Domain 1: Security and Risk Management Flashcards

1
Q

Patent

A

Patents legally secure protection for inventions. Patents must be unique ideas that provide useful processes to complete a task.

2
Q

Reduction Analysis

A

A reduction analysis supports threat modeling by identifying elements common to underlying threats.

Also called decomposition

Breaks threat modeling into 5 separate concepts:
Trust Boundaries
Dataflow paths
Input points
Privileged Operations
Details about security stance and approach.

If password attacks are a threat common to several applications, but each of those applications relies on Microsoft Active Directory for authentication and authorization, then Microsoft Active Directory need only be evaluated once for password attacks (not for each application).

3
Q

Risk

A

The possibility or likelihood that a vulnerability will be exploited.

Risk = Threat x Vulnerability x Impact

OR

Risk = Threat x Vulnerability

4
Q

DREAD rating system

A

Risk rating system

The DREAD rating system is designed to provide a flexible rating solution that is based on the answers to five main questions about each threat:

Damage potential
Reproducibility
Exploitability
Affected users
Discoverability

5
Q

SLE

A

Single loss expectancy

6
Q

ALE

A

Annual Loss Expectancy

ALE = SLE x ARO, or (EF x AV) x ARO.

Annualized loss expectancy (ALE) measures the financial loss an asset may be expected to suffer from a specifically identified threat over a one-year period.

7
Q

ARO

A

Annualized rate of occurrence

8
Q

EF (think quantitative risk analysis)

A

Exposure Factor

9
Q

Threat Modeling

A

Threat modeling is the security process wherein potential threats to assets are identified and analyzed. The goal is to proactively model attacks to identify weak spots and opportunities for control improvement.

10
Q

Threat Hunting

A

Threat hunting refers to a technique used in security operations in which production environments are actively scrutinized by an experienced analyst for threats and indicators of compromise.

11
Q

Due Care

A

Due care is best defined as taking the actions and making the decisions that a reasonable and competent person would make.

12
Q

Due Diligence

A

Puts governance structures in place to protect an organization's interests.

  • Things done in advance.
  • Generally strategic, not tactical.
13
Q

Non-repudiation

A

Non-repudiation in digital security refers to ensuring that an authentication event is genuine or provides proof of data’s origin and integrity.

14
Q

Risk mitigation

A

Risk mitigation is when the risk is reduced to an acceptable level aligned with the organization’s risk appetite. It is never possible to eliminate all risk.

15
Q

Risk analysis

A

Synonymous with risk assessment: the systematic process of identifying, analyzing, and evaluating potential threats and vulnerabilities that could impact an organization's information assets.

16
Q

What does a Trademark protect?

A

Brand identity, e.g. a logo, slogan, catchphrase, etc.

17
Q

What is Governance?

A

Governance is the process in which senior management directs an organization to meet its objectives.

Governance must involve oversight to ensure that the goals set by senior management have been met. When performing security governance, IT managers need to keep security objectives in alignment with business objectives.

18
Q

VAST

A

Threat Modeling framework:

Visual, Agile, and Simple Threat

VAST uses Agile programming concepts to conduct threat modeling.

19
Q

Due care

A

Due Care is acting in a way that a reasonable and competent person would act in a given scenario. Exercising due care can help reduce an organization’s liability in the event of a security breach. A lack of due care can be described as negligence.

-Things done in the moment.
-Generally tactical, not strategic.

20
Q

Ultimately, who is accountable for the security of a company or organization?

A

Senior management

21
Q

Procedure

A

Procedures usually detail a step-by-step process to accomplish the desired results.

22
Q

Guideline

A

Guidelines offer suggestions on how to execute policy, standards, or procedures. They provide recommendations but are not required.

NOT the same as best practices.

23
Q

Baseline

A

Defines the minimum level of security that every system throughout the organization must meet.

A baseline is a more operationally focused form of a standard.

All systems not complying with the baseline must be taken offline.

Usually system specific.

24
Q

Inherent Risk

A

Level of default, natural, or native risk in an environment/system/product.

25
Q

Residual Risk

A

Amount of risk left over after remediating controls have been put in place.

26
Q

BCP

A

A Business Continuity Plan (BCP) deals with both preparing for a disaster and aiding after a disaster has occurred.

7 step process:

Develop the contingency planning policy statement.

Conduct the Business Impact Analysis (BIA).

Identify preventive controls.

Create contingency strategies.

Develop an information system contingency plan.

Ensure plan testing, training, and exercises.

Ensure plan maintenance.

27
Q

Strategic Alignment

A

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 17-19.

Strategic alignment means that security policy aligns and supports the business’s objectives, goals, and mission. This is done through the use of Strategic plans, Tactical plans, and Operational plans.

Strategic plans are long-term plans. Example: Create a disaster recovery location within five years.
Tactical plans are more detailed than strategic plans and cover a shorter amount of time. Example: Install servers in the third quarter and set up backups in the fourth quarter.
Operational plans are short, detailed plans. Example: Use Network File System (NFS) with a storage area network (SAN) to attach storage to the servers next week.

28
Q

Change Management

A

The process of making intentional, vetted changes to an environment, including planning, testing, documenting, and validating that security is maintained as a result.

29
Q

Electrical Spike

A

Momentary period of high voltage.

30
Q

Electrical Surge

A

Prolonged period of high voltage.

31
Q

Electrical Sag

A

Momentary low voltage

32
Q

Electrical brownout

A

Prolonged low voltage

33
Q

Electrical Blackout

A

Complete loss of power.

34
Q

FISMA

A

Federal Information Security Management Act.

Applies to federal government agencies and contractors. Passed in 2002.

35
Q

ITAR

A

International Traffic in Arms Regulation

The International Traffic in Arms Regulation (ITAR) is a U.S. regulation that restricts and controls the export of defense and military technologies to foreigners. Organizations that manufacture or process information on controlled technologies must establish strict and rigid controls to ensure data is not disclosed to unauthorized individuals.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 158-159.

36
Q

Economic Espionage Act

A

Passed in 1996; protects trade secrets.

If stolen, up to a $250,000 fine. If stolen and traded to a foreign government, a $500,000 fine.

37
Q

Computer Fraud and Abuse Act CFAA

A

Passed in 1984; the first major piece of cybercrime legislation in the US. Covers computer crimes crossing state boundaries.

38
Q

Privacy Act of 1974

A

The Privacy Act of 1974 restricts the way the government can use private information. It also defines exceptions, such as the census, law enforcement, and health and safety.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 160-161.

39
Q

When conducting a BIA - is negative publicity qualitative, or quantitative?

A

Generally qualitative.

40
Q

What does this statement define?

Presence of a vulnerability when a related threat exists

A

Exposure

41
Q

TOGAF

A

The Open Group Architecture Framework (TOGAF) is a standard that helps organizations design, plan, implement, and govern information technology architecture.

TOGAF uses the Architecture Development Method (ADM) to create architectures for business, data, applications, and technology.

42
Q

Strategic Plan

A

Strategic plans are long-term plans that are fairly stable and define the organization's security purpose. They align the goals, mission, and objectives of the organization.

Example: Create a disaster recovery location within five years.
Tactical plans are more detailed than strategic plans and cover a shorter amount of time. Example: Install servers in the third quarter and set up backups in the fourth quarter.
Operational plans are short, detailed plans. Example: Use Network File System (NFS) with a storage area network (SAN) to attach storage to the servers next week.

43
Q

Cybersecurity Enhancement Act of 2014

A

Amends the National Institute of Standards and Technology Act to permit the National Institute of Standards and Technology (NIST) to produce and support industry-led standards and procedures that reduce cyber risks for organizations.

44
Q

USPTO

A

United States Patent and Trademark Office.

Administers registration of trademarks.

45
Q

Who administers the copyright program?

A

Library of Congress

46
Q

PCI-DSS

A

Payment Card Industry Data Security Standard.

Has 12 main requirements.

47
Q

Digital Millennium Copyright Act

A

The Digital Millennium Copyright Act (DMCA) of 1998 prohibits trading, manufacturing, or selling anything designed to override copyright protection mechanisms. It also addresses ISPs that unknowingly support the posting of copyrighted material by subscribers: if the ISP is alerted that the material is copyrighted, the ISP must remove the material.

48
Q

COBIT - control objectives for information and related technology

A

Specified by ISACA.

Six principles:

Provide Stakeholder Value
Holistic Approach
Dynamic Governance System
Governance Distinct from Management
Tailored to Enterprise Needs
End-to-End Governance System

49
Q

COSO - Committee of Sponsoring Organizations of the Treadway Commission

A

Framework focused on reducing and detecting financial fraud.

Has 20 main principles.

50
Q

Trade Secret

A

Trade secrets legally secure protections on data critical to an organization’s operations. This intellectual property usually requires other legal support, such as non-disclosure agreements (NDA) and non-compete clauses. An example of a trade secret is the Coca-Cola formula.

51
Q

(Threat x vulnerability x asset value) - control gap = _________________

A

Residual risk.

52
Q

SCRM - Supply Chain Risk Management

A

SCRM (Supply Chain Risk Management) is a structured approach to managing resiliency in the sourcing of components and materials. Due to the global, interconnected nature of modern supply chains, the effects from even minor or distant disruptions can cascade to have critical institutional impacts, making supply chain risk management an essential element of broader enterprise risk management practices.

53
Q

Abstraction

A

Abstraction is a principle that is commonly applied to simplify security-related management activities, such as permissions assignment. Abstraction simplifies complex sets through the grouping of similar, fundamental elements. Organizing similar user characteristics into roles, and security permissions into groups, are examples of abstraction being applied.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 12.

54
Q

License

A

A legally established contract of use and limitations. Licenses are a contract between a vendor and a consumer. Most software vendors require a license per seat, which means you need to purchase one for each computer that has the software installed.

55
Q

RFC 1087

A

In 1989, the Internet Architecture Board (IAB) published RFC 1087, a statement of policy titled “Ethics and the Internet”. This statement promoted responsible use of the internet and characterized five categories of activity as unethical. RFC 1087 is considered a forerunner to many contemporary ethics policies.

56
Q

Ten Commandments of Computer Ethics

A

The Ten Commandments of Computer Ethics was developed by the Computer Ethics Institute to provide an ethical framework for computer use. Each of its canons begins with “Thou shalt not” in the style of the biblical Ten Commandments.

57
Q

The Code of Fair Information Practices

A

Developed by a government advisory committee in 1973, it was an early attempt at defining ethical principles for the handling of personal information. The COSO Framework does not directly relate to ethics, but to internal controls.

58
Q

Does PHI include billing information?

A

Yes

59
Q

Administrative investigation

A

Internal only; not meant for legal or third-party disputes.

60
Q

Directive control

A

An access control that directs, confines, or controls the actions of subjects to force or encourage compliance with security policy.

e.g. a sign on a door that says, "No Tailgating!"

61
Q

Safe Harbor - DMCA (Digital Millennium Copyright Act)

A

This protects ISPs or other online providers from liability for their users sharing copyrighted material, provided they meet specific requirements, such as implementing a notice and takedown procedure and adopting a policy to terminate the accounts of repeat infringers.

62
Q

Military and Intelligence Attack

A

Goal is to obtain secret and restricted information from military or law enforcement systems. Targets the classified data that resides on systems.