Lesson 1

Question 1

Confidentiality

Answer 1

• Information should only be known to certain people

Question 2

Integrity

Answer 2

• Data is stored and transferred as intended and that any modification is
authorized

Question 3

Availability

Answer 3

• Information is accessible to those authorized to view or modify it

Question 4

• Non-repudiation

Answer 4

• Subjects cannot deny creating or modifying data

Question 5

Cybersecurity Framework

Answer 5

Identify, protect, detect, respond, Recover

Question 6

Information Security Roles and Responsibilities

Answer 6

• Overall responsibility
• Chief Security Officer (CSO)
• Chief Information Security Officer 
(CISO)
• Managerial
• Technical
• Information Systems Security 
Officer (ISSO)
• Non-technical
• Due care/liability

Question 7

Information Security Business Units

Answer 7

Security Operations Center (SOC)
• DevSecOps
• Development, security, and 
operations
• Incident response
• Cyber incident response team 
(CIRT)
• Computer security incident 
response team (CSIRT)
• Computer emergency response 
team (CERT)

Question 8

Security Control Categories

Answer 8

• Technical
• Controls implemented in operating 
systems, software, and security appliances
• Operational
• Controls that depend on a person for 
implementation
• Managerial
• Controls that give oversight of the system

Question 9

Security Control Functional Types (1)

Answer 9

Preventive
• Physically or logically restricts
unauthorized access
• Operates before an attack

• Detective
• May not prevent or deter access, but 
it will identify and record any 
attempted or successful intrusion
• Operates during an attack

• Corrective
• Responds to and fixes an incident 
and may also prevent its 
reoccurrence
• Operates after an attack

• Physical
• Controls such as alarms, gateways, and locks that deter access to premises and
hardware

• Deterrent
• May not physically or logically prevent access, but psychologically discourages
an attacker from attempting an intrusion

• Compensating
• Substitutes for a principal control

Question 10

CSF

Answer 10

(NIST) Cybersecurity Framework
(CSF) is a relatively new addition to the IT governance space and distinct from other
frameworks by focusing exclusively on IT security, rather than IT service provision more
generally

Question 11

RMF

Answer 11

Risk Managemetn Framework - designed for federal agencies

Question 12

FIPS

Answer 12

Federal Information Processing Standards (FIPS)

US Gov’t security standars for data and its

Question 13

ISO 27k

Answer 13

Information Security Standards

Question 14

ISO 31k

Answer 14

Enterprise risk management

Question 15

• Cloud Security Alliance

Answer 15

Cloud Security Alliance
• Security guidance for cloud service providers (CSPs)
• Enterprise reference architecture
• Cloud controls matrix

Question 16

SSAE)

Answer 16

Statements on Standards for Attestation Engagements are audit
specifications developed by the American Institute of Certified Public Accountants

SOC2 evaluates service provider
• Type I report assesses system design
• Type II report assesses ongoing effectiveness
• SOC3 public compliance report

Question 17

CIS

Answer 17

Center for Internet Security (CIS)
• The 20 CIS Controls
• CIS-RAM (Risk Assessment Method)

Question 18

OWASP

Answer 18

publishes several secure application development resources, such as
the Top 10 list of the most critical application security risks (

Question 19

SOX

Answer 19

Sarbanes-Oxley Act (SOX)

mandates the implementation of risk assessments, internal controls, and
audit procedures.

Question 20

Computer Security Act (1987)

Answer 20

requires federal agencies to

develop security policies for computer systems that process confidential information.

Question 21

FISMA

Answer 21

Federal Information Security Management Act (FISMA) was introduced to
govern the security of data processed by federal government agencies.

Question 22

GDPR

Answer 22

Fairness and the right to privacy,
as enacted by regulations such as the European Union’s General Data Protection
Regulation (GDPR), means that personal data cannot be collected, processed, or
retained without the individual’s informed consent.

Question 23

GLBA

Answer 23

Gramm–Leach–Bliley Act (GLBA) - for financial services

Question 24

CCPA

Answer 24

California Consumer Privacy Act

Question 25

ISO 22301

Answer 25

security & resilience, business continuity management

Question 26

ISO 27001

Answer 26

information security rules and requirements (compliance/regulations)

Question 27

ISO 27701

Answer 27

Privacy Information Management

Question 28

IS 27002

Answer 28

Information Security Best Practices