Information Assurance Quiz

Questions and Answers

The right or a permission that is granted to a system entity to access a system resource.

  • Availability
  • Authorization (correct)
  • Authentication
  • Privacy

The property that data has not been altered in an unauthorized manner.

  • Integrity (correct)
  • Confidentiality
  • Availability
  • Privacy

The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes.

  • Non-repudiation
  • Confidentiality (correct)
  • Authorization
  • Authentication

The right of an individual to control the distribution of information about themselves.

Answer: Privacy (B)

Ensuring timely and reliable access to and use of information by authorized users.

Answer: Availability (B)

Access control process that compares one or more factors of identification to validate that the identity claimed by a user or entity is known to the system.

Answer: Authentication (D)

The inability to deny taking an action, such as sending an email message.

Answer: Non-repudiation (A)

Taking action to prevent or reduce the impact of an event.

Answer: Mitigation (C)

Ignoring the risks and continuing risky activities.

Answer: Acceptance (A)

Ceasing the risky activity to remove the likelihood that an event will occur.

Answer: Avoidance (A)

An inherent weakness or flaw.

Answer: Vulnerability (A)

Something of value that is owned by an organization, including physical hardware and intellectual property.

Answer: Asset (A)

A person or entity that deliberately takes action to exploit a target.

Answer: Threat (B)

Passing risk to a third party.

Answer: Transference (C)

A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of a:

Answer: Management/Administrative control (C)

Is it possible to avoid risk?

Answer: No (D)

What is meant by non-repudiation?

Answer: If a user does something, they can't later claim that they didn't do it. (D)

Which of the following is NOT one of the four typical ways of managing risk?

Answer: Conflate (B)

What kind of risk management approach did Siobhan make?

Answer: Avoidance (D)

Guillermo is the system administrator for a midsized retail organization. Guillermo has been tasked with writing a document that describes, step-by-step, how to securely install the operating system on a new laptop. This document is an example of a

Answer: procedure (C)

Lankesh is the security administrator for a small food-distribution company. A new law is published by the country in which Lankesh's company operates; the law conflicts with the company's policies. Which governance element should Lankesh's company follow?

Answer: the law (D)

Kristal is the security administrator for a large online service provider. Kristal learns that the company is harvesting personal data of its customers and sharing the data with local governments where the company operates, without the knowledge of the users, to allow the governments to persecute users on the basis of their political and philosophical beliefs. The published user agreement states that the company will not share personal user data with any entities without the users' explicit permission. According to the (ISC)² Code of Ethics, to whom does Kristal ultimately owe a duty in this situation?

Answer: the users (C)

While taking the certification exam for this certification, you notice another candidate for the certification cheating. What should you do?

Answer: Report the candidate to (ISC)². (A)

The concept of "secrecy" is most related to which foundational aspect of security?

Answer: Confidentiality (D)

Flashcards

CIA Triad

A model for discussing security: Confidentiality, Integrity, and Availability.

Confidentiality

Protection of data from unauthorized access.

Integrity

Ensuring data remains unaltered and accurate.

Availability

Ensuring data is accessible to authorized users when needed.

Non-repudiation

Guarantee that a person cannot deny the validity of their actions.

Authentication

Process of verifying the identity of a user or entity.

Multi-Factor Authentication (MFA)

Using two or more factors to verify identity.

Risk Management

Process of identifying, assessing, and mitigating risks.

Vulnerabilities

Weaknesses that can be exploited to cause harm.

Threats

Potential causes of unwanted incidents that may result in harm.

Asset

Anything of value owned by an organization.

Risk Appetite

The amount of risk an organization is willing to take.

Mitigation

Actions taken to reduce the impact or likelihood of a risk.

Acceptance

Deciding to take no action against a risk.

Avoidance

Choosing to eliminate a risk entirely.

Transference

Passing risk to another party, often through insurance.

Physical Controls

Security mechanisms implemented physically to protect assets.

Technical Controls

Automated mechanisms for safeguarding information systems.

Administrative Controls

Policies and procedures for managing security in an organization.

Compliance

Following laws and regulations within an organization.

Standards

Recommended best practices that organizations follow.

Policies

General guidelines that govern operations in an organization.

Procedures

Step-by-step instructions for specific tasks.

(ISC)² Code of Ethics

A set of ethical guidelines members must adhere to.

Civil Liability

Legal responsibility for harm caused to another party.

Privacy

The right of individuals to control their information.

Risk Assessment

Process of identifying and evaluating risks.

Residual Risk

Risk remaining after security controls have been applied.

Governance

Framework for making decisions to achieve an organization's objectives.

Study Notes

Chapter Agenda

  • Module 1: Information Assurance
  • Module 2: Risk Management Process
  • Module 3: Security Controls
  • Module 4: Governance
  • Module 5: (ISC)² Code of Ethics
  • Module 6: Chapter Review

Module 1: Information Assurance

  • Foundation Concepts
  • CIA Triad
  • Authentication
  • Multi-Factor Authentication
  • Non-Repudiation
  • Privacy

The CIA Triad

  • Concepts to shape thinking
  • Span both logical and physical environments
  • Confidentiality
  • Integrity
  • Availability

Confidentiality

  • Protect data from unauthorized individuals
  • Protect data that needs protection

Integrity

  • Ensure data hasn't been altered
  • Ensure data is complete, accurate, internally consistent and useful for a stated purpose.

Availability

  • Ensure data is accessible to authorized users
  • Data is accessible when and where it is needed, and in the required format

Identification

  • Process for asserting an identity and having it confirmed

Multi-Factor Authentication

  • Something you know (username and password, PIN)
  • Something you have (one-time code, ID badge)
  • Something you are (fingerprint, facial recognition, iris/retinal scanning)

Authentication

  • Validating the rightful owners of an identity
  • Process to prove the identity of the requestor
  • Three common methods:
    • Something you know (passwords, passphrases)
    • Something you have (tokens, memory cards, smart cards)
    • Something you are (biometrics, measurable characteristics)

Multi-factor Authentication or Single Factor?

  • Single-factor authentication (SFA): all items come from the same factor (e.g., something you know).
  • Example: a bank asking for a username, passcode and password; all three come from “something you know.” This is SFA, not MFA.

Multi-Factor Authentication (MFA)

  • Two-factor authentication (2FA)
  • Multi-Factor authentication (MFA)
  • One-time passwords (OTP): single-use credentials used with MFA
  • Considerations:
    • Throughput
    • Acceptability
    • Accuracy

Non-Repudiation

  • Repudiate = Deny
  • Non-Repudiation = Non-Deniability
  • Transactions
  • Email

Privacy

  • The right of individuals to control the distribution of information about themselves
  • United Nations Declaration of Human Rights (UDHR) 1948, Article 12:
    • Protection from arbitrary interference with privacy, family, home, correspondence, honor and reputation
  • Personally Identifiable Information (PII)
    • Name, photo, passport number
  • Balancing society's needs against the individual's need for protection

Methods of Authentication

  • Single-factor authentication (SFA): Using only one method.
  • Multi-factor authentication (MFA): Using two or more methods.
  • Common Techniques for authentication:
    • Knowledge-based
    • Token-based
    • Characteristic-based

Non-repudiation

  • Protection against denying an action
  • Used in e-commerce and electronic transactions to ensure accountability.

Privacy

  • The right of an individual to control information about themselves.
  • Global implications due to growing digital data collection and storage.
  • Privacy and data-protection legislation and regulations carry legal considerations (e.g., GDPR).

Risk Management Terminology

  • Asset: Something needing protection
  • Vulnerability: A gap or weakness in protection.
  • Threat: Something that aims to exploit a vulnerability.
  • Risk: The intersection of threats, vulnerabilities, and assets.

Threats

  • Insider threats: deliberate acts, unintentional errors, or incompetence
  • External threats: planned or opportunistic groups and individuals
  • Formal entities: Competitors, cybercriminals, terrorists, nation-states
  • Intelligence gatherers
  • Technology: Bots, AI

Vulnerabilities

  • Weakness in systems or components
  • Security teams assess the likelihood and impact of threats in order to reduce vulnerability

Likelihood

  • Probability that a vulnerability will be exploited
  • Weighted, subjective analysis of the probability of a threat exploiting a vulnerability

Risk Assessment

  • Asset Management: Physical/tangible assets (computers, servers) and logical/intangible assets (information, network configuration)
  • Threat Management: Environmental, accidental, and intentional threats
  • Vulnerability Management: Estimating likelihood

Risk Management

  • Risk appetite/tolerance
  • Risk management responses: Accept, Avoid, Reduce (mitigate), Share (transfer, e.g., through insurance)
  • The role of security in risk management

Risk Management Context

  • Assessing risk at home: value of assets (e.g., high value vs. low value)
  • Environmental risk: Local conditions impacting risk.

Risk Identification

  • Organizational risk analysis
  • Identifying different risks

Risk Assessment

  • Identifying, estimating, and prioritizing risks to an organization's operations
  • Aligning risk with organization's goals and objectives
  • Risk of fire to a building — mitigation strategies such as fire alarms and sprinklers

Risk Treatment

  • Avoidance: Eliminating the risk entirely
  • Acceptance: No action to reduce risk
  • Mitigation: Measures to prevent or reduce risk events.
  • Transferring: Passing risk to another party (e.g., insurance)

Risk Priorities

  • Prioritizing risks through quantitative or qualitative analysis.
  • Understanding organization's mission and functions to contextualize risks.
  • Prioritizing risk responses based on likelihood and impact.

Risk Tolerance

  • Managing the quantity of risk an entity is willing to take.
  • Varies across organizations and within departments.
  • Geographical locations and threats influence risk tolerances.

Security Controls

  • Something that affects outcomes
  • Administrative controls (directive; e.g., policies and procedures)
  • Physical controls (e.g., door entry systems)
  • Technical/logical controls (e.g., encryption, firewall)

Governance Elements

  • Regulations and related governance elements: laws, policies, procedures, standards, guidelines
  • Standards: ISO 27007, ISO 27032, NIST SP 800-53, NIST Cybersecurity Framework
  • Policies, procedures and practices

(ISC)² Code of Ethics

  • Safety and welfare of society
  • Duty to principals, and to each other
  • Highest ethical standards
  • Condition of certification

Chapter 1 Review

  • Confidentiality, Integrity, Availability (CIA), and privacy (foundation concepts)
  • Authentication (various factors, implementation)
  • Risk management (threats, vulnerabilities, likelihood)

Course Summary

  • Information Assurance Principles
  • CIA Triad (confidentiality, integrity, availability)
  • Importance of Risk Management
  • Types of Security Controls (physical, technical, administrative)
  • Governance and its relation to policies, procedures, and standards.
  • Compliance with laws and regulations
  • (ISC)² Code of Ethics compliance requirements

Terms and Definitions

  • List of terms with their corresponding definitions
  • Important concepts and examples to understand the function of each

Security Principles Quiz

  • Answer keys to quiz

Related Documents

Security Principles ISC2 PDF
