Lesson 1: Comparing Security Roles and Security Controls Flashcards
How might the goals of basic network management not be well-aligned with the goals of security?
A. Management focuses on confidentiality and availability.
B. Management focuses on confidentiality over availability.
C. Management focuses on integrity and confidentiality.
D. Management focuses on availability over confidentiality.
D
A company has an annual contract with an outside firm to perform a security audit on their network. The purpose of the annual audit is to determine if the company is in compliance with their internal directives and policies for security control. Select the broad class of security control that accurately demonstrates the purpose of the audit.
A. Managerial
B. Technical
C. Physical
D. Compensating
A
A managerial control gives oversight of the information system, including the selection of other security controls. Regular scans and audits are an example of this type of control.
An engineer looks to implement security measures by following the five functions in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. When documenting the “detect” function, what does the engineer focus on?
A. Evaluate risks and threats
B. Install, operate, and decommission assets
C. Ongoing proactive monitoring
D. Restoration of systems and data
C
Detect refers to performing ongoing proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.
The IT department head returns from an industry conference feeling inspired by a presentation on the topic of cybersecurity frameworks. A meeting is scheduled with IT staff to brainstorm ideas for deploying security controls by category and function throughout the organization. Which of the following ideas are consistent with industry definitions? (Select all that apply.)
A. Deploy a technical control to enforce network access policies.
B. Deploy an operational control to monitor compliance with external regulations.
C. Schedule quarterly security awareness workshops as a preventive control to mitigate social engineering attacks.
D. Deploy agents to file servers to perform continuous backups to cloud storage as a corrective control to mitigate the impact of malware.
A, C, D
A technical control is enforced by computer hardware and software, such as an access control list (ACL) configured on a network firewall.
Monitoring of risk and compliance is a type of managerial control, not an operational control. Operational controls are categorized as those performed by people, such as security guards.
A preventive control such as user education and training is one that eliminates or reduces the likelihood of an attack before it can take place.
A corrective control such as backup is used following an attack to eliminate or mitigate its impact.
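The ACL named on this card, as an added illustration that is not part of the course material: a small Python evaluator with the first-match, implicit-deny semantics a firewall ACL uses, plus a check for rules that an earlier rule shadows (the kind of finding an audit of the control would raise, which is the managerial side of the same card). The addresses, subnets, rules, and the `Rule`, `evaluate` and `shadowed_rules` names are all constructed for this demo.

```python
"""Illustrative first-match ACL evaluator (added example, not from the course).

A technical control is enforced by software: here an ordered rule list is
checked top to bottom and anything unmatched hits an implicit deny, the same
semantics a firewall ACL uses. All rules and packets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def _net(cidr: str):
    """Translate the 'any' keyword into the all-addresses network."""
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: str                 # source CIDR, or "any"
    dst: str                 # destination CIDR, or "any"
    proto: str               # "tcp", "udp", "icmp", or "any"
    dst_port: Optional[int]  # None matches every port (e.g. for icmp)

    def matches(self, src_ip: str, dst_ip: str, proto: str,
                dst_port: Optional[int]) -> bool:
        return (
            ip_address(src_ip) in _net(self.src)
            and ip_address(dst_ip) in _net(self.dst)
            and self.proto in ("any", proto)
            and self.dst_port in (None, dst_port)
        )


# Constructed policy: the internal LAN may reach the web server on 443/tcp and
# the resolver on 53/udp; a quarantined subnet is blocked before the permits;
# the last rule is deliberately redundant so the audit below has a finding.
ACL: List[Rule] = [
    Rule("deny",   "10.0.99.0/24", "any",           "any",  None),
    Rule("permit", "10.0.0.0/16",  "192.0.2.10/32", "tcp",  443),
    Rule("permit", "10.0.0.0/16",  "192.0.2.53/32", "udp",  53),
    Rule("permit", "any",          "any",           "icmp", None),
    Rule("permit", "10.0.1.0/24",  "192.0.2.10/32", "tcp",  443),
]


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, proto: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule).

    An index of None means no rule matched and the implicit deny applied.
    """
    for i, rule in enumerate(acl):
        if rule.matches(src_ip, dst_ip, proto, dst_port):
            return rule.action, i
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Return indexes of rules that can never fire because an earlier rule
    already covers their whole source, destination, protocol and port.

    This is a review check on the technical control, not an enforcement step.
    """
    out = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (_net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))
                    and earlier.proto in ("any", later.proto)
                    and earlier.dst_port in (None, later.dst_port)):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    # Constructed packets: LAN host to web server, quarantined host, and an
    # SSH attempt that no rule permits.
    for pkt in [("10.0.1.5", "192.0.2.10", "tcp", 443),
                ("10.0.99.7", "192.0.2.10", "tcp", 443),
                ("10.0.1.5", "192.0.2.10", "tcp", 22)]:
        print(pkt, "->", evaluate(ACL, *pkt))
    print("shadowed rule indexes:", shadowed_rules(ACL))
```

Ordering is what makes the deny for the quarantined subnet effective: placed after the broad permit it would never be reached, which is exactly what the shadow check is there to catch.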
The _____ requires federal agencies to develop security policies for computer systems that process confidential information.
A. Sarbanes-Oxley Act (SOX)
B. Computer Security Act
C. Federal Information Security Management Act (FISMA)
D. Gramm-Leach-Bliley Act (GLBA)
B
The Computer Security Act (1987) specifically requires federal agencies to develop security policies for computer systems that process confidential information.
Which of the following has a cyber security framework (CSF) that focuses exclusively on IT security, rather than IT service provisioning?
A. National Institute of Standards and Technology (NIST)
B. International Organization for Standardization (ISO)
C. Control Objectives for Information and Related Technologies (COBIT)
D. Sherwood Applied Business Security Architecture (SABSA)
A
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a relatively new addition to the IT governance space, and is distinct from other frameworks by focusing exclusively on IT security, rather than IT service provision more generally.
Any external responsibility for an organization’s security lies mainly with which individuals?
A. The senior executives
B. Tech staff
C. Managers
D. Public relations
A
External responsibility for security (due care or liability) lies mainly with owners or senior executives. It is important to note that all employees share some measure of responsibility.
After a poorly handled security breach, a company updates its security policy to include an improved incident response plan. Which of the following security controls does this update address?
A. Compensating
B. Deterrent
C. Corrective
D. Detective
C
An incident response plan is corrective. It responds to and fixes an incident. It may also prevent its recurrence.
A compensating control serves as a substitute for a principal control, as recommended by a security standard.
A deterrent control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion.
A detective control may not prevent or deter access, but identifies and records any attempted or successful intrusion.
Which security related phrase relates to the integrity of data?
A. Availability
B. Modification
C. Knowledge
D. Non-repudiation
B
Integrity means that any data is stored and transferred as intended and that any modification is authorized. Integrity is part of the CIA triad.
The National Institute of Standards and Technology (NIST) provides a framework that classifies security-related functions. Which description aligns with the “respond” function?
A. Evaluate risks, threats, and vulnerabilities.
B. Perform ongoing, proactive monitoring.
C. Implement resilience to restore systems.
D. Identify, analyze, and eradicate threats.
D
The respond function covers identifying, analyzing, containing, and eradicating threats to systems and data once an incident has been detected. The identify function, by contrast, develops security policies and capabilities: it evaluates risks, threats, and vulnerabilities and recommends security controls to mitigate them (option A). Ongoing proactive monitoring (option B) is the detect function, and restoring systems through resilience (option C) is the recover function.