Domain 1 Flashcards

1
Q

Which of the 6 control functionalities does Lighting fall under?

A

Physical Deterrent

2
Q

Security Policy out of 6 control functionalities

A

Administrative Preventive

3
Q

Separation of duties out of 6 control functionalities

A

Administrative Preventive

4
Q

Job rotation out of 6 control functionalities

A

Administrative Detective

5
Q

Information Classification out of 6 control functionalities

A

Administrative Preventive

6
Q

Server images out of 6 control functionalities

A

Technical Corrective

7
Q

ISO/IEC 27000, 27001, 27002, 27003, 27004, 27005, 27006, 27007, 27008, 27011, 27014, 27015, 27031, 27032, 27033, 27034, 27035, 27037, 27799

A

ISO/IEC 27000: Overview and vocabulary
ISO/IEC 27001: ISMS requirements
ISO/IEC 27002: Code of practice for information security management
ISO/IEC 27003: ISMS implementation
ISO/IEC 27004: ISMS measurement
ISO/IEC 27005: Risk management
ISO/IEC 27006: Certification body requirements
ISO/IEC 27007: ISMS auditing
ISO/IEC 27008: Guidance for auditors
ISO/IEC 27011: Telecommunications organizations
ISO/IEC 27014: Information security governance
ISO/IEC 27015: Financial sector
ISO/IEC 27031: Business continuity
ISO/IEC 27032: Cybersecurity
ISO/IEC 27033: Network security
ISO/IEC 27034: Application security
ISO/IEC 27035: Incident management
ISO/IEC 27037: Digital evidence collection and preservation
ISO/IEC 27799: Health organizations
8
Q

Zachman Architecture Framework

A

The Zachman Framework is a two-dimensional model that uses six basic communication interrogatives (What, How, Where, Who, When, and Why) intersecting with different perspectives (Executives, Business Managers, System Architects, Engineers, Technicians, and Enterprise-wide) to give a holistic understanding of the enterprise.
The goal of this framework is to be able to look at the same organization from different viewpoints.

9
Q

The Open Group Architecture Framework (TOGAF),

A
TOGAF is a framework that can be used to develop the following architecture types:
  - Business architecture
  - Data architecture
  - Applications architecture
  - Technology architecture

TOGAF creates these individual architecture types through the use of its Architecture Development Method (ADM).

10
Q

DoDAF

A

The focus of the architecture framework is on command, control, communications, computers, intelligence, surveillance, and reconnaissance systems and processes.

It is not only important that these different devices communicate using the same protocol types and interoperable software components, but also that they use the same data elements.

11
Q

The Ministry of Defence Architecture Framework (MODAF)

A

The crux of the framework is to be able to get data in the right format to the right people as soon as possible.

12
Q

enterprise security architecture

A

A subset of an enterprise architecture that defines the information security strategy, which consists of layers of solutions, processes, and procedures.

It is a comprehensive and rigorous method for describing the structure and behavior of all the components that make up a holistic ISMS.

13
Q

main reason to develop an enterprise security architecture

A

To ensure that security efforts align with business practices in a standardized and cost-effective manner.

The architecture works at an abstraction level and provides a frame of reference. Besides security, this type of architecture allows organizations to better achieve interoperability, integration, ease of use, standardization, and governance.

14
Q

Sherwood Applied Business Security Architecture (SABSA)

A

Similar to the Zachman Framework.

Each layer of the framework decreases in abstraction and increases in detail so it builds upon the others and moves from policy to practical implementation of technology and solutions. The idea is to provide a chain of traceability through the contextual, conceptual, logical, physical, component, and operational levels.

15
Q

Sherwood Applied Business Security Architecture (SABSA)

A

A framework and methodology for enterprise security architecture and service management.

Since it is a framework, this means it provides a structure for individual architectures to be built from. Since it is a methodology also, this means it provides the processes to follow to build and maintain this architecture. SABSA provides a life-cycle model so that the architecture can be constantly monitored and improved upon over time.

16
Q

Strategic Alignment

A

Strategic alignment means the business drivers and the regulatory and legal requirements are being met by the security enterprise architecture.

17
Q

difference between an ISMS and an enterprise security architecture

A

An ISMS outlines the controls that need to be put into place (risk management, vulnerability management, business continuity planning, data protection, auditing, configuration management, physical security, etc.) and provides direction on how those controls should be managed throughout their life cycle.

The enterprise security architecture illustrates how these components are to be integrated into the different layers of the current business environment. The security components of the ISMS have to be interwoven throughout the business environment and not siloed within individual company departments.

18
Q

Business enablement

A

Security enables the company to move to this different working model by providing the necessary protection mechanisms.

19
Q

Process Enhancement

A

An organization that is serious about securing its environment will have to take a close look at many of the business processes that take place on an ongoing basis.

20
Q

Process reengineering under Process Enablement

A

When you look at many business processes taking place in all types of organizations, you commonly find a duplication of efforts, manual steps that can be easily automated, or ways to streamline and reduce time and effort that are involved in certain tasks. This is commonly referred to as process reengineering.

21
Q

Security effectiveness

A

Security effectiveness deals with metrics, meeting service level agreement (SLA) requirements, achieving return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system.

22
Q

Enterprise vs. System Architectures

A

An enterprise architecture addresses the structure of an organization. A system architecture addresses the structure of software and computing components.

23
Q

Cobit

A
  1. Meeting stakeholder needs
  2. Covering the enterprise end to end
  3. Applying a single integrated framework
  4. Enabling a holistic approach
  5. Separating governance from management

24
Q

Cobit

A

They ensure that we meet the second goal of covering the enterprise end to end by explicitly tying enterprise and IT goals in both the governance and management dimensions.

Governance is a set of higher-level processes aimed at balancing the stakeholder value proposition, while management is the set of activities that achieve enterprise objectives.

A majority of the security compliance auditing practices used in the industry today are based on COBIT.

25
Q

three control categories

A

For Commercial
- Administrative, Technical, Physical

For Government
- Management, Technical, Operational

26
Q

COSO IC

A

17 internal control principles that are grouped into five internal control components.

  • Control environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring Activities

The COSO IC framework is a model for corporate governance, and COBIT is a model for IT governance.

SOX is based upon the COSO model, so for a corporation to be compliant with SOX, it has to follow the COSO model.

27
Q

ITIL

A

Although ITIL has a component that deals with security, its focus is more toward internal SLAs between the IT department and the “customers” it serves. The customers are usually internal departments.

28
Q

Life Cycle of security program

A
  1. Plan and organize
  2. Implement
  3. Operate and maintain
  4. Monitor and evaluate

29
Q

control objective vs blueprints vs. description vs. architecture vs. checklist

A

To tie these pieces together, you can think of the ISO/IEC 27000 that works mainly at the policy level as a description of the type of house you want to build (ranch style, five bedrooms, three baths). The security enterprise framework is the architecture layout of the house (foundation, walls, ceilings). The blueprints are the detailed descriptions of specific components of the house (window types, security system, electrical system, plumbing). The control objectives are the building specifications and codes that need to be met for safety (electrical grounding and wiring, construction material, insulation, and fire protection).

A building inspector uses checklists (building codes) to ensure that you are building your house safely, just as an auditor uses checklists (COBIT or NIST SP 800-53) to ensure that you are building and maintaining your security program securely.

30
Q

computer-assisted, targeted, incidental

A

A computer-targeted crime could not take place without a computer, whereas a computer-assisted crime could.

31
Q

Privacy Act of 1974

A

Government agencies can maintain this type of information only if it is necessary and relevant to accomplishing the agency’s purpose. The Privacy Act dictates that an agency cannot disclose this information without written permission from the individual.

32
Q

Federal Information Security Management Act (FISMA) of 2002

A

U.S. law that requires every federal agency to create, document, and implement an agency-wide security program to provide protection for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

33
Q

HIPAA vs. HITECH vs. Omnibus Rule

A

HITECH added more technical requirements to hospitals and doctors who were using electronic health records. A section of HITECH also improved provisions of HIPAA.
This was when carriers began issuing business associate agreements with all their agents. HITECH had extended the Privacy and Security Rules of HIPAA to business associates: agents of carriers. It also imposed new requirements regarding breaches - covered entities are now obligated to report large data breaches to the government and the affected individuals.

HIPAA and HITECH were updated in 2013 when the Omnibus Rule was released. The greatest change was that the Security and Breach Notification Rules of HIPAA, as well as updates from HITECH, were now to be upheld by business associates.

Where previously, business associates were only obligated to their covered entity, now they were directly liable for any non-compliance and any fines associated with the non-compliance.

34
Q

REP (Reasonable expectation of privacy)

A

In the U.S. legal system, the REP standard is used when defining the scope of the privacy protections provided by the Fourth Amendment of the Constitution. If employees are not specifically informed that work-related monitoring is possible and/or probable, when the monitoring takes place, employees could claim that their privacy rights have been violated and launch a civil suit against your company.

35
Q

Comprehensive Crime Control Act (CCCA) of 1984

A

This law was carefully written to exclusively cover computer crimes that crossed state boundaries, to avoid infringing on states’ rights and treading on thin constitutional ice.

Covered offense: accessing classified information or financial information in a federal system without authorization or in excess of authorized privileges.

36
Q

Computer Fraud and Abuse Act (CFAA) of 1986

A

The computer crime law enacted as part of the CCCA was amended by the more well-known Computer Fraud and Abuse Act (CFAA) in 1986.

Instead of merely covering federal computers that processed sensitive information, the act was changed to cover all “federal interest” computers. This widened the coverage of the act to include the following:
- Any computer used exclusively by the U.S. government
- Any computer used exclusively by a financial institution

37
Q

Computer Fraud and Abuse Act (CFAA) of 1994

A

- Outlawed the creation of any type of malicious code that might cause damage to a computer system
- Modified the CFAA to cover any computer used in interstate commerce rather than just “federal interest” computer systems

38
Q

National Information Infrastructure Protection Act of 1996

A

In 1996, Congress passed yet another set of amendments to the Computer Fraud and Abuse Act designed to further extend the protection it provides.

Broadens CFAA to cover computer systems used in international commerce in addition to systems used in interstate commerce.

39
Q

Computer Security Act (CSA) of 1987

A

Mandated baseline security requirements for all federal agencies.

Gave the National Institute of Standards and Technology (NIST) responsibility for developing standards and guidelines for federal computer systems. For this purpose, NIST draws on the technical advice and assistance (including work products) of the National Security Agency where appropriate.

40
Q

NIST 800-39 vs. 800-37

A

https://www.threatconnect.com/blog/threat-intelligence-within-risk-management/

41
Q

delayed loss

A

Delayed loss is secondary in nature and takes place well after a vulnerability is exploited. Delayed loss may include damage to the company’s reputation, loss of market share, accrued late penalties, civil suits, the delayed collection of funds from customers, resources required to reimage other compromised systems, and so forth.

42
Q

Facilitated Risk Analysis Process

A

The crux of this qualitative methodology is to focus only on the systems that really need assessing, to reduce costs and time obligations. It stresses prescreening activities so that the risk assessment steps are only carried out on the item(s) that need it the most. FRAP is intended to be used to analyze one system, application, or business process at a time.

43
Q

kinds of risk assessment

A

NIST 800-30, FRAP, OCTAVE, AS/NZS 4360, FMEA, CRAM

44
Q

NIST 800-30

A

Prepare, conduct, communicate, and maintain the risk assessment.
It is mainly focused on computer systems and IT security issues. It does not explicitly cover larger organizational threat types, such as succession planning, environmental issues, or how security risks relate to business risks. It is a methodology that focuses on the operational components of an enterprise, not necessarily the higher strategic level.

45
Q

OCTAVE

A

This places the people who work inside the organization in the power positions as being able to make the decisions regarding what is the best approach for evaluating the security of their organization. This relies on the idea that the people working in these environments best understand what is needed and what kind of risks they are facing.

46
Q

AS/NZS 4360

A

AS/NZS 4360 takes a much broader approach to risk management. This Australian and New Zealand methodology can be used to understand a company’s financial, capital, human safety, and business decisions risks. Although it can be used to analyze security risks, it was not created specifically for this purpose. This risk methodology is more focused on the health of a company from a business point of view, not security.

47
Q

FMEA

A

Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. FMEA is commonly used in product development and operational environments.
The application of this process to a chronic failure enables the determination of where exactly the failure is most likely to occur. Think of it as being able to look into the future and locate areas that have the potential for failure and then applying corrective measures to them before they do become actual liabilities.

48
Q

Fault Tree Analysis

A

While FMEA is most useful as a survey method to identify major failure modes in a given system, the method is not as useful in discovering complex failure modes that may be involved in multiple systems or subsystems. A fault tree analysis usually proves to be a more useful approach to identifying failures that can take place within more complex environments and systems

49
Q

CRAMM

A

CRAMM (Central Computing and Telecommunications Agency Risk Analysis and Management Method) was created by the United Kingdom, and its automated tools are sold by Siemens. It works in three distinct stages: define objectives, assess risks, and identify countermeasures.

50
Q

Risk Assessment vs. Risk Analysis

A

A risk assessment is used to gather data. A risk analysis examines the gathered data to produce results that can be acted upon.

51
Q

Vulnerability Assessment vs. Risk Assessment

A

A vulnerability assessment just finds the vulnerabilities (the holes). A risk assessment calculates the probability of the vulnerabilities being exploited and the associated business impact.

52
Q

Quantitative vs. Qualitative Analysis

A

Quantitative evaluation can be used for tangible assets (monetary values), and a qualitative assessment can be used for intangible assets (priority values).

53
Q

BCP vs. BCM

A

While the term “BCP” actually applies to a plan and “BCM” applies to the overall management of continuity, these terms are commonly used interchangeably.

54
Q

ISO and NIST performance metrics & measurement

A

ISO 27004, NIST 800-55 rev1

55
Q

RFC 1087

A

RFC 1087 is called “Ethics and the Internet.” This RFC outlines the concepts pertaining to what the IAB considers unethical and unacceptable behavior.