Study 2

Question 1

What is the CIA Triad?

Answer 1

Confidentiality, Integrity, Availability

Question 2

What is due care?

Answer 2

Taking reasonable actions to prevent harm

Question 3

What does ISO 27001 specify?

Answer 3

Information security management system (ISMS) requirements

Question 4

Who is responsible for data classification?

Answer 4

The data owner

Question 5

What is data remanence?

Answer 5

Residual representation of data that remains after attempts to remove or erase it

Question 6

What is defense in depth?

Answer 6

Layered security approach to protect assets

Question 7

What does a firewall do?

Answer 7

Filters network traffic based on predefined rules

Question 8

What is the purpose of IPSec?

Answer 8

Provides secure network communications using authentication and encryption

Question 9

What is multifactor authentication (MFA)?

Answer 9

Authentication using two or more factors from different categories

Question 10

What does RBAC stand for?

Answer 10

Role-Based Access Control

Question 11

What is a vulnerability assessment?

Answer 11

Identifying and quantifying vulnerabilities in a system

Question 12

What is the purpose of a security audit?

Answer 12

Evaluate compliance with security policies and standards

Question 13

What is an incident response plan?

Answer 13

A set of procedures for detecting, responding to, and recovering from incidents

Question 14

What does SIEM stand for?

Answer 14

Security Information and Event Management

Question 15

What is the main goal of secure coding practices?

Answer 15

Prevent common vulnerabilities such as buffer overflows and injection attacks

Question 16

What is the purpose of the OWASP Top 10?

Answer 16

Highlight the most critical security risks to web applications

Question 17

What is confidentiality in the CIA triad?

Answer 17

Ensuring information is accessible only to those authorized.

Question 18

What is integrity in the CIA triad?

Answer 18

Assurance that information is accurate and has not been altered.

Question 19

What is availability in the CIA triad?

Answer 19

Ensuring timely and reliable access to information.

Question 20

What is due diligence?

Answer 20

Ongoing activities to ensure due care is being applied.

Question 21

What is the primary purpose of security governance?

Answer 21

To align security with business objectives.

Question 22

What are administrative controls?

Answer 22

Policies, procedures, and guidelines that define roles and responsibilities.

Question 23

What is risk appetite?

Answer 23

The level of risk an organization is willing to accept.

Question 24

What is data classification?

Answer 24

Process of categorizing data based on sensitivity and impact.

Question 25

What is the role of the data custodian?

Answer 25

Responsible for implementing and maintaining controls.

Question 26

What is data owner responsible for?

Answer 26

Classifying data and determining access.

Question 27

What is media sanitization?

Answer 27

Removing data from storage media to prevent data recovery.

Question 28

What is a security perimeter?

Answer 28

Boundary where security controls are enforced.

Question 29

What is the Bell-LaPadula model used for?

Answer 29

Maintaining data confidentiality.

Question 30

What is the Biba model used for?

Answer 30

Ensuring data integrity.

Question 31

What is a TPM (Trusted Platform Module)?

Answer 31

Hardware chip used for secure crypto operations.

Question 32

What are symmetric encryption algorithms?

Answer 32

AES, DES, 3DES — use the same key for encryption and decryption.

Question 33

What is a DMZ?

Answer 33

Demilitarized zone — adds a layer of protection between external and internal networks.

Question 34

What is the difference between TCP and UDP?

Answer 34

TCP is connection-oriented; UDP is connectionless.

Question 35

What does a proxy server do?

Answer 35

Intermediary between user and the internet for security and anonymity.

Question 36

What is port 443 used for?

Answer 36

HTTPS (secure web traffic)

Question 37

What is SSO?

Answer 37

Single Sign-On — allows user to log in once to access multiple systems.

Question 38

What is LDAP?

Answer 38

Lightweight Directory Access Protocol — used for accessing and maintaining distributed directory info.

Question 39

What are the three types of access control models?

Answer 39

Discretionary (DAC), Mandatory (MAC), Role-Based (RBAC)

Question 40

What is identity federation?

Answer 40

Linking a user's identity across multiple systems or organizations.

Question 41

What is penetration testing?

Answer 41

Simulated attack to identify exploitable vulnerabilities.

Question 42

What is the difference between white-box and black-box testing?

Answer 42

White-box: internal knowledge; Black-box: no prior knowledge.

Question 43

What is a security audit?

Answer 43

Formal evaluation of an organization's adherence to policies and regulations.

Question 44

What is business continuity planning (BCP)?

Answer 44

Ensures critical functions continue during a disaster.

Question 45

What is DRP (Disaster Recovery Planning)?

Answer 45

Strategies to restore IT systems after a disruption.

Question 46

What is MTTR?

Answer 46

Mean Time to Repair — average time to recover from a failure.

Question 47

What is separation of duties?

Answer 47

Dividing tasks among different people to reduce risk of fraud.

Question 48

What is job rotation?

Answer 48

Moving employees between roles to reduce fraud and improve flexibility.

Question 49

What is the SDLC?

Answer 49

Software Development Life Cycle — process of planning, creating, testing, and deploying software.

Question 50

What is input validation?

Answer 50

Ensuring user input is safe and expected to prevent attacks.

Question 51

What is buffer overflow?

Answer 51

Anomaly where a program writes data beyond buffer memory.

Question 52

What is threat modeling?

Answer 52

Identifying and evaluating potential security threats to a system.

Question 53

What is the STRIDE model?

Answer 53

Threat model: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.