107 Information Assurance

Question 1

Define IA

Answer 1

IA: Information Assurance; information operations that protect/defend data and information systems by ensuring their availability, integrity, authentication, confidentially, and non-repudation

Question 2

Define Certification

Answer 2

Comprehensive evaluation of the technical and non-technical security features

Question 3

Define Accreditation

Answer 3

Official management decision to operate an IS in a specified environment

Question 4

Define DAO (Designated Approving Official)

Answer 4

Official with authority to formally assume responsibility for operating a system at an acceptable level of risk

Question 5

What is a System Security Plan?

Answer 5

Formal document that fully describes planned security tasks

Question 6

Deinfe ATO

Answer 6

ATO: Authority to Operate; formal declaration by DAO that information system is approved to operate

Question 7

Definte IATO

Answer 7

IATO: Interim Authority to Operate; temporary authorization granted by DAA or SCO

Question 8

What is Configuration Management?

Answer 8

Identifies, controls, accounts for, and audits all changes to site or IS during its design, development & operational lifecycle

Question 9

Discuss security procedures involved when performing cross-domain transfers

Answer 9

Scan all info storage media and e-mail attachments introduced prior to its use on any SCI system

Question 10

What is Risk Management?

Answer 10

Process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions

Question 11

Define the 5 attributes of IA

Answer 11

• Confidentiality: assurance that info isn’t disclosed to unauthorized persons, process, or devices
• Integrity: assurance that info is not modified by unauthorized parties or in an unauthorized manner
• Availability: assurance of timely, reliable access to data and info systems by authorized users
• Non-repudiation: assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data
• Authentication: assurance of identify of a message sender or receiver

Question 12

List and define 9 categories of computer incidents

Answer 12

• Root level intrusion: Unauthorized (administrative) privileged access to a DoD system
• User level intrusion: Unauthorized non-privileged access to a DoD system
• Denial of service: Denies, degrades, or disrupts normal functionality of a system/network
• Malicious logic: Installation of software designed and/or deployed by adversaries with malicious intentions of gaining access to resources or info w/o consent/knowledge of user
• Unsuccessful activity attempt: Deliberate attempts to gain unauthorized access to DoD system, defeated by normal defensive mechanisms. Attacker FAILS to gain access to system
• Non-compliance activity: Potentially exposes DoD systems to increased risk as a result of action/inaction of authorized users
• Reconnaissance: Seeks to gather info used to characterize DoD systems, apps, networks, and users that may be useful in formulating an attack
• Investigating: Events that are potentially malicious or anomalous activity deemed suspicious and warrant/are undergoing further review
• Explained Anomaly: Suspicious events that are determined to be non-malicious activity and do not fit criteria for any other categories (MISC)

Question 13

Describe the DoN World Wide Web Security Policy

Answer 13

All DoN sites must have a clearly articulated purpose, approved by commander, and support command’s core competency mission

Question 14

Define IAVA

Answer 14

IAVA: Information Assurance Vulnerability Alert; an announcement of high risk computer software

Question 15

Define IAVB

Answer 15

IAVB: Information Assurance Vulnerability Bulletin; announcement of a medium risk computer

Question 16

Define CTO

Answer 16

CTO: Communications Tasking Order; DoD-wide instruction that promulgates mandatory changes and how communications are handled

Question 17

Define NTD

Answer 17

NTD: Navy Telecommunications Directive; widely disseminated naval message giving an order/direction about a certain IT function that needs to be complied with

Question 18

Define Service Pack

Answer 18

A collection of updates, fixes and/or enhancements

Question 19

Define vulnerability assessment

Answer 19

Testing process to identify weakness

Question 20

Explain the difference between vulnerability and threat

Answer 20

Vulnerability: Actual weakness in an information system
Threat: Malicious actor, circumstance or event with potential to adversely impact organizational operations

Question 21

State the duties/responsibilities of the IAM (Information Assurance Manager)

Answer 21

• Responsible for establishing, implementing & maintaining DoD info system IA program
• Must be designated in writing
• Should not be a collateral duty
• U.S. Citizen
• Hold highest clearance of highest classification of IS responsible for
• Attend DAA training

Question 22

Define CCRI

Answer 22

Command Cyber Readiness Inspection: formal inspection process that holds commanders accountable for respective security posture

Question 23

State NAVYCYBERFOR’s role in a CCRI

Answer 23

Implementing rigorous grading criteria