CISSP Domain-1 Flashcards

1
Q

Accountability vs. Auditing

A

Auditing: recording a log of the events and activities related to the system and its subjects.

Accounting (aka accountability): reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions.

2
Q

Confidentiality

A

No unauthorized party can access the data; prevent disclosure of information.
Data at rest: encryption (AES-256)
Data in motion: secure transmission protocols (SSL, TLS, IPsec)
Data in use: clean desk, protection against shoulder surfing (screen viewing-angle protector), PC locking (automatic and when leaving)

3
Q

Integrity

A

Protection against unauthorized modification of data.

4
Q

Availability

A

Authorized people can access data when they need it.

5
Q

Threats on CIA

A

Cryptanalysis: attack on encryption
Social engineering
Keylogger
IoT: the growing number of connected devices may create a backdoor to access another device

6
Q

Non-repudiation

A

A digital signature made with my own private key.

7
Q

Framework

A

A logical structure to document and organize processes.
International framework: ISO 27000
National: NIST Cybersecurity Framework
Regulatory: FDIC Cybersecurity Assessment Tool (CAT)
Industry: HITRUST Common Security Framework (healthcare); PCI DSS (credit card industry)

8
Q

Benchmark

A

An information security benchmark is intended to help an organization identify its cybersecurity capabilities and initiatives and compare those efforts to peers or competitors in the same industry.

9
Q

CIS Benchmark

A

> Center for Internet Security
> Hardening/vulnerability checklists across all platforms
> Secure configuration guidance
> Consensus-derived checklists

10
Q

NIST SP800

A

National Institute of Standards and Technology (NIST) SP 800 series: government-sector configuration guidelines.

11
Q

NCP

A

National Checklist Program: US government repository of publicly available configuration checklists for different products.

12
Q

NIST cybersecurity framework

A

This voluntary framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk.

13
Q

HITRUST

A

HITRUST CSF is a controls-based risk management framework that aligns with and supports the NIST Framework; it is widely adopted in healthcare.

14
Q

NVD

A

NVD is the U.S. government repository of standards-based vulnerability management data, represented using the Security Content Automation Protocol (SCAP).

15
Q

Due Care vs. Due Diligence

A

Due care is what a prudent man would do under similar conditions.
Due diligence is investigation before engaging in a contract or business.

16
Q

Downstream Liability

A

When your organization's IT systems are compromised and become the source of an attack on other systems, that is called downstream liability.

17
Q

Owners/Custodian/users

A

Owners: members of management who are responsible for protecting a subset of information.
Custodians: IT staff who implement the solution and handle maintenance and monitoring.
Users: follow regular organizational policy.

18
Q

Security Governance

A

Security governance emphasizes that security is not only an IT issue. Security governance is the set of practices taken to define, support and direct the security efforts of an organization.
NIST SP 800-53 and NIST SP 800-100 are security frameworks for government and military, but they can be adopted by other organizations as well.
Security governance is managed by the board of directors.

19
Q

Security Management

A

Security management planning ensures that security policies are aligned with the goals, mission and objectives of the organization. This includes designing and implementing security based on business cases.

20
Q

Business Case

A

A documented argument that defines a need in order to make a decision. It is often required before the start of a new project and is also necessary to allocate budget.

21
Q

Key note

A

The best security plan is useless without approval from senior management.
If a company does not practice due care and due diligence, managers can be held liable for negligence and held accountable for both asset and financial losses.

22
Q

Strategic Tactical operational planning

A

Strategic planning: 5 years; should include a risk assessment.
Tactical planning: 1 year; planning to achieve the goals set in strategic planning, or can be crafted ad hoc based on unpredicted events.
Operational plans: short term (monthly, quarterly); step by step.

23
Q

Security alignment

A

Align security policies with business cases to support organizational goals.

24
Q

value delivery

A

Optimize investments in support of business objectives.

25
Q

Synergy

A

A synergy is where the whole is greater than the sum of its parts. In other words, when two or more people or organizations combine their efforts, they can accomplish more together than they can separately.

26
Q

Governance Ecosystem

A

Board of directors:
> Promoting effective governance
> Determining risk tolerance
> Allocating funds
> Ensuring compliance with laws
> Reviewing audit and examination results
> Due care and due diligence

Executive management:
> Strategic alignment
> Value delivery
> Risk management
> Process assurance

27
Q

Point to be remembered

A

The CISO must report to senior management directly, not to the CIO.

28
Q

OECD privacy principles (privacy framework; every policy follows it): eight driving principles

A

Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the Purpose Specification Principle] except: (a) with the consent of the data subject; or (b) by the authority of law.
Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
Individual Participation Principle: An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.

29
Q

Openness principle

A

The principle of openness states that an organization shall make its policies and procedures about how it manages personal information readily available. ... When providing the information, it should be available in a form that is generally understandable.

30
Q

Canada, Mexico, Europe

A

Canada: Personal Information Protection and Electronic Documents Act (PIPEDA), the protection of personal data held by companies.
Europe: the European Union Data Protection Directive, superseded by the GDPR (General Data Protection Regulation).

31
Q

OECD

A

Guidelines for privacy and trans-border flows of personal data.

32
Q

Privacy violation

A

Violation of privacy principles and regulations.

33
Q

Data compilation

A

Collection of data to be used later, for a purpose still to be determined.

34
Q

Data warehousing

A

Combines data collected from several sources and stores it in a large database.

35
Q

Data mining

A

The process of analyzing the collected data, looking for trends and correlations, resulting in metadata.

36
Q

Aggregation

A

Individual pieces of data that are combined to create a bigger picture.

37
Q

Inference

A

The ability to derive information that is not explicitly available.

38
Q

Privacy laws

A

GLBA: financial records
HIPAA: medical records
FERPA: students' educational records
Federal Privacy Act: data collected by the government
COPPA: online collection and use of data about minors under 13
GDPR: citizen privacy protection

39
Q

The Cookie Law explained

A

An HTTP cookie is a small piece of data sent from a website and stored on the user's computer by the user's web browser while the user is browsing.
The Cookie Law is a piece of privacy legislation that requires websites to get consent from visitors to store or retrieve any information on a computer, smartphone or tablet. It was designed to protect online privacy by making consumers aware of how information about them is collected and used online, and to give them a choice to allow it or not.

40
Q

Privacy statement

A

When an organization collects any PI data, it must tell:
> what information may be collected
> how the information will be used
> who the information may be shared with
> why and how third parties may use this information
> how to opt out
> a mechanism for reporting a data breach
> a commitment to data quality and data security (data is generally considered high quality if it is "fit for [its] intended uses in operations, decision making and planning")

41
Q

Computer crime

A

When a computer is used for committing a crime: 1. the computer as the target of the crime, 2. the computer as a tool for the crime.

42
Q

US federal laws for cybercrime

A

Computer Fraud and Abuse Act: unauthorized access to federal government systems, financial institution systems, or any system used for foreign currency.
Wiretap Act: unauthorized interception of digital communications.
Electronic Communications Privacy Act: unauthorized access to or damage of electronic messages in storage.
National Information Infrastructure Protection Act: primarily a federal anti-hacking statute (a law passed by the legislative body).

43
Q

Script kiddies vs. real hackers

A

The hacker or cracker will usually have a stable of scripts they can run to do whatever they want in order to perform an action while they manually do something else at the same time. A script kiddie will use, you guessed it, scripts made by actual hackers and crackers in order to get the look of a hacker. They will basically just run the script and it will do whatever it was programmed for.

44
Q

Hacktivism -> political statement

A

Hacktivism is usually directed at corporate or government targets. Hacktivists' targets include religious organizations, terrorists, drug dealers, and pedophiles. An example of hacktivism is a denial-of-service attack (DoS), which shuts down a system to prevent customer access.

45
Q

Computer as a target

A

Computer viruses
Denial-of-service attacks
Malware (malicious code)

46
Q

Computer as a tool

A

Fraud and identity theft (although this increasingly uses malware, hacking or phishing, making it an example of both "computer as target" and "computer as tool" crime)
Information warfare
Phishing scams
Spam
Propagation of illegal, obscene or offensive content, including harassment and threats

47
Q

Nation-state hackers

A

Hackers working for a government rather than for a group of criminals.

48
Q

Data breach disclosure and notification requirements to impacted parties

A

Sector specific: GLBA, HIPAA (disclosure of PII)
GDPR has data breach disclosure and notification requirements
PCI DSS has data breach notification requirements

49
Q

Hackers vs. motivation

A

1) Organized crime: financial gain
2) Nation states: fear, disruption, sabotage, influence, IP theft
3) Insider: grievance, perceived morality
4) Competitors: espionage

50
Q

Intellectual property laws protect

A

1) Patent
2) Trademark
3) Trade secret
4) Copyright
5) Software licensing

51
Q

Software licenses

A

Free software & open source: free means freedom; you can do anything, even modify and sell it. If it is open source, then you cannot sell it.
Freeware: no cost, minimal freedom, no source code.
Shareware: a program that is initially available without any cost attached, and users are encouraged to distribute copies.
Commercial.

52
Q

Software piracy

A

Unauthorized distribution and copying of copyrighted software. The DMCA (Digital Millennium Copyright Act) addresses software piracy.

53
Q

Legally enforceable software use agreement

A

EULA

54
Q

BSA, the Software Alliance

A

Developed by Microsoft; works worldwide for the protection of software IP against theft. Report software piracy at http://reporting.bsa.org

55
Q

Criminal law

A

Protects society. Punishment: monetary penalty (small to medium) plus imprisonment. Criminal laws are passed by the legislative body.

56
Q

Civil law

A

Between individuals and organizations. Outcome: severe penalty.

57
Q

CFAA

A

CFAA: Computer Fraud and Abuse Act, the first major cybercrime-related law.
Fine: $5,000.
Covers any computer used by the federal government and any computer used by a financial organization.
CFAA amendment: extended to any computer, not only federal computers; covers the creation of any type of malicious code that can harm a system; allowed imprisonment of the offenders.

58
Q

Prudent man

A

Prudent man rule: due care and due diligence; Federal Sentencing Guidelines.

59
Q

FISMA

A

Federal Information Security Management Act (FISMA): replaced the Computer Security Act and the Government Information Security Reform Act. NIST developed FISMA. Government agencies and contractors must perform periodic assessment of risk. FISMA supports BCP.

60
Q

Copyright

A

Software copyright falls under literary works.
Copyright lasts until 70 years after the last surviving author dies; for works for hire, 95 years after publication or 120 years after creation, whichever is shorter.
DMCA: Digital Millennium Copyright Act (USA). Under the DMCA, service providers cannot be blamed for copyright violations.

61
Q

Trademark

A

Trademark: logo, slogan. Use the TM symbol if you want to protect a trademark; if you want to officially register it, then USPTO and the (R) symbol. A trademark cannot be descriptive of the services and offerings. A trademark lasts 10 years.

62
Q

Patent

A

A patent protects the IP rights of the inventor for 20 years. The invention must be new, original and useful.

63
Q

Patent troll

A

A company that obtains the rights to one or more patents in order to profit by means of licensing or litigation, rather than by producing its own goods or services.

64
Q

Trade secret protection

A

The best way to protect a trade secret is an NDA. For computer software, trade secret provides the best protection; copyright covers the source code. Economic Espionage Act: this law protects trade secrets.

65
Q

Trans-border laws

A

ITAR: International Traffic in Arms Regulations, controls the export of military items.
EAR: Export Administration Regulations, controls commercial products that have a connection with military information. The Commerce Control List (CCL) is found at the US Department of Commerce.

66
Q

US privacy laws

A

4th Amendment: no one can search another's property without a warrant.
Privacy Act of 1974: applies only to government agencies.
ECPA: Electronic Communications Privacy Act of 1986; monitoring of mobile phone, email and voicemail is prohibited.

67
Q

Personal identification information

A

Personal information, including:
1. Social security number
2. Driver's license number
3. State identification card number
4. Credit card/debit card number
5. Bank account number
6. Health insurance information

68
Q

USA PATRIOT Act

A

USA PATRIOT Act: allows wiretapping; ISPs may voluntarily provide much information.

69
Q

EU citizens' privacy

A

EU citizens' data going outside the EU must be protected. Safe Harbor: agreement between the EU and the USA; the Department of Commerce certifies. GDPR replaces the Data Protection Directive; data breach notifications must be submitted to the affected personnel; the right to be forgotten requires companies to delete information.

70
Q

SOX

A

SOX: Sarbanes-Oxley Act; audit compliance for financial organizations.

71
Q

PCI DSS

A

PCI DSS 12 main requirements:
1. Install and maintain a firewall to protect cardholder data
2. Do not use vendor-supplied default passwords
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data
5. Protect all systems against malware
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Restrict physical access to cardholder data
9. Track and monitor all access to network resources and cardholder data
10. Regularly test security systems and processes
11. Maintain a policy that addresses information security for all personnel

72
Q

PII, PI, non-PII

A

The Privacy Act of 1974 limits government agencies' disclosure of user PII.
The Privacy Shield framework: for US companies to comply with EU data protection.
Personally Identifiable Information (PII) is a term used mainly within the USA; Personal Data is considered to be the European equivalent of PII.
NIST definition: "PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."
Passport: linked; birthplace: linkable.
Examples of non-PII include, but are not limited to: device IDs, IP addresses, cookies.

73
Q

Trustworthy computing

A

The term Trustworthy Computing (TwC) has been applied to computing systems that are inherently secure, available, and reliable.