Security Concepts

Question 1

New Topic: Ethics

Answer 1

Ethic is set of moral principles

Question 2

Code of Ethics (COE)

Answer 2

Principles of professional conduct, . AS ISC2 members are required to commit fully to the COE

Question 3

Violation of COE

Answer 3

Subject to peer review panel and revocation of Certificate. Failure of COE is breach of code Canon IV

Question 4

Canon means

Answer 4

Values

Question 5

Canons in Practice are

Answer 5

PAPA: Protect everything you are responsible for , Act with good intentions . Provide your best efforts, Advance your knowledge skills

Question 6

Protect the Society

Answer 6

SAfeguard information and systems
Consider societal impact
Do your best
Thoroughky analyze policies
Provide or recommend

Question 7

Act Honorably

Answer 7

Any leakages, dont lose integrity. If a mistake is made then take ownership.Lead by example

Question 8

Provide diligent and competent service

Answer 8

Be good at your job, by staying up to date with current technology services

Question 9

Advance and protect profession

Answer 9

Growth and maturity of Cyber Security practices
Share knowledge, mentoring
Keep on current threats, vulnerabilities and attacks

Question 10

Summary of Cannons

Answer 10

Understand the importance of integrity and accountability in ethical decision making

Question 11

New Topic: Information Security Concepts

Answer 11

CIA =
Confidentiality - Can the data be given to unauthorised persons
Integrity - Can these users change the data
Availabilty - How quickly the data need to be made available

Question 12

Confidentiality

Answer 12

Can all users see all of the data? Who can?
Can this data be release outside of the company?
How do we protect data from unauthorised access?

Question 13

Integrity

Answer 13

Who can change data in these file?
Can all users change update all of the data?
How does the file need to be protected from unauthorised changes?

Question 14

Availability

Answer 14

How important is this data to the company?
Does it need to be made available quickly or can it be stored somewhere safe?
How do we make sure data can be used when its needed?

Question 15

Authenticity

Answer 15

Data , action coming from legitimate subject. Don’t need a proof of this. E.g. Login. Username and password. Authenticity can be spoofed or maligned.

Question 16

Non Repudiation

Answer 16

Data actions originated from a specific subject but cannot be disputed. If some one makes a change to data and they cannot dispute it. Its done by cryptography. Digital Signatures.

Question 17

New Topic: Security and the Organisation

Answer 17

Security Goverance

Question 18

Security Governance?

Answer 18

Defines Aligning ethically the business objectives to laws, regulations and standards

Question 19

what does security must not impact?

Answer 19

Business Processes

Question 20

What should security must support in an organisation?

Answer 20

1- Business objectives
2- Standards
3- principles and strategies of organisation

Question 21

Who should be supporting security?

Answer 21

Senior Management buy-in is essential

Question 22

What processes in an organisation security must account for?

Answer 22

1- System development
2- Change Management
3- Software development
4- DevOps
5-Operations

Question 23

What is Top Down approach in Security?

Answer 23

1- Senior Management - Set the vision, Define policies for security
2- Middle Management - Document Artefacts, standards
3- All other personnel - Work on the implementation of security standards

Question 24

What is Security Planning and what are the different plans?

Answer 24

Strategic plan - 3-5 years

Tactical plan - 1 year (e.g. migrating a local IS to a Cloud based )

Operational plan - 1-3 months (e.g. migration project)

Question 25

Examples of aligning Security objectives to organisational processes

Answer 25

Purchase and Sale of an organisation must ensure the security objectives align to the organisation's policies.

Question 26

New Topic: Organisation Roles and Responsibilities - What are the 4 key roles in an organisation?

Answer 26

(ESDS) Executive Security Data System

Question 27

What are Executive roles?

Answer 27

CEO- responsible for everything but may delegate responsibility to other CIO - responsible for Information systems visions and changes. Responsible for security and may delegate this to a CISO CISO - responsible for the Security implementation in organisation and security mission CFO - CISO will speak to CFO for budget for buying assets

Question 28

What are the Security general roles?

Answer 28

1- Security Manager - Management of Security personnel, vulnerabilities etc 2-Security Officer - implements security vision, ensures CIA is not impacted as part of the process 3- Security Analyst - Identify and resolve Threats 4- Security Engineer - Design and Implement security solutions

Question 29

What are the Data roles? IMPORTANT FOR CISSP EXAM

Answer 29

1- Data Owner - Responsible for classification and protection of data 2- Data custodian - They are the ones who configure the systems that protect the data 3- Data Steward - Provide SME for specific data. CEO might not know how to protect HR data therefore SME is required. (Is it sensitive, etc)

Question 29

What are the System roles?

Answer 29

1- System and Network Administrators - They can also become Data custodians. Previledged personnels. Responsible for maintaining the systems 2- Auditors - Responsible for auditing the compliance with Security policy - SYstem Level - WOrking with Admins to define configs 3- Users -Subject with access to the information

Question 30

New topic: Security Awareness Education and Training- Etablishment and maintenance of Security Awareness and training - Goals, Methods, Content and how to guage the effectiveness, reasons for effectiveness and udates to our training

Answer 30

Create change in behaviour by Senior Management Teach personnel their Security Responsibilities Comply with governance regulation and compliance requirements

Question 31

What value does Security Awareness and training add to the organisation?

Answer 31

Drives reduction of risks Ensures compliance and regulatory requirements are met

Question 32

Security Training examples

Answer 32

Training teaches people how to do their work according to Security policy Exampless:Access compoents, data, assets, what to do in event of emergency, how to login remotely

Question 33

Education?

Answer 33

Education is more like Certification. to satisfy work requirements Examples: CBT, Seminars, Live class

Question 34

Awareness Examples

Answer 34

Post banners, flyers, posters and put them to breakout areas, pubs etc Weekly security Newsletters Website or blog updates Seminars, webinars Educational videos or organisation website

Question 35

Methods of Encouragement

Answer 35

Assign Security Champion - Encouragement and motivated person Gamification - Attainable and achievable and fun.

Question 36

Program Evaluations

Answer 36

Monitoring - Participation, Feedback Watch for behaviour changes as a result of trainin Example Phisiing Emails.

Question 37

New Topic: Social Engineering

Answer 37

Manipulating trust, Creating guilt in a person for them to cooperate in a SOcial Engineering attack.

Question 38

Types of Social Engineering

Answer 38

Pretexting? Quid Pro Quo? Phishing Attacks

Question 39

Phishing Attacks (Virtual)

Answer 39

Spearing - targetted to an individual or a group of individuals Whaling - Target is high value individual such as CIO, CISO. Vishing - Over voice based communication SPIT - SPam over Internet Telephony - Prerecorded call Smishing - Phishing using SMS SPIM - Spam over Instant messaging - to collect data from a victim Shoulder Surfing - Someone looking over shoulder and getting your password Dumpster diving - Discovering unauthorised materials from bins

Question 40

Social Engineering (Physical)

Answer 40

Tailgating - person follows authorised person to a protected area Piggybacking - Person follows authorised person to a protected area and ask them for help to gain access to that protected area.

Question 41

New Topic: Personal Security Policies and Procedures

Answer 41

Reduce security risk of personnel accessing organisational information. HIre Candidates,Onboarding, Personnel are wekaest link but are also an assett. Enforce good policies and setting them up for success

Question 42

New Topic: Due Care Due Diligence

Answer 42

Concept focus on taking reasonable steps for protecting assets to meet legal and ethical standards

Question 43

Personnel Control Principles

Answer 43

Separation of duties: divide critical functions amongst multiple individuals Least privilege : Only giving them necessary privilege to do their tasks Need to Know: Access to data only need to perform their duties

Question 44

Candidate Screening

Answer 44

- Job Description - Minimum and preferred qualification for the position - Knowledge skills and attributes - Candidate screening - Criminal History - Social media history - Drug Testing

Question 45

Candidate Screening

Answer 45

- Ask Premlinary questions = Review CV, cover letter - Compliance Laws so be careful on the different types of questions asked are complied Screen Interview - F2F, Virtual, Real time questions, Body language

Question 46

Candidate Hiring

Answer 46

Non Disclosure Agreement - requires then protection sensitive information within the organisation. Also it will preevent them to disclose even after they leave . Penalties, acknowledgement and signatureNon Repudiation that they agree to it SHould include Emplpyement details what is the proprietorshipp Employement agreement Regulations - HIPPA, PCISDSS, FISMA

Question 47

Non Compete Agreement (NCA)

Answer 47

prevent employees from working for a competing organisation for a certain amount of time

Question 48

Acceptable use policies

Answer 48

define how employees are to use orgnisatioal assets in compliant manner

Question 49

Gift Policies

Answer 49

define the limit and how giifts are provided and recieved within the org. TO avoid blackmail,

Question 50

Conflict of Interest policies

Answer 50

situations that conflict with the organisation best interest. e.g. broher makign software and asking them to buy their software.

Question 51

Onboarding Process

Answer 51

Training on Security Policies and practices Acknowledge Authorise after training and agreements acknowledged

Question 52

Offboarding

Answer 52

Termination Policy - Volunteery and IN volunteery terminations Require the immediate termination - Revoke access, collect belongings (keys, Id cards) Shared access or passwords are changed after termination It depends on org and sensitivity of data that you are working with. All NDAs are signed an in place before personnel leaves

Question 53

New Topic: Personal Safety and Security -

Answer 53

Protect personnel from harm, injury or loss of life

Question 54

What is ensured during a personnel travelling?

Answer 54

- Ensure they are travelling to safe and secure areas Ensure their wifi is protected Ensure their equipment is protected Ensure their Bluetooth is protected Ensure their network and remote access secuity protections are enabled They must know who to contact in an Emergency situation This needs to be in the policy and personnel to be trained.

Question 55

What is ensured during Duress?

Answer 55

- When peron is held hostage or forced to provide facility access - Training on how to respond - e.g. How to egress the facility in terms of break-in. Duress code words - E.g. enter pin incorrect three times Duress numbers - Have a pin number- Enter pin number in case in a duress situation. It shoudl include in the BCDR plan

Question 56

What to do in an Emergency?

Answer 56

- How to contact organisation in an emergency - Organisational policy must include this information It should be in the BCDR plan

Question 57

For Exam

Answer 57

Understand personnel travel processes Understand personnel duress processes Understand emergency management process

Question 58

What is Due Care?

Answer 58

Cornell law school: Due care is reasonable efforts to prevent harm and risk in an organisation. e.g customers clients etc

Question 59

What is Due Deligence

Answer 59

Activities done to avoid liability. Activities are researching requirements. Ongoing assessments and evaluations. Installing , evaluating, making sure a firewall works is Due Diligence

Question 60

Due Diligence Flow

Answer 60

1- Requirement - Employ Guards 24/7/365 for Data Centre 2- Due Diligence - Research Requirement - Research guard companies to find a reputable company where history is to guard DCs 3- Due Care - Compliant implementation to satisfy requirement - Employ guard and put them on exit points 4- Due Deiligence - Making sure the implementation works continuously - Training to Guards to improve and educate them on security risks

Question 61

New Topic: Important Laws and Regulations

Answer 61

FTC (Federal Trade Commission Act)

Question 62

FTC( Federal Trades Commission) Act

Answer 62

To protect the consumers from unfair competition and includes protection of personally identifiable information (pii)

Question 63

GLBA (Gramme Leach Billey Act)

Answer 63

Focusses on safeguarding financial data and preventiing it from sharing to 3P organisations without customer consent. Normally used in Banks where customer financial data is used for lending applications.

Question 64

ECPA (Electronic Communication Privacy Act)

Answer 64

Defines the collection of Electronic information and how US government can access it. In US where it covers anyone'data to be accessed by the US government via telephone, email etc

Question 65

HIPAA (Health Insurance Portability and Accountability Act)

Answer 65

protects privacy related to Health data like Medical records

Question 66

HITECH (Health Information Technology for Economic and Clinical Health)

Answer 66

mandates how organisations that handle protected health information (PHI) on behalf of HIPAA covered entity

Question 67

GINA (Genetic Information Non Discrimination Act)

Answer 67

Protects individuals from the unauthorised use, disclosure and sale of genetic related information

Question 68

SOX (Sarbanes Oxley Act)

Answer 68

Protects investors against the accounting frauds and requires reporting of the financial information to company investors

Question 69

PCI DSS (Payment Card Industry Data Security Standard)

Answer 69

Global standard aimed at preventing credit card fraud for the card holder. Not a regulation or law but is there under user terms and conditions

Question 70

PCI DSS requirements

Answer 70

Install and maintain protective asset Dont use vendor supplied username passwords. Change them Protect stored cardholder data Encrypt the data transmission on open and public networks Protect against malware Develop and maintain secure systems and applications Restrict access to cardholder data identify authentication for system components Restrict physical access to cardholder data Track and Monitor and Audit Regularly Test -Security Assessments Maintain a policy that addresses information security for all personnel

Question 71

GDPR (General Data Protection Regulations)

Answer 71

GDPR in 2016, Came into Effect in 2018- Applies to organisation collecting data from EU data subjects

Question 72

GDPR Roles

Answer 72

Controller: Determines the purpose and means of collecting the personal data Processor: Processes personal data on behalf of the controller.