CISSP-Security and Risk Management-Domain 1 Flashcards
What does SPOF stand for?
Single Point Of Failure
What does the acronym SOX stand for?
Sarbanes-Oxley Act of 2002
What is Due Care?
Due Care is the care a reasonable person would exercise under given circumstances.
What is CSMA/CA?
Carrier Sense Multiple Access with Collision Avoidance
Uses acknowledgements; if no acknowledgement is received, the information is sent again.
Definition of Security Analyst
Works at a high level of security, helping develop policies and standards.
Definition of Data Owner
Usually a member of management who is ultimately responsible for the protection and use of a specific subset of information.
ISO/IEC 27799 is for?
Health Informatics - Information Security Management in Health
ISO/IEC 27004 is for?
Guideline for information security management measurement and metrics framework
What Protocol uses Port 80?
HTTP
Describe ISO 31000 - Risk Management
ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization.
What does MTD stand for?
Maximum Tolerable Downtime
What are the 8 CISSP domains?
Security and Risk Management
Asset Security
Security Engineering
Communications and Network Security
Identity and Access Management
Security Assessment and Testing
Security Operations
Software Development Security
What are the OSI layers?
Physical
Data Link
Network
Transport
Session
Presentation
Application
LANs, WANs, MANs, GANs, PANs
Local Area Network
Wide Area Network
Metropolitan Area Network
Global Area Network
Personal Area Network
What Protocol uses Port 110?
POPv3
Definition of Data Custodian
Responsible for maintaining and protecting the data.
What is COBIT?
Set of control objectives for IT management.
Control Objectives for Information and related Technology
What does the acronym ISMS stand for?
Information Security Management System
What is Due Diligence?
Due Diligence is a preemptive measure made to avoid harm to other persons or their property.
What layer is IP on?
Layer 3
What Protocol uses Port 53?
DNS (UDP and TCP)
What does BIA stand for?
Business Impact Analysis
Definition of a Control
A Safeguard that is put in place to reduce a risk, also called a countermeasure.
What does the acronym FMEA stand for?
Failure Mode and Effect Analysis
What Protocol uses Port 443?
HTTPS
What Protocol uses Port 143?
IMAP
ISO/IEC 27002 is for?
Code of practice for information security management
What is Full-duplex?
Sends and receives communications simultaneously
What is ARP?
Address Resolution Protocol
Maps between layer 2 MAC addresses and layer 3 IP addresses; used to find the MAC address.
Analog vs Digital definition
Analog communications are a continuous wave of information. Digital communications are on and off (true and false, 1s and 0s).
What is the Delphi Technique?
A group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be.
What does the acronym MODAF stand for?
British Ministry Of Defense Architecture Framework
For door security, fail-secure defaults to?
Unlocked or Locked
Locked
What is SOMAP?
SOMAP is a Swiss nonprofit organization whose goal is to run an open information security management project and maintain free and open tools and documents under the GNU license.
What layer is TCP and UDP on?
Layer 4
What is RARP?
Reverse Address Resolution Protocol
Maps between layer 3 IP addresses and layer 2 MAC addresses; used to find the IP address.
What is the difference between tangible and intangible assets?
Tangible assets have a physical presence.
Intangible assets do not have a physical presence.
What is CSMA/CD?
Carrier Sense Multiple Access with Collision Detection
Waits until the network is idle before transmitting
Definition of Vulnerability
A lack of a countermeasure or weakness in a countermeasure that is in place.
What is the definition of Half-duplex
Sends and receives communication, one way at a time (not simultaneously)
Circuit Switch Network vs Packet Switch Network
Circuit-switched networks hold a dedicated circuit until the communication is over. Packet-switched networks break communications down into packets and send them over many circuits.
What equation do you use to get Single Loss Exposure?
Asset Value x Exposure Factor (EF)
What are the three types of Network Address Translation?
Static NAT: one to one
Pool NAT: Reserved and assigned as needed.
Port Address Translation: one to many private IP Addresses, uses port numbers
Single Loss Exposure (SLE) x Annualized Rate of Occurrence = ?
Annual Loss Expectancy
What does RPO stand for?
Recovery Point Objectives
What is RFC 1918?
Used for internal traffic that does not route across the Internet. Private IP Addresses:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
What does the acronym OCTAVE stand for?
Operationally Critical Threat, Asset, and Vulnerability Evaluation.
Example of Protocol Data Units (PDUs) encapsulation
Data, Segments, Packets, Frames, Bits
Bits are Layer One
Frames are Layer Two
Packets are Layer Three
Segments and Data are Layer Four
What is SABSA?
Model and Methodology for development of information security enterprise architectures.
ISO/IEC 27006 is for?
Guidance for bodies providing audit and certification of information security management systems
What are the 3 types of controls?
Administrative
Physical
Logical/Technical
For door security, fail-secure means?
To default the locking mechanism during a failure in a way to keep information secure.
Baseband Networks vs Broadband Networks
Baseband networks have one Channel (ethernet). Broadband networks have multiple channels and can send multiple signals at a time (cable TV)
The ISO/IEC 27000 Series was formerly
British Standard 7799 (BS7799)
What Protocol uses Port 21?
FTP Control
Describe NIST Risk Management Framework
The NIST Risk Management Framework is a methodology for implementing risk management at the information systems tier.
What Protocol uses Port 25?
SMTP
What are the three functional types of policies?
Regulatory
Advisory
Informative
What does the acronym FRAP stand for?
Facilitated Risk Analysis Process
ISO/IEC 27005 is for?
Guideline for information security risk management
Definition of an Enterprise Security Architecture
A subset of an enterprise architecture that defines the information security strategy, consisting of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally.
What is Six Sigma?
Business Management strategy that can be used to carry out process improvement
What equation do you use to get Annual Loss Expectancy?
Single Loss Exposure (SLE) x Annualized Rate of Occurrence
What is CMMI?
Organizational development for process improvement.
Capability Maturity Model Integration.
What does RTO stand for?
Recovery Time Objective
What is COSO?
Set of internal corporate controls to help reduce the risk of financial fraud.
Committee of Sponsoring Organizations of the Treadway Commission
What are COBIT's four domains?
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
What are the 4 main goals of a Risk Analysis?
Identify assets and their value to the organization.
Identify vulnerabilities and threats.
Quantify the probability and business impact of those potential threats.
Provide an economic balance between the impact of the threat and the cost of the countermeasure.
What Protocol uses Port 23?
Telnet
For door security, fail-safe defaults to?
Unlocked or Locked
Unlocked
The SOX Act is based upon what framework model?
COSO
Definition of an Exposure
An instance of being exposed to losses.
Describe the Facilitated Risk Analysis Process (FRAP).
A qualitative methodology that focuses only on the systems that need assessing, to reduce the cost and time obligations of the risk assessment. It is used to analyze one system, application or business process at a time. Does not use exploitation values such as annual loss expectancy. The experience of the risk assessors is used to determine the criticality of risks. Very narrow scope.
What is the difference between qualitative and quantitative assessments?
A qualitative assessment uses descriptive results.
A quantitative assessment uses measurable results.
A Fault Tree Analysis identifies failures that take place within more complex environments and systems, vs the Failure Mode and Effect Analysis (FMEA).
True or False
TRUE
Describe the risk analysis process of Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE).
People inside the organization have the power to address risks by going through rounds of facilitated workshops. Very wide scope. OCTAVE assesses all systems, applications, and business processes.
What does the acronym SOMAP stand for?
Security Officers Management and Analysis Project
ISO/IEC 27003 is for?
Guideline for ISMS implementation
Threat x Vulnerability x Asset Value = ?
Total Risk
What is the definition of Simplex?
One way communication
What Protocol uses Port 20?
FTP Data
Definition of a Risk
The likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.
Describe Failure Mode and Effect Analysis (FMEA)
A method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
Describe Central Computing and Telecommunications Agency Risk Analysis and Management Method (CRAMM)
Developed in the United Kingdom; tools sold by Siemens. Works in three distinct stages:
Define Objectives
Assess Risks
Identify Countermeasures
What does the acronym CMMI stand for?
Capability Maturity Model Integration
(Threat x Vulnerability x Asset Value) x control gaps = ?
Residual Risk
What does the acronym CRAMM stand for?
Central Computing and Telecommunications Agency Risk Analysis and Management Method.
What Protocol uses Port 67 and 68?
DHCP: port 67 for servers and port 68 for clients
Describe Risk IT Framework - ISACA
The Risk IT Framework fills the gap between generic risk management frameworks and detailed IT risk management frameworks.
The product of the likelihood and impact of an exploit is?
Likelihood x impact = ?
Risk
Definition of Threat
Any potential danger that is associated with the exploitation of a vulnerability.
What Protocol uses Port 69?
TFTP
What does the acronym OSI stand for?
Open Systems Interconnection
What does the acronym COSO stand for?
Committee of Sponsoring Organizations
What Protocol uses Port 22?
SSH
Describe Enterprise Risk Management - Integrated Framework – COSO
Enterprise Risk Management - Integrated Framework defines essential Enterprise Risk Management (ERM) components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management.
The ISO/IEC 27000 Series is used for?
Security Program Development
What are the two types of errors QA/QC mechanisms prevent?
Errors of Commission, which include those caused by data entry.
Errors of Omission, which include insufficient documentation of legitimate data.
What are the 7 functions of controls?
Directive
Deterrent
Preventive
Detective
Corrective
Recovery
Compensating
Asset Value x Exposure Factor (EF) = ?
Single Loss Exposure (SLE)
What is the difference between strategic and tactical planning?
Strategic planning is aligning strategic business and information technology goals.
Tactical planning is providing the broad initiatives to support and achieve the goals specified in the strategic plan.
What does the acronym CISSP stand for?
Certified Information Systems Security Professional
Definition of System Owner
Responsible for one or more systems, each of which may hold and process data owned by different data owners.
What does the acronym ITIL stand for?
Information Technology Infrastructure Library
ISO/IEC 27001 is for?
ISMS Requirements
What is ITIL?
Processes to allow for IT Service management.
What are the four basic ways risk can be handled?
Transfer
Avoidance
Mitigate
Accept
Total Risk - Countermeasures = ?
Residual Risk
Threat Agent
An entity that can exploit a vulnerability
What are the 8 interrelated components of Enterprise Risk Management?
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring