Security Governance Through Principles and Policies

Question 1

Understand the CIA Triad elements of confidentiality, integrity, and availability

Answer 1

Confidentiality is the principle that objects are not disclosed to unauthorized subjects. Integrity is the principle that objects retain their veracity and are intentionally modified only by authorized subjects. Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects.

Question 2

Know the elements of AAA services

Answer 2

AAA is composed of identification, authentication, authorization, auditing, and accountability.

Question 3

Be able to explain how identification works

Answer 3

Identification is the process by which a subject professes an identity and accountability is initiated. A subject must provide an identity to a system to start the process of authentication, authorization, and accountability.

Question 4

Understand the process of authentication

Answer 4

Authentication is the process of verifying or testing that a claimed identity is valid. Authentication requires information from the subject that must exactly correspond to the identity indicated.

Question 5

Know how authorization fits into a security plan

Answer 5

Once a subject is authenticated, its access must be authorized. The process of authorization ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity.

Question 6

Be able to explain the auditing process

Answer 6

Auditing is the programmatic means by which subjects are held accountable for their actions while authenticated on a system through the documentation or recording of subject activities.

Question 7

Understand the importance of accountability

Answer 7

Security can be maintained only if subjects are held accountable for their actions. Effective accountability relies on the capability to prove a subject’s identity and track their activities.

Question 8

Be able to explain nonrepudiation

Answer 8

Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred. It prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.

Question 9

Know about defense in depth

Answer 9

Defense in depth, also known as layering, is simply the use of multiple controls in a series. Using a multilayered solution allows for numerous different controls to guard against whatever threats come to pass.

Question 10

Be able to explain the concept of abstraction

Answer 10

Abstraction is used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. It adds efficiency to carrying out a security plan.

Question 11

Understand data hiding

Answer 11

Data hiding is exactly what it sounds like: preventing data from being discovered or accessed by a subject. It is often a key element in security controls as well as in programming.

Question 12

Know about security boundaries

Answer 12

A security boundary is the line of intersection between any two areas, subnets, or environments that have different security requirements or needs.

Question 13

Understand security governance

Answer 13

Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization.

Question 14

Know about third-party governance

Answer 14

Third-party governance is the system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. The actual method of governance may vary, but it generally involves an outside investigator or auditor.

Question 15

Understand documentation review

Answer 15

Documentation review is the process of reading the exchanged materials and verifying them against standards and expectations. In many situations, especially related to government or military agencies or contractors, failing to provide sufficient documentation to meet requirements of third-party governance can result in a loss of or a voiding of authorization to operate (ATO).

Question 16

Understand alignment of security function to business strategy, goals, mission, and objectives

Answer 16

Security management planning ensures proper creation, implementation, and enforcement of a security policy. Security management planning aligns the security functions to the strategy, goals, mission, and objectives of the organization. This includes designing and implementing security based on business cases, budget restrictions, or scarcity of resources.

Question 17

Know what a business case is

Answer 17

A business case is usually a documented argument or stated position in order to define a need to make a decision or take some form of action. To make a business case is to demonstrate a business-specific need to alter an existing process or choose an approach to a business task. A business case is often made to justify the start of a new project, especially a project related to security.

Question 18

Understand security management planning

Answer 18

Security management is based on three types of plans: strategic, tactical, and operational. A strategic plan is a long-term plan that is fairly stable. It defines the organization’s goals, mission, and objectives. The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan. Operational plans are short-term and highly detailed plans based on the strategic and tactical plans.

Question 19

Know the elements of a formalized security policy structure

Answer 19

To create a comprehensive security plan, you need the following items in place: security policy, standards, baselines, guidelines, and procedures.

Question 20

Understand organizational process

Answer 20

Security governance needs to address every aspect of an organization. This includes the organizational processes of acquisitions, divestitures, and governance committees.

Question 21

Understand key security roles

Answer 21

The primary security roles are senior manager, security professional, asset owner, custodian, user, and auditor.

Question 22

Know the basics of COBIT

Answer 22

Control Objectives for Information and Related Technology (COBIT) is a security concept infrastructure used to organize the complex security solutions of companies.

Question 23

Understand due diligence and due care

Answer 23

Due diligence is establishing a plan, policy, and process to protect the interests of an organization. Due care is practicing the individual activities that maintain the due diligence effort. Due diligence is knowing what should be done and planning for it; due care is doing the right action at the right time.

Question 24

Know the basics of threat modeling

Answer 24

Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. Key concepts include assets/attackers/software, STRIDE, PASTA, VAST, diagramming, reduction/decomposing, and DREAD.

Question 25

Understand supply chain risk management (SCRM) concepts

Answer 25

SCRM is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners. SCRM includes evaluating risks associated with hardware, software, and services; performing thirdparty assessment and monitoring; establishing minimum security requirements; and enforcing service-level requirements.