Security and Risk Management Flashcards

Understand key concepts and facts in the Security and Risk Management domain.

1
Q

Information security objectives are to provide:

A) Accountability, Confidentiality and Integrity
B) Confidentiality, Audit and Availability
C) Availability, Confidentiality and Integrity
D) None of the above

A

C) Availability, Confidentiality and Integrity

2
Q

A(n) _____ is a weakness in a system which allows a threat source to compromise its security.

A) Vulnerability
B) Risk
C) Exploit
D) None of the above

A

A) Vulnerability

3
Q

A ______ is the possibility that someone or something could exploit a vulnerability, accidentally or intentionally, causing harm to an asset.

A) Risk
B) Threat
C) Vulnerability
D) Exploit

A

B) Threat

4
Q

A _____ is the probability of a threat agent exploiting a vulnerability and the potential for loss from that exploit.

A) Loss Expectancy
B) Risk
C) Likelihood
D) Residual Risk

A

B) Risk

5
Q

What mitigates a risk?

i. Countermeasure
ii. Avoidance
iii. Control
iv. Safeguard

A) i
B) ii and iii
C) i, iii, iv
D) All of the above

A

C) i, iii, iv

‘Countermeasure’, ‘control’ and ‘safeguard’ may be used interchangeably for the same mitigation of risk.

‘Avoidance’ and ‘mitigation’ of risk are two different options for addressing risk; ‘avoidance’ does not itself ‘mitigate’ risk.

6
Q

A control can be characterized by one of the following:

A) Avoidance, acceptance, or transference
B) Administrative, technical, or empirical
C) Logical, mitigation or remediation
D) Administrative, technical, or physical

A

D) Administrative, technical, or physical

7
Q

A ____ control is put into place for financial or business function reasons.

A) Administrative
B) Acceptance
C) Compensating
D) None of the above

A

C) Compensating

8
Q

One framework for IT governance and control objectives is:

A) Six Sigma
B) NIST
C) SANS
D) COBIT

A

D) COBIT

9
Q

The standard for the establishment, implementation, control and improvement of the information security management system is:

A) ISO 27005
B) ISO 27004
C) ISO 27001
D) OCTAVE

A

C) ISO 27001

10
Q

What is used to develop architectures for specific stakeholders and to present information in ‘views’?

A) Constrained user interfaces
B) The KANBAN methodology
C) NIST 800-53
D) Enterprise architecture frameworks

A

D) Enterprise architecture frameworks

11
Q

A coherent set of policies, processes and systems to manage risks is, according to ISO 27001, called:

A) Risk management lifecycle
B) SIEM
C) Information Security Management System (ISMS)
D) None of the above

A

C) Information Security Management System (ISMS)

12
Q

Enterprise security architecture is a subset of:

A) Data architecture
B) Enterprise architecture
C) Business architecture
D) Classical architecture

A

B) Enterprise architecture

Enterprise security architecture is a subset of the overall enterprise architecture; it describes how security fits into the enterprise's business, data, application and technology architectures.

13
Q

A _____ is a functional definition for the integration of technology into business processes.

A) Roadmap
B) Blueprint
C) Procedure
D) None of the above

A

B) Blueprint

14
Q

Enterprise architecture is used to build individual architectures that best map to:

A) Users
B) Business teams
C) Business drivers
D) All of the above

A

C) Business drivers

15
Q

SABSA is a(n):

A) Capability Maturity Model
B) Security enterprise architecture framework
C) Enterprise architecture framework
D) Continuous improvement process

A

B) Security enterprise architecture framework

16
Q

____ is a governance model used to help prevent fraud within a corporate setting.

A) PCI-DSS
B) COSO Internal Control-Integrated Framework
C) Sarbanes Oxley
D) SANS

A

B) COSO Internal Control-Integrated Framework

17
Q

____ is/are a set of best practices for service management.

A) ISO
B) NIST
C) ITIL
D) All of the above

A

C) ITIL

18
Q

A framework used to identify process defects in order to remedy them is:

A) CMMI
B) SABSA
C) ITIL
D) Six Sigma

A

D) Six Sigma

19
Q

____ is a maturity model which allows for processes to improve in an incremental and standard fashion.

A) SABSA
B) Six Sigma
C) CMMI
D) ITIL

A

C) CMMI

20
Q

Security enterprise architecture should include:

i. Strategic alignment
ii. Control implementation
iii. Business enablement
iv. Business planning

A) i, iii
B) i, iv
C) ii, iii
D) i, ii, iii

A

A) i, iii

An enterprise security architecture should deliver strategic alignment, business enablement, process enhancement and security effectiveness. Implementing individual controls and business planning are activities that happen within or alongside the architecture, not defining characteristics of it.

21
Q

NIST 800-53 identifies which of the following control categories:

i. Procedural
ii. Business
iii. Technical
iv. Operational
v. Management

A) i, iii, iv
B) ii, iii, iv
C) iii, iv, v
D) ii, iii, iv

A

C) iii, iv, v

22
Q

The civil law system:

A) Is based on pre-written rules
B) Is based on precedent
C) Is different from tort law
D) Both A and C

A

D) Both A and C

23
Q

The common law system is made up of:

A) Criminal laws
B) Civil laws
C) Administrative laws
D) All of the above

A

D) All of the above

24
Q

A customary law system:

A) Addresses primarily personal conduct
B) Uses local/regional customs and traditions as its foundation
C) Is usually mixed with another type of legal system
D) All of the above

A

D) All of the above

25
Q

A religious law system:

A) Derives its laws from religious belief and addresses individual religious responsibilities
B) Is based on common law
C) Is based on civil law
D) None of the above

A

A) Derives its laws from religious belief and addresses individual religious responsibilities

26
Q

A mixed law system:

A) Uses only civil and common law
B) Uses only civil and customary law
C) Uses two or more legal systems
D) None of the above

A

C) Uses two or more legal systems

27
Q

____ deals with individual conduct that violates government laws which protect the public.

A) Tort law
B) Criminal law
C) Common law
D) Civil law

A

B) Criminal law

28
Q

____ deals with wrongs committed against individuals or companies which result in injuries or damages.

A) Tort law
B) Criminal law
C) Common law
D) Civil law

A

D) Civil law

29
Q

What type of law deals with standards of performance or conduct for companies, industries and officials?

A) Civil law
B) Administrative law
C) Tort law
D) Statutes

A

B) Administrative law

30
Q

What grants ownership rights and enables the owner to enforce those rights?

A) Copyright
B) Trademark
C) Patent
D) All of the above

A

C) Patent

31
Q

____ protects the expression of ideas–not the ideas themselves.

A) Copyright
B) Trademark
C) Patent
D) All of the above

A

A) Copyright

32
Q

___ protects words, shapes, symbols, colors or combinations of these items used to identify a product and/or company.

A) Copyright
B) Trademark
C) Patent
D) All of the above

A

B) Trademark

33
Q

What is the term commonly used to describe knowledge proprietary to a company, including that which provides a competitive edge?

A) Confidential information
B) Trade secrets
C) Patent
D) None of the above

A

B) Trade secrets

34
Q

Which of the following has raised issues of court jurisdiction?

A) Sarbanes Oxley
B) PCI-DSS
C) Civil law
D) Internet crimes

A

D) Internet crimes

35
Q

Privacy laws for government agencies enforce which of the following principles?

i. Information must be collected fairly and lawfully
ii. Information must be used only for the purpose for which it was obtained
iii. Information must be held only for a reasonable period
iv. Information must be accurate and timely

A) i
B) ii, iii
C) i, iii, iv
D) i, ii, iii, iv

A

D) i, ii, iii, iv

36
Q

When choosing a safeguard to reduce risk, which of the following should be considered?

A) Cost
B) Functionality
C) Effectiveness
D) All of the above

A

D) All of the above

In addition, a cost/benefit analysis should be performed.