Domain 1 - Security and Risk Management

Question 1

What is the NIST Risk Management Publication?

Answer 1

NIST 800-30

Question 2

What is the ISO standard for risk management?

Answer 2

ISO 27005

Question 3

What is water holing?

Answer 3

Creating a bunch of websites with similar names, or an attacker infecting websites that are frequented by members of the group being attacked

Question 4

What is data diddling?

Answer 4

act of modifying info, programs or documents to commit fraud. tampering with input data

Question 5

What is COSO?

Answer 5

develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. these are goals for the entire organization

Question 6

What is COBIT?

Answer 6

Created by ISACA, COBIT allows practitioners to govern and manage IT holistically, bridging gap between business requirements, control needs and technical issues. TLDR - IT Governance

Question 7

What is OCTAVE?

Answer 7

Self Directed Risk Management.

Question 8

What is ISO 27799?

Answer 8

Directives on how to protect PHI (Protected Health Information)

Question 9

What are the PCI-DSS principles?

Answer 9

1. Build and Maintain a Secure Network and Systems
2. Protect Account Data (stored data and cryptography of data in transit)
3. Maintain a Vulnerability Management program
4. Implement Strong Access Control Measures
5. Regularly monitor and test networks
6. Maintain an info sec policy

Question 10

Which CSA Star Level requires 3rd party certification?

Answer 10

Star Level 2

Question 11

Which CSA Star Level has continuous auditing?

Answer 11

Star Level 3

Question 12

Which CSA Star Level(s) have continuous self assessment?

Answer 12

Star Level 1 Continuous and Star Level 2 Continuous

Question 13

Which CSA Star Level is only self-assessment?

Answer 13

Star Level 1

Question 14

What does the Computer Security Act (CSA) focus on?

Answer 14

Creating computer security plans and ensuring adequate training of system users and owners where the systems would hold sensitive information.

Question 15

What is the purpose of CALEA?

Answer 15

This is a communication assistance law to aid lawful interception of communications

Question 16

What is COPPA?

Answer 16

Children online privacy protection act. For those collecting information on those under 13 years of age. Restrictions against marking, must receive consent and display privacy policy.

Question 17

What law protects against espionage?

Answer 17

The Economic Espionage Act (EEA) 1996.

Question 18

Who are exempted from the DMCA?

Answer 18

nonprofit organisations such as libraries and schools

Question 19

What are the requirements of FISMA?

Answer 19

• Deployment of risk assessments
• Development and maintenance of an information assurance program. with IT security architecture and framework
• Security training conduction
• Periodic testing and evaluation
• Security awareness programs

Question 20

The following example would be what kind of security document:
“All users must choose a long passphrase that will be changed annually”

Answer 20

This would exist in a high level policy.

Question 21

The following example would be what kind of security document:
“SoE must be Windows 11 and use AES 128bit key encryption”

Answer 21

This would exist in a standard.

Question 22

The following example would be what kind of security document:
“Use AES for encryption”

Answer 22

This would be a baseline as it does not define what key length is required. Leaving it somewhat discretionary for users.

Question 23

What is the NIST 800-53?

Answer 23

This is security and privacy controls for Information Systems and Organizations that provides detailed security controls for US FEDERAL systems. Rev 5 also provides privacy controls, supply chain and insider threat.

Question 24

What is the NIST 800-37

Answer 24

This is the Risk Management Framework for Info Systems and Organizations

Question 25

What are the steps in the NIST Cyber Security Framework?

Answer 25

1. Identify
2. Protect
3. Detect
4. Respond
5. Recovery

Question 26

What is another name of a bot?

Answer 26

Zombie

Question 27

Who can complain about Canon I and II?

Answer 27

Any member of the general public may file a complaint for canon I or II

Question 28

Who can complain about Canon III?

Answer 28

Any principal that has a employer/contractor relationship with the certificate holder

Question 29

Who can complain about Canon IV?

Answer 29

any other profession and also subscribed to a code of ethics

Question 30

What may be compromised if we over subscribe in confidentiality?

Answer 30

Availability may be impacted

Question 31

What may happen if we overprotect integrity

Answer 31

Availability may be impacted as well.

Question 32

What are the three types of plans that a security planning team develop?

Answer 32

1. Strategic Plan (3-5 years)
2. Tactical Plan (1 year plan)
3. Operational Plain (updated frequently)

Question 33

What types of entities does HIPAA regulate?

Answer 33

HIPAA regulates three types of entities—healthcare providers, health information clearinghouses, and health insurance plans—as well as the business associates of any of those covered entities.

Question 34

What 3 rules does the HIPAA have?

Answer 34

1. Privacy Rule
2. Security Rule
3. Breach notification rule

Question 35

What are the controls of Crime Prevention Through Environmental Design (CPTED)?

Answer 35

1. Natural access control
2. Natural Surveillance
3. Territorial Reinforcement