Domain 1

Question 1

ICS2 Code of Ethics

Answer 1

1. Protect Society, the commonwealth, the infrastructure
2. Act honorably, honestly, justly, legally
3. Provide diligent and competent service to principals
4. Advance and protect the profession

Question 2

4 Levels of Security Policy Development

Answer 2

1. Acceptable use policy
2. Security baselines
3. Security guidelines
4. security procedures

Question 3

3 types of security plans

Answer 3

1. Strategic (long term, stable, risk assessment, 5 year)
2. Tactical (mid term, details on goals of strategic plan, 1 year)
3. Operational (short term, highly detailed, based on strategic + tactical, monthly/quarterly)

Question 4

Primary risk management framework for the exam

Answer 4

NIST 800-37

Question 5

Secondary risk management frameworks for the exam

Answer 5

1. OCTAVE
2. FAIR
3. TARA

Question 6

7 steps of risk management framework (RMF), especially NIST 800-37

Answer 6

1. PREPARE to execute the RMF
2. CATEGORIZE information systems
3. SELECT security controls
4. IMPLEMENT security controls
5. ASSESS security controls
6. AUTHORIZE the system
7. MONITOR the security controls

People Can See I Am Always Monitoring

Question 7

Fact on risk management

Answer 7

Not every risk can be mitigated

Question 8

Who decides how risk is handled?

Answer 8

Management

Question 9

What should I do in case of legal issues?

Answer 9

Calling an attorney

Question 10

Inherent Risk

Answer 10

Newly identified, not addressed with strategies, absence of controls

Question 11

Total risk

Answer 11

amount of risk WITHOUT ANY safeguards + controls

Question 12

Formula Total Risk

Answer 12

total risk = threats * vulnerabilities * asset value

Question 13

Formula Risk

Answer 13

risk = threat * vulnerabilities

Question 14

6 major steps of Quantitative Risk Analysis

Answer 14

1. INVENTORY assets and assign value (AV)
2. Identify THREATS (+ calculate EF and SLE)
3. Perform a THREAT ANALYSIS (+ calculate likelihood in single year –> ARO=
4. Estimate the POTENTIAL LOSS (by calculating ALE)
5. Research COUNTERMEASURES for threat (+ calculate change to ARO and ALE)
6. Perform a COST BENEFIT analysis

Question 15

Quantitative Risk Analysis

Answer 15

Dollar value, objective

Question 16

Qualitative Risk Analysis

Answer 16

Scoring System (rank threats + effectiveness controls), subjective

Question 17

Delphi Technique

Answer 17

qualitative, anonymous, feedback + response –> arrive at consensus

Question 18

What threat agents do

Answer 18

exploiting vulnerabilties

Question 19

Exposure Factor (=EF)

Answer 19

percentage of loss in case asset gets hit

Question 20

Single Loss Expectancy (=SLE)

Answer 20

costs, single realized risk, specific asset

Question 21

Formula for SLE

Answer 21

SLE = Asset Value (AV) x Exposure Factor (EF)

Question 22

Annualized Rate of Occurrence (=ARO)

Answer 22

risk / threat frequency within single year

Question 23

Annualized Loss Expectancy (=ALE)

Answer 23

yearly cost, realized threat, specific asset

Question 24

Formula for ALE

Answer 24

SLE x ARO

Question 25

Safeguard evaluation considerations

Answer 25

mitigate risk, transparent, difficult to bypass, cost effective

Question 26

Formula Value of Safeguard

Answer 26

ALE before safeguard - ALE after safeguard - annual costs of safeguard = ALE 1 - ALE2 - ALC

Question 27

Controls Gap

Answer 27

Amount of risk reduced by implementing safeguard

Question 28

Formula Residual Risk

Answer 28

Residual risk = Total risk - controls gap

Question 29

Threat Modeling

Answer 29

potential threats identified, categorized, analyzed --> goal = eradicate or reduce threats proactive or reactive

Question 30

Threat Model Focus

Answer 30

- Focused on assets (asset valuation) - Focused on attacks (threats based on attackers goals) - Focuses on software (potential threats agains software)

Question 31

STRIDE (threat model Microsoft)

Answer 31

``` Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of privilege ```

Question 32

PASTA (threat model, focus on AV)

Answer 32

1. Definition of Objectives 2. Definition of Technical Scope 3. App Decomposition and Analysis 4. Threat Analysis 5. Weakness and Vulnerability Analysis 6. Attack Modeling and Simulation 7. Risk Analysis & Management

Question 33

VAST (threat model)

Answer 33

Visual Agile Simple Threat

Question 34

Trike (threat model)

Answer 34

focus on risk based approach

Question 35

DREAD (threat model)

Answer 35

``` Damage potential Reproducibility Exploitability Affected users Discoverability ```

Question 36

2 Types of Security Controls

Answer 36

``` Safeguard = proactive Countermeasure = reactive ```

Question 37

Control Types

Answer 37

- Deterrent (discourage violation) - Preventative (stop unwanted/unauthorized activity) - Detective (discover/detect unwanted/unauthorized activity) - Compensating (options to other existing controls) - Corrective (return systems to normal) - Recovery (extension of corrective controls) - Directive (control the actions of subjects)

Question 38

Types of Law

Answer 38

Criminal Law Civil Law Administrative Law

Question 39

Computer Fraud and Abuse Act (CFAA)

Answer 39

first major piece of US cyber-crime-specific legislation

Question 40

Federal Sentencing Guidelines

Answer 40

punishment guidelines, help federal judges interpret computer crime laws

Question 41

Federal Information Security Management Act (FISMA)

Answer 41

formal infosec operations, for government

Question 42

Copyright and Digital Millennium Copyright Act

Answer 42

literary, music, dramatic work

Question 43

Trademarks

Answer 43

words, slogan, logos (identification of company, products, services)

Question 44

Patents

Answer 44

intellectual property rights of inventor (not secret)

Question 45

Trade secrets

Answer 45

Secret, absolutely critical to business (like Coca Cola recipe), must not be disclosed

Question 46

4 Licensing types

Answer 46

- contractual - shrink wrap - click through - cloud services

Question 47

Absolute basis for privacy rights

Answer 47

4th amendment of the US constitution

Question 48

Healthcare specific laws

Answer 48

HIPAA, HITECH

Question 49

FI specific laws

Answer 49

Gramm Leach Bliley Act

Question 50

Law related to privacy of Children online

Answer 50

COPPA = Children Online Privacy Protection Act

Question 51

2 Laws related to Electronic Communication

Answer 51

``` ECPA = Electronic Communication Privacy Act CALEA = Communications Assistance for Law Enforcement Act ```

Question 52

5 Business Continuity Planning process steps

Answer 52

1. Strategy DEVELOPMENT 2. Provision and PROCESSES 3. Plan APPROVAL 4. Plan IMPLEMENTATION 5. Training and EDUCATION

Question 53

Governance

Answer 53

the process of how an organization is managed

Question 54

Security Governance

Answer 54

the entirety of policies, roles, processes to make security decisions

Question 55

Security Control Frameworks

Answer 55

- ISO27001/27002 - COBIT = Control Objectives for Information and related Technology (maintained by ISACA) - ITIL = Information Technology Infrastructure Library (Best Practices for IT Service Management) - Risk Management Framework (especially NIST SP 800-37 + 800-53) - CSA STAR Cloud Service Alliance (Start Ratings for Cloud Service Providers)

Question 56

Due Care

Answer 56

What the organization owes its customers

Question 57

Due Diligence

Answer 57

Any activity to to demonstrate or provide due care, evidence of providing due care

Question 58

Risk Frameworks (NOT only RMF)

Answer 58

- ISO 3100 (Risk Management Principles and Guidelines) - ISO 27005 (IT Security Risk Management) - COSO (ERM framework, financial reporting irregulatories and fraud) - ISACA (Risk IT, connect strategic risk with IT risk management) - NIST (RMF, SP 800-37)

Question 59

3rd party assessment and monitoring

Answer 59

- ISO certified audits - CSA STAR evaluation - AICPA SSAE 16 SOC Reports

Question 60

Industry standards

Answer 60

- set by industry participants - can eventually evolve into legal standard - may be accepted by regulators - examples: ISO, CSA STAR, Uptime Institute

Question 61

PII data examples

Answer 61

- Name - Home address - Tax identification numbers / social security numbers - mobile telephone numbers - specific computer data (MAC address, IP address of users client)

Question 62

data owner / data controller

Answer 62

entity that collects or controls PII data

Question 63

data processor

Answer 63

creating, storing, sending, etc. on behalf of the data owner

Question 64

data custodian

Answer 64

manages data day to day (system admin, database admin, etc.)

Question 65

What kind of data storage is PCI DSS prohibiting?

Answer 65

CVV (Card Verification Value)

Question 66

Does the information security policy require signing by employees?

Answer 66

No

Question 67

Opposite of CIA

Answer 67

DAD = Disclosure, Alteration, Destruction

Question 68

IAAA - requirements for accountability

Answer 68

- Identification - Authentication - Authorization - Accountability

Question 69

Responsibility of the ISO

Answer 69

- Written products - CIRT - Security Awareness - Communicate risk to higher management - report as high a level as possible - security is everyone's responsibility

Question 70

Wassenaar Arrangement (WA)

Answer 70

Dual use goods & trade, international cryptographic agreement, prevent destabilizing

Question 71

Section 302

Answer 71

CEOs CFOs can go to jail, in case they sign false info

Question 72

Section 404

Answer 72

describing logical controls over accounting files; good auditing and information security

Question 73

Wire tapping

Answer 73

eavesdropping on communication, only legal with prior consent or warrant

Question 74

Data Diddling

Answer 74

act of modifying information, programs, documents to commit fraud tampers with INPUT data

Question 75

Water holing

Answer 75

creates a buch of websites with similar names

Question 76

Work function / factor

Answer 76

how difficult is it to get cipher text to clear text (cost/time)?

Question 77

SLR (Service Level Requirements)

Answer 77

requirements from a clients perspective

Question 78

Service level report

Answer 78

insight into service providers ability to deliver the agreed service quality