Chapter 11 - Controls: Information Security

Question 1

for imformation to be useful, it must be

Answer 1

reliable

Question 2

in order to provide useful information, it must be reliable, what are the 3 criteria to be classified as reliable

Answer 2

1. Information is an accurate, complete, and timely picture of the companies activities
2. Information must be available when needed
3. Information and the system that generates it must bc safeguarded

Question 3

5 principles system reliability is based on
(trust services framework)

Answer 3

1. security
2. Confidentiality
3. Privacy
4. Processing Integrity
5. Availability

Question 4

(which of the 5 principles system reliability is based on is this)
access to the system and its data is controlled

Answer 4

Security
(most important part)

Question 5

(which of the 5 principles system reliability is based on is this)
sensitive company information is protected from unauthorized disclosure

Answer 5

Confidentiality

Question 6

(which of the 5 principles system reliability is based on is this)
confidential information about third parties collected, used, and stored in an appropriate manner and is protected from unauthorized disclosure

Answer 6

Privacy
(etc: customers, employees)

Question 7

(which of the 5 principles system reliability is based on is this)
data is processed accurately, timely, and based on proper authorization

Answer 7

Processing Integrity

Question 8

collected, used, and stored in an appropriate manner and is protected from unauthorized disclosure
system is available when needed

Answer 8

Availability

Question 9

focuses on identifying a collection of preventive, detective, and corrective controls that allows assets to be protected long enough for the company to discover an attack is underway and respond to that attack

Answer 9

Time Based Model of Security

Question 10

3 variables the time based model of security

Answer 10

1. P (time it takes an attacker to break through preventive controls
2. D (time it takes the company to realize an attack is underway
3. R = time it takes the company to respond to and stop the attack

Question 11

if P > D + R then ?

Answer 11

security procedures are effective

Question 12

employ multiple controls to prevent a single point of failure

Answer 12

defense in depth

Question 13

defense in depth is related to what

Answer 13

the 3 variables of the time based model of security

Question 14

(which one would you choose) (P > D =R)
- Control #1: increase P bt 9 minutes & decrease by 3 minutes
- Control #2: decrease D by 14 minutes
- Control #3: increase R by 8 minutes & increase P by 7 minutes

Answer 14

Control #2

Question 15

whats an advantage with the Time based model of security

Answer 15

allows to identify the most cost effective set of controls

Question 16

what are the 2 disadvantages with the Time based model of security

Answer 16

1. very difficult to assign reasonably accurate values to P,D, and R
2. I.T. changes would render the values of P, D, and R inadequate very quickly

Question 17

prevent security issues from happening

Answer 17

preventive controls

Question 18

process of identifying the identity of the person or device attemption to access system

Answer 18

authentication

Question 19

restricts the access to authenticated users to specific portions of the system and identifies actions the user can take

Answer 19

authorization

Question 20

how many examples of controls for authentication

Answer 20

4

Question 21

4 examples of controls of authentication

Answer 21

1. passwords
2. biometric identifiers (very costly & storage of data has privacy issues)
3. ID badge/card
4. multi-factor authentication

Question 22

control for authorization

Answer 22

access control matrix

Question 23

how many additional preventive controls for security

Answer 23

3

Question 24

3 additional preventive controls for security

Answer 24

1. physical access controls
2. training
3. encryption

Question 25

(which of the 3 additional preventive controls for security is this) man traps

Answer 25

physical access control

Question 26

specifically designed rooms that serve as entry way to data center

Answer 26

man traps

Question 27

(which of the 3 additional preventive controls for security is this) process of turning normal text, called plain text, into unreadable gibberish

Answer 27

encryption

Question 28

unreadable gibberish

Answer 28

cypiertext

Question 29

turns cypiertext back into plain text

Answer 29

decryption

Question 30

in order to decrypt the data what 2 things do you need

Answer 30

1. a key 2. an algorithm

Question 31

designed to discover security breaches quickly

Answer 31

detective controls

Question 32

reveiwing the logs and looking for things that appear abnormal

Answer 32

log analysis

Question 33

tracks users that attempted to access the system and the actions they attempted to perform

Answer 33

log

Question 34

designed to respond a security issues

Answer 34

corrective controls

Question 35

how many corrective control

Answer 35

2

Question 36

2 types of corrective controls

Answer 36

1. establishing a computer incident response team to respond to major security issues 2. patch management

Question 37

applying patches to known vulnerabilities in software

Answer 37

patch management

Question 38

correction to coding

Answer 38

patch