CISSP - Wiley 9th Edition - Chapter 1 Flashcards
Confidentiality
The concept of the measures used to ensure the protection of the secrecy of data, objects, or resources.
Countermeasures to ensure Confidentiality
Encryption
Network traffic padding
Strict access control
Rigorous authentication procedures
Data classification
Personnel training
Integrity
The concept of protecting the reliability and correctness of data
Attacks that focus on the violation of integrity
Viruses
Logic bombs
Unauthorized access
Errors in coding and applications
Malicious modification
Intentional replacement
System backdoors
Availability
Authorized subjects are granted timely and uninterrupted access to objects
Countermeasures to ensure availability
Design intermediary delivery systems properly
Use access controls effectively
Monitor performance and network traffic
Use firewalls and routers to prevent DoS attacks
Implement redundancy for critical systems
Maintain and test backup systems
CIA Triad
Confidentiality, Integrity, Availability
The primary goals and objectives of a security infrastructure
DAD Triad
Disclosure, Alteration, Destruction
The failures of security protections of the CIA Triad
Authenticity
The security concept that data is authentic or genuine and originates from its alleged source
Non-repudiation
Ensures that the subject of an activity, or the party who caused an event, cannot deny that the event occurred
AAA Services
Core security mechanism of all security environments
5 elements:
Identification
Authentication
Authorization
Auditing
Accounting
Identification
Claiming to be an identity when attempting to gain access
Authentication
Proving that you are the claimed identity
Authorization
Defining the permissions (resource and object access) granted to a specific identity or subject
Auditing
Recording a log of the events and activities related to the systems and subjects
Accounting
Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions
Defense in Depth
Layering, the use of multiple controls in a series. Because the controls are placed in series, each attack is scanned, evaluated, or mitigated by every security control in turn
Abstraction
Similar elements are placed into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. Abstraction is used for efficiency
Data Hiding
Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject.
Encryption
The science of hiding the meaning or intent of a communication from unintended recipients
Security Boundaries
The line of intersection between any two areas, subnets, or environments that have different security requirements or needs
Security Governance
The collection of practices related to supporting, evaluating, defining, and directing the security efforts of an organization.
Ideally performed by the Board of Directors or C-level executives.
Third-Party Governance
The system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligations, or licensing requirements.
Documentation Review
The process of reading the exchanged materials and verifying them against standards and expectations.
Authorization to Operate
Approval to proceed with a software product, a system, or a relationship with a third-party vendor
Security Function
The aspect of operating a business that focuses on the task of evaluating and improving security over time.
Security Management Planning
Ensures proper creation, implementation, and enforcement of a security policy. This aligns the security functions to the strategy, goals, mission, and objectives of the organization.
Business Case
A documented argument or stated position used to define a need to make a decision or take some form of action. It demonstrates a business-specific need to alter an existing process or choose an approach to a business task.
Top-Down Approach
Upper or senior management is responsible for initiating and defining policies for the organization.
Strategic Plan
A long-term, fairly stable plan that defines the organization's security purpose and the security function, and aligns them to the goals, mission, and objectives of the organization
Tactical Plan
A mid-term plan developed to provide more detail on accomplishing the goals set forth in the strategic plan, or created ad hoc in response to unpredicted events.
Operational Plan
A short-term, highly detailed plan based on the strategic and tactical plans. It spells out how to accomplish the various goals of the organization.