Domain 2: Asset Security

Question 1

Labels

Answer 1

defines the information sensitivity of an object

Question 2

Clearance

Answer 2

Subjects have clearance assigned to then. formal determination of whether a user can be trusted with a specific level of information.

Defines if a subject can have access to an object.

Question 3

Compartmentalization

Answer 3

giving clearance to a user, but only in a specific area - not to all objects of the same level.

Question 4

Formal access approval

Answer 4

Documented approval from a data owner for a subject to access cerain objects

Question 5

Need to Know

Answer 5

Giving access to a subject, only for those objects that they ‘need to know.’

Question 6

Sensitive information retention

Answer 6

Sensitive information only has a useful life of so long. IT should not be kept longer than necessary

Question 7

Data owner

Answer 7

Manager responsible for ensuring specific data is protected. Determin sensitivity labels and frequency of data backup.

Question 8

System owner

Answer 8

Manager responsible for the actual computers which house data.

Question 9

Custodian

Answer 9

Performs hands-on protections of assets such as data.

Question 10

Data Controller

Answer 10

Create and Manage sensitive data within an org. HR employees are often data controllers.

Question 11

Data Processor

Answer 11

manage data on behalf of data controllers. Outsourced payroll company is an example of this.

Question 12

Data collection limitation

Answer 12

Orgs should collect the minimum amount of sensitive information required.

Question 13

Data Remanence

Answer 13

Data that persists beyond non-invasive means to delete.

Question 14

Memory

Answer 14

Series of on/off switches representing 1s or 0s

Question 15

RAM

Answer 15

Random Access Memory - Means CPU can jump to any physical location in memory, not limited by what’s available. Volatile

Question 16

Volatile Memory

Answer 16

Loses integrity after power loss

Question 17

Non-volatile memory

Answer 17

doesn’t lose integrity after power loss.

Question 18

Real/Primary Memory

Answer 18

Directly accessible by the CPU. Used to hold instructions and data for currently running processes.

Question 19

Cache Memory

Answer 19

Fastest Memory, required to keep up with CPU.

Question 20

Register File

Answer 20

Fastest portion of the fastest memory (Cache Memory). Contains multiple registers for storing instructions/data.

Question 21

ROM

Answer 21

Non-volatile Read Only Memory. Some types of ROM can be written by flashing.

Question 22

DRAM

Answer 22

Dynamic Random Access Memory - Stores bits in capacitors (electric charge). Leaks charge so must be constantly recharged every few milliseconds. Slower and cheaper than SRAM.

Question 23

SRAM

Answer 23

Uses small latches called ‘flip flops’ to store information. Does not leak charge. Faster and more expensive than DRAM.

Question 24

Firmware

Answer 24

Stores programs that do not change often. Such as BIOS or router OS.

Question 25

Flash Memory

Answer 25

such as USB thumb drive, SSD

Question 26

PROM

Answer 26

Programmable read-only memory. Can be written only once. Usually in factory.

Question 27

EPROM

Answer 27

Erasable Programmable Read-only memory. Can be flashed.

Question 28

EEPROM

Answer 28

Electronically Erasable Programmable Read Only Memory

Question 29

UVEPROM

Answer 29

Ultra-violet erasable programmable read only memory.

Question 30

SSD

Answer 30

Combination of EEPROM and DRAM. Degaussing has no effect on ssds. Blocks are logical, not physical - and organized by mapping. Does not overwrite used blocks until disk is full. Risk of data remnance.

Question 31

SSD Garbage Collection

Answer 31

Systematically identifies which memory cells contain un-needed data, and clears the blocks.

Question 32

ATA Secure Erase

Answer 32

One of two ways to securely remove data from SSD

Question 33

Degaussing

Answer 33

Destroys the integrity of a magnetic medium (HHD or Tape), by exposing to a strong magnetic field.

Question 34

Overwriting

Answer 34

Reformats a disk by writing all bits as 1s or 0s, then marking as 'unallocated' Usually some data remnance still remains.

Question 35

Destruction

Answer 35

Physically destroys integrity of the media. Shredding (disks or papers), Cinerization, pulverization.

Question 36

Shredding

Answer 36

paper, HHDs, floppy disks

Question 37

System Certification

Answer 37

Means system has been certified to meet minimum requirements of Data Owner. Considers system, sec measures, and residual risk.

Question 38

Accreditation

Answer 38

Data Owners Acceptance of the Certification and of the Residual Risk. Required before production use begins.

Question 39

PCI DSS

Answer 39

Payment Card Industry Data Security Standard. Protect Credit Cards by requiring vendors who use them to take specific security precautions.

Question 40

PCI DSS Principles

Answer 40

- Build and Maintain a secure network and systems - Protect Cardholder data - Maintain a vulnerability management program. - Implement strong access control measures - regularly monitor and test network - maintain an information security policy.

Question 41

OCTAVE

Answer 41

Operationality Critical Threat, Asset, and Vulnerability Evaluation. Three phase risk management process from Carnegie Mellon Uni.

Question 42

OCTAVE Phases

Answer 42

1. Identifies staff knowldge, assets, and threats. 2. identifies vulnerabilities and evaluates safeguards 3. conducts risk analysis and develops risk mitigation strategy.

Question 43

International Common Criteria

Answer 43

internationally agreed upon criteria/hierarchy of requirements for testing sec. of information technology systems.

Question 44

ICC ToE

Answer 44

Target of evaluation - system/product being eval.

Question 45

ICC Sec Target

Answer 45

Documentation describing ToE. Including sec requirements and operational environment.

Question 46

ICC Protection Profile

Answer 46

Protection profile - set of sec requirements and objectives for a specific category of products, such as firewalls or IDS/IPS

Question 47

ICC Evaluation Assurance Level (EAL)

Answer 47

Evaluation score of tested product or system.

Question 48

ICC EAL1

Answer 48

International Common Criteria Evaluation Assurance Level 1 Functionally tested

Question 49

ICC EAL2

Answer 49

International Common Criteria Evaluation Assurance Level 2 Structurally Tested

Question 50

ICC EAL3

Answer 50

International Common Criteria Evaluation Assurance Level 3 Methodically tested and checked

Question 51

ICC EAL4

Answer 51

International Common Criteria Evaluation Assurance Level 4 Methodically designed, tested, and reviewed

Question 52

ICC EAL5

Answer 52

International Common Criteria Evaluation Assurance Level 5 Semi-formally designed, and tested

Question 53

ICC EAL6

Answer 53

International Common Criteria Evaluation Assurance Level 6 Semi formally verified, designed, and tested

Question 54

ICC EAL7

Answer 54

International Common Criteria Evaluation Assurance Level 7 Formally verified, designed, and tested.

Question 55

ISO 17799 Renumbered to ______

Answer 55

ISP 27002

Question 56

ISO 17799/ ISP 27002

Answer 56

Approach for the info security code of practice by the International Org of Standardization. Based on ISO 17799

Question 57

ISO 27001

Answer 57

Based on BS7799. Security techniques, info sec management systems.

Question 58

COBIT

Answer 58

Framework for employing information security governance best practices within an organization. Developed by ISACA

Question 59

ITIL

Answer 59

Framework for providing best services in IT Management.

Question 60

COBIT # of domains

Answer 60

4

Question 61

COBIT # of processes

Answer 61

34

Question 62

ITIL # of Service MGMT Practices

Answer 62

5

Question 63

Scoping

Answer 63

process of determining which portions of a standard will be employed by an org.

Question 64

Tailoring

Answer 64

customizing standard for an organization.

Question 65

NIST SP-800-18

Answer 65

Outlines responsibilities for the information owner role.

Question 66

Sanitization

Answer 66

Removal of info from a storage medium

Question 67

Clearing

Answer 67

Sanitization method used to overwrite data. Data can be recovered in a laboratory.

Question 68

Purging

Answer 68

More thorough version of clearing.

Question 69

CASB Acronym (Cloud)

Answer 69

Cloud Access Security Broker Software placed between user and cloud environments. Monitors all activity.