Exam Essentials Chapter 1

Question 1

Confidentiality is the principle that objects are not disclosed to unauthorized subjects.

Integrity is the principle that objects retain their veracity and are intentionally modified only by authorized subjects.

Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects.

As a group what is this commonly known as?

Answer 1

CIA Triad

Question 2

__________ is composed of identification, authentication, authorization, auditing, and accountability?

Answer 2

AAA Services

Question 3

_________ is the process by which a subject professes an identity and accountability is initiated.

Answer 3

Identification

Question 4

__________ must provide an identity to a system to start the process of authentication, authorization, and accountability.

Answer 4

A subject

Question 5

___________ is the process of verifying or testing that a claimed identity is valid. Authentication requires information from the subject that must exactly correspond to the identity indicated.

Answer 5

Authentication

Question 6

__________ is the programmatic means by which subjects are held accountable for their actions while authenticated on a system through the documentation or recording of subject activities.

Answer 6

Auditing

Question 7

Security can be maintained only if subjects are held accountable for their actions.

What is the term used for this?

Answer 7

Accountability

Question 8

______________ ensures that the subject of an activity or event cannot deny that the event occurred. It prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.

Answer 8

Nonrepudiation

Question 9

___________ is used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. It adds efficiency to carrying out a security plan.

Answer 9

Abstraction

Question 10

Preventing data from being discovered or accessed by a subject. It is often a key element in security controls as well as in programming.

What does this define?

Answer 10

data hiding

Question 11

_____________ is the line of intersection between any two areas, subnets, or environments that have different security requirements or needs.

Answer 11

security boundary

Question 12

_____________ is the collection of practices related to supporting, defining, and directing the security efforts of an organization.

Answer 12

Security governance

Question 13

______________ is the system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. The actual method of governance may vary, but it generally involves an outside investigator or auditor.

Answer 13

Third-party governance

Question 14

_________________ is the process of reading the exchanged materials and verifying them against standards and expectations. In many situations, especially related to government or military agencies or contractors, failing to provide sufficient documentation to meet requirements of third-party governance can result in a loss of or a voiding of authorization to operate (ATO).

Answer 14

Documentation review

Question 15

_____________ is planning ensures proper creation, implementation, and enforcement of a security policy.

________________ aligns the security functions to the strategy, goals, mission, and objectives of the organization. This includes designing and implementing security based on business cases, budget restrictions, or scarcity of resources.

Answer 15

Security management

Security management planning

Question 16

___________ is usually a documented argument or stated position in order to define a need to make a decision or take some form of action.

Answer 16

A business case

Question 17

____________ demonstrates a business-specific need to alter an existing process or choose an approach to a business task.

Answer 17

A business case

Question 18

_________________ is based on three types of plans: strategic, tactical, and operational.

Answer 18

Security management

Question 19

____________ is a long-term plan that is fairly stable. It defines the organization’s goals, mission, and objectives.

Answer 19

strategic plan

Question 20

__________ is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan. Operational plans are short-term and highly detailed plans based on the strategic and tactical plans.

Answer 20

The tactical plan

Question 21

List the elements of a security policy that is formalized. (there are 5)

Answer 21

security policy
standards,
baselines,
guidelines,
procedures.

Question 22

Security governance needs to address every aspect of an organization.

What are those areas? (there are 3)

Answer 22

organizational processes of acquisitions, divestitures,
governance committees.

Question 23

List the Key Security Roles (there are 5)

Answer 23

senior manager,
security professional,
asset owner, custodian,
user, and
auditor.

Question 24

______________ is a security concept infrastructure used to organize the complex security solutions of companies.

Answer 24

Control Objectives for Information and Related Technology (COBIT)

Question 25

____________ is establishing a plan, policy, and process to protect the interests of an organization.

Answer 25

Due diligence

Question 26

_________ is knowing what should be done and planning for it; due care is doing the right action at the right time.

Answer 26

Due diligence

Question 27

_____________ is practicing the individual activities that maintain the due diligence effort.

Answer 27

Due care

Question 28

_____________ is the security process where potential threats are identified, categorized, and analyzed.

Answer 28

Threat modeling

Question 29

____________ can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed.

Answer 29

Threat modeling

Question 30

STRIDE, PASTA, VAST, diagramming, reduction/decomposing, and DREAD.

Are key concepts of what?

Answer 30

Threat modeling

Question 31

____________ is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners.

Answer 31

Supply Chain Risk Management (SCRM)

Question 32

_____________ includes evaluating risks associated with hardware, software, and services; performing third-party assessment and monitoring; establishing minimum security requirements; and enforcing service-level requirements.

Answer 32

SCRM (Supply Chain Risk Management)