Governance

Question 1

What is defense in depth?

Answer 1

Layering of security measures to provide “overlapped” security.

Question 2

What is the difference in series and parallel when layering?

Answer 2

Parallel leaves gaps that can be exploited.

Question 3

What is abstraction when securing data?

Answer 3

Grouping things together for efficiency.

Question 4

What is used when hiding data?

Answer 4

Preventing discovery by unauthorized subjects. Can be done by positioning data in containers not accessible by certain subjects.

Question 5

What is the definition of encryption?

Answer 5

Art or Science of hiding the meaning or intent of an Object from unintended Subjects.

Question 6

Name some elements of Privacy.

Answer 6

Prevention of unauthorized access to information that is PII.
Freedom from unauthorized access to information deemed personal or confidential.
Freedom from being observed, monitored, or examined without consent/ knowledge.

Question 7

What does COBIT stand for?

Answer 7

Control Objectives for

Information and Related Technology

Question 8

What are the 5 elements of COBIT?

Answer 8

1. Meet stakeholder needs
2. Covering Enterprise E2E
3. Apply single, integrated framework
4. Enable holistic approach & principle.
5. Separate governance from management.

Question 9

What is Due Care?

Answer 9

Use of reasonable care to protect interests.

Question 10

What is Due Diligence?

Answer 10

The practices required to maintain Due Care.

Question 11

What is the CIA Triad?

Answer 11

Confidentiality
Integrity
Accountability

Question 12

What does Confidentiality mean?

Answer 12

High level of assurance that objects and/ or resources are restricted from unauthorized Subjects.

Question 13

What can cause a loss of confidentiality?

Answer 13

Failure to encrypt transmissions
Failure to properly authenticate Subjects.
Failure of an end user or administrator.

Question 14

What is Integrity?

Answer 14

The ability to ensure that only authorized Subjects can intentionally modify and Object

Question 15

What can be done to ensure integrity?

Answer 15

Logging & Monitoring

Question 16

What are some risks to integrity?

Answer 16

Viruses, worms, and back doors.

Question 17

What is the definition of availability?

Answer 17

Availability means that authorized Subjects can access an Object in a timely and uninterrupted manner.

Question 18

What are some example of a loss of availability?

Answer 18

hardware failure, power loss, or DDOS attack.

Question 19

Name other security concepts (non CIA Triad)

Answer 19

Identification - Subject professing identity
Authentication - Validating claimed identity
Authorization - allowing a Subject to access an Object.
Auditing - Holding a Subject accountable.
Accountability - Proof of identity

Question 20

What is non repudiation?

Answer 20

Ensures the Subject cannot deny an event or the occurrence of an event.

Question 21

What is essential for accountability?

Answer 21

non repudiation

Question 22

What is a security policy?

Answer 22

Document(s) that define the scope of security needed by an organization.

Question 23

What should be included in a security policy?

Answer 23

Assign responsibilities, define roles, specify audit requirements, and outline enforcement processes.

Question 24

What are some different security “sub” policies?

Answer 24

Organizational - Org centric
Issue - lower level areas (networks, servers…)
Regulatory - Legal, statutory
Advisory - What is acceptable and unacceptable.

Question 25

What is a security baseline?

Answer 25

basic level of compliance.

Question 26

What is the ITSEC

Answer 26

Information
Technology
Security 
Evaluation
Criteria

Question 27

What is a security procedure?

Answer 27

Step by step guide to implement a security policy.

Question 28

What is the objective of change management?

Answer 28

Ensure that a change does not reduce or compromise security.

Question 29

What are some elements of change control?

Answer 29

• Implement changes in a controlled and monitored fashion.
• Formalized testing.
• Changes can be reversed
• Users are informed of changes in advance.
• Effects of changes are analyzed.
• Minimize negative effects.

Question 30

What is data classification?

Answer 30

Protection of data based on its sensitivity, secrecy, or confidentiality.

Question 31

What are some criteria used to classify data?

Answer 31

Usefulness, timeliness, value or cost, maturity, lifespan, data disclosure damage, national security.

Question 32

What are the major steps to implement data classification?

Answer 32

1. Identify custodian.
2. Specify evaluation criteria.
3. Classify and label each element
4. Document exceptions
5. Select controls to implement
6. Specify the de-classification process
7. Create an enterprise wide awareness

Question 33

What are the 5 levels of government/ military data classification from highest to lowest.

Answer 33

1. Top Secret
2. Secret
3. Confidential
4. Sensitive but unclassified
5. unclassified

Question 34

What are the levels of commercial data privacy from highest to lowest?

Answer 34

1. Confidential
2. Private
3. Sensitive
4. Public