D1 - App FC Flashcards

(207 cards)

1
Q

Name the three types of subjects and their roles in a security environment.

A
  1. The user accesses objects on a system to perform a work task,
  2. The owner is liable for protection of the data,
  3. The data custodian is assigned to classify and protect data.
2
Q

Explain why separation of duties and responsibilities is a common security practice.

A

It prevents any single subject from being able to circumvent or disable security mechanisms.

3
Q

What is the principle of least privilege?

A

Subjects should be granted only the amount of access to objects that is required to accomplish their assigned work tasks.

4
Q

Name the four key principles upon which access control relies.

A

Identification,
Authentication,
Authorisation,
Accountability.

5
Q

What is privacy?

A

Prevention of unauthorised intrusion, knowledge that information deemed personal or confidential won’t be shared with unauthorised entities, and freedom from being observed without consent.

6
Q

What are the requirements for accountability?

A

Identification,
Authentication,
Authorisation,
Auditing.

7
Q

What is nonrepudiation?

A

Nonrepudiation prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.

8
Q

What is layering?

A

Layering is the use of multiple controls in series. The use of a multi-layered solution allows for numerous controls to be brought to bear against whatever threats occur.

9
Q

How is abstraction used?

A

Abstraction is used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions.

10
Q

What is data hiding?

A

Data hiding is preventing data from being known to a subject. Keeping a database from being accessed by unauthorised visitors is a form of data hiding.

11
Q

What is change control or change management?

A

A mechanism used to systematically manage change. Typically, it involves extensive logging, auditing, and monitoring of activities related to security controls and security solutions.

12
Q

What are the goals of change management?

A
  • Implementation of changes in an orderly manner,
  • Formalised testing, ability to reverse changes,
  • Ability to inform users of changes,
  • Systematic analysis of changes,
  • Minimisation of negative impact of changes.
13
Q

What is data classification?

A

Data classification is the primary means by which data is protected based on categories of secrecy, sensitivity, or confidentiality.

14
Q

What criteria are used to classify data?

A
  • Usefulness,
  • Timeliness,
  • Value or cost,
  • Maturity or age,
  • Lifetime or Expiration period,
  • Disclosure damage assessment,
  • Modification damage assessment,
  • National or business security implications,
  • Storage.
15
Q

What is the government/military data classification scheme?

A
  • Top secret,
  • Confidential,
  • Sensitive,
  • Unclassified.
16
Q

What is the commercial business/private sector classification scheme?

A
  • Confidential,
  • Private,
  • Sensitive,
  • Public.
17
Q

Name at least seven security management concepts and principles.

A
  • CIA triad,
  • Confidentiality,
  • Integrity,
  • Availability,
  • Privacy,
  • Identification,
  • Authentication,
  • Authorisation,
  • Auditing,
  • Accountability,
  • Nonrepudiation.
18
Q

What are the elements of a termination procedure policy?

A
  • Have at least one witness,
  • Escort terminated employees off the premises immediately,
  • Collect identification, access, or security devices,
  • Perform an exit interview,
  • Disable the network account.
19
Q

What is the function of the data owner security role?

A

The data owner is responsible for classifying information for protection within the security solution.

20
Q

What is the data custodian security role?

A

The data custodian is assigned the tasks of implementing the prescribed protection defined by the security policy and upper management.

21
Q

What is the function of the auditor security role?

A

The auditor is responsible for testing and verifying that the security policy is properly implemented and the derived security solutions are adequate.

22
Q

What should the documents that make up a formalised security structure include?

A

Policies, standards, baselines, guidelines, and procedures.

23
Q

What is generally involved in the process of risk management?

A

Analysing an environment for risks, evaluating each risk as to its likelihood and damage, assessing the cost of countermeasures, and creating a cost/benefit report to present to upper management.

24
Q

What should be considered when establishing the value of an asset?

A
  • Cost of purchase, development, maintenance, acquisition, and protection;
  • value to owners/users/competitors;
  • equity value;
  • market valuation;
  • liability of asset loss;
  • and usefulness.
25
Name at least five possible threats that should be evaluated when performing a risk analysis.
  • Viruses,
  • Buffer overflows,
  • User errors,
  • Intruders (physical and logical),
  • Natural disasters,
  • Equipment failure,
  • Misuse of data, resources, or services,
  • Loss of data,
  • Physical theft,
  • Denial of service.
26
What is a single loss expectancy, and how is it calculated?
The cost associated with a single realised risk against a specific asset. SLE = asset value (AV) * exposure factor (EF). The SLE is expressed in a dollar value.
27
What is annualised loss expectancy, and how is it calculated?
The possible yearly cost of all instances of a specific realised threat against a specific asset. ALE = single loss expectancy (SLE) * annualised rate of occurrence (ARO).
28
What are the possible valid responses by upper/senior management to risk?
  • Reducing/mitigating risk,
  • Assigning/transferring a risk,
  • Risk deterrence,
  • Risk avoidance,
  • Accepting risk.
29
What is a residual risk?
Once countermeasures are implemented, the risk that remains is known as residual risk. Residual risk is the risk that management has chosen to accept rather than mitigate.
30
What is total risk?
The amount of risk an organisation would face if no safeguards were implemented. A formula for total risk is Threats * vulnerabilities * asset value = total risk.
31
What is the controls gap?
The difference between total risk and residual risk. The control gap is the amount of risk that is reduced by implementing safeguards.
32
What are the three learning levels of security?
  • Awareness,
  • Training,
  • Education.
33
What are the three types of plans employed in security management planning?
  • A strategic plan is a long-term plan that is fairly stable.
  • The tactical plan is a midterm plan that provides more details.
  • Operational plans are short term and highly detailed.
34
What are the important factors in personnel management?
  • Hiring practices,
  • Ongoing job performance reviews,
  • Termination procedures.
35
What security mechanisms are countermeasures to collusion?
  • Job rotation,
  • Separation of duties,
  • Mandatory vacations,
  • Workstation change.
36
Why is antivirus protection important?
Malware is the most common form of security breach in the IT world. Any communications pathway can be and is being exploited as a delivery mechanism for a virus or other malicious code.
37
What is need to know?
Need to know is the requirement to have access to, knowledge of, or possession of data or resources in order to perform specific work tasks.
38
What are due care and due diligence?
  • Due diligence is establishing a plan, policy, and process to protect the interests of an organisation.
  • Due care is practising the individual activities that maintain the due diligence effort.
  • Due diligence is knowing what should be done and planning for it.
  • Due care is taking the right actions at the right time.
39
How are security and illegal activities related?
A secure environment should provide mechanisms to prevent illegal activities, which are actions that violate a legal restriction, regulation, or requirement.
40
What are the classifications of security control types?
  • Preventive,
  • Deterrent,
  • Detective,
  • Corrective,
  • Recovery,
  • Compensation,
  • Directive.
41
What is the purpose of compliance testing?
To ensure that all of the necessary and required elements of a security solution are properly deployed and functioning as expected.
42
What are some ways to keep inappropriate content to a minimum?
  • Address the issue in the security policy,
  • Perform awareness training,
  • Use content filtering tools to filter source or word content.
43
What countermeasures are moderately effective against errors and omissions?
Input validators and user training.
44
How can you protect data against fraud and theft?
By using access controls (auditing and monitoring, for example).
45
What are some safeguards against sabotage?
  • Intensive auditing,
  • Monitoring for abnormal or unauthorised activity,
  • Keeping lines of communication open between employees and managers,
  • Compensating and recognising excellence.
46
Why isn't there an effective direct countermeasure against the threat of malicious hackers?
Most safeguards and countermeasures protect against one specific threat or another, but it is not possible to protect against all possible threats that malicious hackers represent.
47
True or false? Senior management should be included in the BCP process from the beginning.
TRUE
48
What resource is in greatest demand during the BCP testing, training, and maintenance process?
Personnel time and attention.
49
What type of decision making is mainly concerned with metrics such as dollar values and downtime?
Quantitative
50
What business impact analysis/assessment variable is used to describe the longest period of time a resource can be unavailable without causing irreparable harm to the business?
MTD (Maximum tolerable downtime)
51
What is the formula for computing single loss expectancy?
SLE = AV * EF
52
What is the formula for computing annualised loss expectancy?
ALE = SLE * ARO
53
What are some of the qualitative factors that must be taken into account when assessing the cost of a disaster?
Loss of goodwill among client base, loss of employees after prolonged downtime, social/ethical responsibilities to the community, negative publicity.
54
What is the first thing you should do when a disaster strikes?
Ensure that people are safe.
55
What are the two possible responses to a risk?
Acceptance and mitigation
56
Provide two examples of devices that might be used to harden a system.
  • Computer-safe fire suppression systems,
  • Uninterruptible power supplies.
57
What is the goal of business continuity planning (BCP)?
To ensure the continuous operation of a business in the face of an emergency situation.
58
What are some of the elements that should be included in emergency response guidelines?
Immediate response procedures, notification procedures, secondary response procedures.
59
What are the five steps of the business impact assessment process?
  • Identification of priorities,
  • Risk identification,
  • Likelihood assessment,
  • Impact assessment,
  • Resource prioritisation.
60
What process brings order to the chaotic events surrounding the interruption of an organisation's normal activities by an emergency?
Disaster recovery planning (DRP)
61
What are the two requirements for acceptance of a trademark application?
The trademark must not be confusingly similar to another trademark, and it must not be descriptive.
62
What are the three requirements for acceptance of a patent application?
The invention must be new, useful, and nonobvious.
63
How long does trade secret protection last?
Indefinitely.
64
What amendment to the U.S. Constitution forms the basis for privacy rights?
Fourth Amendment.
65
What law requires that websites provide parents with the opportunity to review any information collected from their children?
Children's Online Privacy Protection Act.
66
What law grants privacy rights to students enrolled in educational institutions that accept government funding?
Family Educational Rights and Privacy Act.
67
What is the form of new system deployment testing called when the new system and the old system are run simultaneously?
Parallel run.
68
When an asset no longer needs or warrants a high security sensitivity label, what should occur?
Declassification.
69
What is the name of the security management approach in which senior management calls the shots?
Top-down approach.
70
What is the cost/benefit analysis equation for countermeasures?
(ALE before safeguard - ALE after implementing the safeguard) - annual cost of safeguard = value of the safeguard to the company.
71
What law requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order regardless of the technology in use?
Communications Assistance for Law Enforcement Act (CALEA) of 1994.
72
What law extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage?
Economic and Protection of Proprietary Information Act of 1996.
73
What is Control Objectives for Information and Related Technology (COBIT)?
COBIT is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. COBIT is based on six key principles.
74
What kinds of items qualify as access controls?
Any hardware, software, or organisational administrative policy or procedure that maintains confidentiality, integrity, and/or accountability also counts as an access control.
75
What is the proper term for ensuring that information is accessible only to authorised parties?
Confidentiality.
76
What is the proper term for the assurance that information and security controls used to protect information are accessible and usable when needed?
Availability.
77
What is it called when an authorised party indicates its intention to fulfil some contractual obligation and forgoes its right to dispute that fulfilment after the fact?
Nonrepudiation.
78
Items of information used to establish or prove authorised identities are known as what kind of factors?
Authentication.
79
What kind of access control enforces access policy determined by the owner of the object to which the control applies?
DAC (Discretionary Access Control)
80
What kind of access control is determined by the system in which the object resides rather than its owner?
MAC (Mandatory Access Control)
81
Which access control scheme requires organisational roles to be defined along with various task requirements and applicable object permissions?
RBAC (role-based access control)
82
What kind of control does any security tool provide when it's used to guide the security implementation within an organisation?
Directive control.
83
What kind of control does any mechanism, tool, or practice provide if it deters or mitigates undesirable actions or events?
Preventive control.
84
What kind of control should be used to verify the effectiveness of other security controls?
Detective control.
85
What kind of check should be applied to ensure that all necessary elements of a security solution are properly deployed and functioning as expected?
Compliance checking.
86
What does BCP stand for, and what does it mean?
Business continuity planning (BCP) is the preventive practice of establishing and planning for threats to business flow, including natural and unnatural risks and threats to daily operations.
87
What types of organisations need to comply with PCI DSS?
Those that store, process, or transmit credit card account information.
88
What trend makes it especially important to incorporate an assessment of security controls in contracting and procurement reviews?
The increased use of third-party and cloud services.
89
What process identifies and categorises potential threats?
Threat modelling.
90
What process is used to identify weaknesses?
Vulnerability analysis.
91
When evaluating access control attacks, what are three primary elements that must be identified?
  • Assets,
  • Threats,
  • Vulnerabilities.
92
A group of attackers is sponsored by a government. They are highly motivated, skilled, and patient and focused on a single target to gain and retain access over long periods of time. What is this group called?
Advanced persistent threat (APT)
93
What is security management planning?
Security management planning ensures proper creation, implementation, and enforcement of a security policy. Security management is a responsibility of upper management, not of the IT staff, and is considered a business operations issue rather than an IT administration issue.
94
What is security governance?
Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organisation. A common goal of organisational governance is to ensure that the organisation will continue to exist and will grow or expand over time.
95
What is third-party governance?
Third-party governance is the system of oversight that may be mandated by law, regulation, industry standards, or licensing requirements. The actual method of governance may vary, but generally involves an outside investigator or auditor.
96
What is documentation review?
Documentation review is the process of not just reading the exchanged materials but verifying them against standards and expectations. The documentation review is typically performed before any outside inspection is performed.
97
Define the aspect of confidentiality known as sensitivity.
Sensitivity refers to the quality of information that could cause harm or damage if disclosed. Maintaining confidentiality of sensitive information helps to prevent harm or damage.
98
Define the aspect of confidentiality known as discretion.
Discretion is an act of decision whereby an operator can influence or control disclosure in order to minimise or damage.
99
Define the aspect of confidentiality known as criticality.
The level to which information is mission critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information. High levels of criticality are essential to the operation or function of an organisation.
100
Define the aspect of confidentiality known as concealment.
Concealment is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction.
101
Define the aspect of confidentiality known as secrecy.
Secrecy is the activity of keeping something a secret or preventing the disclosure of information.
102
Define the aspect of confidentiality known as privacy.
Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.
103
Define the aspect of confidentiality known as seclusion.
Seclusion refers to storing something in an out-of-the-way location. This location can also provide strict access controls. Seclusion can help enforce confidentiality protections.
104
Define the aspect of confidentiality known as isolation.
Isolation is the act of keeping something separated from others. Isolation can be used to prevent co-mingling of information or disclosure of information.
105
What is business case?
A business case is usually a documented argument or stated position in order to define a need to make a decision or take some form of action. To make a business case is to demonstrate a business-specific need to alter an existing process or choose an approach to a business task. A business case is often made to justify the start of a new project, especially a project related to security. It is also important to consider the budget that can be allocated to a business-need-based security project.
106
What is threat modelling?
Threat modelling is the security process whereby potential threats are identified, categorised, and analysed. Threat modelling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed.
107
What are the two goals of SD3+C?
To reduce the number of security-related design and coding defects. To reduce the severity of any remaining defects.
108
Define proactive and reactive threat modelling.
A proactive approach (aka defensive approach) is based on predicting threats and designing in specific defences during the coding and crafting process. A reactive approach (aka adversarial approach) is a reaction to issues/problems and is the core concept behind ethical hacking, penetration testing, source code review, and fuzz testing.
109
Name the three common approaches to identifying threats.
  • Focused on assets,
  • Focused on attackers,
  • Focused on software.
110
What is STRIDE?
Microsoft developed a threat categorisation scheme known as STRIDE. STRIDE is often used in relation to assessing threats against applications or operating systems. However, it can also be used in other contexts as well. STRIDE is an acronym standing for Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, and Elevation of privilege.
111
What is reduction analysis?
Reduction analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product as well as its interaction with external elements. Whether an application, a system, or an entire environment, it needs to be divided into smaller containers or compartments.
112
Name three methods to rank and prioritise threats.
Probability * Damage Potential, high/medium/low, or DREAD.
113
What is DREAD?
DREAD is a threat rating system. Its elements are:
  • Damage potential,
  • Reproducibility,
  • Exploitability,
  • Affected users,
  • Discoverability.
114
What is cross-training?
Cross-training is often discussed as an alternative to job rotation. In both cases, workers learn the responsibilities and tasks of multiple job positions. However, in cross-training, the workers are just prepared to perform the other job positions; they are not rotated through them on a regular basis. Cross-training enables existing personnel to fill the work gap when the proper employee is unavailable as a type of emergency response procedure.
115
What is compliance?
Compliance is the act of conforming to or adhering to rules, policies, regulations, standards, or requirements. Compliance is an important concern for security governance. On a personnel level, compliance is related to whether individual employees follow company policy and perform their job tasks in accordance with defined procedures.
116
What is risk framework?
A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored.
117
What is FISMA?
The Federal Information Security Management Act (FISMA), passed in 2002, requires that federal agencies implement an information security program that covers the agency's operations. FISMA also requires that government agencies include the activities of contractors in their security management programs.
118
What is HITECH?
In 2009, Congress amended HIPAA by passing the Health Information Technology for Economic and Clinical Health (HITECH) Act. This law updated many of HIPAA's privacy and security requirements and was implemented through the HIPAA Omnibus Rule in 2013.
119
What are the parameters of the HITECH data breach notification requirements?
Under the HITECH Breach Notification Rule, HIPAA-covered entities that experience a data breach must notify affected individuals of the breach and must also notify both the Secretary of Health and Human Services and the media when the breach affects more than 500 individuals.
120
What is GDPR?
The European Union (EU) General Data Protection Regulation (GDPR) replaced the EU Data Protection Directive, and it regulates the transfer of personal data in and out of the EU.
121
What are the five elements of an AAA service?
  • Identification,
  • Authentication,
  • Authorisation,
  • Auditing,
  • Accounting.
122
What are the seven elements of PASTA (Process for Attack Simulation and Threat analysis)?
Stage I is Definition of the Objectives (DO) for the Analysis of Risks, Stage II is Definition of the Technical Scope (DTS), Stage III is Application Decomposition and Analysis (ADA), Stage IV is Threat Analysis (TA), Stage V is Weakness and Vulnerability Analysis (WVA), Stage VI is Attack Modeling & Simulation (AMS), and Stage VII is Risk Analysis & Management (RAM).
123
What is VAST?
VAST (Visual, Agile, and Simple Threat) is a threat modeling concept based on Agile project management and programming principles. The goal of VAST is to integrate threat and risk management into an Agile programming environment.
124
What is onboarding?
Onboarding is the process of adding new employees to the identity and access management (IAM) system of an organisation. The onboarding process is also used when an employee's role or position changes or when that person is awarded additional levels of privilege or access.
125
What is offboarding?
Offboarding is the reverse of this process. It is the removal of an employee's identity from the identity and access management (IAM) system once that person has left the organisation.
126
What is risk deterrence?
Risk deterrence is the process of implementing deterrents to would-be violators of security and policy. Examples include implementation of auditing, security cameras, security guards, instructional signage, warning banners, motion detectors, strong authentication, and making it known that the organisation is willing to cooperate with authorities and prosecute those who participate in cybercrime.
127
What is risk avoidance?
Risk avoidance is the process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. For example, choosing to fly to a destination instead of driving is a form of risk avoidance. Another example is to locate a business in Arizona instead of Florida to avoid hurricanes.
128
Define Security Control Assessment (SCA).
A Security Control Assessment (SCA) is the formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation. The SCA can be performed in addition to or independently of a full security evaluation, such as a penetration test or vulnerability assessment.
129
How does identification work?
Identification is the process by which a subject professes an identity and accountability is initiated. A subject must provide an identity to a system to start the process of authentication, authorisation, and accountability.
130
What is the process of authentication?
Authentication is the process of verifying or testing that a claimed identity is valid. Authentication requires information (i.e., authentication factors) from the subject that must exactly correspond to the identity indicated.
131
What is the function of authorisation?
Once a subject is authenticated, its access must be authorised. The process of authorisation ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity.
132
What is auditing (related to AAA services)?
Auditing is the programmatic means by which subjects are held accountable for their actions while authenticated on a system through the documentation or recording of subject activities.
133
What is the importance of accountability?
Security can be maintained only if subjects are held accountable for their actions. Effective accountability relies on the capability to prove a subject's identity and track their activities.
134
What is the concept of abstraction?
Abstraction is used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. It adds efficiency to carrying out a security plan.
135
What is security boundary?
A security boundary is the line of intersection between any two areas, subnets, or environments that have different security requirements or needs.
136
What is the purpose of alignment of security function to business strategy, goals, mission, and objectives?
Security management planning ensures proper creation, implementation, and enforcement of a security policy. Security management planning aligns the security function to the strategy, goals, mission, and objectives of the organisation. This includes designing and implementing security based on business cases, budget restrictions, or scarcity of resources.
137
What are the six key principles for governance and management of enterprise IT according to COBIT?
COBIT is based on six key principles for governance and management of enterprise IT:
  • Provide Stakeholder Value,
  • Holistic Approach,
  • Dynamic Governance System,
  • Governance Distinct from Management,
  • Tailored to Enterprise Needs,
  • End-to-end Governance System.
138
What is supply chain risk management (SCRM)?
SCRM is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organisations that disclose their practices and security requirements to their business partners. SCRM includes evaluating risks associated with hardware, software, and services; performing third-party assessment and monitoring; establishing minimum security requirements; and enforcing service-level.
139
What role do humans play as a key element in security?
Humans are often considered the weakest element in any security solution. No matter what physical or logical controls are deployed, humans can discover ways to avoid them, circumvent or subvert them, or disable them. However, people can also become a key security asset when they are properly trained and are motivated to protect not only themselves but also the security of the organisation as well.
140
What is the importance of job descriptions?
Without a job description, there is no consensus on what type of individual should be hired. Thus, crafting job descriptions is the first step in defining security needs related to personnel and being able to seek out new hires.
141
What are the security implications of hiring new employees?
To properly plan for security, you must have standards in place for job descriptions, job classifications, work tasks, job responsibilities, prevention of collusion, candidate screening, background checks, security clearances, employment agreements, and nondisclosure agreements. By deploying such mechanisms, you ensure that new hires are aware of the required security standards, thus protecting your organisation's assets.
142
What is the need for a nondisclosure agreement (NDA)?
An NDA is used to protect the confidential information within an organisation from being disclosed by a former employee. When a person signs an NDA, they agree not to disclose any information that is defined as confidential to anyone outside the organisation.
143
What are the common elements of employee oversight?
Throughout the employment lifetime of personnel, management should regularly review or audit the job descriptions, work tasks, privileges, and responsibilities for every staff member.
144
What are user behaviour analytics (UBA) and user and entity behaviour analytics (UEBA)?
User behaviour analytics (UBA) and user and entity behaviour analytics (UEBA) are the concepts of analysing the behaviour of users, subjects, visitors, customers, etc. for some specific purpose. Information collected from UBA/UEBA monitoring can be used to improve personnel security policies, procedures, training, and related security oversight programs.
145
How should an organisation handle employee transfers?
Personnel transfers may be treated as a fire/rehire rather than a personnel move. Some of the elements that go into making the decision as to which procedure to use include whether the same user account will be retained, if their new work responsibilities are similar to the previous position, and if a "clean slate" account is required for auditing purposes in the new job position.
146
What is the purpose of vendor, consultant, and contractor controls?
Vendor, consultant, and contractor controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organisations that are external to the primary organisation. Often these controls are defined in a document or policy known as a service-level agreement (SLA).
147
Define the concept of risk management.
Risk management is the process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk. By performing risk management, you lay the foundation for reducing risk overall.
148
What are the key elements of risk analysis?
Risk analysis is the process by which upper management is provided with details to make decisions about which risks are to be mitigated, which should be transferred, and which should be accepted. To fully evaluate risks and subsequently take the proper precautions, you must analyse the following: assets, asset valuation, threats, vulnerability, exposure, risk, realised risk, safeguards, countermeasures, attacks, and breaches.
149
What are key concerns related to threat evaluation?
Threats can originate from numerous sources, including IT, humans, and nature. Threat assessment should be performed as a team effort to provide the widest range of perspectives. By fully evaluating risks from all angles, you reduce your system's vulnerability.
150
What is the Delphi technique?
The Delphi technique is simply an anonymous feedback-and-response process used to arrive at a consensus. Such a consensus gives the responsible parties the opportunity to properly evaluate risks and implement solutions.
151
What is exposure factor (EF)?
An EF is an element of quantitative risk analysis that represents the percentage of loss that an organisation would experience if a specific asset were violated by a realised risk. By calculating exposure factors, you are able to implement a sound risk management policy.
152
What is annualized rate of occurrence (ARO)?
ARO is an element of quantitative risk analysis that represents the expected frequency with which a specific threat or risk will occur (in other words, become realised) within a single year. Understanding AROs further enables you to calculate the risk and take proper precautions.
153
What is the purpose of security monitoring and measurement?
Security controls should provide benefits that can be monitored and measured. If a security control's benefits cannot be quantified, evaluated, or compared, then it does not actually provide any security.
154
What is risk reporting?
Risk reporting involves the production of a risk report and a presentation of that report to the interested/relevant parties. A risk report should be accurate, timely, comprehensive of the entire organisation, clear and precise to support decision making, and updated on a regular basis.
155
Why is continuous improvement necessary?
Security is always changing. Thus, any implemented security solution requires updates and change over time. If a continuous improvement path is not provided by a selected countermeasure, then it should be replaced with one that offers scalable improvements to security.
156
What is the Risk Maturity Model (RMM)?
The Risk Maturity Model (RMM) is a means to assess the key indicators and activities of a mature, sustainable, and repeatable risk management process. The RMM levels are ad hoc, preliminary, defined, integrated, and optimised.
157
What should be known about legacy system security risk?
Legacy systems are often a threat because they may not be receiving security updates from their vendors. End-of-life (EOL) is the point at which a manufacturer no longer produces a product. End-of-service-life (EOSL) or end-of-support (EOS) systems are those that are no longer receiving updates and support from the vendor.
158
Name several risk frameworks.
- Risk Management Framework (RMF) defined by NIST,
- NIST Cybersecurity Framework (CSF),
- Control Objectives for Information and Related Technology (COBIT),
- Sherwood Applied Business Security Architecture (SABSA),
- Federal Risk and Authorisation Management Program (FedRAMP),
- Information Technology Infrastructure Library (ITIL),
- Payment Card Industry (PCI).
159
Define social engineering and name several examples of types of social engineering attacks.
Social engineering is a form of attack that exploits human nature and human behaviour. The attack principles are authority, intimidation, consensus, scarcity, familiarity, trust, and urgency. Social engineering attacks include eliciting information, pretexting, prepending, phishing, spear phishing, business email compromise (BEC), whaling, smishing, dumpster diving, identity fraud, and influence campaigns.
160
Why should an organisation implement security awareness training and education?
Awareness establishes a baseline of general security understanding. Training teaches employees to perform their work tasks in compliance with the security policy, standards, guidelines, and procedures mandated by the organisation. Education is a more detailed endeavour in which students/users learn much more than they actually need to know to perform their work tasks.
161
What is a security champion?
Often a security champion is a member of a group who decides (or is assigned) to take charge of leading the adoption and integration of security concepts into the group's work activities. Security champions are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviours.
162
What is gamification as it applies to personnel security management?
Gamification is a means to encourage compliance and engagement by integrating common elements of game play into other activities, such as security compliance and behaviour change.
163
What is the need for periodic content reviews and effectiveness evaluations?
It is important to perform periodic content reviews of all training materials. This is to ensure that the training materials and presentation stay in line with business goals, organisational mission, and security objectives. Some means of verification should be used to measure whether the training is beneficial or a waste of time and resources.
164
What are the four steps of the business continuity planning process?
Business continuity planning involves four distinct phases:
- Project scope and planning,
- Business impact analysis,
- Continuity planning,
- Approval and implementation.
Each task contributes to the overall goal of ensuring that business operations continue uninterrupted in the face of an emergency.
165
What is business organisation analysis?
In the business organisation analysis, the individuals responsible for leading the BCP process determine which departments and individuals have a stake in the business continuity plan. This analysis serves as the foundation for BCP team selection and, after validation by the BCP team, is used to guide the next stages of BCP development.
166
Who are the necessary members of the business continuity planning team?
The BCP team should contain, at minimum, representatives from each of the operational and support departments:
- Technical experts from the IT department,
- Physical and IT security personnel with BCP skills,
- Legal representatives familiar with corporate legal, regulatory, and contractual responsibilities,
- Representatives from senior management.
Additional team members depend on the structure and nature of the organisation.
167
What are the legal and regulatory requirements that face business continuity planners?
Business leaders must exercise due diligence to ensure that shareholders' interests are protected in the event disaster strikes. Some industries are also subject to federal, state, and local regulations that mandate specific BCP procedures. Many businesses also have contractual obligations to their clients that they must meet before, during, and after a disaster.
168
What are the steps of the business impact analysis process?
The five stages of the business impact analysis process are:
- Identification of priorities,
- Risk identification,
- Likelihood assessment,
- Impact analysis,
- Resource prioritisation.
169
What is the process used to develop a continuity strategy in relation to BCP?
During the strategy development phase, the BCP team determines which risks they will mitigate. In the provisions and processes phase, the team designs mechanisms and procedures that will mitigate identified risks. The plan must then be approved by senior management and implemented. Personnel must also receive training on their roles in the BCP process.
170
What is the importance of comprehensively documenting an organisation's business continuity plan?
Committing the plan to writing provides the organisation with a written record of the procedures to follow when disaster strikes. It prevents the "it's in my head" syndrome and ensures the orderly progress of events in an emergency.
171
What are the differences between criminal law, civil law, and administrative law?
- Criminal law protects society against acts that violate the basic principles we believe in. Violations of criminal law are prosecuted by federal and state governments.
- Civil law provides the framework for the transaction of business between people and organisations. Violations of civil law are brought to the court and argued by the two affected parties.
- Administrative law is used by government agencies to effectively carry out their day-to-day business.
172
Name the two primary laws that are designed to protect society against computer crime and their basic provisions.
The Computer Fraud and Abuse Act (as amended) protects computers used by the government or in interstate commerce from a variety of abuses. The Electronic Communications Privacy Act (ECPA) makes it a crime to invade the electronic privacy of an individual.
173
What are the differences among copyrights, trademarks, patents, and trade secrets?
- Copyrights protect original works of authorship, such as books, articles, poems, and songs.
- Trademarks are names, slogans, and logos that identify a company, product, or service.
- Patents provide protection to the creators of new inventions.
- Trade secret law protects the operating secrets of a firm.
174
What are the basic provisions of the Digital Millennium Copyright Act of 1998?
The Digital Millennium Copyright Act prohibits the circumvention of copy protection mechanisms placed in digital media and limits the liability of internet service providers for the activities of their users.
175
What are the basic provisions of the Economic Espionage Act of 1996?
The Economic Espionage Act provides penalties for individuals found guilty of the theft of trade secrets. Harsher penalties apply when the individual knows that the information will benefit a foreign government.
176
Define the various types of software license agreements.
Perpetual licenses, subscription licenses, open source licenses, freeware, enterprise license agreements (ELAs), end-user license agreements (EULAs), concurrent use licenses, named user licenses, and cloud services license agreements.
177
What are the terms of the notification requirements placed on organisations that experience a data breach within the US?
California's SB 1386 implemented the first state-wide requirements to notify individuals of breaches of their personal information. All other states eventually followed suit with similar laws. Currently, federal law only requires the notification of individuals when a HIPAA-covered entity breaches their protected health information.
178
What are the major laws that govern privacy of personal information in the United States, the European Union, and Canada?
The United States has a number of privacy laws that affect the government's use of information as well as the use of information by specific industries, such as financial services companies and healthcare organisations that handle sensitive information. The EU has a more comprehensive General Data Protection Regulation that governs the use and exchange of personal information. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the use of personal information.
179
What is the importance of a well-rounded compliance program?
Most organisations are subject to a wide variety of legal and regulatory requirements related to information security. Building a compliance program ensures that you become and remain compliant with these often overlapping requirements.
180
How should an organisation incorporate security into the procurement and vendor governance process?
The expanded use of cloud services by many organisations requires added attention to conducting reviews of information security controls during the vendor selection process and as part of ongoing vendor governance.
181
What are the legal responsibilities of a cybersecurity professional?
Cybersecurity professionals must be able to analyse a situation and determine what jurisdictions and laws apply. They must be able to identify relevant contractual, legal, regulatory, and industry standards and interpret them for their given situation.
182
What is the importance of ethics to security personnel?
Security practitioners are granted a very high level of authority and responsibility to execute their job functions. The potential for abuse exists, and without a strict code of personal behaviour, security practitioners could be regarded as having unchecked power. Adherence to a code of ethics helps ensure that such power is not abused. Security professionals must subscribe to both their own organisation's code of ethics as well as the ISC2 Code of Ethics.
183
What are the characteristics of qualitative risk analysis?
Qualitative risk analysis assigns subjective and intangible values to loss of an asset. Qualitative risk analysis is based more on scenarios than calculations. Exact dollar figures are not assigned to possible losses; instead, threats are ranked on a scale to evaluate their risks, costs, and effects. Such an analysis assists those responsible for creating proper risk management policies.
184
What are the characteristics of quantitative risk analysis?
Quantitative risk analysis assigns real dollar figures to the loss of an asset. Quantitative risk analysis focuses on hard values and percentages. A complete quantitative analysis is not possible because of intangible aspects of risk. The process involves valuing assets and identifying threats and then determining a threat's potential frequency and the resulting damage, which leads to the risk response tasks of the cost/benefit analysis of safeguards.
185
What is a silicon root of trust (RoT)?
A silicon root of trust (RoT), also known as a Hardware Root of Trust, is a foundational and tamper-resistant component within a computer's hardware that provides a secure starting point for establishing trust and security in a system. The primary purpose of a silicon RoT is to ensure the integrity, authenticity, and confidentiality of the system's boot process and software.
186
What is a physically unclonable function (PUF)?
A physically unclonable function (PUF) is a specialised physical electronic component or function that generates a unique, unpredictable digital identifier based on the inherent physical properties of the component. PUFs are used to provide a hardware-based security feature by creating a unique fingerprint for electronic devices or integrated circuits.
187
What is a software bill of materials (SBOM)?
A software bill of materials (SBOM) is a structured and comprehensive inventory or list of all the software components and dependencies that make up a software application or system. An SBOM provides detailed information about the various software components used in a system, including their versions, sources, and relationships. The primary purpose of an SBOM is to enhance software transparency, security, compliance, and management.
188
What are the 5 Pillars of Information Security?
The 5 Pillars of Information Security are:
- Confidentiality,
- Integrity,
- Availability,
- Authenticity,
- Nonrepudiation.
189
What are the types and purposes of NDAs?
A unilateral NDA (aka one-way NDA) is used when one party needs to share sensitive data with another party while retaining control and protection over that data. A bilateral NDA (aka mutual NDA or two-way NDA) is a legally binding contract between two parties where both parties agree to protect each other's confidential information. A multilateral NDA is a legal contract involving three or more parties, each of whom agrees to protect and keep confidential the sensitive information shared by the other parties.
190
In relation to risk, what is a hazard?
A hazard refers to a potential source or situation that has the capability to cause harm, loss, damage, injury, or adverse consequences to an organisation, its assets, individuals, or the environment.
191
What are risk perspectives?
Risk perspectives (aka risk management perspectives or approaches) are different lenses through which organisations and individuals can view and address risks. Each perspective emphasises certain aspects of risk and can guide decision-making, risk assessment, and mitigation strategies. There are innumerable options of risk perspective, including asset, outcome, vulnerability, threat, financial, strategic, operational, compliance, legal, reputational, supply chain, third-party, and workforce.
192
In legal and ethical contexts describing different standards of behaviour or decision-making, especially related to risk management, what are prudent actions?
Prudent actions refer to actions or decisions that are marked by a high degree of caution, care, and foresight. They are characterised by careful consideration of potential risks, a focus on preventing harm, and a commitment to acting in a manner that is consistent with established best practices or industry standards.
193
In legal and ethical contexts describing different standards of behaviour or decision-making, especially related to risk management, what are reasonable actions?
Reasonable actions refer to actions or decisions that are in line with what a person of ordinary prudence and judgement would do in similar circumstances. These actions are based on the idea of acting in a manner that is sensible, rational, and consistent with societal norms and expectations. Reasonable actions are a standard often used in legal and ethical contexts to assess whether an individual's behaviour or decisions meet a minimum threshold of acceptability.
194
In the context of a risk management process, what is scope?
Scope refers to the extent or boundaries of a risk management process, project, or assessment. It defines what is included and what is excluded in the risk management efforts. Determining the scope is a critical step in effectively managing and addressing risks, as it helps organisations focus their resources and efforts on the most relevant areas.
195
What is cybersecurity insurance (aka cyber insurance or cyber-risk insurance)?
Cybersecurity insurance is a type of insurance policy that provides coverage and financial protection to organisations or individuals in the event of cyber-related incidents, data breaches, or cyberattacks. This form of insurance is designed to help mitigate the financial and legal consequences of cybersecurity breaches, which can result in data loss, financial loss, legal liabilities, and reputational damage.
196
Influence campaigns are linked to the distribution of false or misleading content. What types of misleading content are there?
- Disinformation,
- Misinformation,
- Propaganda,
- False information,
- Fake news,
- Doxing (the act of revealing identifying information about someone online without their permission).
197
What is disinformation?
Intentionally false or misleading information spread with the purpose of deceiving or manipulating people; often used as a tool for political, ideological, or malicious agendas.
198
What is misinformation?
Inaccurate or misleading information that is spread without malicious intent; can be the result of errors, misunderstandings, or the unintentional sharing of false information.
199
What is propaganda?
A systematic effort to spread ideas, information, or opinions, often of a biased or misleading nature, to promote a particular cause, political viewpoint, or ideology; aims to shape public perception and behaviour.
200
What is false information?
Any information that is factually incorrect or inaccurate; can be created or spread unintentionally or intentionally and may or may not have a specific agenda.
201
What is fake news?
A term used to describe deliberately fabricated news stories or hoaxes presented as genuine journalism. It can also be used to label genuine, factual, and accurate journalism as false. It often serves to misinform or deceive readers/viewers, and it may be politically motivated or created for profit.
202
What is doxing?
Doxing, short for document tracing or dropping documents, involves researching and publishing private or personally identifiable information about an individual for purposes such as harassment or public shaming. Doxing can also refer to the release of false and fabricated information. Doxing can also be used against organisations.
203
What is micro training?
Micro training involves delivering short, focused, and bite-size learning modules or content to learners. These brief learning units are typically designed to be highly specific, addressing a single learning objective or a small set of related objectives in a concise and easily digestible format. Micro training is characterised by its brevity and effectiveness in conveying information, making it well suited for the fast-paced and attention-challenged digital age. Often, micro training is delivered via mobile apps.
204
What is data localisation?
Data localisation refers to storing and processing data within a specific country's or region's physical borders or geographical boundaries. This concept is often driven by regulatory requirements or government policies that mandate certain data, especially sensitive or personal information, to be kept within the borders of the jurisdiction where it was generated or where the data subject resides.
205
What is the Clarifying Lawful Overseas Use of Data (CLOUD) Act?
This act established procedures that govern access to data held by technology companies across national borders. This piece of legislation was introduced as a way to improve law enforcement's ability to gather digital evidence stored on servers regardless of where the servers are located, provided that the company is based within the United States or subject to U.S. jurisdiction.
206
What is the name of the data protection and privacy law of China?
Personal Information Protection Law (PIPL), which came into effect in 2021, is China's first comprehensive national standard in data privacy law, somewhat analogous to the GDPR in the EU, and it imposes stringent regulation on personal data processing activities.
207
What is South Africa's primary legislation governing data protection?
The Protection of Personal Information Act (POPIA), which went into effect in 2020, promotes the protection of personal information processed by public and private bodies and introduces specific conditions for the lawful processing of personal information, closely mirroring principles seen in the GDPR.