Security Principles Flashcards

1
Q

To define security, it has become common to use Confidentiality, Integrity and Availability. The purpose of these terms is to describe security using relevant and meaningful words that make security more understandable to management and users and define its purpose.

A

The CIA Triad

2
Q

Relates to permitting authorized access to information, while at the same time protecting information from improper disclosure.

A

Confidentiality

3
Q

The property of information whereby it is recorded, used and maintained in a way that ensures its completeness, accuracy, internal consistency and usefulness for a stated purpose.

A

Integrity

4
Q

Means that systems and data are accessible at the time users need them.

A

Availability

5
Q

A difficult balance to achieve when many system users are guests or customers, and it is not known if they are accessing the system from a compromised machine or vulnerable mobile application. So, the security professional’s obligation is to regulate access—protect the data that needs protection, yet permit access to authorized individuals.

A

Confidentiality

6
Q

A term related to the area of confidentiality. It pertains to any data about an individual that could be used to identify them. 

A

Personally Identifiable Information (PII)

7
Q

Information regarding one’s health status.

A

Protected Health Information (PHI)

8
Q

Includes trade secrets, research, business plans and intellectual property. If improperly disclosed (confidentiality) or modified (integrity), it would harm an organization or individual.

A

Classified or Sensitive Information

9
Q

A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection. It is related to the harm to external stakeholders; that is, people or organizations that may not be part of the organization that processes or uses the information.

A

Sensitivity

10
Q

The assurance that data has not been altered in an unauthorized manner. This requires the protection of the data in systems and during processing to ensure that it is free from improper modification, errors or loss of information and is recorded, used and maintained in a way that ensures its completeness. It covers data in storage, during processing and while in transit.

Information must be accurate, internally consistent and useful for a stated purpose. The internal consistency of information ensures that information is correct on all related systems so that it is displayed and stored in the same way on all systems.

A

Data integrity

11
Q

As part of data integrity, requires that all instances of the data be identical in form, content and meaning.

A

Consistency

12
Q

Refers to the maintenance of a known good configuration and expected operational function as the system processes the information.

A

System integrity

13
Q

Ensuring integrity begins with an awareness of this: the ability to document and understand the current condition of a system at a certain point in time, creating a baseline.

A

State

14
Q

Can refer to the current state of the information—whether it is protected. Then, to preserve that state, the information must always continue to be protected through a transaction.

Going forward from this, the integrity of the data or the system can always be ascertained by comparing the baseline with the current state. If the two match, then the integrity of the data or the system is intact; if the two do not match, then the integrity of the data or the system has been compromised. Integrity is a primary factor in the reliability of information and systems.

The need to safeguard information and system integrity may be dictated by laws and regulations. Often, it is dictated by the needs of the organization to access and use reliable, accurate information.

A

Baseline

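Cards 13 and 14 describe integrity as recording a known-good state and later comparing the current state against that baseline. As an added example that is not part of the flashcard set, the Python script below implements that check for a directory tree using only standard-library hashing: it records a SHA-256 baseline, then classifies drift as added, removed or modified files. The directory layout, file contents and simulated tampering are constructed for the demo.

```python
"""File integrity baseline: record a known-good state, then detect drift.

Added example (not part of the flashcard text). Standard library only.
The sample files and the "compromise" are constructed in a temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        # Skip symlinks: hashing their target would let an attacker swap what is measured.
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare_to_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between the recorded baseline and the current state."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def integrity_intact(report: dict[str, list[str]]) -> bool:
    """Integrity holds only when no file was added, removed or modified."""
    return not any(report.values())


def demo() -> tuple[dict, dict]:
    """Build a baseline over constructed files, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF constructed sample\n")

        baseline = build_baseline(root)
        clean = compare_to_baseline(baseline, build_baseline(root))

        # Constructed compromise: config changed, binary removed, new file dropped.
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")
        (root / "bin" / "service").unlink()
        (root / "bin" / "backdoor").write_bytes(b"constructed payload\n")
        tampered = compare_to_baseline(baseline, build_baseline(root))
    return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print("clean run intact:", integrity_intact(clean_report))
    print(json.dumps(tampered_report, indent=2))
```

The baseline is only as trustworthy as its storage: keep it off the monitored host or sign it, because an attacker who can edit both the files and the baseline will pass the comparison. A matching hash also says nothing about whether the state was correct when it was captured; the baseline has to be taken from a system you already trust.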
15
Q

Can be defined as (1) timely and reliable access to information and the ability to use it, and (2) for authorized users, timely and reliable access to data and information services.

The core concept of this is that data is accessible to authorized users when and where it is needed and in the form and format required. This does not mean that data or systems are available 100% of the time. Instead, the systems and data meet the requirements of the business for timely and reliable access.

A

Availability

16
Q

Some systems and data are far more critical than others, so the security professional must ensure that the appropriate levels of availability are provided. This requires consultation with the involved business to ensure that critical systems are identified and available. Availability is often associated with the term, because it represents the importance an organization gives to data or an information system in performing its operations or achieving its mission.

A

Criticality

17
Q

When users have stated their identity, it is necessary to validate that they are the rightful owners of that identity. This is the process of verifying or proving the user's identification; simply put, it proves the identity of the requestor.

There are three common methods (factors):

Something you know: passwords or passphrases
Something you have: tokens, memory cards, smart cards
Something you are: biometrics, measurable physical characteristics

A

Authentication

18
Q

Using only one of the methods of authentication.

A

Single-Factor Authentication (SFA)

19
Q

Granting users access only after successfully demonstrating or displaying two or more of these methods.

A

Multi-Factor Authentication (MFA)

20
Q

Uses a password, passphrase, PIN or other secret code to differentiate between an authorized and an unauthorized user. If you have selected a personal identification number (PIN), created a password or chosen some other secret value that only you know, then you have experienced this. The problem with using this type of authentication alone is that it is vulnerable to a variety of attacks, including social engineering of the reset process. For example, the help desk might receive a call to reset a user's password. The challenge is ensuring that the password is reset only for the correct user and not for someone pretending to be that user. For better security, a second form of authentication based on a token or a characteristic should be required before the password is reset. A user ID plus a password is not MFA: the user ID is only a claim of identity, not a secret, and the password is a single something-you-know factor. Likewise, a password plus a PIN is two credentials from the same category and is still single-factor.

A

Knowledge-based authentication

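Cards 17 to 20 turn on one distinction: multi-factor means two or more different categories of authenticator, not two credentials of the same kind. The following Python is an added example, not from the flashcards, that shows the check in code with standard-library primitives: PBKDF2 for the something-you-know secrets and an RFC 6238 TOTP code for something-you-have. A password plus a PIN verifies but counts as one factor; a password plus a valid TOTP counts as two. The user record, secrets, timestamp and iteration count are constructed for the demo (the TOTP key and timestamp are the RFC 6238 SHA-1 test-vector values).

```python
"""Authentication factors: count categories, not credentials.

Added example, not from the flashcard text. Standard library only.
All secrets, keys and timestamps below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Each credential type maps to the category it proves. Two credentials from the
# same category (password + PIN) are still a single factor.
FACTOR_CATEGORY = {
    "password": "something you know",
    "pin": "something you know",
    "totp": "something you have",
}


def pbkdf2(secret: str, salt: bytes) -> bytes:
    """Slow hash for stored knowledge secrets. Iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to absorb clock skew."""
    return any(
        hmac.compare_digest(totp(key, unix_time + offset * step, step).encode(), code.encode())
        for offset in range(-window, window + 1)
    )


@dataclass(frozen=True)
class UserRecord:
    salt: bytes
    password_hash: bytes
    pin_hash: bytes
    totp_key: bytes


def enroll(password: str, pin: str, totp_key: bytes) -> UserRecord:
    """Store only salted hashes of the knowledge secrets; the TOTP key must stay secret."""
    salt = os.urandom(16)
    return UserRecord(salt, pbkdf2(password, salt), pbkdf2(pin, salt), totp_key)


def authenticate(record: UserRecord, presented: dict[str, str], unix_time: int) -> dict:
    """Verify every presented credential, then count distinct factor categories."""
    checks = {
        "password": lambda v: hmac.compare_digest(pbkdf2(v, record.salt), record.password_hash),
        "pin": lambda v: hmac.compare_digest(pbkdf2(v, record.salt), record.pin_hash),
        "totp": lambda v: verify_totp(record.totp_key, v, unix_time),
    }
    results = {kind: checks[kind](value) for kind, value in presented.items()}
    all_ok = all(results.values())
    categories = {FACTOR_CATEGORY[k] for k, ok in results.items() if ok}
    return {
        "authenticated": all_ok,
        "factor_categories": sorted(categories),
        "mfa": all_ok and len(categories) >= 2,  # two *different* categories required
    }


if __name__ == "__main__":
    user = enroll("correct horse battery staple", "4711", b"12345678901234567890")
    now = 1_111_111_109  # constructed timestamp (RFC 6238 test vector)
    print(authenticate(user, {"password": "correct horse battery staple", "pin": "4711"}, now))
    print(authenticate(user, {"password": "correct horse battery staple",
                              "totp": totp(user.totp_key, now)}, now))
```

The first call verifies both secrets yet reports `mfa: False`, because both are "something you know"; the second reports `mfa: True`. A production deployment would also rate-limit attempts and reject a TOTP code that has already been used within its step, which this demo omits.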
21
Q

A legal term, defined as the protection against an individual falsely denying having performed a particular action. It provides the capability to determine whether a given individual took a particular action, such as creating information, approving information or sending or receiving a message.

In today’s world of e-commerce and electronic transactions, there are opportunities for the impersonation of others or denial of an action, such as making a purchase online and later denying it. It is important that all participants trust online transactions. Its methodologies ensure that people are held responsible for transactions they conducted.

A

Non-repudiation

23
Q

The right of an individual to control the distribution of information about themselves. While security and privacy both focus on the protection of personal and sensitive data, there is a difference between them. With the increasing rate at which data is collected and digitally stored across all industries, the push for privacy legislation and compliance with existing policies steadily grows. In today’s global economy, privacy legislation and regulations on privacy and data protection can impact corporations and industries regardless of physical location. Global privacy is an especially crucial issue when considering requirements regarding the collection and security of personal information. There are several laws that define privacy and data protection, which periodically change. Ensuring that protective security measures are in place is not enough to meet privacy regulations or to protect a company from incurring penalties or fines from mishandling, misuse, or improper protection of personal or private information.

A

Privacy

24
Q

An example of a law with multinational implications is the European Union’s which applies to all organizations, foreign or domestic, doing business in the EU or any persons in the EU. Companies operating or doing business within the United States may also fall under several state legislations that regulate the collection and use of consumer data and privacy. Likewise, member nations of the EU enact laws to put this into practice and sometimes add more stringent requirements. These laws, including national- and state-level laws, dictate that any entity anywhere in the world handling the private data of people in a particular legal jurisdiction must abide by its privacy requirements. As a member of an organization’s data protection team, you will not be required to interpret these laws, but you will need an understanding of how they apply to your organization.

A

General Data Protection Regulation (GDPR)

25
Q

A measure of the extent to which an entity is threatened by a potential circumstance or event. It is often expressed as a combination of the adverse impacts that would arise if the circumstance or event occurs, and the likelihood of occurrence.

A

Risk 

26
Q

Reflects the potential adverse impacts that result from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems. This definition represents that risk is associated with threats, impact and likelihood, and it also indicates that IT risk is a subset of business risk.

A

Information security risk

27
Q

Something in need of protection.

A

Asset

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

A gap or weakness in those protection efforts.

A

Vulnerability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Something or someone that aims to exploit a vulnerability to thwart protection efforts.

A

Threat

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

Not a one-and-done activity. It’s a recurring process of characterizing different possible risks and then estimating their potential for disrupting the organization. 

Takeaways to remember about this:

Communicate it clearly.
Employees at all levels of the organization are responsible for it.
Protect against it.

A

Risk Identification

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

Assists in risk assessment at a system level, focusing on process, control, monitoring or incident response and recovery activities. In a smaller organization, or one that lacks any kind of risk management and mitigation plan and program, helps fill that planning void.

A

Security professional

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

Defined as the process of identifying, estimating and prioritizing risks to an organization’s operations (including its mission, functions, image and reputation), assets, individuals, other organizations and even the nation. It should result in aligning (or associating) each identified risk resulting from the operation of an information system with the goals, objectives, assets or processes that the organization uses, which in turn aligns with or directly supports achieving the organization’s goals and objectives.

The result of this process is often documented as a report or presentation given to management for their use in prioritizing the identified risk(s). This report is provided to management for review and approval. In some cases, management may indicate a need for a more in-depth or detailed risk assessment performed by internal or external resources. 

A

Risk assessment

33
Q

A common risk assessment activity identifies the risk of fire to a building. While there are many ways to mitigate that risk, the primary goal of a risk assessment is

A

To estimate and prioritize

34
Q

Fire alarms are the lowest cost and can alert personnel to evacuate and reduce the risk of personal injury, but they won't keep a fire from spreading or causing more damage. Sprinkler systems won't prevent a fire but can minimize the amount of damage done. However, while sprinklers in a data center limit the fire's spread, it is likely they will destroy all the systems and the data on them. A gas-based system may be the best solution to protect the systems, but it might be cost-prohibitive. A risk assessment can prioritize these items for management.

A

To determine the method of mitigation that best suits the assets being protected.

35
Q

Relates to making decisions about the best actions to take regarding the identified and prioritized risk. The decisions made are dependent on the attitude of management toward risk and the availability — and cost — of risk mitigation.

A

Risk treatment

36
Q

The decision to attempt to eliminate the risk entirely. This could include ceasing operation for some or all of the activities of the organization that are exposed to a particular risk. Organization leadership may choose this when the potential impact of a given risk is too high or if the likelihood of the risk being realized is simply too great.

A

Risk avoidance

37
Q

Taking no action to reduce the likelihood of a risk occurring. Management may opt for conducting the business function that is associated with the risk without any further action on the part of the organization, either because the impact or likelihood of occurrence is negligible, or because the benefit is more than enough to offset that risk.

A

Risk acceptance

38
Q

The most common type of risk management and includes taking actions to prevent or reduce the possibility of a risk event or its impact. This can involve remediation measures, or controls, such as security controls, establishing policies, procedures, and standards to minimize adverse risk. Risk cannot always be reduced, but safety measures should always be in place.

A

Risk mitigation

39
Q

The practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment. Typically, this is an insurance policy.

A

Risk transference

40
Q

When risks have been identified, it is necessary to determine the root cause and distinguish apparent risks from core risks. Security professionals work with their teams to conduct both qualitative and quantitative analysis.

A

Prioritize and analyze core risks

41
Q

Understanding the organization’s overall mission and the functions that support the mission helps to place risks in context, determine the root causes and prioritize the assessment and analysis of these items. In most cases, management will provide direction for using the findings of the risk assessment to determine a prioritized set of risk-response actions.

One effective method to prioritize risk helps identify priority as the intersection of likelihood of occurrence and impact. It also gives the team a common language to use with management when determining the final priorities. For example, a low likelihood and a low impact might result in a low priority, while an incident with a high likelihood and high impact will result in a high priority. Assignment of priority may relate to business priorities, the cost of mitigating a risk or the potential for loss if an incident occurs.

A

Risk matrix

42
Q

Organizations must evaluate the likelihood and impact of the risk as well as their tolerance for different sorts of risk. A company in Hawaii is more concerned about the risk of volcanic eruptions than a company in Chicago, but the Chicago company will have to plan for blizzards. In those cases, determining risk tolerance is up to the executive management and board of directors. If a company chooses to ignore or accept risk, exposing workers to asbestos, for example, it puts the company in a position of tremendous liability.

A

Decision Making Based on Risk Priorities

43
Q

Varies across organizations, and even internally: Different departments may have different attitudes toward what is acceptable or unacceptable risk.

Often, this is dictated by geographic location. For example, companies in Iceland plan for the risks that nearby volcanoes impose on their business; companies outside the projected path of a lava flow are at lower risk than those directly in its path. Similarly, a power outage affecting the data center is a real threat everywhere, but in areas where thunderstorms are common, outages may occur more than once a month, while other areas may experience only one or two a year. Estimating the likelihood and cost of outages of varying lengths helps to define this. A company with a low tolerance for downtime is more likely to invest in a generator to power critical systems; a company with an even lower tolerance will invest in multiple generators with multiple fuel sources to provide a higher level of assurance that the power will not fail.

A

Risk tolerance

44
Q

Usually the starting point for getting management to take action regarding risks.

A

Understanding the organization and senior management’s attitude toward risk

45
Q

Determines what is an acceptable level of risk for the organization.

A

Executive management and/or the Board of Directors

46
Q

Aim to maintain the levels of risk within management’s limit of risk tolerance.

A

Security professionals

47
Q

Pertain to the physical, technical and administrative mechanisms that act as safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information. The implementation of this should reduce risk, hopefully to an acceptable level.

A

Security controls

48
Q

Address process-based security needs using physical hardware devices, such as badge readers, architectural features of buildings and facilities, and specific security actions to be taken by people. They typically provide ways of controlling, directing or preventing the movement of people and equipment throughout a specific physical location, such as an office suite, factory or other facility. These also provide protection and control over entry onto the land surrounding the buildings, parking lots or other areas that are within the organization's control. In most situations, they are supported by technical controls as a means of incorporating them into an overall security system.

Visitors and guests accessing a workplace, for example, must often enter the facility through a designated entrance and exit, where they can be identified, their visit’s purpose assessed, and then allowed or denied entry. Employees would enter, perhaps through other entrances, using company-issued badges or other tokens to assert their identity and gain access. These require technical controls to integrate the badge or token readers, the door release mechanisms and the identity management and access control systems into a more seamless security system.

A

Physical controls

49
Q

Also called logical controls, these are security controls that computer systems and networks directly implement. These controls can provide automated protection from unauthorized access or misuse, facilitate detection of security violations and support security requirements for applications and data. They can be configuration settings or parameters stored as data, managed through a software graphical user interface (GUI), or they can be hardware settings made with switches, jumper plugs or other means. However, the implementation of these always requires significant operational considerations and should be consistent with the management of security within the organization.

A

Technical controls

50
Q

Also known as managerial controls, these are directives, guidelines or advisories aimed at the people within the organization. They provide frameworks, constraints and standards for human behavior, and should cover the entire scope of the organization's activities and its interactions with external parties and stakeholders.

It is vitally important to realize that these can and should be powerful, effective tools for achieving information security. Even the simplest security awareness policies can be an effective control, if you can help the organization fully implement them through systematic training and practice.

Many organizations are improving their overall security posture by integrating them into the task-level activities and operational decision processes that their workforce uses throughout the day. This can be done by providing them as in-context ready reference and advisory resources, or by linking them directly into training activities. These and other techniques bring the policies to a more neutral level and away from the decision-making of only the senior executives. It also makes them immediate, useful and operational on a daily and per-task basis.

A

Administrative controls

51
Q

Acceptable Use Policy
Emergency Operations Procedure
Employee Awareness Training

A

Administrative controls

52
Q

Badge Reader
Stop Sign in Parking Lot
Door Lock

A

Physical controls

53
Q

Access Control List

A

Technical controls

54
Q

This can protect information in a file cabinet from being viewed by unauthorized persons (confidentiality) as well as keeping any documents from being modified (integrity).

A

Door Lock

55
Q

This one is abstract but could be linked to availability, because the sooner it works, the more data remains available.

A

Fire Extinguisher

56
Q

This can provide confidentiality by protecting data from unauthorized access and integrity from unauthorized changes. It could even be stretched to provide availability if shared emergency access to information is needed by more than one person.

A

Password Policy

57
Q

This is commonly used to protect data in transit and at rest from prying eyes, so it primarily serves confidentiality. It is also associated with integrity and non-repudiation, but those properties come from the related cryptographic primitives (hashes, message authentication codes and digital signatures) rather than from this alone; a file that is only encrypted, with no integrity check, can still be altered without detection.

A

Encryption

58
Q

This protects availability by ensuring continued access to systems during a power outage.

A

Generator

59
Q

This would most generally be associated with confidentiality and identity management, but could be argued for all three, the same as a password policy.  

A

Biometrics

60
Q

Requires that decisions are made, rules and practices are defined, and policies and procedures are in place to guide the organization in its pursuit of achieving its goals and mission.

When leaders and management implement the systems and structures that the organization will use to achieve its goals, they are guided by laws and regulations created by governments to enact public policy. Laws and regulations guide the development of standards, which cultivate policies, which result in procedures.

A

Governance elements

61
Q

The detailed steps to complete a task that support departmental or organizational policies.

A

Procedures

62
Q

Put in place by organizational governance, such as executive management, to provide guidance in all activities to ensure that the organization supports industry standards and regulations.

A

Policies

63
Q

Often used by governance teams to provide a framework to introduce policies and procedures in support of regulations.

A

Standards

64
Q

Commonly issued in the form of laws, usually from government (not to be confused with governance) and typically carry financial penalties for noncompliance.

A

Regulations

65
Q

An example of a law that governs the use of protected health information (PHI) in the United States. Violation of this law carries the possibility of fines and/or imprisonment for both individuals and companies.

A

The Health Insurance Portability and Accountability Act (HIPAA) of 1996

66
Q

Enacted by the European Union (EU) to control use of Personally Identifiable Information (PII) of its citizens and those in the EU. It includes provisions that apply financial penalties to companies who handle data of EU citizens and those living in the EU even if the company does not have a physical presence in the EU, giving this regulation an international reach.

A

General Data Protection Regulation (GDPR)

67
Q

Multinational organizations are subject to regulations in more than one nation in addition to multiple regions and municipalities.

A

Organizations need to consider the regulations that apply to their business at all levels—national, regional and local—and ensure they are compliant with the most restrictive regulation.

68
Q

Organizations use multiple of these as part of their information systems security programs, both as compliance documents and as advisories or guidelines. They cover a broad range of issues and ideas and may provide assurance that an organization is operating with policies and procedures that support regulations and are widely accepted best practices.

A

Standards

69
Q

Develops and publishes international standards on a variety of technical subjects, including information systems and information security, as well as encryption standards. It solicits input from the international community of experts before publishing. Documents outlining these standards may be purchased online.

A

International Organization for Standardization (ISO)

70
Q

A United States government agency under the Department of Commerce that publishes a variety of technical standards, including information technology and information security standards. Many of its standards are requirements for U.S. government agencies and are treated as recommended standards by industries worldwide. Its standards solicit and integrate input from industry and are free to download from its website.

A

National Institute of Standards and Technology (NIST)

71
Q

Sets the standards for Internet communication protocols (published as RFCs) that ensure all computers can connect with each other across borders, even when the operators do not speak the same language.

A

Internet Engineering Task Force (IETF)

72
Q

Also sets standards for telecommunications, computer engineering and similar disciplines.

A

Institute of Electrical and Electronics Engineers (IEEE)

73
Q

This is informed by applicable law(s) and specifies which standards and guidelines the organization will follow. It is broad, but not detailed; it establishes context and sets out strategic direction and priorities.

These are implemented, or carried out, by people; for that, someone must expand the policies from statements of intent and direction into step-by-step instructions, or procedures.

A

Policies

74
Q

Used to moderate and control decision-making, to ensure compliance when necessary and to guide the creation and implementation of other policies.

A

Governance policies

75
Q

Policies are often written at many levels across the organization. These are used by senior executives to shape and control decision-making processes. Others direct the behavior and activity of the entire organization as it moves toward specific or general goals and objectives. Functional areas such as human resources management, finance and accounting, and security and asset protection usually have their own sets of policies. Whether imposed by laws and regulations or by contracts, the need for compliance might also require the development of these that are documented and assessed for their effective use by the organization.

A

High-level governance policies

76
Q

Define the explicit, repeatable activities necessary to accomplish a specific task or set of tasks. They provide supporting data, decision criteria or other explicit knowledge needed to perform each task. These can address one-time or infrequent actions or common, regular occurrences. In addition, they establish the measurement criteria and methods to use to determine whether a task has been successfully completed. Properly documenting these and training personnel on how to locate and follow them is necessary for deriving the maximum organizational benefits from procedures.

A

Procedures

77
Q

All information security professionals who are certified by (ISC)² recognize that certification is a privilege that must be both earned and maintained. Every (ISC)² member is required

A

To commit to fully support the (ISC)² Code of Ethics.

78
Q

States the purpose and intent of the (ISC)² Code of Ethics.

The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.

A

Preamble

79
Q

Represent the important beliefs held in common by the members of (ISC)². Cybersecurity professionals who are members of (ISC)² have the following four duties:

Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.

A

Canons