Terms & Definitions

Question 1

What is “The CIA Triad”?

Answer 1

To define security, it has become common to use Confidentiality, Integrity and Availability, known as the CIA triad.

This describes security using relevant and meaningful words that make security more understandable to management and users and define its purpose

Question 2

What is “Confidentiality”?

Answer 2

Confidentiality relates to permitting authorized access to information, while at the same time protecting information from improper disclosure.

Question 3

What is “Integrity”?

Answer 3

Integrity is the property of information whereby it is recorded, used and maintained in a way that ensures its completeness, accuracy, internal consistency and usefulness for a stated purpose.

Question 4

What is “Availability”?

Answer 4

Availability means that systems and data are accessible at the time users need them.

Question 5

What is “PII”?

Answer 5

Personally Identifiable Information (PII):

any
information that can be used to distinguish or trace an individual’s identity, such as name, Social
Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any
other information that is linked or linkable to an individual, such as medical, educational, financial
and employment information.”

Question 6

What is the NIST Definition of “Confidentiality”?

Answer 6

The National Institute of Standards and Technology, known as NIST, in its Special Publication 800-
122 defines PII as “any information about an individual maintained by an agency, including (1)

Question 7

What is “Protected Health Information (PHI)”?

Answer 7

Information regarding health status, the provision of healthcare or payment for healthcare as de-
fined in HIPAA (Health Insurance Portability and Accountability Act).

Question 8

What is “Classified or Sensitive Information”?

Answer 8

Information that has been determined to require protection against unauthorized disclosure and is marked to indicate its classified status and classification level when in documentary form.

Question 9

Integrity measures _____

Answer 9

…the degree to which something is whole and complete, internally consistent and correct. The concept of integrity applies to:

• information or data
• systems and processes for business * operations
• organizations
• people and their actions

Question 10

Data integrity is the assurance that _____

Answer 10

…data has not been altered in an unauthorized manner.

Question 11

What is “Data Integrity”?

Answer 11

The property that data has not been altered in an unauthorized manner. Data integrity covers data
in storage, during processing and while in transit.

Question 12

What is “System Integrity”?

Answer 12

The quality that a system has when it performs its intended function in an unimpaired manner, free
from unauthorized manipulation of the system, whether intentional or accidental.

Question 13

What is “state”?

Answer 13

The condition an entity is in at a point in time.

Question 14

What is “baseline”?

Answer 14

A documented, lowest level of security configuration allowed by a standard or organization.

Question 15

Availability can be defined as ____?

Answer 15

• (1) timely and reliable access to information and the ability to use it, and
• (2) for authorized users, timely and reliable access to data and information services.

Question 16

What is “criticality,”?

Answer 16

A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.

Question 17

What is “authentication”?

Answer 17

Access control process validating that the identity being claimed by a user or entity is known to
the system, by comparing one (single-factor or SFA) or more (multi-factor authentication or MFA)
factors of identification.

Authentication is a process to prove the identity of the requestor.

Question 18

What is a “token”?

Answer 18

A physical object a user possesses and controls that is used to authenticate the user’s identity.

Question 19

What is “biometrics”?

Answer 19

Biological characteristics of an individual, such as a fingerprint, hand geometry, voice, or iris pat-
terns.

Question 20

What is “Multi-Factor Authentication”?

Answer 20

Using two or more distinct instances of the three factors of authentication (something you know,
something you have, something you are) for identity verification.

Question 21

What is “Single-Factor Authentication”?

Answer 21

Use of just one of the three available factors (something you know, something you have, some-
thing you are) to carry out the authentication process being requested.

Question 22

Three common techniques for authentication:

Answer 22

• Knowledge-based 
• Token-based 
• Characteristic-based 

Question 23

What is “Non-repudiation”?

Answer 23

The inability to deny taking an action such as creating information, approving information and
sending or receiving a message.

Question 24

What is “Privacy”?

Answer 24

The right of an individual to control the distribution of information about themselves.

Question 25

What is “General Data Protection Regulation (GDPR)”?

Answer 25

In 2016, the European Union passed comprehensive legislation that addresses personal privacy,
deeming it an individual human right.

Question 26

An asset is…

Answer 26

something in need of protection.

Question 27

A vulnerability is…

Answer 27

a gap or weakness in protection efforts.

Weakness in an information system, system security procedures, internal controls or implementa-
tion that could be exploited by a threat source.

Question 28

A threat is…

Answer 28

something or someone that aims to exploit a vulnerability to thwart protection efforts.

Question 29

What is a “Threat Vector”?

Answer 29

The means by which a threat actor carries out their objectives.

Question 30

What is a “Threat Actor”?

Answer 30

An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to occur.

Question 31

What is “Risk Avoidance”?

Answer 31

Is the decision to attempt to eliminate the risk entirely.

Question 32

What is “Risk Acceptance”?

Answer 32

Is taking no action to reduce the likelihood of a risk occurring.

Question 33

What is “Risk Mitigation”?

Answer 33

Taking actions to prevent or reduce the possibility of a risk event or its impact

Question 34

What is “Risk Transference”?

Answer 34

Is the practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment.

Question 35

What are “security controls”?

Answer 35

The management, operational and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity and availability of the
system and its information.

Question 36

What are “physical controls?

Answer 36

Controls implemented through a tangible mechanism. Examples include walls, fences, guards,
locks, etc. In modern organizations, many physical control systems are linked to technical/logical
systems, such as badge readers connected to door locks.

Question 37

What are “technical controls”?

Answer 37

Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.

Question 38

What are “administrative controls”?

Answer 38

Controls implemented through policy and procedures.
Examples include access control processes
and requiring multiple personnel to conduct a specific operation. Administrative controls in mod-
ern environments are often enforced in conjunction with physical and/or technical controls, such as
an access-granting policy for new users that requires login and approval by the hiring manager.

Question 39

Regulations & Laws:

Question 40

Standards:

Question 41

Policies:

Question 42

Procedures: