Requirements Pt.1 Flashcards
Which term is used to describe the minimum acceptable configuration for a system or component?
- Guideline
- Policy
- Baseline
- Procedure
Baseline
What is the primary purpose of doing data classification?
- To protect against legal liability for a breach
- To ensure the secure operation of systems by users
- To protect sensitive data from disclosure
- To ensure that all data is protected appropriately
To ensure that all data is protected appropriately
What is a common mistake made in requirements gathering?
- To overstate skill of developers
- To focus on use and not security
- To fix requirements so that they cannot be changed
- To underestimate time for testing
To focus on use and not security
What two terms are commonly used to classify data?
- Age and usefulness
- Archival and creation
- Impact and likelihood
- Sensitivity and criticality
Sensitivity and criticality
Which document is used to track all requirements in one central place?
- Configuration Management Database (CMDB)
- Requirements Tracking System (RTS)
- Requirements Traceability Matrix (RTM)
- Change Control Board (CCB)
Requirements Traceability Matrix (RTM)
What does “protection of IP” refer to?
- Trade secrets
- Intelligence policy
- Improvement processes
- Internet procedures
Trade secrets
What can help ensure that requirements are gathered correctly?
- To develop a customized solution for each software project
- To interview managers and system architects
- To follow external standards and regulations
- To seek to discover business needs
To seek to discover business needs
What is a characteristic of a “good” overarching security policy?
- Complex/detailed
- Technical
- Comprehensive
- Understandable
Understandable
What is the main purpose of gathering security requirements?
- To develop a control framework
- To develop software that meets business requirements
- To ensure development of a comprehensive test plan
- To ensure adequate budget and management support
To develop a control framework
What forms of data must be protected during the data lifecycle?
- Unclassified
- Public
- Deleted
- Paper
Paper
WTF does that even mean?
Which term is used to describe the way a new user is registered on the system in a consistent manner?
- Standard
- Baseline
- Recommendation
- Procedure
Procedure
What does the term “Big Data” often refer to?
- Reporting on external data compliance
- Analysis of unstructured data
- Protection of highly sensitive data
- Massive storage of archived data
Analysis of unstructured data
What is a common problem with software requirements?
- Inflexible to changing business requirements
- Too technical and product-oriented
- Focused on both long and short term needs
- Insufficient detail and depth
Inflexible to changing business requirements
In addition to a recognition of a security requirement, what other effect may a policy have on the organization?
- Additional regulations
- Increased liability
- Prioritization of threats
- Ignorance of risk
Increased liability
Policy is an admission of knowledge of actions to be taken… was action taken?
What is the responsibility of the data or information owner?
- To monitor and audit for data usage and compliance
- To limit access to authorized users of a specific system
- To ensure protection of sensitive data on all systems or procedures
- To follow data access procedures mandated by the system owner
To ensure protection of sensitive data on all systems or procedures
What is a concern with the long-term archiving of electronic data?
- Size of storage buildings required
- Lack of replication
- Network connectivity
- Age of storage media
Age of storage media
What is a common method of hiding sensitive data in a database that is accessed by an application?
- View-based access control
- Multiple paths to information
- Logging of all access
- Constrained User Interface
View-based access control
What term is used to describe the process of sanitizing production data so that it is protected from improper disclosure?
- Anonymization
- Logging
- Inference
- Deletion
Anonymization
Information security is usually considered which type of requirement?
- Managerial
- Preventive
- Non-functional
- Environmental
Non-functional
Which of the following are the common roles with regard to data in an information classification program? Each correct answer represents a complete solution. Choose all that apply.
- Editor
- Custodian
- Owner
- User
- Security auditor
Custodian, Owner, User, Security auditor
- Owner: Determining what level of classification the information requires. Reviewing the classification assignments at regular time intervals and making changes as the business needs change. Delegating the responsibility of the data protection duties to the custodian.
- Custodian: Running regular backups and routinely testing the validity of the backup data. Performing data restoration from the backups when necessary. Controlling access by adding and removing privileges for individual users.
- User: Must comply with the requirements laid out in policies and procedures.
- Security auditor: Examines an organization’s security procedures and mechanisms.
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required to be addressed in a well-designed policy? Each correct answer represents a part of the solution. Choose all that apply.
- What is being secured?
- Where is the vulnerability, threat, or risk?
- Who is expected to exploit the vulnerability?
- Who is expected to comply with the policy?
What is being secured?; Where is the vulnerability, threat, or risk?; Who is expected to comply with the policy?
Which is the BEST technique to validate whether documented requirements are accurate?
- Observation
- Management input
- Surveys
- Analysis
Observation