Domain 1: Security and Risk Management Flashcards

1
Q

What does the term annualized loss expectancy (ALE) mean as it relates to a risk management program?

A

The ALE is a dollar amount that estimates the loss potential from a risk in the span of one year. The ALE is calculated by multiplying the ARO (annual rate of occurrence) by the SLE (single loss expectancy).

For example, if the SLE = $100 and the ARO = 0.1, the ALE is $100 × 0.1 = $10. This value is used to figure out the amount of money that should be earmarked to protect this asset from this threat.

2
Q

What is copyright?

A

Copyright is a form of intellectual property that gives the creator of an original work exclusive rights for a certain time period in relation to that work, including its publication, distribution, and adaptation, after which time the work enters the public domain. Copyright applies to any expressible form of an idea or information that is substantive and discrete.

3
Q

Why should organizational assets be classified?

A

Classifying organizational assets ensures that they receive the appropriate level of protection, and classifications indicate the priority of that security protection.

The primary purpose of data classification is to indicate the level of confidentiality, integrity, and availability protection that is required for each type of data set.

Classifying data allows a company to organize it according to its sensitivity to loss, disclosure, or unavailability. Once data is segmented according to its sensitivity level, the company can decide what security controls are necessary to protect different types of data.

4
Q

Evidence can be categorized into several types. Among these are:

  • best evidence
  • secondary evidence
  • direct evidence
  • conclusive evidence
  • opinions
  • circumstantial evidence
  • hearsay evidence

Define opinion evidence.

A

When a witness testifies, the opinion rule dictates that she must testify to only the facts of the issue and not her opinion of the facts. This is slightly different from when an expert witness is used, because an expert is used primarily for his educated opinion. Most lawyers call in expert witnesses to testify and help the defending or prosecuting sides better understand the subject matter so that they can help the judge and jury better understand the matters of the case.

5
Q

What is maximum tolerable downtime (MTD)?

A

MTD is the longest outage time that can be endured by a company. The business impact analysis (BIA) identifies which of the company’s critical systems are needed for survival and estimates the outage time that can be tolerated by the company as a result of various unfortunate events.

Common MTD timeframes include the following:

  • Nonessential: 30 days
  • Normal: 7 days
  • Important: 72 hours
  • Urgent: 24 hours
  • Critical: Minutes to hours
6
Q

What are the four objectives of a disaster recovery plan (DRP)?

A

The objectives of the disaster recovery plan (DRP) usually include the following:

  • Protecting an organization from major computer services failure
  • Minimizing the risk to the organization from delays in providing services
  • Guaranteeing the reliability of standby systems through testing and simulation
  • Minimizing the decision making required by personnel during a disaster

The goal of disaster recovery is to minimize the effects of a disaster and take the necessary steps to ensure that the resources, personnel, and business processes resume operation in a timely manner.

7
Q

What are the three primary components of information security that make up the security triad?

A
  • Availability
  • Integrity
  • Confidentiality

These three components comprise the AIC triad. The level of security required to accomplish these principles differs per company, because each has its own unique combination of business and security goals and requirements. All security controls, mechanisms, and safeguards are implemented to provide one or more of these principles, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles.

8
Q

What occurs during the plan design and development phase of creating a business continuity plan (BCP)?

A

The team prepares and documents the detailed recovery plan, formulating methods to ensure systems and critical functions can be brought online quickly. They document procedures, recovery solutions, roles and tasks, and emergency responses.

9
Q

What is a trade secret?

A

A trade secret is a confidential design, practice, or method that is proprietary. For a trade secret to remain valid, the owner must take certain security precautions. Trade secrets are deemed proprietary to a company and often include information that provides a competitive edge. The information is protected as long as the owner takes the necessary protective actions.

10
Q

Evidence can be categorized into several types. Among these are:

  • best evidence
  • secondary evidence
  • direct evidence
  • conclusive evidence
  • opinions
  • circumstantial evidence
  • hearsay evidence

Please define conclusive evidence.

A

Conclusive evidence is introduced to prove a fact that is supposed to be so conclusive that there can be no other truth as to the matter—evidence so strong it overpowers contrary evidence, directing a fact-finder to a specific and certain conclusion. Conclusive evidence is irrefutable and cannot be contradicted. Conclusive evidence is strong and does not require corroboration.

11
Q

What are the roles in a data classification system that a person might take?

A
  • Data owner
  • Data custodian
  • Data user
  • Information systems auditor

The data owner is responsible for the protection of the data. The owner is typically a manager or executive in an organization and is responsible for the following:

  • Making the original classification determination
  • Reviewing the classification levels periodically
  • Delegating the responsibility of the data protection duties to the data custodian

The data custodian is the technical caretaker of the data. Duties include:

  • making backups
  • restoring data
  • implementing and maintaining countermeasures
  • administering the access controls.

The data user refers to anyone who uses the data. Users must use “due care” when accessing data. They must ensure that the data is used only in accordance with allowed policy and abide by the rules set for the classification of the data.

An information systems auditor is responsible for providing reports to senior management on the effectiveness of the security controls by conducting regular, independent audits.

12
Q

What is the difference between quantitative risk analysis and qualitative risk analysis?

A

Quantitative risk analysis attempts to assign monetary values to assets and the impact of given risks to arrive at a quantifiable dollar value for each risk.

Qualitative risk analysis addresses more intangible values of a data loss and focuses on measures other than the pure hard costs.

Qualitative analysis does not assign numbers and monetary values to components and losses. Quantitative risk analysis attempts to assign real and meaningful numbers to all elements of the risk analysis process. Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is quantified and entered into equations to determine total and residual risks. Qualitative methods walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures based on opinions.

13
Q

There are three primary options for backing up data to tape:

  • full
  • incremental
  • differential

Define the incremental backup option.

A

Incremental backup backs up all the files that have changed since the last full or incremental backup and sets the archive bit to 0. When the data needs to be restored, the full backup data is laid down and then each incremental backup is laid down on top of it in the proper order. If a company experiences a disaster and uses the incremental process, it first needs to restore the full backup on its hard drives and lay down every incremental backup that was carried out before the disaster took place. So, if the full backup was done six months ago and the operations department carried out an incremental backup each month, the restoration team would restore the full backup and start with the older incremental backups and restore each one of them until they were all restored.

14
Q

What constitutes qualitative criteria evaluated in the vulnerability assessment component of the business impact analysis (BIA)?

A

Qualitative loss criteria can consist of the following:

  • The loss of competitive advantage or market share
  • The loss of public confidence or credibility, or incurring public embarrassment
  • Employees unable to report to work due to damage to their personal assets (house, car, and so on)

Qualitative and quantitative impact information should be gathered and then properly analyzed and interpreted. The goal is to see exactly how a business will be affected by different threats. The effects can be financial, operational, or both.

15
Q

In the (ISC)2 model, what step follows after the business impact analysis (BIA)?

A

Creating a recovery strategy.

The recovery strategy is a process for how to rescue the company after a disaster takes place. Recovery strategy processes integrate mechanisms such as establishing alternate sites for facilities, implementing emergency response procedures, and possibly activating the preventive mechanisms that have already been implemented.

16
Q

According to the Internet Architecture Board’s (IAB) document “Ethics and the Internet” (RFC 1087), what activities are defined as unacceptable and unethical?

A

Any activity is defined as unacceptable and unethical that purposely:

  • Seeks to gain unauthorized access to the resources of the Internet
  • Disrupts the intended use of the Internet
  • Wastes resources (people, capacity, computer) through such actions
  • Destroys the integrity of computer-based information
  • Compromises the privacy of users
17
Q

A business continuity plan (BCP) needs to be part of all organizations’ security programs. Please describe a BCP and why it is important.

A

A BCP is a plan an organization develops to respond to unforeseen incidents, accidents, and disasters that can affect the normal operation of the organization’s critical functions. The critical processes of an organization need to be identified, protected, and redundant. The goal of a business continuity plan is to ensure that the organization can survive no matter what happens to it. The plan also involves dealing with customers, partners, and stakeholders through different channels until everything returns to normal.

18
Q

After a business continuity plan (BCP) is in place, the plan must be continually maintained for it to be effective. What is the best way to maintain a BCP?

A

One of the simplest and most cost-effective and process-efficient ways to keep a plan up-to-date is to incorporate it within the change management process of the organization. The change management process should be updated to incorporate fields and triggers that alert the BCP team when a significant change will occur and should provide a means to update the recovery documentation. The BCP should also be tested periodically to ensure it still meets the needs of a changing business and technology environment.

19
Q

Why is digital evidence commonly referred to as hearsay evidence?

A

It can be very difficult to determine if computer-generated material has been modified before it is presented in court. Since this type of evidence can be altered without being detected, the court cannot put a lot of weight on this evidence. Many times, computer-generated evidence is considered hearsay in that there is no firsthand proof backing it up.

20
Q

Evidence can be categorized into several types. Among these are:

  • best evidence
  • secondary evidence
  • direct evidence
  • conclusive evidence
  • opinions
  • circumstantial evidence
  • hearsay evidence

Define direct evidence and show how it differs from circumstantial evidence.

A

Direct evidence is testimony and other types of proof that expressly or straightforwardly prove the existence of a fact. It is different from circumstantial evidence, which is evidence that, without going directly to prove the existence of a fact, gives rise to a logical inference that such a fact does exist. Direct evidence is evidence which, if believed, proves the existence of the fact in issue without inference or presumption. It is evidence that comes from one who speaks directly of his own knowledge on the main or ultimate fact to be proved, or who saw or heard the factual matters that are the subject of the testimony.

21
Q

Extranets, VANs, and shared networks with external entities create what type of legal concern?

A

Downstream liability

Downstream liability can take place when companies that share network access, or other resources, with outside parties do not provide the necessary level of protection. If the company’s negligence affects the other company it is working with, the affected company can sue the upstream company.

22
Q

What is a BIA?

A

The business impact analysis (BIA) describes what impact a disaster could potentially have on critical business functions, as well as evaluating the threats to these functions and the costs of a potential outage. Conducting a BIA is a functional analysis in which a team collects data through interviews and documentary sources; documents business functions, activities, and transactions; develops a hierarchy of business functions; and finally applies a classification scheme to indicate each individual function’s criticality level.

23
Q

How does ISO 17799 relate to British Standard 7799?

A

ISO 17799 was derived from British Standard 7799 (BS7799). The most commonly used standard for security program development and maintenance is ISO 17799, which was derived from the de facto standard, BS7799. It is an internationally recognized information security management standard that provides high-level conceptual recommendations on enterprise security.

24
Q

What are three possible factors that determine the value of an asset?

A
  • Initial and ongoing cost of purchasing, licensing, and supporting the asset
  • Value to the organization’s production operations
  • Value in the external marketplace

The initial and ongoing cost of purchasing, licensing, and supporting the asset also includes the cost to acquire or develop the asset.

The asset’s value to the organization’s production operations is the determination of cost to an organization if the asset is not available for a certain period of time.

The asset’s value as established in the external marketplace includes the value the asset might have to competitors or what others are willing to pay for a given asset.

25
Q

You can categorize evidence by several types. These categories basically determine the strength and usability of a particular piece of evidence. Name all 7 types of evidence.

A
  • Best evidence
  • Secondary evidence
  • Direct evidence
  • Conclusive evidence
  • Opinions
  • Circumstantial evidence
  • Hearsay evidence
26
Q

Name at least five areas of critical business functionality that must be taken into account when developing a business continuity plan.

A

The development of a business continuity plan should include all areas that are critical for running the business, which could include (but is not limited to) the following:

  • Networks and computer equipment
  • Voice and data communications resources
  • Human resources and personnel security issues
  • Transportation of equipment and personnel
  • Environment issues (such as HVAC)
  • Data, software, and applications
  • Supplies (paper, forms, cabling, and so on)
  • Documentation and media

The organization’s current technical environment must be understood. This means the planners have to know the intimate details of the network, communications technologies, computers, network equipment, and software requirements that are necessary to get the critical functions up and running.

27
Q

One common technique that disrupts access to computer systems is the denial-of-service (DoS) attack. Describe DoS.

A

Denial of service (DoS) is the act of using so much of the resources of a target system that the system’s services are no longer available to other clients. An example of a DoS attack is flooding a website with so many requests that either the bandwidth is consumed or the maximum number of connections is reached. DoS attacks are commonly initiated through the use of botnets: an army of compromised PCs controlled by the attacker to launch the attack.

28
Q

Evidence can be categorized as to how good or useful it will be as a tool in a criminal prosecution. What would be considered best evidence?

A

Best evidence is the primary evidence used in a trial because it provides the most reliability. An example of something that would be categorized as best evidence is an original signed contract. Oral evidence is not considered best evidence because there is no reliable proof that supports its validity, and it therefore does not have as good a standing as legal documents.

29
Q

The Computer Ethics Institute has developed a “Ten Commandments of Computer Ethics.” Name the ten commandments.

A
  1. Thou shalt not use a computer to harm other people.
  2. Thou shalt not interfere with other people’s computer work.
  3. Thou shalt not snoop around in other people’s computer files.
  4. Thou shalt not use a computer to steal.
  5. Thou shalt not use a computer to bear false witness.
  6. Thou shalt not copy or use proprietary software for which you have not paid.
  7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
  8. Thou shalt not appropriate other people’s intellectual output.
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
  10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
30
Q

If a computer crime is investigated by law enforcement agents, what should be done to ensure that the evidence that is confiscated does not hurt the company’s production activities and productivity?

A

Critical systems and data should be identified and a request should be made to copy all data for future use. Backup copies will not be acceptable to the agents for investigation. In most cases, law enforcement agents will work with a company that reported a computer crime so that the investigation does not negatively affect the company.

31
Q

What constitutes quantitative criteria evaluated in the vulnerability assessment component of the business impact analysis (BIA)?

A

Quantitative loss criteria can consist of the following:

  • Financial losses from loss of revenue, capital expenditure, or personal liability resolution
  • Additional operational expenses due to the disruptive event
  • Expenses due to loss of specific number of buildings, equipment, or other assets
  • Financial loss from resolution of violation of regulatory or compliance requirements

Qualitative and quantitative impact information should be gathered and then properly analyzed and interpreted. The goal is to see exactly how a business will be affected by different threats. The effects can be financial, operational, or both.

32
Q

What are the seven prescribed steps to develop a business continuity plan?

A
  1. Develop the continuity planning policy statement.
  2. Conduct the business impact analysis (BIA).
  3. Identify preventive controls.
  4. Develop recovery strategies.
  5. Develop the contingency plan.
  6. Test the plan and conduct training and exercises.
  7. Maintain the plan.

Develop the continuity planning policy statement. Write a policy that provides the guidance necessary to develop a BCP and that assigns authority to the necessary roles to carry out their tasks.

Conduct the business impact analysis (BIA). Identify critical functions and systems and allow the organization to prioritize them based on necessity. Identify vulnerabilities and threats, and calculate risks.

Identify preventive controls. After threats are recognized, identify and implement controls and countermeasures to reduce the organization’s risk level in an economical manner.

Develop recovery strategies. Formulate methods to ensure systems and critical functions can be brought back to normal or near normal condition quickly.

Develop the contingency plan. Write procedures and guidelines for how the organization can stay functional in a crippled state.

Test the plan and conduct training and exercises. Test the plan to identify deficiencies in the BCP and conduct training to properly prepare individuals on their expected tasks.

Maintain the plan. Put in place steps to ensure the BCP is a living document that is updated regularly.

33
Q

Software and data backup are important operations. Backups enable you to recover data when the systems that normally house the data have been destroyed or otherwise made unavailable. Please name the three most common types of data backup.

A
  • Full backup
  • Incremental backup
  • Differential backup

Full backup is just what it sounds like; all data is backed up and saved to some type of storage media. During a full backup, the archive bit is clear, which means that it is set to 0.

Incremental backup backs up all the files that have changed since the last full or incremental backup and sets the archive bit to 0. When the data needs to be restored, the full backup data is laid down and then each incremental backup is laid down on top of it in the proper order.

Differential backup backs up the files that have been modified since the last full backup. When the data needs to be restored, the full backup is laid down first and then the differential backup is put down on top of it. The differential process does not change the archive bit value.

34
Q

At times, classified information might be released as authorized. What are instances in which this might occur?

A
  • Management approval: The data owner with appropriate authorizations might approve the release if deemed necessary to carry out approved organizational tasks.
  • Contractual requirement: The release of classified data might be required pursuant to a signed contract.
  • Court order: Classified information might be released to satisfy a court order.
  • Modification in requirements: Data no longer holds the level of protection required in the past.

Data can change in its level of protection requirements based on organizational decisions. It is important to periodically review the classification of data and other organizational assets. The classification level may need to increase or decrease depending upon organizational needs or circumstances. For example, if a government agency classifies a data set as Secret and then the information is announced on a TV news station, it no longer needs to be protected at that level of protection—it has been released and is now Unclassified.

35
Q

With respect to a risk management program, what is the single loss expectancy (SLE)?

A

Single loss expectancy (SLE) is a dollar amount assigned to a single occurrence of an event that represents the company’s potential loss amount if a specific threat were to take place. The SLE is calculated by multiplying the EF times the asset value. For example, an asset valued at $1,000 that has an EF of 10 percent would have an SLE of $1,000 × 10 percent = $100.

36
Q

After a business continuity plan (BCP) is developed and implemented, it is important to test it on a regular basis. Name at least three different types of drills or exercises that can be used.

A
  • Checklist
  • Structured walk-through
  • Simulation testing
  • Parallel testing
  • Full-interruption testing

A checklist is usually a paper-based review of the steps in the BCP by management. In this type of test, copies of the BCP are distributed to the different departments and functional areas for review. This is done so each functional manager can review the plan and indicate if anything has been left out or if some approaches should be modified or deleted.

A structured walk-through is a walk-through of the steps of the BCP that introduces disruptive events in an exercise format where key business management discusses the steps taken to remediate the disruption.

A simulation is a test that takes a lot more planning and people. In this situation, all employees who participate in operational and support functions, or their representatives, come together to practice executing the disaster recovery plan based on a specific scenario. The scenario tests the reaction of each operational and support representative. Again, this is done to ensure specific steps were not left out and certain threats were not overlooked. It acts as a catalyst to raise the awareness of the people involved.

A parallel test is done to ensure that the specific systems can actually perform adequately at the alternative offsite facility. Some systems are moved to the alternative site and processing takes place. The results are compared with the regular processing that is done at the original site. This test points out any necessary tweaking, reconfiguring, or steps that need to take place.

Full-interruption testing is the most intrusive to regular operations and business productivity. The original site is actually shut down and processing takes place at the alternative site. The recovery team fulfills its obligations in preparing the systems and environment for the alternative site. All processing is done only on devices at the alternative offsite facility.

37
Q

What is a patent?

A

A patent grants the owner a legally enforceable right to exclude others from practicing or using the invention’s design for a defined period of time.

38
Q

One technique an attacker might use that does not involve a direct attack on a computer system is social engineering. Define social engineering.

A

Social engineering is much like an old-fashioned con game, in that the attacker uses the art of manipulation to trick a victim into providing private information or improper access. Social engineering predates the computer era. Today it uses many techniques, including phishing emails and website links to get a user to reveal personal or corporate data.

39
Q

A type of attack a person might employ to collect information that does not involve compromising a computer system directly is dumpster diving. What is dumpster diving?

A

Dumpster diving involves searching discarded material (trash) for items with important information (documents, CDs, and such). Although not technically a computer crime, dumpster diving can provide the data required to complete a computer crime.

40
Q

One way an attacker can gain access to sensitive information is through the use of keystroke logging. What is keystroke logging?

A

Keystroke logging is an attack that is accomplished with software or hardware devices. These devices or software components can record everything a person types, including usernames, passwords, and account information. The hardware version of these devices is usually installed while users are away from their desks. Hardware keystroke loggers are completely undetectable except for their physical presence. Software versions use programming to hook into kernel-level processes to record keyboard-specific data.

41
Q

An attack in which attackers try to fool a person or system into believing they are something they are not is referred to as spoofing. List some common spoofing techniques.

A

There are several techniques for spoofing:

  • Internet Protocol (IP) address spoofing
  • Domain Name System (DNS) spoofing
  • Address Resolution Protocol (ARP) spoofing

The term “IP address spoofing” refers to the creation of IP packets with a forged (spoofed) source IP address for the purpose of concealing the identity of the sender or impersonating another computing system.

DNS spoofing is the act of returning the wrong IP address as the result of a DNS query.

ARP spoofing is the act of returning an incorrect MAC address in response to an ARP request.

42
Q

What is the relationship between a damage assessment and an activation phase?

A

The damage assessment determines what phase, if any, of the business continuity plan (BCP) needs to be activated. After a disaster, the coordinator or another identified leader must carry out a damage assessment so the team can know which phase to go into next. If the damage is extreme and threatens the survivability of the company, then it goes into the first phases of the BCP. If the event was smaller and mainly IT related, the team moves into the DRP phases.

The damage assessment will indicate what phase to activate, which is formally called the activation phase. After this information is collected and assessed, it will also indicate what teams need to be called to action and whether the BCP actually needs to be activated.

43
Q

If there is proof that damage was caused and that the damage was a company’s fault, what does this indicate?

A

Proximate causation. If proximate causation is proved, then a company may be found liable. Conversely, for a company to be found liable, proximate causation must be proven. This means that it can be proven that the company was actually at fault and responsible for a negative activity that took place.

44
Q

Many things can be lost during a disaster. What is the most devastating resource to production if lost?

A

Data loss needs to be addressed as a top priority. Today data and information are considered gold to many companies, the loss of which could be devastating. Although this may seem insensitive and one would guess the loss of human life to be the most devastating, a company’s survival is dependent upon critical processes that need to continue. Once the processes are implemented, it is the data that must be restored to ensure that the business functions can continue.

45
Q

What is the definition of authentication within information security management?

A

Authentication is a process to verify the identity of a subject requesting the use of a system and access to network resources. Combined with identification and authorization, authentication is one of the three steps necessary for granting a subject access to an object.

46
Q

To understand the “whys” in crime, it is necessary to understand the MOM. What does MOM stand for?

A

MOM stands for motive, opportunity, and means.

Motive is the “who” and “why” of a crime. A person might be driven by the excitement, challenge, and adrenaline of committing a crime. Understanding the motive for a crime is an important piece in figuring out who would engage in such an activity.

Opportunity is the “where” and “when” of a crime. Opportunities usually arise when certain vulnerabilities or weaknesses are present. Here’s an example of opportunity: If a company does not have a firewall, hackers and attackers have all types of opportunities within that network.

Means pertains to the abilities a criminal would need to be successful. Suppose a crime fighter was asked to investigate a complex embezzlement that took place within a financial institution. If the suspects were three people who knew how to use a mouse, keyboard, and word processing application, but only one of them was a programmer and system analyst, the crime fighter would realize that this person might have the means to commit this crime much more successfully than the other two individuals.

47
Q

What is risk analysis (RA)?

A

A risk analysis identifies assets, discovers the threats that put them at risk, and estimates the possible damage and potential loss a company could endure if any of these threats becomes real. The results of the risk analysis help management construct a budget with the necessary funds to protect the recognized assets from their identified threats and develop applicable security policies that provide direction for security activities.

48
Q

With respect to a risk management program, what is a safeguard?

A

A safeguard is a software configuration, hardware device, or procedure that eliminates a vulnerability or reduces the risk of a threat agent exploiting a vulnerability. Safeguards are also called countermeasures or security controls.

49
Q

Describe the two BS7799 parts and contrast them.

A

The British Standard has two parts:

  • BS7799 Part I, which outlines control objectives and a range of controls that can be used to meet those objectives
  • BS7799 Part II, which outlines how a security program can be set up and maintained.

BS7799 Part II also served as a baseline that organizations could be certified against. An organization would choose to be certified against the ISO 17799 standard to provide confidence to their customer base and partners and be used as a marketing tool. To become certified, an authorized third party would evaluate the organization against the requirements in ISO 17799 Part II. The organization could be certified against all of ISO 17799 Part II or just a portion of the standard.

50
Q

With respect to due diligence, list at least five procedures managers of an organization should implement.

A

  • Means to prevent the organization’s computer resources from being used as a source of attack on another organization’s computer system
  • Backups
  • Scans for malicious code
  • Business continuity and disaster recovery plans
  • Local and remote access control
  • Elimination of unauthorized and unsecured modems
  • Organizational security policies, procedures, and guidelines
  • Personnel screening procedure
51
Q

To be admissible, evidence must be sufficient, reliable, and relevant to the case at hand. What does it mean for evidence to be relevant?

A

For evidence to be relevant, it must have a reasonable and sensible relationship to the findings.

The evidence is related to the crime in that it shows that the crime has been committed; it can provide information describing the crime; it can provide information as to the perpetrator’s motives; it can verify what had occurred; and it can fix the crime’s time of occurrence. For example, if a judge rules that a person’s past traffic tickets cannot be brought up in a murder trial, this means the judge has ruled that the traffic tickets are not relevant to the case at hand. Thus, the prosecuting lawyer cannot even mention them in court.

52
Q

What is the goal of awareness and training with respect to the BCP?

A

Training users and making them aware of BCP procedures helps to make sure all employees know what to do and how to do it in case of an emergency. Employees assigned to specific tasks must be trained to carry out needed procedures. Plan for cross-training of teams if possible, so those team members are familiar with a variety of recovery roles and responsibilities.

53
Q

What is the definition of ARO (annualized rate of occurrence)?

A

The ARO is a number that represents the estimated possibility of a specific threat taking place within a one-year timeframe. For example, a lightning strike that might occur in a given location once a year would have an ARO of 1 year × 1 event = 1. An area where lightning strikes occur only once every 10 years would have an ARO of 0.1.

54
Q

When understanding the potential business impact of an outage by conducting a business impact analysis (BIA), the company’s team should try to reduce this impact and mitigate these risks by implementing preventive measures. List at least 8 types of preventive measures that can be taken.

A
Preventive mechanisms might include some of the following components:

  • Fortification of the facility in its construction materials
  • Redundant servers and communications links
  • Power lines coming in through different transformers
  • Redundant vendor support
  • Purchasing of insurance
  • Purchasing of UPSs and generators with fuel backup
  • Data backup technologies
  • Media protection safeguards
  • Increased inventory of critical equipment
  • Fire detection and suppression systems
  • Preparing and testing a calling tree
  • Awareness training
  • Performing various types of tests to identify additional vulnerabilities

Instead of just waiting for a disaster to hit to see how the company holds up, countermeasures should be integrated to better fortify the company against the impacts that were recognized. Appropriate and cost-effective preventive methods and proactive measures are preferable to reactionary methods. Which types of preventive mechanisms need to be put in place depends upon the results of the BIA.

55
Q

A part of the evidence lifecycle is proper preservation of evidence. What are some recommended procedures for preserving evidence?

A

To be properly preserved, the evidence must not be subject to damage or destruction. To preserve evidence, it is recommended that one:

  • Does not prematurely remove power.
  • Backs up the hard disk image using disk imaging hardware or software.
  • Avoids placing magnetic media in the proximity of sources of magnetic fields.
  • Stores media in a dust- and smoke-free environment at proper temperature and humidity.
  • Write-protects media.
  • Authenticates the file system by creating a digital signature based on the contents of a file or disk sector.

Preserving the original evidence also prevents inadvertent alteration of original evidence during examination.

56
Q

Although illegal in the United States without approval from a judge (in most cases), wiretapping is used both legally and illegally. Define wiretapping.

A

Wiretapping is the monitoring of telephone and Internet conversations by a third party, often by covert means. The wiretap is so named because, historically, the monitoring connection was applied to the wires of the telephone line being monitored and drew off, or tapped, a small amount of the electrical signal carrying the conversation. Wiretapping is illegal in the United States without a court order. Legalized wiretapping by police or other recognized governmental authority is otherwise known as lawful interception.

57
Q

There are different plans that should be developed for business continuity and disaster recovery. Describe business resumption and continuity of operations plans individually.

A

The business resumption plan focuses on how to re-create the necessary business processes that need to be reestablished instead of focusing on just IT components.

The continuity of operations plan (COOP) establishes senior management and a headquarters after a disaster. The business resumption plan is process-oriented instead of procedural-oriented. The continuity of operations plan (COOP) outlines the roles, authorities, orders of succession, and individual tasks.

58
Q

With respect to the business continuity plan (BCP), what is the difference between salvage and recovery?

A

In a salvage effort, an organization attempts to collect resources that can still be used post-disaster.

In a recovery operation, the focus is on moving services or functions to an alternative location to restore a business process.

Salvage efforts can include the following:

  • Irreplaceable items and related documentation
  • Vital information such as employee and accounting records, succession lists, inventories, and data
  • Other items that directly support your mission
  • Items that are unique, most used, most vital for research, most representative of subject areas, and least replaceable or most valuable
  • Items most prone to continued damage
59
Q

There are three primary options for backing up data to tape:

  • full
  • incremental
  • differential

Define the full backup option.

A

A full backup option is just what it sounds like: all data is backed up and saved to some type of storage media. During a full backup, the archive bit is clear, which means that it is set to 0. A company can choose to do full backups only, in which case the restoration process is just one step, but the backup and restore processes could take a long time.

60
Q

If an employee is a suspect in a crime, what group within the organization must be involved?

A

It is imperative that the company gets human resources involved if an employee is considered a suspect in a computer crime.

The human resources department knows the laws and regulations pertaining to employee treatment and can work to protect the employee and the company at the same time.

61
Q

What are the four methods for addressing a risk?

A
  • Risk reduction
  • Risk transference
  • Risk acceptance
  • Risk avoidance

Risk reduction involves modifying processes or altering an environment to reduce the risk, or implementing safeguards and security controls to mitigate the risk to an acceptable level.

Risk transference involves assigning or transferring the potential impact of a potential loss to another party (such as an insurance company).

Risk acceptance refers to accepting the risk as it is without attempting to reduce it, with the intent of simply absorbing the loss if there is impact to an asset.

Risk avoidance entails eliminating the vulnerability (application, system, process, technology, etc.) or otherwise discontinuing the activity that is causing the risk.

62
Q

How does an organization determine what safeguards or controls to implement when using quantitative risk analysis?

A

When the risk analysis has been completed and the ALE has been computed, the organization must determine the cost of implementing appropriate controls (purchase cost, installation costs, maintenance, and development). The ALE then needs to be computed again given the new control. If the new ALE is less than the old ALE plus the costs of the control, the control is worth implementing from a pure dollar assessment.

63
Q

In the context of information security, what is a control?

A

Controls are security features that control how users and systems communicate and interact with other systems and resources.

They protect the systems and resources from unauthorized access and can be components that participate in determining the level of authorization after an authentication procedure has successfully completed. The following controls are examples of the three categories of controls as they pertain to information security to achieve management’s security directives:

Administrative controls: These include the developing and publishing of policies, standards, procedures, and guidelines; risk management; the screening of personnel; conducting security awareness training; and implementing change control procedures.

Technical controls (also called logical controls): These consist of implementing and maintaining access control mechanisms; password and resource management, identification and authentication methods; security devices; and the configuration of the infrastructure.

Physical controls: These entail controlling individual access into the facility and different departments; locking systems and removing unnecessary floppy or CD-ROM drives; protecting the perimeter of the facility; monitoring for intrusion; and environmental controls.

64
Q

When performing a risk assessment, what is the exposure factor (EF)?

A

Exposure factor is the percentage of loss a realized threat can have on a certain asset. EF is a subjective value used to assign an impact on an asset for risk assessment purposes. For example, a threat that makes FTP unavailable on a given server might be assessed an exposure factor of 15 percent. The EF value is used in calculating the SLE: asset value × exposure factor (EF) = SLE.

65
Q

One option for a backup site is to have a reciprocal agreement for recovery site facilities. What are the disadvantages of a reciprocal agreement for backup sites?

A

Disasters are difficult to predict, let alone the effects that will take place after the disaster. The effects of a disruptive event might impact the partner as well.

Additionally, the agreements are difficult to enforce. Reciprocal agreements have been known to work well in specific businesses, such as newspaper printing. These businesses require specific technology and equipment that isn’t available through any subscription service. These agreements follow a “you scratch my back and I’ll scratch yours” mentality. For most other organizations, they are generally, at best, a secondary option for disaster protection.

66
Q

What are the four areas that must be assessed to determine risk in a risk management program?

A
  • Threat
  • Risk
  • Frequency
  • Certainty

The identification of risk to an organization entails defining four basic elements: threat, risk, frequency, and certainty. Team members must ask the following:

  • What event could occur? (threat)
  • What could be the potential impact? (risk)
  • How often could it happen? (frequency)
  • What level of confidence do we have in the answers to the first three questions? (certainty)

Much of this information is gathered through internal surveys, interviews, or workshops.

67
Q

What is the level of involvement of senior management in security policies?

A

The senior and executive management in an organization sets the overall organizational emphasis on security. It must be clear to employees that directives come from senior management and that the entire management staff supports the security policies.

Computers and the information processed on them usually have a direct relationship with a company’s critical missions and objectives. Because of this level of importance, senior management should make protecting these items a high priority and provide the necessary support, funds, time, and resources to ensure that systems, networks, and information are protected in the most logical and cost-effective manner possible.

68
Q

Define software piracy.

A

Software piracy is a copyright infringement that involves the unauthorized copying of computer software.

Copyright infringement of this kind is extremely common in several parts of the world. Most countries have copyright laws that apply to software, but they are better enforced in some countries than others. In the United States, copyright law protects the right of an author to control the public distribution, reproduction, display, and adaptation of his original work.

69
Q

As part of a business impact analysis (BIA) an organization might need to conduct a vulnerability assessment. How does a vulnerability assessment contribute to the BIA?

A

Conducting a vulnerability assessment enables the BIA team to identify the types and severity of vulnerabilities present for a given asset, which can then be used to determine the overall risk to that asset.

A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system or environment. The business impact analysis (BIA) seeks to identify the potential impact of given events on business functions.

70
Q

Within the scope of information security and risk management, what does the term accountability mean?

A

Accountability is a security principle indicating that individuals need to be identifiable and must be held responsible for their actions.

Accountability provides the capability to attribute any action on a given system back to the source that initiated that action. Audit trails, logs, and physical security devices like closed-circuit television (CCTV) support accountability.

71
Q

What is the prudent person rule?

A

The prudent man rule “requires officers to perform duties with diligence and care that ordinary, prudent people would exercise under similar circumstances.”

Management has the obligation to protect the organization from losses due to natural disasters, malicious code, compromise of proprietary information, and damage to reputation, violation of the law, employee privacy suits, and stockholder suits. Management must follow the prudent man rule, and officers of an organization must exercise due care or reasonable care to carry out their responsibilities to the organization.

72
Q

Evidence has its own lifecycle, and the individuals involved with the investigation need to understand the phases of the lifecycle and properly follow them. What are the five phases in an evidence lifecycle?

A
  • Collection
  • Identification
  • Storage
  • Preservation and/or transportation
  • Presentation in court
  • Return to owner

Collection involves the following:

  • Collect all relevant storage media
  • Make an image of the hard disk before removing power
  • Print out the screen
  • Avoid degaussing equipment

Identification involves tagging and marking all evidence. Storage in a proper environment protects media from erasure or damage.
73
Q

When developing a disaster recovery plan (DRP), you might need to include plans for a recovery site. What options are available when considering a plan for an alternative or backup site?

A

Many options are available to planners, and they vary in cost, reliability, and effectiveness. These options include the following:

  • A reciprocal agreement where a business enters into a cooperative arrangement with another business to leverage existing excess capacity to support the other’s operations in an emergency
  • Hot, warm, or cold sites
  • Multiple service locations
  • Hosted services
74
Q

What three specific types of sites are available for use as backup or recovery sites?

A
  • Cold site
  • Warm site
  • Hot site

Cold site: An empty room with only rudimentary electrical power and computing capability. It might have a raised floor and some racks, but it is not ready for use. It might take several weeks to get the site operational.

Warm site: An improvement over a cold site; this facility has data equipment and cables and is partially configured. It could be made operational in anywhere from a few hours to a few days.

Hot site: This facility is ready to go. It is fully configured and equipped with the same system as the production network. Although it is capable of taking over operations at a moment’s notice, it is the most expensive option discussed.

75
Q

Information security policies generally fall into one of three categories. Define the types of policies found in a security plan.

A
  • Advisory: Strongly advises employees as to which types of behaviors and activities should and should not take place within the organization
  • Informative: Informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company
  • Regulatory: Ensures that the organization is following standards set by specific industry regulations or legislative requirements. It is detailed and specific to a type of industry.

A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. It is through these policies that security programs can be set up with a strong foundation and an organized method of response to security issues, as well as expectations for personnel within the organization as to who is in charge during certain kinds of incidents.

Different types of security policies can be implemented in an organization. These policies can be adapted to fit the specific needs of their environment.

76
Q

What is a failure modes and effects analysis?

A

Failure Modes and Effects Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and its effects through a structured process. The application of this process to a chronic failure enables the determination of where exactly the failure is most likely to occur. This is very helpful in pinpointing where a vulnerability exists, as well as determining exactly what kind of scope the vulnerability entails—meaning, what would be the secondary ramifications of its exploitation?

77
Q

List at least six criteria parameters an organization may use to determine the sensitivity of data once they have settled on a classification scheme.

A
  • The age of data
  • The level of damage that could be caused if the data were disclosed
  • The level of damage that could be caused if the data were modified or corrupted
  • Legal, regulatory, or contractual responsibility to protect the data
  • Effects the data has on national security
  • Who should be able to access the data
  • Who should maintain the data
  • Where the data should be kept
  • Who should be able to reproduce the data
  • Which data requires labels and special marking
  • The usefulness of the data
  • Whether encryption is required for the data
  • Whether separation of duties is required
  • Lost opportunity costs that could be incurred if the data were not available or were corrupted

Once the classification scheme is decided upon, the company or government agency must develop the criteria it will use to decide what information goes into which classification.

78
Q

Today many types of computer crimes occur, and the list is continually expanding as new exploits are discovered. List as many types of computer crimes as you can.

A

The most common types of computer crimes today include:

  • Denial of service
  • Password theft
  • Network intrusion
  • Wiretapping
  • Social engineering
  • Illegal content
  • Fraud
  • Dumpster diving
  • Software piracy
  • Malicious code
  • Spoofing attacks
  • Information warfare
  • Masquerading
  • Keystroke logging
  • Man-in-the-middle
  • War driving
  • Shoulder surfing
  • Identity theft
  • Phishing
  • Spam
  • Hacking
79
Q

When conducting an investigation, care must be taken in many aspects of your work to make a solid legal case against anyone accused of a crime. One aspect that is essential is the chain of custody of evidence. Please describe the chain of custody.

A

A chain of custody is a history that shows how evidence was collected, analyzed, transported, and preserved in order to be presented as evidence in court. Because electronic evidence can be easily modified, a clearly defined chain of custody demonstrates that the evidence is trustworthy.

80
Q

There are many phases to business continuity and disaster recovery planning. Describe the reconstitution phase.

A

When a company needs to move back into its original site or a new site after a disaster, the company is ready to enter the reconstitution phase. The company is always vulnerable while operating in a backup facility, and is not out of an emergency state until it is back in operation at the original primary site or a new site that was constructed to replace the primary site. Many logistical issues need to be considered when deciding when a company should return from the alternate site to the original site.

81
Q

What does the term authorization mean as it pertains to security management?

A

Authorization is the granting of access to a given object when a subject has been properly identified and authenticated.

Authorization is also the collection of rights and privileges an entity (user or process) has on a given system.

82
Q

In conducting a business impact analysis (BIA), there are eight basic steps. Name the steps in a BIA.

A
  • Select individuals to interview for data gathering.
  • Create data-gathering techniques (surveys, questionnaires, and so on).
  • Identify the company’s critical business functions.
  • Identify the resources these functions depend upon.
  • Calculate how long these functions can survive without these resources.
  • Identify vulnerabilities and threats to these functions.
  • Calculate the risk for each different business function.
  • Document findings and report them to management.
83
Q

What is security governance?

A

Security governance is the set of responsibilities and practices exercised by the board and executive management of a company or organization with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly.

Security governance is all of the tools, personnel, and business processes necessary to ensure that the security implemented meets the organization’s specific needs. It requires organizational structure, roles and responsibilities, performance measurement, defined tasks, and oversight mechanisms.

84
Q

Define due diligence.

A

Due diligence means that the company properly investigated all its possible weaknesses and vulnerabilities.

With respect to due diligence, managers should implement the following procedures:

  • Means to prevent the organization’s computer resources from being used as a source of attack on another organization’s computer system
  • Backups
  • Scans for malicious code
  • Business continuity and disaster recovery plans
  • Local and remote access control
  • Elimination of unauthorized and unsecured modems
  • Organizational security policies, procedures, and guidelines
  • Personnel screening procedure
85
Q

How does a disaster recovery plan (DRP) differ from a business continuity plan (BCP)? Describe a DRP and how it differs from a BCP.

A

A disaster recovery plan (DRP) is carried out when everything is still in emergency mode and everyone is scrambling to get all critical systems back online.

Continuity planning provides methods and procedures for dealing with longer-term outages and disasters and is information technology (IT) focused.

The goal of disaster recovery is to minimize the effects of a disaster and take the necessary steps to ensure that the resources, personnel, and business processes can resume operation in a timely manner. This is different from continuity planning, which provides methods and procedures for dealing with longer-term outages and disasters.

86
Q

There are three primary options for backing up data to tape:

  • full
  • incremental
  • differential

Define the differential backup option.

A

A differential backup operation backs up only every modified data element since the last time a full backup was completed. This means that if full backups are done every Sunday and differential backups are done nightly, a file modified on Monday will be backed up every day of the week until the next full backup (the following Sunday).

87
Q

With respect to a risk management program, what is a vulnerability?

A

A vulnerability is the existence of a flaw or condition that can be exploited in the absence or weakness of sufficient security controls.

88
Q

How does the government’s classification of information differ from that of private-sector businesses?

A

Military organizations are more concerned than most private-sector businesses about not disclosing confidential information. Government classifications, which range from unclassified to top-secret, are determined according to the sensitivity of the data and its potential to damage national security were it to become public.

Private-sector businesses are usually more interested in the integrity and availability of data. These different perspectives affect data classification.

The following are government classifications:

  • Unclassified: Designated as neither sensitive nor classified.
  • Sensitive but Unclassified (SBU): Designated organizationally important but might not create serious damage if disclosed. Answers to tests are an example of this kind of information. Health care information is another example of SBU data.
  • Confidential: Designated to be of a confidential nature. The unauthorized disclosure of this information could cause some damage to the country’s national security.
  • Secret: Designated to be of a secret nature. The unauthorized disclosure of this information could cause serious damage to the country’s national security.
  • Top Secret: The highest level of information classification in most governments. The unauthorized disclosure of Top Secret information can cause damage to the country’s national security.

A commonly used classification set employed in the commercial sector is:

  • For official use only: Financially sensitive
  • Proprietary: Protects competitive edge
  • Privileged: Ensures conformance with business standards and laws
  • Private: Contains records about individuals
89
Q

Although many different groups and individuals might have a part in the development of a business continuity plan (BCP), who is ultimately responsible for all phases of the BCP?

A

Senior management has the ultimate responsibility for all phases of the plan.

Senior management is responsible not only for initiation of the plan process, but also monitoring and management of the plan during testing, supervision, and execution of the plan during a disruptive event. Executives might be held responsible and liable under various laws and regulations. They could be sued by stockholders and customers if they do not practice due diligence and due care and fulfill all of their responsibilities when it comes to disaster recovery and business continuity.

90
Q

What is CobiT?

A

The Control Objectives for Information and related Technology (CobiT) is a framework developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).

It defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs.

CobiT is broken down into four domains:

  • Plan and Organize
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate.
91
Q

To successfully prosecute a case against an employee or intruder, you must maintain the admissibility of evidence that has been collected. What requirements must evidence meet to be admissible?

A

To be admissible, evidence must be:

  • relevant
  • legally permissible
  • reliable
  • properly identified
  • properly preserved

The foundation of admissibility is based on the following items:

  • Procedures for collecting and maintaining evidence
  • Proof of how errors were avoided
  • Identification of custodian and skill set
  • Reasonable explanations for why certain actions were taken and certain procedures bypassed
92
Q

What is the primary purpose of risk management?

A

The primary purpose of risk management is to identify, assess, and reduce risk to an acceptable level, and to implement the right mechanisms to maintain that level of risk.

Threats must be identified, classified by category, and evaluated to calculate their damage potential to the company. Real risk is hard to measure, but prioritizing the potential risks in order of which ones must be addressed first is possible.

93
Q

With respect to a risk management program, what does the term threat mean?

A

A threat is any potential danger that a vulnerability will be exploited to compromise one of the security triad components (availability, integrity, confidentiality) resulting in an impact to an asset.

94
Q

Name at least five factors that can cause a business continuity plan to become outdated.

A

  • The business continuity process is not integrated into the change management process.
  • Infrastructure and environment changes occur.
  • Reorganization of the company, layoffs, or mergers occur.
  • Changes in hardware, software, and applications occur.
  • After the plan is constructed, people feel their job is done.
  • Personnel turnover occurs.
  • Large plans take a lot of work to maintain.
  • These plans do not have a direct line to profitability.
95
Q

As it pertains to security management, what does the term identification mean?

A

Identification is the first step of the authentication process, which requires a subject to provide some type of data to an authentication service to verify the subject’s identity.

For example, an ID card is a form of identification. Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be. Identification can be provided with the use of a username or account number. To be properly authenticated, the subject is usually required to provide a second piece to the credential set. This piece could be a password, passphrase, cryptographic key, personal identification number (PIN), anatomical attribute, or token. These two credential items are compared to information that has been previously stored for this subject. If these credentials match the stored information, the subject is authenticated.

96
Q

What are the three categories of controls as they pertain to information security?

A
  • Administrative
  • Technical
  • Physical

Administrative controls include:

  • Developing and publishing of policies, standards, procedures, and guidelines
  • Risk management
  • Screening of personnel
  • Conducting security awareness training
  • Implementing change control procedures.

Technical controls (also called logical controls) consist of:

  • Implementing and maintaining access control mechanisms
  • Password and resource management, identification and authentication methods
  • Security devices
  • Configuration of the infrastructure

Physical controls entail:

  • Controlling individual access into the facility and different departments
  • Locking systems and removing unnecessary floppy or CD-ROM drives
  • Protecting the perimeter of the facility
  • Monitoring for intrusion
  • Environmental controls.
97
Q

Throughout the world, legal systems take many different forms. List at least three of the major legal systems in use worldwide.

A

Major legal systems in use worldwide include civil (code) law, common law, customary law, and religious law.

Civil (code) law evolved in Europe and is based on a comprehensive system of written rules of law. Civil law is rule-based law, not precedent-based.

Common law is practiced in the United States, Canada, the United Kingdom, Australia, and New Zealand. It is based on the rule of reasonable doubt and the premise that you are innocent until proven guilty. Before there was a written set of laws, laws were based on custom and precedent.

Customary law is usually found combined with another legal system; it is based on the concept of what is customary and considered normal conduct. Customary law is based on the traditions and customs of the region, and emerged when cooperation of individuals became necessary as communities merged. It is mainly used in regions of the world that have mixed legal systems (e.g., China, India).

Religious law is based on religious beliefs in a given region. In Islamic countries, the law is based on the rules of the Koran.

98
Q

Administrative law

A

Administrative, or regulatory, law covers standards of performance or conduct expected by government agencies from companies, industries, and certain officials.

99
Q

ALE (Annualized Loss Expectancy)

A

Single loss expectancy × frequency per year = annualized loss expectancy (SLE × ARO = ALE)

100
Q

Automated risk analysis

A

Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.

101
Q

Baseline

A

A baseline is a minimum level of security.

102
Q

Business case

A

A business case must be presented to gain executive support. This is done by explaining regulatory and legal requirements, exposing vulnerabilities, and providing solutions.

103
Q

BCM

A

Business continuity management (BCM) is the overarching approach to managing all aspects of BCP and DRP.

104
Q

Business impact analysis

A

The business impact analysis (BIA) is one of the most important first steps in the planning development.

Qualitative and quantitative data on the business impact of a disaster need to be gathered, analyzed, interpreted, and presented to management.

105
Q

Civil law system

A
  • Uses prewritten rules and is not based on precedent
  • Is different from civil (tort) laws, which work under a common law system
106
Q

CMMI

A

CMMI is a maturity model that allows processes to improve in an incremental and standardized approach.

107
Q

Common law system

A

Made up of criminal, civil, and administrative laws.

Criminal law deals with an individual’s conduct that violates government laws developed to protect the public.

Civil law deals with wrongs committed against individuals or companies that result in injury or damages. Civil law does not use prison time as a punishment, but usually requires financial restitution.

108
Q

Compensating control

A

A compensating control is an alternative control that is put into place because of financial or business functionality reasons.

109
Q

Control types

A

A control can be:

  • Administrative
  • Technical
  • Physical

and can provide

  • Deterrent
  • Preventive
  • Detective
  • Corrective
  • Recovery protection
110
Q

Copyright

A

Copyright protects the expression of ideas rather than the ideas themselves.

111
Q

COSO

A

COSO Internal Control—Integrated Framework is a governance model used to help prevent fraud within a corporate environment.

112
Q

Countermeasure

A

A countermeasure, also called a safeguard or control, mitigates the risk.

113
Q

Customary law system

A
  • Addresses mainly personal conduct and uses regional traditions and customs as the foundations of the laws.
  • Is usually mixed with another type of listed legal system rather than being the sole legal system used in a region.
114
Q

Delphi technique

A

The Delphi technique is a group decision method where each group member can communicate anonymously.

115
Q

Enterprise architecture frameworks

A

Enterprise architecture frameworks are used to build individual architectures that best map to individual organizational needs and business drivers.

116
Q

Enterprise security architecture

A

Enterprise security architecture is a subset of business architecture and a way to describe current and future security processes, systems, and subunits to ensure strategic alignment.

117
Q

Fault tree analysis

A

A fault tree analysis is a useful approach to detect failures that can take place within complex environments and systems.

118
Q

FMEA

A

Failure Modes and Effects Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.

119
Q

Guidelines

A

Guidelines are recommendations and general approaches that provide advice and flexibility.

120
Q

Information security management system

A

An information security management system (ISMS) is a coherent set of policies, processes, and systems to manage risks to information assets as outlined in ISO/IEC 27001.

121
Q

ISO/IEC 22301

A

ISO/IEC 22301 is the standard for business continuity management (BCM).

122
Q

ISO/IEC 27000

A

Overview and vocabulary

123
Q

ISO/IEC 27001

A

ISMS requirements

124
Q

ISO/IEC 27002

A

Code of practice for information security controls

125
Q

ISO/IEC 27003

A

ISMS implementation

126
Q

ISO/IEC 27004

A

ISMS measurement

127
Q

ISO/IEC 27005

A

Risk management

128
Q

ISO/IEC 27006

A

Certification body requirements

129
Q

ISO/IEC 27007

A

ISMS auditing

130
Q

ISO/IEC 27008

A

Guidance for auditors

131
Q

ISO/IEC 27011

A

Telecommunications organizations

132
Q

ISO/IEC 27014

A

Information security governance

133
Q

ISO/IEC 27015

A

Financial sector

134
Q

ISO/IEC 27031

A

Business continuity

135
Q

ISO/IEC 27032

A

Cybersecurity

136
Q

ISO/IEC 27033

A

Network security

137
Q

ISO/IEC 27034

A

Application security

138
Q

ISO/IEC 27035

A

Incident management

139
Q

ISO/IEC 27037

A

Digital evidence collection and preservation

140
Q

ISO/IEC 27799

A

Health organizations

141
Q

ITIL

A

ITIL is a set of best practices for IT service management.

142
Q

Job rotation

A

Job rotation is a detective administrative control to detect fraud.

143
Q

Mandatory vacations

A

Mandatory vacations are a detective administrative control type that can help detect fraudulent activities.

144
Q

Mixed law system

A

Uses two or more legal systems.

145
Q

NIST SP 800-53

A

NIST SP 800-53 uses the following control categories: technical, management, and operational.

146
Q

NIST SP 800-55

A

NIST SP 800-55 is a standard for performance measurement for information security.

147
Q

OCTAVE

A

OCTAVE is a team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector.

148
Q

Options for dealing with risk

A

Risk can be:

  • Transferred
  • Avoided
  • Reduced
  • Accepted.
149
Q

Patent

A

A patent grants ownership and enables that owner to legally enforce his rights to exclude others from using the invention covered by the patent.

150
Q

Privacy laws

A

Privacy laws dictate that data collected by government agencies must be collected fairly and lawfully, must be used only for the purpose for which it was collected, must only be held for a reasonable amount of time, and must be accurate and timely.

151
Q

Procedures

A

Procedures are detailed step-by-step actions that should be followed to achieve a certain task.

152
Q

Recovery planning steps

A
  • Initiating the project
  • Performing business impact analyses
  • Developing a recovery strategy
  • Developing a recovery plan
  • Implementing, testing, and maintaining the plan.
153
Q

Religious law system

A

Laws are derived from religious beliefs and address an individual’s religious responsibilities; commonly used in Muslim countries or regions.

154
Q

Residual risk

A

(Threats × vulnerability × asset value) × controls gap = residual risk

155
Q

Risk

A

A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.

156
Q

Risk analysis

A
  • Identify assets and assign values to them
  • Identify vulnerabilities and threats
  • Quantify the impact of potential threats
  • Provide an economic balance between the impact of the risk and the cost of the safeguards.
157
Q

SABSA

A

Sherwood Applied Business Security Architecture (SABSA) is a security enterprise architecture framework.

158
Q

Security enterprise architecture

A

Security enterprise architecture should tie in:

  • Strategic alignment
  • Business enablement
  • Process enhancement
  • Security effectiveness
159
Q

Security governance

A

Security governance is a framework that provides:

  • Oversight
  • Accountability
  • Compliance
160
Q

Security policy

A

A security policy is a statement by management dictating the role security plays in the organization.

161
Q

Separation of duties

A

Separation of duties ensures no single person has total control over a critical activity or task.

It is a preventive administrative control. Split knowledge and dual control are two aspects of separation of duties.

162
Q

Service Level Agreement

A

A service level agreement (SLA) is a contractual agreement that states that a service provider guarantees a certain level of service.

163
Q

Six Sigma

A

Six Sigma is used to identify defects in processes so that the processes can be improved upon.

164
Q

Social engineering

A

Social engineering is a nontechnical attack carried out to manipulate a person into providing sensitive data to an unauthorized individual.

165
Q

Standards

A

Standards are documents that outline rules that are compulsory in nature and support the organization’s security policies.

166
Q

Supply chain

A

A supply chain is a sequence of suppliers involved in delivering some product.

167
Q

Threat

A

A threat is the possibility that someone or something would exploit a vulnerability, either intentionally or accidentally, and cause harm to an asset.

Also, a potential cause of an unwanted incident, which may result in harm to a system.

168
Q

Total risk

A

Threats × vulnerability × asset value = total risk

169
Q

Trade secret

A

Trade secrets are deemed proprietary to a company and often include information that provides a competitive edge. The information is protected as long as the owner takes the necessary protective actions.

170
Q

Trademark

A

Trademarks protect words, names, product shapes, symbols, colors, or a combination of these used to identify products or a company.

These items are used to distinguish products from the competitors’ products.

171
Q

Vulnerability

A

A vulnerability is a weakness in a system that allows a threat source to compromise its security.

172
Q

Zachman Framework

A

The Zachman Framework is a two-dimensional enterprise architecture framework.

173
Q

(ISC)2 Code of Ethics

A
  • Protect society, the common good, necessary public trust and confidence, and the infrastructure
  • Act honorably, honestly, justly, responsibly, and legally
  • Provide diligent and competent service to principals
  • Advance and protect the profession
174
Q

Administrative control examples

A

Administrative controls are more management oriented:

  • Security documentation
  • Risk management
  • Personnel security
  • Training
175
Q

Advanced Persistent Threat (APT)

A

An APT is a group of attackers that is not in a hurry to launch an attack quickly, but waits for the most beneficial moment and attack vector to ensure that its activities go unnoticed.

176
Q

ALE (Annualized Loss Expectancy)

A

SLE × Annualized Rate of Occurrence (ARO)

177
Q

Annualized Rate of Occurrence (ARO)

A

The value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe.

178
Q

Baseline

A

Baselines refer to a point in time that is used as a comparison for future changes.

179
Q

Control

A

A control, or countermeasure, is put into place to mitigate (reduce) the potential risk.

180
Q

Cost/benefit analysis

A

A commonly used cost/benefit calculation for a given safeguard (control) is:

(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company

181
Q

Due care

A

Due care means taking the precautions that a reasonable and competent person would take in the same situation.

182
Q

Due diligence

A

Due diligence can be defined as doing everything within one’s power to prevent a bad thing from happening. Examples

183
Q

Enterprise architecture examples

A
  • TOGAF - Model and methodology for the development of enterprise architectures developed by The Open Group
  • DoDAF - U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals
  • MODAF - Architecture framework used mainly in military support missions developed by the British Ministry of Defence
  • SABSA model - Model and methodology for the development of information security enterprise architectures
184
Q

Exposure

A

An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages.

185
Q

Exposure Factor (EF)

A

The exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset.

186
Q

Facilitated Risk Analysis Process (FRAP)

A

The crux of this qualitative methodology is to focus only on the systems that really need assessing

187
Q

GDPR entities

A
  • Data subject - The individual to whom the data pertains
  • Data controller - Any organization that collects data on EU residents
  • Data processor - Any organization that processes data for a data controller
188
Q

GLBA

A

Gramm-Leach-Bliley Act of 1999 - upon identification of an incident of unauthorized access to sensitive customer information, the institution must determine the likelihood that the information has been or will be misused.

189
Q

Guideline

A

Guidelines are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply.

190
Q

HIPAA

A

Health Insurance Portability and Accountability Act

191
Q

HITECH Act

A

Health Information Technology for Economic and Clinical Health Act directs the U.S. Secretary of Health and Human Services (HHS) to publish annual guidance to affected corporations on effective technical controls to protect data.

192
Q

IEC

A

International Electrotechnical Commission

193
Q

ISMS vs. Security Enterprise Architecture

A

The ISMS outlines the controls that need to be put into place; the enterprise security architecture illustrates how these components are to be integrated into the different layers of the current business environment.

194
Q

ISO

A

International Organization for Standardization

195
Q

MPTD

A

Maximum period time of disruption

196
Q

MTD

A

Maximum tolerable downtime

197
Q

NIST SP 800-30, Revision 1

A

A guide for conducting risk assessments.

198
Q

NIST SP 800-39

A

NIST SP 800-39 defines three tiers to risk management:

Organizational tier - Concerned with risk to the business as a whole, which means it frames the rest of the conversation and sets important parameters such as the risk tolerance level.

Business process tier - Deals with the risk to the major functions of the organization, such as defining the criticality of the information flows between the organization and its partners or customers. The bottom tier.

Information systems tier - Addresses risk from an information systems perspective. Though this is where we will focus our discussion, it is important to understand that it exists within the context of (and must be consistent with) other, more encompassing risk management efforts.

199
Q

Non-Practicing Entities (NPE)

A

Patent trolls.

200
Q

Physical control examples

A

Physical controls are items put into place to protect facilities, personnel, and resources.

  • Security guards
  • Locks
  • Fencing
  • Lighting
201
Q

Procedures

A

Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.

202
Q

Residual risk

A

(threats × vulnerability × asset value) × controls gap = residual risk

total risk – countermeasures = residual risk

203
Q

Risk management

A

Risk management (RM) is the process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level.

204
Q

Risk Management Framework (RMF)

A

A structured process that allows an organization to identify and assess risk, reduce it to an acceptable level, and ensure that it remains at that level.

Examples:

  • NIST RMF (SP 800-37r1)
  • ISO 31000:2018
  • ISACA Risk IT
205
Q

Preventive control

A

Intended to avoid an incident from occurring

206
Q

Detective control

A

Helps identify an incident’s activities and potentially an intruder

207
Q

Corrective control

A

Fixes components or systems after an incident has occurred

208
Q

Deterrent control

A

Intended to discourage a potential attacker

209
Q

Recovery control

A

Intended to bring the environment back to regular operations

210
Q

Compensating control

A

Provides an alternative measure of control.

211
Q

SLE (Single Loss Expectancy)

A

The SLE is a dollar amount that is assigned to a single event that represents the company’s potential loss amount if a specific threat were to take place.

Asset Value × Exposure Factor (EF) = SLE

212
Q

Standards

A

Standards refer to mandatory activities, actions, or rules.

213
Q

SWOT analysis

A

SWOT stands for Strengths/Weaknesses/Opportunities/Threats.

214
Q

Technical control examples

A

Technical controls (also called logical controls) are software or hardware components:

  • Firewalls
  • IDS
  • Encryption
  • Identification and authentication mechanisms
215
Q

Threat agent

A

The entity that takes advantage of a vulnerability.

216
Q

Threat modeling

A

The process of describing feasible adverse effects on our assets caused by threat sources.

217
Q

Total risk

A

threats × vulnerability × asset value

218
Q

Vulnerability assessment vs. Risk assessment

A

Vulnerability assessment just finds the vulnerabilities (the holes).

A risk assessment calculates the probability of the vulnerabilities being exploited