Which of the following terms means that the information is accessible to those authorized to view or modify it?

Availability. Availability means that any information is accessible to those authorized to view or modify it, and it is part of the CIA triad.

Which security related phrase relates to the integrity of data?
A. Accessibility is authorized
B. Modification is authorized
C. Knowledge is authorized
D. Non-repudiation is authorized

B. Modification is authorized

Integrity means that any data is stored and transferred as intended and that any modification is authorized. Integrity is part of the CIA triad.
Availability means that any information is accessible to those authorized to view or modify it. Availability is part of the CIA triad.
Confidentiality means that certain information should only be known to certain people. Confidentiality is part of the CIA triad.
Non-repudiation means that a subject cannot deny doing something, such as creating, modifying, or sending a resource. Having a witness to signing a legal document is an example.

An engineer looks to implement security measures by following the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. When documenting the "detect" function, what does the engineer focus on?
A. Evaluate risks and threats
B. Install, operate, and decommission assets
C. Ongoing proactive monitoring
D. Restoration of systems and data

C. Ongoing proactive monitoring

Identify covers developing security policies and capabilities, evaluating risks, threats, and vulnerabilities, and recommending security controls to mitigate them.
Protect covers procuring or developing, installing, operating, and decommissioning IT hardware and software assets with security as an embedded requirement at every stage of the operations life cycle.
Detect refers to performing ongoing, proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.
Recover deals with implementing cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks. The fifth function, Respond, covers the actions taken once an incident has been detected and is not among the options.

How might the goals of a basic network management not be well-aligned with the goals of security?
A. Management focuses on confidentiality and availability.
B. Management focuses on confidentiality over availability.
C. Management focuses on integrity and confidentiality.
D. Management focuses on availability over confidentiality.

D. Management focuses on availability over confidentiality

Security is increasingly treated as a dedicated function, and system security may be a separate business unit with its own management structure.
Network management is responsible for system up-time and therefore focuses on availability; it would not normally prioritize confidentiality.
Security administrators, by contrast, focus on integrity and confidentiality, which is why the goals of basic network management are not always well-aligned with the goals of security.

Any external responsibility for an organization's security lies mainly with which individuals?
A. The owner
B. Tech staff
C. Management
D. Public relations

A. The owner

External responsibility for security (due care or liability) lies mainly with directors or owners. It is important to note that all employees share some measure of responsibility.
Technical and specialist staff have the direct responsibility for implementing, maintaining, and monitoring the policy. Security might be made a core competency of systems and network administrators, or there may be dedicated security administrators.
Managers at an organization may have responsibility for a specific domain or unit, such as building control, ICT, or accounting.
Non-technical staff have the responsibility of complying with policy and with any relevant legislation. Public relations is responsible for media communications.

What distinguishes DevSecOps from a traditional SOC?
A. Software code is the responsibility of a programming or development team.
B. Identification as a single point-of-contact for the notification of security incidents.
C. A cultural shift within an organization to encourage much more collaboration.
D. Security is a primary consideration at every stage of software development.

D. Security is a primary consideration at every stage of software development

DevSecOps extends DevOps to include security specialists and personnel, reflecting the principle that security is a primary consideration at every stage of software development and deployment.
Traditionally, software code would be the responsibility of a programming or development team. Separate development and operations departments or teams can lead to silos.
A dedicated cyber incident response team (CIRT)/computer security incident response team (CSIRT)/computer emergency response team (CERT) acts as a single point of contact for the notification of security incidents; this describes a SOC or response function rather than DevSecOps.
Development and operations (DevOps) is a cultural shift within an organization to encourage much more collaboration between developers and system administrators.

A company has an annual contract with an outside firm to perform a security audit on their network. The purpose of the annual audit is to determine if the company is in compliance with their internal directives and policies for security control. Select the broad class of security control that accurately demonstrates the purpose of the audit.
A. Managerial
B. Technical
C. Physical
D. Compensating

A. Managerial

The three broad classes of security controls are technical, operational, and managerial. Managerial controls give oversight of the information system, including risk identification and the selection of other security controls; an audit that checks compliance with internal policy is a managerial control.
Technical controls are implemented in operating systems, software, and security appliances. Examples include access control lists (ACLs) and intrusion detection systems (IDSs).
Physical controls deter access to premises and hardware. Examples include alarms, gateways, and locks.
Compensating controls substitute for a primary control that cannot be implemented as intended, for example restoring function through backups or an alternative site after an attack; they do not audit compliance.

The _____ requires federal agencies to develop security policies for computer systems that process confidential information.
A. Sarbanes-Oxley Act (SOX)
B. Computer Security Act
C. Federal Information Security Management Act (FISMA)
D. Gramm-Leach-Bliley Act (GLBA)

B. Computer Security Act

The Computer Security Act (1987) specifically requires federal agencies to develop security policies for computer systems that process confidential information.
The Sarbanes-Oxley Act (2002) mandates risk assessments, internal controls, and audit procedures for publicly traded companies; it is not specific to federal agencies.
The Federal Information Security Management Act (2002) governs the security of data processed by federal government agencies. This act requires agencies to implement an information security program.
The Gramm-Leach-Bliley Act (1999) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information.

After a poorly handled security breach, a company updates its security policy to include an improved incident response plan. Which of the following security controls does this update address?
A. Compensating
B. Deterrent
C. Corrective
D. Detective

C. Corrective

An incident response plan is corrective. It responds to and fixes an incident. It may also prevent its recurrence.
Compensating is a security control that does not prevent the attack, but rather restores the function of the system through other means, such as using data backup or an alternative site.
A deterrent is the control that may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion.
A detective is the control that may not prevent or deter access but will identify and record any attempted or successful intrusion.
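The "detect" function and the detective control class above both come down to the same mechanism: record events and raise a finding when a pattern indicates an attempted or successful intrusion. The following is an added example, not part of the original flashcards, showing a minimal detective control that scans sshd-style syslog lines for password brute-forcing followed by a successful login. The log lines are constructed for illustration, and the syslog format, the 60-second window, and the threshold of five failures are assumptions chosen for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original page), in OpenSSH/syslog style.
# 203.0.113.5 fails five times in four seconds and then logs in as root;
# 198.51.100.7 is a user who mistypes once and then authenticates with a key.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[100]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
Jan 10 10:00:02 host sshd[101]: Failed password for root from 203.0.113.5 port 50002 ssh2
Jan 10 10:00:03 host sshd[102]: Failed password for root from 203.0.113.5 port 50003 ssh2
Jan 10 10:00:04 host sshd[103]: Failed password for root from 203.0.113.5 port 50004 ssh2
Jan 10 10:00:05 host sshd[104]: Failed password for root from 203.0.113.5 port 50005 ssh2
Jan 10 10:00:09 host sshd[105]: Accepted password for root from 203.0.113.5 port 50006 ssh2
Jan 10 10:01:00 host sshd[106]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 10 10:01:30 host sshd[107]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# One regex covers both failure and success events; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted \S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port"
)


def parse_ts(ts: str) -> datetime:
    """syslog timestamps carry no year; strptime defaults to 1900, fine for deltas."""
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> dict:
    """Detective control: flag source IPs with >= threshold failures inside the
    window, and record the first successful login from a flagged IP afterwards.
    Returns {ip: {"failed": count_in_window, "success_after": user_or_None}}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unrelated or malformed line: ignore
        ts, ip, user = parse_ts(m["ts"]), m["ip"], m["user"]
        if m["event"] == "Failed password":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"failed": 0, "success_after": None})
                f["failed"] = len(q)
        elif ip in findings and findings[ip]["success_after"] is None:
            # Success after a burst of failures is the high-priority case.
            findings[ip]["success_after"] = user
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {f['failed']} failures in window, "
              f"login after burst: {f['success_after']}")
```

The control is detective only: it identifies and records the pattern but blocks nothing. Pairing it with a corrective control (locking the account, rotating the credential) or a preventive one (rate-limiting at the firewall) is what turns a finding into a response.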

The IT department head returns from an industry conference feeling inspired by a presentation on the topic of defense in depth. A meeting is scheduled with IT staff to brainstorm ideas for implementing defense in depth throughout the organization. Which of the following ideas are consistent with this industry's best practice? (Select all that apply.)
A. Provide user training on identifying cyber threats.
B. Adopt a vendor-specific stance.
C. Align administrative and technical controls with control functions.
D. Move endpoint security to the firewall.

A. Provide user training on identifying cyber threats
C. Align administrative and technical controls with control functions

Defense in depth means an attacker must get past multiple security controls to fully compromise a network. Since employees are a major source of security risk, user training is a critical component of defense in depth.
Administrative and technical controls should align with the control functions: prevent, deter, detect, correct, and compensate.
Vendor-specific policies are not consistent with defense in depth. A single vendor often means less innovation, the likelihood that some of the bundled products will be second-rate, and a monoculture in which a flaw in one supplier's code affects every layer at once.
Endpoint security is a set of security procedures and technologies designed to restrict network access at the device level. It complements rather than replaces perimeter security such as firewalls, so moving endpoint security to the firewall removes a layer instead of adding one.

Which of the following focuses exclusively on IT security, rather than IT service delivery?
A. National Institute of Standards and Technology (NIST)
B. International Organization for Standardization (ISO)
C. Control Objectives for Information and Related Technologies (COBIT)
D. Sherwood Applied Business Security Architecture (SABSA)

A. NIST

NIST is the only organization among these options that focuses solely on security within the IT governance space. Its standards are used by US federal agencies, and it publishes cybersecurity best practice guides and research.
ISO develops standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (27000 series). It is a commercial product.
COBIT is an IT governance framework with security as a core component. COBIT is published by ISACA and is also a commercial product, available through APMG International.
SABSA is a methodology for providing information assurance aligned to business needs and driven by risk analysis.

Which of the following terms means that information is stored and transferred as intended and that any modification is authorized?

Integrity means that any data is stored and transferred as intended and that any modification is authorized.

Which of the following refers to technical control?

Technical controls are implemented in hardware and software rather than through policy or procedure. Encryption, antivirus software, IDSs, firewalls, and the principle of least privilege are technical controls.

Which of the following of the CIA triad ensures that the information is correct and no unauthorized person has altered it?

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire lifecycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people.
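The integrity definitions above (and the non-repudiation definition in the first card) are easier to reason about with a concrete check. The following is an added example, not from the original flashcards, using Python's standard-library HMAC: a keyed tag detects a single flipped bit or an attacker's edit, but because the receiver holds the same key it can mint a valid tag for any message, so a MAC gives integrity without non-repudiation. The message, the shared key, and the tampering are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Added example: message, key and tampering are constructed for illustration.


def make_tag(key: bytes, message: bytes) -> bytes:
    """Integrity tag: HMAC-SHA256 over the message under a shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Recompute the tag and compare in constant time (avoids a timing side channel)."""
    return hmac.compare_digest(make_tag(key, message), received_tag)


def flip_one_bit(data: bytes, bit_index: int = 0) -> bytes:
    """Simulate corruption or tampering in transit by flipping a single bit."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def integrity_demo(key: bytes = b"") -> dict:
    """Run four checks and return which of them verify."""
    key = key or secrets.token_bytes(32)   # assumed pre-shared by sender and receiver
    original = b"transfer 100 to account 4242"
    tag = make_tag(key, original)

    # 1. Unmodified message: the tag verifies.
    intact_ok = verify_tag(key, original, tag)

    # 2. One bit changed in transit: the original tag no longer verifies.
    corrupted = flip_one_bit(original, 13)
    corrupted_ok = verify_tag(key, corrupted, tag)

    # 3. Attacker without the key rewrites the amount and guesses a tag: fails.
    altered = original.replace(b"100", b"900")
    no_key_ok = verify_tag(key, altered, secrets.token_bytes(32))

    # 4. The receiver holds the same key, so it can produce a valid tag for any
    #    message. A MAC therefore proves integrity but NOT non-repudiation; only
    #    an asymmetric signature ties a message to a single party.
    receiver_forgery_ok = verify_tag(key, altered, make_tag(key, altered))

    return {
        "intact": intact_ok,
        "corrupted": corrupted_ok,
        "no_key": no_key_ok,
        "receiver_forgery": receiver_forgery_ok,
    }


if __name__ == "__main__":
    print(integrity_demo())
```

Check 4 is the practical distinction between the two cards: if a dispute requires proving which party authored a message, a symmetric MAC is the wrong tool and a digital signature under a private key held by one party is needed.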

What is information security, and what essential protections must be in place to protect information systems from danger?

Information security protects sensitive information from unauthorized activities, including inspection, modification, recording, and any disruption or destruction. The goal is to ensure the safety and privacy of critical data such as customer account details, financial data or intellectual property.