107 Cyber Security Flashcards
(30 cards)
Define Information Assurance (IA)
Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.
Define Defensive Cyberspace Operations (DCO)
Missions executed to defend the DODIN, or other cyberspace that DOD cyberspace forces have been ordered to defend, from active threats in cyberspace.
Define Offensive Cyberspace Operations (OCO)
Missions intended to project power in and through foreign cyberspace through actions taken in support of CCDR or national objectives.
107.2 Define Certification
comprehensive evaluation of the technical and non-technical security safeguards of an information system that establishes the extent to which a particular design and implementation meets a set of specific security requirements.
107.2 Define Accreditation
a process in which certification of competency, authority, or credibility is presented.
107.2 Define DAA
The Designated Approving Authority is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.
107.2 Define System Security Plan
The purpose of the system security plan (SSP) is to provide an overview of the security requirements of the system and describe the controls in place or planned, and the responsibilities and expected behavior of all individuals who access the system.
107.2 Define ATO
Authorization to Operate, the official management decision issued by a DAA to authorize operation of an information system and to explicitly accept the residual risk to agency operations.
107.2 Define IATO
An Interim Authorization to Operate (IATO) is the temporary authorization granted by a DAA for an information system to process information based on preliminary results of a security evaluation of the system.
107.2 Define Configuration Management
Management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system.
107.3 Discuss security procedures involved when performing cross-domain transfers.
In addition to command-specified required training, transferring files from a lower classification to a higher classification requires malware scanning of the source files, but is not limited to the type of file being transferred. From a higher classification down, however, the files MUST be converted to a .txt document and run through a buster tool designed to look for key words to enable the user to safely transfer information without leaking potentially classified documents. Also, the user and a subject matter expert need to go through any document being transferred down to ensure that no potentially dangerous material is spilled onto an unclassified host.
107.4 Discuss Risk Management
Process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations.
107.5 Define the five attributes of IA
a. Confidentiality: is assurance that information is not disclosed to unauthorized individuals, processes, or devices.
b. Integrity: is assurance that information is not modified by unauthorized parties or in an unauthorized manner.
c. Availability: is assurance of timely, reliable access to data and Information Systems by authorized users. Availability-focused IA controls protect against degraded capabilities and denial of service conditions.
d. Non-repudiation: is assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data.
e. Authentication: is assurance that an e-mail message sender or receiver is who they claim to be.
107.7 Describe the DON World Wide Web Security Policy.
Provides primary governing policy for all unclassified DOD WWW sites to prevent the release of classified information.
Define: Information Assurance Vulnerability Alerts (IAVA)
address severe network vulnerabilities resulting in immediate and potentially severe threats to DON systems and information.
Define: Information Assurance Vulnerability Bulletins (IAVB)
address new vulnerabilities that do not pose an immediate risk to DON systems but are significant enough that noncompliance with the corrective action could increase the risk.
Define: Computer Tasking Order (CTO)
a formal tasking order that contains detailed guidance and missions for each component to accomplish.
Define: NTD (Navy Telecommunications Directive)
a formal tasking order that contains guidance for official Navy communication circuits.
Define: NIA/NIB/OIA/OIB
NMCI Information Advisory, NMCI Information Bulletin, Overseas Navy Enterprise Network Advisory, Overseas Navy Enterprise Network Bulletin
Define: Patch
Updates, fixes and/or enhancements to a software program delivered in the form of a single installable package.
107.9 Define vulnerability assessment
Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
107.10 Explain the difference between vulnerability and threat
- Vulnerability: Weakness in an IS, system security procedures, internal controls, or implementation that could be exploited.
- Threat: Any circumstance or event with the potential to adversely impact an IS through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
107.11 State the duties and responsibilities of the ISSM and ISSO.
The Information Systems Security Manager/Officer is the individual responsible to the Commanding Officer for the proper execution of an effective IA program for their system or site. The ISSM is designated in writing by the CO and is in overall charge of and responsible for the network, its security, and any training requirements to ensure the safety of the network, its systems, and its users.
107.12 Explain CSWF Specialty Codes and responsibilities
Personnel must meet and maintain the minimum qualification standards of their assigned Specialty Area/Work Role and proficiency level.