Security Principles

Question 1

CIA Triad

Answer 1

Confidentiality, Integrity and Availability

Question 2

Confidentiality

Answer 2

The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes.

Question 3

Personal Identifiable Information (PII)

Answer 3

Any information that can be used to distinguish or trace an individual’s identity and any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information.

Question 4

Classified or Sensitive Information

Answer 4

Information that has been determined to require protection against unauthorized disclosure and is marked to indicate its classified status and classification level when in documentary form.

Question 5

Sensitivity

Answer 5

A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection.

Question 6

Integrity

Answer 6

The property of information whereby it is recorded, used and maintained in a way that ensures its completeness, accuracy, internal consistency and usefulness for a stated purpose.

Question 7

Data Integrity

Answer 7

The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing and while in transit.

Question 8

System Integrity

Answer 8

The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.

Question 9

State

Answer 9

The condition an entity is in at a point in time.

Question 10

Baseline

Answer 10

A documented, lowest level of security configuration allowed by a standard or organization.

Question 11

Authentication

Answer 11

Access control process validating that the identity being claimed by a user or entity is known to the system, by comparing one (single-factor or SFA) or more (multi-factor authentication or MFA) factors of identification.

Question 12

Thee common methods of authentication:

Answer 12

Something you know (Knowledge-based), Something you have (Token-based), Something you are(Carachteristic-based).

Question 13

Example of a something you know authentiction method

Answer 13

Passwords or paraprhrases.

Question 14

Example of a something you have authentication method

Answer 14

Tokens, memory cards, smart cards

Question 15

Example of a something you are authentication method

Answer 15

Biometrics, measurable characteristics

Question 16

Token

Answer 16

A physical object a user possesses and controls that is used to authenticate the user’s identity.

Question 17

Biometrics

Answer 17

Biological characteristics of an individual, such as a fingerprint, hand geometry, voice, or iris patterns.

Question 18

Non-repudiation

Answer 18

The inability to deny taking an action such as creating information, approving information and sending or receiving a message.

Question 19

Privacy

Answer 19

The right of an individual to control the distribution of information about themselves.

Question 20

Asset

Answer 20

Anything of value that is owned by an organization. Assets include both tangible items such as information systems and physical property and intangible assets such as intellectual property.

Question 21

Vulnerability

Answer 21

Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.

Question 22

Threat

Answer 22

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.

Question 23

Risk Treatment (Deifinition)

Answer 23

The determination of the best way to address an identified risk.

Question 24

Types of Risk Treatment

Answer 24

Avoidance, Acceptance, Mitigation and Transfer

Question 25

Risk Avoidance

Answer 25

The decision to attempt to eliminate the risk entirely.

Question 26

Risk Acceptance

Answer 26

Taking no action to reduce the likelihood of a risk occurring.

Question 27

Risk Mitigation

Answer 27

Taking actions to prevent or reduce the possibility of a risk event or its impact.

Question 28

Risk Transference

Answer 28

The practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment.

Question 29

Qualitative Risk Analysis

Answer 29

A method for risk analysis that is based on the assignment of a descriptor such as low, medium or high.

Question 30

Quantitative Risk Analysis

Answer 30

A method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain.

Question 31

Risk Tolerance

Answer 31

The level of risk an entity is willing to assume in order to achieve a potential desired result. Risk threshold, risk appetite and acceptable risk are also terms used synonymously with risk tolerance.

Question 32

Security Controls

Answer 32

The management, operational and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information.

Question 33

Types of security controls

Answer 33

Physical, Administrative and Technical

Question 34

Physical Controls

Answer 34

Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.

Question 35

Technical Controls

Answer 35

Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.

Question 36

Administrative Controls

Answer 36

Controls implemented through policy and procedures. Examples include access control processes and requiring multiple personnel to conduct a specific operation. Administrative controls in modern environments are often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for new users that requires login and approval by the hiring manager.

Question 37

Adequate Security

Answer 37

Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of information.

Question 38

Artificial Intelligence

Answer 38

The ability of computers and robots to simulate human intelligence and behavior.

Question 39

Authorization

Answer 39

The right or a permission that is granted to a system entity to access a system resource.

Question 40

Bot

Answer 40

Malicious code that acts like a remotely controlled “robot” for an attacker, with other Trojan and worm capabilities.

Question 41

Criticality

Answer 41

A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.

Question 42

Encryption

Answer 42

The process and act of converting the message from its plaintext to ciphertext. Sometimes it is also referred to as enciphering. The two terms are sometimes used interchangeably in literature and have similar meanings.

Question 43

Governance

Answer 43

The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make those decisions.

Question 44

Impact

Answer 44

The magnitude of harm that could be caused by a threat’s exercise of a vulnerability.

Question 45

Information Security Risk

Answer 45

The potential adverse impacts to an organization’s operations (including its mission, functions and image and reputation), assets, individuals, other organizations, and even the nation, which results from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems.

Question 46

Likelyhood

Answer 46

The probability that a potential vulnerability may be exercised within the construct of the associated threat environment.

Question 47

Likelihood of Occurrence

Answer 47

A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities.

Question 48

Probability

Answer 48

The chances, or likelihood, that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities.

Question 49

Risk

Answer 49

A possible event which can have a negative impact upon the organization.

Question 50

Risk Management Framework

Answer 50

A structured approach used to oversee and manage risk for an enterprise.

Question 51

Threat Actor

Answer 51

An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to occur.

Question 52

Threat Vector

Answer 52

The means by which a threat actor carries out their objectives.