Study Guide Ch 2

Question 1

The six steps of the risk management

framework

Answer 1

Categorize, 
Select, 
Implement, 
Assess, 
Authorize, 
Monitor

Question 2

Separation of duties

Answer 2

the security concept in which critical, significant,

and sensitive work tasks are divided among personnel

Question 3

Job responsibilities

Answer 3

the specific work tasks an employee is required

to perform on a regular basis

Question 4

Job rotation serves two functions

Answer 4

First, it provides a type of knowledge redundancy

Second, moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information

Question 5

Collusion

Answer 5

When several people work together to perpetrate a crime

Question 6

NDA

Answer 6

nondisclosure agreement

Question 7

What is the purpose of a NDA?

Answer 7

An NDA is used to protect the confidential information within an organization from being disclosed by a former employee

Question 8

NCA

Answer 8

non-compete agreement

Question 9

What purpose does a NCA serve?

Answer 9

NCAs attempt to prevent an employee with special knowledge of secrets from one organization from working in a competing organization

NCAs are also used to prevent workers from jumping from one company to another competing company just because of salary increases or other incentives

Question 10

the best time to terminate an employee…

Answer 10

at the end of their shift midweek

Question 11

The primary purpose of the exit interview…

Answer 11

To review the liabilities and restrictions placed on the former employee based on the employment agreement, nondisclosure agreement, and any other security-related documentation

Question 12

Compliance

Answer 12

the act of conforming to or adhering to rules, policies, regulations, standards, or requirements

Question 13

Pll

Answer 13

personally identifiable information = any data item that can be easily and/or obviously traced back to the person of origin or concern

Question 14

Security governance

Answer 14

the collection of practices related to supporting, defining, and directing the security efforts of an organization

Question 15

Third-party governance

Answer 15

the system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements

Question 16

Documentation review

Answer 16

the process of reading the exchanged materials and verifying them against standards and expectations

Question 17

ATO

Answer 17

authorization to operate

Question 18

Risk

Answer 18

The possibility that something could happen to damage, destroy, or disclose data or other resources

Question 19

What is the primary goal of risk management?

Answer 19

To reduce risk to an acceptable level

Question 20

Risk analysis

Answer 20

The process by which the goals of risk management are achieved

Question 21

Asset

Answer 21

An asset is anything within an environment that should be protected

Question 22

Asset valuation

Answer 22

A dollar value assigned to an asset based on actual

cost and non-monetary expenses

Question 23

Threats

Answer 23

Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset is a threat

Question 24

Vulnerability

Answer 24

The weakness in an asset or the absence or the weakness of a safeguard or countermeasure

Question 25

Exposure

Answer 25

Being susceptible to asset loss because of a threat

Question 26

Risk formula

Answer 26

risk = threat * vulnerability

Question 27

Safeguard

Answer 27

A countermeasure | Anything that removes or reduces a vulnerability or protects against one or more specific threats

Question 28

Attack

Answer 28

the exploitation of a vulnerability by a threat agent

Question 29

Breach

Answer 29

the occurrence of a security mechanism being bypassed or thwarted by a threat agent.

Question 30

How does quantitative analysis function?

Answer 30

To assign real dollar figures to the loss of an asset

Question 31

How does qualitative analysis function?

Answer 31

To assign subjective and intangible values to the loss of an asset

Question 32

The six major steps or phases in quantitative risk analysis

Answer 32

Inventory assets, and assign a value For each listed threat, calculate exposure factor (EF) and single loss expectancy (SLE) Assess the annualized rate of occurrence (ARO) Derive the annualized loss expectancy (ALE) Perform cost/benefit analysis of countermeasures

Question 33

EF (exposure factor)

Answer 33

The EF simply indicates the expected overall asset value loss because of a single realized risk. The EF is expressed as a percentage.

Question 34

Single Loss Expectancy (SLE)

Answer 34

SLE = asset value (AV) * exposure factor (EF) The SLE is expressed in a dollar value

Question 35

Annualized Rate of Occurrence (ARO)

Answer 35

The expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year.

Question 36

Annualized Loss Expectancy

Answer 36

The annualized loss expectancy (ALE) is the possible yearly cost of all instances of a specific realized threat against a specific asset ALE= single loss expectancy (SLE) * annualized rate of occurrence (ARO)

Question 37

How should a safeguard function?

Answer 37

To reduce the ARO for any asset

Question 38

Safeguard cost/benefit formula

Answer 38

(pre-countermeasure ALE - post-countermeasure ALE) -ACS (ALEl - ALE2) - ACS

Question 39

scenario

Answer 39

a written description of a single major threat

Question 40

The Delphi technique

Answer 40

an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus

Question 41

Risk Mitigation

Answer 41

the implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats

Question 42

Risk Assignment

Answer 42

the placement of the cost of loss a | risk represents onto another entity or organization

Question 43

Risk Rejection

Answer 43

Denying that a risk exists and hoping that it will never be realized

Question 44

Risk Acceptance

Answer 44

accepting the consequences and the loss if the risk is realized

Question 45

Total risk formula

Answer 45

threats * vulnerabilities * asset value = total risk the * does not imply multiplication, but a combination function; this is not a true mathematical formula

Question 46

Residual risk formula

Answer 46

total risk - controls gap = residual risk

Question 47

controls gap

Answer 47

the amount of risk that is reduced by implementing | safeguards.

Question 48

three categories of security controls implementation include:

Answer 48

Administrative Logical/technical Physical

Question 49

Technical access control mechanisms

Answer 49

involves the hardware or software mechanisms used to manage access and to provide protection

Question 50

Administrative access control mechanisms

Answer 50

the policies and procedures defined by an organization's security policy and other regulations or requirements

Question 51

Physical access control mechanisms

Answer 51

items you can physically touch

Question 52

Types of access controls

Answer 52

``` Deterrent Preventive Detective Compensating Corrective Recovery Directive ```

Question 53

Difference between deterrent and preventive access controls

Answer 53

Deterrent controls often depend on individuals deciding not to take an unwanted action In contrast, a preventive control actually blocks the action

Question 54

Compensating access control

Answer 54

can be any control used in addition to, or in place of, another control

Question 55

What is the goal of asset valuation?

Answer 55

To assign to an asset a specific dollar value that encompasses tangible costs as well as intangible ones

Question 56

What is a risk framework?

Answer 56

A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored

Question 57

What are the six steps of the NIST SP 800-37 RMF?

Answer 57

``` Categorize the information system Select an initial set of baseline security controls Implement the security controls Assess the security controls Authorize information system operation Monitor the security controls ```

Question 58

What is the goal of security awareness?

Answer 58

The goal of creating awareness is to bring security to the forefront and make it a recognized entity for users

Question 59

Define "training"

Answer 59

Training is teaching employees to perform their work tasks and to comply with the security policy

Question 60

True or false: Training is typically hosted by an organization and is targeted to groups of employees with similar job functions

Answer 60

True

Question 61

Some partial definitions of privacy

Answer 61

Active prevention of unauthorized access to PII Freedom from unauthorized access to PII Freedom from being observed, monitored, or examined without consent or knowledge

Question 62

When addressing privacy, what two issues must be balanced?

Answer 62

there is usually a balancing act between individual rights and the rights or activities of an organization