Domain 1 - Security and Risk Management Flashcards Preview


Flashcards in Domain 1 - Security and Risk Management Deck (105):
1

Which of the following contains the primary goals and objectives of security?
A. A network’s border perimeter
B. The CIA Triad
C. A stand-alone system
D. The Internet

B. The CIA Triad

2

Vulnerabilities and risks are evaluated based on their threats against which of the
following?
A. One or more of the CIA Triad principles
B. Data usefulness
C. Due care
D. Extent of liability

A. One or more of the CIA Triad principles

3

Which of the following is a principle of the CIA Triad that means authorized subjects are
granted timely and uninterrupted access to objects?
A. Identification
B. Availability
C. Encryption
D. Layering

B. Availability

4

Which of the following is not considered a violation of confidentiality?
A. Stealing passwords
B. Eavesdropping
C. Hardware destruction
D. Social engineering

C. Hardware destruction

5

Which of the following is not true?
A. Violations of confidentiality include human error.
B. Violations of confidentiality include management oversight.
C. Violations of confidentiality are limited to direct intentional attacks.
D. Violations of confidentiality can occur when a transmission is not properly encrypted.

C. Violations of confidentiality are limited to direct intentional attacks.

6

STRIDE is often used in relation to assessing threats against applications or operating
systems. Which of the following is not an element of STRIDE?
A. Spoofing
B. Elevation of privilege
C. Repudiation
D. Disclosure

D. Disclosure

7

If a security mechanism offers availability, then it offers a high level of assurance that
authorized subjects can _________________________ the data, objects, and resources.
A. Control
B. Audit
C. Access
D. Repudiate

C. Access

8

___________ refers to keeping information confidential that is personally identifiable or which might cause harm, embarrassment, or disgrace to someone if revealed.
A. Seclusion
B. Concealment
C. Privacy
D. Criticality

C. Privacy

9

All but which of the following items requires awareness for all individuals affected?
A. Restricting personal email
B. Recording phone conversations
C. Gathering information about surfing habits
D. The backup mechanism used to retain email messages

D. The backup mechanism used to retain email messages

10

What element of data categorization management can override all other forms of access control?
A. Classification
B. Physical access
C. Custodian responsibilities
D. Taking ownership

D. Taking ownership

11

What ensures that the subject of an activity or event cannot deny that the event occurred?
A. CIA Triad
B. Abstraction
C. Nonrepudiation
D. Hash totals

C. Nonrepudiation

12

Which of the following is the most important and distinctive concept in relation to layered security?
A. Multiple
B. Series
C. Parallel
D. Filter

B. Series

13

Which of the following is not considered an example of data hiding?
A. Preventing an authorized reader of an object from deleting that object
B. Keeping a database from being accessed by unauthorized visitors
C. Restricting a subject at a lower classification level from accessing data at a higher classification level
D. Preventing an application from accessing hardware directly

A. Preventing an authorized reader of an object from deleting that object

14

What is the primary goal of change management?
A. Maintaining documentation
B. Keeping users informed of changes
C. Allowing rollback of failed changes
D. Preventing security compromises

D. Preventing security compromises

15

What is the primary objective of data classification schemes?
A. To control access to objects for authorized subjects
B. To formalize and stratify the process of securing data based on assigned labels of
importance and sensitivity
C. To establish a transaction trail for auditing accountability
D. To manipulate access controls to provide for the most efficient means to grant or restrict functionality

B. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity

16

Which of the following is typically not a characteristic considered when classifying data?
A. Value
B. Size of object
C. Useful lifetime
D. National security implications

B. Size of object

17

What are the two common data classification schemes?
A. Military and private sector
B. Personal and government
C. Private sector and unrestricted sector
D. Classified and unclassified

A. Military and private sector

18

Which of the following is the lowest military data classification for classified data?
A. Sensitive
B. Secret
C. Proprietary
D. Private

B. Secret

19

Which commercial business/private sector data classification is used to control information about individuals within an organization?
A. Confidential
B. Private
C. Sensitive
D. Proprietary

B. Private

20

Data classifications are used to focus security controls over all but which of the following?
A. Storage
B. Processing
C. Layering
D. Transfer

C. Layering

21

A threat categorization scheme developed by Microsoft. It is an acronym standing for: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

STRIDE

22

To prevent unauthorized disclosure

Confidentiality

23

No unauthorized modifications, consistent data

Integrity

24

Reliable and timely access to resources

Availability

25

User claims identity. Used for user access control

Identification

26

Process of verifying a user's identity

Authentication

27

Linking actions to a user

Accountability

28

Granting rights and permissions to an authorized identity

Authorization

29

Recording a log of events and activities related to subjects and systems

Auditing

30

Ensures that the subject of an activity or event cannot deny that the event happened

Nonrepudiation

31

A long-term plan that is fairly stable and contains little detail. It defines the organization's goals and objectives. It is part of Security Management Planning.

Strategic

32

A midterm plan developed to provide more details on accomplishing the goals in the strategic plan. It is part of Security Management Planning.

Tactical

33

Plans that are short-term and highly detailed. Based on Strategic and Tactical plans.

Operational

34

The use of multiple security controls in a series.

Layering or Defense in Depth

35

Put similar elements into groups, classes or roles for efficiency. Used when classifying objects or assigning roles to subjects.

Abstraction

36

Preventing data from being discovered or accessed by a subject.

Data Hiding

37

The collection of practices related to supporting, defining, and directing the security efforts of an entire organization.

Security Governance

38

Document that defines the scope of security needed by the organization. It also discusses the assets that need protection and the extent to which security solutions should go to provide protection. An overview of the organization's security needs. Part of a Security Policy Structure.

Security Policy

39

Tactical documents that define steps or methods to accomplish the goals and direction defined by security policies. Part of a Security Policy Structure

Standards

40

Defines a minimum level of security that every system must meet. Part of a Security Policy Structure

Baselines

41

Offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users. Part of a Security Policy Structure.

Guidelines

42

A detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security solution. Part of a Security Policy Structure.

Procedures

43

Also known as organizational manager. The person ultimately responsible for the security maintained by an organization and the protection of assets. They rarely implement security solutions.

Senior Manager

44

Responsible for following the directives mandated by senior management. They write security policies and implement them.

Security Professional

45

Person responsible for classifying information for placement and protection within the security solution.

Data Owner

46

User who performs all activities necessary to provide adequate protection of the CIA Triad of data and to fulfill the requirements delegated from upper management.

Data Custodian

47

Any person who accesses a secure system

User

48

Person responsible for reviewing and verifying the security policy is properly implemented.

Auditor

49

Change in a secure environment can introduce loopholes and oversights. The only way to manage security is to systematically manage change. The goal of ____ ________ is to ensure that any change does not reduce security.

Change Management

50

This is done to data to simplify the process of assigning security controls to groups of objects rather than to individual objects.

Data Classifications

51

Government Data Classifications

Top Secret, Secret, Confidential, Sensitive but unclassified, Unclassified

52

Private Sector Data Classifications

Confidential, Private, Sensitive, Public

53

This is required once an asset no longer warrants the protection of its currently assigned classification or sensitivity level.

Declassification

54

A security framework that is a documented set of best IT security practices crafted by ISACA. It encourages the mapping of IT security ideals to business objectives.

COBIT

55

The process when potential threats are identified, categorized and analyzed.

Threat modeling

56

Integrating security risk management with acquisition strategies is a means to ensure a successful security strategy across the organization.

Security-Minded acquisitions

57

Active prevention of unauthorized access to information that is personally identifiable

Privacy

58

A system of oversight that may be mandated by law, regulation, industry standards or licensing requirements.

Third-Party governance

59

The process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost and implementing cost effective solutions for reducing risk.

Risk Management

60

The process by which upper management is provided with details to make decisions about which risks are to be mitigated, which should be transferred and which should be accepted. You must analyze assets, asset valuation, threats, vulnerability, exposure, risk, realized risk, safeguards, countermeasures, attacks and breaches.

Risk Analysis

61

Potential danger to an asset

Threat

62

Focuses on hard numbers and percentages. The process involves asset valuation, threat identification, threat’s potential frequency and the resulting damage. The result is a cost/benefit analysis.

Quantitative Risk Analysis

63

The percentage of loss a company would experience if an asset were violated by a risk.

Exposure Factor (EF)

64

The cost associated with a single risk against a specific asset. SLE = AV*EF

Single Loss Expectancy (SLE)

65

The expected frequency a specific threat or risk will occur within a single year.

Annualized Rate of Occurrence (ARO)

66

The yearly cost of all instances of a specific threat against an asset. ALE = SLE*ARO

Annualized Loss Expectancy (ALE)

67

Determine the value of a safeguard to a company. Same as the ALE if the safeguard is implemented. (ALE before safeguard) - (ALE after implementing the safeguard) - (annual cost of safeguard) = value of the safeguard to the company

Safeguard evaluation

68

An anonymous feedback-and-response process used to arrive at a consensus. Such a consensus gives the responsible parties the opportunity to properly evaluate risks and implement solutions.

Delphi technique

69

Three ways of handling risk

Reducing risk, assigning risk or accepting risk

70

The implementation of safeguards and countermeasures.

Reducing risk or risk mitigation

71

Placing the cost of loss that a risk represents onto another entity or organization, such as an insurer.

Assigning risk or transferring risk

72

Management has evaluated the cost/benefit analysis of possible safeguards and has determined that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk.

Accepting risk

73

The amount of risk an organization would face if no safeguards were implemented.

Total risk

74

Risk that management has chosen to accept rather than mitigate

Residual risk

75

Controls that prevent unauthorized users from gaining access to resources.

Access Controls

76

The seven Access control types

Preventive, Detective, Corrective, Deterrent, Recovery, Directive, Compensation

77

Security concept of dividing work tasks among several individuals.

Separation of Duties

78

Users should be granted the minimum amount of access necessary for them to complete their required work.

Principle of Least Privilege

79

Six steps of a Risk Management Framework

Categorize, Select, Implement, Assess, Authorize and Monitor

80

Project scope and planning, Business impact assessment, Continuity planning, Approval and implementation

Business Continuity Planning Process

81

Individuals responsible for leading the BCP process determine which departments and individuals have a stake in the business continuity plan. This process is used for BCP team selection.

Business Organization Analysis

82

Leaders must exercise due diligence to ensure shareholders’ interests are protected.

Legal or regulatory requirements

83

Identification of priorities, Risk identification, Likelihood assessment, Impact assessment and Resource prioritization

Business Impact assessment process

84

BCP team determines which risks will be mitigated, Solutions to mitigate the risks are designed, The plan must then be approved by senior management, and Personnel must receive training for their roles

Continuity Strategy

85

Committing the plan to writing provides a written record of the procedures to follow when disaster strikes.

BCP Documentation

86

Protects society against acts that violate the basic principles we believe in. They are prosecuted by federal and state governments.

Criminal Law

87

Provides the framework for the transaction of business between people and organizations. They are brought to the court and argued by the two parties.

Civil Law

88

Used by government agencies to effectively carry out their day to day business.

Administrative Law

89

Computer Crime Law - Protects computers used by the government or in interstate commerce

Computer Fraud and Abuse Act (CFAA)

90

Computer Crime Law - Outlines steps the government must take to protect its own systems from attack

Computer Security Act (CSA)

91

Computer Crime Law - Further develops the federal government information security program. Maintaining the security and integrity of government information and systems falls on individual agency leaders.

Government Information Security Reform Act (GISRA)

92

Computer Crime Law - Requires that federal agencies implement an information security program that covers the agency's operations.

Federal Information Security Management Act (FISMA)

93

Protect original works of authorship, such as books, poems and songs.

Copyrights

94

Names, slogans and logos that identify a company, product or service

Trademarks

95

Provide protection to the creators of new inventions

Patents

96

Protects the operating secrets of an organization

Trade Secrets

97

Prohibits the circumvention of copyright protection mechanisms placed in digital media. It also limits the liability of Internet service providers for the activities of their users.

Digital Millennium Copyright Act (1998)

98

Provides penalties for individuals found guilty of the theft of trade secrets. Harsher penalties apply when the information will benefit a foreign government.

Economic Espionage Act (1996)

99

Software license agreement that is a written agreement between a software vendor and a user.

Contractual License agreements

100

Software license agreement that is written on software packaging and takes effect when a user opens the package.

Shrink-wrap agreements

101

Software license agreement that is included in a package but requires the user to accept the terms during the software installation process.

Click-wrap agreements

102

Provides a framework for the enforcement of shrink-wrap and click-wrap agreements by federal and state governments.

Uniform Computer Information Transactions Act

103

California's SB 1386 implemented the first statewide requirement to notify individuals of a breach of their personal information. All but three states eventually followed suit with similar laws. Currently, federal law only requires the notification of individuals when a HIPAA-covered entity breaches their protected health information.

Data Breach Requirements

104

Organizations may find themselves subject to a wide variety of laws and regulations imposed by regulatory agencies or contractual obligations, for example PCI DSS for the credit card industry.

Compliance

105

Security professionals should conduct reviews of the security controls put in place by vendors, both during the initial vendor selection and evaluation process, and as part of ongoing vendor governance reviews.

Contracting and Procurement