Domain 1

Question 1

ISC2 Code of Ethics

Answer 1

PAPA

Protect society, the commonwealth,
and the infrastructure

Act honorably, honestly, justly,
responsibly, and legally

Provide diligent and competent
service to principals

Advance and protect the profession

Question 2

Types of Security Planning

Answer 2

Strategic. Long term, stable plan that should include a risk assessment. (5-yr horizon, annual updates)

Tactical. Midterm plan developed to provide more details on goals of the strategic plan. (usually ~1 year)

Operational. Short term, highly detailed plan based on the strategic and tactical plans. (monthly, quarterly)

Question 3

Primary Risk Management Framework

Answer 3

NIST 800-37 RMF

Question 4

Other RMFs

Answer 4

OCTAVE
operationally critical threat, asset, and
vulnerability evaluation

FAIR
Factor Analysis of Information Risk

TARA
Threat Agent Risk Assessment

Question 5

6 Steps of NIST 800-37 RMF

Answer 5

P CSIAAM
Prepare to execute the RMF
1. Categorize information systems
2. Select security controls
3. Implement security controls
4. Assess the security controls
5. Authorize the system
6. Monitor security controls

Question 6

Types of Risk

Answer 6

Residual - (AFTER)The risk that remains even with all conceivable safeguards in place.

Inherent - (BEFORE)Newly identified risk not yet addressed with risk management strategies.

Total - (WITHOUT)The amount of risk an organization would face if no safeguards were implemented.

Question 7

Risk Formula

Answer 7

Threat * Vulnerability

Question 8

Types of Risk Analysis

Answer 8

Quantitative - Assigns a dollar value to evaluate effectiveness of countermeasures

Qualitative - Uses a scoring system to rank threats and effectiveness of countermeasures

Delphi Technique - An anonymous feedback-and-response process used to arrive at a consensus.

Question 9

Risk Analysis Steps

Answer 9

The six major steps in quantitative risk analysis
1. Inventory assets and assign a value (asset value, or AV).
2. Identify threats. Research each asset and produce a list of all
possible threats of each asset. (and calculate EF and SLE)
3. Perform a threat analysis to calculate the likelihood of each threat
being realized within a single year. (the ARO)
4. Estimate the potential loss by calculating the annualized loss
expectancy (ALE).
5. Research countermeasures for each threat, and then calculate the
changes to ARO and ALE based on an applied countermeasure.
6. Perform a cost/benefit analysis of each countermeasure for each
threat for each asset.

Question 10

Loss Potential

Answer 10

What would be lost if the threat agent is

successful in exploiting a vulnerability.

Question 11

Delayed loss

Answer 11

This is the amount of loss that can occur

over time.

Question 12

Quantitative Formula Terms

Answer 12

exposure factor (EF)
single loss expectancy (SLE)
annualized rate of occurrence (ARO)
annualized loss expectancy (ALE)
Safeguard evaluation

Question 13

Controls Gap

Answer 13

The amount of risk reduced by
implementing safeguards

total risk - controls gap = residual risk

Question 14

Supply Chain Evaluation

Answer 14

On Site Assessment. Visit organization, interview personnel, and observe their operating habits.

Document Exchange and Review. Investigate dataset and doc exchange, review processes

Process/Policy Review. Request copies of their security policies, processes, or procedures.

Third party Audit. Having an independent auditor provide an unbiased review of an entity’s security infrastructure

Question 15

Threat Modeling Focuses on 3 Approaches

Answer 15

Focused on Assets. Uses asset valuation results to identify threats to the valuable assets.

Focused on Attackers. Identify potential attackers and identify threats based on the attacker’s goals.

Focused on Software. Considers potential threats against the software the org develops.

Question 16

Threat Modeling STRIDE

Answer 16

Microsoft

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege

Question 17

Threat Modeling PASTA

Answer 17

risk centric model, which focuses on controls relative to asset value

Stage I: Definition of Objectives
Stage II: Definition of Technical Scope
Stage III: App Decomposition and Analysis
Stage IV: Threat Analysis
Stage V: Weakness and Vulnerability Analysis
Stage VI: Attack Modeling & Simulation
Stage VII: Risk Analysis & Management

Question 18

Threat Modeling VAST

Answer 18

model, based on Agile project management and programming principles

Visual
Agile
Simple
Threat

GOAL: Scalable integration of threat management into an Agile programming environment

Question 19

Threat Modeling Trike

Answer 19

An open source threat modeling process
that implements a requirements model.

Ensures the assigned level of risk for each
asset is “acceptable” to stakeholders.

Question 20

Threat Modeling DREAD

Answer 20

Damage potential
Reproducibility
Exploitability
Affected users
Discoverability

Question 21

Security Controls

Safeguards and Countermeasures

Answer 21

Safeguards are proactive

Countermeasures are reactive

Question 22

Control Categories

Answer 22

Technical. aka “logical”, involves the hardware or software mechanisms used to manage access.

Administrative. Policies and procedures defined by org’s security policy, other regulations and requirements

Physical. Are items you can physically touch.

Question 23

Control Types

Answer 23

Deterrent. Deployed to discourage violation of security policies.

Preventative. Deployed to thwart or stop
unwanted or unauthorized activity from occurring.

Detective. Deployed to discover or detect
unwanted or unauthorized activity.

Compensating. Provides options to other existing controls to aid in enforcement of security policies.

Corrective. modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred.

Recovery. an extension of corrective controls but have more advanced or complex abilities.

Directive. direct, confine, or control the actions of subjects to force or encourage compliance with security policies.

Question 24

LAWS: CFAA

Answer 24

Computer Fraud and Abuse Act (CFAA). The first major piece of US cybercrime specific legislation

Question 25

LAWS: Federal Sentencing Guidelines

Answer 25

provided punishment guidelines to help federal judges interpret computer crime
laws.

Question 26

LAWS: FISMA

Answer 26

Federal Information Security Management Act (FISMA). Required a formal infosec operations for federal gov’t

Question 27

LAWS: CDMCA

Answer 27

Copyright and the Digital Millennium Copyright Act (CDMCA). Covers literary, musical, and dramatic works.

Question 28

Trademarks

Answer 28

cover words, slogans, and logos used

to identify a company and its products or services.

Question 29

Patents

Answer 29

Patents protect the intellectual property

rights of inventors.

Question 30

Trade Secrets

Answer 30

intellectual property that is absolutely

critical to their business and must not be disclosed.

Question 31

Licensing

Answer 31

4 types you should know are contractual,

shrink wrap, click through, and cloud services.

Question 32

(Legal & Regulatory) Encryption and Privacy

Answer 32

Computer Export Controls. US companies can’t export to Cuba, Iran, North Korea, Sudan, and Syria.

Encryption Export Controls. regulations on the export of encryption products outside the US.

Privacy (US). The basis for privacy rights is in the Fourth Amendment to the U.S.

Privacy (EU). General Data Protection Regulation (GDPR) is the most likely to be mentioned

Question 33

HIPAA

Answer 33

Health Insurance Portability and Accountability

Question 34

HITECH

Answer 34

Health Information Technology for Economic and Clinical Health

Question 35

GLBA

Answer 35

Gramm-Leach-Bliley Act (financial institutions)

Question 36

COPPA

Answer 36

Children’s Online Privacy Protection Act (

Question 37

ECPA

Answer 37

Electronic Communications Privacy Act (

Question 38

CALEA

Answer 38

Communications Assistance for Law Enforcement Act

Question 39

Business Continuity Planning Steps

Answer 39

1. Strategy development
2. Provisions and processes
3. Plan approval
4. Plan implementation
5. Training and education

Question 40

COBIT

Answer 40

IT management and governance framework

Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End to End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance from Management