WGU C725 Information Security and Assurance SET II
Questions and Answers (2022/2023) (Verified Answers)
After determining the potential attack concepts, the next step in threat modeling
is to perform ______________ analysis. ______________ analysis is also known
as decomposing the application, system, or environment. The purpose of this
task is to gain a greater understanding of the logic of the product as well as its
interactions with external elements.Also known as decomposing the application
Reduction analysis
Whether an application, a system, or an entire environment, it needs to be divided into
smaller containers or compartments. Those might be subroutines, modules, or objects if
you're focusing on software, computers, or operating systems; they might be protocols if
you're focusing on systems or networks; or they might be departments, tasks, and
networks if you're focusing on an entire business infrastructure. Each identified sub-
element should be evaluated in order to understand inputs, processing, security, data
management, storage, and outputs.
Trust Boundaries, Data Flow Paths, Input Points, Privileged Operations, Details
about Security Stance and Approach
The Five Key Concepts in the Decomposition process.
In the decomposition process, any location where the level of trust or security
changes.
Trust Boundaries
In the decomposition process, the movement of data between locations
Data Flow Paths
In the decomposition process, locations where external input is received
Input Points
In the decomposition process, any activity that requires greater privileges than of
a standard user account or process, typically required to make system changes
or alter security
Privileged Operations
In the decomposition process, the declaration of the security policy, security
foundations, and security assumptions
Details about Security Stance and Approach
The concept that most computers, devices, networks, and systems are not built
by a single entity.
supply chain
T or F
When evaluating a third party for your security integration, you should consider
the following processes:On-Site Assessment, Document Exchange and Review,
Process/Policy Review, Third-Party Audit
True
When engaging third-party assessment and monitoring services, keep in mind that the
, external entity needs to show security-mindedness in their business operations. If an
external organization is unable to manage their own internal operations on a secure
basis, how can they provide reliable security management functions for yours?
Investigate the means by which datasets and documentation are exchanged as
well as the formal processes by which they perform assessments and reviews.
Document Exchange and Review
Visit the site of the organization to interview personnel and observe their
operating habits.
On-Site Assessment
Request copies of their security policies, processes/procedures, and
documentation of incidents and responses for review.
Process/Policy Review
Having an independent third-party auditor, as defined by the American Institute of
Certified Public Accountants (AICPA), can provide an unbiased review of an
entity's security infrastructure, based on Service Organization Control (SOC)
(SOC) reports. Statement on Standards for Attestation Engagements (SSAE) is a
regulation that defines how service organizations report on their compliance
using the various SOC reports. The SSAE 16 version of the regulation, effective
June 15, 2011, was replaced by SSAE 18 as of May 1, 2017. The SOC1 and SOC2
auditing frameworks are worth considering for the purpose of a security
assessment. The SOC1 audit focuses on a description of security mechanisms to
assess their suitability. The SOC2 audit focuses on implemented security
controls in relation to availability, security, integrity, privacy, and confidentiality.
For more on SOC audits, see AICPA.For all acquisitions, establish minimum
security requirements. These should be modeled from your existing security
policy. The security requirements for new hardware, software, or services should
always meet or exceed the security of your existing infrastructure. When working
with an external service, be sure to review any service-level agreement (SLA) to
ensure that security is a prescribed component of the contracted services. This
could include customization of service-level requirements for your specific
needs.
Third-Party Audit
This is the collection of practices related to supporting, defining, and directing
the security efforts of an organization. This is closely related to and often
intertwined with corporate and IT governance.
Security governance
This is the system of oversight that may be mandated by law, regulation, industry
standards, contractual obligation, or licensing requirements. The actual method
of governance may vary, but it generally involves an outside investigator or
auditor. These auditors might be designated by a governing body or might be
consultants hired by the target organization.
Third-party governance
The process of reading the exchanged materials and verifying them against
standards and expectations. This review is typically performed before any on-site
inspection takes place. If the exchanged documentation is sufficient and meets
Questions and Answers (2022/2023) (Verified Answers)
After determining the potential attack concepts, the next step in threat modeling
is to perform ______________ analysis. ______________ analysis is also known
as decomposing the application, system, or environment. The purpose of this
task is to gain a greater understanding of the logic of the product as well as its
interactions with external elements.Also known as decomposing the application
Reduction analysis
Whether an application, a system, or an entire environment, it needs to be divided into
smaller containers or compartments. Those might be subroutines, modules, or objects if
you're focusing on software, computers, or operating systems; they might be protocols if
you're focusing on systems or networks; or they might be departments, tasks, and
networks if you're focusing on an entire business infrastructure. Each identified sub-
element should be evaluated in order to understand inputs, processing, security, data
management, storage, and outputs.
Trust Boundaries, Data Flow Paths, Input Points, Privileged Operations, Details
about Security Stance and Approach
The Five Key Concepts in the Decomposition process.
In the decomposition process, any location where the level of trust or security
changes.
Trust Boundaries
In the decomposition process, the movement of data between locations
Data Flow Paths
In the decomposition process, locations where external input is received
Input Points
In the decomposition process, any activity that requires greater privileges than of
a standard user account or process, typically required to make system changes
or alter security
Privileged Operations
In the decomposition process, the declaration of the security policy, security
foundations, and security assumptions
Details about Security Stance and Approach
The concept that most computers, devices, networks, and systems are not built
by a single entity.
supply chain
T or F
When evaluating a third party for your security integration, you should consider
the following processes:On-Site Assessment, Document Exchange and Review,
Process/Policy Review, Third-Party Audit
True
When engaging third-party assessment and monitoring services, keep in mind that the
, external entity needs to show security-mindedness in their business operations. If an
external organization is unable to manage their own internal operations on a secure
basis, how can they provide reliable security management functions for yours?
Investigate the means by which datasets and documentation are exchanged as
well as the formal processes by which they perform assessments and reviews.
Document Exchange and Review
Visit the site of the organization to interview personnel and observe their
operating habits.
On-Site Assessment
Request copies of their security policies, processes/procedures, and
documentation of incidents and responses for review.
Process/Policy Review
Having an independent third-party auditor, as defined by the American Institute of
Certified Public Accountants (AICPA), can provide an unbiased review of an
entity's security infrastructure, based on Service Organization Control (SOC)
(SOC) reports. Statement on Standards for Attestation Engagements (SSAE) is a
regulation that defines how service organizations report on their compliance
using the various SOC reports. The SSAE 16 version of the regulation, effective
June 15, 2011, was replaced by SSAE 18 as of May 1, 2017. The SOC1 and SOC2
auditing frameworks are worth considering for the purpose of a security
assessment. The SOC1 audit focuses on a description of security mechanisms to
assess their suitability. The SOC2 audit focuses on implemented security
controls in relation to availability, security, integrity, privacy, and confidentiality.
For more on SOC audits, see AICPA.For all acquisitions, establish minimum
security requirements. These should be modeled from your existing security
policy. The security requirements for new hardware, software, or services should
always meet or exceed the security of your existing infrastructure. When working
with an external service, be sure to review any service-level agreement (SLA) to
ensure that security is a prescribed component of the contracted services. This
could include customization of service-level requirements for your specific
needs.
Third-Party Audit
This is the collection of practices related to supporting, defining, and directing
the security efforts of an organization. This is closely related to and often
intertwined with corporate and IT governance.
Security governance
This is the system of oversight that may be mandated by law, regulation, industry
standards, contractual obligation, or licensing requirements. The actual method
of governance may vary, but it generally involves an outside investigator or
auditor. These auditors might be designated by a governing body or might be
consultants hired by the target organization.
Third-party governance
The process of reading the exchanged materials and verifying them against
standards and expectations. This review is typically performed before any on-site
inspection takes place. If the exchanged documentation is sufficient and meets
