WGU Information Security And Assurance (C725) SET
II – Q’s And A’s
After determining the potential attack concepts, the next step in threat
modeling is to perform ______________ analysis. ______________ analysis is also
known as decomposing the application, system, or environment. The purpose
of this task is to gain a greater understanding of the logic of the product as
well as its interactions with external elements. Also known as decomposing
the application Right Ans - Reduction analysis
Whether an application, a system, or an entire environment, it needs to be
divided into smaller containers or compartments. Those might be
subroutines, modules, or objects if you're focusing on software, computers, or
operating systems; they might be protocols if you're focusing on systems or
networks; or they might be departments, tasks, and networks if you're
focusing on an entire business infrastructure. Each identified sub-element
should be evaluated in order to understand inputs, processing, security, data
management, storage, and outputs.
Trust Boundaries, Data Flow Paths, Input Points, Privileged Operations,
Details about Security Stance and Approach Right Ans - The Five Key
Concepts in the Decomposition process.
In the decomposition process, any location where the level of trust or security
changes. Right Ans - Trust Boundaries
In the decomposition process, the movement of data between locations
Right Ans - Data Flow Paths
In the decomposition process, locations where external input is received
Right Ans - Input Points
In the decomposition process, any activity that requires greater privileges
than those of a standard user account or process, typically required to make
system changes or alter security Right Ans - Privileged Operations
In the decomposition process, the declaration of the security policy, security
foundations, and security assumptions Right Ans - Details about Security
Stance and Approach
The concept that most computers, devices, networks, and systems are not
built by a single entity. Right Ans - supply chain
T or F
When evaluating a third party for your security integration, you should
consider the following processes: On-Site Assessment, Document Exchange
and Review, Process/Policy Review, Third-Party Audit Right Ans - True
When engaging third-party assessment and monitoring services, keep in mind
that the external entity needs to show security-mindedness in their business
operations. If an external organization is unable to manage their own internal
operations on a secure basis, how can they provide reliable security
management functions for yours?
Investigate the means by which datasets and documentation are exchanged as
well as the formal processes by which they perform assessments and reviews.
Right Ans - Document Exchange and Review
Visit the site of the organization to interview personnel and observe their
operating habits. Right Ans - On-Site Assessment
Request copies of their security policies, processes/procedures, and
documentation of incidents and responses for review. Right Ans -
Process/Policy Review
Having an independent third-party auditor, as defined by the American
Institute of Certified Public Accountants (AICPA), can provide an unbiased
review of an entity's security infrastructure, based on Service Organization
Control (SOC) reports. Statement on Standards for Attestation
Engagements (SSAE) is a regulation that defines how service organizations
report on their compliance using the various SOC reports. The SSAE 16
version of the regulation, effective June 15, 2011, was replaced by SSAE 18 as
of May 1, 2017. The SOC1 and SOC2 auditing frameworks are worth
considering for the purpose of a security assessment. The SOC1 audit focuses
on a description of security mechanisms to assess their suitability. The SOC2
audit focuses on implemented security controls in relation to availability,
security, integrity, privacy, and confidentiality. For more on SOC audits, see
AICPA. For all acquisitions, establish minim Right Ans - Third-Party Audit
This is the collection of practices related to supporting, defining, and directing
the security efforts of an organization. This is closely related to and often
intertwined with corporate and IT governance. Right Ans - Security
governance
This is the system of oversight that may be mandated by law, regulation,
industry standards, contractual obligation, or licensing requirements. The
actual method of governance may vary, but it generally involves an outside
investigator or auditor. These auditors might be designated by a governing
body or might be consultants hired by the target organization. Right Ans -
Third-party governance
The process of reading the exchanged materials and verifying them against
standards and expectations. This review is typically performed before any on-
site inspection takes place. If the exchanged documentation is sufficient and
meets expectations (or at least requirements), then an on-site review will be
able to focus on compliance with the stated documentation. Right Ans -
Documentation review
The process by which the goals of risk management are achieved. Right
Ans - Risk Analysis
An ________ is anything within an environment that should be protected. It is
anything used in a business process or task. It can be a computer file, a
network service, a system resource, a process, a program, a product, an IT
infrastructure, a database, a hardware device, furniture, product
recipes/formulas, intellectual property, personnel, software, facilities, and so
on. Right Ans - Asset
A dollar value assigned to an asset based on actual cost and nonmonetary
expenses. These can include costs to develop, maintain, administer, advertise,
support, repair, and replace an asset; they can also include more elusive
values, such as public confidence, industry support, productivity