Udemy-Domain 1

Question 1

the opposite of CIA is ___

Answer 1

Disclosure, Destruction and Alteration

Question 2

Type 1 authentication is \_\_\_, 
type 2 is \_\_\_, 
type 3 is \_\_\_, 
type 4 is \_\_\_, 
type 5 is \_\_\_

Answer 2

• something you know
• something you have
• something you are (inherent)
• somewhere you are
• something you do

Question 3

a cookie on your PC could be a type ___ authentication

Answer 3

2 (something you have)

Question 4

the IP/Mac address of your computer could serve as a type ___ authentication

Answer 4

4 (somewhere you are)

Question 5

a pattern unlock on a cellphone could serve as a type ___ authentication

Answer 5

5 (something you do)

Question 6

the risk appetite of an organization could be ___, ___ or ___

Answer 6

aggressive; neutral; adverse

Question 7

OCTAVE

Answer 7

Self Directed risk management (Operationally Critical Threat, Asset and Vulnerability Evaluation)

Question 8

COBIT

Answer 8

Goals for IT - stakeholder needs are mapped down to IT related goals (Control Objectives for Information and related Technologies)

Question 9

COSO

Answer 9

Goals for an entire organization (Committee Of Sponsoring Organizations)

Question 10

ITIL

Answer 10

IT service management (Information Technology Infrastructure Library)

Question 11

FRAP

Answer 11

Analyses one business unit/application/system at a time in a roundtable with Internal employees. Impact analyzed, threats and risks prioritized (Facilitated Risk Analysis Process)

Question 12

PCI-DSS

Answer 12

Payment Card Industry Data Security Standard

Question 13

ISO 27001

Answer 13

framework of Requirements for establishing, implementing and improving an information security management system (Plan, Do, Check, Act)

Question 14

ISO 27002

Answer 14

framework of practical advise on implementing security controls in 10 domains

Question 15

ISO 27004

Answer 15

framework of metrics of success for an information security management system

Question 16

ISO 27005

Answer 16

framework for a Standards based approach to risk management

Question 17

ISO 27799

Answer 17

framework of directives on how to protect PHI

Question 18

Criminal standard of proof is ___,
the victim is ___
and possible punishments include ___
for the purpose of ___

Answer 18

• “beyond a reasonable doubt”
• society
• incarceration, death or fines
• deterrence

Question 19

Civil/tort standard of proof is ___,
possible punishments include ___
for the purpose of ___

Answer 19

• majority of the proof (“preponderance of the evidence”)
• financial fines
• compensating the victims

Question 20

Administrative/regulatory standard of proof is ___

Answer 20

“more likely than not”

Question 21

Due Diligence is satisfied by ___, but Due Care is satisfied by ___

Answer 21

research; action (what would a prudent person do?)

Question 22

negligence is the opposite of ___

Answer 22

Due Care

Question 23

___ determines your liability for an event

Answer 23

Due Care

Question 24

Real evidence is ___,

Direct evidence is ___,

Answer 24

• physical objects

- first-hand witness testimony

Question 25

the Basic Evidence rule says that evidence should be ___ (5)

Answer 25

1. accurate
2. relevant
3. convincing
4. complete
5. authentic

Question 26

logs and documents from systems are considered ___ evidence

Answer 26

secondary

Question 27

the ___ protects against unreasonable search and seizure

Answer 27

fourth amendment

Question 28

___ circumstances may allow certain searches and seizures if there is immediate threat to human life or destruction of evidence

Answer 28

exigent

Question 29

(illegal) entrapment is ___ but (legal) enticement is ___

Answer 29

persuading someone to commit a crime (creating intent/motive); making a crime easier (presenting means/opportunity)

Question 30

copyrights are granted ___ for ___ years,

trademarks are granted ___ for ___ years

Answer 30

• automatically; 70/95

- after registration; 10

Question 31

trade secrets are protected by ___

Answer 31

company security only

Question 32

using a cryptographic algorithm without permission could be a ___ infringement

Answer 32

patent

Question 33

using software without a license could be a ___ infringement

Answer 33

copyright

Question 34

HIPAA laws apply to ___, ___ and ___

Answer 34

health care providers; insurers; clearinghouses (claims handlers)

Question 35

HIPAA has 3 rules:

Answer 35

Privacy rule, Security rule and Breach Notification rule

Question 36

HIPAA requires security controls in the following layers:

Answer 36

administrative, technical and physical

Question 37

general Breach Notification laws belong to the ___ jurisdiction, and often contain exclusions if the data is ___

Answer 37

state (none exist in Alabama or South Dakota); encrypted

Question 38

the ___ (act) protects electronic communications against warrantless wiretapping in the US, but was weakened by the Patriot act

Answer 38

ECPA (Electronic Communications Privacy Act)

Question 39

most computer crimes are prosecuted under the ___ (act)

Answer 39

CFAA (Computer Fraud and Abuse Act)

Question 40

consumer financial information is protected by the ___ (act)

Answer 40

GLBA (Gramm-Leach-Bliley Act)

Question 41

the GLBA, which protects consumer financial data, is driven by the ___ (council)

Answer 41

FFIEC (Federal Financial Institutions Examination Council)

Question 42

the ___ (act) regulates the financial reporting of publicly traded companies in the financial services industry

Answer 42

SOX (Sarbanes-Oxley act)

Question 43

the ___ provides international guidelines for data privacy

Answer 43

OECD (Organization for Economic Cooperation and Development)

Question 44

the OECD guidelines for data protection have 8 driving principles:

1. ___
2. ___
3. purpose specification
4. use limitation
5. security safeguards
6. openness
7. ___
8. ___

Answer 44

1. collection limitation
2. data quality
   …
3. individual participation
4. accountability

Question 45

the ___ agreement has import/export control for arms and dual-use (commercial and wartime application) technologies including cryptography, for 41 countries

Answer 45

Wassenaar

Question 46

the OECD guidelines for data protection have 8 driving principles:

1. collection limitation
2. data quality
3. ___
4. ___
5. ___
6. ___
7. individual participation
8. accountability

Answer 46

3. purpose specification
4. use limitation
5. security safeguards
6. openness

Question 47

an SLA with a vendor often includes your right to ___ and ___ their IT systems

Answer 47

audit; penetration test

Question 48

having a customer in Europe automatically makes you subject to the ___

Answer 48

GDPR (General Data Protection Regulation)

Question 49

violation of a GDPR regulation could mean a fine of ___

Answer 49

20 million pounds or up to 4% of annual worldwide turnover, whichever is greater

Question 50

GDPR provisions:

1. Restrictions (police/military can still unmask)
2. Right to access
3. Right to erasure (“to be forgotten”)
4. ___
5. ___
6. ___
7. ___

Answer 50

4. Data portability (electronic format)
5. Breach notification (72 hrs)
6. Privacy by design (and “need to know” for completion of duties retained only)
7. Data protection officers appointed

Question 51

GDPR provisions:

1. ___
2. ___
3. ___
4. Data portability (electronic format)
5. Breach notification (72 hrs)
6. Privacy by design (and “need to know” for completion of duties retained only)
7. Data protection officers appointed

Answer 51

1. Restrictions (police/military can still unmask)
2. Right to access
3. Right to erasure (“to be forgotten”)

Question 52

ICS2 Code of Ethics Preamble:

Answer 52

1. Safety and welfare of Society and the Common Good
2. Duty to our Principles, and to each other
3. Requires that we Adhere, and be seen to Adhere to the Highest ethical standards of behavior

Question 53

ICS2 Code of Ethics Canons:

Answer 53

1. Protect Society, the common good, necessary public trust and confidence, and the infrastructure
2. Act honorably, honestly, justly, responsibly and legally.
3. Provide diligent and competent service to principles
4. Advance and protect the profession

Question 54

Ten Commandments of the Computer Ethics Institute:

1. ___
2. ___
3. ___
4. ___
5. Thou shalt not us a computer to bear false witness
6. Thou shalt not copy or use proprietary software for which you have not paid
7. Thou shalt not use other people’s computer resources without authorization or proper compensation
8. Thou shalt not appropriate other people’s intellectual output
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans

Answer 54

1. Thou shalt not use a computer to harm other people
2. Thou shalt not interfere with other people’s computer work
3. Thou shalt not snoop around in other people’s computer files
4. Thou shalt not use a computer to steal

Question 55

Ten Commandments of the Computer Ethics Institute:

1. Thou shalt not use a computer to harm other people
2. Thou shalt not interfere with other people’s computer work
3. Thou shalt not snoop around in other people’s computer files
4. Thou shalt not use a computer to steal
5. ___
6. ___
7. ___
8. Thou shalt not appropriate other people’s intellectual output
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans

Answer 55

5. Thou shalt not us a computer to bear false witness
6. Thou shalt not copy or use proprietary software for which you have not paid
7. Thou shalt not use other people’s computer resources without authorization or proper compensation

Question 56

Ten Commandments of the Computer Ethics Institute:

1. Thou shalt not use a computer to harm other people
2. Thou shalt not interfere with other people’s computer work
3. Thou shalt not snoop around in other people’s computer files
4. Thou shalt not use a computer to steal
5. Thou shalt not us a computer to bear false witness
6. Thou shalt not copy or use proprietary software for which you have not paid
7. Thou shalt not use other people’s computer resources without authorization or proper compensation
8. ___
9. ___
10. ___

Answer 56

8. Thou shalt not appropriate other people’s intellectual output
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans

Question 57

IAB’s Unethical Behavior:

1. Seeks to gain unauthorized access to the resources of the Internet
2. Disrupts the intended use of the internet
3. ___ by:
   a) ___
   b) ___

Answer 57

3. Wastes resources (people, capacity, computer) by:
   a) destroying the integrity of computer-based information
   b) compromising the privacy of users

Question 58

The 5 levels of (internal) Information Security Governance are:

1. Policies (Mandatory, high level, non-specific)
2. Standards (Mandatory, specific use of technology)
3. Guidelines (non-Mandatory recommendations)
4. ___
5. ___

Answer 58

4. Procedures (Mandatory step-by-step guides)

5. Baseline/Benchmarks (non-Mandatory minimums)

Question 59

Personnel Security Principles:

1. ___
2. ___
3. ___
4. Employee Termination Practices (warnings, and deprovisioning)
5. Vendors, Consultants and Contractor Security (ensure they have training and meet our standards)
6. Outsourcing and Offshoring

Answer 59

1. Awareness (necessary to change behavior)
2. Training (create a skillset)
3. Hiring Practices (Background check, NDA)

Question 60

Personnel Security Principles:

1. Awareness (necessary to change behavior)
2. Training (create a skillset)
3. Hiring Practices (Background check, NDA)
4. ___
5. ___
6. ___

Answer 60

4. Employee Termination Practices (warnings, and deprovisioning)
5. Vendors, Consultants and Contractor Security (ensure they have training and meet our standards)
6. Outsourcing and Offshoring

Question 61

6 Types of Access Control:

Answer 61

1. Preventative
2. Detective
3. Corrective
4. Recovery (backups, alternate sites..)
5. Deterrent
6. Compensating

Question 62

AV

Answer 62

Asset Value

Question 63

EF

Answer 63

Exposure Factor (% of Asset Value)

Question 64

SLE

Answer 64

Single Loss Expectancy (AV x EF = cost of one incident)

Question 65

ARO

Answer 65

Annual Rate of Occurrence

Question 66

ALE

Answer 66

Annualized Loss Expectancy

Question 67

TCO

Answer 67

Total Cost of Ownership (mitigated cost upfront + normally operational)

Question 68

US framework publication for risk analysis

Answer 68

NIST 800-30 (National Institute of Standards and Technology)

Question 69

NIST 800-30 Risk Management 9 step process

1. ___
2. ___
3. ___
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis (loss of CIA)
7. Risk Determination (from 5 and 6)
8. Control Recommendations (consider all types and categories of controls)
9. Results Documentation

Answer 69

1. System Characteristics (scope, boundaries, sensitivity)
2. Threat Identification
3. Vulnerability Identification

Question 70

NIST 800-30 Risk Management 9 step process

1. System Characteristics (scope, boundaries, sensitivity)
2. Threat Identification
3. Vulnerability Identification
4. ___
5. ___
6. ___
7. Risk Determination (from 5 and 6)
8. Control Recommendations (consider all types and categories of controls)
9. Results Documentation

Answer 70

4. Control Analysis
5. Likelihood Determination
6. Impact Analysis (loss of CIA)

Question 71

NIST 800-30 Risk Management 9 step process

1. System Characteristics (scope, boundaries, sensitivity)
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis (loss of CIA)
7. ___
8. ___
9. ___

Answer 71

7. Risk Determination (from 5 and 6)
8. Control Recommendations (consider all types and categories of controls)
9. Results Documentation

Question 72

Circumstantial evidence is ___,
Corroborative evidence is ___
and heresay is ___

Answer 72

• facts supporting an assertion or other evidence
• support for facts or elements of a case
• testimony by one without first-hand knowledge (not admissible)

Question 73

Patents are granted ___ for ___ years, and must be ___, ___ and ___

Answer 73

• after application; 20; novel, useful, non-obvious

Question 74

IAB’s Unethical Behavior:

1. ___
2. ___
3. Wastes resources (people, capacity, computer) by:
   a) destroying the integrity of computer-based information
   b) compromising the privacy of users

Answer 74

1. Seeks to gain unauthorized access to the resources of the Internet
2. Disrupts the intended use of the internet

Question 75

The 5 levels of (internal) Information Security Governance are:

1. ___
2. ___
3. ___
4. Procedures (Mandatory step-by-step guides)
5. Baseline/Benchmarks (non-Mandatory minimums)

Answer 75

1. Policies (Mandatory, high level, non-specific)
2. Standards (Mandatory, specific use of technology)
3. Guidelines (non-Mandatory recommendations)