Security Governance Through Principles and Policies Flashcards

1
Q

Sensitivity

A

the quality of information that could cause harm or damage if disclosed. Maintaining the confidentiality of sensitive information helps to prevent that harm or damage.

2
Q

Discretion

A

an act of decision where an operator can influence or control disclosure in order to minimize harm or damage.

3
Q

Criticality

A

the level to which information is mission critical. The higher the criticality, the more likely the need to maintain the confidentiality of the information. Information with a high level of criticality is essential to the operation or function of the organization.

4
Q

Concealment

A

hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction. A related concept to concealment is security through obscurity, which is the concept of attempting to gain protection through hiding, silence, or secrecy. While security through obscurity is typically not considered a valid security measure, it may still have value in some cases.

5
Q

Secrecy

A

the act of keeping something a secret or preventing the disclosure of information.

6
Q

Privacy

A

keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.

7
Q

Seclusion

A

storing something in an out-of-the-way location. This location can also provide strict access controls. Seclusion can help enforce confidentiality protections.

8
Q

Isolation

A

the act of keeping something separated from others. Isolation can be used to prevent commingling of information or disclosure of information.

9
Q

Confidentiality

A
  • the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. The goal of confidentiality protection is to prevent or minimize unauthorized access to data. Confidentiality focuses security measures on ensuring that no one other than the intended recipient of a message receives it or is able to read it.
  • provides a means of protection for authorized users to access and interact with resources, while actively preventing unauthorized users from doing so.
  • common countermeasures include encryption, access controls, and steganography.
10
Q

Integrity

A

the concept of protecting the reliability and correctness of data, preventing unauthorized alterations of data.

  • ensures that data remains correct, unaltered, and preserved.
  • provides a means for authorized changes while protecting against intentional and malicious unauthorized activity (such as viruses and intrusions) as well as mistakes made by authorized users (such as errors or oversights).
11
Q

violation of confidentiality

A

These include capturing network traffic and stealing password files as well as social engineering, port scanning, shoulder surfing, eavesdropping, sniffing, escalation of privileges, and so on.

12
Q

violation of integrity

A

These include viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system back doors.

13
Q

Nonrepudiation

A
  • ensures that the subject of an activity or who caused an event cannot deny that the event occurred.
  • prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event. It is made possible through identification, authentication, authorization, accountability, and auditing.
  • established using digital certificates, session identifiers, transaction logs, and numerous other transactional and access control mechanisms.
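As an added example (not part of the original flashcards), the following Go program shows why a digital signature supports nonrepudiation and a shared-key MAC does not. Alice signs a message with an Ed25519 private key; anyone holding her public key can verify it, a tampered body or a relabeled sender fails verification, and the verifier produces the transaction-log line it would keep as evidence. The message text, party names, HMAC key and log format are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Signer is one party's long-term Ed25519 key pair. Only the holder of the
// private key can produce signatures that verify under Pub.
type Signer struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewSigner generates a fresh key pair for the named party.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, priv: priv, Pub: pub}, nil
}

// SignedMessage carries the body, the claimed sender and the signature.
type SignedMessage struct {
	Sender string
	Body   []byte
	Sig    []byte
}

// signedBytes is what actually gets signed: sender name plus body, so a
// signature cannot be re-attached to a message claiming a different sender.
func signedBytes(sender string, body []byte) []byte {
	return append([]byte(sender+"\x00"), body...)
}

// Sign produces a signature that only this Signer's private key could create.
func (s *Signer) Sign(body []byte) SignedMessage {
	return SignedMessage{
		Sender: s.Name,
		Body:   append([]byte(nil), body...),
		Sig:    ed25519.Sign(s.priv, signedBytes(s.Name, body)),
	}
}

// Verify checks m under the claimed sender's public key. Anyone holding that
// public key (recipient, auditor, court) can run this check, which is what
// makes the signature non-repudiable.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pub, signedBytes(m.Sender, m.Body), m.Sig)
}

// SharedKeyTag is an HMAC over the body under a key both parties hold. It
// proves integrity and that someone with the key produced it, but not which
// party: the recipient can compute the identical tag, so a tag cannot
// support nonrepudiation.
func SharedKeyTag(key, body []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return mac.Sum(nil)
}

// LogEntry is the transaction-log line a verifier would retain as evidence.
func LogEntry(m SignedMessage, verified bool) string {
	digest := sha256.Sum256(m.Body)
	sig := hex.EncodeToString(m.Sig)
	if len(sig) > 16 {
		sig = sig[:16] + "..."
	}
	return fmt.Sprintf("sender=%s body_sha256=%s sig=%s verified=%t",
		m.Sender, hex.EncodeToString(digest[:]), sig, verified)
}

func main() {
	alice, err := NewSigner("alice")
	if err != nil {
		panic(err)
	}
	msg := alice.Sign([]byte("transfer 100 to account 7")) // constructed sample
	fmt.Println(LogEntry(msg, Verify(alice.Pub, msg)))

	// Tampering in transit: the signature no longer verifies.
	forged := msg
	forged.Body = []byte("transfer 900 to account 7")
	fmt.Println(LogEntry(forged, Verify(alice.Pub, forged)))

	// Shared-key MAC: sender and recipient compute identical tags, so the tag
	// cannot show a third party which of them produced it.
	key := []byte("shared-secret-demo-key") // constructed
	fmt.Println("hmac tags equal:", hmac.Equal(
		SharedKeyTag(key, msg.Body), SharedKeyTag(key, msg.Body)))
}
```

The check that matters for nonrepudiation is that Verify needs only the public key: the recipient cannot forge a valid signature, so Alice cannot credibly claim the message came from someone else. A MAC fails that test because every holder of the key is an equally plausible author.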
14
Q

Availability

A

which means authorized subjects are granted timely and uninterrupted access to objects.

15
Q

AAA services and identification

A

identification - Claiming to be an identity when attempting to access a secured area or system
authentication - Proving that you are that identity
authorization - Defining the permissions (i.e., allow/grant and/or deny) of resource and object access for a specific identity
auditing - Recording a log of the events and activities related to the system and subjects
accounting (aka accountability) - Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions

16
Q

Layering

A

Performing security restrictions in a series means to perform one after the other in a linear fashion. Only through a series configuration will each attack be scanned, evaluated, or mitigated by every security control. In a series configuration, failure of a single security control does not render the entire solution ineffective. If security controls were implemented in parallel, a threat could pass through a single checkpoint that did not address its particular malicious activity.

17
Q

Abstraction

A

is used to define what types of data an object can contain, what types of functions can be performed on or by that object, and what capabilities that object has.
-simplifies security by enabling you to assign security controls to a group of objects collected by type or function.

18
Q

Data Hiding

A

the act of intentionally positioning data so that it is not viewable or accessible to an unauthorized subject, while security through obscurity is the idea of not informing a subject about an object being present and thus hoping that the subject will not discover the object.
-Security through obscurity does not actually implement any form of protection. It is instead an attempt to hope something important is not discovered by keeping knowledge of it a secret.

19
Q

Strategic Plan

A
  • a long-term plan that is fairly stable.
  • defines the organization’s security purpose. It also helps to understand security function and align it to the goals, mission, and objectives of the organization
  • Long-term goals and visions for the future are discussed in a strategic plan.
20
Q

Tactical Plan

A
  • a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based upon unpredicted events.
  • A tactical plan is typically useful for about a year and often prescribes and schedules the tasks necessary to accomplish organizational goals.
21
Q

Operational Plan

A
  • short-term, highly detailed plan based on the strategic and tactical plans. It is valid or useful only for a short time.
  • spells out how to accomplish the various goals of the organization, including resource allotments, budgetary requirements, staffing assignments, scheduling, and step-by-step implementation procedures.
22
Q

Data Classification

A
  • is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity.
  • is used to provide security mechanisms for storing, processing, and transferring data. It also addresses how data is removed from a system and destroyed.
23
Q

Seven major steps of classification scheme

A
  1. Identify the custodian, and define their responsibilities.
  2. Specify the evaluation criteria of how the information will be classified and labeled.
  3. Classify and label each resource. (The owner conducts this step, but a supervisor should review it.)
  4. Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria.
  5. Select the security controls that will be applied to each classification level to provide the necessary level of protection.
  6. Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity.
  7. Create an enterprise-wide awareness program to instruct all personnel about the classification system.
24
Q

Declassification

A
  • once an asset no longer warrants or needs the protection of its currently assigned classification or sensitivity level.
  • if the asset were new, it would be assigned a lower sensitivity label than it currently is assigned.
25
Q

Top Secret

A
  • highest level of classification. The unauthorized disclosure of data will have drastic effects and cause grave damage to national security.
  • compartmentalized on a need-to-know basis such that a user could have the clearance and have access to no data until the user has a need to know.
26
Q

Secret

A

used for data of a restricted nature. The unauthorized disclosure of data classified as secret will have significant effects and cause critical damage to national security.

27
Q

Confidential

A
  • used for data of a sensitive, proprietary, or highly valuable nature.
  • The unauthorized disclosure of data classified as confidential will have noticeable effects and cause serious damage to national security.
28
Q

Sensitive But Unclassified

A
  • used for data that is for internal use or for official use only (FOUO).
  • is used to protect information that could violate the privacy rights of individuals. Not technically a classification label; instead, it is a marking or label used to indicate use or management.
29
Q

Unclassified

A
  • used for data that is neither sensitive nor classified. The disclosure of unclassified data does not compromise confidentiality or cause any noticeable damage.
  • not technically a classification label; instead, it is a marking or label used to indicate use or management.
30
Q

Confidential

A
  • highest level of classification in the commercial/private-sector scheme, used for data that is extremely sensitive and for internal use only.
  • significant negative impact could occur for a company if confidential data is disclosed.
  • Sometimes proprietary data is considered a specific form of confidential information. If proprietary data is disclosed, it can have drastic effects on the competitive edge of an organization.
31
Q

Private

A
  • is used for data that is of a private or personal nature and intended for internal use only.
  • significant negative impact could occur for the company or individuals if private data is disclosed.
32
Q

Sensitive

A
  • is used for data that is more sensitive than public data.
  • negative impact could occur for the company if sensitive data is disclosed.

33
Q

Public

A
  • is the lowest level of classification in the commercial/private-sector scheme.
  • is used for all data that does not fit in one of the higher classifications. Its disclosure does not have a serious negative impact on the organization.
34
Q

Ownership

A

the owner has full capabilities and privileges over the object they own.

  • the subject that creates a new object is by default the owner of that object.
  • the security policy may mandate that when new objects are created, a formal change of ownership from the end user to an administrator or management user takes place.
35
Q

Security role

A
  • will help in establishing a communications and support structure within an organization.
  • this structure will enable the deployment and enforcement of the security policy.
36
Q

Senior Manager

A
  • all activities must be approved by and signed off on by the senior manager before they can be carried out.
  • is the person who will be held liable for the overall success or failure of a security solution and is responsible for exercising due care and due diligence in establishing security for an organization.
37
Q

Security Professional

A
  • is responsible for following the directives mandated by senior management.
  • has the functional responsibility for security, including writing the security policy and implementing it.
  • role is often filled by a team that is responsible for designing and implementing security solutions based on the approved security policy.
  • Security professionals are not decision makers; they are implementers.
38
Q

Data Owner

A
  • is assigned to the person who is responsible for classifying information for placement and protection within the security solution.
  • is typically a high-level manager who is ultimately responsible for data protection.
  • delegates the responsibility of the actual data management tasks to a data custodian
39
Q

Data Custodian

A
  • is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.
  • performs all activities necessary to provide adequate protection for the CIA Triad (confidentiality, integrity, and availability) of data and to fulfill the requirements and responsibilities delegated from upper management.
  • these activities can include performing and testing backups, validating data integrity, deploying security solutions, and managing data storage based on classification.
40
Q

User

A

is assigned to any person who has access to the secured system.

41
Q

Auditor

A
  • is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.
  • produces compliance and effectiveness reports that are reviewed by the senior manager.
  • issues discovered through these reports are transformed into new directives assigned by the senior manager to security professionals or data custodians.
  • listed as the final role because the auditor needs a source of activity (that is, users or operators working in an environment) to audit or monitor.
42
Q

Control Objectives for Information and Related Technology (COBIT) 5

A

Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management

43
Q

Due Care and Due Diligence

A

Due care is using reasonable care to protect the interests of an organization. Due diligence is practicing the activities that maintain the due care effort. For example, due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Due diligence is the continued application of this security structure onto the IT infrastructure of an organization.

44
Q

Security Policies

A
  • defines the main security objectives and outlines the security framework of an organization.
  • identifies the major functional areas of data processing and clarifies and defines all relevant terminology.
  • a strategic plan for implementing security. It should broadly outline the security goals and practices that should be employed to protect the organization’s vital interests.
  • is used to assign responsibilities, define roles, specify audit requirements, outline enforcement processes, indicate compliance requirements, and define acceptable risk levels.
45
Q

regulatory policy

A

is required whenever industry or legal standards are applicable to your organization. This policy discusses the regulations that must be followed and outlines the procedures that should be used to elicit compliance.

46
Q

advisory policy

A

discusses behaviors and activities that are acceptable and defines consequences of violations. It explains senior management’s desires for security and compliance within an organization. Most policies are advisory.

47
Q

informative policy

A

is designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers. Provides support, research, or background information relevant to the specific elements of the overall policy.

48
Q

Standards

A

provide a course of action by which technology and procedures are uniformly implemented throughout an organization. Standards are tactical documents that define steps or methods to accomplish the goals and overall direction defined by security policies.

49
Q

baseline

A
  • takes the goals of a security policy and the requirements of the standards and defines them specifically in the baseline as a rule against which to implement and compare IT systems.
  • all systems not complying with the baseline should be taken out of production until they can be brought up to the baseline.
  • establishes a common foundational secure state on which all additional and more stringent security measures can be built. Baselines are usually system specific and often refer to an industry or government standard, like the Trusted Computer System Evaluation Criteria (TCSEC), the Information Technology Security Evaluation Criteria (ITSEC), or NIST (National Institute of Standards and Technology) standards.
50
Q

Guidelines

A

flexible so they can be customized for each unique system or condition and can be used in the creation of new procedures. They state which security mechanisms should be deployed instead of prescribing a specific product or control and detailing configuration settings. They outline methodologies, include suggested actions, and are not compulsory.

51
Q

Procedures

A

a procedure could discuss the entire system deployment operation or focus on a single product or aspect, such as deploying a firewall or updating virus definitions.

  • must be updated as the hardware and software of a system evolve.
  • ensure the integrity of business processes and help ensure standardization of security across all systems.
52
Q

Threat modeling

A

the process identifies the potential harm, the probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat. Threat modeling isn’t meant to be a single event. Instead it’s common for an organization to begin threat modeling early in the design process of a system and continue throughout its lifecycle.

53
Q

Proactive approach

A
  • defensive approach based on predicting threats and designing in specific defenses during the coding and crafting process, rather than relying on post-deployment updates and patches.
  • integrated security solutions are more cost effective and more successful than those shoehorned in later. Unfortunately, not all threats can be predicted during the design phase, so reactive approach threat modeling is still needed to address unforeseen issues.
54
Q

Reactive approach

A

the adversarial approach to threat modeling; it is the core concept behind ethical hacking, penetration testing, source code review, and fuzz testing.
-although these processes are often useful in finding flaws and threats that need to be addressed, they unfortunately result in additional coding effort to add new countermeasures.
-returning to the design phase might produce better products in the long run, but starting over from scratch is massively expensive and causes significant delays to product release.

55
Q

Fuzz testing

A
  • is a specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws.
  • the fuzzing tool supplies invalid input to the software under test, either randomly generated or specially crafted to trigger known classes of software vulnerability.
  • monitors the behavior of the application, watching for crashes, buffer overflows, or other undesirable and/or unpredictable outcomes.
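Added example, not from the original text: a minimal fuzzer in Go. ParseRecord is a constructed, deliberately buggy parser for a tiny length-prefixed record format that trusts its length byte; the harness mutates a small seed corpus, runs each input under recover() so a panic is recorded as a finding rather than killing the run, and returns the crashing inputs. ParseRecordFixed is the hardened version, and the same harness finds nothing against it. The record format, the parser and the three mutation strategies are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math/rand"
)

// ParseRecord parses a constructed wire format used only for this example:
//   byte 0     : payload length n
//   bytes 1..n : payload
//   byte n+1   : XOR checksum of the payload
// It is deliberately buggy: it trusts the length byte and never checks that
// the buffer is long enough, so a hostile length makes the slice expression
// or the checksum index read past the end and panic.
func ParseRecord(b []byte) (payload []byte, ok bool) {
	if len(b) < 2 {
		return nil, false
	}
	n := int(b[0])
	payload = b[1 : 1+n] // BUG: panics when 1+n exceeds the buffer capacity
	var sum byte
	for _, c := range payload {
		sum ^= c
	}
	return payload, sum == b[1+n] // BUG: panics when 1+n >= len(b)
}

// ParseRecordFixed is the hardened version: the length claim is validated
// against the real buffer size before any indexing happens.
func ParseRecordFixed(b []byte) (payload []byte, ok bool) {
	if len(b) < 2 {
		return nil, false
	}
	n := int(b[0])
	if len(b) < n+2 { // length byte + n payload bytes + checksum byte
		return nil, false
	}
	payload = b[1 : 1+n]
	var sum byte
	for _, c := range payload {
		sum ^= c
	}
	return payload, sum == b[1+n]
}

// Crash records one input that made the target panic, and the panic value.
type Crash struct {
	Input []byte
	Err   interface{}
}

// runOnce executes the target under recover() so a panic becomes a finding
// instead of terminating the fuzzer.
func runOnce(target func([]byte) ([]byte, bool), in []byte) (crash *Crash) {
	defer func() {
		if r := recover(); r != nil {
			crash = &Crash{Input: append([]byte(nil), in...), Err: r}
		}
	}()
	target(in)
	return nil
}

// mutate derives a new test case from a seed: flip one bit, truncate, or
// append a few random bytes.
func mutate(rng *rand.Rand, seed []byte) []byte {
	out := append([]byte(nil), seed...)
	switch rng.Intn(3) {
	case 0:
		out[rng.Intn(len(out))] ^= 1 << uint(rng.Intn(8))
	case 1:
		out = out[:rng.Intn(len(out)+1)]
	case 2:
		for k := rng.Intn(4); k > 0; k-- {
			out = append(out, byte(rng.Intn(256)))
		}
	}
	return out
}

// Fuzz runs `iterations` mutated inputs against target, starting from a corpus
// of valid records, and returns every input that caused a panic. A fixed seed
// keeps the run reproducible, which matters when triaging findings.
func Fuzz(target func([]byte) ([]byte, bool), seed int64, iterations int) []Crash {
	rng := rand.New(rand.NewSource(seed))
	corpus := [][]byte{
		{2, 'h', 'i', 'h' ^ 'i'},                       // valid record, payload "hi"
		{4, 'a', 'b', 'c', 'd', 'a' ^ 'b' ^ 'c' ^ 'd'}, // valid record, payload "abcd"
	}
	var crashes []Crash
	for i := 0; i < iterations; i++ {
		in := mutate(rng, corpus[rng.Intn(len(corpus))])
		if c := runOnce(target, in); c != nil {
			crashes = append(crashes, *c)
		}
	}
	return crashes
}

func main() {
	buggy := Fuzz(ParseRecord, 1, 2000)
	fixed := Fuzz(ParseRecordFixed, 1, 2000)
	fmt.Printf("ParseRecord: %d crashing inputs, e.g. %v (%v)\n", len(buggy), buggy[0].Input, buggy[0].Err)
	fmt.Printf("ParseRecordFixed: %d crashing inputs\n", len(fixed))
}
```

The harness is the monitoring half of fuzz testing: without the recover() wrapper the first out-of-range read would end the process and every later input would go untested. Real fuzzers (Go's own `go test -fuzz`, AFL, libFuzzer) add coverage feedback to steer mutation, but the loop of mutate, execute, watch for a crash, and save the input is the same.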
56
Q

Focused on Assets

A

This method uses asset valuation results and attempts to identify threats to the valuable assets. For example, a specific asset can be evaluated to determine if it is susceptible to an attack. If the asset hosts data, access controls can be evaluated to identify threats that can bypass authentication or authorization mechanisms.

57
Q

Focused on Attackers

A

Some organizations are able to identify potential attackers and can identify the threats they represent based on the attacker’s goals. For example, a government is often able to identify potential attackers and recognize what the attackers want to achieve. They can then use this knowledge to identify and protect their relevant assets. A challenge with this approach is that new attackers can appear that weren’t previously considered a threat.

58
Q

Focused on Software

A

If an organization develops software, it can consider potential threats against the software. Although organizations didn’t commonly develop their own software years ago, it’s common to do so today. Specifically, most organizations have a web presence, and many create their own web pages. Fancy web pages drive more traffic, but they also require more sophisticated programming and present additional threats.

59
Q

STRIDE threat model

A
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
60
Q

Spoofing

A

An attack with the goal of gaining access to a target system through the use of a falsified identity.

  • can be used against Internet Protocol (IP) addresses, MAC addresses, usernames, system names, wireless network service set identifiers (SSIDs), email addresses, and many other types of logical identification.
  • when an attacker spoofs their identity as a valid or authorized entity, they are often able to bypass filters and blockades against unauthorized access. Once a spoofing attack has successfully granted an attacker access to a target system, subsequent attacks of abuse, data theft, or privilege escalation can be initiated.
61
Q

Tampering

A

Any action resulting in unauthorized changes or manipulation of data, whether in transit or in storage. Tampering is used to falsify communications or alter static information. Such attacks are a violation of integrity as well as availability.

62
Q

Information disclosure

A

The revelation or distribution of private, confidential, or controlled information to external or unauthorized entities. This could include customer identity information, financial information, or proprietary business operation details. Information disclosure can take advantage of system design and implementation mistakes, such as failing to remove debugging code, leaving sample applications and accounts, not sanitizing programming notes from client-visible content (such as comments in Hypertext Markup Language (HTML) documents), using hidden form fields, or allowing overly detailed error messages to be shown to users.
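Added example (not from the original text): two Go HTTP handlers that hit the same backend failure. LeakyHandler returns the raw error text to the client, which here is a constructed driver error carrying an internal host name, port and account name; SafeHandler logs that detail server-side under a random reference ID and sends the client only the generic message and the ID. Probe runs a handler in-process so the difference in what an attacker sees can be checked without a network. The lookup function, the error string and the reference format are stand-ins for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// errBackend stands in for a real driver error. The text is constructed for
// this example, but it is the kind of detail real errors carry: internal
// host names, ports and account names.
var errBackend = errors.New(`pq: password authentication failed for user "app" on db-internal-01:5432`)

// lookup is a stand-in data access function; only id "42" exists.
func lookup(id string) (string, error) {
	if id == "42" {
		return "widget", nil
	}
	return "", fmt.Errorf("lookup id=%q: %w", id, errBackend)
}

// LeakyHandler is the information-disclosure mistake: the raw error text,
// backend host and account included, goes straight back to the client.
func LeakyHandler(w http.ResponseWriter, r *http.Request) {
	name, err := lookup(r.URL.Query().Get("id"))
	if err != nil {
		http.Error(w, "error: "+err.Error(), http.StatusInternalServerError)
		return
	}
	fmt.Fprintln(w, name)
}

// SafeHandler keeps the detail on the server side. The client receives a
// generic message plus a random reference ID that support staff can match
// against the server log; nothing about the backend crosses the trust
// boundary to the user.
func SafeHandler(w http.ResponseWriter, r *http.Request) {
	name, err := lookup(r.URL.Query().Get("id"))
	if err != nil {
		ref := newReference()
		log.Printf("ref=%s method=%s path=%s err=%v", ref, r.Method, r.URL.Path, err)
		http.Error(w, "internal error (reference "+ref+")", http.StatusInternalServerError)
		return
	}
	fmt.Fprintln(w, name)
}

// newReference returns an opaque 8-hex-digit correlation ID.
func newReference() string {
	b := make([]byte, 4)
	if _, err := rand.Read(b); err != nil {
		return "00000000"
	}
	return hex.EncodeToString(b)
}

// Probe runs a handler in-process against a request URL and returns the
// status code and body, i.e. exactly what a client (or attacker) would see.
func Probe(h http.HandlerFunc, url string) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, url, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	handlers := []struct {
		name string
		fn   http.HandlerFunc
	}{{"leaky", LeakyHandler}, {"safe", SafeHandler}}
	for _, h := range handlers {
		code, body := Probe(h.fn, "/item?id=7") // id 7 does not exist, so lookup fails
		fmt.Printf("%s handler -> %d %q\n", h.name, code, body)
	}
}
```

The same rule applies to the other leaks the card lists: HTML comments, hidden fields and sample accounts all ship internal knowledge to a client who should only ever see the public interface.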

63
Q

Denial of service (DoS)

A

An attack that attempts to prevent authorized use of a resource. This can be done through flaw exploitation, connection overloading, or traffic flooding. A DoS attack does not necessarily result in full interruption to a resource; it could instead reduce throughput or introduce latency in order to hamper productive use of a resource. A permanent DoS attack might involve the destruction of a dataset, the replacement of software with malicious alternatives, or forcing a firmware flash operation that could be interrupted or that installs faulty firmware. Any of these DoS attacks would render a permanently damaged system that is not able to be restored to normal operation with a simple reboot or by waiting out the attackers. A full system repair and backup restoration would be required to recover from a permanent DoS attack.

64
Q

Elevation of privilege

A

An attack where a limited user account is transformed into an account with greater privileges, powers, and access. This might be accomplished through theft or exploitation of the credentials of a higher-level account, such as that of an administrator or root. It also might be accomplished through a system or application exploit that temporarily or permanently grants additional powers to an otherwise limited account.

65
Q

Process for Attack Simulation and Threat Analysis (PASTA) 7 stages

A

Stage I: Definition of the Objectives (DO) for the Analysis of Risks
Stage II: Definition of the Technical Scope (DTS)
Stage III: Application Decomposition and Analysis (ADA)
Stage IV: Threat Analysis (TA)
Stage V: Weakness and Vulnerability Analysis (WVA)
Stage VI: Attack Modeling & Simulation (AMS)
Stage VII: Risk Analysis & Management (RAM)

66
Q

Trike

A
provides a method of performing a security audit in a reliable and repeatable procedure. It also provides a consistent framework for communication and collaboration among security workers. 
-is used to craft an assessment of an acceptable level of risk for each class of asset that is then used to determine appropriate risk response actions.
67
Q

Visual, Agile, and Simple Threat (VAST)

A

is a threat modeling concept based on Agile project management and programming principles. The goal of VAST is to integrate threat and risk management into an Agile programming environment on a scalable basis.

68
Q

Diagramming

A

By crafting such a diagram for each environment or system, it is possible to more closely examine each point where a compromise could occur. Such data flow diagrams are useful in gaining a better understanding of the relationships of resources and movement of data through a visual representation. This process of diagramming is also known as crafting an architecture diagram.

69
Q

Reduction analysis

A

also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements. Whether an application, a system, or an entire environment, it needs to be divided into smaller containers or compartments. Those might be subroutines, modules, or objects if you’re focusing on software, computers, or operating systems; they might be protocols if you’re focusing on systems or networks; or they might be departments, tasks, and networks if you’re focusing on an entire business infrastructure.

70
Q

Five key concepts of the decomposition process

A
  1. Trust Boundaries Any location where the level of trust or security changes
  2. Data Flow Paths The movement of data between locations
  3. Input Points Locations where external input is received
  4. Privileged Operations Any activity that requires greater privileges than of a standard user account or process, typically required to make system changes or alter security
  5. Details about Security Stance and Approach The declaration of the security policy, security foundations, and security assumptions
71
Q

Probability × Damage Potential ranking

A

produces a risk severity number on a scale of 1 to 100, with 100 the most severe risk possible. Each of the two initial values can be assigned numbers between 1 and 10, with 1 being lowest and 10 being highest. These rankings can be somewhat arbitrary and subjective, but since the same person or team will be assigning the numbers for their own organization, it should still result in assessment values that are accurate on a relative basis.

72
Q

High/medium/low rating process

A

Each threat is assigned one of these three priority labels. Those given the high-priority label need to be addressed immediately. Those given the medium-priority label should be addressed eventually, but they don’t require immediate action. Those given the low-priority level might be addressed, but they could be deemed optional if they require too much effort or expense in comparison to the project as a whole.

73
Q

DREAD rating system

A

Damage potential: How severe is the damage likely to be if the threat is realized?
Reproducibility: How complicated is it for attackers to reproduce the exploit?
Exploitability: How hard is it to perform the attack?
Affected users: How many users are likely to be affected by the attack (as a percentage)?
Discoverability: How hard is it for an attacker to discover the weakness?
Each factor is rated on the same scale (commonly 1 to 10) with a higher number always meaning worse for the defender (easier to reproduce, exploit, or discover scores higher), and the ratings are averaged to give the threat's overall DREAD score.
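The three ranking methods on the preceding cards (Probability × Damage Potential, the high/medium/low labels, and DREAD) can be run as one small scoring tool. The Go program below is an added example, not from the original text: it validates each 1 to 10 rating, computes the P×D product and the DREAD mean, maps the score onto a priority label, and sorts the threats into a work queue. The sample threats, their ratings and the 7/4 priority cut-offs are constructed assumptions; the rating direction (higher always means worse for the defender) is the convention the scores depend on.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Threat holds the raw 1..10 ratings for one threat. For every factor a
// higher number means worse for the defender: more damage, easier to
// reproduce, easier to exploit, more users affected, easier to discover.
type Threat struct {
	Name            string
	Probability     int // used by Probability x Damage Potential
	Damage          int // D: damage potential (shared with P x D)
	Reproducibility int // R
	Exploitability  int // E
	AffectedUsers   int // A
	Discoverability int // D
}

var errRange = errors.New("rating must be between 1 and 10")

func (t Threat) validate() error {
	for _, v := range []int{t.Probability, t.Damage, t.Reproducibility,
		t.Exploitability, t.AffectedUsers, t.Discoverability} {
		if v < 1 || v > 10 {
			return fmt.Errorf("%s: %w", t.Name, errRange)
		}
	}
	return nil
}

// ProbabilityDamage is the Probability x Damage Potential score, 1..100.
func ProbabilityDamage(t Threat) (int, error) {
	if err := t.validate(); err != nil {
		return 0, err
	}
	return t.Probability * t.Damage, nil
}

// DREAD is the mean of the five DREAD factors, so it stays on the 1..10 scale.
func DREAD(t Threat) (float64, error) {
	if err := t.validate(); err != nil {
		return 0, err
	}
	sum := t.Damage + t.Reproducibility + t.Exploitability + t.AffectedUsers + t.Discoverability
	return float64(sum) / 5, nil
}

// Priority maps a 1..10 score onto the high/medium/low labels. The cut-offs
// (7 and 4) are an assumption for this example; each organization sets its own.
func Priority(score float64) string {
	switch {
	case score >= 7:
		return "high"
	case score >= 4:
		return "medium"
	default:
		return "low"
	}
}

// Ranked is one line of the output report.
type Ranked struct {
	Name     string
	PxD      int
	DREAD    float64
	Priority string
}

// Rank scores every threat and returns them ordered by DREAD score, highest
// first, so the list reads as a work queue.
func Rank(threats []Threat) ([]Ranked, error) {
	out := make([]Ranked, 0, len(threats))
	for _, t := range threats {
		pd, err := ProbabilityDamage(t)
		if err != nil {
			return nil, err
		}
		d, _ := DREAD(t) // validation already ran in ProbabilityDamage
		out = append(out, Ranked{t.Name, pd, d, Priority(d)})
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].DREAD > out[j].DREAD })
	return out, nil
}

func main() {
	// Constructed sample threats for a web application (ratings are illustrative).
	threats := []Threat{
		{"SQL injection in search endpoint", 8, 9, 8, 7, 9, 6},
		{"Verbose stack trace on 500 page", 9, 3, 10, 10, 5, 9},
		{"Admin password in git history", 4, 10, 10, 9, 10, 3},
		{"Clickjacking on marketing page", 5, 2, 6, 6, 2, 7},
	}
	ranked, err := Rank(threats)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%-34s %5s %6s %s\n", "threat", "PxD", "DREAD", "priority")
	for _, r := range ranked {
		fmt.Printf("%-34s %5d %6.1f %s\n", r.Name, r.PxD, r.DREAD, r.Priority)
	}
}
```

Note that the two scores can disagree: the verbose stack trace has a low P×D (little direct damage) but a high DREAD score because it is trivially reproducible and discoverable. That is why the card stresses the ratings are only accurate on a relative basis, and why the same team should rate every threat with the same rubric.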

74
Q

Supply chain

A

A secure supply chain is one in which all of the vendors or links in the chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners (although not necessarily to the public). Each link in the chain is responsible and accountable to the next link in the chain. Each hand-off from raw materials to refined products to electronics parts to computer components to the finished product is properly organized, documented, managed, and audited. The goal of a secure supply chain is to ensure that the finished product is of sufficient quality, meets performance and operational goals, and provides stated security mechanisms, and that at no point in the process was any element counterfeited or subjected to unauthorized or malicious manipulation or sabotage.

75
Q

Evaluating a third party for security integration

A

On-Site Assessment Visit the site of the organization to interview personnel and observe their operating habits.

Document Exchange and Review Investigate the means by which datasets and documentation are exchanged as well as the formal processes by which they perform assessments and reviews.

Process/Policy Review Request copies of their security policies, processes/procedures, and documentation of incidents and responses for review.

Third-Party Audit Having an independent third-party auditor, as defined by the American Institute of Certified Public Accountants (AICPA), can provide an unbiased review of an entity's security infrastructure, based on Service Organization Control (SOC) reports. Statement on Standards for Attestation Engagements (SSAE) is the AICPA attestation standard that defines how service organizations report on their controls using the various SOC reports.

76
Q

Which of the following contains the primary goals and objectives of security?

A. A network’s border perimeter
B. The CIA Triad
C. A stand-alone system
D. The internet

A

B. The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad.

77
Q

Vulnerabilities and risks are evaluated based on their threats against which of the following?

A. One or more of the CIA Triad principles
B. Data usefulness
C. Due care
D. Extent of liability

A

A. Vulnerabilities and risks are evaluated based on their threats against one or more of the CIA Triad principles.

78
Q

Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects?

A. Identification
B. Availability
C. Encryption
D. Layering

A

B. Availability means that authorized subjects are granted timely and uninterrupted access to objects.

79
Q

Which of the following is not considered a violation of confidentiality?

A. Stealing passwords
B. Eavesdropping
C. Hardware destruction
D. Social engineering

A

C. Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, and sniffing.

80
Q

Which of the following is not true?

A. Violations of confidentiality include human error.
B. Violations of confidentiality include management oversight.
C. Violations of confidentiality are limited to direct intentional attacks.
D. Violations of confidentiality can occur when a transmission is not properly encrypted.

A

C. Violations of confidentiality are not limited to direct intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are due to human error, oversight, or ineptitude.

81
Q

STRIDE is often used in relation to assessing threats against applications or operating systems. Which of the following is not an element of STRIDE?

A. Spoofing
B. Elevation of privilege
C. Repudiation
D. Disclosure

A

D. Disclosure, as worded, is not an element of STRIDE; the corresponding element is information disclosure. The elements of STRIDE are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

82
Q

If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can _____________________ the data, objects, and resources.

A. Control
B. Audit
C. Access
D. Repudiate

A

C. Accessibility of data, objects, and resources is the goal of availability. If a security mechanism offers availability, then it is highly likely that the data, objects, and resources are accessible to authorized subjects.

83
Q

_______________ refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.

A. Seclusion
B. Concealment
C. Privacy
D. Criticality

A

C. Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed. Seclusion is to store something in an out-of-the-way location. Concealment is the act of hiding or preventing disclosure. The level to which information is mission critical is its measure of criticality.

84
Q

All but which of the following items requires awareness for all individuals affected?

A. Restricting personal email
B. Recording phone conversations
C. Gathering information about surfing habits
D. The backup mechanism used to retain email messages

A

D. Users should be aware that email messages are retained, but the backup mechanism used to perform this operation does not need to be disclosed to them.

85
Q

What element of data categorization management can override all other forms of access control?

A. Classification
B. Physical access
C. Custodian responsibilities
D. Taking ownership

A

D. Ownership grants an entity full capabilities and privileges over the object they own. The ability to take ownership is often granted to the most powerful accounts in an operating system because it can be used to overstep any access control limitations otherwise implemented.

86
Q

What ensures that the subject of an activity or event cannot deny that the event occurred?

A. CIA Triad
B. Abstraction
C. Nonrepudiation
D. Hash totals

A

C. Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred.

87
Q

Which of the following is the most important and distinctive concept in relation to layered security?

A. Multiple
B. Series
C. Parallel
D. Filter

A

B. Layering is the deployment of multiple security mechanisms in series. When security restrictions are applied in series, they are evaluated one after the other in a linear fashion, so a request must pass every layer. Therefore, a single failure of one security control does not render the entire solution ineffective.
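The series-versus-parallel distinction in this answer is easiest to see in code. The following is an added example, not part of the original flashcards: the request shape, the three controls, the fail-open helper and the sample requests are all constructed here for illustration. It composes the same controls both ways and shows that when one control is broken so that it allows everything, the series composition still blocks the hostile request while the parallel composition waves it through.

```python
"""Layered security: the same controls composed in series versus in parallel.

Added example for the flashcard on layering; the request format, the three
controls and the sample requests are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Request:
    user: str
    authenticated: bool
    role: str
    path: str


# A control returns True when it allows the request to continue.
Control = Callable[[Request], bool]


def require_authentication(req: Request) -> bool:
    """Layer 1: the caller must have authenticated."""
    return req.authenticated


def require_admin_role(req: Request) -> bool:
    """Layer 2: only the admin role may reach this resource."""
    return req.role == "admin"


def reject_path_traversal(req: Request) -> bool:
    """Layer 3: refuse any path component that climbs out of the intended directory."""
    return ".." not in req.path.split("/")


CONTROLS: List[Control] = [require_authentication, require_admin_role, reject_path_traversal]


def allowed_in_series(req: Request, controls: List[Control]) -> bool:
    """Series composition: every layer must allow the request (logical AND).
    A layer that fails open still leaves the remaining layers in force."""
    return all(control(req) for control in controls)


def allowed_in_parallel(req: Request, controls: List[Control]) -> bool:
    """Parallel composition: any one layer allowing the request is enough (logical OR).
    A single layer that fails open admits everything."""
    return any(control(req) for control in controls)


def fail_open(control: Control) -> Control:
    """Simulate a broken control (disabled, misconfigured, or bypassed) that allows every request."""
    def broken(req: Request) -> bool:
        return True
    broken.__name__ = f"broken_{control.__name__}"
    return broken


def demo() -> dict:
    # Constructed sample requests: one hostile, one legitimate.
    attacker = Request(user="mallory", authenticated=False, role="guest", path="../../etc/shadow")
    admin = Request(user="alice", authenticated=True, role="admin", path="reports/q1.pdf")

    # Break the first layer only; the other two remain intact.
    degraded = [fail_open(CONTROLS[0])] + CONTROLS[1:]

    return {
        "series_intact_attacker": allowed_in_series(attacker, CONTROLS),      # False
        "series_degraded_attacker": allowed_in_series(attacker, degraded),    # False: layers 2 and 3 still hold
        "parallel_degraded_attacker": allowed_in_parallel(attacker, degraded),  # True: one broken layer lets everything in
        "series_intact_admin": allowed_in_series(admin, CONTROLS),            # True: legitimate traffic passes every layer
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allowed' if verdict else 'denied'}")
```

The point for design reviews: layering only delivers its promised resilience when each control is evaluated independently of the others and the composition is an AND. Controls that share a bypassable front door, or a policy engine that treats any single "allow" as sufficient, are the parallel case and collapse to the strength of the weakest layer.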

88
Q

Which of the following is not considered an example of data hiding?

A. Preventing an authorized reader of an object from deleting that object
B. Keeping a database from being accessed by unauthorized visitors
C. Restricting a subject at a lower classification level from accessing data at a higher classification level
D. Preventing an application from accessing hardware directly

A

A. Preventing an authorized reader of an object from deleting that object is just an example of access control, not data hiding. If you can read an object, it is not hidden from you.

89
Q

What is the primary goal of change management?

A. Maintaining documentation
B. Keeping users informed of changes
C. Allowing rollback of failed changes
D. Preventing security compromises

A

D. The prevention of security compromises is the primary goal of change management.

90
Q

What is the primary objective of data classification schemes?

A. To control access to objects for authorized subjects
B. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity
C. To establish a transaction trail for auditing accountability
D. To manipulate access controls to provide for the most efficient means to grant or restrict functionality

A

B. The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity.

91
Q

Which of the following is typically not a characteristic considered when classifying data?

A. Value
B. Size of object
C. Useful lifetime
D. National security implications

A

B. Size is not a criterion for establishing data classification. When classifying an object, you should take value, lifetime, and security implications into consideration.

92
Q

What are the two common data classification schemes?

A. Military and private sector
B. Personal and government
C. Private sector and unrestricted sector
D. Classified and unclassified

A

A. Military (or government) and private sector (or commercial business) are the two common data classification schemes.

93
Q

Which of the following is the lowest military data classification for classified data?

A. Sensitive
B. Secret
C. Proprietary
D. Private

A

B. Of the options listed, secret is the lowest classified military data classification. Keep in mind that items labeled as confidential, secret, and top secret are collectively known as classified, and confidential is below secret in the list.

94
Q

Which commercial business/private sector data classification is used to control information about individuals within an organization?

A. Confidential
B. Private
C. Sensitive
D. Proprietary

A

B. The commercial business/private sector data classification of private is used to protect information about individuals.

95
Q

Data classifications are used to focus security controls over all but which of the following?

A. Storage
B. Processing
C. Layering
D. Transfer

A

C. Layering is a core aspect of security mechanisms, but it is not a focus of data classifications.