Domain 1 - Chapter 1 - Security Governance Through Principles & Policies

Question 1

What are the primary goals and objectives of a security infrastructure?

Answer 1

Confidentiality, integrity, and availability.

Question 2

What is confidentiality?

Answer 2

Protection of the secrecy of data, objects, or resources.

Question 3

What are the concepts, conditions, and aspects of confidentiality?

Answer 3

Sensitivity, discretion, criticality, concealment, secrecy, privacy, seclusion, & isolation.

Question 4

What is integrity?

Answer 4

Protecting the reliability and correctness of data.

Prevents unauthorized alterations of data.

Question 5

What is integrity is dependent on?

Answer 5

Confidentiality and access control

Question 6

What are the concepts, conditions, and aspects of integrity?

Answer 6

Accuracy, truthfulness, validity, accountability, responsibility, completeness, & comprehensiveness.

Question 7

What is availability?

Answer 7

Principles that authorized subjects are granted timely and uninterrupted access to objects.

Question 8

What is availability is dependent on?

Answer 8

Integrity and confidentiality

Question 9

What are the concepts, conditions, and aspects of availability?

Answer 9

Usability, accessibility, timeliness.

Question 10

What is the opposite of the CIA Triad?

Answer 10

DAD
Disclosure, alteration, & destruction
DAD triad represents the failures of security protections in the CIA Triade.

Question 11

Overprotecting confidentiality can result in?

Answer 11

Restriction of availability

Question 12

Overprotecting integrity can result in?

Answer 12

Restriction of availability

Question 13

Overproviding in availability can result in?

Answer 13

Loss of confidentiality and integrity

Question 14

What is the core security mechanisms for all security environments?

Answer 14

IAAAA
Identification - Claiming to be an identity when attempting access to a secured area or system

Authentication - Proving that you are that claimed identity

Authorization - Defining permissions of a resource and object access

Auditing - Recording log events and activities related to systems and objects

Accounting - Reviewing log files to check for compliance and violations.

Question 15

What are four types of protection mechanisms?

Answer 15

Defense in depth

Abstraction

Data Hiding

Encryption

Question 16

What is security governance?

Answer 16

Collection of practices related to supporting, evaluating, defining, and directing the security elements of a organization.

Question 17

Who is responsible for security management?

Answer 17

Upper Management

Question 18

What is the length of time for a strategic plan?

Answer 18

Long-term plan that is fairly stable. ~5 years

Question 19

What is the length of time for a tactical plan?

Answer 19

Mid-term plan developed to provide more details on a accomplishing the goals set forth in the strategic plan. ~1 year

Question 20

What is the length of time for an operational plan?

Answer 20

Short-term plan that is highly detailed based on strategic and tactical plans. ~Monthly or Quarterly

Question 21

Security governance should address ______ ?

Answer 21

every aspect of an organization, including the organizational processes of acquisitions, divestitures, and governance committees.

Question 22

What processes should be considered when evaluating a third party security integration?

Answer 22

On-site assessment
Document Exchange Review
Process/Policy Review
Third-Party Review

Question 23

What is a security role?

Answer 23

The part an individual plays in the overall scheme of security implementations and administration within an organization.

Question 24

List common security roles present in a typical secured environment?

Answer 24

Senior Manager -

Security Professional -

Asset Owner -

Custodian -

User -

Question 25

What is COBIT?

Answer 25

Control Objectives for Information and Related Technology (COBIT). A documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA).

Question 26

COBIT is based on how many key principles?

Answer 26

Six

Question 27

List the six principles that COBIT it based on?

Answer 27

``` Provide Stakeholder Value Holistic Approach Dynamic Governance System Governance Distinct from Management Tailored to Enterprise Needs End-to-End Governance System ```

Question 28

List common frameworks for security?

Answer 28

NIST 800-53 Security and Privacy Controls for Information Systems and Organizations The Center for Internet Security NIST Risk Management Framework (RMF) NIST Cybersecurity Framework (CSF) International Organization for Standardization (ISO) Information Technology Infrastructure Library (ITIL)

Question 29

What is due care?

Answer 29

Continued application of security structure onto the IT infrastructure of an organization.

Question 30

What is due diligence?

Answer 30

Establishing a plan, policy, and the processes to protect the interests of an organization.

Question 31

What is a security policy?

Answer 31

A document that defines the scope of security needed by the organization and discusses the assets that require protection.

Question 32

What is a baseline?

Answer 32

Minimum level of security that every system throughout the organization must meet.

Question 33

What are guidelines as it relates to policy?

Answer 33

Guidelines offer recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users.

Question 34

What is threat modeling?

Answer 34

Security process where potential threats are identified, categorized, and analyzed. Threat modeling identifies the potential harm, the probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat.

Question 35

List common threat model guides.

Answer 35

Microsoft STRIDE PASTA VAST

Question 36

Microsoft threat model?

Answer 36

``` STRIDE Spoofing Tampering Repudiation Information Disclosure Denial of Service (DoS) Elevation of privilege ```

Question 37

Seven-stage Threat Model? Risk centric model

Answer 37

PASTA - seven-stage threat model designed to be a risk-centric approach. Stage I - Definition of the Objectives (DO) for the Analysis (ADA) Stage II - Definition of Technical Scope (DTS) Stage III - Application Decomposition and Analysis (ADA) Stage IV - Threat Analysis (AT) Stage V - Weakness and Vulnerability Analysis (WVA) Stage VI - Attack Modeling & Simulation (AMS) Stage VII - Risk Analysis & Management (RAM)

Question 38

Threat Model - Agile

Answer 38

VAST Visual Agile Simple Threat

Question 39

Technique used to rank or rate threats?

Answer 39

``` DREAD Damage Potential Reproducibility Exploitability Affected Users Discoverability ```

Question 40

Explain how identification works

Answer 40

Process by which a subject professes an identity and accountability and accountability is initiated.

Question 41

What is a security boundary?

Answer 41

The line of intersection between any two areas, subnets, or environments that have different security requirements or needs.

Question 42

What is a business case?

Answer 42

A documented agreement or stated position in order to define a need to make a decision or take some form of action.

Question 43

Security management planning steps...

Answer 43

Strategic Tactical Operational

Question 44

What are the elements of a formalized security policy structure?

Answer 44

``` Security Policy Standards Baselines Guidelines Procedures ```