Larry Greenblatt Kung Fu Magic

Question 1

What are the new 8 domains in CISSP?

Answer 1

1) Security and Risk Management,
2) Asset Security,
3) Security Engineering,
4) Communications and Network Security,
5) Identity and Access Management,
6) Security Operations,
7) Security Assessment and testing,
8) Software Development Security

Question 2

What are the 5 CMMI levels?

Answer 2

0) Non-existent,
1) Initial,
2) Repeatable
3) Defined
4) Quantitatively
5) Optimized

Question 3

What are the SDLCs?

Answer 3

1) Project Initiation
2) Functional Requirements
3) System Design
4) Develop/Acquire
5) Installation/Implement
6) Operation
7) Retirement

Question 4

Describe the Incident Response Life Cycle phases.

Answer 4

Preparation, Detection and analysis, Containment Eradication and Recovery, and Post-Incident Activity.

Question 5

How does a gap analysis work?

Answer 5

Figure out where we need to be, figure out where we are, and then close the gap between those two positions.

Question 6

What is ISO 27001

Answer 6

Requirements for Information Security Management Systems

Question 7

What is ISO/IEC 15498 ?

Answer 7

The evaluation criteria for IT security. Called the “Common Criteria”

Question 8

What are the three goals of Info Sec Governance and risk managemetn?

Answer 8

Confidentiality, Integrity, Availability

Question 9

What are the three processes of Info Sec Governance and Risk management?

Answer 9

prevention, detection, and response.

Question 10

What does the OECD (Organization for Economic Development)) help standardize?

Answer 10

International information exchange standards.

Question 11

SO/IEC 27001:2005 covers what?

Answer 11

11 control categories. Controls can be audited against Outlines a management responsibility for security.

Question 12

The information security officer is the quarterback of an company’s information security team.

Answer 12

They stay on top of security trends, identify weaknesses, communicate threats to higher levels, and coordinate between multiple departments to assess and improve an organizations security posture.

Question 13

What is the 1st maturity level of CMMI?

Answer 13

Initial

Question 14

What is the last maturity level of CMMI?

Answer 14

Optimized

Question 15

What do policies dictate?

Answer 15

Policies dictate the “what”.

Question 16

What is the most important feature of procedures?

Answer 16

That it works when followed.

Question 17

What’s a baseline?

Answer 17

a reference point for unacceptable risk.

Question 18

Who is ultimately responsible for data loss/issues?

Answer 18

Who is ultimately responsible for data loss/issues?

Question 19

RACI is what?

Answer 19

Describes roles and responsibilities in a system and change request: Responsible (the doer), Accountable (who gets the blame), Consult, and Inform.

Question 20

What is the the first phase of the NIST SDLC focused on?

Answer 20

Initiation - and the first step is a sensitivity assessment - how important is this data?

Question 21

What are the phases of the NIST SDLC?

Answer 21

Initiate, Develop/acquisition, Implementation, Operation maintenance, disposal.

Question 22

What is certification?

Answer 22

A document providing proof of something.

Question 23

How is accreditation different from certification?

Answer 23

Accreditation provides authorization - certification is the stamp.

Question 24

What is ISO/IEC 27001 Section 4.2 related to?

Answer 24

Establishing and maintaining the ISMS. (Establish, implement, monitor, maintain)

Question 25

What is due diligence?

Answer 25

Thinking before you act.

Question 26

What is due care?

Answer 26

Taking action! Not securing data could be criminal.

Question 27

What does the delphi technique involve?

Answer 27

Getting a group of people together to analyze a problem - a QUALitative method. Requ

Question 28

Impact is

Answer 28

Amount of Loss

Question 29

Likely hood is

Answer 29

frequency of threat

Question 30

exploit is

Answer 30

incident of actual loss event

Question 31

controls are

Answer 31

safeguards/measures/countermeasures to reduce exposure/likelihood/impact.

Question 32

What are the different types of threats?

Answer 32

1)Man-made (accidental or intentional), 2) natural, or 3) technical

Question 33

What does SP800-100 discuss?

Answer 33

Risk assessment.

Question 34

What are the three control categories?

Answer 34

reventative, detective, and responsive.

Question 35

What is residual risk?

Answer 35

The remaining risk after risk controls have been applied.

Question 36

What is the single loss expectancy?

Answer 36

asset value * exposure factor

Question 37

What is annualized loss expectancy?

Answer 37

SLE * Annualized rate of occurrence.

Question 38

What is residual risk?

Answer 38

Risk * control gap.

Question 39

What are the different ways we can handle risk?

Answer 39

Avoid, Reduce, transfer, accept, or reject.

Question 40

What does section five of ISO/IEC 27001 discuss?

Answer 40

Management responsibilities for the information management system.

Question 41

What does section 6 of 27001 require?

Answer 41

That an internal audit of control objectives, controls, etc.. occurs.

Question 42

What does section 7 of 27001 discuss

Answer 42

The management review of findings.

Question 43

What does the PCI security standards council attempt to secure?

Answer 43

Credit card transactions. Specifically, the council is setup to prevent fraud.