CISSP Chapter 1

Question 1

Confidentiality

Answer 1

concept of the measures used to ensure the protection of the secrecy of data, objects, or resources

Question 2

Integrity

Answer 2

protecting the reliability and correctness of data

Question 3

Availability

Answer 3

subjects are granted timely and uninterrupted access to objects

Question 4

AAA

Answer 4

authentication, authorization, and accounting

Question 5

Identification

Answer 5

claiming to be an identity when attempting to access a secured area or system

Question 6

Authentication

Answer 6

is proving that you are that claimed identity

Question 7

Authorization

Answer 7

n is defining the permissions (i.e., allow/grant and/or deny) of a resource and object access for a specific identity or subject

Question 8

Auditing

Answer 8

recording a log of the events and activities related to the system and subjects.

Question 9

Accounting

Answer 9

reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions, especially
violations of organizational security policy

Question 10

Defense in depth

Answer 10

s layering, is the use of multiple controls in a series. No one
control can protect against all possible threats.

Question 11

Abstraction

Answer 11

Similar elements are put into groups, classes, or roles that
are assigned security controls, restrictions, or permissions as a collectiv

Question 12

Data hiding

Answer 12

: preventing data from being discovered or accessed
by a subject by positioning the data in a logical storage compartment that is not accessible
or seen by the subject.

Question 13

security boundary

Answer 13

ecurity boundary is the line of intersection between any two areas, subnets, or environments that have different security requirements or needs

Question 14

Security governance

Answer 14

he collection of practices related to supporting, evaluating, defining,
and directing the security efforts of an organization

Question 15

Third-party governance

Answer 15

he system of external entity oversight that may be mandated by
law, regulation, industry standards, contractual obligation, or licensing requirements

Question 16

Documentation review

Answer 16

process of reading the exchanged materials and verifying them
against standards and expectations

Question 17

security policy

Answer 17

Security management planning ensures proper creation, implementation, and enforcement

Question 18

senior management

Answer 18

The best security plan is useless without one key factor. Without senior management’s approval of and commitment to the security policy, the policy
will not succeed.

Question 19

Strategic Plan

Answer 19

A strategic plan is a long-term plan that is fairly stable. It defines the
organization’s security purpose. It defines the security function and aligns it to the goals,
mission, and objectives of the organization.

Question 20

Tactical Plan

Answer 20

The tactical plan is a midterm plan developed to provide more details on
accomplishing the goals set forth in the strategic plan, or can be crafted ad hoc based
on unpredicted events. A

Question 21

Operational Plan

Answer 21

n An operational plan is a short-term, highly detailed plan based on
the strategic and tactical plans. It is valid or useful only for a short time.

Question 22

On-Site Assessment

Answer 22

Visit the site of the organization to interview personnel a

Question 23

Document Exchange and Review

Answer 23

Investigate the means by which datasets and doc

Question 24

Process/Policy Review

Answer 24

Request copies of their security policies, processes/procedures,
and documentation of incidents and responses for review

Question 25

Third-Party Audit

Answer 25

can provide an unbiased
review of an entity’s security infrastructure

Question 26

Senior Manager

Answer 26

The organizational owner (senior manager) role is assigned to the
person who is ultimately responsible for the security maintained by an organization
and who should be most concerned about the protection of its assets

Question 27

Security Professional

Answer 27

security professional role is often filled by a team that is responsible
for designing and implementing security solutions based on the approved security policy.
Security professionals are not decision makers; they are implementers.

Question 28

Asset Owner

Answer 28

assigned to the person who is responsible for
classifying information for placement and protection within the security solution

Question 29

Custodian

Answer 29

The custodian performs all activities necessary to provide adequate protection for the CIA Triad

Question 30

User

Answer 30

The user (end user or operator) role is assigned to any person who has access
to the secured system.

Question 31

Auditor

Answer 31

An auditor is responsible for reviewing and verifying that the security policy
is properly implemented and the derived security solutions are adequate.

Question 32

NIST 800-53 Rev. 5

Answer 32

contains U.S. government–sourced general recommendations for organizational security

Question 33

The Center for Internet Security (CIS)

Answer 33

provides OS, application, and hardware security
configuration guides at

Question 34

NIST Risk Management Framework (RMF)

Answer 34

) establishes mandatory requirements for federal agencies. The
RMF has six phases: Categorize, Select, Implement, Assess, Authorize, and Monitor.

Question 35

NIST Cybersecurity Framework (CSF)

Answer 35

s designed for
critical infrastructure and commercial organizations, and consists of five functions: Identify,
Protect, Detect, Respond, and Recover. It is a prescription of operational activities that are to
be performed on an ongoing basis for the support and improvement of security over time

Question 36

International Organization for Standardization (ISO)/ International Electrotechnical
Commission (IEC) 27000

Answer 36

international standard that can be the basis of implementing organizational security and related management practices

Question 37

Information Technology Infrastructure Library

Answer 37

nitially crafted by the British government, is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change. ITIL focuses on understanding how IT and security need to be integrated with and aligned to the objectives of an organization.

Question 38

Due diligence

Answer 38

is establishing a plan, policy, and process to protect
the interests of an organization

Question 39

Due care

Answer 39

he continued application of this security structure onto the IT infrastructure
of an organization

Question 40

baseline

Answer 40

defines a minimum level of security that every system throughout the organization must meet

Question 41

Guidelines

Answer 41

A guideline
offers recommendations on how standards and baselines are implemented and serves as an
operational guide for both security professionals and users

Question 42

Standards

Answer 42

efine compulsory requirements
for the homogenous use of hardware, software, technology, and security controls

Question 43

standard operating procedure (SOP)

Answer 43

a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution

Question 44

. Threat modeling

Answer 44

performed as a proactive measure during design and development or as a reactive measure once a product has been deployed

Question 45

A defensive approach/proactive approach

Answer 45

threat modeling takes place during the early stages of systems development, specifically during initial design and specifications establishment

Question 46

(DREAD)

Answer 46

Damage Potential How severe is the damage likely to be if the threat is realized?
Reproducibility How complicated is it for attackers to reproduce the exploit?
Exploitability How hard is it to perform the attack?
Affected Users How many users are likely to be affected by the attack (as a
percentage)?
Discoverability How hard is it for an attacker to discover the weakness?

Question 47

Supply chain risk management (SCRM)

Answer 47

he means to ensure that all of the vendors or
links in the supply chain are reliable, trustworthy, reputable organizations that disclose their
practices and security requirements to their business partners

Question 48

COBIT

Answer 48

Control Objectives for Information and Related Technology (COBIT) is a documented set of
best IT security practices crafted by the Information Systems Audit and Control Association
(ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.

Question 49

STRIDE

Answer 49

spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege

Question 50

Process for Attack Simulation and Threat Analysis (PASTA)

Answer 50

PASTA is a risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected

Question 51

Visual, Agile, and Simple Threat (VAST)

Answer 51

is a threat modeling concept that integrates threat and risk management into an Agile programming environment on a scalable bas

Question 52

SD3+C

Answer 52

“Secure by Design, Secure by Default, Secure in Deployment and Communication”