CH 1. Security Governance Through Principles and Policies Flashcards

1
Q

Confidentiality (Definition)

A
  • measures used to ensure the protection of the secrecy of data, objects, and resources.
  • focuses security measures on ensuring that no one other than the intended recipient of a message is able to receive/read it.
2
Q

What is the goal of Confidentiality?

A
  • prevent unauthorized access to data
  • encrypts data at rest (stored on a disk)
  • encrypts data on the network (in transit)
3
Q

What does Confidentiality protection provide?

A
  • provides a means for authorized users to access and interact with resources
  • actively prevents unauthorized users from accessing and interacting with resources
4
Q

What is an access control?

A
  • the management of a relationship between subjects and objects
5
Q

What is an “object” in a security relationship?

A
  • the passive element in a security relationship
  • such as files, computers, network connections, and applications
6
Q

What is a “subject” in a security relationship?

A
  • the active element in a security relationship that acts upon or against an object
  • such as users, programs, and computers
7
Q

What are examples of attacks used to violate confidentiality?

A
  • capturing network traffic
  • stealing passwords
  • social engineering
  • port scanning
  • shoulder surfing
  • sniffing
  • escalation of privileges
8
Q

What are examples of human errors that result in a violation of confidentiality?

A
  • not encrypting data transmissions
  • not securing access points
  • backdoors in code
  • misrouted faxes
  • documents left on printers
  • not locking terminals
9
Q

What countermeasures can help ensure confidentiality against possible threats?

A
  • encryption
  • network traffic padding
  • access controls
  • authentication procedures
  • data classification
  • personnel training
  • IPsec tunnel for VPN
  • Multi-factor Authentication
10
Q

Sensitivity (Definition)

A
  • refers to the quality of information that could cause harm if disclosed
11
Q

Discretion (Definition)

A
  • an act or decision where an operator can influence or control disclosure in order to minimize harm or damage
12
Q

Criticality (Definition)

A
  • the level to which information is mission critical
  • the higher the level of criticality, the more likely the need to maintain the confidentiality of the information
13
Q

Concealment (Definition)

A
  • the act of hiding or preventing disclosure
  • often viewed as a means of cover, obfuscation, or distraction
14
Q

Security Through Obscurity (Definition)

A
  • the concept of attempting to gain protection through hiding, silence, or secrecy
  • not considered a valid security measure, but may still have value
15
Q

Secrecy (Definition)

A
  • the act of keeping something a secret or preventing the disclosure of information
16
Q

Privacy (Definition)

A
  • refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed
17
Q

Seclusion (Definition)

A
  • involves storing something in an out-of-the-way location
  • this location can also provide strict access controls
18
Q

Isolation (Definition)

A
  • the act of keeping something separated from others
  • isolation can be used to prevent commingling of information or disclosure of information (confidentiality)
19
Q

Integrity (Definition)

A
  • the concept of protecting the reliability and correctness of data
  • prevents unauthorized alteration of data
  • ensures that data remains correct, unaltered, and preserved
20
Q

What does properly implemented Integrity protection provide?

A
  • a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses or intrusions) as well as mistakes made by authorized users.
21
Q

What does a security mechanism that protects Integrity provide?

A
  • high level of assurance that the data, objects, and resources are unaltered from their original protected state.
  • prevents alterations while the object is in storage, in transit, or in process
22
Q

What are the three perspectives that Integrity is examined from?

A
  • preventing unauthorized subjects from making modifications
  • preventing authorized subjects from making unauthorized modifications (mistakes)
  • maintaining the internal and external consistency of objects so that their data is correct
23
Q

What are examples of attacks on data Integrity?

A
  • viruses
  • logic bombs
  • unauthorized access
  • errors in coding and applications
  • malicious modifications
  • intentional replacement
  • system back doors
24
Q

What are examples of unauthorized changes made by authorized users?

A
  • modifying or deleting files
  • entering invalid data
  • altering configurations
  • errors in commands, codes, and scripts
  • introducing a virus
  • executing malicious code
25
What are examples of security measures to protect against Integrity violations?
- access control
- authentication procedures
- intrusion detection
- data encryption
- hash total verifications
- interface restrictions
- personnel training
26
Accuracy (Definition)
- being correct and precise
27
Truthfulness (Definition)
- being a true reflection of reality
28
Authenticity (Definition)
- being authentic or genuine
29
Validity (Definition)
- being factually or logically sound
30
Nonrepudiation (Definition)
- not being able to deny having performed an action or activity or being able to verify the origin of a communication or event
31
Accountability (Definition)
- being responsible or obligated for actions and results
32
Responsibility (Definition)
- being in charge or having control over something or someone
33
Completeness (Definition)
- having all needed and necessary components or parts
34
Comprehensiveness (Definition)
- being complete in scope
- the full inclusion of all needed elements
35
Availability (Definition)
- authorized subjects are granted timely and uninterrupted access to objects
36
What must occur for Availability to be maintained on a system?
- controls must be in place to ensure authorized access and an acceptable level of performance
- quickly handle interruptions
- provide for redundancy
- maintain reliable backups
- prevent data loss or destruction
37
What are examples of threats to Availability?
- device failure
- software errors
- environmental issues (heat, static, flooding, power loss)
- DoS attacks
- object destruction
- communication interruptions
38
What are examples of unintended violations of Availability?
- accidentally deleting files
- overutilization of hardware or software components
- under-allocating resources
- mislabeling or incorrectly classifying objects
39
What are examples of countermeasures to prevent violations of Availability?
- access controls
- monitoring performance and network traffic
- using firewalls and routers to prevent DoS attacks
- implementing redundancy for critical systems
- maintaining and testing backup systems
- fault-tolerant disks
40
Usability (Definition)
- the state of being easy to use or learn or being able to be understood and controlled by a subject
41
Accessibility (Definition)
- the assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
42
Timeliness (Definition)
- being prompt, on time, within a reasonable time frame, or providing low-latency response
43
5 elements of AAA services?
- Identification
- Authentication
- Authorization
- Auditing
- Accounting
44
Identification
- claiming to be an identity when attempting to access a secured area or system
- the process by which a subject professes an identity and accountability is initiated
- can include: providing a username; swiping a smart card; waving a proximity device; speaking a phrase; using a biometric device
45
Authentication
- proving that you are that identity
- the process of verifying or testing that the claimed identity is valid
- most common form is a password
- identification and authentication are often used together as a single two-step process
46
Authorization
- defining permissions (i.e., allow/grant and/or deny) of resource and object access for a specific identity
- once a subject is authenticated, access must be authorized
- just because a subject has been identified and authenticated does not mean they have been authorized
47
Auditing
- recording a log of the events and activities related to the system and subjects
- the programmatic means by which a subject's actions are tracked and recorded for the purpose of holding the subject accountable for their actions while authenticated on a system
48
Accounting (aka Accountability)
- reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions
- an organization's security policy can be properly enforced only if accountability is maintained
- effective accountability relies on the capability to prove a subject's identity and track their activities
- if you are unable to legally support your security efforts, then you will be unlikely to be able to hold a human accountable for actions linked to a user account
49
Access control matrix
- compares the subject, the object, and the intended activity
- if the specific action is allowed, the subject is authorized
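The authorization check described in card 49, together with the rule from card 46 that access is authorized only once the subject is authenticated, as an added Python example that is not part of the original flashcards. The subject, object and action names, and the choice that a missing cell means deny, are assumptions made for this illustration.

```python
# Added example (not from the original flashcards): a minimal access control
# matrix and the authorization check it supports. Rows are subjects, columns
# are objects, cells are the permitted actions. The lookup is default deny: a
# (subject, object) pair with no cell, or an action not listed in the cell, is
# refused. All names below are constructed for illustration.
from typing import Dict, FrozenSet, Tuple

AccessMatrix = Dict[Tuple[str, str], FrozenSet[str]]

# Constructed sample matrix: "alice" is a payroll clerk, "bob" a web admin,
# "backup-svc" a service account that may only read payroll data.
MATRIX: AccessMatrix = {
    ("alice", "payroll.db"): frozenset({"read", "write"}),
    ("alice", "web.log"): frozenset({"read"}),
    ("bob", "web.log"): frozenset({"read", "append"}),
    ("backup-svc", "payroll.db"): frozenset({"read"}),
}


def permitted_actions(matrix: AccessMatrix, subject: str, obj: str) -> FrozenSet[str]:
    """The cell for (subject, obj); an absent cell means no access at all."""
    return matrix.get((subject, obj), frozenset())


def is_authorized(matrix: AccessMatrix, subject: str, obj: str, action: str) -> bool:
    """True only if the cell for (subject, obj) explicitly lists the action."""
    return action in permitted_actions(matrix, subject, obj)


def check_request(matrix: AccessMatrix, subject: str, authenticated: bool,
                  obj: str, action: str) -> str:
    """Authorization is only meaningful for an authenticated identity, so an
    unauthenticated request is refused before the matrix is consulted."""
    if not authenticated:
        return "deny: unauthenticated"
    if is_authorized(matrix, subject, obj, action):
        return "allow"
    return "deny: not in matrix"


def grant(matrix: AccessMatrix, subject: str, obj: str, action: str) -> None:
    """Add one action to a cell, creating the cell if needed."""
    matrix[(subject, obj)] = permitted_actions(matrix, subject, obj) | {action}


def revoke(matrix: AccessMatrix, subject: str, obj: str, action: str) -> None:
    """Remove one action; drop the cell entirely once it is empty so the
    matrix never carries an empty row that looks like a grant."""
    remaining = permitted_actions(matrix, subject, obj) - {action}
    if remaining:
        matrix[(subject, obj)] = remaining
    else:
        matrix.pop((subject, obj), None)


if __name__ == "__main__":
    for subj, obj, act in [("alice", "payroll.db", "write"),
                           ("bob", "payroll.db", "read"),
                           ("backup-svc", "payroll.db", "write")]:
        print(subj, obj, act, "->", check_request(MATRIX, subj, True, obj, act))
```

The matrix is keyed by (subject, object) so the three inputs of the check map directly onto one lookup; keeping the cells as frozensets means grant and revoke replace the cell rather than mutating it in place, which keeps the matrix easy to snapshot for audit.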
50
What is needed to hold a human accountable for their actions linked to a user account?
- multi-factor authentication
- with only a password as authentication, there is significant room for doubt, since passwords are the least secure form of authentication
- with MFA there is very little possibility that any other human could have compromised the authentication process
51
What is required for legal restitution of a computer crime?
1) demonstrate that a crime was committed
2) that the suspect committed the crime
3) that you took reasonable efforts to prevent the crime
- your organization's security needs to be legally defensible
52
Layering
- aka Defense in Depth
- the use of numerous, different controls to guard against whatever threats come to pass
- when security solutions are designed in layers, a failed control should not result in exposure of systems or data
53
Abstraction
- used for efficiency
- similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective
- thus, the concept of abstraction is used when classifying objects or assigning roles to subjects
54
Data Hiding
- the act of intentionally positioning data so that it is not viewable or accessible to an unauthorized subject
55
Security through Obscurity
- does not implement any form of protection
- it is an attempt to hope something important is not discovered by keeping knowledge of it a secret
- an example of security through obscurity is when a programmer is aware of a flaw in their software code, but they release the product anyway, hoping that no one discovers the issue and exploits it
56
Encryption
- the art and science of hiding the meaning or intent of a communication from unintended recipients.
57
What is the primary benefit of hashing?
- integrity
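Hash total verification (card 25) and the integrity benefit of hashing (card 57), shown as an added Python example that is not from the original flashcards. The sample record, the modified record and the key are constructed for this illustration. The example also shows the caveat a practitioner needs: an unkeyed hash stored next to the data is defeated by an attacker who can write both the data and the hash, which a keyed HMAC (with the key held elsewhere) prevents.

```python
# Added example (not from the original flashcards): how a hash provides the
# "hash total verification" integrity check, and why a keyed digest (HMAC) is
# needed when whoever can alter the data can also rewrite the stored digest.
# The record, the modified record and the key are constructed for illustration.
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    # compare_digest runs in constant time, so a check against an
    # attacker-supplied value does not leak how many leading characters matched.
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), expected_hex)


def rewrite_with_plain_hash(new_record: bytes) -> tuple:
    """What an attacker with write access to both the record and its stored
    hash does: replace the record and recompute the unkeyed hash to match."""
    return new_record, sha256_hex(new_record)


def demo() -> dict:
    record = b"employee=1042;salary=52000"           # constructed sample data
    modified = b"employee=1042;salary=92000"         # unauthorized change
    key = b"constructed-demo-key-held-on-a-separate-host"

    stored_hash = sha256_hex(record)                 # unkeyed digest stored with the data
    stored_mac = hmac_sha256_hex(key, record)        # keyed digest; key is never stored with the data

    results = {}
    # A plain hash catches accidental or blind modification of the record.
    results["intact_hash_ok"] = verify_hash(record, stored_hash)
    results["modified_hash_detected"] = not verify_hash(modified, stored_hash)

    # But if the attacker can also overwrite the stored hash, the check passes.
    forged_record, forged_hash = rewrite_with_plain_hash(modified)
    results["forged_plain_hash_passes"] = verify_hash(forged_record, forged_hash)

    # Without the key the attacker cannot produce a matching MAC for the new record.
    results["intact_mac_ok"] = verify_hmac(key, record, stored_mac)
    results["forged_mac_detected"] = not verify_hmac(key, forged_record, stored_mac)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The plain hash is still the right tool when the digest is held somewhere the attacker cannot write (a signed manifest, a read-only reference copy); the HMAC is what you reach for when data and digest live in the same place.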
58
What is the primary benefit of fault tolerant routers?
- availability
59
What is the primary benefit of IPsec using AES encryption?
- confidentiality
60
What is the "authentication factor"?
- the "authentication factor" used to verify identity is typically labeled as, or considered to be, private information
61
Which two security concepts are often used together, and required to gain access to a system?
- identification
- authentication
62
What are the different authentication types?
- something you know (e.g., passwords, PINs)
- something you have (e.g., keys, tokens, smart cards)
- something you are (e.g., biometrics, such as iris)
63
What does the process of authorization ensure?
- the process of authorization ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity
64
What is the difference between monitoring and auditing? Which can you do without the other?
- monitoring is a type of watching or oversight
- auditing is recording of the information into a record or file
- it is possible to monitor without auditing, but you cannot audit without some form of monitoring
65
How does Abstraction simplify security?
- by enabling you to assign security controls to a group of objects collected by type or function
66
Security Governance?
- the collection of practices related to supporting, defining, and directing the security efforts of an organization
67
Business Case?
- a documented argument or stated position in order to define a need to make a decision or take some form of action - to make a business case is to demonstrate a business-specific need to alter an existing process or choose an approach to a business task
68
What is meant by a top-down approach for security management and planning?
- senior management is responsible for initiating and defining policies for an organization
- security policies provide direction for all levels of the organization's hierarchy
- middle management fleshes out the security policy into standards, baselines, guidelines, and procedures
- the operational managers or security professionals must then implement the configurations prescribed in the security management documentation
- finally, the end users must comply with all the security policies of the organization
69
What are the three types of plans developed by the Security Management Planning team?
- Strategic plan
- Tactical plan
- Operational plan
70
Strategic Plan
- long-term plan that is fairly stable
- defines the organization's security purpose
- helps to understand the security function and align it to the goals, mission, and objectives of the organization
- useful for about 5 years if it is maintained and updated annually
- should include a risk assessment
71
Tactical Plan
- midterm plan
- developed to provide more details on accomplishing the goals of the strategic plan
- useful for about a year
- prescribes and schedules the tasks necessary to accomplish organizational goals
72
Operational Plan
- short-term
- highly detailed
- must be updated often (monthly or quarterly)
- spells out how to accomplish the various goals of the organization
- includes: resource allotments, budgetary requirements, staffing assignments, scheduling, step-by-step implementation procedures
73
What is the goal of change management?
- ensure that any change does not lead to reduced or compromised security
74
Change Management
- improves the security of an environment by protecting implemented security from unintentional, tangential, or affected reductions in security
- responsible for making it possible to roll back any change to a previous secure state
75
What is the primary purpose of Change Management?
- make all changes subject to detailed documentation and auditing and thus able to be reviewed and scrutinized by management
76
What are the requirements of Change Management?
- implement change in a monitored and orderly manner
- include a formalized testing process to verify a change produces expected results
- all changes can be reversed
- users are informed of changes before they occur
- minimize negative impacts on business
- changes are reviewed by a Change Advisory Board
77
Data Classification
- the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality
- the process of organizing items, objects, subjects, and so on into groups, categories, or collections with similarities
- some data items need more security than others
- data classification is used to determine how much effort, money, and resources are allocated to protect the data and control access to it
78
What are the benefits of Data Classification?
- demonstrates an organization's commitment to protecting valuable resources and assets
- assists in identifying those assets that are most critical or valuable to the organization
- lends credence to the selection of protection mechanisms
- often required for regulatory compliance or legal restrictions
- helps to define access levels, types of authorized uses, and parameters for declassification/destruction of resources that are no longer valuable
79
What are some criteria that can be used for data classification?
- usefulness of the data
- timeliness of the data
- value or cost of the data
- maturity or age of the data
- when data expires
- data disclosure damage assessment
- who has access to the data
- who is restricted from the data
- storage of the data
80
What are the 7 steps to implement a data classification scheme?
1. identify the custodian
2. specify the classification criteria for information
3. classify and label each resource
4. document any exceptions
5. select security controls to protect data
6. specify procedures for declassifying data
7. create an enterprise-wide awareness program
81
What are the 5 levels of government/military classification?
- mnemonic: "US Can Stop Terrorism" (Unclassified, Sensitive But Unclassified, Confidential, Secret, Top Secret)
- Top Secret (highest level): disclosure would compromise National Security (NS)
- Secret: disclosure would cause serious damage to NS
- Confidential: disclosure would cause damage to NS
- Sensitive But Unclassified: for official use only
- Unclassified: neither sensitive nor classified
82
What are the 4 levels of business classification?
- Confidential (highest): internal use only; significant impact if disclosed (e.g., proprietary data)
- Private
- Sensitive
- Public
83
COBIT
- Control Objectives for Information and Related Technology
- documented set of best IT security practices crafted by ISACA
- prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives
84
What are the 5 key principles of COBIT?
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management
85
Due Care
- using reasonable care to protect the interests of an organization
86
Due Diligence
- practicing the activities that maintain the due care effort
87
Security Policy
- a document that defines the scope of security needed by an organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection
- overview or generalization of an organization's security needs
- defines the main security objectives and outlines the security framework of an organization
88
What are examples of Security Policy uses?
- assign responsibilities
- define roles
- specify audit requirements
- outline enforcement processes
- indicate compliance requirements
- define acceptable risk levels
89
What are the three categories of Security Policy?
- regulatory
- advisory
- informative
90
Regulatory Policy
- required whenever industry or legal standards are applicable to your organization
- discusses the regulations that must be followed and outlines the procedures that should be used to elicit compliance
91
Advisory Policy
- discusses behaviors and activities that are acceptable and defines consequences of violations
- most policies are advisory
92
Informative Policy
- designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers
- provides support, research, or background information relevant to the specific elements of the overall policy
93
What is a rule of thumb for Security Policies?
- security policies should not address individuals
- instead, policies should define tasks and responsibilities to fit a role
- these defined roles are then assigned to individuals as a job description or an assigned work task
94
Acceptable Use Policy
- defines a level of acceptable performance and expectation of behavior and activity
95
Standards
- define compulsory requirements for the homogenous use of hardware, software, technology, and security controls
- tactical documents that define steps or methods to accomplish the goals and overall direction defined by security policies
96
Baseline
- defines a minimum level of security that every system throughout the organization must meet
- a more operationally focused form of a standard
- takes the goals of a security policy and the requirements of a standard and defines them specifically in the baseline as a rule against which to implement and compare IT systems
97
Guidelines
- offer recommendations on how standards and baselines are implemented and serve as an operational guide for both security professionals and users
- flexible
- outline methodologies and include suggested actions
98
Threat Modeling
- the security process where potential threats are identified, categorized, and analyzed
- can be proactive or reactive
- identifies the potential harm, probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat
99
Proactive Threat Modeling
- defensive approach
- takes place during the early stages of systems development (initial design)
- based on predicting threats and designing in specific defenses during the coding and crafting process
- more cost effective and successful
100
Reactive Threat Modeling
- adversarial approach
- takes place after a product has been created and deployed
- ethical hacking, pentesting, source code review, and fuzz testing
101
Fuzz Testing
- dynamic testing technique
- provides many different types of input to software
- stresses its limits and finds previously undetected flaws
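Fuzz testing as described in card 101, shown as an added Python example that is not taken from the original flashcards. The length-prefixed record format, the deliberately trusting parser, its hardened counterpart and the seed inputs are all constructed for this illustration, and MalformedRecord is an assumed exception type standing in for whatever a real parser documents as its rejection error. The fuzzer mutates the seeds many times, treats that documented error as correct rejection, and records any other exception as a crash along with the input that reproduces it.

```python
# Added example (not from the original flashcards): a small mutation fuzzer run
# against a constructed length-prefixed record parser. Parser, wire format,
# seeds and the hardened variant are all made up for the illustration.
import random
from typing import Callable, Dict, List, Optional


class MalformedRecord(ValueError):
    """The parser's documented way of rejecting bad input; not a crash."""


def encode_record(fields: Dict[str, bytes]) -> bytes:
    """Wire format assumed here: [name_len][name][value_len][value], repeated."""
    out = bytearray()
    for name, value in fields.items():
        out += bytes([len(name)]) + name.encode("ascii") + bytes([len(value)]) + value
    return bytes(out)


def parse_record_buggy(data: bytes) -> Dict[str, bytes]:
    """Trusts the length bytes: a length that runs past the end of the buffer
    leaves i beyond the data and data[i] raises IndexError (the latent flaw).
    A non-ASCII name also escapes as an unhandled UnicodeDecodeError."""
    fields, i = {}, 0
    while i < len(data):
        n = data[i]
        name = data[i + 1:i + 1 + n]
        i += 1 + n
        v = data[i]
        value = data[i + 1:i + 1 + v]
        i += 1 + v
        fields[name.decode("ascii")] = value
    return fields


def parse_record_hardened(data: bytes) -> Dict[str, bytes]:
    """Same format, but every length is checked against the remaining bytes and
    malformed input is rejected with MalformedRecord instead of an unhandled error."""
    fields, i = {}, 0
    while i < len(data):
        n = data[i]
        if i + 1 + n >= len(data):          # need the name plus a value-length byte
            raise MalformedRecord("truncated field name")
        name = data[i + 1:i + 1 + n]
        if not name.isascii():
            raise MalformedRecord("non-ASCII field name")
        i += 1 + n
        v = data[i]
        if i + 1 + v > len(data):
            raise MalformedRecord("truncated field value")
        fields[name.decode("ascii")] = data[i + 1:i + 1 + v]
        i += 1 + v
    return fields


def mutate(rng: random.Random, seed: bytes) -> bytes:
    """One random mutation: bit flip, interesting-byte overwrite, truncation or insertion."""
    data = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and data:
        pos = rng.randrange(len(data))
        data[pos] ^= 1 << rng.randrange(8)
    elif op == 1 and data:
        data[rng.randrange(len(data))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif op == 2 and data:
        del data[rng.randrange(len(data)):]
    else:
        pos = rng.randrange(len(data) + 1)
        data[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(data)


def reproduces(parser: Callable[[bytes], dict], case: bytes) -> Optional[str]:
    """Name of the unhandled exception the input triggers, or None."""
    try:
        parser(case)
    except MalformedRecord:
        return None                            # documented rejection, not a bug
    except Exception as exc:                   # anything else is a crash to triage
        return type(exc).__name__
    return None


def fuzz(parser: Callable[[bytes], dict], seeds: List[bytes],
         iterations: int = 1000, rng_seed: int = 1) -> Dict[str, bytes]:
    """Return {exception name: first input that triggered it}. A fixed RNG seed
    makes a run reproducible, which matters when triaging what it finds."""
    rng = random.Random(rng_seed)
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(rng, rng.choice(seeds))
        kind = reproduces(parser, case)
        if kind is not None:
            crashes.setdefault(kind, case)
    return crashes


SEEDS = [encode_record({"user": b"alice", "role": b"admin"}),   # constructed seeds
         encode_record({"k": b""})]

if __name__ == "__main__":
    for kind, case in fuzz(parse_record_buggy, SEEDS).items():
        print(f"{kind}: {case!r}")
    print("hardened:", fuzz(parse_record_hardened, SEEDS))
```

The separation between the parser's documented rejection error and everything else is what makes the crash list meaningful: a real fuzzing harness for a library would use that library's own error type in place of MalformedRecord, and anything outside it is a finding to triage.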
102
STRIDE
- threat categorization scheme developed by Microsoft
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
103
Spoofing
- an attack with the goal of gaining access to a target system through the use of a falsified identity
- results in data theft or privesc
104
What are some targets of spoofing?
- IP addresses
- MAC addresses
- usernames
- system names
- SSIDs
- email addresses
105
Tampering
- any action resulting in unauthorized changes or manipulation of data
- can be data in transit or in storage
- violates integrity and availability
106
Repudiation
- the ability of a user or attacker to deny having performed an action or activity
- allows attackers to maintain plausible deniability so as not to be held accountable for their actions
- can result in innocent third parties being blamed
107
What are some causes of Information Disclosure?
- failing to remove debugging code
- leaving sample accounts
- not sanitizing programming notes in HTML
- using hidden form fields
- detailed error messages
108
What are some means of DoS?
- flaw exploitation
- connection overload
- traffic flooding
109
What are some permanent examples of DoS attack?
- destruction of a dataset
- replacement of software with malicious alternatives
- forcing a firmware flash operation to install faulty firmware
110
PASTA
- Process for Attack Simulation and Threat Analysis
- seven-stage threat modeling methodology
- risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets being protected
111
What are the 7 steps of PASTA?
- Stage I: Definition of the Objectives (DO) for the Analysis of Risks
- Stage II: Definition of the Technical Scope (DTS)
- Stage III: Application Decomposition and Analysis (ADA)
- Stage IV: Threat Analysis (TA)
- Stage V: Weakness and Vulnerability Analysis (WVA)
- Stage VI: Attack Modeling & Simulation (AMS)
- Stage VII: Risk Analysis & Management (RAM)
112
TRIKE
- threat modeling methodology that focuses on a risk-based approach instead of depending upon the aggregated threat model used in STRIDE and DREAD
- provides a method of performing a security audit in a reliable and repeatable procedure
- used to craft an assessment of an acceptable level of risk for each class of asset that is then used to determine appropriate risk response actions
113
VAST
- Visual, Agile, and Simple Threat
- threat modeling concept based on Agile project management and programming principles
114
Reduction Analysis
- aka decomposing the application
- purpose is to gain a greater understanding of the logic of the product as well as its interactions with external elements
115
What are the 5 key concepts of Reduction Analysis?
1. Trust Boundaries
2. Data Flow Paths
3. Input Points
4. Privileged Operations
5. Details about Security Stance and Approach
116
DREAD
- rating system for threats
- scale of 1 to 100; 100 is most severe
- answers 5 questions about each threat, and a value is assigned to each question:
1. Damage potential
2. Reproducibility
3. Exploitability
4. Affected users
5. Discoverability
117
What should be considered when evaluating a third party for security integration?
- On-site Assessment
- Document Exchange and Review
- Process/Policy Review
- Third-Party Audit
118
Basic definition of Risk?
- potential/probability for loss
119
Counter measure?
- compensates for a vulnerability
120
Threat agent?
- takes advantage of a weakness
121
What are the 3 types (categories) of control?
- technical
- administrative
- physical
122
What are examples of Administrative controls?
- policies
- security awareness
- standards
- guidelines
123
What are examples of Technical controls?
- tokens
- smart cards
- biometric readers
- passwords
- encryption
- ACL on file system
124
What are examples of Physical controls?
- security guard
- locked door
- fence
125
DR
- disaster recovery
126
DRP
- disaster recovery plan
127
BC
- business continuity
128
BCP
- business continuity plan
- long-term
- makes sure that business can continue
129
BIA
- business impact analysis
- identifies all critical systems
- how long critical systems can be down and the business still survive
- regulatory requirements that apply to the business
- costs involved regarding loss if the business is down
- dependencies on other systems
130
What are the phases of a policy life cycle?
- Develop
- Publish
- Adopt
- Review
131
What does a policy need to be successful?
- endorsement from management
- relevance to the organization
- realistic
- adaptable/flexible
- enforceable; measurable
132
What are approaches to threat modeling?
- attacker perspective
- asset perspective
- architecture perspective
133
What is the "work factor"?
- when threat modeling, determining how much work it would take for an attacker to compromise a system
134
IOA
- indicator of attack
- attack is currently underway, but hasn't been completed yet
135
What is threat modeling a part of?
- due diligence
136
What are some key steps of Supply Chain Risk Management?
1. clear identification and documentation of what is outsourced
2. consider the risks and have a backup plan
3. BIA and contingency plans in case the supply chain is disrupted
137
What is a good practice to follow when selecting vendors?
- pick vendors that are following industry standards
- conduct a third-party audit of the vendor
138
What are some examples of industry standards vendors should be following?
- ISO 9001: quality standards
- ISO 27001: information security standards
139
What is the auditing standard?
- SSAE
140
What is the quality management standard?
- ISO 9001
141
What are the ISMS standards?
- ISO 27001
142
What is the association representing the accounting profession?
- AICPA