DOMAIN 1: Security and Risk Management

Question 1

CIA Confidentiality

Answer 1

Protecting secrets (ex: military, pharmaceutical

Question 2

CIA - Integrity

Answer 2

Protecting accuracy and authenticity (ex: banks, brokerage firms)

Question 3

CIA- Availability

Answer 3

Protecting stability and reliability . (ex: ISP, Telecomm)

Question 4

DAD

Answer 4

• Disclosure, Alteration, and Destruction (NEGATIVE)

Question 5

Information/data owners (Data Controllers)

ACCOUNTABLE for Assets

Answer 5

Business unit/division. Usually a person in the unit will be designated as the “owner”.

1) Must identify assets
2) Classify the assets
3) Determines access permissions for the assets

Question 6

Custodians (stewards) (RESPONSIBLE for assets)

Answer 6

They don’t own the data, but they have
maintenance responsibilities for the assets.
(IT, operations, helpdesk, etc.)
- Perform day-to-day tasks: ensure CIA, perform backups,
implements security controls, etc.

Question 7

System Owners

Answer 7

“Own” the equipment , systems, networks, etc.

(ex: IT department) Here, “own” means “responsible for”

Question 8

Auditors

Answer 8

Check for compliance . They bring an outside

scope or perspective. Can be internal or external auditors, but from a different department at least

Question 9

Users

Answer 9

They may take assets home, but they must keep

them secure! This is why we have to convince them to take security seriously

Question 10

Due Care

Answer 10

Setting best or reasonable practices as a
responsible individual/organization should. “Doing the right
thing” (Similar to “The Prudent Person Rule”)
- The company did all that it could have reasonably done to
prevent the breach: They did exercise due care

Question 11

Due Diligence

Answer 11

Providing a record or history of compliance and
enforcement . Providing evidence that you
are doing the right thing. (the proof of following the policy)
- Auditors care about BOTH due care AND due diligence

Question 12

Legal standards: PCI - DSS

Answer 12

Payment Card Industry - Data Security Standard
- Security standard requiring businesses that accept, process,
transmit, or store credit or
debit card information to implement certain
controls in order to reduce credit card fraud.

Question 13

Sarbanes -Oxley Act (SOX)

Answer 13

Protects investors from fraudulent corporate
accounting activities (you can’t lie to your investors!)
- Section 302: CEO SIGN; CFO’s and CEO’s can go to jail if the info they sign is false
- Section 404: Internal controls assessment. Good auditing and security of accounting files

Question 14

Health Insurance Portability and Accountability Act (HIPAA)

Answer 14

Laws requiring the protection of: Personal Health Information (PHI)

Question 15

Federal Information Systems Management Act (FISMA)

Answer 15

US law for government agencies to secure their IT environments .

Question 16

Legal systems: Common Law

Answer 16

(US, Canada, UK, Australia, NZ, etc) Enforcement is based on
legal precedent. This includes:
1) Written law passed by legislators
2) Court decisions
3) Judges legal opinions (ex: judge says
"this is unconstitutional")

Question 17

Civil Law (Code Law)

Answer 17

(Europe, South America, etc.) Enforcement of the law is based on:
1) Written law
2) Abstract rules and concepts (ex:
democracy, property protection)
3) Academic writings on concepts of law by the
legal scholars

Question 18

Religious Law

Answer 18

(Vatican, Africa, Indonesia, Islamic law (Middle-East))
1) Religion is endorsed by the government
2) Perhaps with little or no separation between
religion and state

Question 19

Subdivisions of Common Law include:

Criminal Law

Answer 19

Punishing behavior harmful to society.

Punishments include: jail, death (capitol punishment), fines, losing certain rights as an individual

Question 20

Civil or Tort Law

Answer 20

(Law suits) Punishing wrongs against individuals or businesses
that result in harm . Punishments are usually
financial

Question 21

Administrative or Regulatory Law

Answer 21

Special rules that apply to particular industries.
Regulators check businesses to make sure they’re
compliant.

Question 22

USA branches of law:

Answer 22

Legislative : writes laws
Executive : enforces laws
Judicial : interprets laws

Question 23

Computer Crimes

Answer 23

For classification as a computer crime, computers:
1) Can be a tool of crime (ex: digital
manipulation)
2) Can be a target of crime (victim of digital
manipulation)
3) Can be incidental to the crime (not a tool or
target, but contains evidence) (Ex: logs on the router, or browser cache)

Question 24

Intellectual property includes:

Patents (strongest)

Answer 24

Protections awarded by the government for useful, novel, and non-obvious inventions. US patents last for
20 years from the date of registration/filing of the
patent.

Question 25

Trademarks (must be registered)

Answer 25

Any symbol, word, name, colors, musical tunes, or design to identify a product or service . You have to use it in commerce, and continue to use it to claim it’s still yours. Otherwise, it doesn’t expire.

Question 26

Copyrights

Answer 26

Protections for creative expressions of ideas .
(books, movies, songs, software) US copyrights last for
70 years after the death of the author.

Question 27

Trade Secrets

Answer 27

Any information, device, method, technique, or process that derives economic value from not being
generally known, and is kept a secret. Must continue to protect it as a secret.

Question 28

IP software licensing: Public Domain

Answer 28

Available for anyone to use

Question 29

Open Source

Answer 29

Source code available for free to study, modify, use, and distribute

Question 30

Freeware (Shareware)

Answer 30

Proprietary software available for free, but there are some restrictions on modifications and redistribution

Question 31

Site & Per-Seat licensing

Answer 31

Buy a license for entire org, or one license per-user or per- “seat”

Question 32

DRM (Digital Rights Management)

Answer 32

Uses encryption to enforce copyright restrictions on digital media. This is done to protect Intellectual Property

Question 33

Wassenaar Arrangement

Answer 33

An arms control treaty among 40 nations
(including the US) To control the export of weapons and controlled dual-use
technologies. (used by both commercial and military)
Ex: Strong encryption tools, such as LARGER KEY SIZES.
Controls key sizes larger than 56-bit (which means DES has now been de-controlled)

Question 34

7 European Union Privacy Directives

Answer 34

8 points (page 128) Study these!

• Created by OECD: Organization for Economic Cooperation and Development
• Remember the term EUROPEAN UNION PRINCIPALS

Question 35

General Data Protection Regulation (GDPR)

Answer 35

• Added “Right to be Forgotten Principal”
• If there is a security breach, you must inform the EU
  within 72 hours of the breach or be fined
• Orgs in breach of GDPR can be fined up to 4% of annual global turnover, or €20 million, whichever is greater!

Question 36

(ISC)² code of ethics canons.

Answer 36

1) Protect Society (safety first!)
2) Act honorably and legally .
3) Provide diligent service to principals .
4) Advance and protect the profession .

Question 37

Security planning Top-down approach

Answer 37

Driven by management . You must start here

for security.

Question 38

Bottom-up approach

Answer 38

Driven by IT, admins, helpdesk, etc.

- Lack of enforcement & authority if you only use bottom-up - Lack of funding & resources

Question 39

Policies

Answer 39

• First and highest level of documentation. Corporate “vision” statement reflecting management’s commitment to its goals

Question 40

What makes good, effective policy?

Answer 40

• clear, concise, understandable (universal interpretation)
• Relevant to the business. Current, and not obsolete
• Enforceable (need management backing), and doable
• Easily accessible by all employees
• Applied fairly and consistently .
  (this applies to management too, unless the policy has exceptions)
• Should be stable and enduring , with a long-term focus
• Should have consequences if violated (give incentive to comply

Question 41

Procedures

Answer 41

Step by step required actions

Question 42

Standards

Answer 42

Hardware, software, documents to be

deployed universally throughout the organization. Use of specific technologies in a uniform way

Question 43

Baselines

Answer 43

Minimum levels of protection for

specific platforms or environments (minimum settings)

Question 44

Guidelines

Answer 44

Recommendations, suggestions,

best-practices , advice

Question 45

Employee candidate screening

Answer 45

Check credit history, do a background check

Question 46

Policies for new employees include

Answer 46

Non-disclosure agreements (NDAs)- Still binding, even after you leave the company)
Acceptable-Use policies
.(network, phones, supplies, building, kitchen, etc)

Question 47

Separation of Duties

Answer 47

To reduce fraud or conflict of interest

Question 48

User Access Reviews

Answer 48

Periodically review and recertify privileged users

Question 49

Need to Know

Answer 49

KNOWLEDGE needed to do the job

info, skills, training

Question 50

Least Privilege

Answer 50

MINIMUM PERMISSIONS needed to
do the job. (extension on need-to-know into the realm of permissions) (ex: 20 people need to know it, but only 3 people have permissions to update the information)
- contractors, vendors, and consultants must be bound by these rules too!

Question 51

Security Training

Answer 51

• Structured training for all employees. Uses a classroom (or Webex), instructor, syllabus, start & end times, etc

Question 52

Security Awareness

Answer 52

• Much less structured: posters, blurb in newsletter

( nagging ) - serves as a constant reminder

Question 53

Privacy

Answer 53

If businesses monitor, they must monitor in a
legal fashion , including:
1) Need to inform those being monitored
(policy, signed agreements)
2) Monitor fairly &
consistently .
(No unfair targeting of individuals without just cause)
3) Monitor activities that are work-related .

Question 54

Risk management

Answer 54

To reduce or mitigate the
threats.- This includes: Risk analysis, cost/benefit analysis, deploying countermeasures or safeguards, auditing, insurance, Business Continuity Planning (BCP - more on this later), awareness,
education, training, etc.

Question 55

ISO 27005

Answer 55

• Standard risk management framework

Question 56

COSO - (Committee Of Sponsoring Organizations (of the Treadway Commission)):

Answer 56

• Framework for internal controls
  .organizations can use to assess compliance and risk
• works with SOX 404: joint initiative among accounting & auditing organizations to combat corporate fraud

Question 57

3 phases of Risk Management

Answer 57

1) Risk analysis & assessment . (Identify assets & the threats to
them)
2) Risk response - “solving” the threats
3) Evaluation and Assurance .
(Make sure solutions are still working via the use of tools like auditing, compliance monitoring, pen-tests, etc

Question 58

Risk analysis/assessment

Answer 58

To identify the assets & their threats

Question 59

Risk Assessment Process

Answer 59

1) Prepare for the assessment
2) Conduct the assessment (perform)
3) Communicate the results
4) Maintain the assessment
(update when needed)

Question 60

Terms: Asset

Answer 60

Something of value to the organization

people, data, systems, IP, etc.

Question 61

Threat

Answer 61

Something that could harm the asset

Question 62

Exposure

Answer 62

Actual or anticipated damage from a threat

Question 63

Vulnerability

Answer 63

Lack of or weakness in

a countermeasure that can be exploited

Question 64

Risk

Answer 64

The Impact & the likelihood of a threat

Question 65

) Second phase of risk management: Deciding how to deal with each risk (risk response):

Answer 65

Risk Avoidance . Removing the technology or activity to remove the risk
(ex: ban wifi) Coming up with ALTERNATIVES instead
Risk Transference . SHARING your risk with another entity
(ex: insurance, outsourcing)
Risk Mitigation . Deploying appropriate countermeasures.
Residual risk .is what smaller risk remains
after mitigation
- Controls Gap Amount of risk that is mitigated by implementing safeguards.
Total Risk - Controls Gap = Residual Risk
Risk Acceptance . Accepting the loss using no countermeasures

Question 66

Countermeasure selection decisions include:

Answer 66

1) Cost/benefit analysis Cost of countermeasure should be less than the
asset value
2) Accountability Who is in-charge of the safeguard?
3) Don’t rely on design secrecy Security through obscurity alone is not enough
4) Solutions are universally
applied
Especially for tools used in monitoring .
(fairly & consistently)
5) Defense in depth Multiple layers of protection, less reliance on just
one
6) Least common mechanism Don’t always place all solutions in one
location .
7) Acceptance by personnel Users struggle between security &
convenience .
8) Minimize human intervention For things that could be automated .
(ex: antivirus updates)
9) Avoid unintended
consequences
Activation of the safeguard should not accidentally
destroy the assets (ex: sprinkler system)

Question 67

Control TYPES Physical controls

Answer 67

ex: locks, fire sprinklers, etc.

(note: look for anti-shim and anti-bump technologies when buying padlocks!)

Question 68

Technical/logical controls

Answer 68

hardware & software , often controlling access

Question 69

hardware & software , often controlling access

Answer 69

policies, procedures, people-oriented controls

Question 70

Control CATEGORIES Directive

Answer 70

Administrative controls focusing on the
 management aspects (ex: policies, procedures, management sign-off, etc.)

Question 71

Compensating

Answer 71

Alternatives when the best controls are not

available or feasible

Question 72

Deterrent

Answer 72

Controls focusing on consequences

Question 73

Preventative

Answer 73

To stop unwanted activity or behavior

Question 74

Detective

Answer 74

To identify and monitor

Question 75

Corrective

Answer 75

To mitigate an incident and reduce the damage

Question 76

Recovery

Answer 76

Controls focusing on restoration . (bit of overlap with corrective)

Question 77

Preventative + technical controls:

Answer 77

ex: firewall, encryption, IDS/IPS, biometric access systems

Question 78

Detective + administrative:

Answer 78

Background checks, log files, camera footage

Question 79

Corrective + physical:

Answer 79

ex: security guards, audible alarm, electrified fence, fire sprinklers

Question 80

Scoping

Answer 80

When creating a baseline, scoping is removing those

recommendations that do not apply to our environment. They are “outside the scope” of what we’re trying to achieve