Exam (elaborations)

WGU C725 Information Security and Assurance SET II Questions and Answers (2022/2023) (Verified Answers)

Pages: 14
Grade: A+
Uploaded on: 15-02-2024
Written in: 2023/2024

WGU C725 Information Security and Assurance SET II Questions and Answers (2022/2023) (Verified Answers)

After determining the potential attack concepts, the next step in threat modeling is to perform ______________ analysis. ______________ analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements. Also known as decomposing the application.
Reduction analysis

Whether an application, a system, or an entire environment, it needs to be divided into smaller containers or compartments. Those might be subroutines, modules, or objects if you're focusing on software, computers, or operating systems; they might be protocols if you're focusing on systems or networks; or they might be departments, tasks, and networks if you're focusing on an entire business infrastructure. Each identified sub-element should be evaluated in order to understand inputs, processing, security, data management, storage, and outputs.

The Five Key Concepts in the Decomposition process.
Trust Boundaries, Data Flow Paths, Input Points, Privileged Operations, Details about Security Stance and Approach

In the decomposition process, any location where the level of trust or security changes.
Trust Boundaries

In the decomposition process, the movement of data between locations.
Data Flow Paths

In the decomposition process, locations where external input is received.
Input Points

In the decomposition process, any activity that requires greater privileges than those of a standard user account or process, typically required to make system changes or alter security.
Privileged Operations

In the decomposition process, the declaration of the security policy, security foundations, and security assumptions.
Details about Security Stance and Approach

The concept that most computers, devices, networks, and systems are not built by a single entity.
supply chain

T or F: When evaluating a third party for your security integration, you should consider the following processes: On-Site Assessment, Document Exchange and Review, Process/Policy Review, Third-Party Audit.
True

When engaging third-party assessment and monitoring services, keep in mind that the external entity needs to show security-mindedness in their business operations. If an external organization is unable to manage their own internal operations on a secure basis, how can they provide reliable security management functions for yours?

Investigate the means by which datasets and documentation are exchanged as well as the formal processes by which they perform assessments and reviews.
Document Exchange and Review

Visit the site of the organization to interview personnel and observe their operating habits.
On-Site Assessment

Request copies of their security policies, processes/procedures, and documentation of incidents and responses for review.
Process/Policy Review

Having an independent third-party auditor, as defined by the American Institute of Certified Public Accountants (AICPA), can provide an unbiased review of an entity's security infrastructure, based on Service Organization Control (SOC) reports. Statement on Standards for Attestation Engagements (SSAE) is a regulation that defines how service organizations report on their compliance using the various SOC reports. The SSAE 16 version of the regulation, effective June 15, 2011, was replaced by SSAE 18 as of May 1, 2017. The SOC1 and SOC2 auditing frameworks are worth considering for the purpose of a security assessment. The SOC1 audit focuses on a description of security mechanisms to assess their suitability. The SOC2 audit focuses on implemented security controls in relation to availability, security, integrity, privacy, and confidentiality. For more on SOC audits, see AICPA. For all acquisitions, establish minimum security requirements. These should be modeled from your existing security policy. The security requirements for new hardware, software, or services should always meet or exceed the security of your existing infrastructure. When working with an external service, be sure to review any service-level agreement (SLA) to ensure that security is a prescribed component of the contracted services. This could include customization of service-level requirements for your specific needs.
Third-Party Audit

This is the collection of practices related to supporting, defining, and directing the security efforts of an organization. This is closely related to and often intertwined with corporate and IT governance.
Security governance

This is the system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. The actual method of governance may vary, but it generally involves an outside investigator or auditor. These auditors might be designated by a governing body or might be consultants hired by the target organization.
Third-party governance

The process of reading the exchanged materials and verifying them against standards and expectations. This review is typically performed before any on-site inspection takes place. If the exchanged documentation is sufficient and meets expectations (or at least requirements), then an on-site review will be able to focus on compliance with the stated documentation.
Documentation review

The process by which the goals of risk management are achieved.
Risk Analysis

An ________ is anything within an environment that should be protected. It is anything used in a business process or task. It can be a computer file, a network service, a system resource, a process, a program, a product, an IT infrastructure, a database, a hardware device, furniture, product recipes/formulas, intellectual property, personnel, software, facilities, and so on.
Asset

A dollar value assigned to an asset based on actual cost and nonmonetary expenses. These can include costs to develop, maintain, administer, advertise, support, repair, and replace an asset; they can also include more elusive values, such as public confidence, industry support, productivity enhancement, knowledge equity, and ownership benefits.
Asset valuation

Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset. They are any action or inaction that could cause damage, destruction, alteration, loss, or disclosure of assets or that could block access to or prevent maintenance of assets. They can be large or small and result in large or small consequences. They can be intentional or accidental. They can originate from people, organizations, hardware, networks, structures, or nature.
Threats

The weakness in an asset or the absence or the weakness of a safeguard or countermeasure.
Vulnerability

Being susceptible to asset loss because of a threat.
Exposure

The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
Risk

T or F: Risk = threat * vulnerability
True

Security controls, or countermeasures, that remove or reduce a vulnerability or protect against one or more specific threats. It can be installing a software patch, making a configuration change, hiring security guards, altering the infrastructure, modifying processes, improving the security policy, training personnel more effectively, electrifying a perimeter fence, installing lights, and so on. It is any action or product that reduces risk through the elimination or lessening of a threat or a vulnerability anywhere within an organization.
Safeguards

An _______ is the exploitation of a vulnerability by a threat agent. In other words, it is any intentional attempt to exploit a vulnerability of an organization's security infrastructure to cause damage, loss, or disclosure of assets. It can also be viewed as any violation or failure to adhere to an organization's security policy.
Attack

A _______ is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. When a _________ is combined with an attack, a penetration, or intrusion, can result.
Breach

A _____________ is the condition in which a threat agent has gained access to an organization's infrastructure through the circumvention of security controls and is able to directly imperil assets.
Penetration

A type of risk analysis that assigns real dollar figures to the loss of an asset.
Quantitative risk analysis

A type of risk analysis that assigns subjective and intangible values to the loss of an asset.
Qualitative risk analysis

The six major steps or phases in quantitative risk analysis.
Step 1. Inventory assets and assign a value
Step 2. Research each asset
Step 3. Perform a threat analysis
Step 4. Derive the overall loss
Step 5. Research countermeasures
Step 6. Perform a cost/benefit analysis

A step in the quantitative risk analysis: Inventory assets, and assign a value (asset value, or AV). (Asset value is detailed further in a later section of this lesson named "Asset Valuation.")
Step 1. Inventory assets and assign a value

A step in the quantitative risk analysis: Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.
Step 5. Research countermeasures

A step in the quantitative risk analysis: Research each asset, and produce a list of all possible threats of each individual asset. For each listed threat, calculate the exposure factor (EF) and single loss expectancy (SLE).
Step 2. Research each asset

A step in the quantitative risk analysis: Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.
Step 6. Perform a cost/benefit analysis

A step in the quantitative risk analysis: Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).
Step 4. Derive the overall loss

Perform a threat analysis to calculate the likelihood of each threat being realized within a single year—that is, the annualized rate of occurrence (ARO).


Seller: QUICKEXAMINER, Walden University