CISSP Domain 1 - Flashcards

Question 1

Q

CIA - Confidentiality

Answer

A

High level of assurance that info is kept from unauthorized parties
Attacks: Shoulder surfing, social engineering, decryption, brute-force
Defense: Encryption, access controls

Question 2

Q

CIA - Confidentiality - Definition

Answer

A

High level of assurance that info is kept from unauthorized parties

Question 3

Q

CIA - Confidentiality - Attacks

Answer

A

Shoulder surfing
Social engineering
Decryption
Brute-force

Question 4

Q

CIA - Confidentiality - Defense

Answer

A

Encryption

* Access Controls

Question 5

Q

CIA - Confidentiality - Related concepts

Answer

A

Sensitivity: What could happen if this info was disclosed
Discretion: When you choose to control the information disclosure to limit damage
Concealment: Act of hiding or preventing disclosure
Secrecy: Keeping something secret
Privacy: Keeping sensible info confidential
Seclusion: Storing something in an out-of-the-way manner
Isolation: Keeping something separated from others

Question 6

Q

Sensitivity

Answer

A

What could happen if this info was disclosed

Question 7

Q

Discretion

Answer

A

When you choose to control the information disclosure to limit damage

Question 8

Q

Concealment

Answer

A

Act of hiding or preventing disclosure

Question 9

Q

Secrecy

Answer

A

Keeping something secret

Question 10

Q

Privacy

Answer

A

Keeping sensible info confidential

Question 11

Q

Seclusion

Answer

A

Storing something in an out-of-the-way location. This 
location can also provide strict access controls. Seclusion can help enforcement of 
confidentiality protections

Question 12

Q

Isolation

Answer

A

Keeping something separated from others

Question 13

Q

CIA - Integrity

Answer

A

When info remains unaltered by unauthorized parties 
Approaches: 
Preventing intentional unauthorized modification 
Preventing accidental modifications 
Ensure internal and external consistency of the information

Question 14

Q

CIA - Availability

Answer

A

<p>Usable access to a resource is always provided in a timely and uninterrupted manner<br>
* Examples:<br>
- Load Balancing<br>
- Clustering<br>
- Backups<br>
- Redundancy</p>

Question 15

Q

AAA (IAAAA)

Answer

A

- Identification: A subject claims a specific identity 

- Authentication: A subject proves he is who he claims to be 
- Authorization: Deciding what the subject can access and how can it be used 
- Auditing: Recording activities of the subject in a log 
- Accountability: Reviewing the log to check for compliance

Question 16

Q

From Vulnerability to Exposure - Vulnerability

Answer

A

A weakness in a system that allows a threat to compromise security 
Examples: 
* AP without security enabled 
* Too many ports allowed on a firewall 
* Unneeded service running on a server

Question 17

Q

From Vulnerability to Exposure - Exploit

Answer

A

Occurs when a vulnerability is taken advantage of by an attacker

Question 18

Q

From Vulnerability to Exposure - Threat

Answer

A

Danger that a vulnerability will be exploited

Question 19

Q

From Vulnerability to Exposure - Threat Agent

Answer

A

Entity that exploits a vulnerability

Question 20

Q

From Vulnerability to Exposure - Risk

Answer

A

The likelihood that a threat agent will exploit a vulnerability combined with the damage that could result

Question 21

Q

From Vulnerability to Exposure - Exposure

Answer

A

Single real-world instance of a vulnerability being exploited by a threat agent

Question 22

Q

From Vulnerability to Exposure - Control

Answer

A

Countermeasure put into place to mitigate the risk

Question 23

Q

Controls - Categories

Answer

A

* Administrative Controls: Controls put in place by management 
Examples 
Training 
Security Policy 
* Technical Controls: Software elements such as hashing, encryption or authentication enforcement 
* Physical Controls: Controls that are physical 
* Examples 
- Lighting 
- Fences 
- Keycards 
- Security Guards

Question 24

Q

Controls - Functions

Answer

A

* Preventative: Avoid an incident 

* Corrective: Fix a component or system 
* Deterrent: Discourage an attacker 
* Detective: Identify an intruder 
* Recovery: Bring environment back to normal operation 
* Compensating: Alternative control if the first choice is unavailable

Question 25

Q

Security Frameworks - ISO 27000 Series - BS7799

Answer

A

* Created in 1995 
* Published by British Standards Institute 
* Outlines how an ISMS should be created and maintained 
* Part 1 
Describes controls 
* Part 2 
Shows how an ISMS can be setup

Question 26

Q

Security Frameworks - ISO 27000 Series (1-8,11, 14-15,31-35,37,799)

Answer

A

<p>ISO 27000<br>
Overview and vocabulary for the rest of the 27000 series<br>
ISO 27001<br>
Standard for creation, implementation, control and improvement of ISMS<br>
ISO 27002<br>
General guidelines for implementing an ISMS<br>
ISO 27003<br>
ISMS implementation<br>
ISO 27004<br>
ISMS measurement<br>
ISO 27005<br>
Risk management<br>
ISO 27006<br>
Certification body requirements<br>
ISO 27007<br>
ISMS auditing<br>
ISO 27008<br>
Guidance for auditors<br>
ISO 27011<br>
Telecommunications organizations<br>
ISO 27014<br>
Information security governance<br>
ISO 27015<br>
Financial sector<br>
ISO 27031<br>
Business continuity<br>
ISO 27032<br>
Cybersecurity<br>
ISO 27033<br>
Network security<br>
ISO 27034<br>
Application security<br>
ISO 27035<br>
Incident management<br>
ISO 27037<br>
Digital evidence collection and preservation<br>
ISO 27799<br>
Health organizations</p>

Question 27

Q

ISO 27000

Answer

A

Overview and vocabulary for the rest of the 27000 series

Question 28

Q

ISO 27001

Answer

A

Standard for creation, implementation, control and improvement of ISMS

Question 29

Q

ISO 27002

Answer

A

General guidelines for implementing an ISMS

Question 30

Q

ISO 27003

Answer

A

ISMS implementation

Question 31

Q

ISO 27004

Answer

A

ISMS measurement

Question 32

Q

ISO 27005

Answer

A

Risk management

Question 33

Q

ISO 27006

Answer

A

Certification body requirements

Question 34

Q

ISO 27007

Answer

A

ISMS auditing

Question 35

Q

ISO 27008

Answer

A

Guidance for auditors

Question 36

Q

ISO 27011

Answer

A

Telecommunications organizations

Question 37

Q

ISO 27014

Answer

A

Information security governance

Question 38

Q

ISO 27015

Answer

A

Financial sector

Question 39

Q

ISO 27031

Answer

A

Business continuity

Question 40

Q

ISO 27032

Answer

A

Cybersecurity

Question 41

Q

ISO 27033

Answer

A

Network security

Question 42

Q

ISO 27034

Answer

A

Application security

Question 43

Q

ISO 27035

Answer

A

Incident management

Question 44

Q

ISO 27037

Answer

A

Digital evidence collection and preservation

Question 45

Q

ISO 27799

Answer

A

Health organizations

Question 46

Q

Security Frameworks - Enterprise Architecture Development - Introduction

Answer

A

* Addresses the structure and behavior of an organization 

* It's a guidance on how to build an architecture 
* Allows each group of people within an organization to view the business in terms they can understand

Question 47

Q

Security Frameworks - Enterprise Architecture Development - Zachman

Answer

A

* Created by John Zachman in the 80s 
* This framework is not security oriented, but it is a good template to work with because it offers direction on how to understand an actual enterprise in a modular fashion 
* 2-dimensional matrix 
X-axis 
5 different audiences 
Y-axis 
6 different views

Question 48

Q

Security Frameworks - Enterprise Architecture Development - Zachman (audiencies - views)

Answer

A

Audiences: 

* Executives 
* Business Managers 
* System Architects 
* Engineers 
* Technicians 
* Entire enterprise

Views 

* What 
* How 
* Where 
* Who 
* When 
* Why

Question 49

Q

Security Frameworks - Enterprise Architecture Development - TOGAF

Answer

A

* Created by US DoD 
* Architecture types 
Business 
Data 
Application 
Technology 
* Architecture Development Method (ADM) 
Used to create each type 
The last step feeds back into the first step 
After each iteration, the process has been improved to reflect changing requirements 
Each iteration addresses each of the four views

Question 50

Q

Security Frameworks - Enterprise Architecture Development - Military Oriented

Answer

A

* Department of Defense Architecture Framework: 
- Involves things as command, control, surveillance and reconnaissance 
- One of its primary objectives is to ensure a common communication protocol and standard payloads 
* Ministry of Defence Architecture Framework 
- British version of DoDAF

Question 51

Q

Security Frameworks - Enterprise Architecture Development - Sherwood Applied Business Security Architecture (SABSA)

Answer

A

<p>* It's an Enterprise Security Architecture: Ensures an organization has an effective ISMS in place<br>
* Similar to Zachman<br>
* Views:<br>
- Assets (What)<br>
- Motivation (Why)<br>
- Process (How)<br>
- People (Who)<br>
- Location (Where)<br>
Time (When)<br>
* Y-Axis from wide to narrow<br>
- Contextual<br>
- Conceptual<br>
- Logical<br>
- Physical<br>
- Component<br>
- Operational<br>
* Difference between SABSA and the others<br>
- It is also a methodology<br>
- Provides an actual process to follow<br>
- It is geared toward security</p>

Question 52

Q

Security Frameworks - Architecture Framework Terms

Answer

A

* Strategic Alignment: An architecture is strategically aligned when it meets the needs of the business and all legal or regulatory requirements 

* Business Enablement: A good security architecture must enable the business to thrive by not getting in the way, but still providing proper security 
* Process Enhancement: Security forces us to take a closer look at existing processes. This could lead us to improve them 
* Security Effectiveness: Most quantifiable of the attributes. Examples: ROI, SLA achievements

Question 53

Q

Security Frameworks - Frameworks for Implementation

Answer

A

* COSO Internal Control 

* COBIT 
* NIST SP 800-53

Question 54

Q

Security Frameworks - Frameworks for Implementation - COSO IC

Answer

A

<p>* Identifies 17 control principles grouped into 5 categories<br>
* Created in the 80s as a result of financial fraud<br>
* Provides Corporate Governance<br>
* Categories<br>
- Control Environments<br>
- Risk Assessments<br>
- Control Activities<br>
- Information and Communication<br>
- Monitoring Activities</p>

Question 55

Q

Security Frameworks - Frameworks for Implementation - COBIT

Answer

A

* Created by ISACA and ITGI 
* Defines 17 enterprise and 17 IT goals 
* It's not strictly security related 
* It is an IT related subset of COSO IC 
* Principles 
Meeting stakeholder needs 
Covering the enterprise end-to-end 
Applying a single integrated framework 
Enabling a holistic approach 
Separating governance from management

Question 56

Q

Security Frameworks - Frameworks for Implementation - NIST SP 800-53

Answer

A

* Created by the US government 

* Specifies the control that federal agencies must implement 
* If an agency doesn't comply, they are violating the FISMA (Federal Information Security Management Act of 2002) 
* Contains a list of 18 control categories

Question 57

Q

Security Frameworks - Frameworks for Implementation - Private vs Federal controls

Answer

A

<p>Administrative = Management<br>
Technical = Technical<br>
Physical = Operational</p>

Question 58

Q

Security Frameworks - Process Development

Answer

A

* ITIL 

* Six Sigma 
* Capability Maturity Model Integration (CMMI)

Question 59

Q

Security Frameworks - Process Development - ITIL

Answer

A

* Developed in the UK in the 80s 
* De facto standard for IT management best practices 
* Focuses on achieving SLAs between the IT department and its customer 
* Stages 
- Design 
- Transition 
- Operation 
* Each stage has between 3 and 5 steps

Question 60

Q

Security Frameworks - Process Development - Six Sigma

Answer

A

* Measures process quality by using statistical calculations 
* A sigma rating is applied to a process to indicate the percentage of defects it contains

Question 61

Q

Security Frameworks - Process Development - Capability Maturity Model Integration (CMMI)

Answer

A

* Created by Carnegie Mellon for US DoD 
* Determines the maturity of an organization's processes 
* Designed to make improvements in an incremental and standard manner 
* Levels: 
- Level 0: Nonexistent Management 
- Level 1: Unpredictable Processes 
- Level 2: Repeatable Processes 
- Level 3: Defined Processes 
- Level 4: Managed Processes 
- Level 5: Optimized Processes

Question 62

Q

Security Frameworks - The Process Life Cycle

Answer

A

* Focuses on how to keep processes up-to-date and healthy 

* Four steps, and the last one feeds right back into the first one to start a new iteration 
* Steps: Plan, Implement, Operate, Evaluate

Question 63

Q

Security Frameworks - The Process Life Cycle - Steps - 1: Plan (6)

Answer

A

- Establish MGMT and oversight committees 
- Identify business drivers and threats 
- Perform a risk assessment 
- Create security architectures for the business, data, application and infrastructure 
- Select possible solutions for the problems identified 
- Get mgmt approval to move to the next steps

Question 64

Q

Security Frameworks - The Process Life Cycle - Steps - 2: Implement (8)

Answer

A

- Assign duties 
- Establish baselines 
- Put security policies into operation 
- Identify data that needs to be secured 
- Create blueprints 
- Implement controls based on the blueprints 
- Implement solutions to monitor the controls based on the blueprints 
- Establish goals, SLAs and metrics based on the blueprints

Answer 65

A

- Follow established procedures to ensure baselines met the blueprints 
- Execute audits 
- Execute tasks defined by the blueprints 
- Ensure SLAs are met

Answer 66

A

- Review logs, audit results, metrics and SLAs 

- Determine if the blueprint goals have been met 
- Hold quarterly meetings with the steering committee 
- Identify actions to improve as an input into the first step

Answer 67

A

Any law that deals with computer-based crime

Answer 68

A

* Computer-assisted: Computer is a tool 
- Example: Stealing money from a bank across the Internet 
* Computer-targeted: Computer is the victim 
- Example: DoS attack 
* Computer is incidental: Computer is involved but didn't play a significant role in the crime 
- Example: If a computer is used to temporarily store stolen or illegal goods

Answer 69

A

* Script Kiddies: Unsophisticated individuals who know just enough about pre-built hacking tools 
*Types of serious hackers 
1- The ones who randomly sniff around 
2- APT (Advanced Persistent Threats) 
- Most dangerous 
- They target specific persons or organizations

Answer 70

A

<p>* OECD has issued guidelines on how to deal with data that is transfered between countries<br>
* Core principles:<br>
Collection Limitation<br>
Data Quality<br>
Purpose Specification<br>
Use Limitation<br>
Security Safeguards<br>
Openness<br>
Individual Participation<br>
Accountability</p>

Answer 71

A

<p>* They deal with US and EU data transfer requirements<br>
* Rules:<br>
- Notice<br>
- Choice<br>
- Onward Transfer<br>
- Security<br>
- Data Integrity<br>
- Access<br>
- Enforcement</p>

Answer 72

A

* Each country has its own laws regarding import and export of goods 
* Wassenaar Agreement 
- Followed by 41 countries including the US 
- Goal: To prevent the buildup of further military capabilities 
- The Information Security part deals with the exchange of cryptography

Answer 73

A

* Civil (Code) Law System: Lower courts are not compelled to follow the decisions made by upper courts 

* Common Law System: Based on precedence 
* Customary Law System: deals with personal conduct and behavior, 
* Religious Law System: Based on religious beliefs of that region 
* Mixed Law System: Two or more of the previously mentioned systems used together

Answer 74

A

* Criminal 
- To be convicted, guilt beyond reasonable doubt must be established 
- Cases are usually brought about by government prosecutors with a guilty or not guilty verdict 
* Civil/Tort 
- Offshoot of Criminal Law 
- Deals with wrongs commited against an individual or company that has resulted in injury or damages 
- If found liable, monetary reparations are usually made by the defendant, but loss of freedom is never a result 
* Administrative 
It addresses issues such as international trade, manufacturing, environment and immigration

Answer 75

A

<p>* Law that allows individuals or companies to protect what is rightly theirs from illegal duplication or use<br>
* IP types:<br>
- Trade Secret<br>
- Copyright<br>
- Trademark<br>
- Patent</p>

Answer 76

A

* Something a company creates or owns that is crucial to its survival and profitability 

* Doesn't expire until it's not a trade secret 
* Most companies with trade secrets make their employees sign an NDA 
* Example: Coca-Cola formula

Answer 77

A

* Gives the author of a work the rights to control the display, adaptation, reproduction or distribution of that original work 
* Protects the expression of the idea rather than the idea itself 
* Expires after a limited amount of time 
* Specific to the computer industry 
- Protects source code and object code 
- Protects user interfaces

Answer 78

A

* Protects a name, symbol, word, sound, shape, color or any combination thereof 

* Represents a company's brand identity to its potential consumers 
* WIPO (World Intellectual Property Organization) oversees International Trademark Law

Answer 79

A

* Given to individuals or companies to protect an invention 
* Strongest form of IP protection 
* The invention must be novel, useful and non-obvious 
* Has an expiration date (20 years) 
* Specific to computer industry 
- Algorithms are commonly patented 
- Patent infringement prosecution is a matter of everyday life 
- Patent trolls buy patents only to sue infringing companies

Answer 80

A

* A company must properly classify the data and implement sufficient protection (Due care) 
* If Due Care is not taken, litigation will fail 
* Software Piracy: Occurs whem protected works or data is duplicated or used without permission or compensation to the author 
* Software Licensing: Freeware, Shareware, Commercial, Academic 
* EULA: Used for communicating the licensing requirements 
* FAST/BSA: Promote enforcement of software rights in order to combat piracy 
* DMCA: 
- Prohibits attempts to circumvent copyright protection mechanisms 
- In Europe, a similar law is the Copyright Directive

Answer 81

A

<p>* Any data that can be used to identify, contact or locate an individual<br>
* It's sensitive data because it can be used for identity theft<br>
* Typical PII components<br>
Full Name<br>
ID Number<br>
Biometrics<br>
Digital Identities<br>
Birthdate</p>

Answer 82

A

* Federal Privacy Act of 1974 

* Federal Information Security Management Act of 2002 (FISMA) 
* Department of Veterans Affairs Information Security Protection Act 
* Health Insurance Portability and Accountability Act (HIPAA) 
* Health Information Technology for Economic and Clinical Health Act (HITECH) 
* USA Patriot Act 
* Gramm-Leach-Bliley Act (GLBA) 
* Personal Information Protection and Electronic Documents Act (PIPEDA) 
* Payment Card Industry Data Security Standard (PCI DSS) 
* Economic Espionage Act of 1996

Answer 83

A

Federal agencies could collect and store info about an individual's academic, medical, financial, criminal and employment history only if the agency had a necessary and relevant need to

Answer 84

A

<p>* Requires high-level officials of each agency to hold annual reviews of the information security programs and report the results to the Office of Management and Budget (OMB), which in turn reports to congress on the level of compliance achieved<br>
* Requirements<br>
- Inventory of Information Systems<br>
- Categorization of the information and information systems according to risk<br>
- Security controls<br>
- Risk Assessment<br>
- System security plan<br>
- Certification and accreditation<br>
- Continuous monitoring</p>

Answer 85

A

* FISMA + Additional requirements on that agency alone 
* Due to an incident in 2006

Answer 86

A

* PHI (Patient Health Information): PII+specific health details 

* Defines rules for any facility that creates, accesses, shares or destroys patient data 
* Works with fines 
* Does not require notification of data breaches

Answer 87

A

* Created in 2009 
* Subtitle D 
- Electronic transmission of health information 
- Helps enforce HIPAA rules 
* It directs the US Secretary of Health and Services (HHS) to provide guidance on effective controls to protect data 
* Companies that comply with this guidance do not have to report data breaches. Otherwise, they have 60 days to report to HHS and the affected individuals

Answer 88

A

* Reduces restrictions on law enforcement when searching electronic records 

* Allows greater foreign intelligence gathering within the US 
* Gives the Secretary of Treasury greater power to regulate financial transactions 
* Broadens the ability to detain or deport immigrants suspected of terrorism 
* Expands the definition on terrorism to include domestic terrorism 
* Now the government can monitor individual's electronic communications at will

Answer 89

A

* aka Financial Services Modernization Act 

* Requires financial institutions to create privacy notices and give their customers the ability to opt out of sharing their information with third parties 
* In the event of a data breach the institution must report it to the federal regulators, law enforcement and affected customers

Answer 90

A

Canadian protection of privacy law regarding e-commerce

Answer 91

A

* It's a standard for data security created by the major credit companies 
* Credit companies will not work with a company that it's not PCI compliant

Answer 92

A

* Passed in 1996 

* Defines who can investigate data breaches 
* Protects IP

Answer 93

A

USA: Has a number of laws on the book 

| EU data protection regulation: Standardized data breach notification

Answer 94

A

High-level statement that describes how security works within the organization.

Answer 95

A

* Organizational Security Policy: 

- Dictates how a security program will be constructed and describes how enforcement will be implemented. 
- Sets the various goals.Addresses laws and regulations. Provides direction on the amount of risk management it's willing to accept. 
- Should be periodically reviewed and updated. 
- Documentation should be version-controlled and applicable for several years into the future. 
* Issue-specific policy: Provides more detail on an area that needs further explanation. Must not be technology-specific. Examples: E-mail policy 
* System-specific policies: Contain details that are specific to a system. Sufficiently generic to allow for other technologies and solutions

Answer 96

A

* Informative:Informs employees on a broad range of topics in an unenforceable manner 

* Regulatory: Addresses regulatory requirements for a specific industry such as GLBA, PCI or HIPAA 
* Advisory: Advises employees on enforceable rules governing actions and behaviors

Answer 97

A

* Provide instruction on how to meet the policy 

| * Standards must always be enforced

Answer 98

A

* Point in time that is used as a comparison for future changes 
* A baseline results in a consistent reference point

Answer 99

A

Reflect recommendations and guides for employees when a specific standard does not really apply

Answer 100

A

Where policies tell us where we want to go and standards provide the tools, procedures give us the step-by-step instructions on how to do it

Answer 101

A

* Organizational 

* Business Process 
* Information Systems (Our focus)

Answer 102

A

ISRM policy should address the following elements 

- The objectives of the ISRM team 
- What is considered an acceptable level of risk 
- How risks will be identified 
- How the ISRM policy fits within the organization's strategic planning 
- Roles and responsibilities for the ISRM 
- Mapping of risk to controls, performance targets and budgets 
- How staff behavior and resource allocation will be modified 
- How the effectiveness of controls will be monitored

Answer 103

A

* It can be a single person or more 

| * Usually not 100% of their time in ISRM

Answer 104

A

* Frame: Define the assumptions, constraints, priorities and the amount of risk the organization can tolerate 

* Assess: Determine threats, vulnerabilities and attack vectors 
* Respond: Match the available resources against a prioritized list of risks 
* Monitor: Continuously watch the controls to assess their effectiveness against the risk each was designed to protect the organization from

Answer 105

A

* Information: Data at rest / Data in motion / Data in use 

* Processes: Blocks of code executing in-memory 
* People: Usual attack vector / Social engineering / Social networks / Passwords

Answer 106

A

* Potential cause of an unwanted incident, which may result in harm to a system or organization 
* Sources: 
- Deliberate outsiders 
- Deliberate insiders (The most dangerous group) 
- Accidental insiders

Answer 107

A

* There are two ends to an attack 
- Attacker 
- Target 
- Means to an attack 
* Attack Tree: Steps and substeps in an attack 
* Attack Chain: One path that can be contained in an attack tree

Answer 108

A

* Reduces the number of attacks to consider by identifying commonalities 
* Reduces the threat posed by attackers: the closer to the root a mitigation is implemented, the more risks it is likely to control 
Assessing and Analyzing Risk - Risk Assessment,* Method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls 
* Outputs a list of vulnerabilities and threats

Answer 109

A

* Prioritizes the list obtained through the Risk Assessment 

* Assesses the amount of resources to properly mitigate the top threats 
* Goals 
- Identify and valuate assets 
- Identify vulnerabilities and associated threats 
- Quantify the likelihood of the threats 
- Calculate an economic balance between each threat and the cost of a countermeasure 
* Outputs a cost/benefit comparison

Answer 110

A

Individuals from all departments
Good questions for this team to ask are
1. What could happen?
2. What would the impact be?
3. How often could it happen?
4. Do we really believe the first three answers?

Answer 111

A

* Calculating currency-based value for each asset 
* Issues to be examined 
- Cost to acquire or develop the asset 
- Cost to maintain and protect the asset 
- Value of the asset to owners and users 
- Value of the asset to adversaries 
- Price others are willing to pay for the asset 
- Cost to replace the asset if lost 
- Operational and production activities affected if the asset is unavailable 
- Liability issues if the asset is compromised 
- Usefulness and role of the asset in the organization 
* Two questions should be asked: 
- What is the cost to protect an asset? 
- What is the cost if we did not protect an asset? 
* Allows us to do the following 
- Perform an effective cost/benefit analysis 
- Select proper controls 
- Determine the amount of insurance to purchase 
- Define exactly what is at risk 
- Comply with legal and regulatory requirements

Answer 112

A

* Threats can arise from seemingly innocuous sources such as our own applications and users 
Examples: 
- An application could have a logic flaw, known as illogical processing, which destroys or compromises data or resources. This can then lead to cascading errors wherein a small flaw is passed to another process, which can amplify the flaw 
- A user can enter invalid data or even accidently delete important data 
* Loss Potential:Each risk has it 
* Delayed Loss: It happens after the vulnerability has been exploited. Example: Your company's reputation takes a hit

Answer 113

A

* NIST SP 800-30 
* Facilitated Risk Analysis Process (FRAP) 
* Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE) 
* AS/NZS 4360 
* ISO 27005 
* Failure Mode and Effect Analysis (FMEA) 
* Central Computing and Telecommunications Agency 
Risk Analysis and Management Method (CRAMM)

Answer 114

A

<p>1- Prepare for the assessment<br>
2- Conduct the assessment<br>
a. Identify threats<br>
b. Identify vulnerabilities<br>
c. Determine likelihood<br>
d. Determine magnitude<br>
e. Calculate risk<br>
3- Communicate the results<br>
4- Maintain the assessment</p>

Answer 115

A

Stresses a qualitative measurement of risk instead of trying to actually calculate a risk value

Answer 116

A

* The premise of this methodology is that the people involved with a system or process should be the only ones making the decisions on security, as opposed to higher-level or external influences 
* Meant for entire organization

Answer 117

A

Focuses on the organization's overall health, but could be used in Security

Answer 118

A

Describes how RM should be carried out for ISMS

Answer 119

A

* Focuses on identifying functions, their failures and the causes of those failures 

* Excels when examining a single system, but tends to break down when considering multiple systems 
* Steps 
1) Create a block diagram 
2) Consider what happens when each block fails 
3) Create a table of each failure and the corresponding impact 
4) Correct the design and repeat #3 until the system no longer has unacceptable weaknesses 
5) Have engineers review the design and table

Answer 120

A

* UK originated 

* Siemens has an automated tool for it 
* Stages 
1) Define objectives 
2) Assess risk 
3) Identify countermeasures

Answer 121

A

* Asset Value (AV): Given by the Risk Assessment phase 
* Exposure Factor (EF): The percentage of loss that a realized threat could have on that asset 
Single Loss Expectancy (SLE): SLE=AVEF 
* Annual Rate of Occurence (ARO): Number of times per year that we can expect the threat to take place 
* Annualized Loss Expectancy (ALE): 
- ALE=SLE*ARO 
- We shouldn't expend more than the ALE in protecting that asset

Answer 122

A

Given by the Risk Assessment phase

Answer 123

A

The percentage of loss that a realized threat could have on that asset

Answer 124

A

SLE=AV*EF

Answer 125

A

Number of times per year that we can expect the threat to take place

Answer 126

A

ALE=SLE*ARO

Answer 127

A

* Various scenarios are discussed and threats and possible controls are ranked based on opinions 

* Each threat is ranked 
* A matrix is usually used to facilitate this discussion 
- Y-Axis: Likelihood of occurrence 
- X-Axis:The impact 
* Delphi technique 
- Each group member provides a written opinion on each threat and gives the answer to the risk assessment team 
- The team then compiles the results and distributes it to the group who write down comments anonymously 
- The results are then compiled and redistributed until a consensus is reached

Answer 128

A

- Each group member provides a written opinion on each threat and gives the answer to the risk assessment team 

- The team then compiles the results and distributes it to the group who write down comments anonymously 
- The results are then compiled and redistributed until a consensus is reached

Answer 129

A

VC = ALE_before - ALE_after

Answer 130

A

* The actual product 

* Design and planning 
* Implementation 
* Environment modifications 
* Compatibility with other controls 
* Maintenance 
* Testing 
* Repair, replacement or upgrades 
* Operating and support 
* Negative impacts on productivity 
* Subscription 
* Time for monitoring and responding to alerts

Answer 131

A

* Can be installed without affecting other mechanisms 

* Provides uniform protection 
* Administrator can override 
* Defaults to least privilege 
* Ability to enable/disable as desired 
* Does not distress users 
* Differentiation between user and administrator roles 
* Minimum human interaction 
* Assets are still protected during a reset 
* Easily updated 
* Provide sufficient audit trail 
* Not have heavy dependence on other components 
* Does not introduce heavy barriers for users 
* Produce human-readable output 
* Easy reset to baseline configuration 
* Testable 
* Does not introduce compromises 
* Does not impact system performance 
* Does not require many exceptions across the environment 
* Proper alerting 
* Does not impact existing assets 
* Is not highly-visible

Answer 132

A

* Total Risk: TR = threats x vulnerability x asset value 

* Residual Risk: RR = total risk x controls gap 
* You can't plug in numbers into these formulas, as they are conceptual 
* How to deal with the risk 
- Transfer the risk 
- Risk avoidance 
- Risk reduction 
- Accept the risk

Answer 133

A

TR = threats x vulnerability x asset value

Answer 134

A

RR = total risk x controls gap

Answer 135

A

* Transfer the risk 

* Risk avoidance 
* Risk reduction 
* Accept the risk

Answer 136

A

* Not a viable option unless you can verify how the partner handles risk 
* An organization can still be found liable if an outsourcing partner failed to mitigate a risk

Answer 137

A

Allow an organization to: 

1) Identify and assess risk 
2) Reduce it to an acceptable level 
3) Ensure the risk remains at an acceptable level

Answer 138

A

* NIST RMF (SP 800-37) 

- Operates around a systems life-cycle 
- Focuses on certification and accreditation 
* ISO 31000:2009 
- Acknowledges that there are things which we cannot control 
- Focuses instead on managing the fallout 
- It can be broadly applied to an entire organization 
* ISACA Risk IT: Attempts to integrate NIST, ISO 31000 and COBIT 
* COSO Enterprise Risk Management-Integrated Framework 
- Generic framework 
- Takes a top-down approach

Answer 139

A

* Identification of systems, subsystems and boundaries that the organization has 
* This will give you the info you need to select the controls

Answer 140

A

* Assumptions 

- Risk Assessment has been done 
- Common controls across the organization have been identified 
* When considering a new system 
- Are there new risks specific to it or into your architecture by introducing this new system? 
- Perform new Risk Asessment on the new system and its effect on the larger ecosystem 
- Compare results to determine if we need to modify controls or new controls are needed

Answer 141

A

* Implementing is simple 

* Documenting is important 
- So everyone will understand the what, where and why of each control 
- Allows the controls to be integrated into an overall assessment and monitoring plan

Answer 142

A

* The control must be assessed to see how effective it has been 

* Should be done by individuals who did not implement the control 
* Results should be added to the documentation to be referred during the next round of assessments

Answer 143

A

Forwarding all documentation and assessment results to the person or the group who can authorize integration of the system into the general architecture

Answer 144

A

* Once the system is in general operation, it must be monitored to ensure it remains effective 
* If any changes in operation or threats are detected, the system must be updated

Answer 145

A

Is how an organization will minimize the effects of a disaster or disruption to business and return to some level of acceptable productivity

Answer 146

A

Goes into effect during the emergency

Answer 147

A

Addresses how the organization will return to full capacity, including backup data centers, spinning up new locations for people to work, or altering processes during the interim

Answer 148

A

* Encompasses both DR and CP 

* Must address all CIA 
* Much more than buildings and hardware: People run the systems and must know them 
* Example: During a disaster, you can't just leave a sensitive server sitting in an abandoned building (Confidentiality), you can't assume storage media will remain safe and secure (integrity) and you have to make sure those resources are back up and running as soon as possible (availability)

Answer 149

A

* It's the way to implement BCM 

* Contains strategy documents providing detailed procedures: To ensure critical functions are maintained that will minimize loss 
* The procedures cover 
- Emergency responses 
- Extended backup operations 
- Post-disaster recovery 
* Can quickly become outdated due to turnover and undocumented changes

Answer 150

A

1) Write the continuity planning policy statement: Write a policy and assign authority to carry out the policy tasks 

2) Conduct the business impact analysis (BIA): 
- Identify critical functions and systems 
- Prioritize the list 
3) Identify preventative controls: Select and implement controls to address the BIA 
4) Create contingency strategies: Make sure systems can be brought online quickly 
5) Develop an information system contingency plan: Write procedures and guidelines on how the organization will remain functional in a crippled state 
6) Ensure plan testing, training and exercises 
7) Ensure plan maintenance: Put in place steps to ensure the BCP is updated regularly

Answer 151

A

* ISO 27031: Describes the concepts of information communication technology (ICT) readiness for business continuity 

* ISO 22301: The ISO standard for BCM 
* Business Continuity Institute's Good Practice Guidelines (GPG) 
* DRI International Institute's Professional Practices for Business Continuity Planners

Answer 152

A

* BCM must be built upon a solid understanding of 

- How the organization operates 
- The organizational components that are critical to continuing its reason for being 
* BCP 
- Living entity that is continually revisited and updated as-needed 
- Should define and prioritize the organization's critical mission and business functions, and provide a sequence for recovery 
- Must have management's full support

Answer 153

A

* Leader for the BCP team 

| * Will oversee the development, implementation, and testing of the business continuity and disaster recovery plans

Answer 154

A

* Specific, qualified people 

* People who are familiar with the different departments within the company 
* People from at least the following departments 
- Business units 
- Senior management 
- IT department 
- Security department 
- Communications department 
- Legal department

Answer 155

A

Should it cover one or all facilities? Should it encompass large threats or smaller ones as well? 
This kind of decision is for Senior Executives

Answer 156

A

* Scope 

* Mission 
* Principles 
* Guidelines 
* Standards

Answer 157

A

1. Identify and document the components of the policy 

2. Identify and define policies of the organization that the BCP might affect 
3. Identify pertinent legislation, laws, regulations, and standards 
4. Identify "good industry practice" guidelines by consulting with industry experts 
5. Perform a gap analysis. Find out where the organization currently is in terms of continuity planning, and spell out where it wants to be at the end of the BCP process 
6. Compose a draft of the new policy 
7. Have different departments within the organization review the draft 
8. Incorporate the feedback from the departments into a revised draft 
9. Get the approval of top management on the new policy 
10. Publish a final draft, and distribute and publicize it throughout the organization

Answer 158

A

* To ensure BCP doesn't run out of funds * SWOT analysis - Strengths: Characteristics of the project team that give it an advantage over others Weaknesses: Characteristics that place the team at a disadvantage relative to others Opportunities: Elements that could contribute to the project's success Threats: Elements that could contribute to the project's failure

Answer 159

A

* Due Dilligence 

- Doing everything within one's power to prevent a disaster from happening 
- Applicable to leaders 
* Due Care 
- Taking precautions that a reasonable and competent person would have done 
- Applicable to everyone

Answer 160

A

* Activity at the beginning of BCP where interviews are executed and data collected to identify and classify business and individual functions 

* Steps 
1) Select individuals for interviewing 
2) Create data-gathering techniques 
3) Identify critical functions 
4) Identify resources 
5) Calculate how long functions can survive without resources 
6) Identify vulnerabilities and threats 
7) Calculate risk (risk = threat x impact x probability) 
8) Document findings and report to management

Answer 161

A

Each critical system must be examined to see how long the organization can survive without it

Answer 162

A

* Committing fully to the BCP 

* Setting policy and goals 
* Ensuring the required funds and resources are available 
* Taking responsibility of the outcome of the BCP 
* Appointing a team

Answer 163

A

* Identifying legal and regulatory requirements 

* Identifying vulnerabilities and threats 
* Estimating threat likelihood and potential loss 
* Perform a BIA 
* Indicate which functions and processes must be running before others 
* Identifying interdependencies 
* Developing procedures and steps to resume business after a disaster 
* Identify individuals who will interact with external players

Answer 164

A

Dictates who will step in until an absent executive returns or a permanent replacement can be found

Answer 165

A

* Process that ensures a single person cannot complete a critical task by himself 

* Example: Before launching a nuclear missile, two people have to insert a key. This is an example of dual control 
* In businesses, usually put into place to prevent fraud in the form of split knowledge 
* Example: One person can create a named user in a system (authentication), but cannot assign rights to that user (authorization). Another user must assign authorization. To create a rogue account, two employees must collude with each other, thereby reducing the likelihood of this happening

Answer 166

A

* Administrative detection control to uncover fraudulent activities 
* Goal: Move employees around so that each does not have control over the same business function for too long

Answer 167

A

For employees operating in sensitive areas, it should be implemented in order to detect fraud

Answer 168

A

* Before hiring new employees: HR should always look into the individual's background for character traits 

* NDA's must be signed by new employees 
* Background checks 
- Social security number trace 
- County/state criminal history 
- Federal criminal history 
- Sexual offender registry check 
- Employment verification 
- Education verification 
- Reference verification 
- Immigration check 
- License or certification validations 
- Credit report 
- Drug screening

Answer 169

A

* Surrender of ID badges or keys 

* Escort from the premises 
* Immediate disabling of user accounts or other access 
* Severance package dependent upon completion of an exit interview and surrender of company property. This encourages terminated employees to comply

Answer 170

A

* During the hiring process 

* Attributes 
- Repeats the most important messages in different formats 
- Up-to-date 
- Entertaining and positive 
- Simple to understand 
- Supported by senior management 
* Audiences for this training 
- Management: Short orientation that focuses on how security pertains to corporate assets and financial goals and losses 
- Staff: Policies, procedures, standards and guidelines 
- Technical employees: In-depth training on daily activities

Answer 171

A

Framework providing Oversight, Accountability and Compliance

Answer 172

A

* ISO 27004: How to measure Security Program effectiveness 
* NIST SP 800-55: Government's version of ISO 27004

Answer 173

A

* Protect society, the common good, necessary public trust and confidence, and the infrastructure 

* Act honorably, justly, responsibly and legally 
* Provide diligent and competent service to principals 
* Advance and protect the profession

Answer 174

A

1) Thou shalt not use a computer to harm other people 

2) Thou shalt not interfere with other people's computer work 
3) Thou shalt not snoop around in other people's computer files 
4) Thou shalt not use a computer to steal 
5) Thou shalt not use a computer to bear false witness 
6) Thou shalt not copy or use proprietary software for which you have not paid 
7) Thou shalt not use other people's computer resources without authorization or proper compensation 
8) Thou shalt not appropriate other people's intellectual output 
9) Thou shalt think about the social consequences of the program you are writing or the system you are designing 
10) Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans

Answer 175

A

Seeks to gain unauthorized access to the resources of the Internet
Disrupts the intended use of the Internet
Wastes resources (people, capacity, computer) through such actions
Destroys the integrity of computer-based information<
Compromises the privacy of users

Brainscape's Knowledge GenomeTM

CISSP Domain 1 - Flashcards

Brainscape's Knowledge Genome^TM