question 32

If authentication is overly complex, people find workarounds � consider who your service is aimed at but remember to be inclusive, most online services need to offer maximum inclusivity, so simplicity and effortlessness are always the aim

Answer 32

USABILITY

Question 33

If the risk profile of the transaction is high, you�ll need a more secure method of authentication

Answer 33

SECURITY

Question 34

Where you are

Answer 34

LOCATION FACTOR

Question 35

What you are

Answer 35

INHERENCE FACTOR

Question 36

What you have

Answer 36

POSSESSION FACTOR

Question 37

What you knew

Answer 37

KNOWLEDGE FACTOR

Question 38

The combination of the following factors

Answer 38

? Multi-Factor Authentication (MFA)

Question 39

Security system that requires combination of distinct forms of identification in order to access something or confirm an identity

Answer 39

? Dual- Factor Authentication (2FA)

Question 40

A process for securing access to a given system such as a network or a website, that identifies the party requesting access through only one category of credentials

Answer 40

? Single- Factor Authentication (SFA)

Question 41

The individuality of authentication o When you claim to be someone, you need to provide further information to prove that you are who you say you are

Answer 41

FACTOR

Question 42

Where you are

Answer 42

USERS LOCATION

Question 43

Something who you are - Biometrics such as fingerprints

Answer 43

USERS CHARACTERISTICS

Question 44

Something that you have - Tangible assets( smartphones, laptops, wearable devices), OTP

Answer 44

USERS POSSESSIONS

Question 45

Something that you know; memory sharpness - Passwords/ passcodes/ pins

Answer 45

USERS KNOWLEDGE

Question 46

Software developers build procedures to ensure that only authorized users gain access to it

Answer 46

AUTHENTICATION

Question 47

Commonly used when logging into an account or authorizing a financial transaction remotely

Answer 47

AUTHENTICATION

Question 48

Needed to securely identify online users

Answer 48

AUTHENTICATION

Question 49

These vulnerabilities may be found in authentication and authorization of users, integrity of code and configurations, and mature policies and procedure.

Answer 49

APPLICATION SECURITY

Question 50

Covers software vulnerabilities in web and mobile applications and application programming interfaces(APIs)

Answer 50

APPLICATION SECURITY

Question 51

Risk management reporting ensures that those responsible for governance, oversight, and compliance are well-informed and can make decisions that align with the organization�s security objectives

Answer 51

MONITORING & REPORTING

Question 52

Another critical aspect is the reporting processincludes creating detailed reports, presentations, or dashboards that convey complex information in a format understandable to non-technical stakeholders

Answer 52

MONITORING & REPORTING

Question 53

Must monitor risk and update treatment plans regularly because new assets, vulnerabilities, threats, and controls are constantly emerging

Answer 53

MONITORING & REPORTING

Question 54

A continuous process

Answer 54

MONITORING & REPORTING

Question 55

Discontinuing the use of a software application

Answer 55

AVOIDANCE

Question 56

Eliminating risk by changing processes, technologies, or practices

Answer 56

AVOIDANCE

Question 57

For risk that are too costly or difficult to mitigate

Answer 57

ACCEPTANCE

Question 58

A strategy appropriate for risk that are low in likelihood or impact

Answer 58

ACCEPTANCE

Question 59

Making a conscious decision to accept the risk

Answer 59

ACCEPTANCE

Question 60

Transferring the risk to another party

Answer 60

Transference

Question 61

Lessen the risk by implementing a business continuity plan or educating employees on cybersecurity best practices

Answer 61

MITIGATION

Question 62

Reducing the likelihood or impact of a risk

Answer 62

MITIGATION

Question 63

Patching a software vulnerability or implementing a new security control

Answer 63

REMEDIATION

Question 64

Eliminating the underlying vulnerability that is creating the risk

Answer 64

REMEDIATION

Question 65

There is involvement

Answer 65

Risk

Question 66

The likelihood of a hazard causing harm

Answer 66

Risk

Question 67

something that has the potential to harm

Answer 67

HAZARD

Question 68

No contactor involvement

Answer 68

HAZARD

Question 69

Risk scoring is not a precise science

Answer 69

PRIORITIZING RISK

Question 70

RISK = LIKELIHOOD x IMPACT

Answer 70

PRIORITIZING RISK

Question 71

Not all risk are equal

Answer 71

PRIORITIZING RISK

Question 72

Impact is the severity of the consequences if it does occur

Answer 72

RISK ASSESSMENT

Question 73

Likelihood is the probability of the danger

Answer 73

RISK ASSESSMENT

Question 74

Can be preventive like firewalls, or detective like security monitoring and log reviews

Answer 74

CONTROL

Question 75

Measures that organizations implement to mitigate risk

Answer 75

CONTROL

Question 76

Bugs are unintentional and seen on codes while malwares are intentional to harm the system

Answer 76

VULNERABILITY

Question 77

Can be technical (software bugs, security configuration flaws) or procedural (no strong password policy, lack of training)

Answer 77

VULNERABILITY

Question 78

Are weaknesses

Answer 78

VULNERABILITY

Question 79

Can be internal ( malicious insiders) or external ( hackers, cyber criminals, natural disasters)

Answer 79

THREATS

Question 80

Actors or events that could exploit vulnerabilities and harm assets

Answer 80

THREATS

Question 81

Digital assets like data, software and intellectual property

Answer 81

ASSETS

Question 82

Physical equipment like server, laptops, and mobile devices

Answer 82

ASSETS

Question 83

End goal of this process is treat risk in accordance with an organizations overall risk tolerance

Answer 83

Information Security Risk Management

Question 84

Phases, Identifying, assessing and treating risks

Answer 84

Information Security Risk Management

Question 85

Process of managing risks associated with the use of Information Technology

Answer 85

Information Security Risk Management