Domain 1

Question 1

What does DAD Reference?

Answer 1

Disclosure, Altercation and Destruction

Question 2

What does AAA Reference?

Answer 2

Authentication, Authorization, Accountability

Question 3

What is the Difference between an Subject and an Object?

Answer 3

A subject is an active entity on a data system, users and programs. An object is any passive data within the system. Objects can range from documents on physical paper, to database tables to text files

Question 4

What is needed for Non-Repudiation?

Answer 4

Non-repudiation authenticates the identity of a user who performs a transaction, and ensures the integrity of that transaction. You must have both authentication and integrity to have non-repudiation.

Question 5

What is Due Care

Answer 5

Due care is doing what a reasonable person would do. It is sometimes called the “prudent man” rule. It is Due Care to patch your system.

Question 6

What is Due Diligence?

Answer 6

Due diligence is the management of due care. Due diligence follows a process and can be held legally liable if not followed.

Question 7

What is Gross Negligence?

Answer 7

Gross negligence is the opposite of due care. It is a legally important concept.

Question 8

What is Criminal Law?

Answer 8

Criminal law pertains to those laws where the victim can be seen as society itself. The goals of criminal law are to deter crime burden of proof in criminal cases is considerable. The crime must be proved beyond any reasonable doubt..

Question 9

What is Civil Law?

Answer 9

Civil law (tort law), which deals with injury (loosely defined), resulting from someone violating their responsibility to provide a duty of care. The goal of Civil Law is civil law is compensating the victim.

Question 10

What is Administrative Law

Answer 10

Administrative law or regulatory law is law enacted by government agencies. Government-mandated compliance measures are administrative laws.

Question 11

What type of evidence consists of tangible or physical objects.

Answer 11

Real Evidence.

Question 12

What type of evidence consists of testimony provided by a witness.

Answer 12

Direct Evidence.

Question 13

What type of evidence serves to establish the circumstances related to particular points or other evidence?

Answer 13

Circumstantial Evidence

Question 14

What type of evidence serves to strengthen a particular fact or element in a case?

Answer 14

Corroborative evidence

Question 15

What type of evidence constitutes as second hand evidence?

Answer 15

Hearsay evidence

Question 16

What is Entrapment

Answer 16

Entrapment is when law enforcement, or an agent of law enforcement, persuades someone to commit a crime when the person otherwise had no intention to commit a crime.

Question 17

What is Enticement?

Answer 17

Enticement could still involve agents of law enforcement making the conditions for commission of a crime favorable, but the difference is that the person is determined to have already broken a law or is intent on doing so.

Question 18

What are the 3 categories based upon the way in which computer systems relate to the wrongdoing?

Answer 18

Computer systems as the target - Crimes where the computer systems serve as a primary target.
Computer systems as a tool to perpetrate the crime - Crimes where the computer is a central component enabling the commission of the crime.
Computer systems involved but incidental

Question 19

What is Intellectual Property?

Answer 19

Intellectual property refers to intangible property that resulted from a creative act.

Question 20

Define a Trademark.

Answer 20

Trademarks are associated with marketing. A distinguishing name, logo, symbol, or image represents the most commonly trademarked items.

Question 21

Define a Patent.

Answer 21

Patents provide a monopoly to the patent holder on the right to use, make, or sell an invention for a period of time in exchange for the patent holder’s making the invention public. Valid for 20years.

Question 22

Define a Copyright.

Answer 22

Copyright represents a type of intellectual property that protects the form of expression in artistic, musical, or literary works.

Question 23

Define a trade Secret.

Answer 23

Trade secrets are business-proprietary information that is important to an organization’s ability to compete.

Question 24

What is Trademark Dilution?

Answer 24

Trademark dilution typically represents an unintentional attack in which the trademarked brand name is used to refer to the larger general class of products of which the brand is a specific instance.

Question 25

What is Cyber-squatting?

Answer 25

Cybersquatting refers to an individual or organization registering or using, in bad faith, a domain name that is associated with another person’s trademark.

Question 26

What is Typo-squatting?

Answer 26

Typosquatting refers to a specific type of cybersquatting in which the cybersquatter registers likely misspellings or mistyping of legitimate domain trademarks.

Question 27

What are the directives of the European Union Privacy act?

Answer 27

Notifying individuals how their personal data is collected and used. Allowing individuals to opt out of sharing their personal data with third parties. Requiring individuals to opt into sharing the most sensitive personal data. Providing reasonable protections for personal data.

Question 28

What is OECD?

Answer 28

Organization for Economic Cooperation and Development provides a forum in which countries can focus on issues that impact the global economy.

Question 29

What is the EU-US Safe Harbor?

Answer 29

The EU-US Safe Harbor was created to permit personal data of EU citizens to be shared with US organisations as long as the US organisations voluntarily consent to data privacy principles that are consistent with the EU Data Protection Directive.

Question 30

What is the US Privacy Act of 1974?

Answer 30

The Privacy Act of 1974 was created to codify protection of US citizens’ data that is being used by the federal government. The Privacy Act defined guidelines regarding how US citizens’ personally identifiable information would be used, collected, and distributed.

Question 31

What is HIPPA?

Answer 31

Health Insurance Portability and Accountability Act. HIPAA applies to covered entities that are typically healthcare providers, health plans, and clearinghouses.

Question 32

Explain the Computer Fraud and Abuse Act – Title 18 Section 1030.

Answer 32

One of the first US laws pertaining to computer crimes. Attacks on protected computers, which include government and financial computers as well as those engaged in foreign or interstate commerce, which resulted in $5,000 in damages during one year, were criminalized.

Question 33

What is ECPA?

Answer 33

Electronic Communications Privacy Act. CPA protected electronic communications from warrantless wiretapping. The PATRIOT Act weakened some of the ECPA restrictions.

Question 34

Explain the PATRIOT Act of 2001.

Answer 34

Passed in response to 9/11. Expanded law enforcement’s electronic monitoring capabilities. Provided broader coverage for wiretaps. Allowed for search and seizure without requiring immediate disclosure. Generally lessened the judicial oversight required of law enforcement as related to electronic monitoring.

Question 35

What is GLBA?

Answer 35

Gramm-Leach-Bliley Act requires financial institutions to protect the confidentiality and integrity of consumer financial information. Forced them to notify consumers of their privacy practices.

Question 36

What is SOX?

Answer 36

Sarbanes-Oxley Act of 2002. SOX created regulatory compliance mandates for publicly traded companies. The primary goal of SOX was to ensure adequate financial disclosure and financial auditor independence. SOX requires financial disclosure, auditor independence, and internal security controls such as a risk assessment. Intentional violation of SOX can result in criminal penalties.

Question 37

What is PCI-DSS?

Answer 37

Payment Card Industry Data Security Standard. By requiring merchants that process credit cards to adhere to the Payment Card Industry Data Security Standard (PCI-DSS), the major credit card companies seek to ensure better protection of cardholder data through mandating security policy, security devices, control techniques, and monitoring of systems and networks comprising cardholder data environments.

Question 38

Describe the US Computer Fraud and Abuse Act.

Answer 38

The goal of the Computer Fraud and Abuse Act was to develop a means of deterring and prosecuting acts that damaged federal interest computers. “Federal interest computer” includes government, critical infrastructure or financial processing systems; the definition also referenced computers engaging in interstate commerce. he Computer Fraud and Abuse Act criminalized actions involving intentional attacks against protected computers that resulted in aggregate damages of $ 5,000 in 1 year.

Question 39

What are the 3 primary contacts in place with 3rd Party Contractors?

Answer 39

SLA. Attestation. Right to Pen Test, Right to Audit.

Question 40

What is Attestation?

Answer 40

Information security attestation involves having a 3rd party organization review the practices of the service provider and make a statement about the security posture of the organization.

Question 41

What is a Policy?

Answer 41

Policies are high-level management directives. Policy is mandatory.

Question 42

What is a Procedure?

Answer 42

A procedure is a step-by-step guide for accomplishing a task. They are low level and specific. Like policies, procedures are mandatory.

Question 43

What is a Standard?

Answer 43

A standard describes the specific use of technology, often applied to hardware and software. Standards are mandatory.

Question 44

What is a Guideline?

Answer 44

Guidelines are recommendations (which are discretionary). A guideline can be a useful piece of advice.

Question 45

What is a Baseline?

Answer 45

Baselines are uniform ways of implementing a standard. Baselines are discretionary

Question 46

What are the 3 types of Polices?

Answer 46

Program policy - Establishes an organization’s information security program. Issue-specific policies - Listed in NIST SP 800-12 include email policy and email privacy policy. System-specific policies - Include a file server policy, or a Web server policy.

Question 47

Name the 6 Access Control Types?

Answer 47

``` Preventive Detective Corrective Recovery Deterrent Compensating ```

Question 48

What are the 3 categories of Access Control?

Answer 48

Administrative Technical Physical