2022 Paper Flashcards

(55 cards)

1
Q

What are the three tiers of Risk Management Hierarchy?

A

The three tiers of the NIST risk management hierarchy (SP 800-39) are Tier 1, Organisation; Tier 2, Mission/Business Process; and Tier 3, Information System. Tiers 1 and 2 address risk strategically and systemically, across the organisation and its business processes, setting the governance and context; Tier 3 addresses risk tactically at the level of individual information systems, which is where the Risk Management Framework is applied.

2
Q

What types of Threat Source are there?

A

Adversarial (individuals, groups, organisations or nation states seeking to exploit the organisation's dependence on cyber resources), Accidental (erroneous actions taken by individuals), Structural (failures of equipment, environmental controls or software) and Environmental (natural disasters and failures of critical infrastructure the organisation depends on)

3
Q

In John Adams’s book, what are the three types of risk?

A

Risks perceived directly (e.g. climbing a tree, riding a bike: judged by experience and intuition), risks perceived through science (e.g. cholera: you need a microscope to see the cause or understand it) and virtual risks (where scientists do not know or do not agree, e.g. pesticide residues)

4
Q

What is the difference between a threat source and a threat event?

A

A threat source is the origin of a potential threat: either an intent and method aimed at exploiting a vulnerability (adversarial), or a situation and method that may exploit a vulnerability accidentally (non-adversarial). A threat event is the actual event or situation, initiated or caused by a threat source, that has the potential to cause harm, i.e. the vulnerability actually being exploited or the failure actually occurring

5
Q

What is MDM?

A

Mobile Device Management: software that, once installed (enrolled) on a device, gives the organisation a degree of control over the device itself, such as monitoring, enforcing configuration and supervision

6
Q

What is MAM?

A

Mobile Application Management: software that, once installed on a device, lets the organisation control the software on the device rather than the device as a whole, allowing it to update, install, restrict and delete applications

7
Q

What is Biographical Identity?

A

Education, qualifications, where you have lived, employment history: any information about a person's life that can be combined to identify them

8
Q

What are the five components of Identity Management Systems?

A

Data Repository components, Security Components, Lifecycle Components, Consumable Value Components, Management Components

9
Q

What are Data Repository Components?

A

Storage and Management of identity information

10
Q

What are Security Components?

A

Authentication Providers, Authorisation Providers and Auditing Providers

11
Q

What are Lifecycle Components?

A

Provisioning, the automation of all procedures and tools to manage the lifecycle of an identity, and Longevity, the creation of a historical record of an identity

12
Q

What are Consumable Value Components?

A

Single Sign-On (reducing the number of usernames and passwords a user must manage), Personalisation (preference management) and Self Service (enabling users to register themselves for access to business services)

13
Q

What are Management Components?

A

User Management (managing user profiles and preferences), Access Control Management (managing authentication and authorisation), Privacy Management (implementing privacy requirements) and Federation Management (establishing trusted relationships with other organisations)

14
Q

What is Federated Identity Management?

A

A model in which identity information is held and asserted by multiple identity providers rather than a single central store. Organisations that trust one another (a federation) accept identities issued by each other's providers, so a user authenticated by one member's identity provider can be granted access to another member's services without a separate local account

15
Q

What are the issues with Federated Identity Management?

A

Identities change over time, and the identity asserted through the federation can drift from the identity a company holds locally, so the two can disagree about who a user is and what they are entitled to

16
Q

What are the 3 Service Models for Cloud Computing?

A

Software as a Service (SaaS): the consumer uses an application that runs on the provider's infrastructure. Platform as a Service (PaaS): the consumer creates and deploys their own applications onto a platform the provider manages. Infrastructure as a Service (IaaS): the consumer is provisioned raw compute, storage and networking and is free to deploy their own operating systems and software on top of it

17
Q

What are the 4 Deployment Models for Cloud Computing?

A

Private Cloud, exclusive use for a single organisation, Community Cloud, exclusive use for a community of users, Public Cloud, open use by the general public, and Hybrid Cloud, a mixture of previous models

18
Q

What are the two key components of a supply chain?

A

Physical, the network of organisations, the linkages, the different processes and activities that produce value and goods, and Information, the full set of elements necessary to collect information, transform this information into data, and distribute this information

19
Q

What are the three main deployment models for Identity Management Systems?

A

Silos, Walled Gardens, Federations

20
Q

What is the Silos deployment model for Identity Management Systems?

A

Identity Management Environment is put in place by a single entity for a fixed user and resource community

21
Q

What is the Walled Gardens deployment model for Identity Management Systems?

A

A closed community of organisations with a single identity management system deployed to serve the common user community of a collection of businesses.

22
Q

What is the Federations deployment model for Identity Management Systems?

A

A truly distributed model with the main difference from Walled Gardens being that there is no single entity governing the system, and instead having multiple Identity Providers (IdP)

23
Q

If Remote Working is considered, what should be added?

A

Data access should be watched more closely, as the organisation may have legal obligations for data stored remotely; a VPN should be considered so that traffic is not misdirected over untrusted networks; Single Sign-On (SSO) should be considered to reduce the number of credentials users must manage and the careless password habits that result

24
Q

What are the steps of risk assessment for cloud computing?

A

Identify the Asset, Evaluate the Asset, Map Assets to Deployment Methods, Evaluate Cloud Service Models, Map Out Data Flow

25
Q

What does it mean to evaluate the asset in cloud computing?

A

Check what that asset requires for its security: confidentiality, integrity and/or availability

26
Q

What does it mean to map assets to deployment methods in cloud computing?

A

Determine whether you are willing to place the asset in a public, private-internal, private-external, community or hybrid deployment

27
Q

What does it mean to evaluate cloud service models in cloud computing?

A

Focus on how much control you retain under each service model you might pick, and whether you have any specific requirements that dictate a particular service model

28
Q

What does it mean to map out the data flow in cloud computing?

A

Map the data flow between your organisation, the cloud service and any customers or clients. It is also important to understand whether and how data can move in and out of the cloud

29
Q

Name 5 of the Egregious 11 from the Cloud Security Alliance

A

Any 5 from the following (this is the CSA's 2022 Top Threats list, published as the "Pandemic Eleven", the successor to the 2019 "Egregious Eleven"): Insufficient Identity, Credential, Access and Key Management; Insecure Interfaces and APIs; Misconfiguration and Inadequate Change Control; Lack of Cloud Security Architecture and Strategy; Insecure Software Development; Unsecured Third-Party Resources; System Vulnerabilities; Accidental Cloud Data Disclosure; Misconfiguration and Exploitation of Serverless and Container Workloads; Organised Crime, Hackers and APT; Cloud Storage Data Exfiltration

30
Q

What are the 3 types of risk in the supply chain?

A

Supplier Focused, Internal Focused, Customer Focused

31
Q

What is included in Supplier Focused Risk?

A

Relationship, HR, Market Dynamics, Disaster

32
Q

What is included in Internal Focused Risk?

A

Operational, Technical and Financial risks

33
Q

What is included in Customer Focused Risk?

A

Distribution, Market, Brand/Reputation

34
Q

What does the Cloud Security Alliance break risk management into?

A

The Cloud Security Alliance Security Guidance breaks cloud security and risk management down into 14 domains

35
Q

Name 5 of the 14 different domains from the Cloud Security Alliance

A

Any 5 from: Cloud Computing Concepts and Architectures; Governance and Enterprise Risk Management; Legal Issues, Contracts and Electronic Discovery; Compliance and Audit Management; Information Governance; Management Plane and Business Continuity; Infrastructure Security; Virtualisation and Containers; Incident Response; Application Security; Data Security and Encryption; Identity, Entitlement and Access Management; Security as a Service; Related Technologies

36
Q

Name 5 Security Challenges for BYOD

A

Any 5 from: lost devices; personal use means riskier use; multiple device types and OSes; jailbroken/modded devices; applications and social media; lack of control over device, data and security; network attacks; malware intrusions; phishing attacks; ineffective management; employee privacy

37
Q

What are the 7 steps to a BYOD security plan?

A

Identify the risks; form a committee to understand the risks; decide how to enforce policies; build a project plan; evaluate solutions; implement solutions; periodically reassess solutions

38
Q

What are the 2 key categories of BYOD risks?

A

Device Risks (technology the organisation has no control over) and App Risks (employees installing third-party apps)

39
Q

What are the 10 steps to a BYOD security policy?

A

Review the current policy; determine which devices are supported; set expectations; write policies; make a PIN mandatory; enforce encryption at rest; determine which apps are allowed; provide training; look for apps that allow things like reporting; consider MDM

40
Q

What is Requirements Analysis in the Secure Software Development Lifecycle (SSDLC)?

A

Determine what security measures need to be put in place

41
Q

What is Specification in the Secure Software Development Lifecycle (SSDLC)?

A

Determine the main (functional) objectives of the system, not the security ones

42
Q

What is Implementation in the Secure Software Development Lifecycle (SSDLC)?

A

Obtaining the necessary components and building the system

43
Q

What does an ineffective Identity Management System cause?

A

Increased costs; inability to carry out its function; reduced security; misplacement of liability; inability to charge for services

44
Q

Where are the feedback loops in the Secure Software Development Lifecycle?

A

They always return to the point just after Scope and Policy. The first is after Requirements Analysis, then after Specification, then after Implementation, and finally after Management and Audit

45
Q

What are three security benefits of Cloud Computing?

A

Any 3 from: cheaper when implemented at large scale; security differentiates the provider in the market and is therefore a motivator; standardised interfaces for managed security services; rapid, smart scaling of resources for security purposes; on-demand audit and evidence gathering; more timely, effective and efficient updates; audits force better risk management; resources are concentrated and so easier to protect

46
Q

When is an organisation forced to comply with the Payment Card Industry Data Security Standard (PCI DSS)?

A

Any entity that stores, processes or transmits cardholder data, or that could affect the security of the cardholder data environment, is required to comply with PCI DSS

47
Q

What is the scope of assessment for PCI DSS?

A

The PCI DSS security requirements apply to all system components in or connected to the cardholder data environment, including all systems that provide security services and virtualisation components such as virtual machines

48
Q

What does the Cardholder Data Environment comprise?

A

The people, processes and technology that store, process or transmit cardholder data: network components (such as firewalls, switches, routers and wireless access points), server types (such as web, application, database, authentication, mail, proxy, NTP and DNS servers) and applications (purchased or custom, internal or external)

49
Q

How do you determine the scope of review for assessment for PCI DSS?

A

Identify all locations and flows of cardholder data, and confirm that every system that stores, processes, transmits or can affect cardholder data is in scope

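The "identify all locations and flows of cardholder data" step is usually carried out partly with discovery tooling that sweeps file shares, logs and exports for primary account numbers (PANs). The following is an added example written for this page, not part of the flashcards or of PCI DSS itself: it scans constructed sample files, uses the Luhn check to discard digit strings that merely look like card numbers, and reports only masked PANs (first six and last four digits) so that the scoping inventory does not itself become cardholder data. The file names and contents are constructed, and the card numbers are the well-known 4111... and 5555... test numbers.

```python
"""Added example: PAN discovery for PCI DSS scoping (not from the flashcards)."""
import re

# Constructed sample "files" standing in for the logs, exports and config
# a scoping sweep would cover. The third line is a look-alike digit string
# that a naive regex would flag but the Luhn check rejects.
SAMPLES = {
    "app/orders.log": "2022-05-01 order=8812 pan=4111111111111111 exp=12/24 amount=19.99",
    "crm/export.csv": "Alice,alice@example.com,5555 5555 5555 4444,active",
    "infra/hosts.txt": "1234567890123456 is a serial number, not a card",
    "docs/readme.md": "Support line: 0800 123 4567",
}

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: every second digit from the right is doubled (minus 9
    if the result exceeds 9) and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the unmasked PAN candidates in text that pass the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """First six and last four digits, the maximum PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scope_scan(files):
    """Map each location holding cardholder data to the masked PANs found
    there. Locations with no hits are omitted; full PANs are never returned."""
    inventory = {}
    for path, text in files.items():
        pans = find_pans(text)
        if pans:
            inventory[path] = [mask(p) for p in pans]
    return inventory


if __name__ == "__main__":
    for path, pans in scope_scan(SAMPLES).items():
        print(f"{path}: {', '.join(pans)}")
```

Every location the scan reports is in scope for the assessment, as is every system the data flows through on the way there; a real sweep would also cover databases, backups and memory dumps, and would treat track data and CVV with the same care.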
50
Q

What is network segmentation for PCI DSS?

A

Isolating the cardholder data environment from the rest of the network (for example with firewalls or access control lists). Segmentation is not itself a PCI DSS requirement, but it is strongly recommended because it can limit the scope of assessment: systems that are properly isolated from the cardholder data environment fall out of scope

51
Q

If using third parties, what do you need to do for PCI DSS?

A

The Report on Compliance must document the role of every service provider used, so that it is clear which requirements each party is responsible for meeting

52
Q

What are the six key parts of the PCI DSS Report on Compliance?

A

Executive Summary; Description of Scope; Details about the Reviewed Environment; Contact Information and Report Date; Quarterly Scan Results; Findings and Observations

53
Q

What is De-Identification?

A

Removing or altering data in a dataset that could be used to identify an individual (the classic case being a patient in medical records)

54
Q

Give 3 reasons why De-Identification is hard

A

Any 3 from: personal identifiers must be removed (and deleting names alone is not enough); record order must be scrambled so that position cannot be linked back to the source data; dates must be reduced in precision; and the problem is not restricted to medical data

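Added example (not from the flashcards) of why stripping direct identifiers and scrambling record order is not enough. It goes slightly beyond the card by using k-anonymity, the standard measure of how many records share the same combination of quasi-identifiers, and shows a linkage attack: an adversary who knows a target's ZIP code, date of birth and sex from a public register singles out the target's record and learns the diagnosis. Reducing date precision to the year and truncating the ZIP code raises k and widens the candidate set. All records are constructed and fictional; the column names and the `generalise` policy are assumptions made for the example.

```python
"""Added example: k-anonymity and a linkage attack on "de-identified" records."""
from collections import Counter
from datetime import date

# Constructed, fictional records. Direct identifiers (name, record number)
# have already been removed and the order scrambled, i.e. "de-identified"
# in the naive sense. What remains is three quasi-identifiers plus one
# sensitive attribute.
RECORDS = [
    {"zip": "02139", "dob": date(1985, 3, 14), "sex": "F", "diagnosis": "asthma"},
    {"zip": "02140", "dob": date(1990, 9, 9), "sex": "M", "diagnosis": "migraine"},
    {"zip": "02138", "dob": date(1985, 7, 21), "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02141", "dob": date(1972, 12, 25), "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": date(1990, 1, 30), "sex": "M", "diagnosis": "asthma"},
    {"zip": "02142", "dob": date(1972, 2, 2), "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": date(1985, 11, 2), "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02138", "dob": date(1990, 5, 5), "sex": "M", "diagnosis": "diabetes"},
]
QUASI = ("zip", "dob", "sex")  # attributes an outsider could plausibly know


def generalise(record, zip_digits=3, year_only=True):
    """Reduce the precision of the quasi-identifiers: keep only the leading
    ZIP digits and (by default) only the year of the date of birth."""
    out = dict(record)
    out["zip"] = record["zip"][:zip_digits] + "*" * (len(record["zip"]) - zip_digits)
    out["dob"] = record["dob"].year if year_only else record["dob"]
    return out


def k_anonymity(records, quasi=QUASI):
    """Smallest number of records sharing one combination of quasi-identifiers.
    k == 1 means at least one record is unique and can be singled out."""
    classes = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(classes.values())


def link(records, known, quasi=QUASI):
    """Linkage attack: keep every record consistent with what the adversary
    knows about the target and return the sensitive values that remain."""
    return {r["diagnosis"] for r in records if all(r[q] == known[q] for q in quasi)}


def demo():
    # What the adversary knows about the target, constructed to match RECORDS[0].
    target = {"zip": "02139", "dob": date(1985, 3, 14), "sex": "F"}

    k_raw = k_anonymity(RECORDS)          # every row is unique: k == 1
    leak_raw = link(RECORDS, target)      # exactly one diagnosis survives

    coarse = [generalise(r) for r in RECORDS]
    k_coarse = k_anonymity(coarse)                   # smallest class is now 2
    leak_coarse = link(coarse, generalise(target))   # three candidate diagnoses
    return k_raw, leak_raw, k_coarse, leak_coarse


if __name__ == "__main__":
    k_raw, leak_raw, k_coarse, leak_coarse = demo()
    print(f"raw: k={k_raw}, adversary learns {leak_raw}")
    print(f"generalised: k={k_coarse}, adversary is left with {leak_coarse}")
```

The same attack works on any dataset with a few attributes that also appear in a public source, which is why the card notes the problem is not restricted to medical data. Generalisation raises k but is not a complete fix on its own: if every record in an equivalence class carried the same diagnosis, the adversary would still learn it without identifying the row.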
55
Q

Why should there be different roles when doing the Secure Software Development Lifecycle?

A

Auditing and operation are kept separate so that there is separation of duties: no one person holds too much power, which limits the damage if that person is unable to do their job or seeks to cause harm