Chapter 1

Question 1

These controls include the processes that we put in place to manage technology in a secure manner.

Answer 1

Operational Controls

Question 2

These controls are procedural mechanisms that focus on the mechanics of the risk management process.

Answer 2

Managerial Controls

Question 3

These controls are the security controls that impact the physical world.

Answer 3

Physical Controls

Question 4

These controls enforce the CIA Triad (Confidentiality, Integrity, and Availability) in the digital space.

Answer 4

Technical Controls

Question 5

These controls are intended to stop a security issue before it occurs.

Answer 5

Preventative Controls

Question 6

These controls remediate security issues that have already occurred.

Answer 6

Corrective Controls

Question 7

These controls are designed to mitigate the risk associated with exceptions made to a security policy.

Answer 7

Compensating Controls

Question 8

These controls inform employees and others what they should do to achieve security objectives.

Answer 8

Directive Controls

Question 9

These controls seek to prevent an attacker from attempting to violate security policies.

Answer 9

Deterrent Controls

Question 10

These controls identify security events that have already occurred.

Answer 10

Detective Controls

Question 11

These are specific measures that fulfill the security measures of an organization.

Answer 11

Security Controls

Question 12

PCI DSS criteria that must be met for compensating control to be satisfactory (3)

Answer 12

1. The control must meet the intent and rigor of the original requirement.
2. The control must provide a similar level of defense as the original requirement, such that the compensating control sufficiently offsets the risk of the original requirement.
3. The control must be above and beyond other PCI DSS requirements.

Question 13

This process reviews the control objectives for a particular organization, system, or service and then examines the controls designed to achieve those objectives.

Answer 13

Gap Analysis

Question 14

These are statements of a desired security state, but they do not by themselves carry out any actual security activities.

Answer 14

Control Objectives

Question 15

CIA Triad (3)

Answer 15

1. Confidentiality
2. Integrity
3. Availability

Question 16

This pillar ensures that unauthorized individuals are not able to gain access to sensitive information.

Answer 16

Confidentiality

Question 17

This pillar ensures that there are no unauthorized modifications to information or systems, either intentional or unintentional.

Answer 17

Integrity

Question 18

This pillar ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.

Answer 18

Availability

Question 19

DAD Triad (3)

Answer 19

1. Disclosure
2. Alteration
3. Denial

Question 20

This is the threat of exposure of sensitive information to unauthorized individuals, otherwise known as data loss (confidentiality violation).

Answer 20

Disclosure

Question 21

This is the threat of unauthorized modification of information (integrity violation).

Answer 21

Alteration

Question 22

This is the threat of a disruption to an authorized user’s legitimate access to information (availability violation).

Answer 22

Denial

Question 23

This process means that someone who performed some action, such as sending a message, cannot later deny having taken that action.

Answer 23

Nonrepudiation

Question 24

These occur when an organization experiences a breach of the CIA Triad (Confidentiality, Integrity, and Availability) of information and information systems.

Answer 24

Security Incidents

Question 25

This process involves transforming information into a format where the original cannot be retrieved.

Answer 25

Data Obfuscation

Question 26

Data obfuscation tools (3)

Answer 26

1. Tokenization 2. Hashing 3. Masking

Question 27

In this attack, the attacker computes the hashes of those candidate values and then checks to see if those hashes exist in our data file.

Answer 27

Rainbow Table Attack

Question 28

States of data (3)

Answer 28

1. Data at rest 2. Data in use 3. Data in transit

Question 29

This state is stored data that resides on hard drives, tapes, in the cloud, or on other storage media.

Answer 29

Data at rest

Question 30

This state is data that is actively in use by a computer system. This includes the data stored in memory while processing takes place.

Answer 30

Data in use

Question 31

This state is data that is in motion over a network.

Answer 31

Data in transit

Question 32

This technology uses mathematical algorithms to protect information from unauthorized disclosure. It converts information from plain text into ciphertext.

Answer 32

Data Encryption

Question 33

This technology helps organizations enforce information handling policies and procedures to prevent data loss and theft.

Answer 33

Data Loss Prevention (DLP)

Question 34

Data Loss Prevention (DLP) works in different environments (2)

Answer 34

1. Agentless (network based) DLP 2. Agent based DLP

Question 35

These DLP systems are dedicated devices that sit on the network and monitor outbound network traffic, watching for any transmissions that contain any unencrypted sensitive information.

Answer 35

Agent based DLP

Question 36

These DLP systems have software agents installed on them that search those systems for the presence of sensitive information. It can also monitor system configurations and user actions, blocking undesirable actions.

Answer 36

Agentless (network based) DLP

Question 37

Data Loss Prevention (DLP) mechanisms of action (2)

Answer 37

1. Pattern matching 2. Watermarking

Question 38

This DLP mechanism of action is where they watch for telltale signs of sensitive information.

Answer 38

Pattern matching

Question 39

This DLP mechanism of action is where systems or administrators apply electronic tags to sensitive documents, and the DLP system can monitor systems and networks for unencrypted content containing those tags.

Answer 39

Watermarking

Question 40

These techniques seek to reduce risk by reducing the amount of sensitive information that we maintain on a regular basis.

Answer 40

Data Minimization

Question 41

This process removes the ability to link data back to an individual, reducing its sensitivity.

Answer 41

Deidentification

Question 42

These are security controls/measures that limit the ability of individuals or systems to access sensitive information or resources.

Answer 42

Access Restrictions

Question 43

Different types of access restrictions (2)

Answer 43

1. Geographic restriction 2. Permissions restriction

Question 44

These controls/measures limit access to resources based on a physical location of the user or system.

Answer 44

Geographic restriction

Question 45

These controls/measures limit access to resources based on the user’s role or level of authorization.

Answer 45

Permissions restriction

Question 46

This process places sensitive systems on separate networks where they may communicate with each other but have strict restrictions on their ability to communicate with systems on other networks.

Answer 46

Segmentation

Question 47

This process completely cuts a system off from access to or from outside networks.

Answer 47

Isolation

Question 48

Different types of Risks (5)

Answer 48

1. Reputational 2. Strategic 3. Operational 4. Compliance 5. Financial

Question 49

Security controls categorized based on their mechanism of action (4)

Answer 49

1. Operational Controls 2. Managerial Controls 3. Physical Controls 4. Technical Controls

Question 50

Security controls categorized based on their desired effect (6)

Answer 50

1. Preventative Controls 2. Corrective Controls 3. Compensating Controls 4. Directive Controls 5. Deterrent Controls 6. Detective Controls