SRM

Question 1

specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system within the context of the organization’s overall business risks

Answer 1

27001

Question 2

A standard that defines information’s confidentiality, integrity, and availability controls in a comprehensive information security management system

Answer 2

27002

Question 3

telecommunications organization guidelines

Answer 3

ISO/IEC 27011

Question 4

financial organization guidelines

Answer 4

ISO/IEC 27015

Question 5

Digital evidence guidelines

Answer 5

ISO/IEC 27037

Question 6

health organization guidelines

Answer 6

ISO/IEC 27799

Question 7

concern that is acceptable to responsible management, due to the cost and magnitude of implementing controls

Answer 7

acceptable risk

Question 8

A policy that establishes an agreement between users and the organization and defines for all parties the ranges of use that are approved before gaining access to a network or the Internet

Answer 8

acceptable use policy

Question 9

Permissions or privileges granted to users, programs, or workstations to create, change, delete or view data and files within a system as defined by rules established by data owners and the information security policy

Answer 9

access rights

Question 10

The ability to map a given activity or event back to the responsible party

Answer 10

accountablity

Question 11

The rules, procedures, and practices dealing with operational effectiveness, efficiency, and adherence to regulations and management policies

Answer 11

administrative controls

Question 12

an attacker repeatedly using multiple different attack vectors repeatedly to generate opportunities

Answer 12

advanced threat

Question 13

Manual or programmed activities intended to ensure the completeness and accuracy of records and the validity of entries made. The objectives of application controls are to ensure the completeness and accuracy of the records and the validity of the entries made therein resulting from manual and programmed processing

Answer 13

application controls

Question 14

Grounds for confidence that the other four security controls (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or bypass.

Answer 14

Assurance

Question 15

A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source

Answer 15

audit trail

Question 16

Uptime, ready, in a condition to be used

Answer 16

Availability

Question 17

An executive position charged with responsibility for managing and protecting information assets

Answer 17

Chief information security officer

Question 18

CFAA of 1986

Answer 18

Computer Fraud and Abuse Act (CFAA)

Affects any entities that may engage in hacking of “protected computers” as defined in the Act

Question 19

Computer Security Act of 1987

Answer 19

Was the first law written to require a formal computer security plan

Question 20

An organization’s protection of data in storage, during processing, and in transit for use by the subjects that are specifically intended to have access to the data or resource

Answer 20

Confidentiality

Question 21

A complete, internationally accepted process framework for IT that supports business and IT executives and IT management in their definition and achievement of business goals and related IT goals by providing a comprehensive IT governance, management, control and assurance model. COBIT describes IT processes and associated control objectives, management guidelines (activities, accountabilities, responsibilities, and performance metrics) and maturity models. COBIT supports enterprise management in the development, implementation, continuous improvement and monitoring of good IT-related practices.

Answer 21

Control Objectives for Information and related Technology

Question 22

The system by which organizations are directed and controlled. Boards of directors are responsible for the governance of their organizations. It consists of the leadership and organizational structures and processes that ensure the organization sustains and extends strategies and objectives.

Answer 22

Corporate governance

Question 23

The pattern of decisions in a company that determines and reveals its objectives, purposes or goals; produces the principal policies and plans for achieving those goals; and defines the range of business the company is to pursue, the kind of economic and human organization it is or intends to be, and the nature of the economic and non-economic contribution it intends to make to its shareholders, employees, customers and communities.

Answer 23

Corporate strategy

Question 24

a control after attack

Answer 24

Countermeasure

Question 25

to know more than one job

Answer 25

Cross training

Question 26

the guardian of asset(s), a maintenance activity

Answer 26

Custodian

Question 27

The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the organization.

Answer 27

Data classification

Question 28

Data is transferred from high network users to low network users

Answer 28

Data regrade

Question 29

The process of distributing computer processing to different locations within an organization

Answer 29

Decentralization

Question 30

The prevention of authorized access to resources or the delaying of time critical operations

Answer 30

Denial of Service

Question 31

A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource such that no single entity acting alone can access that resource

Answer 31

Dual control

Question 32

Managers and their organizations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed. Doing the right action at the right time.

Answer 32

Due care

Question 33

Establishing a plan, policy, and process to protect the interests of an organization. For example, developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Knowing what should be done and planning for it.

Answer 33

Due diligence

Question 34

ECPA of 1986

Answer 34

Electronic Communications Privacy Act

Extended government restrictions on wiretaps from telephone calls to include transmissions of electronic data by computer and prohibited access to stored electronic communications

Question 35

long term knowledge building

Answer 35

Education

Question 36

the principles a person sets for themselves to follow

Answer 36

Ethics

Question 37

an opportunity for a threat to cause loss. (terminology that encompasses many recent risk terms)

Answer 37

Exposure

Question 38

Federal Privacy Act of 1974

Answer 38

Affects any computer that contains records used by a federal agency

Question 39

FISA of 1978

Answer 39

Federal Intelligence Surveillance Act (FISA)

Affects law enforcement and intelligence agencies

Question 40

Executive responsibilities of goal setting, delegation, and verification, based upon the mission.

Answer 40

Governance

Question 41

written suggestions that direct choice to a few alternatives

Answer 41

Guidelines

Question 42

the one person responsible for data, its classification and control setting

Answer 42

Information owner

Question 43

The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly

Answer 43

Information security governance

Question 44

The overall combination of technical, operational and procedural measures, and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis

Answer 44

Information security program

Question 45

The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to these 4 items: 1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information 2. Unintentional errors and omissions 3. IT disruptions due to natural or man-made disasters 4. Failure to exercise due care and diligence in the implementation and operation of the IT system.

Answer 45

IT-Related Risk

Question 46

to move from location to location, keeping the same function

Answer 46

job rotation

Question 47

employment education done one per position or at significant change of function

Answer 47

job training

Question 48

A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users’ programs acting on their behalf

Answer 48

mandatory access control

Question 49

requirement to take time off

Answer 49

mandatory vacations

Question 50

a choice in risk management, to implement a control that limits or lessens negative effects

Answer 50

mitigate

Question 51

The rules outlining or delineating the way in which information about the use of computers, networks, applications and information is captured

Answer 51

monitoring policy

Question 52

Data or systems, passive

Answer 52

objects

Question 53

intermediate level, pertaining to planning

Answer 53

operational

Question 54

written core statements that rarely change

Answer 54

policy

Question 55

Freedom from unauthorized intrusion or disclosure of information about individuals

Answer 55

privacy

Question 56

Individual owned or ownership

Answer 56

private/privacy

Question 57

written step-by-step actions

Answer 57

procedure

Question 58

The portion of a security policy that states the general process that will be performed to accomplish a security goal

Answer 58

procedures

Question 59

a risk assessment method, intrinsic value

Answer 59

qualitative

Question 60

a risk assessment method, measurable real money cost

Answer 60

quantitative

Question 61

quantity of risk remaining after a control is applied
total risks - controls gap

Answer 61

residual risk

Question 62

the chance that something negative will occur

Answer 62

risk

Question 63

the collection and summation of risk data relating to a particular asset and controls for that asset

Answer 63

risk assessment

Question 64

The total process of identifying, controlling, and mitigating information system-related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, test, and security evaluation of safeguards. This overall system security review considers both effectiveness and efficiency, including impact on the mission and constraints due to policy, regulations, and laws.

Answer 64

risk management

Question 65

risk management phases

Answer 65

Framing
Assessing
Responding
Alternatives
Monitoring

Question 66

a control before attack

Answer 66

safeguard

Question 67

the level and label given to an individual for the purpose of compartmentalization

Answer 67

security clearance

Question 68

The five security goals are integrity, availability, confidentiality, accountability, and assurance

Answer 68

security goals

Question 69

Any form of measurement used to determine any aspect of the operation of any security-related activity

Answer 69

security metrics

Question 70

to break a business process into separate functions and assign to different people

Answer 70

separation of duties

Question 71

written internalized or nationalized norms that are internal to an organization

Answer 71

standard

Question 72

A management committee assembled to sponsor and manage various projects, such as an information security program

Answer 72

steering committee

Question 73

high level, pertaining to planning

Answer 73

strategic

Question 74

people or groups, active

Answer 74

subjects

Question 75

low level, pertaining to planning

Answer 75

tactical

Question 76

The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability

Answer 76

threat

Question 77

those who initiate the attack

Answer 77

threat agent

Question 78

The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment

Answer 78

threat analysis

Question 79

vehicle or tool that exploits a weakness

Answer 79

threats

Question 80

Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

Answer 80

threat-source

Question 81

calculation encompassing threats, vulnerabilities and assets
threats * vulnerabilities * assets

Answer 81

total risk

Question 82

a choice in risk management, to convince another to assume risk, typically by payment

Answer 82

transfer

Question 83

people who interact with assets

Answer 83

user

Question 84

weakness or flaw in an asset

Answer 84

vulnerability

Question 85

Framing Phase

Answer 85

Tactical/System
Operational/Business Process
Strategic/Whole business

Question 86

Assessing Phase

Answer 86

Set scope (Tactical/System, Operational/Business Process, Strategic/Whole business from Framing Phase)
Identify threat sources
Identify threat events
Identify vulnerabilities
Determine likelihood
Determine impacts
Determine risks

Question 87

Responding Phase

Answer 87

Developing alternatives
Evaluating alternatives (Avoid, Accept, Transfer from Alternatives Phase)
Determining course of action
Implementing (Mitigate = Control from Alternatives Phase)

Question 88

Alternatives Phase

Answer 88

Avoid = Stop Doing,
Accept = Do Nothing,
Transfer = Buy Insurance,
Mitigate = Control

Question 89

Monitoring Phase

Answer 89

Determining effectiveness of responses,
Identifying risk-impacting changes,
Verifying controls/compliance