CORRECT ANSWERS
CIA Triangle - CORRECT ANSWER-Cornerstone of infosec.
Confidentiality, Integrity, Availability
Confidentiality (CIA Triangle) - CORRECT ANSWER-
prevention of unauthorized disclosure of information; prevention
of unauthorized read access to data
Integrity (CIA Triangle) - CORRECT ANSWER-prevention of
unauthorized modification of data; prevention of unauthorized
write access to data
Availability (CIA Triangle) - CORRECT ANSWER-ensures data
is available when needed to authorized users
Opposing forces to CIA - CORRECT ANSWER-DAD:
disclosure, alteration, destruction
identification - CORRECT ANSWER-the process by which a
subject professes an identity and accountability is initiated; ex:
typing a username, swiping a smart card, waving a proximity
device (badging in), speaking a phrase, etc - always a two step
process with authenticating
authentication - CORRECT ANSWER-verification that a person
is who they say they are; ex: entering a password or PIN,
biometrics, etc - always a two step process with identifying
authorization - CORRECT ANSWER-verification of a person's
access or privileges to applicable data
,auditing (monitoring) - CORRECT ANSWER-recording a log of
the events and activities related to the system and subjects
accounting (accountability) - CORRECT ANSWER-reviewing
log files to check for compliance and violations in order to hold
subjects accountable for their actions
non-repudiation - CORRECT ANSWER-a user cannot deny
having performed a specific action
subject - CORRECT ANSWER-an entity that performs active
functions to a system; usually a person, but can also be script
or program designed to perform actions on data
object - CORRECT ANSWER-any passive data within the
system
ISC2 Code of Ethics Canons (4) - CORRECT ANSWER-1.
protect society, commonwealth, infrastructure
2. act honorably, justly, responsibly, legally
3. provide diligent and competent service
4. advance and protect the profession
strictly applied in order; exam questions in which multiple
canons could be the answer, choose the highest priority per
this order
policy - CORRECT ANSWER-mandatory high level
management directives; components of policy
1. purpose: describes the need for policy
2. scope: what systems, people, facilities, organizations are
covered
3. responsibilities: specific duties of involved parties
4. compliance: effectiveness of policy, violations of policy
,procedure - CORRECT ANSWER-low level step by step guide
for accomplishing a task
standard - CORRECT ANSWER-describes the specific use of
technology applied to hardware or software; mandatory
guideline - CORRECT ANSWER-discretionary
recommendations (e.g. not mandatory)
baseline - CORRECT ANSWER-a uniform way of implementing
a standard
3 access/security control categories - CORRECT ANSWER-1.
administrative: implemented by creating org policy, procedure,
regulation. user awareness/training also fall here
2. technical: implemented using hardware, software, firmware
that restricts logical access to a system
3. physical: locks, fences, walls, etc
preventive access control
(can be administrative, technical, physical) - CORRECT
ANSWER-prevents actions from occurring by applying
restrictions on what a user can do. example: privilege level
detective access control
(can be administrative, technical, physical) - CORRECT
ANSWER-controls that alert during or after a successful attack;
alarm systems, or closed circuit tv
corrective access control
(can be administrative, technical, physical) - CORRECT
ANSWER-repairing a damaged system; often works hand in
hand with detective controls (e.g. antivirus software)
recovery access control
, (can be administrative, technical, physical) - CORRECT
ANSWER-controls to restore a system after an incident has
occurred;
deterrent access control
(can be administrative, technical, physical) - CORRECT
ANSWER-deters users from performing actions on a system
compensating access control
(can be administrative, technical, physical) - CORRECT
ANSWER-additional control used to compensate for
weaknesses in other controls as needed
risk formula - CORRECT ANSWER-risk = threat x vulnerability
x impact
market approach (for calculating intangible assets) - CORRECT
ANSWER-assumes the fair value of an asset reflects the price
which comparable assets have been purchased in transactions
under similar circumstances
income approach (for calculating intangible assets) -
CORRECT ANSWER-the value of an asset is the present value
of the future earning capacity that an asset will generate over
the rest of its lifecycle
cost approach (for calculating intangible assets) - CORRECT
ANSWER-estimates the fair value based on cost of
replacement
exposure factor (EF) - CORRECT ANSWER-percentage of
value the asset lost due to incident
single loss expectancy (SLE) - CORRECT ANSWER-asset
value (AV) times exposure factor
AV x EF = SLE
expressed in a dollar value