Chapter 1

Question 1

Risk Assessment

Answer 1

Deals with threats, vulnerabilities, and impacts of a loss of information processing capability or a loss of information itself

Question 2

Vulnerability

Answer 2

weakness that can be exploited by a threat

Question 3

Key components of the risk assessment process

Answer 3

Risks to which the organization is exposed
Risks that need addressing
Coordination with BIA

Question 4

Risks to which the organization is exposed

Answer 4

Develop scenarios that can help deal with risks as they occur

Question 5

Risks that need addressing

Answer 5

Deciding which risks are likely and unlikely

Question 6

Coordination with BIA

Answer 6

Business impact analysis provides an accurate picture of the threats facing the organization

Question 7

ALE

Answer 7

Annual Loss Expectancy - expected monetary loss per year

Question 8

SLE

Answer 8

Single Loss Expectancy - monetary amount lost at one time.

Question 9

Two components of SLE

Answer 9

AV - Asset Value

EF - Exposure Factor

Question 10

ARO

Answer 10

Annual Risk of Occurence - Likelihood of an event occuring within a year. Often drawn from historical data

Question 11

What is the formula used for Risk Assessment?

Answer 11

SLE * ARO = ALE

Question 12

Threat Vector

Answer 12

Method used by attacker to compromise assets

Question 13

MTBF

Answer 13

Mean Time Between Failures - Anticipated lifetime of a component. Used for items that can be repaired

Question 14

MTTF

Answer 14

Mean time to failure - Used for components that cannot be repaired

Question 15

MTTR

Answer 15

Mean time to restore (or repair) - average downtime for a component

Question 16

RTO

Answer 16

Recovery Time Objective - the maximum acceptable amount of time that a component can be down.
Beyond this time, outage negatively affects business.
Agreed upon in BIA

Question 17

RPO

Answer 17

Recovery Point Objective - What point (time or version) of the system will be recovered? The more recent the more expensive

Question 18

Five approaches to identified risks

Answer 18

Risk Avoidance
Risk Transference
Risk Mitigation
Risk Deterrence
Risk Acceptance

Question 19

Risk Avoidance

Answer 19

Not engaging in the risky activity

Question 20

Risk Transference

Answer 20

Insurance policy (sharing risk)

Question 21

Risk Mitigation

Answer 21

Taking measures to decrease the likelihood of an adverse event (antivirus programs)

Question 22

Risk deterrence

Answer 22

Posting warnings, setting up and publicizing negative consequences for the attacker

Question 23

CompTIA Risk Mitigation specifics

Answer 23

Audits of user rights and permissions
change management
incident management
DLP systems

Question 24

DLP system

Answer 24

Data Loss Prevention

Question 25

Platform as a service

Answer 25

vendors allow apps to be created and run on their infrastructure

Question 26

Software as a service

Answer 26

Applications run over the web

Question 27

Infrastructure as a service

Answer 27

Virtualization

Question 28

Risks of cloud computing

Answer 28

Regulatory Compliance User Privileges Data Integration/Separation

Question 29

Hypervisor

Answer 29

Software that hosts the virtual machines

Question 30

Risks associated with Virtualization

Answer 30

Breaking out of the VM | Network and Security Controls intermingle

Question 31

A good policy has a ______ that outlines what the policy intends to accomplish

Answer 31

Scope Statement (sentence)

Question 32

Policy Overview Statement

Answer 32

Provides the goal of the policy, why it is important and how to comply with it. (paragraph, checklist, bulleted list)

Question 33

Accountability Statement

Answer 33

Addresses who is responsible (by their position) for enforcement

Question 34

Exception Statement in a policy

Answer 34

Addresses how to deviate from the policy, e.g. who to contact for authorization

Question 35

Standard

Answer 35

Derived from policies, more specific than policies

Question 36

Scope and purpose of a standards document

Answer 36

Describes the intention of the standards document

Question 37

Key points of a standards document

Answer 37

``` Scope and Purpose Roles and Responsibilities Reference Documents Performance Criteria Maintenance and Administrative Requirements ```

Question 38

Roles and Responsibilities (Standards Document)

Answer 38

Who is responsible for implementing, monitoring and maintaining the standard

Question 39

Reference Documents (standards Doc)

Answer 39

Explains how the standard relates to different policies

Question 40

Performance Criteria (standards document)

Answer 40

Outlines how to accomplish the task

Question 41

Maintenance and Administrative Reqs (standards document)

Answer 41

manage and administer systems and networks. Example: how often to change passwords

Question 42

Guidelines

Answer 42

Less formal than Policies or Standards, helps to follow policies and standards

Question 43

Guideline Document sections

Answer 43

Scope and Purpose Roles and Responsibilities Guideline Statements Operational Considerations

Question 44

Scope of a guideline or standard

Answer 44

Which employees it applies to

Question 45

Guideline statements

Answer 45

step by step instructions

Question 46

Operational Considerations (guidelines document)

Answer 46

what duties are required and at what intervals e.g. backups

Question 47

Acceptable Use Policies

Answer 47

How employees can use systems and resources, with consequences for misuse

Question 48

pod slurping

Answer 48

getting files from a network through USB or cloud drives

Question 49

Type I error

Answer 49

False Positive - False Alarm (positive is preferable)

Question 50

Type II error

Answer 50

False Negative - missed a threat