Domain 2: Determining Data Security Controls

Question 1

System has been approved to meet the security requirements of the data owner

Answer 1

Certification

Question 2

Data owner’s acceptance of the certification and of the residual risk

Answer 2

Accreditation

Question 3

Risk Management framework from Carnegie Mellon University

Answer 3

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

Question 4

What’s the three phase process for managing risk according to OCTAVE?

Answer 4

Phase 1 - Identify staff knowledge, assets, and threats
Phase 2 - Identify vulnerabilities and evaluate safeguards
Phase 3 - Conduct the risk analysis and develop the risk mitigation strategy

Question 5

• Internationally agreed-upon standard for describing and testing the security of IT products
• Replaced the TCSEC (US) and ITSEC (Europe)

Answer 5

International Common Criteria

Question 6

• The system or product that is being evaluated

- International Common Criteria term

Answer 6

Target of Evaluation (ToE)

Question 7

• Documentation describing the ToE, including the security requirements and operational environment
• International Common Criteria term

Answer 7

Security target

Question 8

• Independent set of security requirements and objectives for a specific category of products or systems, such as firewalls or intrusion detection systems
• International Common Criteria term

Answer 8

Protection Profile

Question 9

• The evaluation score of the tested product or system

- International Common Criteria term

Answer 9

Evaluation Assurance Level (EAL)

Question 10

• Functionally tested

- International Common Criteria Evaluation Assurance Level (EAL)

Answer 10

EAL1

Question 11

• Structurally test

- International Common Criteria Evaluation Assurance Level (EAL)

Answer 11

EAL2

Question 12

• Methodically tested and checked

- International Common Criteria Evaluation Assurance Level (EAL)

Answer 12

EAL3

Question 13

• Methodically, designed, tested and reviewed

- International Common Criteria Evaluation Assurance Level (EAL)

Answer 13

EAL4

Question 14

• Semi Formally designed and tested

- International Common Criteria Evaluation Assurance Level (EAL)

Answer 14

EAL5

Question 15

• Semi Formally verified, designed and tested

- International Common Criteria Evaluation Assurance Level (EAL)

Answer 15

EAL6

Question 16

• Formally verified, designed, and tested

- International Common Criteria Evaluation Assurance Level (EAL)

Answer 16

EAL7

Question 17

Control framework for employing security governance best practices within an organization

Answer 17

COBIT

Question 18

What are the four COBIT domains?

Answer 18

1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate

Question 19

Framework for providing the best service in IT service management

Answer 19

Information Technology Infrastructure Library (ITIL)

Question 20

What are the five ITIL Service Management Practices?

Answer 20

1. Service Strategy - Helps IT provide services
2. Service Design - Details the infrastructure and architecture required to deliver IT services
3. Service Transition - Describes taking new projects and making them operational
4. Service Operation - Covers IT operations controls
5. Continual Service Improvement - Describes easy to improve existing IT services

Question 21

Process of determining which ports of a standard will be employed by an organization

Answer 21

Scoping

Question 22

Process of customizing a standard for an organization

Answer 22

Tailoring

Question 23

• Data stored on a media
• i.e. hard drives, external USB drives, SANs, etc
• Best protection encryption

Answer 23

Data at Rest

Question 24

• Data transmitted over a network

- Best protection end-to-end encryption

Answer 24

Data in Transit

Question 25

Data in memory or temporary storage buffers, while an application is using it.

Answer 25

Data in Use

Question 26

- An alias - i.e. In a medical database instead of referencing a patient’s personal name it could just refer to the patient as Patient 95764 in the record

Answer 26

Pseudonymization

Question 27

The process of removing all relevant data so that it is impossible to identify the original subject or person.

Answer 27

Anonymization

Question 28

Swaps data in individual data columns so that records no longer represent the actual data.

Answer 28

Data Masking

Question 29

Typically designed around a limited set of specific functions in relation to the larger product of which it's a component

Answer 29

Embedded system

Question 30

Applications, OSs, hardware sets, or networks that are configured for a specific need, capability, or function and then set to remain unaltered

Answer 30

Static environments