Risk Management Flashcards
What is the CIA triad of security?
A. Confidentiality, integrity, and availability
B. Censorship, information, and accessibility
C. Correlation, information, and availability
D. Confidentiality, information, and auditing
A. Confidentiality, integrity, and availability
Confidentiality, integrity, and availability is correct. The CIA triad involves keeping data secret (confidentiality), securing data and systems from unauthorized changes (integrity), and ensuring systems and data are accessible when needed (availability).
Which of the following threat actors is motivated by intent to make a public social statement?
A. Script Kiddie
B. Organized Crime
C. Nation States
D. Hacktivist
D. Hacktivist
A hacktivist is motivated by intent to make a public social statement, whereas a script kiddie is motivated by the act of successfully coding an event or the experience of hacking. Organized crime works to gain access for profit or ability to manipulate data to lead to profit. A nation state plays along the lines of espionage to gain information or to manipulate other states or governments politically.
What is the process of having an outside or 3rd party assess an organization’s security vulnerabilities?
A. Nessus
B. Penetration (pen) testing
C. Adversarial
D. Accidental
B. Penetration (pen) testing
Penetration (pen) testing is correct. Nessus is a self-diagnosing tool and the other options are types of threat.
Manufacturer and vendor guides can provide which of the following?
A. Setup suggestions
B. All known security controls
C. All pertinent information for installing the device in a network configuration
D. Most recent virus/malware associated with a device
A. Setup suggestions
Manufacturers and vendors provide guides for basic setup information and some security controls options that are configurable for the device. To get the additional network configuration, other security control options, and recent security information, you will need to visit Web sites, blogs, and user groups.
Which one of the following is a category of security control?
A. Malware installation
B. Installing locks
C. Training users
D. Administrative (managerial)
D. Administrative (managerial)
Administrative (managerial) is correct. The other choices are just actions that fall under the various broad security control categories.
A self-directed combination of administrative, physical, and technical controls is an example of:
A. Defense in depth
B. Vendor diversity
C. IT governance
D. AAA
A. Defense in depth
A self-directed security plan that includes administrative, physical, and technical controls is referred to as defense in depth. Vendor diversity, IT governance, and AAA are all forms of controls used in a defense in depth plan, but by themselves don’t represent the defense in depth concept. Any of the controls should be used in a good security plan.
What describes the set of overarching rules that defines how an organization and its employees conduct themselves?
A. Common sense
B. Governance
C. Best practices
D. Laws and regulations
B. Governance
Governance is correct. Governance is an overarching set of conduct rules that includes laws and regulations, best practices, and common sense.
Which term defines how people get access to data and other resources?
A. Acceptable use policy
B. Data classification policy
C. Access control policy
D. Password policy
C. Access control policy
Access control policy is correct. Access control policies dictate whether you can access resources. Password policies govern password quality and update frequency, while the remaining options explain what you can do with accessible resources.
Framework sources can come from which of the following?
A. Regulatory bodies B. Industry standards C. National standards D. Non-regulatory bodies E. All of the above
E. All of the above
Frameworks are directives that provide overall guidance solutions or methods to achieve an intended outcome. All of the above are examples of frameworks, each coming from a different source, and can be used within a security plan based on governance and standards for the industry.
True or false: when calculating asset value, you only need to be worried about the cost to replace the item itself.
A. True
B. False
B. False
False. You also need to consider the cost of labor to replace the item and revenue lost while the asset is out of commission.
What is the purpose of a privacy threshold assessment (PTA)?
A. To monitor compliance, which is only necessary for HIPAA information
B. To measure how much damage a company can handle and still maintain business operations
C. To analyze how personal information is consumed, transferred, and transmitted within an information system
D. It’s a made-up term not found in Security+
C. To analyze how personal information is consumed, transferred, and transmitted within an information system
A privacy threshold assessment (PTA) is a process that a company uses to analyze how personal information is protected within an IT system. This process reviews how the information is collected, manipulated, transferred, or transmitted. This is not only related to HIPPA information, although HIPPA governance will be involved for any medical information requiring compliance with those regulations. It is not used directly to determine how to mitigate loss, although it is likely that some of the outcomes of this analysis would be considered in a loss prevention assessment.
When defining users’ roles, which users have the legal responsibility and liability for the data?
A. User
B. Privileged user
C. System administrator
D. Owner
D. Owner
The owner is legally responsible for the data, has complete control of the data element, and decides access rules. A privacy officer, as custodian, has the technical control over the information asset but is not legally responsible for the data. System administrators are also custodians of the data and their primary job is to manage the physical access to the data and equipment on which the data resides. Users and privileged users receive rights (read, write, etc) to data based on the owner’s determination.
Which personnel management control allows for cross-training?
A. Job rotation
B. Mandatory vacation
C. Separation of duties
D. System owner
A. Job rotation
Job rotation is correct. Mandatory vacation helps prevent collusion and fraud. Separation of duties ensures no one person performs sensitive functions. The system owner is a data management role, not a control.
Which type of agreement is needed when two private-sector people or organizations wish to work together?
A. Service level agreement (SLA)
B. Business partners agreement (BPA)
C. Interconnections security agreement (ISA)
D. Memorandum
B. Business partners agreement (BPA)
Business partners agreement (BPA) is correct. A service level agreement (SLA) and an interconnections security agreement (ISA) are both used in the public sector (government). A memorandum is a notice.
