IAS Midterm Reviewer (all answers lower letters)
IAS Midterm Security Quiz
Welcome to the IAS Midterm Reviewer! This comprehensive quiz is designed to test your knowledge on various aspects of application security, data privacy, and information management.
Prepare to engage with questions covering:
- Confidentiality, Integrity, Availability
- Access Control Measures
- Risk Management Strategies
It describes security measures at the application level that aim to prevent data or code within the app from being stolen or hijacked.
It is a method of guaranteeing that users are who they say they are and that they have the appropriate access to company data.
It is a set of processes and techniques used to help an organization recover from a disaster and continue or resume routine business operations.
It refers to a strategy for managing an organization's overall governance, enterprise risk management and compliance with regulations.
This domain addresses ethical behavior and compliance with regulatory frameworks. It includes the investigative measures and techniques that can be used to determine if a crime has been committed, and methods used to gather evidence.
It looks at how information security controls and safeguards are implemented in IT systems in order to protect the Confidentiality, Integrity, and Availability of the data that are used, processed, and stored in those systems.
It consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible
It describes security measures that are designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm.
It is a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them
It is the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents.
This is achieved when the recipient of a message can be confident that the message actually came from the purported sender
This is achieved when the recipient of a message can prove to an independent third party that the message actually came from the purported sender
Enumerate the 10 Steps in Developing Comprehensive Privacy Program. Type in this format: (_______) (_______) (_______). All & must be "and". No commas.
This states that no individual should possess two permissions that, in combination, allow them to perform a highly sensitive action
This is the ability to trace every action taken on a system back to an individual user without any ambiguity and without allowing the user to deny responsibility for that action
It is often called the “Prudent Man” rule, which is doing what any responsible person would do. In other words, this is implementing a security measure to mitigate a certain risk
It is essentially the management of due care. In other words, ensuring the implemented security measure was done correctly
It is the opposite of due care. If you’re not performing due care (what a prudent man would do) and you suffer a loss, you could be held legally liable.
It is used to prove identity through the use of some type of credential that is previously known by the authenticator.
3 Factors of Authentication
Something You Know
Something You Want
Something You Dream About
Something You Have
Something You Are
Something You Wish
Which are common technical controls?
Encryption
Firewall
Google Chrome
Operating System
Antivirus Software
Password Management
Hard Drive
Backups
Backlogs
Access Control Models
Physical Security Systems
This security control includes implementing different access control methods with technology you can touch
It defines the human factors of security. It involves all levels of personnel within an organization and determines which users have access to what resources and information
Which are common Logical Access Controls (select 5)
Administrative Controls
Access Control Lists
Window Group Policies
Pass Policies
Technical Controls
Account Policies
Device Policies
They are much more specific than policies. They are tactical documents because they lay out specific steps or processes required to meet a certain requirement.
It is a minimum level of security that a system, network, or device must adhere to. These are usually mapped to industry standards.
This is the most specific of security documents. This is a detailed, in-depth, step-by-step document that details exactly what is to be done.
Enumerate the Asset Identification & Classification Process. Type in this format: (_______) (_______) (_______). All & must be "and". No commas.
Enumerate the Asset Lifecycle. Type in this format: (_______) (_______) (_______). All & must be "and". No commas.
It is the use of data sets much larger than those that may be handled by conventional data processing and analytic techniques
They are the business leaders with overall responsibility for data. They set policies and guidelines for their data sets.
They handle the day-to-day data governance activities. They are delegated responsibility by data owners.
It is the process that businesses and organizations use to implement changes through building and delivering effective change strategies. It includes reviewing reasons for change, implementing changes, and helping people adapt to these changes. This could be staff structure, introducing new technology, reducing costs, increasing profits, or a combination of these to reach a desired goal.
Enumerate the 9 steps of Change Management. Type in this format: (_______) (_______) (_______). All & must be "and". No commas.
It is the analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system
It ensures that an organization’s information security controls are consistent with the laws, regulations and standards that govern the org’s activities
It is manipulating people into divulging information or performing an action that undermines security
This type of social engineering gains a victim's trust, typically by creating a backstory that makes them sound trustworthy.
This type of social engineering is a physical security attack that involves an attacker following someone into a secure or restricted area
This type of social engineering occurs when the threat actor directly observes information like log-in credentials or ATM PINs by hovering over the shoulder of the user.
This type of social engineering is present when someone is secretly listening to confidential information while others are conversing
It combines authentication techniques from two or more of the authentication categories: something you know, something you have and something you are.
This states that individuals may have accounts across multiple systems. This reduces the number of individual identities a user must have
This is an authentication system that shares a single authentication session across multiple systems, avoiding asking users to log in multiple times.
Which of these scenarios are subject to account monitoring? (select 5)
Impossible travel time logins
Unusual network locations logins
Sleeping at work
Late at morning ceremonies
Unusual time-of-day logins
Deviations from normal behavior
Deviations in Volume of Data Transferred
After onboarding, administrators create authentication credentials and grant appropriate authorization
During the offboarding process, administrators disable accounts and revoke authorizations at the appropriate time
It is an access control system where the operating system restricts authorizations based upon labels, and users are not permitted to modify those authorizations
It is an access control system where permissions may be set by the owners of files, computers and other resources
This model is based on a principle known as ‘least privilege’. An employee is only allowed to access the areas or resources necessary to perform the duties associated with their role in the business. Access can be based on factors such as an employee’s seniority, job title, or responsibilities.
models are frequently used in conjunction with other models, particularly role-based models. This hybrid approach enables administrators to set granular rules that provide additional levels of security to meet specific types of risk.
These are rules that don’t change, unless the administrator decides to make changes to meet emerging threats or new security requirements. For example, an administrator can change the rules applying to an area if it requires a higher level of security.
These are rules that can change under certain circumstances. For example, if the security system detects multiple failed attempts at authorization, the user can be denied access.
These are rules that can deny access to any user who does not have specific credentials to enter an area.
This model is often described as a more granular form of Role-Based Access Control since there are multiple that are required in order to gain access.
This is a dynamic access control model that determines access based on the level of evaluated risk involved in the transaction. One commonly used example is identifying the risk profile of the user logging in. If the device being logged in from is not recognized, that could elevate the risk to prompt additional authentication. If an action deemed high-risk occurs, such as attempting to update banking information, that could trigger more risk-based prompts.
It is any weakness in the system, design implementation, software code, or lack of preventive mechanisms
It is a type of risk that results directly from operating within a specific industry at a specific time
It is a type of risk that results from failures of internal processes, people, or systems. It can also result from unforeseen external events like a power outage or cyber attack.
It is a type of risk that involves the loss of the company's reputation or community standing from product failures, lawsuits, or negative publicity.
It is a type of threat that occurs when someone makes a mistake that hurts the security of the system
The main goal of this is to minimize the risk to an acceptable level and not necessarily to eliminate all risks
If the organization cannot afford to accept, avoid or mitigate the risk, they can transfer that risk to another business
In this case, the risk is too high to accept, the system configuration or design is changed to avoid the risk associated with a specific vulnerability
This is when the organization accepts the risk associated with a system's vulnerabilities and their associated risks
This is something senior executives do to compare one risk against another in order to make the best resourcing decisions
Enumerate the NIST RISK Management Framework Process. Type in this format: (_______) (_______) (_______). All & must be "and". No commas.
Enumerate what's included in ISO 31000 Risk Management. Type in this format: (_______) (_______) (_______). All & must be "and". No commas.
Enumerate the contents of Risk Register. Type in this format: (_______) (_______) (_______). All & must be "and". No commas.
This is the set of activities that an organization undertakes to educate itself about changes in the cybersecurity threat landscape and adapt security controls based upon that information.