Domain 1 - part 3 Flashcards

(61 cards)

1
Q

Controls implemented with or by automated or electronic systems: firewalls, electronic badge readers, access control lists. Another example would be routers.

A

technical/logical controls

2
Q

Controls implemented through a tangible mechanism: walls, fences, guards, locks. Physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.

A

Physical controls

3
Q

Controls implemented through policy and procedure. Includes access control processes and requiring multiple people to conduct a specific operation. Often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for a new user that requires login and approval by the hiring manager.

A

Administrative controls

4
Q

Often performed with automated tools that review the org's IT environment for known vulnerabilities, cataloging them and often sending alerts for any detection. This method can only detect known vulnerabilities.

A

Vulnerability assessment

5
Q

External: the tester has no access, and it's not safe.

Simulates an external attack and tests the org's security defenses.

A

Penetration testing

6
Q

financial fraud

A

COSO

7
Q

Publishes the Risk IT framework, connecting risk management from a strategic perspective with risk-related IT management.

A

ISACA

8
Q

Publishes SP 800-37, which is extremely influential and important in how US federal government agencies address risk.

A

NIST

9
Q

Both discuss risk from a holistic org perspective and specifically as it relates to IT security; also endorsed by the European Union agency for network and information security as a means of managing risk.

A

ISO risk framework

Standard 27001; ENISA

10
Q

Created by Microsoft; a threat classification system used to inform software developers during the development process.

A

STRIDE

11
Q

Threat where the attacker poses as an entity other than the attacker, often as an authorized user.

A

Spoofing identity

12
Q

Attacker attempts to modify the target data in an unauthorized way.

A

tampering with data

13
Q

Attacker, as a participant in a transaction, can deny or conceal the attacker's participation in that transaction.

A

repudiation

14
Q

Can include either inadvertent release of data (an authorized user gives it to the attacker accidentally) or malicious access to data, where the attacker gets unauthorized access.

A

information disclosure

15
Q

An attack on the availability aspect of the CIA triad; creates a situation in the target where authorized users cannot get access to the system/app/data.

A

Denial of Service (DoS)

16
Q

When an attacker not only gains access to the target but can attain a level of control with which to completely disable/destroy the entire target system.

A

elevation of privilege

17
Q

Applicable list of security and privacy controls. One series is only required to be followed by federal agencies in the US. It can be applied to any kind of org, as the methods and concepts are universal.

A

ISO 27001/27002

18
Q

Created by ISACA to maintain and document enterprise IT security functions for an org. Uses a governance and process perspective for resource management and is intended to address IT performance, security operations, risk management, and regulatory compliance.

A

COBIT

19
Q

Can generally be rated according to three factors: impact, likelihood, and exposure.

A

risk assessment

20
Q

The damage/harm/seriousness caused if the risk is realized. Can be measured monetarily, as an effect on health and human safety, and/or by the criticality of the affected asset to the org. The BIA is an excellent tool for assessing impact.

A

impact

21
Q

Probability, or the measure of the possibility that the risk will be realized. This is a form of prediction.

A

likelihood

22
Q

Establishing the realistic potential for the org to face certain types of threats.

A

exposure

23
Q

Typically split into two categories; the candidate should understand these for the purpose of adhering to the CBK.

A

Risk analysis

24
Q

Used when the org does not have sufficient time, budget, or personnel trained in this to put toward the effort. Ratings are High-Med-Low.

A

Qualitative

25
Q

Should produce objective, discrete numeric values. The org should opt for this when it has sufficient time, budget, and trained personnel to put toward the effort.

A

Quantitative

26
Q

Remains after the security controls are put into place.

A

Residual risk

27
Q

Parties must establish a mutual understanding of exactly what will be provided, under which terms, and at what times; includes a detailed description of both performance and security functions. Defines the minimum requirements and codifies provision. Includes a discrete objective.

A

SLA

28
Q

Adherence to a mandate, regardless of the source. The action on the part of the org to fulfill the mandate, and the tools, processes, and documentation that demonstrate adherence.

A

Compliance
29
Q

The right of a human being to control the manner and extent to which information about him or her is distributed. Mandates take all forms: contractual, regulatory, and customary.

A

Privacy

30
Q

Tools, processes, and activities used to perform compliance reviews.

A

Audits

31
Q

Legal concept pertaining to the duty owed by a provider to a customer.

A

Due care

32
Q

Activity used to demonstrate or provide due care: reviewing vendors and suppliers for adequate provision of security measures; proper review of personnel before granting access to the org's data or before hiring.

A

Due diligence
33
Q

Is publishing a policy an insufficient form of due diligence?

A

True - to meet the legal duty, an org must also have a documented monitoring and enforcement capability in place and active to ensure the org is adhering to the policy.

34
Q

Contract between the entities that issue credit cards in the US and the entity (the merchant) that accepts the cards as payment.

A

PCI-DSS

35
Q

Are set by government bodies.

A

Regulations

36
Q

The EU addressed personal privacy, deeming it an individual human right. Associated with IT and data security around the world, influencing laws in many other countries and regions.

A

General Data Protection Regulation - GDPR
37
Q

American federal law that affects medical providers and includes stipulations regarding the collection and dissemination of health-related personal info, referred to in the Act and the industry as electronic protected health information (ePHI).

A

HIPAA - Health Insurance Portability and Accountability Act

38
Q

Federal US law that allowed banks to merge with insurance providers and includes protection, collection, and dissemination requirements for the personal information of individual account holders.

A

Gramm-Leach-Bliley Act - GLBA

39
Q

Created by the US Congress as a response to a series of dramatic frauds committed by publicly traded corps in the 1990s. Contains security, privacy, and availability requirements of great interest to IT security practitioners, as the resulting industry standards (SSAE 16), created as a mechanism for SOX audits, have been accepted.

A

SOX

40
Q

Severely restrictive of privacy data collection and dissemination, and requires intense security for such data.

A

Canada's Personal Information Protection and Electronic Documents Act - PIPEDA
41
Q

US national law applicable only to federal government agencies; requires all covered entities to comply with NIST guidance and standards for securing IT environments under those agencies' control. Related: FedRAMP - Federal Risk and Authorization Management Program.

A

Federal Info Systems Management Act - FISMA

42
Q

Intangible assets can include proprietary material such as software owned by the org. Proprietary software is shared between the vendor and the customer through the use of a license, an agreement codifying the terms (price, duration, number of copies) that govern the use of the software.

A

Intellectual property - IP

43
Q

Tools that often create an additional layer of access control within the org for those files/data sets that contain proprietary material.

A

DRM

44
Q

Access controls follow the protected material wherever the material goes.

A

Persistency
45
Q

Solution is subject to a centralized administrative function that allows the owner of the IP to update and modify permissions as necessary.

A

Dynamic policy control

46
Q

Solution should recognize a time limit on permissions for specific data sets/files.

A

Automatic expiration

47
Q

Solution should ensure that every protected element (each file or data set) is able to recognize and annotate access events (open/view/running/copying, etc.) on itself and maintain that record.

A

Continuous audit trail

48
Q

Solution should function properly within the environment of whoever is running the DRM and work in concert with that org's existing access control methodologies and tools. The DRM solution can integrate with the org's file structure, email, etc.

A

Interoperability
49
Q

A multilateral export control restriction program in which 41 participating countries agree not to distribute/export certain technologies, including both weapons and, of more concern to our field, cryptographic tools, to regions where an accumulation of these materials might disturb the local balance of power between nation-states.

A

Wassenaar agreement

50
Q

Expressly intended to prevent the personal data of EU citizens from going to any country that does not have a national personal privacy law in accordance with EU law in terms of breadth and individual protection. The US does not adhere to this.

A

GDPR

51
Q

Voluntary US program for American companies that want to do business that involves processing privacy data of EU citizens. A voluntary mechanism for US companies to agree to follow EU data protection law.

A

Privacy Shield

52
Q

Any data about a human being that could be used to identify that person, such as name, tax ID number, SSN, home address, mobile telephone number, specific computer data (MAC address, IP of the machine), credit card number, bank account number, facial photo.

A

PII - personally identifiable information
53
Q

Creates or collects the data; is legally responsible for the protection of the data in their control and liable for any unauthorized release of the data.

A

Data owner/controller

54
Q

Person/role within the org who usually manages the data on a day-to-day basis on behalf of the data owner/controller. Could be a DBA or system admin, or anyone with privileged access to the system or data set.

A

Data custodian

55
Q

Employee signs a formal agreement not to make any unauthorized disclosure of any of the org's proprietary/sensitive info, both during and after the term of employment.

A

Non-disclosure agreement - NDA

56
Q

Actions, processes, and tools ensuring an org can continue critical operations during a contingency.

A

Business continuity - BC
57
Q

Efforts are those tasks and activities required to bring an org back from contingency operations and reinstate the needs of the org.

A

Disaster recovery - DR

58
Q

Measure of how long an org can survive an interruption of critical functions; if exceeded, the org will no longer be a viable unit.

A

Maximum allowable downtime - MAD

59
Q

Target time set for recovering from any interruption; must necessarily be less than the MAD. Senior management sets this based on their knowledge of the needs of the org. A goal for recovering availability of the critical path. This is a temporary state the org will endure until it can return to normal.

A

Recovery time objective - RTO

60
Q

How much data an org can lose before it is no longer viable. Senior management sets this.

A

Recovery point objective - RPO

61
Q

Effort to determine the value of each asset belonging to the org, as well as the potential risk of losing assets, the threats likely to affect the org, and the potential for common threats to be realized.

A

Business impact analysis - BIA