Domain 5

Question 1

Security Policy

Answer 1

Sets overall vision and goals for Information Security. Defines Why behind security measures. General statements. Policies are major input to standards

Question 2

Security Standards

Answer 2

Translate the Policy into specific technical requirements and best practices. What and When for security goals. Mandatory

Question 3

Security Procedure

Answer 3

Provide detailed instructions on how to implement standards. Defines How

Question 4

Security Guidelines

Answer 4

Offer additional recommendations and best practices that can be adopted to further enhance security. They are not mandatory. Least specific.

Question 5

Acceptable Use Policy (AUP)

Answer 5

Allowed/Appropriate Uses of the organisations IT resources

Question 6

Information Security Policy

Answer 6

Sets overall direction for information security

Question 7

Business Continuity Policy

Answer 7

Defines organisations overall strategy for business continuity

Question 8

Disaster Recover Policy

Answer 8

Focuses on recover from disasters

Question 9

Incident Response Policy

Answer 9

Sets high-level direction for how organisations will identify, contain, eradicate and recover from security incidents

Question 10

Software Development Lifecycle (SDLC)

Answer 10

Guidance that Software development teams must follow in creating software

Question 11

FIPS 140-2/3

Answer 11

Mandatory standard for protection of sensitive data within federal systems

Question 12

Board

Answer 12

Highest level of authority

Question 13

Committees

Answer 13

Subgroups that focus on specific areas or tasks, reporting to the Board

Question 14

Government Entities

Answer 14

Eg NIST - These entities issue security regulations, standards and Best practices that organisations must comply

Question 15

Centralized

Answer 15

Decisions are managed by central security team

Question 16

Decentralized

Answer 16

Delegates security decisions and controls to some extent to business units and departments

Question 17

Data Owner

Answer 17

Legal rights and complete control over a single piece of data. Member of senior Management. Can delegate day-to-day activities. Cannot delegate total responsibility

Question 18

Data Custodian

Answer 18

Responsible for safe custody, transport, and storage of data. IT Department

Question 19

Data Processor

Answer 19

Legal person, public authority, agency or other body which processes personal data solely on behalf of data controller

Question 20

Data Controller

Answer 20

Person or entity that controls that controls processing of the data

Question 21

Data Subject

Answer 21

Person who can be identified

Question 22

Data Steward

Answer 22

Data’s context and meaning are understood and business rules governing the data usage are known and followed

Question 23

Risk Identification

Answer 23

Process of identifying the threats and vulnerabilities that exist in operating environment

Question 24

Risk Assessment

Answer 24

Process of Identifying, analysing, evaluating and prioritizing potential risks

Question 25

Ad hoc Risk Assessment

Answer 25

One time assessments in response to a specific event

Question 26

Recurring Risk Assessment

Answer 26

Assessments conducted periodically

Question 27

One-Time Risk Assessment

Answer 27

One time assessment - In response to security incident or management request

Question 28

Continuous Risk Assessment

Answer 28

Automated such as recurring system scan integrated into daily operations

Question 29

Quantitative Risk Analysis

Answer 29

Assigns dollar Value to evaluate effectiveness of countermeasures

Question 30

Qualitative Risk Analysis

Answer 30

Scoring System to rank effectiveness of countermeasures. Low/Medium/high

Question 31

Impact

Answer 31

Potential consequences or negative effects that could occur if the risk materializes

Question 32

Asset Value

Answer 32

Monetary value of the asset

Question 33

Exposure Factor (EF)

Answer 33

Percentage of loss if a specific asset were violated by a realised risk

Question 34

Single Loss Expectancy (SLE)

Answer 34

Cost associated with a single realized risk against a specific asset. SLE == Asset Value X Exposure Factor (%)

Question 35

Annualized Rate of Occurrence (ARO)

Answer 35

Expected frequency with which a specific threat or risk will occur within a single year. Example risk occurs every 5 years = 1/5 =0.2

Question 36

Annualized Loss Expectancy

Answer 36

SLE XARO = ALE - How much will you loose per year. ALE = Asset value X Exposure Factor X ARO

Question 37

Risk Register

Answer 37

Track Potential Issues

Question 38

Risk Matrix

Answer 38

Heat map . Visual Representation of risks affecting a company

Question 39

Key Risk Indicators (KRIs)

Answer 39

Measurable metrics that signal potential changes

Question 40

Risk Owner

Answer 40

Assigned designated owner

Question 41

Risk Threshold

Answer 41

Level of risk tolerance established by the organisation

Question 42

Risk Appetite

Answer 42

Risk an organisation is willing to accept without mitigating

Question 43

Risk Tolerance

Answer 43

Ability to take on risk

Question 44

Risk Exception

Answer 44

Temporary deviation for a defined period

Question 45

Risk Exemption

Answer 45

Permanent deviation

Question 46

Risk Reporting

Answer 46

Risk discovered and includes recommendations as well

Question 47

Business Impact Analysis (BIA)

Answer 47

Includes 2 benefits Cost Benefit Analysis and Return on Investment

Question 48

Recovery Point Objective (RPO)

Answer 48

Max tolerable data loss between last backup and disaster

Question 49

Recovery Time Objective (RTO)

Answer 49

Duration or time within which a business process must be restored

Question 50

Mean time between Fails (MTBF)

Answer 50

Time for how long IT infrastructure will continue to work before it fails

Question 51

Mean time to Repair (MTTR)

Answer 51

Time how long it will take to get hardware/software back online

Question 52

Right to Audit Clause

Answer 52

Written into supply chain contracts allow auditor can visit the premises to inspect

Question 53

Service Level Agreements

Answer 53

Stipulate Performance Expectation

Question 54

Memorandum of Understanding

Answer 54

Formal agreement between 2 parties intention to work together towards common goal. Lacks binding contract

Question 55

Memorandum of Agreement

Answer 55

Serves as a legal document and describes terms and details of the agreement. MOA is legal contract

Question 56

Master Service Agreement

Answer 56

Agreement for vendors that you will work with repeatedly. Has compliance and process requirements

Question 57

Statement of Work

Answer 57

SOW is legal document created after MSA . SOW has requirements, expectations and deliverables

Question 58

Business Partner Agreement

Answer 58

2 companies or individual who want to participate in a business venture to make a profit

Question 59

Right to be forgotten

Answer 59

Deletion of their personal data

Question 60

Attestation

Answer 60

Independent Verification of an organisation adherence to specific controls or standards

Question 61

Penetration Testing

Answer 61

Actively assesses deployed security controls, trying to exploit vulnerabilities by simulating or performing an attack

Question 62

Offensive Pentest

Answer 62

Focuses on technical security of computer systems and networks attempting to exploit vulnerabilities to gain unauthorised access

Question 63

Defensive Pentest

Answer 63

Focuses on evaluating the effectiveness of existing security controls to withstand attacks

Question 64

Integrated Pentest

Answer 64

Combines Physical, Offensive and Defensive techniques

Question 65

Known Environment

Answer 65

White box test - Substantial/ Full Information

Question 66

Unknown Environment

Answer 66

Black box test - Completely Blind

Question 67

Partially Known Environment

Answer 67

Grey Box Test - Limited Information

Question 68

Rules of Engagement

Answer 68

Purpose and Scope of Pentesting

Question 69

Passive Reconnaissance

Answer 69

Not interacting with the target - Involves gathering data from publicly available sources ( Searching Internet, Reviewing Media, Analysing DNS records, Using Search Engines) - Google Dorking

Question 70

Active Reconnaissance

Answer 70

Interacts Directly with Target (Using Port Scanners, Sending Ping sweeps, Utilizing vulnerability scanners, Employing social engineering techniques)

Question 71

Authority

Answer 71

Position, Responsibility or Affiliation that grants the attacker the authority to make the request

Question 72

Intimidation

Answer 72

Suggesting you may face negative outcomes

Question 73

Scarcity

Answer 73

Similar to Urgency - Limited Opportunity, diminishing Availability

Question 74

Consensus

Answer 74

Claiming that someone in a similar position or peer has carried out the same task

Question 75

Familiarity

Answer 75

Liking - Attempting to establish a personal connection

Question 76

Urgency -

Answer 76

Time Sensitivity to demand action

Question 77

Trust

Answer 77

Citing Knowledge and experience

Question 78

SPAM

Answer 78

Unsolicited Email

Question 79

SPIM

Answer 79

SPAM over Instant Messaging

Question 80

Dumpster Diving

Answer 80

Gathering important details (Intelligence ) from things people have thrown in the Trash

Question 81

Tailgaiting

Answer 81

Unauthorised individual follow you without badging in themselves

Question 82

Eliciting Information

Answer 82

Casual Conversation to extract information

Question 83

Shoulder Surfing

Answer 83

Criminal Practice steal your personal data by spying over your shoulder

Question 84

Pharming

Answer 84

Online Scan where website traffic is manipulated thru DNS, redirects a user to different website