Domain 1 - Security and Risk Management

Question 1

Which of the following contains the primary goals and objectives of security?
A. A network’s border perimeter
B. The CIA Triad
C. A stand-alone system
D. The Internet

Answer 1

B. The CIA Triad

Question 2

Vulnerabilities and risks are evaluated based on their threats against which of the
following?
A. One or more of the CIA Triad principles
B. Data usefulness
C. Due care
D. Extent of liability

Answer 2

A. One or more of the CIA Triad principles

Question 3

Which of the following is a principle of the CIA Triad that means authorized subjects are
granted timely and uninterrupted access to objects?
A. Identification
B. Availability
C. Encryption
D. Layering

Answer 3

B. Availability

Question 4

Which of the following is not considered a violation of confidentiality?
A. Stealing passwords
B. Eavesdropping
C. Hardware destruction
D. Social engineering

Answer 4

C. Hardware destruction

Question 5

Which of the following is not true?
A. Violations of confidentiality include human error.
B. Violations of confidentiality include management oversight.
C. Violations of confidentiality are limited to direct intentional attacks.
D. Violations of confidentiality can occur when a transmission is not properly encrypted.

Answer 5

C. Violations of confidentiality are limited to direct intentional attacks.

Question 6

STRIDE is often used in relation to assessing threats against applications or operating
systems. Which of the following is not an element of STRIDE?
A. Spoofing
B. Elevation of privilege
C. Repudiation
D. Disclosure

Answer 6

D. Disclosure

Question 7

If a security mechanism offers availability, then it offers a high level of assurance that
authorized subjects can _________________________ the data, objects, and resources.
A. Control
B. Audit
C. Access
D. Repudiate

Answer 7

C. Access

Question 8

\_\_\_\_\_\_\_\_\_\_\_ refers to keeping information confidential that is personally identifiable or which might cause harm, embarrassment, or disgrace to someone if revealed.
A. Seclusion
B. Concealment
C. Privacy
D. Criticality

Answer 8

C. Privacy

Question 9

All but which of the following items requires awareness for all individuals affected?
A. Restricting personal email
B. Recording phone conversations
C. Gathering information about surfing habits
D. The backup mechanism used to retain email messages

Answer 9

D. The backup mechanism used to retain email

Question 10

What element of data categorization management can override all other forms of access control?
A. Classification
B. Physical access
C. Custodian responsibilities
D. Taking ownership

Answer 10

D. Taking ownership

Question 11

What ensures that the subject of an activity or event cannot deny that the event occurred?
A. CIA Triad
B. Abstraction
C. Nonrepudiation
D. Hash totals

Answer 11

C. Nonrepudiation

Question 12

Which of the following is the most important and distinctive concept in relation to layered security?
A. Multiple
B. Series
C. Parallel
D. Filter

Answer 12

B. Series

Question 13

Which of the following is not considered t an example of data hiding?
A. Preventing an authorized reader of an object from deleting that object
B. Keeping a database from being accessed by unauthorized visitors
C. Restricting a subject at a lower classification level from accessing data at a higher classification level
D. Preventing an application from accessing hardware directly

Answer 13

A. Preventing an authorized reader of an object from deleting that object

Question 14

What is the primary goal of change management?
A. Maintaining documentation
B. Keeping users informed of changes
C. Allowing rollback of failed changes
D. Preventing security compromises

Answer 14

D. Preventing security compromises

Question 15

What is the primary objective of data classification schemes?
A. To control access to objects for authorized subjects
B. To formalize and stratify the process of securing data based on assigned labels of
importance and sensitivity
C. To establish a transaction trail for auditing ccountability
D. To manipulate access controls to provide for the most efficient means to grant or restrict functionality

Answer 15

B. To formalize and stratify the process of securing data based on assigned labels of

Question 16

W hich of the following is typically not a characteristic considered when classifying data?
A. Value
B. Size of object
C. Useful lifetime
D. National security implications

Answer 16

B. Size of object

Question 17

What are the two common data classification schemes?
A. Military and private sector
B. Personal and government
C. Private sector and unrestricted sector
D. Classified and unclassified

Answer 17

A. Military and private sector

Question 18

Which of the following is the lowest military data classification for classified data?
A. Sensitive
B. Secret
C. Proprietary
D. Private

Answer 18

B. Secret

Question 19

Which commercial business/private sector data classification is used to control information about individuals within an organization?
A. Confidential
B. Private
C. Sensitive
D. Proprietary

Answer 19

B. Private

Question 20

Data classifications are used to focus security controls over all but which of the following?
A. Storage
B. Processing
C. Layering
D. Transfer

Answer 20

C. Layering

Question 21

A threat categorization scheme developed by Microsoft. It is an acronym standing for: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

Answer 21

STRIDE

Question 22

To prevent unauthorized disclosure

Answer 22

Confidentiality

Question 23

No unauthorized modifications, consistent data

Answer 23

Integrity

Question 24

Reliable and timely access to resources

Answer 24

Availability

Question 25

User claims identity. Used for user access control

Answer 25

Identification

Question 26

Process of verifying a user’s identity

Answer 26

Authentication

Question 27

Linking actions to a user

Answer 27

Accountability

Question 28

Granting rights and permissions to an authorized identity

Answer 28

Authorization

Question 29

Recording a log of events and activities related to subjects and systems

Answer 29

Auditing

Question 30

Ensures subject of activity or event cannot deny that they event happened

Answer 30

Nonrepudiation

Question 31

A long-term plan that is fairly stable and not a lot of detail. It defines the organizations goals and objectives. It is part of Security Management Planning

Answer 31

Strategic

Question 32

A midterm plan developed to provide more details on accomplishing the goals in the strategic plan. It is part of Security Management Planning.

Answer 32

Tactical

Question 33

Plans that are short-term and highly detailed. Based on Strategic and Tactical plans.

Answer 33

Operational

Question 34

The user of multiple security controls in a series.

Answer 34

Layering or Defense in Depth

Question 35

Put similar elements into groups, classes or roles for efficiency. Used when classifying objects or assigning roles to subjects.

Answer 35

Abstraction

Question 36

Preventing data from being discovered or accessed by a subject.

Answer 36

Data Hiding

Question 37

The collection of practices related to supporting, defining, and directing the security efforts of an entire organization.

Answer 37

Security Governance

Question 38

Document that defines the scope of security needed by the organization. It also discusses the assets that need protection and the extent which security solutions should go to provide protection. An overview of the organizations security needs. Part of a Security Policy Structure

Answer 38

Security Policy

Question 39

Tactical documents that define steps or methods to accomplish the goals and direction defined by security policies. Part of a Security Policy Structure

Answer 39

Standards

Question 40

Defines a minimum level of security that every system must meet. Part of a Security Policy Structure

Answer 40

Baselines

Question 41

Offers recommendations on how standards and baselines are implemented and servers as an operational guide for both security professionals and users. Part of a Security Policy Structure

Answer 41

Guidelines

Question 42

A detailed, step-by-step how to document that describes the exact actions necessary to implement a specific security solution. Part of a Security Policy Structure

Answer 42

Procedures

Question 43

Also known as organizational manager. The person ultimately responsible for the security maintained by an organization and the protection of assets. They rarely implement security solutions.

Answer 43

Senior Manager

Question 44

Responsible for following the directives mandated by senior management. They write security policies and implement them.

Answer 44

Security Professional

Question 45

Person responsible for classifying information for placement and protection within the security solution.

Answer 45

Data Owner

Question 46

User who performs all activities necessary to provide adequate protection of the CIA Triad of data and to fulfill the requirements delegated from upper management.

Answer 46

Data Custodian

Question 47

Any person who accesses a secure system

Answer 47

User

Question 48

Person responsible for reviewing and verifying the security policy is properly implemented.

Answer 48

Auditor

Question 49

Change in a secure environment can introduce loopholes and oversights. Only way to manage security is to systematically manage change. The goal of ____ ________ is to ensure that any change does not reduce security.

Answer 49

Change Management

Question 50

This is done to data to simplify the process of assigning security controls to groups of objects rather than to individual objects.

Answer 50

Data Classifications

Question 51

Government Data Classifications

Answer 51

Top Secret, Secret, Confidential, Sensitive but unclassified, Unclassified

Question 52

Private Sector Data Classifications

Answer 52

Confidential, Private, Sensitive, Public

Question 53

This is required once an asset no longer warrants the protection of its currently assigned classification or sensitivity level.

Answer 53

Declassification

Question 54

A security framework that is a documented set of best IT security practices crafted by ISACA. It encourages the mapping of IT security ideals to business objectives.

Answer 54

COBIT

Question 55

The process when potential threats are identified, categorized and analyzed.

Answer 55

Threat modeling

Question 56

Integrating security risk management with acquisition strategies is a means to ensure a successful security strategy across the organization.

Answer 56

Security-Minded acquisitions

Question 57

Active prevention of unauthorized access to information that is personally identifiable

Answer 57

Privacy

Question 58

A system of oversight that may be mandated by law, regulation, industry standards or licensing requirements.

Answer 58

Third-Party governance

Question 59

The process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost and implementing cost effective solutions for reducing risk.

Answer 59

Risk Management

Question 60

The process by which upper management is provided with details to make decisions about which risks are to be mitigated, which should be transferred and which should be accepted. You must analyze assets, asset valuation, threats, vulnerability, exposure, risk, realized risk, safeguards, countermeasures, attacks and breaches.

Answer 60

Risk Analysis

Question 61

Potential danger to an asset

Answer 61

Threat

Question 62

Focuses on hard numbers and percentages. The process involves asset valuation, threat identification, threat’s potential frequency and the resulting damage. The result is a cost/benefit analysis.

Answer 62

Quantitative Risk Analysis

Question 63

The percentage of loss a company would experience if an asset were violated by a risk.

Answer 63

Exposure Factor (EF)

Question 64

The cost associated with a single risk against a specific asset. SLE = AV*EF

Answer 64

Single Loss Expectancy (SLE)

Question 65

The expected frequency a specific threat or risk will occur within a single year.

Answer 65

Annualized Rate of Occurrence (ARO)

Question 66

The yearly cost of all instances of a specific threat against an asset. ALE = SLE*ARO

Answer 66

Annualized Loss Expectancy (ALE)

Question 67

Determine the value of a safeguard to a company. Same as the ALE if the safeguard is implemented. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard = value of the safeguard to the company

Answer 67

Safeguard evaluation

Question 68

An anonymous feedback-and-response process used to arrive at a consensus. Such a consensus gives the responsible parties the opportunity to properly evaluate risks and implement solutions.

Answer 68

Delphi technique

Question 69

Three ways of handling risk

Answer 69

Reducing risk, assigning risk or accepting risk

Question 70

The implementation of safeguards and countermeasures.

Answer 70

Reducing risk or risk mitigation

Question 71

Placing the cost of loss a risk represents onto another entity or organization like insurance

Answer 71

Assigning risk or transferring risk

Question 72

Management has evaluated the cost/benefit analysis of possible safeguards and has determined that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk.

Answer 72

Accepting risk

Question 73

The amount of risk an organization would face if no safeguards were implemented.

Answer 73

Total risk

Question 74

Risk that management has chosen to accept rather than mitigate

Answer 74

Residual risk

Question 75

Controls that prevent unauthorized users from gaining access to resources.

Answer 75

Access Controls

Question 76

The seven Access control types

Answer 76

Preventive, Detective, Corrective, Deterrent, Recovery, Directive, Compensation

Question 77

Security concept of dividing work tasks among several individuals.

Answer 77

Separation of Duties

Question 78

Users should be granted the minimum amount of access necessary for them to complete their required work.

Answer 78

Principle of Least Privilege

Question 79

Six steps of a Risk Management Framework

Answer 79

Categorize, Select, Implement, Assess, Authorize and Monitor

Question 80

Project scope and planning, Business impact assessment, Continuity planning, Approval and implementation

Answer 80

Business Continuity Planning Process

Question 81

Individuals responsible for leading the BCP process determine which departments and individuals have a stake in the business continuity plan. This process is used for BCP team selection.

Answer 81

Business Organization Analysis

Question 82

Leaders must exercise due diligence to ensure shareholders’ interests are protected.

Answer 82

Legal or regulatory requirements

Question 83

Identification of priorities, Risk identification, Likelihood assessment, Impact assessment and Resource prioritization

Answer 83

Business Impact assessment process

Question 84

BCP team determines which risks will be mitigated, Solutions to mitigate the risks are designed, The plan must then be approved by senior management, and Personnel must receive training for their roles

Answer 84

Continuity Strategy

Question 85

Committing the plan to writing provides a written record of the procedures to follow when disaster strikes.

Answer 85

BCP Documentation

Question 86

Protects society against acts that violate the basic principles we believe in. They are prosecuted by federal and state governments.

Answer 86

Criminal Law

Question 87

Provides the framework for the transaction of business between people and organizations. They are brought to the court and argued by the two parties.

Answer 87

Civil Law

Question 88

Used by government agencies to effectively carry out their day to day business.

Answer 88

Administrative Law

Question 89

Computer Crime Law - Protects computers used by the government or in interstate commerce

Answer 89

Computer Fraud and Abuse Act (CFAA)

Question 90

Computer Crime Law - Outlines steps the government must take to protect its own systems from attack

Answer 90

Computer Security Act (CSA)

Question 91

Computer Crime Law - Further develops the federal govt info security program. Maintaining the security and integrity of govt information and systems falls on individual agency leaders.

Answer 91

Government Information Security Reform Act (GISRA)

Question 92

Computer Crime Law - Requires that federal agencies implement an information security program that covers the agencies operations.

Answer 92

Federal Information Security Management Act (FISMA)

Question 93

Protect original works of authorship, such as books, poems and songs.

Answer 93

Copyrights

Question 94

Names, slogans and logos that identify a company, product or service

Answer 94

Trademarks

Question 95

Provide protection to the creators of new inventions

Answer 95

Patents

Question 96

Protects the operating secrets of an organization

Answer 96

Trade Secrets

Question 97

Prohibits the circumvention of copy right protection mechanisms placed in digital media. It also limits the liability of Internet service providers for the activities of their users

Answer 97

Digital Millennium Copyright Act (1998)

Question 98

Provides penalties for individuals found guilty of the theft of trade secrets. Harsher penalties apply when the info will benefit a foreign govt.
Software License Agreements

Answer 98

Economic Espionage Act (1996)

Question 99

Software license agreement that is a written agreement between a software vendor and a user

Answer 99

Contractual License agreements

Question 100

Software license agreement that is written on software packaging and take effect when a user opens the package.

Answer 100

Shrink-wrap agreements

Question 101

Software license agreement that are included in a package but require the user to accept the terms during the software installation process.

Answer 101

Click-wrap agreements

Question 102

Provides a framework for the enforcement of shrink‐wrap and click‐wrap agreements by federal and state governments.

Answer 102

Uniform Computer Information Transactions Act

Question 103

California’s SB 1386 implemented the first statewide requirement to notify individuals of a breach of their personal information. All but three states eventually followed suit with similar laws. Currently, federal law only requires the notification of individuals when a HIPAA‐covered entity breaches their protected health information.

Answer 103

Data Breach Requirements

Question 104

Organizations may find themselves subject to a wide variety of laws and regulations imposed by regulatory agencies or contractual obligations. PCI DSS for credit card industry.

Answer 104

Compliance

Question 105

Security professionals should conduct reviews of the security controls put in place by vendors, both during the initial vendor selection and evaluation process, and as part of ongoing vendor governance reviews.

Answer 105

Contracting and Procurement