Domain 1 Flashcards

1
Q

A logical structure used to document and organize processes?

A

Framework

2
Q

Framework for designing, establishing, implementing, maintaining, and monitoring an information security program.

A

ISMS (Information Security Management System)

3
Q

Internationally recognized Information Security Framework

A

ISO 27000

4
Q

Contractually enforced information security framework for payment card systems.

A

PCI DSS (Payment Card Industry Data Security Standard)

5
Q

This type of metric is intended to help an organization compare themselves to peers

A

Benchmark

6
Q

Publisher of the SP 800 series.

A

NIST

7
Q

This program is the U.S. government repository of publicly available security checklists (configuration guidance).

A

NCP (National Checklist Program)

8
Q

This U.S. framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk.

A

NIST Cybersecurity Framework

9
Q

The U.S government repository of standards-based vulnerability management data.

A

NVD (National Vulnerability Database)

10
Q

Principle that focuses on protection from unauthorized, unintentional, accidental, or inadvertent change.

A

Integrity.

11
Q

Process of tracing actions to their source.

A

Accountability.

12
Q

Principle that only authorized subjects have access.

A

Confidentiality

13
Q

Positive identification of a person or a system.

A

Authentication.

14
Q

Process used to develop confidence that security measures are working as intended.

A

Assurance.

15
Q

Principle that relates to operations and accessibility.

A

Availability.

16
Q

Granting users and systems a predetermined level of access

A

Authorization.

17
Q

Confidence that the system will act in a correct and predictable manner in every situation.

A

Trustworthy Computing.

18
Q

Logging of access and use of information resources.

A

Accounting.

19
Q

Expanded view of information security to include external relationships and global threats.

A

Cybersecurity.

20
Q

The standard of care that a prudent person would have exercised under the same or similar conditions:
- Actions taken by an organization to protect its stakeholders, investors, employees, and customers from harm.

A

Due Care.

21
Q

An investigation of a business or person, generally before entering into a contract:
- It is the care and caution a reasonable person would take.

A

Due Diligence.

22
Q

The potential liability incurred by a company whose computer systems are compromised and become the source of harm to others.

A

Downstream Liability.

23
Q

The duties of the board (or a board committee) include:

A
  • Promoting effective governance.
  • Determining organizational risk tolerance.
  • Contributing to and authorizing strategic plans.
  • Allocating funds.
  • Approving policies and significant projects.
  • Ensuring appropriate monitoring.
  • Ensuring compliance with laws, regulations and contracts.
  • Reviewing audit and examination results.
  • Honoring the legal constructs of due diligence and due care.
24
Q

Executive management is responsible for:

A
  • Strategic Alignment.
  • Risk Management.
  • Value delivery.
  • Performance measurements.
  • Resource management.
  • Processes assurance.
25
Corporate Governance.
The system by which organizations are directed and controlled. Governance structures and principles identify the distribution of rights and responsibilities.
26
Governance Outcomes.
- Strategic Alignment. - Risk Management. - Value Delivery. - Resource Management. - Performance Measurements. - Process Integration.
27
Strategic Alignment.
Aligning departmental strategies with business strategy to support organizational goals.
28
Risk Management.
Mitigate risk to acceptable level.
29
Value Delivery.
Optimize investments in support of business objectives.
30
Resource Management.
Efficient and effective use of resources.
31
Performance Measurements
Monitoring and reporting on achievements.
32
Process Integration.
Achieve operational synergies and efficiencies.
33
Information Security Management (ISM) personnel.
Generally have the authority to interpret strategic direction and are held accountable for the success or failure of their area. ISM personnel should report as high as possible in the organization to maintain visibility, limit distortion, and minimize conflicts of interest.
34
Related infosec or ISM organizational roles include:
- Chief Risk Officer (CRO) - Chief Information Security Officer (CISO) - Information Security Officer (ISO) - Information Assurance Officer (IAO) or manager (IAM) - Privacy Officer - Compliance Officer. - Physical Security Officer. - Internal Audit.
35
Information Security Management responsibilities include:
- Being a subject matter expert and security champion. - Managing the information security program. - Communicating with executive management. - Coordinating the budget for information security activities. - Ensuring the development and upkeep of governance documents.
36
Functional Roles.
Functional roles are tactical and relate to specific data-sets, information systems, assets, or processes.
37
Information Owner.
Owners are members of management responsible for protection of a subset of information.
38
Custodians.
Custodians are responsible for implementing, managing, and monitoring the protection mechanisms.
39
Data Users.
Users are expected to follow operational security procedures.
40
Jurisdiction.
Is the power or right of a legal or political agency to exercise its authority over a person, subject matter, or territory. Jurisdiction considerations include: - Privacy and security regulations (or lack of). - Access of local governments to stored or transmitted data. - Attitudes toward "foreigners" - Law Enforcement.
41
GLBA
The Safeguards Rule requires financial institutions to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the Safeguards Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.
42
HIPAA | HITECH
The Security Rule requires covered entities to implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) in their care and shared with business associates.
43
FISMA
FISMA requires federal agencies to implement a program to provide security for their information and information systems including those provided by or managed by another agency.
44
Data Protection Directive / GDPR (EU)
Data protection for all individuals within the European Union. The EU Data Protection Directive (EU DPD) and its successor, the GDPR (General Data Protection Regulation), are based upon the Organisation for Economic Co-operation and Development (OECD) Privacy Principles.
45
Cookie Law.
Inform-and-consent requirements for web cookies.
46
PCI DSS
Payment Card Industry Data Security Standard (PCI DSS) is a contractual obligation between merchants and the payment card brands. - The PCI DSS framework includes stipulations regarding storage, transmission, and processing of payment card data. - Six core principles (goals), broken into twelve requirements, mandate technical and operational security controls, testing requirements, and an attestation process.
47
Board of Directors
Group ultimately responsible for the actions of the organization from a fiduciary perspective.
48
Users
Group responsible for interacting with information systems in accordance with organizational policies and standards.
49
Privacy
Privacy is the right of an individual to control the use of their personal information.
50
Information Security.
Information Security is the process by which we safeguard information and systems and ensure confidentiality, integrity, and availability.
51
Data Compilation
Collection of data for "later use" to be determined.
52
Data Warehousing
Data Warehousing combines data from multiple sources into a large database with the purpose of extensive retrieval and trend analysis
53
Data Mining
Process of analyzing data with tools that look for trends, correlations, or anomalies resulting in metadata.
54
Aggregation
Individual pieces of data are combined to create a bigger picture that may have greater sensitivity than the individual parts.
55
Inference
Ability to derive information that is not explicitly available.
56
Family Educational Rights and Privacy Act (FERPA)
Student educational records.
57
Federal Privacy Act (U.S.)
Data collected by the federal government.
58
Children's Online Privacy Protection Act (COPPA)
Online collection of personal information from children under 13.
59
Privacy Statement
- Clearly state what information may be collected, how the information will be used, who the information may be shared with and why, how a third-party may use the information, and how to opt out. - Codify the organization's commitment to data quality and to data security.
60
Computer Crime
Computer Crime is a term broadly applied when a computer is used in the act of committing a crime. Computer crimes are often divided into two categories: - Computer as the target of a crime. - Computer as a tool (weapon) used to commit a crime.
61
Computer Fraud and Abuse Act
Unauthorized access to federal government systems, financial institution systems, or any system used in interstate or foreign commerce.
62
National Information Infrastructure Protection Act of 1996
1996 amendment that broadened the Computer Fraud and Abuse Act, the primary federal anti-hacking statute.
63
Wiretap Act
Unauthorized interception of digital communications.
64
Electronic Communications Privacy Act
Unauthorized access or damage to electronic messages in storage.
65
Cybercrime
Is a broad term given to criminal activity that involves the Internet, a computer system, a computer network, or technology.
66
Cyber Threat Actors
- Hackers / Script Kiddies. - Organized Crime. - Hacktivists. - Nation-state sponsored. - Insiders. - Competitors.
67
Data Breach Disclosure & Notification
An incident that is classified as a confirmed or high probability breach may trigger disclosure and notification requirements.
68
Intellectual Property
Intellectual Property (IP) describes a wide variety of property created by musicians, authors, artists, designers, and inventors. - Intellectual property can be used in commerce or can be artistic or literary works. - Intellectual property laws govern use and misuse, including compensation. - Intellectual property law includes patents, trademarks, copyrights, trade secrets, and software licensing.
69
Patents
Patents are designed to protect an invention. - The invention must be novel, not obvious, and provide some utility. - A patentable invention must be something that can be produced. - A patent is good for 20 years.
70
Trademarks
A trademark is intended to protect recognizable names, icons, shape, color, sound, or any combination used to represent a brand, product, service, or company. - Law creates exclusive rights.
71
Copyrights
A copyright covers the expression of an idea rather than the idea itself (which may be protected by a patent). - The intent is to protect artistic property such as a writing, recording, or computer program. - The protections are intended to allow the creator to benefit from being credited for the work and to control the distribution, duplication, and use of the work. - By contrast, a trademark or service mark registration can be renewed every 10 years.
72
Trade Secrets
Trade Secrets refer to proprietary business and technical information, processes, designs, or practices that are confidential and critical to a business. - Trade Secrets don't require any registration.
73
Software Piracy
It is defined as the "unauthorized copying or distribution of copyrighted software". - Piracy includes copying, downloading, sharing, selling, or installing multiple copies onto personal or work computers. - The Digital Millennium Copyright Act (DMCA) makes it illegal to create products that circumvent copyright protections such as a license key.
74
End-user license agreement (EULA)
Legally enforceable software use agreement.
75
Which statement best describes the concept of privacy?
The right of an individual to control the use of their personal information.
76
Hacktivist
The primary motivation of this threat actor is making a political statement.
77
The 4 canons of the ISC2 Code of Ethics
- Protect society, the common good, necessary public trust and confidence, and the infrastructure. - Act honorably, honestly, justly, responsibly, and legally. - Provide diligent and competent service to principals. - Advance and protect the profession.
78
Policies
Policies are high-level statements (governance communications) intended to communicate rules and expectations and to provide direction. - Standards, baselines, guidelines, and procedures support the implementation of a policy. - Policies must be approved by executive management.
79
Information Security Policy
Information security policies codify the high-level requirements for protecting information and information assets and ensuring confidentiality, integrity, and availability. - Written information security policies may be a regulatory or contractual compliance requirement. - Each aspect of the information security program should have a corresponding policy document.
80
Policy Attributes.
- Endorsed - Relevant - Realistic - Attainable - Adaptable - Enforceable - Inclusive
81
Policy Life-cycle.
- Plan - Write - Approve - Publish (Communicate, Disseminate, Educate) - Adopt (Implement, Monitor, Enforce) - Review (Solicit Feedback, Reauthorize or Retire)
82
Standards
Standards serve as specifications for the implementation of policy and dictate MANDATORY requirements.
83
Baselines
Baselines are an aggregate of standards for a specific category or grouping such as a platform, device type, ownership, or location.
84
Guidelines
Guidelines help people understand and conform to a standard. Guidelines are customized to the intended audience and are NOT mandatory
85
Procedures
Procedures are instructions for how a policy, standard, baseline, or guideline is carried out in a given situation. Procedures focus on discrete actions or steps, with a specific starting and ending point. Four commonly used formats: - Simple - Hierarchical - Graphic - Flowchart.
86
NIST Special Publication Series #
SP-800
87
Business Continuity
Business continuity is the ability for a business to operate in adverse conditions. - Business continuity may be a contractual obligation. - Business continuity may be a regulatory requirement.
88
Business Continuity Planning.
The objective of business continuity planning is to prepare for continued operation of ESSENTIAL functions and services during disruption of normal operating conditions. To support this objective: - Threat scenarios are evaluated. - Essential services and processes are identified. - Response, recovery, and contingency plans are developed - Strategies, plans, and procedures are tested.
89
BCP governance responsibilities include:
- Board of Directors (or equivalent) approval of Business Continuity policies. - Board of Directors (or equivalent) oversight of BCP strategies, plans and testing. - Management oversight of BCP preparedness including external parties.
90
Business Continuity Planning Phases
- Project initiation and assignments. - Business Impact Analysis - Threat Analysis - Strategy Development - Plan Development - Execution / Procurement - Training - Testing - Auditing - Monitoring - Maintenance, Review & Update.
91
Business Continuity Planning Resources
- ISO 22301:2012 | - SP 800-34 R1
92
Continuity of Operations Plan (COOP)
Business unit plan and procedures for operational activities.
93
Crisis Communication Plan (CCP)
Plan and procedures for internal and external communications.
94
Disaster Recovery Plan (DRP)
Plan and procedures for recovering technology and facilities.
95
Occupancy Emergency Plan (OEP)
Plan and procedures for minimizing loss of life and property.
96
Cyber Incident Response Plan (CIRP)
Plan and procedures for mitigating a cyber attack
97
Federal Emergency Management Agency (FEMA)
U.S. federal agency responsible for responding to, and coordinating the response to, a disaster that has occurred in the USA.
98
Objective of Business Impact Analysis (BIA)
The Objective of Business Impact Analysis (BIA) is to identify the impact of a disruption on mission-essential services, systems, and infrastructure.
99
A Business Impact Analysis (BIA) is used by management to:
- Understand organizational continuity requirements. - Make investment decisions. - Guide the development of incident response, disaster recovery, and business contingency (continuity) plans.
100
Maximum Tolerable Downtime (MTD) or Maximum Tolerable Outage (MTO)
Maximum time a process/service can be unavailable without causing significant harm to the business.
101
Recovery Time Objective (RTO)
Amount of time allocated for system recovery. Must be less than the MTD: the maximum amount of time a system resource can be unavailable before there is an unacceptable impact on other system resources or business processes.
102
Recovery Point Objective (RPO)
Acceptable data loss. The point in time prior to a disruption or system outage that data can be recovered.
103
Business Impact Analysis (BIA) Process
- Identify Essential Services & Dependencies. - Determine Maximum Tolerable Downtime (MTD). - Determine Recovery Point Objective (RPO). - Identify Infrastructure and Dependencies. - Determine Current RTO & RPO. - Gap Analysis. - Report to Management.
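The gap-analysis step of the BIA process above, worked through in code. This is an added example for this page, not material from the original flashcards or from any standard. Service names, the MTD/RTO/RPO figures (in hours) and the dependency graph are constructed, and the code assumes that a service's dependencies are restored in parallel before the service itself, so its effective RTO is its own RTO plus the slowest dependency's effective RTO. The point it makes is that a service whose own RTO looks fine can still miss its MTD once dependencies are counted.

```python
"""BIA gap analysis worked example.

Added for illustration; not part of the original flashcards. Service names,
MTD/RTO/RPO figures and dependencies are constructed. Assumption: a service's
dependencies are restored in parallel and the service itself only afterwards,
so its effective RTO is its own RTO plus the slowest dependency's effective RTO.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    mtd_hours: float          # maximum tolerable downtime, set by the business unit
    target_rpo_hours: float   # acceptable data loss
    current_rto_hours: float  # what IT can deliver today for this service alone
    current_rpo_hours: float  # age of the newest restorable copy today
    depends_on: tuple = ()    # infrastructure / services it cannot run without


def effective_rto(services: dict, name: str, _path: tuple = ()) -> float:
    """Own RTO plus the slowest dependency chain beneath it (assumed restore order)."""
    if name in _path:
        raise ValueError(f"dependency cycle: {' -> '.join(_path + (name,))}")
    svc = services[name]
    slowest_dep = max(
        (effective_rto(services, dep, _path + (name,)) for dep in svc.depends_on),
        default=0)
    return svc.current_rto_hours + slowest_dep


def gap_analysis(services: dict) -> list:
    """Return (service, metric, current, required) for every service that misses its target."""
    findings = []
    for name, svc in services.items():
        rto = effective_rto(services, name)
        if rto > svc.mtd_hours:
            findings.append((name, "RTO", rto, svc.mtd_hours))
        if svc.current_rpo_hours > svc.target_rpo_hours:
            findings.append((name, "RPO", svc.current_rpo_hours, svc.target_rpo_hours))
    return findings


# Constructed inventory (all figures in hours).
SERVICES = {
    "core-network": Service("core-network", 4, 0, 2, 0),
    "identity": Service("identity", 8, 1, 3, 1, depends_on=("core-network",)),
    # order-db is only backed up nightly, hence the 24h current RPO
    "order-db": Service("order-db", 12, 0.25, 4, 24, depends_on=("core-network",)),
    "web-store": Service("web-store", 8, 1, 3, 1, depends_on=("identity", "order-db")),
    "hr-portal": Service("hr-portal", 72, 24, 8, 24, depends_on=("identity",)),
}

if __name__ == "__main__":
    for name, svc in SERVICES.items():
        print(f"{name}: own RTO {svc.current_rto_hours}h, "
              f"effective RTO {effective_rto(SERVICES, name)}h, MTD {svc.mtd_hours}h")
    for svc_name, metric, current, required in gap_analysis(SERVICES):
        print(f"GAP {svc_name} {metric}: current {current}h exceeds required {required}h")
```

Running it reports two gaps: order-db misses its RPO (24h of data loss against a 15-minute target), and web-store misses its MTD even though its own 3-hour RTO is well inside the 8-hour limit, because it cannot come back until identity and order-db are restored. Those two findings are what the "Report to Management" step carries forward.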
104
Background Check
A Background Check is an investigative report. It may include criminal, financial, credit and/or education history, workers' compensation claims, and public records. - The depth and breadth of a background check should be specifically related to job roles and responsibilities and level of access. - The applicant has a right to privacy. Consent should always be requested.
105
On-boarding
Onboarding is the process of integrating a new employee with a company and its culture, as well as giving them the tools and information they need to be successful. - User orientation and completion of paperwork are the initial tasks.
106
User Provisioning
User Provisioning is the process of creating user accounts and credentials, assigning access rights and permissions.
107
Confidentiality / Non-disclosure Agreement (NDA)
Protects Data from unauthorized disclosure: - Establish data ownership - Protect information from disclosure. - Prevent forfeiture of patent rights - Define handling standards including disposal.
108
Acceptable Use Policy (AUP) Agreement
Sets forth proper use of information systems, handling standards, monitoring, and privacy expectations. - An AUP should be written in language that can be easily and unequivocally understood. - By signing the associated agreement, the user acknowledges, understands, and agrees to the stated rules.
109
Acceptable Use Policy (AUP) Elements
- Data classifications and handling standards - Login requirements, including password standards and use of tokens and/or biometrics - Procurement, installation, and licensing - Written and verbal communication use and limitations (including personal email) - Use, activity, and engagement (including social media) - Use, configuration, activity, and device protection - Use, configuration, activity, and physical security - Instructions on how to spot and report suspicious activity.
110
Job Rotation
Rotating assignments (fraud deterrent and detection)
111
Mandatory Vacation
Require employees to take a set amount of vacation time (fraud deterrent and detection)
112
Separation of Duties
Breaking a process into tasks so that no one subject is in complete control. (fraud prevention/deterrent - would require collusion)
113
Dual Control
Requiring two authorized people to act together to complete a sensitive task (e.g. two key holders to open a safe or release a cryptographic key), so that no single person can complete it alone. (fraud prevention - would require collusion)
114
Termination
Termination ends employment. How termination is handled depends upon the specific circumstances (friendly/unfriendly) and transition arrangements that have been made with the employee. - Tasks include recovering physical and access control assets, deleting or disabling local and remote access, deleting or disabling user accounts and access permissions, archiving documents and email, and reassigning file folder permissions. - All these tasks should be documented.
115
Off-boarding
Off-boarding is the process for transitioning employees out of an organization. Tasks include: - Documenting separation details - Tasks and responsibilities prior to departure - Knowledge transfer - Exit interview.
116
Adherence to the (ISC)2 Code of Ethics is a condition of certification. This group makes the final decision on ethics violations and decertification.
(ISC)2 Board of Directors
117
This group is responsible for determining maximum tolerable downtime (MTD).
Business Unit
118
This agreement generally includes a no expectation of privacy and electronic monitoring clauses.
Acceptable Use Policy Agreement.
119
Three factors should inform information security decisions:
- Strategic alignment with the organization's objectives. - Legal, regulatory, or contractual requirements. - Level of risk.
120
Threat
Potential danger.
121
Threat Agent
Individual or group that can manifest a threat.
122
Threat event
Specific instance of a threat
123
Vulnerability
Weakness.
124
Exploit
When a threat agent successfully takes advantage of a vulnerability.
125
Impact
Magnitude of harm caused by a threat source.
126
Likelihood (of occurrence)
A weighted factor expressing the probability that a given threat agent is capable of exploiting a given vulnerability.
127
Risk
Risk is the measurement of likelihood and impact of a threat event. Risk is inherently neither good nor bad.
128
Risk appetite
Risk appetite is the level of risk that an entity will accept in pursuit of its mission and objectives. - Risk appetite can vary by category of risk - Risk Tolerance is acceptable variation in outcomes related to specific performance measures.
129
Managing Risk
Managing Risk implies that the level of risk is understood, and is either accepted or being actively controlled (treated) and in either case, monitored.
130
Information Security Risk Management Framework
Information Security Risk Management Framework should complement the organization's risk management framework and be in conformance with regulatory requirements.
131
Risk Assessment
A Risk Assessment is used to identify the level of risk: - Risk is assessed by evaluating the likelihood of a circumstance or event and the impact if it occurs. - The target of a risk assessment can be internal systems/processes or external supply chain relationships.
132
Risk Treatment
Risk Treatment is how an organization responds to identified risks - generally defined as actions taken either to accept the level of risk, or to mitigate the impact of the undesirable or unfavorable outcome and/or enhance the likelihood of a positive outcome. - Inherent risk is the level of risk before treatment. - Residual risk is the level of risk after treatment.
133
Ignore Risk
Act as if the risk doesn't exist.
134
Avoid Risk
Eliminate the cause or terminate the associated activity.
135
Mitigate Risk
Reduce the impact or likelihood by implementing controls or safeguards.
136
Deter Risk
Discourage the threat action or adversary from taking action.
137
Share Risk
Spread the risk among multiple parties.
138
Transfer Risk
Assign the risk to another party via insurance or contractual agreement (subject to legal and regulatory constraints)
139
Accept Risk
Acknowledge the risk and monitor it.
140
Risk Monitoring
The objective of Risk Monitoring is to track known risks, evaluate treatment effectiveness, identify new risks, and schedule ongoing assessments.
141
Risk Register
A Risk Register is a tool used to document organization risks and ancillary details such as owner, treatment, measures, and monitoring tasks.
142
Risk Assessment
A Risk Assessment is used to identify the level of risk. - Determining the scope and scheduling of risk assessments is a risk management function; however, it is common for this process to be managed by the audit department.
143
Risk Assessment Approaches
- Qualitative Risk Assessment. - Quantitative Risk Assessment. - Semi-Qualitative Risk Assessment.
144
Qualitative Risk Assessment
Qualitative Risk Assessments use descriptive terminology such as high, medium, and low or normal, elevated, and severe.
145
Quantitative Risk Assessment
Quantitative Risk Assessments assign numeric and monetary values to all elements of the assessment.
146
Semi-Qualitative Risk Assessment.
Semi-Qualitative Risk Assessments assign a numeric weighted scale to the descriptive values (e.g. high=5, medium=3, low=1) and incorporates deterministic formulas.
147
Qualitative Methodologies
- NIST SP 800-30 - Facilitated Risk Analysis Process (FRAP) - The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
148
NIST SP 800-30
Federal Government Standard | - Used extensively in the private sector.
149
Facilitated Risk Analysis Process (FRAP)
Used to analyze one system at a time | - Stresses screening activities
150
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Can be used for large scopes - Facilitated workshops involving business process teams - Developed at the Carnegie Mellon University Software Engineering Institute (CMU SEI)
151
ISO/IEC 27005
Supports the requirements of an ISO 27000-series information security management system - Does not specify a particular methodology but does detail a structured sequence of iterative processes.
152
Quantitative risk assessment elements include:
- Asset value (AV) expressed in $ - Exposure factor (EF) expressed as a % - Single Loss expectancy (SLE) expressed in $ - Annualized rate of occurrence (ARO) expressed as a # - Annualized loss expectancy (ALE) expressed in $ - Cost/Benefit analysis (CBA) expressed in $
153
Single Loss expectancy (SLE) Formula
SLE ($) = AV($) x EF(%)
154
Annualized loss expectancy (ALE)
ALE($) = SLE($) x ARO (#)
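The SLE and ALE formulas above carried through for a constructed scenario, together with the cost/benefit analysis (CBA) element from the list: net annual benefit of a control = ALE before the control, minus ALE after it, minus the control's annual cost. This is an added example for this page, not material from the original flashcards; the asset value, exposure factors, ARO figures and control costs are made up for illustration.

```python
"""Quantitative risk worked example.

Added for illustration; not part of the original flashcards. Asset values,
exposure factors, ARO figures and control costs below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV, in $
    exposure_factor: float  # EF, fraction of AV lost per event (0..1)
    aro: float              # annualized rate of occurrence, events per year


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the EF/ARO expected once it is in place."""
    name: str
    annual_cost: float
    new_ef: float
    new_aro: float


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE($) = AV($) x EF(%), with EF given as a fraction."""
    if av < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE($) = SLE($) x ARO(#)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    return annualized_loss_expectancy(
        single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro)


def cost_benefit(s: Scenario, c: Control) -> float:
    """Net annual value of a control: (ALE before - ALE after) - annual cost.
    Positive means the control saves more than it costs."""
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(s.asset_value, c.new_ef), c.new_aro)
    return scenario_ale(s) - ale_after - c.annual_cost


def rank_controls(s: Scenario, controls) -> list:
    """(name, net annual benefit) pairs ordered best first."""
    return sorted(((c.name, cost_benefit(s, c)) for c in controls),
                  key=lambda pair: pair[1], reverse=True)


def best_control(s: Scenario, controls):
    """Name of the control with the highest net benefit, or None if none pays for itself."""
    ranked = rank_controls(s, controls)
    return ranked[0][0] if ranked and ranked[0][1] > 0 else None


# Constructed scenario: a customer-facing web server worth $200,000, expected to be
# compromised twice a year, losing a quarter of its value each time.
SCENARIO = Scenario("web-server-compromise", asset_value=200_000, exposure_factor=0.25, aro=2.0)

# Constructed candidate controls: one cuts likelihood, one cuts impact, one does both at a price.
CONTROLS = (
    Control("Web application firewall", annual_cost=15_000, new_ef=0.25, new_aro=0.5),
    Control("Offline backups with tested restore", annual_cost=8_000, new_ef=0.05, new_aro=2.0),
    Control("Rebuild on isolated platform", annual_cost=120_000, new_ef=0.0, new_aro=0.0),
)

if __name__ == "__main__":
    print(f"SLE = ${single_loss_expectancy(SCENARIO.asset_value, SCENARIO.exposure_factor):,.0f}")
    print(f"ALE = ${scenario_ale(SCENARIO):,.0f}")
    for name, net in rank_controls(SCENARIO, CONTROLS):
        print(f"{name}: net annual benefit ${net:,.0f}")
    print("recommend:", best_control(SCENARIO, CONTROLS))
```

With these figures SLE is $50,000 and ALE $100,000. The firewall halves the ARO (net benefit $60,000), the backups cut the EF to 5% (net benefit $72,000), and the full rebuild eliminates the risk but costs more than the loss it prevents (net benefit -$20,000). The ranking shows why a quantitative assessment can prefer an impact-reducing control over a likelihood-reducing one.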
155
Residual Risk
Level of Risk after Controls are applied
156
Control
A control (sometimes called a countermeasure or safeguard) is a tactic, mechanism, or strategy that accomplishes one or more of the following: - Reduces or eliminates a vulnerability - Reduces or eliminates the likelihood that a threat agent will be able to exploit a vulnerability - Reduces or eliminates the impact of an exploit
157
Types of Controls
- Deterrent - Preventive - Detective - Corrective - Compensating
158
Deterrent Controls
Deterrent Controls discourage a threat agent from acting.
159
Preventive Controls
Preventive controls stop a threat agent from being successful.
160
Detective Controls
Detective controls identify and report a threat agent, action, or incident.
161
Corrective Controls
Corrective controls minimize the impact of a threat agent, or modify or fix a situation (recovery)
162
Compensating
Compensating controls are alternate controls designed to accomplish the intent of the original controls as closely as possible, when the originally designed controls cannot be used due to limitations of the environment or financial constraints.
163
Administrative Controls
Controls relating to oversight, laws, rules, regulations, and policies. -Policies, procedures, training, audits, compliance reporting
164
Physical Controls
Controls that can have a material structure (seen, heard, touched). - gate, alarm, guard, barricade, door, lock, CCTV, ID card.
165
Technical (Logical) Controls
Controls provided through the use of technology and/or a digital device. - Encryption, ACLs, firewall rules, anti-virus software, bio-metric authentication.
166
Threat Modeling Categorization Models
- Attacker- Centric. - Architecture-Centric - Asset Centric.
167
Attacker-Centric Threat Modeling
Attacker-Centric threat models start by identifying an attacker and then evaluate the attacker's goals and potential techniques.
168
Architecture-Centric Threat Modeling
Architecture-Centric threat models focus on system design and potential attacks against each component.
169
Asset-Centric Threat Modeling
Asset-Centric threat models begin by identifying asset value and the motivation of threat agents.
170
Motivation
Motivation is the driving force behind any attack
171
Attack WorkFactor
Workfactor is the time, effort, and resources needed for an attacker to successfully achieve their objective.
172
Threat Intelligence
Threat Intelligence is evidence-based knowledge about an emerging threat that can be used to inform control decisions. The true value of threat intelligence is in its application.
173
Open Source threat intelligence (OSINT)
Open Source threat intelligence (OSINT) is a term used to refer to the data collected from publicly available sources to be used in an intelligence context.
174
ISACs
Information Sharing and Analysis Centers (ISACs) collect, analyze and disseminate actionable sector specific threat information to their members and provide members with tools to mitigate risks and enhance resiliency.
175
Threat Detection
Threat detection is the process of identifying artifacts (e.g. virus signatures, IP address, malicious URL, command and control connection, file changes, unexpected activity, behavioral anomalies) that are indicative of an attack (IOA) or an active exploit (IOC).
176
Indicator of an Attack (IOA)
Indicator of an Attack (IOA) is a proactive early warning sign that an attack may be imminent or already underway.
177
Indicator of Compromise (IOC)
Indicator of Compromise (IOC) is reactive, substantive or corroborating evidence that a system or network has been exploited.
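The threat-detection, IOA and IOC cards above, as an added example that is not part of the original flashcards: an IOC matcher that flags known-bad artifacts (an IP address, a domain, a file hash) in log lines, beside an IOA rule that flags a behaviour (a run of failed logins followed by a success) where no single artifact is bad on its own. The log format, the indicator lists and every log line are constructed; the external IP addresses come from the RFC 5737 documentation ranges, 10.0.0.12 is a private address, the SHA-256 value is a placeholder, and the brute-force threshold and time window are assumptions.

```python
"""IOC vs IOA detection worked example.

Added for illustration; not part of the original flashcards. The indicator lists,
log lines and log format ("<ISO timestamp> <host> <process>: <message>") are
constructed; external IP addresses come from the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicators of compromise (known-bad artifacts).
IOC_IPS = {"203.0.113.45"}
IOC_DOMAINS = {"update-check.example"}
IOC_SHA256 = {"deadbeef" * 8}  # placeholder, not a real file hash

# Constructed log sample: a password-guessing run that succeeds, then a download,
# a dropped file and an outbound connection to a known-bad address.
LOG_LINES = [
    "2024-05-01T10:00:01Z web01 sshd: Failed password for admin from 198.51.100.7 port 52211",
    "2024-05-01T10:00:03Z web01 sshd: Failed password for admin from 198.51.100.7 port 52212",
    "2024-05-01T10:00:04Z web01 sshd: Failed password for admin from 198.51.100.7 port 52213",
    "2024-05-01T10:00:06Z web01 sshd: Failed password for admin from 198.51.100.7 port 52214",
    "2024-05-01T10:00:08Z web01 sshd: Failed password for admin from 198.51.100.7 port 52215",
    "2024-05-01T10:00:09Z web01 sshd: Accepted password for admin from 198.51.100.7 port 52216",
    "2024-05-01T10:05:00Z web01 proxy: GET http://update-check.example/agent.bin client=10.0.0.12",
    "2024-05-01T10:05:02Z web01 edr: new file /tmp/agent.bin sha256=" + "deadbeef" * 8,
    "2024-05-01T10:06:00Z web01 fw: outbound 10.0.0.12 -> 203.0.113.45:443 allowed",
    "2024-05-01T10:07:00Z db01 sshd: Failed password for root from 192.0.2.9 port 40000",
    "malformed line that should be skipped, not crash the detector",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w-]+): (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")
SSH_RE = re.compile(r"^(Failed|Accepted) password for (\S+) from (\S+)")


def parse(line: str):
    """Split a log line into (timestamp, host, process, message); None if it does not fit."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, m["host"], m["proc"], m["msg"]


def match_iocs(lines) -> list:
    """IOC matching: (line number, indicator type, value) for every known-bad artifact seen."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse(line)
        if parsed is None:
            continue
        msg = parsed[3]
        for ip in IPV4_RE.findall(msg):
            if ip in IOC_IPS:
                hits.append((n, "ip", ip))
        for host in URL_HOST_RE.findall(msg):
            if host.lower() in IOC_DOMAINS:
                hits.append((n, "domain", host.lower()))
        for digest in SHA256_RE.findall(msg.lower()):
            if digest in IOC_SHA256:
                hits.append((n, "sha256", digest))
    return hits


def detect_bruteforce_success(lines, threshold: int = 3,
                              window: timedelta = timedelta(minutes=5)) -> list:
    """IOA rule: a successful SSH login preceded by at least `threshold` failures for the
    same user from the same source within `window`. The behaviour is the indicator."""
    failures = defaultdict(list)  # (user, source ip) -> timestamps of failed logins
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None or parsed[2] != "sshd":
            continue
        ts, _host, _proc, msg = parsed
        m = SSH_RE.match(msg)
        if m is None:
            continue
        outcome, user, src = m.groups()
        key = (user, src)
        if outcome == "Failed":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append((user, src, len(recent)))
        failures[key].clear()
    return alerts


if __name__ == "__main__":
    for n, kind, value in match_iocs(LOG_LINES):
        print(f"IOC line {n}: {kind} {value}")
    for user, src, count in detect_bruteforce_success(LOG_LINES):
        print(f"IOA: {count} failed logins then success for {user} from {src}")
```

The IOC pass only fires on the three lines that carry a listed artifact (the download domain, the file hash, the outbound destination), and would miss the login activity entirely; the IOA rule fires on the successful login at 10:00:09 because of what preceded it, not because any one line is known-bad. In practice the two are correlated: the IOA alert is the early warning, and the IOC hits a few minutes later are the corroborating evidence.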
178
Resiliency
Resiliency is the capability to continue operating even when there has been a fault, incident, or abnormal operating conditions.
179
Targeted Attack
Attacker Chooses a target for a specific objective
180
Opportunistic Attack
Attacker takes advantage of a vulnerable target (not previously known to them)
181
Amplification
Attacker uses an amplification factor to multiply its power.
182
Privilege Escalation
Attacker focuses on obtaining elevated access to resources that are normally protected from an application or user.
183
Advanced Persistent Threat (APT)
A sophisticated attack in which an attacker gains access to a network and stays there undetected for a long period of time.
184
Zero-day
A vulnerability (or the exploit for it) that is used in attacks before it is publicly known or a fix is available.
185
Primary Attack Vectors
- Digital Infrastructure. - Human - Physical Infrastructure.
186
Digital Infrastructure Attack Categories
- Spoofing - Poisoning - Hijacking - Denial of Service (DOS) - Code.
187
Spoofing
Impersonating an address, system, or person. | - Enables an attacker to act as the trusted source and redirect/manipulate actions
188
Poisoning
Manipulating trusted source of data (e.g. DNS) | - Enables an attacker to act as the trusted source and redirect/manipulate actions.
189
Hijacking
Intercepting communication between two systems | - Enables an attacker to eavesdrop, capture, manipulate, and or reuse data packets
190
Denial of Service (DOS)
Overwhelming or disrupting communication between two systems | - Enables an attacker to deny legitimate users access to a service
191
Code / Firmware
Exploiting weaknesses in server- or client-side code, applications, or hardware/firmware. - Enables an attacker to take control.
192
Supply Chain
A supply chain is an ecosystem of organizations, processes, people, and resources involved in providing a product or service. - The supply chain represents the steps it takes to get the product or service to the consumer. - The supply chain includes outsourced operations. - The supply chain includes external providers.
193
Insourcing
Insourcing is when functions are performed by internal personnel
194
Outsourcing
Outsourcing is when functions are performed by third parties.
195
Supply Chain Risk Management (SCRM)
Supply Chain Risk Management (SCRM) is the implementation of strategies to manage uncertainty, identify vulnerabilities, and ensure continuity.
196
SSAE18
Statement on Standards for Attestation Engagements No. 18 (SSAE 18) Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization.
197
NIST SETA Model
- Security Education (Long term) - Training (Intermediate) - Awareness (Short-term)
198
Employee Awareness Programs
Employee Awareness Programs should include: - On-boarding (initial and at 3 months) which includes polices, best practices, social engineering, duress, and reporting suspicious activity. - Annual compliance and 'hot topic' training (instructor-led, recorded, online) - Ongoing Awareness program. - As needed, situational awareness communications.
199
Social Engineering
Social Engineering (SE) describes a class of techniques used to manipulate people by deception, into divulging information or performing an action.
200
Social Engineering Principles
- Authority - Intimidation - Consensus / Social Proof - Scarcity - Urgency - Familiarity / liking - Trust
201
Phishing
Pretexting using email.
202
Spear Phishing
Targeted version of phishing.
203
Whale
High profile phishing target
204
Vishing
Pretexting using voice (phone)
205
Hoax
Warning of a non-existent threat, or an offer designed to defraud.
206
Watering Hole
Compromising a website or social media application frequented by the target.
207
Social Engineering - Physical Presence
- Impersonation. - Shoulder Surfing. - Piggybacking | Tailgating. - Dumpster Diving.
208
Impersonation
Impersonating a "trusted" source in order to gain access.
209
Shoulder Surfing
Covert Observation.
210
Piggybacking | Tailgating
When an unauthorized person enters a checkpoint close behind, or in concert with authorized personnel.
211
Dumpster Diving
Rummaging through trash and recycling in search of information.
212
Social Engineering Defense Controls
User education, including general awareness and understanding of the importance of following security procedures and reporting suspicious activity. Supported by: - Published policies and procedures (caller/visitor identification, document disposal) - Technical Controls ( SPAM and content filtering) - Physical Controls (surveillance, mantraps, anti-skimming).