Securit+

Question 1

What is the CIA Triad?

Answer 1

Three principles of security control and management. Also known as the information security triad. Also referred to in reverse order as the AIC triad

Question 2

Confidentiality

Answer 2

The fundamental security goal of keeping information and communications private and protecting them from unauthorized access.

Question 3

Integrity

Answer 3

The fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications.

Question 4

Availability

Answer 4

The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need

Question 5

Non-repudiation

Answer 5

The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data

Question 6

National Institute of Standards and Technology (NIST)

Answer 6

Develops computer security standards used by US federal agencies and publishes cybersecurity best practice guides and research

Question 7

cybersecurity frameworks (CSF)

Answer 7

Standards, best practices, and guidelines for effective security risk management. Some frameworks are general in nature, while others are specific to industry or technology types.

Question 8

security controls

Answer 8

A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.

Question 9

Gap analysis

Answer 9

An analysis that measures the difference between the current and desired states in order to help assess the scope of work included in a project.

Question 10

identity and access management (IAM)

Answer 10

A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.

Question 11

Identification

Answer 11

The process by which a user account (and its credentials) is issued to the correct person. Sometimes referred to as enrollment.

Question 12

Authentication

Answer 12

A method of validating a particular entity’s or individual’s unique credentials.

Question 13

Authorization

Answer 13

The process of determining what rights and privileges a particular entity has.

Question 14

Accounting

Answer 14

Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.

Question 15

authentication, authorization, and accounting (AAA)

Answer 15

A security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.

Question 16

security control

Answer 16

A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.

Question 17

Managerial

Answer 17

The control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.

Question 18

Operational

Answer 18

A category of security control that is implemented by people.

Question 19

Technical

Answer 19

The control is implemented as a system (hardware, software, or firmware). For example, firewalls, antivirus software, and OS access control models are technical controls.

Question 20

Physical

Answer 20

Controls such as alarms, gateways, locks, lighting, security cameras, and security guards that deter and detect access to premises and hardware are often placed in a separate category to technical controls.

Question 21

Preventive

Answer 21

A type of security control that acts before an incident to eliminate or reduce the likelihood that an attack can succeed.

Question 22

Access control lists (ACL)

Answer 22

The collection of access control entries (ACEs) that determines which subjects (user accounts, host IP addresses, and so on) are allowed or denied access to the object and the privileges given (read-only, read/write, and so on).

Question 23

Detective

Answer 23

A type of security control that acts during an incident to identify or record that it is happening.

Question 24

Corrective

Answer 24

A type of security control that acts after an incident to eliminate or minimize its impact.

Question 25

Directive

Answer 25

A type of control that enforces a rule of behavior through a policy or contract.

Question 26

Deterrent

Answer 26

A type of security control that discourages intrusion attempts.

Question 27

Compensating

Answer 27

A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.

Question 28

Chief Information Officer (CIO)

Answer 28

A company officer with the primary responsibility for management of information technology assets and procedures.

Question 29

Chief Technology Officer (CTO)

Answer 29

A company officer with the primary role of making effective use of new and emerging computing platforms and innovations.

Question 30

Chief Security Officer (CSO)

Answer 30

Typically the job title of the person with overall responsibility for information assurance and systems security.

Question 31

Information Systems Security Officer (ISSO)

Answer 31

Organizational role with technical responsibilities for implementation of security policies, frameworks, and controls.

Question 32

Security operations center (SOC)

Answer 32

The location where security professionals monitor and protect critical information assets in an organization.

Question 33

Development and operations (DevOps)

Answer 33

A combination of software development and systems operations, and refers to the practice of integrating one discipline with the other.

Question 34

DevSecOps

Answer 34

A combination of software development, security operations, and systems operations, and refers to the practice of integrating each discipline with the others.

Question 35

Computer incident response team (CIRT)

Answer 35

Team with responsibility for incident response. The CSIRT must have expertise across a number of business domains (IT, HR, legal, and marketing, for instance).

Question 36

Vulnerability

Answer 36

A weakness that could be triggered accidentally or exploited intentionally to cause a security breach.

Question 37

Threat

Answer 37

A potential for an entity to exploit a vulnerability (that is, to breach security).

Question 38

Intentional

Answer 38

A threat actor with a malicious purpose.

Question 39

Unintentional

Answer 39

A threat actor that causes a vulnerability or exposes an attack vector without malicious intent.

Question 40

Risk

Answer 40

Likelihood and impact (or consequence) of a threat actor exercising a vulnerability.