Chapter 1: Security Governance Through Principles and Policies

Question 1

The CIA Triad

Answer 1

Confidentiality, Integrity, Availability

Question 2

The elements of AAA services

Answer 2

Identification
Authentication
Authorization
Auditing
Accountability

Question 3

The DAD Triad

Answer 3

Disclosure
Alteration
Destruction

Question 4

Nonrepudiation

Answer 4

Ensures that the subject of an activity or who caused an event cannot deny that the event occurred.
Prevents a subject from claiming not to have sent a message, performed an action, or been the cause of an event

Question 5

Authentication vs Authorization

Answer 5

Authentication is verifying identity is valid
Authorization is verifying a user is allowed to perform a specific action

Question 6

Abstraction

Answer 6

Used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective
Adds efficiency to carrying out a security plan

Question 7

Data Hiding

Answer 7

Preventing data from being discovered or accessed by a subject

Question 8

Security Boundary

Answer 8

Line of intersection between any two areas, subnets, or environments that have different security requirements or needs

Question 9

Security Governance

Answer 9

Collection of practices related to supporting, defining, and directing the security efforts of an organization

Question 10

Strategic Plan

Answer 10

Long term plan that is fairly stable, defines org’s goals, mission, and objectives

Question 11

Tactical Plan

Answer 11

Mid term plan developed to provide more details on accomplishing the goals set forth in the strategic plan

Question 12

Operational Plan

Answer 12

Short term, highly detailed, based on strategic and operational plans

Question 13

To create a comprehensive security plan, you need these items in place

Answer 13

Security Policy
Standards
Baselines
Guidelines
Procedures

Question 14

COBIT

Answer 14

Control Objectives for Information and Related Technology
Goals for IT- stakeholder needs are mapped down to IT related goals.

Question 15

Six Key Principles of COBIT

Answer 15

Provide Stakeholder Value
Holistic Approach
Dynamic Governance System
Governance Distinct from Management
Tailored to Enterprise Needs
End-to-End Governance System

Question 16

Due Diligence

Answer 16

Establishing a plan, policy, and process to protect the interests of an organization
Knowing what should be done and planning for it

Question 17

Due Care

Answer 17

Practicing the individual activities that maintain the due diligence effort
Doing the right action at the right time

Question 18

Threat Modeling

Answer 18

Security process where potential threats are identified, categorized, and analyzed
Can be done proactively during design and development or reactively once a product has been deployed

Question 19

NIST 800-53

Answer 19

Security and Privacy Controls for Information Systems and Organizations
Contains US Government sourced recommendations for security

Question 20

CIS

Answer 20

Center for Internet Security
Provides OS, application, and hardware configuration guides

Question 21

NIST RMF

Answer 21

Risk Management Framework
Mandatory requirements for federal agencies

Question 22

The six phases of NIST RMF

Answer 22

Categorize
Select
Implement
Assess
Authorize
Monitor

Question 23

NIST CSF

Answer 23

Cybersecurity Framework
Designed for critical infrastructure and commercial organizations.
Operational activities that are to be performed on an ongoing basis for the support and improvement of security over time

Question 24

The five functions of NIST CSF

Answer 24

Identify
Protect
Detect
Respond
Recover

Question 25

ISO 27001

Answer 25

International framework for establishment, implementation, control, and improvement of the Information Security Management System (ISMS)
Uses PDCA- Plan, Do, Check, Act

Question 26

ITIL

Answer 26

Information Technology Infrastructure Library
Set of recommended best practices
Focuses on understanding how IT and security need to be integrated with and aligned to the objectives of an organization
Often used as a starting point for the crafting of a customized security solution within an established infrastructure

Question 27

STRIDE

Answer 27

Microsoft developed threat categorization scheme
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

Question 28

PASTA

Answer 28

Process for Attack Simulation and Threat Analysis
Threat modeling methodology

Question 29

VAST

Answer 29

Visual, Agile, and Simple Threat
Threat modeling concept that integrates threat and risk management into an Agile programming environment on a scalable basis

Question 30

Threat modeling steps

Answer 30

Identify threats
Determine and diagram potential attacks
Perform reduction analysis
Document the means, target, and consequences of a threat
Prioritization and Response

Question 31

Reduction Analysis/Decomposition

Answer 31

Breaking down a system into individual components to fully understand inputs, processing, security, data management, storage, and outputs

Question 32

Five Key Concepts of Reduction Analysis

Answer 32

Trust Boundaries
Dataflow Paths
Input Points
Privileged Operations
Details about security stance and approach

Question 33

SCRM

Answer 33

Supply Chain Risk Management
Means to ensure all vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners

Question 34

OCTAVE

Answer 34

Operationally Critical Threat, Asset, and Vulnerability Evaluation
Self-directed risk management

Question 35

COSO

Answer 35

Committee of Sponsoring Organizations
Goals for the entire organization