General

Question 1

What is the CIA Triad?

Answer 1

Confidentiality
Integrity
Availability

Question 2

What is Integrity?

Answer 2

Property of Information: maintained in a way that ensures completeness, accuracy, internal consistency, and usefulness for a stated purpose.

Question 3

What is Confidentiality?

Answer 3

Permitting authorized access while at the same time protecting information from improper disclosure.

Question 4

What is PII?

Answer 4

Personally Identifiable Information

Question 5

Sensitivity

Answer 5

Measure of importance of information / reason for need to protect.

Question 6

Data Integrity

Answer 6

Assurance that data has not been altered in an unauthorized manner.

Question 7

Availability

Answer 7

(1) timely and reliable access & ability to use for authorized users.

Question 8

Authentication Types

Answer 8

(1) Something you know: password (knowledge based)
(2) Something you have: e.g., token device (token based)
(3) Something you are: biometrics (characteristic based)

Question 9

Non-Repudiation

Answer 9

Protection against an individual falsely denying having performed a particular action. Capability to determine if an action was taken.

Question 10

Risk

Answer 10

Measure of the extent to which an entity is threatened by a potential circumstance or event.
Probability vs. Impact

Question 11

Risk Management: Asset

Answer 11

Something that needs protection.

Question 12

Risk Management: Vulnerability

Answer 12

Gap or Weakness in Protection

Question 13

Risk Management: Threat

Answer 13

Something or someone that can exploit a vulnerability.

Question 14

Risk Matrix

Answer 14

Probability vs. Impact

Question 15

Risk Treatment

Answer 15

(1) Avoidance
(2) Mitigation
(3) Acceptance
(4) Transfer

Question 16

Risk Priorities

Answer 16

Qualitative
Quantitative
Semi-Quantitative (critical, high, medium, low)

Question 17

Security Controls

Answer 17

Physical
Administrative
Technical (or: Logical)

Question 18

Governance Elements

Answer 18

Regulations and Laws
Standards
Policies
Procedures

Question 19

Standards (in Governance)

Answer 19

ISO, NIST, IETF, IEEE – usually set by professional organizations or governing bodies.

Question 20

Laws vs. Standars vs. Policies

Answer 20

Policy is informed by applicable laws and specifies which standards (may be external + internal standards) the organization follows.

Question 21

ISC2 Code of Ethics Canon

Answer 21

(1) Protect society, common good, necessary public trust and confidence, and infrastructure
(2) Act honorably, honestly, justly, responsibly, and legally.
(3) Provide diligent and competent service to principals.
(4) Advance and protect the profession.

Don’t have to report to law enforcement or ISC2.

Question 22

ISC Code of Ethics Preamble

Answer 22

Purpose and Intent of Code of Ethics
(1) The safety and welfare of society and commmon good, duty to principals and each others -> adhere to highest ethical standards of behavior
(2) strict adherance to the code is condition of certification.

Question 23

Breach

Answer 23

Loss of control, compromise, unauthorized disclsoure/acquisition

Question 24

Event

Answer 24

Obserable occurrence in a network or system.

Question 25

Exploit

Answer 25

A particular attack (vector)

Question 26

Incident

Answer 26

An event that actually or potentially jeopardizes CIA of a system.

Question 27

Intrusion

Answer 27

Security event in which an intruder gains access without authorization.

Question 28

Threat

Answer 28

Circumstance or event with potential to impact operations, functions, or CIA

Question 29

Vulnerability

Answer 29

Weakness or Flaw

Question 30

Zero Day

Answer 30

Previously unknown system vulnerability with the potential of exploitation.

Question 31

Incident Response Plan

Answer 31

Preparation Detection and Analysis Containment, Eradication, Recovery Post-Incident Activity

Question 32

Business Continuity Plan Components

Answer 32

Procedures/Plans/Checklists Contact Info Comms Plan

Question 33

Disaster Recovery Plan

Answer 33

Detailed Plan of how to recover. Including checklists of how to bring up alternative sites and load backups and recover data. Activated in case Incident Response and Business Continuity plans fail.

Question 34

Business Impact Analysis

Answer 34

Analysis of the impact that loss of a component or of an entire system will have on the business.

Question 35

Security Control Elements

Answer 35

Objects, Subjects, Rules

Question 36

Layered Defense / Defense in Depth

Answer 36

Multiple layers of access controls, e.g., MFA

Question 37

Principle of Least Privilege

Answer 37

Permitting minimum access necessary

Question 38

Segregation of Duties

Answer 38

Multiple persons should be involved in enabling high-risk transactions.

Question 39

Discretionary Access Control

Answer 39

Direct mapping of objects <> subjects with level of access. Up to the discretion of the object owner.

Question 40

Mandatory Access Control

Answer 40

Only security administrators control security rules.