Professionals who conduct security audits and assessments to evaluate and ensure compliance with security policies and standards.

Risk avoidance is a risk management strategy that involves taking actions to completely eliminate or withdraw from activities, processes, or situations that pose potential risks. This strategy aims to prevent exposure to certain risks by avoiding any actions or decisions that could lead to those risks.

Ensuring the randomness of session identifiers enhances the security of authentication processes, while the presence of auditing capabilities supports accountability, anomaly detection, and compliance with security policies and regulations. These measures collectively contribute to Non-repudiation

Correct Answer: Delphi Technique

The Delphi Technique is a structured and iterative forecasting or decision-making method that involves gathering input from a group of experts anonymously. A facilitator then presents a summary of their opinions, and the experts provide further feedback based on this summary. This process continues through multiple rounds until a consensus or convergence of opinions is reached.

Explanation of other options:

1. Predictive Analysis: This involves using historical data and statistical algorithms to predict future outcomes, but it does not specifically rely on iterative expert consensus.
2. Threat Modelling: This is a systematic approach to identifying potential threats and vulnerabilities within a system, focusing on understanding and mitigating risks rather than achieving a consensus.
3. Behavioral Analysis: This involves examining patterns in human or system behavior to detect anomalies or security threats, but it is not related to gathering expert opinions iteratively.

Correct Answer: Fault Tree Analysis (FTA)

Fault Tree Analysis (FTA) is a systematic method for analyzing and visually representing the potential causes of a specific undesirable event or system failure. It uses a tree-like structure to break down complex events into contributing factors, helping identify the root causes and pathways that lead to the undesired outcome. FTA is commonly used in risk assessment, safety engineering, and reliability engineering to understand and mitigate factors that can lead to failures or accidents.

Explanation of other options:

1. 1. Threat Analysis: This involves identifying and evaluating potential threats to a system or organization, focusing more on security risks than system failures or accidents.
   2. Binary Tree Analysis: A binary tree is a data structure used in computer science, not a method for analyzing causes of system failures or accidents.
   3. Malware Analysis: This involves examining and understanding malware to identify its behavior and impact, but it does not use a tree-like structure to identify root causes of system failures.

Freeware is a proprietary software that is available for use at no monetary cost. May be used without payment but may usually not be modified, re-distributed or reverse-engineered without the author’s permission

Correct Answer: Two persons review and approve the work of each other, for every sensitive operations.

The Two-man control or four-eyes principle is a security measure where two persons review and approve each other’s work for every sensitive operation. This principle is designed to prevent errors, fraud, or unauthorized actions by ensuring that no single individual has complete control over a critical task.

Explanation of other options:

1. One person creates the work and other approves for every sensitive operation: This describes a partial implementation of the principle, but two-man control requires that both individuals have equal authority to review and approve each other’s actions.
2. One person works when the other is in leave: This is unrelated to the two-man control principle, which focuses on collaboration and oversight, not replacement during absence.
3. One person does half work and other does the other half for sensitive operations: This describes a division of labor rather than a control mechanism for reviewing and approving sensitive tasks.

A trapdoor, in the context of cybersecurity, refers to a hidden and unauthorized entry point or vulnerability in a software application or system. It allows privileged access without going through standard authentication processes.

Determine who needs the information and circumstances for release is the job of the Data/Information owner

Likelihood represents the probability or likelihood of the risk event occurring.

Impact represents the consequence or impact of the risk event if it does occur.

Non-Repudiation is the right term to describe the above question

Correct Answer: Always verify, never trust – Trust is granted only after rigorous verification, regardless of whether the user is inside or outside the network.

The Zero Trust security model operates on the principle of “Always verify, never trust.” It means that trust is not automatically granted based on the location of the user (inside or outside the network). Instead, every user and device must be rigorously verified and authenticated before being granted access to resources, regardless of their location.

Explanation of other options:

1. Trust but verify – Trust is given by default to users and devices inside the network but verified for external users: This is not aligned with Zero Trust, which does not assume trust based on location. The Zero Trust model explicitly avoids trusting internal users and devices by default.
2. Least privilege access – Users and devices are given minimal access rights required to perform their tasks: While the principle of least privilege is an important component of the Zero Trust model, it does not fully describe the core principle of Zero Trust, which involves continuous verification of trust.
3. Firewall-centric security – Network security relies primarily on the use of firewalls to segregate and protect the internal network from external threats: This approach focuses on perimeter-based security, which is not in line with the Zero Trust model’s emphasis on verifying every access attempt.

A truly quantitative risk analysis in information security faces several challenges, making it difficult to achieve complete quantification. Here are some reasons why achieving a fully quantitative risk analysis is challenging due to Uncertain data, complexity of systems, human factors etc.

The correct answer is “Residual risk.”

Residual risk refers to the level of risk that remains after vulnerabilities have been identified and countermeasures (or mitigating actions) have been implemented. It’s the risk that persists even after all efforts to reduce or eliminate risk have been made, as no system is entirely free of risk.

The other terms do not specifically capture the risk remaining after mitigation measures:

1. Inherent risk is the risk before any controls or mitigations are applied.
2. Deferred risk refers to risks that may be postponed or addressed later.
3. Impact risk is not a standard term but may refer to the potential damage if a risk is realized.

The correct answer is “Policy.”

A policy is a tool used to communicate and enforce organizational and management goals and objectives at a high level. Policies provide a formal framework for decision-making and set the direction for the organization in areas such as security, compliance, and operations. They are typically broad and strategic, guiding how an organization operates and ensuring alignment with its goals.

1. Organization values define the core principles and culture.
2. Security Baseline refers to minimum security requirements.
3. Guidelines offer recommended practices, but are not mandatory like policies.