Security and Risk Management

Question 1

CIA Triad

Answer 1

Confidentiality, Integrity, and Availability

Question 2

Concepts of Confidentiality

Answer 2

Sensitivity- Quality of information
Discretion- Influence or control disclosure to minimize harm or damage
Criticality- Level of mission criticality
Concealment- Hiding or preventing disclosure
Secrecy- Maintaining a secret or preventing disclosure
Privacy- Keeping information confidential that is PII or that might cause harm, embarrassment, or disgrace to the individual
Seclusion- Storing data in out-of-way location
Isolation- Keeping information separated from others, prevents commingling of data and disclosure

Question 3

5 Elements of AAA Service

Answer 3

Identification- Claiming an identity
Authentication- Proving you are identity
Authorization- Defining allows and denials of resource and object access for identity
Auditing- Recording log of events for subject or object
Accounting- Reviewing log files to check for compliance and violations to hold accountability

Question 4

AAA Leads To

Answer 4

Nonrepudation- Subject cannot resort to denial. Established using digital certificates, session identifiers, transaction logs, access control mechanisms

Question 5

Protection Mechanisms

Answer 5

Common characteristics of security controls

Question 6

Layering

Answer 6

Defense in depth- Use of multiple controls in a series. Liner/Layer is better than parallel.

Question 7

Abstraction

Answer 7

Similar elements are put into groups, classes, and roles that are assigned security controls, restrictions, permissions as a collective. Subject Roles/Object Classification.

Question 8

Data Hiding

Answer 8

Preventing data from being discovered or accessed by a subject by positioning data in a logical storage compartment that is unseen by the subject

Question 9

Encryption

Answer 9

Art/science of hiding meaning or intent of communication from unintended recipients

Question 10

Security Governance

Answer 10

Collection of practices related to supporting, defining, and directing the organizational security efforts. Equates to Corporate/IT Governance. Implementation of a security solution and management method that are tightly connected.

Question 11

Security Management

Answer 11

Responsibility of upper management, not IT staff. Considered a business operation. Team responsible is autonomous. Security Plan MUST be approved by senior management.

Question 12

Security Management Planning

Answer 12

Ensures proper creation, implementation, and enforcement of a security policy

Question 13

Top Down Approach

Answer 13

Must be used. Begins with Senior Management and ends with Users.

Question 14

Security Management Plans

Answer 14

Strategic, Tactical, Operational

Question 15

Strategic Plans

Answer 15

Long term plan/stable. Defines organizational security purpose. Useful for 5 years if updated annually. Should include Risk Assessment.

Question 16

Tactical Plans

Answer 16

Midterm plan that provides more details on goals of strategic plan. Useful for 1 year. Includes project plans, acquisition plans, hiring plans, budget, maintenance, etc.

Question 17

Operational Plans

Answer 17

Short term, highly detailed plan. Must be updated monthly or quarterly. Includes resource allotments, budget requirements, staffing assignments, scheduling, and procedures.

Question 18

Change Management

Answer 18

Goal- to ensure any change does not compromise security. Purpose- to make changes subject to documentation and auditing and thus have it approved/scrutinized by senior management

Question 19

Change Advisory Board

Answer 19

Reviews and approves all changes

Question 20

Data Classification

Answer 20

Primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality

Question 21

Data Classification Basis

Answer 21

Usefulness, timeliness, value, cost, age, lifetime, storage, national security implications, who has access, who does not have access, disclosure/damage assessment.

Question 22

Declassification

Answer 22

Required once asset no longer warrants or needs protection of classification level

Question 23

Two Classification Schemes

Answer 23

Government/military and commercial business/private sector

Question 24

Government classification

Answer 24

Top-secret, secret, confidential, unclassified.

Top secret: unauthorized disclosure will have drastic effects and cause grave damage