Security Risk and Management Flashcards

1
Q

What are the three pillars of Information Security? (Information Security Triad)

A

Confidentiality, Integrity and Availability (C.I.A)

2
Q

Can you define Confidentiality?

A

Property that information is not made available or disclosed to unauthorised individuals, entities or processes.

3
Q

Can you define Integrity?

A

Property of accuracy and completeness.

4
Q

Can you define Availability?

A

Property of being accessible and usable upon demand by an authorised entity.

5
Q

What is an ISMS?

A

Information Security Management System

6
Q

What does PDCA stand for?

A

Plan, Do, Check, Act.

7
Q

What does IAAA stand for?

A

Identification, Authentication, Authorisation (Permissions) and Auditing.

8
Q

Define due care.

A

The care that a reasonable person would use in order to approach a problem or a concern. Under any given set of circumstances, what actions would I engage in to deal with the concern or problem?

9
Q

List five qualities a Control Framework must have.

A
  1. Consistent - In approach and application.
  2. Measurable - To determine progress and set goals.
  3. Standardised - Results can be compared within & between organisations.
  4. Comprehensive - Should cover minimum requirements and be extensible.
  5. Modular - Allow changes to be easily incorporated.
11
Q

Name an example of an ISMS?

A

ISO 27001

12
Q

What does an ISMS consist of?

A

Policies, Procedures, Guidelines, and Associated Resources and Activities, in the pursuit of protecting its assets.

13
Q

What are the missing words?

An ISMS is a systematic approach for establishing, _________, __________, ___________, ____________, __________ and ___________ an organisation’s information security to achieve business objectives.

A

implementing, operating, monitoring, reviewing, maintaining and improving

14
Q

Explain the difference between “due care” and “due diligence”.

A

Due Care
- Conduct that a reasonable and prudent person will exercise in a particular situation.

Due Diligence

  • Similar to due care but usually pre-emptive
  • The processes undertaken to ensure that a course of action is prudent and within risk appetite before committing to the action
  • Will lead to due care being observed
15
Q

Give some examples of due diligence.

A
  • Background checks for employees
  • Credit checks of business partners
  • Information system security assessments
  • Risk assessments of physical security systems
  • Penetration tests
  • Contingency testing of backup systems
  • Checking the availability of company IP on the internet
16
Q

What does GRC stand for?

A

Governance, Risk Management and Compliance.

17
Q

What is COBIT and who is the entity that maintains it?

A

COBIT is a governance framework managed by ISACA.

18
Q

Risk Management is the systematic process used to identify, ________, _________, remedy and _________ risk.

A

analyse, evaluate, monitor

19
Q

As a result of risk management, what options does the organisation have to deal with risk?

A

As a result of the risk management process, an organisation will either mitigate, transfer, accept or avoid a particular risk.

20
Q

Define a computer crime?

A

The use of a computer to take or alter data, or to gain unlawful use of computers or services.
- The threat can be from internal or external sources

Examples include:

  • Sale of IP or personal information
  • Malware or Ransomware
  • Fraud
  • Hacking - attacking CIA of systems
21
Q

Provide a definition of a ‘patent’?

A

A patent is a legally enforceable right to exclude others from practising the invention for some length of time - usually 20 years.
- Must make the invention public during the patent process.

22
Q

Provide a definition of a ‘trademark’?

A

A trademark is a recognisable sign, design or expression which identifies products or services.

23
Q

What is copyright?

A

A copyright covers the expression of ideas rather than the ideas themselves and usually protects artistic property such as writing, recordings, databases and computer programs.
- Usually protected for life of the author, plus 50-100 years.

24
Q

What is a trade secret?

A

A trade secret usually refers to the proprietary business or technical information, processes, designs, practices, etc., that are confidential and critical to the business.
- The Coca-Cola formula

25
Q

Does copyright grant the creator territorial or international copyright?

A

Territorial

26
Q

Briefly, explain the Wassenaar Arrangement?

A

The Wassenaar Arrangement was established to contribute to regional and international security and stability by transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies.

27
Q

What are the risks to Trans-Border Data Flow? List a few.

A
  1. Personally identifiable information such as ID cards, driving license, enhanced passport, etc., leave data trails that may create risks in countries unless there is adequate data protection.
  2. There are major concerns about the security and misuse of information which has been transferred to countries whose laws do not offer the same level of data protection.
  3. Rapidly increasing trans-border data flows are creating new and complex challenges for security professionals and organisations responsible for overseeing privacy and data protection laws.
  4. Technologies and applications (search engines, RFID, VoIP, etc) generate huge amounts of data and create data trails that can survive long after the transaction or conversation has taken place.
28
Q

Which of the following describes an “incident”?

a. A breach for which it was confirmed that data was actually disclosed to an unauthorised party.
b. A security event that compromises the integrity, confidentiality, or availability of an information asset.
c. An incident that results in the disclosure or potential exposure of data.

A

Answer: b

A security event that compromises the integrity, confidentiality, or availability of an information asset.

29
Q

Which of the following describes a “breach”?

a. A breach for which it was confirmed that data was actually disclosed to an unauthorised party.
b. A security event that compromises the integrity, confidentiality, or availability of an information asset.
c. An incident that results in the disclosure or potential exposure of data.

A

Answer: c

An incident that results in the disclosure or potential exposure of data.

30
Q

Which of the following describes “data disclosure”?

a. A breach for which it was confirmed that data was actually disclosed to an unauthorised party.
b. A security event that compromises the integrity, confidentiality, or availability of an information asset.
c. An incident that results in the disclosure or potential exposure of data.

A

Answer: a

A breach for which it was confirmed that data was actually disclosed to an unauthorised party.

31
Q

Can you list any of the four Code of Ethics Canons?

A
  1. Protect society, the common good, necessary public trust and confidence and the Infrastructure.
  2. Act honourably, honestly, justly, responsibly and legally.
  3. Provide diligent and competent service to principals.
  4. Advance and protect the profession.
32
Q

Which of the four Code of Ethics Canons does the following description best fit?

“Tell the truth; make all stakeholders aware of your actions on a timely basis. Observe all contracts and agreements, expressed or implied.”

A

Answer: Act honourably, honestly, justly, responsibly and legally.

33
Q

Which of the four Code of Ethics Canons does the following description best fit?

“Promote and preserve public trust and confidence in information and systems. Promote the understanding and acceptance of prudent information security measures.”

A

Answer: Protect society, the common good, necessary public trust and confidence and the Infrastructure.

34
Q

Which of the four Code of Ethics Canons does the following description best fit?

“Sponsor for professional advancement those best qualified.”

A

Answer: Advance and protect the profession.

35
Q

What supports the implementation of the security policy?

A

Procedures, Standards, Guidelines and Baselines.

36
Q

Define a [security] “Policy”?

A

A policy is a high-level statement of values, goals and objectives.

  • Contains the general approach for achieving values, goals and objectives
  • Obligatory compliance
  • Relatively long-lived
37
Q

Define a [security] “Standard”?

A

A standard quantifies actions to support the policy

  • Contains prescriptive language.
  • Can be general or technical
  • Obligatory compliance
38
Q

Define a [security] “Procedure”?

A

A procedure is a set of detailed instructions

  • Supports policies and standards
  • Obligatory
39
Q

Define a [security] “Guideline”?

A

A guideline contains suggestions

- Not obligatory

40
Q

What are the goals for a Business Impact Analysis?

A
  1. Determine the criticality of organisation functions.
  2. Determine the Maximum Tolerable Downtime (MTD).
  3. Assess the exposure to Outages.
    - External and Internal Threats and Vulnerabilities

The recovery priority for functions will be identified during the Business Impact Analysis (BIA) process.

41
Q

What is the protection of intellectual property that must be novel, provide utility and can be produced?

a. Copyright
b. Trademark
c. Patent
d. Service Mark
e. Registered Trademark

A

Answer: c

A Patent

42
Q

What is the BIA process?

A
  1. Gather information
  2. Analyse Information
  3. Perform a threat analysis
  4. Document results and present recommendations
43
Q

Match “Risk Avoidance” with one of the correct descriptions below:

a. Shifting all of the liability or consequences
b. Implementing additional controls or countermeasures
c. Shifting a portion of the liability or consequences
d. Ceasing the activity associated with the risk
e. Accepting the consequences of a given activity or process

A

Answer: d

Ceasing the activity associated with the risk

44
Q

Match “Risk Transference” with one of the correct descriptions below:

a. Shifting all of the liability or consequences
b. Implementing additional controls or countermeasures
c. Shifting a portion of the liability or consequences
d. Ceasing the activity associated with the risk
e. Accepting the consequences of a given activity or process

A

Answer: a

Shifting all of the liability or consequences

45
Q

Match “Risk Mitigation” with one of the correct descriptions below:

a. Shifting all of the liability or consequences
b. Implementing additional controls or countermeasures
c. Shifting a portion of the liability or consequences
d. Ceasing the activity associated with the risk
e. Accepting the consequences of a given activity or process

A

Answer: b

Implementing additional controls or countermeasures

46
Q

Define the Maximum Tolerable Downtime (MTD)?

A

Time after which an unavailable service causes irreversible consequences

  • The MTD of functions will be identified during the Business Impact Analysis (BIA) process.
47
Q

_________ is the maximum period of time before a function is restored to operation.

A

Recovery Time Objective (RTO)

  • This must be less than MTD
48
Q

Define the Recovery Point Objective (RPO)?

A

The amount of data that can be lost in a disaster
e.g. the point between the last data backup and the disaster.

  • The backup strategy is dependent on the RPO
  • RPO is decided by the Business Impact Analysis
49
Q

What are the principal approaches for achieving separation of duties (SOD)?

A
  1. Sequential separation
    - Two-signature principle
  2. Individual separation
    - Four-eyes principle
  3. Spatial separation
    - Separate actions in separate locations
  4. Factorial separation
    - Several factors contribute to completion
50
Q

Can you name other types of Employee Policies that protect the employee and organisation?

A

Code of Conduct
Conflict of Interest
Gift-handling Policies
Ethics Agreements

51
Q

Least Privilege aka _______ __ ______

A

Need to know

52
Q

Define “Risk Management”?

A

…the technique or profession of assessing, minimising, and preventing accidental loss to a business, as through the use of insurance, safety measures, etc.

53
Q

A risk assessment must evaluate the following: (fill in the blanks)

  • ________ to its assets
  • __________ present in the environment
  • The likelihood that a _______ will be realised by taking advantage of an ________
  • The impact that the _______ being realised will have on the organisation
  • ______________ available that can _______ the threat’s ability to _______ the exposure or that can lessen the impact to the organisation when a _______ is able to _________ a ___________
  • The __________ risk (the amount of risk that is left over when appropriate controls are properly applied to lessen or remove the vulnerability)
A
  • Threats to its assets
  • Vulnerabilities present in the environment
  • The likelihood that a threat will be realised by taking advantage of an exposure
  • The impact that the exposure being realised will have on the organisation
  • Countermeasures available that can reduce the threat’s ability to exploit the exposure or that can lessen the impact to the organisation when a threat is able to exploit a vulnerability
  • The residual risk (the amount of risk that is left over when appropriate controls are properly applied to lessen or remove the vulnerability)
54
Q

Risk is determined as the byproduct of __________ and _______.

A

Risk is determined as the byproduct of likelihood and impact.

55
Q

When identifying assets as part of a risk assessment, what could qualify as an asset?

A

Information, information systems, processes, or people (anything that has value to an organisation)

56
Q

What two types of risk assessment are there?

A

Qualitative and Quantitative (or a hybrid of the two)

57
Q

Qualitative risk assessments use a ________ _________.

A

Risk Matrix

58
Q

How do qualitative risk assessments define risk in relative terms?

A

High, moderate (medium) or low

59
Q

According to the NIST Risk Assessment Process, what are the four steps?

A
  1. Prepare for Assessment
  2. Conduct Assessment
  3. Communicate Results
  4. Maintain Assessment
60
Q

What specific tasks are involved in step two of the NIST Risk Assessment Process, conducting the risk assessment?

A
  1. Identify Assets
  2. Identify vulnerabilities in assets
  3. Identify threat sources
  4. Identify threat events
  5. Determine the likelihood of risk occurring
  6. Determine magnitude of impact
  7. Determine the overall risk
61
Q

Can you list other Risk Management Frameworks?

A
  • ISO 31000 Risk Management
  • COBIT
  • NIST SP 800-37
  • COSO (ERM)
  • The Risk Management Framework (ISACA)
  • ISO 27003:2013
62
Q

Countermeasures (controls, security measures) reduce the ___________ or ___________ of, or prevent, a risk event

A

Likelihood and Impact

63
Q

Considerations for selecting appropriate countermeasures or controls include: (list some)

A
  • Accountability (someone held responsible)
  • Auditability (can it be tested)
  • Cost effective
  • Reliable
  • Ease of use
  • Secure
  • Automation - an important criterion
64
Q

Which type of controls can you list?

A
Directive
Deterrent
Preventative
Compensating
Detective
Corrective
Recovery
65
Q

Define a “Preventative” control?

A

Controls implemented to prevent a security incident or information breach

66
Q

Define a “Detective” control?

A

Controls designed to signal a warning when a security control has been breached

67
Q

Define a “Directive” control?

A

A policy control designed to specify acceptable rules of behaviour

68
Q

What are the three control categories?

A
  1. Physical
    e.g. doors, locks, windows, guards, etc.
  2. Administrative
    e.g. policies and procedures, privilege management, monitoring, etc.
  3. Logical (Technical)
    e.g. remote access, cryptography, application access, malware controls, etc.
69
Q

What are the three steps for vulnerability assessment?

A
  1. Vulnerability scanning
    e.g. nmap, Zenmap, Metasploit, etc.
  2. Analysis
  3. Communicate results
70
Q

What are the five stages of penetration test methodology?

A
  1. Reconnaissance
  2. Enumeration
  3. Vulnerability Analysis
  4. Execution/Exploitation
  5. Document Findings
71
Q

The minimum security requirements must be documented and clearly defined in the ____________ of ___________?

A

Statement of Requirements (SoR)

72
Q

What do the acronyms SLA and SLR stand for?

A

Service Level Agreement

Service Level Requirements

73
Q

The terminology associated with this type of risk assessment is scenario based and descriptive.

a. Subjective
b. Qualitative
c. NIST Compliant
d. Quantitative

A

Answer: b

Qualitative

74
Q

Which of the following formulas is correct?

a. ARO = EF * SLE
b. AV = EF * Cost of Asset
c. ALE = SLE * ARO
d. SLE = EF * ARO

A

Answer: c

ALE = SLE * ARO

75
Q

In a quantitative risk assessment, __________ describes likelihood and __________ describes impact.

Possible choices:
cost, ARO, probability, magnitude, exposure factor

A

Answer: ARO and exposure factor

76
Q

Which of the following choices best describes a risk management activity?

a. identifying associated vulnerabilities
b. calculating annualised rate of occurrence
c. authorising risk acceptance
d. reviewing previous risk assessments

A

Answer: authorising risk acceptance

77
Q

The cost/benefit calculation for a new control is -$9,000. Assuming that ALE1 is $30,000 and ALE2 is $19,000, what is the cost of the new control?

a. $20,000
b. $11,000
c. $19,000
d. $9,000

A

Answer: a

$20,000

Cost Benefit Calculation:
(ALE1 - ALE2) - Cost of new control

($30,000 - $19,000) - Cost = -$9,000

$11,000 - Cost = -$9,000

Cost = $11,000 + $9,000 = $20,000

78
Q

SLE = ________ __ __________

Possible choices:
AV, ARO, *, Exposure Factor, Replacement Cost, +, ALE, /, Impact Factor

A

Answer: AV * Exposure Factor

79
Q

Anytown Booksellers has determined that they would lose customers if their e-commerce website was unavailable for more than 3 minutes. Loss or corruption of more than 2 minutes of data is unacceptable. Which of the following best describes their requirements?

a. RTO = 3, RPO = 0
b. MTD = 2, RPO = 3
c. RPO = 2, RTO = 0
d. RPO = 2, MTD = 3

A

Answer: d

RPO = 2, MTD = 3

80
Q

Arrange the following items in the correct order:

  1. Report to Management
  2. Identify Essential Services and MTD
  3. Determine the RPO
  4. Identify Infrastructure and Dependencies
  5. Determine Current RPO, RTO and WRT
  6. Conduct a Gap Analysis
A

Answer: 2, 3, 4, 5, 6, 1

Identify Essential Services and MTD
Determine the RPO
Identify Infrastructure and Dependencies
Determine Current RPO, RTO and WRT
Conduct a Gap Analysis
Report to Management
81
Q

Which of the following is least relevant to a BIA discussion?

a. Current restore and recovery time frames
b. Non-essential business processes
c. Infrastructure
d. Dependencies

A

Answer: b

Non-essential business processes