Information Security and Assurance - C725-WGU: Qs And As

Pages
111
Grade
A+
Uploaded on
10-11-2024
Written in
2024/2025

Institution
WGU C725
Course
WGU C725











Document information

Uploaded on
November 10, 2024
Number of pages
111
Written in
2024/2025
Type
Exam (elaborations)
Contains
Questions & answers

Two of the tools security specialists use to protect information systems
Right Ans - cryptography and firewalls

Security is synonymous with Right Ans - Protection, Armor, Shield terms
that impact people.

best represents the three objectives of information security Right Ans -
Confidentiality, integrity, and availability

Information Network Institute (INI) Right Ans - One major educational
institution, Carnegie Mellon, established the Information Network Institute
(INI) in 1989 as a leading research and education center in the field of
information networking.

The formal study of information security has accelerated primarily for what
reason? Right Ans - Increasingly interconnected global networks

Security administrators Right Ans - Security administrators work alongside
system administrators and database administrators to ensure that an
appropriate separation of duties can prevent abuse of privilege when new
computer systems are implemented and users begin to access these systems.
The security administrators help to establish new user accounts, ensure that
auditing mechanisms are present and operating as needed, ensure that
communications between systems are securely implemented, and assist in
troubleshooting problems and responding to incidents that could compromise
confidentiality, integrity, or availability of the systems.

Access coordinators Right Ans - are delegated the authority on behalf of a
system owner to establish and maintain the user base that is permitted to
access and use the system in the normal course of their job duties.

Security architects and network engineers Right Ans - design and
implement network infrastructures that are built with security in mind. Skills
needed here include understanding firewall designs, designing and developing
intrusion detection/prevention systems and processes, and determining how
to configure servers, desktop computers, and mobile devices to comply with
security policies.

Security consultants Right Ans - work with project-development teams to
perform risk analysis of new systems by balancing the needs of business with
the threats that stem from opening up access to data or managing new
information that could compromise the business if it fell into the wrong hands.
Security consultants are usually internal personnel who are assigned to
project-development teams and remain with the project from inception to
implementation.

Security testers Right Ans - are the white-hat hackers paid to test the
security of newly acquired and newly developed or redeveloped systems.
Testers who can mimic the activities of outside hackers are hired to find
software problems and bugs before the system is made available. Their work
reduces the likelihood that the system will be compromised when it's in day-
to-day operating mode.

Policymakers and standards developers Right Ans - are the people who
look to outside regulators and executive management to set the tone and
establish the specific rules of the road when interacting with or managing
information systems. Policymakers formally encode the policies or
management intentions in how information will be secured.

Compliance officers Right Ans - check to see that employees remain in
compliance with security policies and standards as they use information
systems in their daily work. Compliance officers usually work with outside
regulators when audits are conducted and are often charged with employee
security training and awareness programs to help maintain compliance.

Incident response team members Right Ans - are alerted when an intrusion
or security incident occurs. They decide how to stop the attack or limit the
damage as they collect and analyze forensics data while interacting with law
enforcement personnel and executive management.

Governance and vendor managers Right Ans - are needed to ensure that
outsourced functions are operating within security policies and standards.
The IT industry continues to rely on off-shore developers, managed security
services, and outsourced computer operations, so the growth of governance
personnel is assured.

Confidentiality Right Ans - is sometimes referred to as the principle of least
privilege, meaning that users should be given only enough privilege to
perform their duties, and no more. Some other synonyms for confidentiality
you might encounter include privacy, secrecy, and discretion.

Confidentiality models are primarily intended to ensure that no unauthorized
access to information is permitted and that accidental disclosure of sensitive
information is not possible. Common confidentiality controls are user IDs and
passwords.

The Three Security Goals Are Right Ans - Confidentiality, Integrity, and
Availability

CIA Triad Right Ans - these goals form the confidentiality, integrity,
availability (CIA) triad, the basis of all security programs.

Confidentiality is the concept of the measures used to ensure the protection of
the secrecy of data, objects, or resources. The goal of confidentiality
protection is to prevent or minimize unauthorized access to data.
Confidentiality focuses security measures on ensuring that no one other than
the intended recipient of a message receives it or is able to read it.

Integrity is the concept of protecting the reliability and correctness of data.
Integrity protection prevents unauthorized alterations of data. It ensures that
data remains correct, unaltered, and preserved. Properly implemented
integrity protection provides a means for authorized changes while protecting
against intended and malicious unauthorized activities (such as viruses and
intrusions) as well as mistakes made by authorized users (such as mistakes or
oversights).


Availability means authorized subjects are granted timely and uninterrupted
access to objects. Often, availability protection controls support sufficient
bandwidth and timeliness of processing as deemed necessary by the
organization or situation. If a security mechanism offers availability, it offers a
high level of assurance that the data, objects, and resources are accessible to
authorized subjects. Availability includes efficient uninterrupted access to
objects and prevention of denial-of-service (DoS) attacks. Availability also
implies that the supporting infrastructure—including network services,
communications, and access control mechanisms—is functional and allows
authorized users to gain authorized access.

Availability depends on both integrity and confidentiality. Without integrity
and confidentiality, availability cannot be maintained.

Defense in depth is needed to ensure that which three mandatory activities
are present in a security system? Right Ans - is implemented in
overlapping layers that provide the three elements needed to secure assets:
prevention, detection, and response.

Computer Security Depends on Two Types of Requirements Right Ans -
Functional requirements describe what a system should do.

Assurance requirements describe how functional requirements should be
implemented and tested.

Both sets of requirements are needed to answer the following questions:
Does the system do the right things (behave as promised)?
Does the system do the right things in the right way?

degree of a risk Right Ans - Extreme risk: Immediate action is required.

High risk: Senior management's attention is needed.

Moderate risk: Management responsibility must be specified.

Low risk: Management is handled by routine procedures.

Determining the likelihood of a risk Right Ans - Vulnerability refers to a
known problem within a system or program. A common example in InfoSec is
called the buffer overflow or buffer overrun vulnerability.

Programmers tend to be trusting and not worry about who will attack their
programs, but instead worry about who will use their programs legitimately.

Get to know the seller

Krisella Chamberlain College Of Nursing