Domain 1 - Security and Risk management Flashcards

Domain one of CISSP

1
Q

What is the CIA triad?

A

1) Confidentiality: Protects information and systems from unauthorised access.
2) Integrity: Protects information and systems from unauthorised modification.
3) Availability: Ensures that information and systems are available for authorised users when needed.

2
Q

What is governance, and what does it hope to guarantee?

A

Governance ensures:

  1. Stakeholder needs are clearly outlined.
  2. Agreed objectives are met.
  3. Direction through prioritisation is set.
  4. Performance against agreed direction and objectives is monitored.

Governance attempts to guarantee:

  1. Appropriate processes are adhered to.
  2. Identified risks are appropriately reduced.
  3. Leadership has visibility of the security program.
3
Q

What is executive management's responsibility with respect to governance?

A
  1. Be informed about security
  2. Set clear direction to drive policies and strategies
  3. Set priorities
  4. Assign management responsibilities
  5. Obtain assurance from internal and external auditors
4
Q

What are security management's objectives and responsibilities?

A

Objectives:

  1. Enables the vision of the organisation; as the business changes, so too should security management.
  2. Ensures assets are appropriately protected with controls.
  3. Validates that policies and standards are implemented.

Responsibility:

  1. The CISO is responsible for developing the security strategy and overseeing the security program.
  2. Obtain senior management commitment.
  3. Ensure risk and business impact assessments are completed and regulatory compliance is achieved.
  4. Develop risk mitigation strategies and security metrics.
  5. Advise on information security.
5
Q

What is the difference between Due care and Due Diligence?

A

Due Care:

  1. Refers to what a reasonable person would do with respect to security in that circumstance.
  2. Negligence is a lack of due care.

Due Diligence:

  1. Refers to a proactive approach to avoiding harm and protecting assets.
  2. e.g. background checks, penetration testing, backup testing.
6
Q

What makes up an effective security program, and what are their responsibilities?

A
  1. Committee: the steering committee includes members from all affected groups and integrates them into the organisation.
    • Decides on initiatives and prioritises information security efforts
    • Reviews and recommends security policies, reviews and audits the security programme, recommends areas for investment
  2. Executive management: ensures the organisation's functions and supporting infrastructure fulfil the security directives and regulatory compliance.
    • Have clear and visible involvement; members advise and co-ordinate their involvement
  3. Roles: all the people that make up a security program, including security professionals, security admins, information and business owners, auditors, technology people, receptionists and end users.
7
Q

How do we manage governance, risk and regulatory compliance?

A
  1. Governance is the delegation of duties, defining accountability, and evaluating performance.
  2. Governance risk is the set of processes used to analyse risk and mitigation strategies in line with business objectives.
  3. Regulatory compliance requires security professionals to understand the regulations and laws that apply to their organisation based on its industry or local law.
    • Best achieved by defining these requirements within the security policies, standards, procedures and guidelines.
    • Often requires independent audits to attest to compliance.
8
Q

What are the principles of ISO 27001?

A

The ISO 27000 series outlines how an information security management system (ISMS) should be built and maintained, and provides a controls framework:

  • Ensures controls are implemented in a structured manner.
  • Developed from BS 7799 and then taken over by ISO.
  • Attempts to compartmentalise and modularise the necessary components: 27001 for ISMS requirements, 27005 for risk management, 27033 for network security, 27035 for incident management.
  • To achieve certification, a third party assesses compliance against the ISMS requirements laid out in 27001.
9
Q

What are some of the controls to provide confidentiality?

A

Controls:

  • Strict access control
  • Encrypt data at rest (Whole disk, database)
  • Encryption of data in transit (IPsec, SSH, etc.)
  • Training users on proper data protection methods
10
Q

What are some of the controls to provide integrity?

A

Sources of Integrity failures: Intentional alteration, user error, software or hardware error, acts of nature.

Controls:

  • Hashing
  • Non-repudiation/Digital Signatures
  • Access control
  • Change management
  • Configuration management
  • Intrusion detection
11
Q

What are some of the controls to provide availability?

A

Sources of availability failures: malicious attackers, component failures, application failures, utility failures.

Controls:

  • Redundant components, e.g. power, RAID
  • High availability
  • Fault tolerance
  • Patching of OS/application vulnerabilities and flaws
12
Q

What is the relationship between vulnerability, threat, risk, exposure and control?

A
  • Vulnerability is a weakness in a system that allows a particular threat to compromise security.
  • Threat is the potential danger associated with the exploitation of a vulnerability.
  • Risk is the likelihood of a threat source exploiting a vulnerability, and the corresponding impact.
  • Exposure is an instance of being exposed to losses from exploitation.
  • Control is a countermeasure put into place to mitigate or reduce the potential risk.
13
Q

What are the three types of controls?

A
  • Administrative: soft controls, or management controls
    • Security documentation, data classification and labelling, background checks
  • Technical controls: software or hardware components
    • Firewalls, IDS, encryption
  • Physical controls: protect facilities, personnel, and resources
    • Security guards, locks, fences
14
Q

What are the six functions of controls?

A
  • Preventative: avoids an incident occurring
  • Detective: identifies an incident that is occurring
  • Corrective: fixes components or systems after an incident
  • Deterrent: intended to discourage attackers
  • Recovery: brings the environment back up
  • Compensating: an alternative measure of control
15
Q

What are the principles of COBIT?

A
  • Security controls framework.
  • Framework for governance and management developed by ISACA
  • Five key principles:
    • Meeting Stakeholder needs
    • Covering the enterprise end to end
    • Applying a single integrated framework
    • Enabling a holistic approach
    • Separating governance from management
  • Ultimately linked to the stakeholders through a series of transforms or cascading goals.
  • Specifies 17 enterprise and 17 IT-related goals, to remove guesswork.
16
Q

What are the principles of NIST SP 800-53?

A
  • Security controls framework.
  • Used in the US government sector (COBIT is used in the commercial sector).
  • Outlines the controls agencies need in order to be compliant with FISMA.
  • Control categories to protect CIA include:
    • Management
    • Operational
    • Technical
17
Q

What is enterprise architecture?

A
  • Conceptual construct to help individuals understand an organisation in digestible chunks.
  • When developing an architecture, stakeholders need to be identified, and then “views” need to be developed to provide the information specific to each stakeholder's perspective.
  • Allows both business and technology people to view the same organisation in ways that make sense, reducing confusion and optimising business functionality.
18
Q

How does the Zachman Architecture framework work?

A
  • Enterprise Architecture
  • Two-dimensional model that uses six communication interrogatives (What, How, Where, Who, When and Why) intersecting with different perspectives (executives, developers) to give a holistic view.
  • Each row should describe the enterprise completely from that perspective.
  • Not security focused.
  • Helps to understand an enterprise in a modular fashion.
19
Q

What are the principles of the TOGAF framework?

A
  • Enterprise Architecture model
  • Used to develop the following architectures:
    • Business
    • Data
    • Applications
    • Technology
  • Uses the Architecture Development Method (ADM), which is an iterative and cyclic process that allows requirements to be reviewed and architectures to be updated.
20
Q

What are the principles of the DoDAF/MODAF framework?

A
  • Enterprise Architecture framework
  • Focuses on command, control, communications, surveillance and reconnaissance systems.
  • Different types of devices need to communicate using the same protocol and be interoperable with software components, but also use the same data elements.
  • MODAF, developed by the British MOD, is another enterprise architecture framework based on DoDAF.
  • Aims to get data in the right format to the right people as soon as possible.
21
Q

How does Enterprise Security Architecture work?

A
  • Ensures security is aligned with business practices in a cost-effective manner.
  • Defines the security strategy in layers of solutions and processes across an enterprise strategically, tactically, and operationally.
  • Goal is to integrate technology-oriented and business-centric security processes by linking the administrative, technical and physical controls and integrating these processes into the IT infrastructure, business processes and the organisation's culture.
22
Q

How does SABSA work?

A
  • Enterprise Security Architecture
  • Layered framework; the first layer defines business requirements from a security perspective. Each layer decreases in abstraction, increases in detail, and moves from policy to implementation.
  • Has a lifecycle model of improvement focusing on:
    • Strategic alignment: legal requirements met.
    • Business enablement: core business processes are integrated into the security operating model.
    • Process enhancement: allows process management to be redefined and calibrated.
    • Security effectiveness: determines how security solutions are performing.
23
Q

What are the principles of COSO?

A
  • Controls Framework
  • COBIT was derived from COSO
  • Identifies 17 control principles grouped into five components:
    • Control environment
    • Risk assessment
    • Control activities
    • Information and communication
    • Monitoring activities
  • COSO IC is a model for corporate governance, COBIT for IT governance.
  • COSO deals at the strategic level, while COBIT is operational.
24
Q

What are the principles of ITIL?

A
  • Process management framework.
  • De facto standard of best practices for IT Service management.
  • Provides the goals, the general activities necessary to achieve the goals, as well as the input and output values for each process required to meet these goals.
  • Focus is toward internal SLAs between the IT department and the customers it serves.
25
Q

What are the principles of Six Sigma?

A
  • Process management framework.
  • Improves process quality by using statistical methods of measuring operational efficiency and reducing variation, defects and waste.
  • Used to measure the success factors of different controls and procedures.
  • Maturity of a process is described by a sigma rating, indicating the percentage of defects.
26
Q

What are the principles of CMMI?

A
  • Process management standard
  • Determines the maturity of an organisation's processes.
  • Used within organisations to help lay out a pathway for making incremental improvements.
  • There are five levels of maturity, ranging from 0 (nonexistent management) to level 5 (optimised process).
  • Each level represents an evolutionary stage.
27
Q

What is the best approach to building a Security Program?

A
  • Must be a top-down approach: initiation, support and direction come from top management.
  • Must use a cycle that is continually evaluated and improved:
    • Plan & Organise (develop threat profile, architectures)
    • Implement (assign roles, implement blueprints)
    • Operate & Maintain (audits, execute tasks per blueprints, SLAs)
    • Monitor & Evaluate (review SLAs, audits, develop improvement steps)
  • The 27000 series is like the description of a house, the architecture is the layout of the house, blueprints are like the security and electrical systems, and controls are the building specifications and codes.
28
Q

What are the three categories of computer crime?

A
  1. Computer-assisted crime: the computer was used as a tool to conduct the crime, e.g. attacking financial systems to steal funds or IP.
  2. Computer-targeted crime: the computer was the victim of the crime, e.g. DDoS, capturing passwords, malware.
  3. Computer is incidental: a computer just happened to be involved when a crime was carried out, e.g. child pornography.
29
Q

What are the types of legal systems?

A
  • Civil law:
    • Used mainly in continental European countries
    • Rule-based law, not precedent-based
    • Most widespread legal system
  • Common law:
    • Based on previous interpretations of the law
    • Consists of a higher court, many intermediate courts, and many local courts; precedent flows down this system
    • Broken down into criminal, civil and administrative
  • Customary law:
    • Deals mainly with personal conduct and patterns of behaviour
    • Used in regions of the world with mixed legal systems (China, India)
  • Religious law:
    • Based on religious interpretation
    • Covers all aspects of human life including religious duties
  • Mixed law system:
    • Combination of two or more legal systems
    • Most common is civil and common law, e.g. Canada, Holland
30
Q

What has the Organisation for Economic Co-operation and Development (OECD) done to address the concern that different countries have different laws related to privacy and how it should be protected?

A
  • Came up with guidelines for the various countries to follow so that data is protected.
  • Core principles include:
    • Collection limitation: collection should be limited and known.
    • Data quality: kept complete, current and relevant as intended.
    • Purpose specification: subjects should be notified about the collection.
    • Use limitation: data can only be disclosed with the consent of the subject.
    • Security safeguards: reasonable safeguards to protect data.
    • Openness: practices and policies regarding data should be open.
    • Individual participation: subjects must be able to find out who has their data.
    • Accountability: organisations should be accountable for the data they keep.
31
Q

What are the main considerations of GDPR?

A
  • Defines three relevant parties: subject, controller and processor.
  • Regulation applies if any of the three entities is based in the EU.
  • What constitutes private data is broader than under laws outside the EU.
  • Key provisions:
    • Consent: controllers and processors cannot use data without it.
    • Right to be informed: must inform subjects about the data use.
    • Right to restrict: subjects can agree to data collection by the controller but disallow the processor.
    • Right to be forgotten: subjects can request their personal data be removed.
    • Data breaches: report within 72 hours.
32
Q

What are the forms of intellectual property protections?

A
  • Trade secret: proprietary to a company and important for its survival, e.g. the formula for Coke, ingredients for a special sauce. Has no expiration date.
    • Requires employees to sign NDAs
  • Copyright: protects the rights of the creator from unauthorised copying and distribution. Protection for the life of the creator + 70 years.
  • Trademark: represents the brand identity. Protected for 10 years, but can be renewed indefinitely.
  • Patent: provided to inventions that are novel, useful and not obvious. Prevents others from using or copying the invention for 20 years.
  • Software licensing: applications are usually licensed rather than sold outright:
    • Freeware: publicly available
    • Shareware, or trialware: trial, then asked to purchase
    • Commercial
    • Academic: reduced costs for academics
33
Q

What is PII and what are some approaches to protecting privacy?

A
  • Personally Identifiable Information (PII): data that can be used to uniquely identify or locate a single person.
    • Full name, national ID number, vehicle plate number, driver's license number, credit card numbers, etc.
  • Two approaches: a generic approach across all industries, or regulation by industry (vertical enactment), such as financial or healthcare.
  • Need for privacy:
    • Data aggregation and retrieval advancement
    • Loss of borders: business globalisation
    • Convergent technologies advancement: gathering, mining
34
Q

What are some privacy protection laws on the US government?

A
  • Federal Privacy Act: ensures agencies cannot disclose information about an individual (medical, criminal, education) without permission.
  • FISMA: requires every agency to create a security program to protect its systems. NIST SP 800-37 helps ensure compliance.
  • VA Act: specifically for the Department of Veterans Affairs (VA), because of a laptop theft incident that disclosed 26.5 million records; the department was not compliant.
  • USA PATRIOT Act: eases restrictions on law enforcement and foreign intelligence gathering in the USA.
35
Q

What are some of the laws on corporations to deal with privacy?

A
  • HIPAA: national standard for the storage, use, and transmission of personal medical information and healthcare data. Also applies to any facility that creates, accesses, shares or destroys medical information.
  • HITECH: addresses the privacy and security concerns of electronic transmission of health records, and the civil and criminal enforcement.
  • GLBA: requires financial institutions to develop privacy notices and enable customers to opt out of information sharing. Makes directors responsible for security.
  • PIPEDA: main goal is to oversee how the private sector collects, uses, and discloses personal information in regular business.
36
Q

What are self regulation standards to protect privacy and security?

A
  • PCI DSS is a proactive step the credit card industry took.
  • Applies to any entity that processes, transmits, stores or accepts credit card data.
  • Made up of 12 requirements grouped into six categories:
    • Build and maintain a secure network
    • Protect cardholder data
    • Maintain a vulnerability management program
    • Implement strong access control
    • Regularly monitor and test networks
    • Maintain an information security policy
37
Q

What is a security policy?

A
  • Overall general statement produced by senior management.
  • Needs to be technology and solution independent.
  • Can be:
    • Organisational: establishes how a security program will be set up, lays out the goals, assigns responsibility.
    • Issue-specific: a specific issue that management feels needs more attention, to ensure it is clear how to comply, e.g. an email policy.
    • System-specific: represents decisions that are specific to the actual computers, networks and applications, e.g. how a sensitive database or laptops should be locked down.
  • Types of policies:
    • Regulatory: applies to some regulation such as HIPAA, FISMA
    • Advisory: strongly advises employees what is acceptable
    • Informative: not an enforceable policy
38
Q

What is a security standard?

A
  • Mandatory activities, actions, or rules that give a policy its support.
  • Ensures specific technologies, applications, and procedures are implemented in a uniform (standardised) manner.
  • These rules are compulsory and must be enforced.
  • For example, an issue-specific data classification policy states “All confidential data must be protected”; the corresponding standard states “Confidential information must be protected with AES-256 at rest and in transit”.
39
Q

What is the difference between baselines, guidelines and procedures?

A
  • Baselines:
    • Refer to a point in time that is used as a comparison for future changes.
    • Used to define the minimum level of protection required.
  • Guidelines:
    • Recommended actions and operational guides for users, IT and operations staff when a specific standard doesn't apply.
  • Procedures:
    • Considered the lowest level in the documentation chain because they are closest to the computers and users, and spell out how the policies, standards and guidelines will be implemented.
40
Q

What is Risk Management?

A
  • Process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level.
  • Requires skills in identifying threats, assessing probability and impact, and then taking the steps to reduce overall risk.
  • According to NIST SP 800-39:
    • Organisation: risks to the business as a whole
    • Business Process: risks to major functions of the organisation
    • Information systems: risks from a systems perspective
  • Information systems risk management policy requires commitment from senior management. Defines the level of risks, formal processes, mapping of risk to internal controls.
41
Q

What is the Risk management process?

A
  • NIST SP 800-39 describes four interrelated components:
    • Frame risk: defines the context within which all other risk activities take place
    • Assess risk:
    • Respond to risk: matching our limited resources with our prioritised set of controls
    • Monitor risk: monitoring the effectiveness of our controls against the risks
42
Q

What are the threat modeling concepts?

A

Information systems consist of information, processes and people.

Information:

  • Data at rest: copied and given to unauthorised parties
  • Data in motion: modified or intercepted on the network
  • Data in use: exploiting race conditions, TOC/TOU

Processes: a specific kind of software vulnerability, but should also include business processes.

People: social engineering, social networks, weak passwords.

43
Q

What are threat modeling methodologies?

A
  • Attack trees: based on the observation that there are multiple ways to accomplish a given objective.
    • The branches created by each decision point form what is known as an attack tree.
    • Each leaf node represents a specific condition that must be met in order for the parent node to be effective.
    • A successful attack is one in which the attacker traverses from a leaf node all the way to the root.
  • Reduction analysis, two focal points:
    • One aspect is to reduce the number of attacks, and the other is to reduce the threat posed by the attack.
    • The closer you are to the root when you implement a mitigation, the more leaf conditions you will defeat.
44
Q

What is the difference between risk analysis and risk assessment?

A

Risk assessment is a method of identifying vulnerabilities and threats and assessing the possible impacts, to determine where to implement controls.

Risk analysis prioritises the risks and shows management the amount of resources that should be applied to protecting against those risks:

  • Identify assets and their value
  • Determine the likelihood that a threat exploits a vulnerability
  • Determine the business impact
  • Provide a balance between the impact of the threat and the cost of the countermeasure (cost/benefit analysis)
45
Q

What are the methodologies for risk assessments?

A
  • NIST SP 800-30
    • Prepare for the assessment
    • Conduct the assessment (identify threat sources, vulnerabilities, likelihood, impact, risk)
    • Communicate results
    • Maintain the assessment
  • Facilitated Risk Analysis Process (FRAP): intended to analyse one system, application, or business process at a time. The scope of the assessment is small, and it cannot use calculations such as ALE.
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE): a more in-depth assessment that requires workshops to help ensure team members understand the methodology. Much wider in scope.
  • ISO 31000, developed by AUS/NZ, is a broader approach that covers financial, safety, and business decisions.
  • ISO 27005 is a standard for how risk management should be carried out in the framework of an ISMS; deals with IT and softer issues.
  • Failure Modes and Effects Analysis (FMEA): method of determining functions, identifying functional failures, and assessing the causes of failure and their effects. Not as useful in complex environments. Involves the following steps:
    • Block diagram of a system or control
    • Determine what happens if each block fails
    • In a table, identify which failures are paired with which effects, and evaluate the effects
    • Adjust the table until the system is not known to have unacceptable problems
    • Several engineers review the FMEA
  • Fault tree analysis is better for complex environments: an undesired effect is placed at the root, and then each situation that has the potential to cause that effect is added to the tree.
  • Central Computing and Telecommunications Agency Risk Analysis and Management Method (CRAMM) works in three stages: define objectives, assess risks, and identify countermeasures. Bundles questionnaires, asset dependency modelling, assessment formulas, etc. in an automated tool.
46
Q

What are the steps of Quantitative Risk analysis?

A
  • Uses mathematical formulas for data interpretation.
    • Single Loss Expectancy (SLE): loss from a single instance
      • Asset Value x Exposure Factor (EF) = SLE, where EF is the % of loss
    • Annualised Loss Expectancy (ALE): loss in a year
      • SLE x Annualised Rate of Occurrence (ARO) = ALE
    • Cost of the control selected <= ALE
  • Considerations: uncertainty is the degree to which you lack confidence in an estimate.
  • Main issues: the calculations are complex and laborious without tools, and more preliminary work is needed.
47
Q

What are the steps of qualitative analysis?

A
  • Monetary values are NOT used; instead a matrix of likelihood vs consequences, ranked from low to high or 1-5 on each axis, is used to represent the risk.
  • Once selected personnel agree on the findings, they are presented to management to help make decisions. Benefits from the communication that must happen amongst the team to identify the risk.
  • Can use the Delphi technique to keep team members' opinions anonymous, to prevent people from being pressured to vote a certain way.
48
Q

What are some risk Management frameworks (RMF)?

A
  • An RMF is a structured process that identifies, assesses and reduces risk, and ensures it remains at the reduced level.
  • NIST SP 800-37: takes a systems life cycle approach.
  • ISO 31000: focuses on uncertainty that leads to unanticipated effects. Much broader framework, covering more than IT.
  • ISACA Risk IT: bridges the gap between the generic ISO 31000 and the IT-centric NIST. Very well integrated with COBIT.
  • NIST SP 800-37 specifies six steps:
    • Categorise information systems: define the system, subsystems and boundaries, and any legal requirements.
    • Select security controls:
    • Implement security controls
    • Assess security controls
    • Authorise information system: after examining the risk exposure, determine if the residual risk is acceptable.
    • Monitor security controls: have any vulnerabilities been discovered?
49
Q

What is the difference between Disaster Recovery Plan (DRP) and Business Continuity Planning (BCP)?

A
  • DRP is to handle an incident and its ramifications right after disaster hits.
  • Business Continuity Planning includes getting critical systems to another environment while repair of the original facilities is under way. Planning means getting the right people to the right places, documenting the necessary configurations, establishing alternative communication channels, providing power and making sure all dependencies are properly understood.
  • Business Continuity Management (BCM) is the holistic management of both DRP and BCP.
50
Q

What are the BCP best practices and standards?

A
  • NIST SP 800-34 steps:
    • Develop the continuity planning statement: assigns authority to the necessary roles
    • Conduct the Business Impact Analysis (BIA): identifies critical systems/applications and the associated vulnerabilities and risk
    • Identify preventive controls: to minimise the risk
    • Create contingency strategies: methods to bring systems up quickly
    • Develop an information system contingency plan: write policies and procedures for how to be operational in a critical state
    • Ensure plan testing and exercises
    • Ensure plan maintenance
  • ISO 27031:2011: guidelines for readiness for business continuity
  • ISO 22331:2012:
51
Q

How do you make BCM Part of the Enterprise Security Program?

A
  • Understand the organisation first, using frameworks such as Zachman's framework, as it allows you to understand the company's architecture, policies and components.
  • The CBK is broken down into eight domains, which are top-tier disciplines, and thus each company should have at least eight sets of policies and procedures.
  • Senior management must know its responsibility and have a view that extends beyond each functional manager's focus.
  • To get BCP support from management, business cases must be made that include vulnerabilities, legal obligations, and the current status of recovery.
  • A cost/benefit analysis should include shareholder, stakeholder, regulatory, and legislative impacts.
52
Q

What are the components of a BCP project?

A
  • Setting up the budget and staff for the program (BCP committee).
  • Assigning duties and responsibilities to the BCP coordinator and to the representatives.
  • Senior management kicks off the BCP program with a formal announcement.
  • Awareness-raising activities to let employees know about the BCP program and to build internal support for it.
  • Establishment of skills training to support the BCP effort.
  • Start data collection throughout the organisation to aid in crafting the various continuity options.
  • Putting into effect quick wins and low-hanging fruit.
53
Q

What is the purpose of a Business Impact Analysis?

A
  • A functional analysis in which a team collects data through interviews and documentary sources; documents business functions and develops a hierarchy of them; and finally applies a classification scheme to indicate each individual function's criticality level.
  • The BCP committee must identify the threats to the company and map them to the following:
    • Maximum tolerable downtime: non-essential 30 days, critical minutes to hours
    • Operational disruption and productivity
    • Financial considerations
    • Regulatory responsibilities
    • Reputation
  • The BIA is conducted after the data gathering phases.
54
Q

What are the responsibilities for BCM from a management and BCP team perspective?

A

Management's responsibilities:

  • Committing fully to the BCP
  • Setting policy and goals
  • Making available the necessary funds and resources
  • Taking responsibility for the outcome of the development of the BCP
  • Appointing a team for the process

The BCP team's responsibilities are as follows:

  • Identifying regulatory and legal requirements
  • Identifying all possible vulnerabilities and threats
  • Estimating the possibilities of these threats
55
Q

What are the personnel Security issues?

A
  • HR practices: hiring qualified individuals, conducting background checks, using detailed job descriptions, providing necessary training, enforcing strict access controls, and terminating individuals in a way that is appropriate for the parties involved.
  • Separation of duties: make sure one individual cannot complete a critical task by themselves; collusion must take place for fraud to be committed.
    • Split knowledge: no one person knows everything; two people need to combine their knowledge to complete some task.
    • Dual control: two people need to be available and active to perform the operation.
  • Rotation of duties: a detective control to uncover fraudulent activities that would otherwise have stayed hidden because the same person was doing the activity for so long.
56
Q

What is Security Governance?

A
  • A framework that allows for the security goals of an organisation to be set and expressed by senior management.
  • Oversight mechanisms developed, to ensure those that are responsible are constantly updated on the health and security of the organisation.
  • A system of integrated processes that helps ensure consistent oversight, accountability, and compliance.
  • Use of metrics:
    • Assess the effectiveness of our work, identify deficiencies and prioritise the things that still need work
    • Measurement needs to happen on a continuous basis, so the data collection methods must be repeatable
    • Measurements are compared with set values to determine performance
    • Industry best practices for metrics include ISO 27004 and NIST SP 800-55
57
Q

What is the ISC² code of ethics?

A
  • Protect society, the common good, necessary public trust and confidence, and the infrastructure
  • Act honourably, justly, responsibly and legally
  • Provide diligent and competent service to principals
  • Advance and protect the profession