CSF 4003 Security and Risk Management Chapter 5 Quiz
30 Questions

Questions and Answers

What should drive the selection and implementation of security controls in EISA?

  • Business requirements (correct)
  • Technology
  • Compliance regulations
  • Industry-wide standards

What is a key component for achieving secure application development according to the text?

  • Penetration testing (correct)
  • Hardware specifications
  • Regular system updates
  • Software complexity

At what stage does EISA guidance become essential in a system's lifecycle?

  • Implementation stage
  • Maintenance stage
  • Testing stage
  • Design stage (correct)

What is a fundamental principle that EISA should be based on?

  • Risk-based approach (correct)

Which factor should determine the security levels applied to data and resources according to the text?

  • Business value (correct)

What is an often neglected aspect of achieving secure application development according to the text?

  • Architectural risk analysis (correct)

What is the main purpose of an Enterprise Information Security Architecture (EISA)?

  • To establish the strategy for protecting sensitive data and critical resources (correct)

Which is a key component of the modern approach to security architecture mentioned in the text?

  • Separating internal environment based on sensitivity (correct)

What is the traditional approach to security architecture mostly focused on?

  • Protecting the internal from the external environment (correct)

Why must an EISA be driven by business requirements?

  • To maintain required levels of Confidentiality, Integrity, Availability, and Accountability (CIAA) (correct)

Which of the following does NOT represent a key feature of Enterprise Information Security Architecture?

  • Installing point solutions for each security need (correct)

How does the modern approach to security architecture differ from the traditional approach?

  • By separating portions of the internal environment based on sensitivity (correct)

What is a security zone in the context of auditing?

  • A grouping of resources sharing the same risk profile and business function. (correct)

Why are boundaries between security zones implemented using security controls?

  • To filter inbound or outbound communications and control access to sensitive resources. (correct)

What guides the decision to place a resource into a security zone?

  • The need to avoid risk exposure. (correct)

How should data move between resources or components in different security zones?

  • Via a security control or service, even if they remain within the same security zone. (correct)

What is a key factor in determining the placement of security zone boundaries and controls?

  • The risk profile of shared resources. (correct)

Why are resources often grouped based on zones?

  • To simplify risk management as resources sharing the same risk profile are together. (correct)

What is the main purpose of patterns and baselines in guiding risk architecture decisions?

  • Provide guidance in making risk architecture decisions (correct)

Which of the following is an example of 'Infrastructure Common Services' based on the text?

  • LDAP directory services (correct)

What is the significance of distinguishing between External vs. Internal Traffic according to the text?

  • To establish logical controls for risk management (correct)

What does 'Transitive Risk' refer to according to the text?

  • Risk from neighboring or related resources (correct)

Why is it important to consider differing risk sensitivity levels when systems communicate in an enterprise environment?

  • To manage the risks associated with systems of differing sensitivity levels (correct)

'Services may have different interfaces to the outside world, and therefore different risk exposures' implies using which security strategy according to the text?

  • Least privilege principle (correct)

What must be done if a security zone boundary is traversed during data movement?

  • Enforce security controls to preserve C-I-A-A needs (correct)

In the context of data movement rules, what does Rule 3 state about the initiator and recipient of communication?

  • Both parties can impose security constraints on each other (correct)

What is one of the threats that trust relationships in information flow may present to a certain resource?

  • Mismatch in privilege levels (correct)

What do patterns and baselines provide in the context of data management?

  • Patterns represent recurring themes in data movement (correct)

When a new application tries to make changes to a system within the 'local' Windows zone, what should the user do?

  • Deny authorization for changes (correct)

What should be done if secure communication is imposed on the client's browser by a website?

  • Retrieve and verify the website's digital certificate from the CA (correct)
