SSCP

Question 1

Mitigation

Answer 1

Implement Security Controls to protect the assets to mitigate the risk to an acceptable level

Question 2

Assignment or Transferring

Answer 2

Transfer the risk to a third party like an insurance company

Question 3

Avoidance

Answer 3

Eliminate the complete risk by eliminating the assets to be protected

Question 4

Acceptance

Answer 4

Accept the risk associated with a potential threat - not prudent but usually done when control is more expensive than the possible impact of the threat.

Question 5

Policy Standard Procedure Guideline Baseline

Answer 5

Mandatory Mandatory Mandatory Discretionary Discretionary

Question 6

Areas of Law

Answer 6

Regulatory Law Criminal Law Civil Law Religious Law

Question 7

Data Ownership

Answer 7

Data Custodians - IT Department, handles, protects, backups data daily. Receives instructions from Data Owner. Data Processor - Someone who works under the direction of the owner. Data Steward / User / Controller- Those who use data for business purposes. Data Owner - Collector and Creator of Data. Legally responsible and accountable for protecting it and educating others on how to protect it. Data subject - The entity who the data is about. Auditors - They check that everyone is doing what they are supposed to be doing. Ensure compliance, and see that the procedures are followed. System Owner - Person who owns the Responsibility for Hardware and Software.

Question 8

Information Life Cycle

Answer 8

Acquisition -> Use Archival -> Disposal

Question 9

Commercial Label Model

Answer 9

Public -Team Members Sensitive -Financial Information Private -Medical Information Confidential -Trade Secrets

Question 10

Military Label Model

Answer 10

Unclassified -Recruiting Information Sensitive but classified -Tests -Medical Records Secret -Deployment plans for troop Top Secret -Weapon Blueprints

Question 11

-Clearances -Need-To-Know

Answer 11

-Determines what the users can and cannot access -Necessity for the user to know the information

Question 12

Certification

Answer 12

Certification is used for verifying that personnel have adequate credentials to practice certain disciplines, as well as for verifying that products meet certain requirements.

Question 13

Accreditation

Answer 13

Accreditation is used to verify that laboratories have an appropriate quality management system and can properly perform certain test methods (e.g., ANSI, ASTM, and ISO test methods) and calibration parameters according to their scopes of accreditation.

Question 14

Security Model Types

Answer 14

Non-Interference Model -Under a non-interference provision, a computer is seen as a machine having inputs and outputs. These are categorized in terms of their sensitivity as low (not classified information, or having a low sensitivity) or high (sensitive, and not to be viewed by individuals or resources without the necessary clearance). According to the conditions laid down by the model, any sequence of low sensitivity inputs will produce outputs that are correspondingly low, regardless of any high-level inputs that may also exist. So if a user with a low or no security clearance is working on a system it will respond in exactly the same manner on low sensitivity inputs, irrespective of there being a high-level user with greater security clearance working with sensitive data on the same machine. The low-sensitivity user won’t be able to glean any information about the high-level user’s activities. State Machine Model -State machine models monitor the condition of a system to prevent it from moving into an insecure state. Any system supporting a state machine model must at all times have the possible states of its processes examined to verify that they are controlled. Multi-Level Lattice Model A latticed security model, each of the lattice elements is a security label that consists of a security level and a set of categories. Information Flow Model -An extension of the state machine model concept, the information flow model consists of objects, state transitions, and lattice states which govern data flow policy. Its primary objective is to prevent the flow of unauthorized and insecure data in any direction across the system. Matrix Based Model

Question 15

Bell-LaPadula Model

Answer 15

Concerned with Confidentiality Top Secret Secret Unclassified No Read UP - Simple Security Property * (star) Property - No Write Down Strong * Property - Read/Write only on the same Level

Question 16

Biba Model

Answer 16

Concerned with Integrity Higher Integrity Medium Integrity Lower Integrity No Read Down - Simple Integrity Axiom No Write UP - * Integrity Axiom

Question 17

Clark - Wilson Model

Answer 17

Concerned with Integrity -Commercial Use -Aiming to Avoid Fraud -Separation of Duties and Well-Formed Transactions -The Access Triple 1. Authorized users are not allowed to make unauthorized changes. 2. Unauthorized users are not allowed to make any changes. 3. Verify internal and external consistency.

Question 18

Brewer Nash Model - Chinese Wall

Answer 18

Defend Against Conflicts of Interests -Commercial Use -What Matters is the context not the content of the information -Subjects can access all the information but if access one, he/she cannot access the other

Question 19

Graham-Denning Model

Answer 19

-How to securely create/delete an object -How to securely create/delete a subject -How to securely provide the read/grant/delete/transfer access right

Question 20

Harrison-Ruzzo-Ullman Model

Answer 20

Similar to Grahm-Denning Model -Deals with access rights of subjects and integrity of these -Subjects have a finite number of operation on an object

Question 21

Take-Grant Model

Answer 21

Rules govern the interaction between subjects and objects Rules are: Take, Grant, Create and Remove

Question 22

Trusted Computer Base

Answer 22

Level of Trust of a computer -The source of the breach is not the computer -Protects the CIA of the protected information -Orange Book Document created by the US government

Question 23

Orange Book

Answer 23

-Includes secure design, manufacture, delivery, installation, maintenance, and end of life of a system -Establishes a perimeter of the trusted component -Everything outside the perimeter is considered not trusted

Question 24

Trusted Computer Base System Requirements

Answer 24

-Isolate Subjects from Objects -Reference Monitor -Protected Memory -Kernel Self Protection 1. User Mode 2. Kernel Mode 3. Ring Architecture -Trusted Recovery

Question 25

Trusted Computing Security Evaluation Criteria

Answer 25

Orange book - Standalone Security for Computer Red book - Security for Computers that talk with each other Certification -Functionality - Working as expected -Assurance - Functionality is insured for long-term, real-time, multiple time (3rd Party Assurance) Accreditation

Question 26

TCSEC Certification level

Answer 26

D- Minimal Protection C1- Discretionary Protection (DAC) C2- Controlled Access Protection (DAC) B1- Labeled Security Protection (MAC) B2- Structured protection (MAC) B3- Security Domains (MAC) A1- Verified Design (MAC)

Question 27

Types of Security Risks

Answer 27

normal - standard benign operations

guarded - accepted or tolerable risk

elevated - detection of potential threat realization (i.e. compromise attempts)

substantial - security violations have occurred, but have not interrupted mission-critical functions

severe - mission-critical functions have been significantly affected or interrupted

Question 28

Security Policy

Answer 28

A security policy must be in alignment with the mission, objectives, nature, and culture of a business. Organizational policies are not based on best practices.

Question 29

Service pack

Answer 29

Service packs are issued by a manufacturer to correct many software or hardware deficiencies and to upgrade the product. They may combine a large number of patches.

Question 30

Disaster Recovery Plan

Answer 30

A disaster recovery plan (DRP) is a documented set of procedures used to recover and restore IT infrastructure, data, applications, and business communications after a disaster event.

Question 31

Business Continuity Plan

Answer 31

The business continuity plan (BCP) is a documented set of procedures used to continue business operations in some form to enable the organization to maintain its business capacity during some event.

Question 32

Business Impact Analysis

Answer 32

A business impact analysis is performed to determine the resulting impact to the business of the full or partial loss of an operational functional unit of the business.

Question 33

Maximum Tolerable Downtime

Answer 33

Maximum tolerable downtime (MTD) is the total amount of time the organization can be without the department or business function before irreparable harm is done to the organization.

Question 34

Recovery Time Objective

Answer 34

Recovery point objective (RPO) specifies a point in time to which data can be restored. The recovery point could be the last full backup plus any completed incremental or differential backups that might’ve taken place after the full backup.

Question 35

Enterprise Risk Management

Answer 35

An enterprise risk management (ERM) program should be implemented to establish a proactive risk response strategy. Only with properly managed risk is any organization able to get ahead of the attack-react cycle.

Question 36

Code of Ethics (ISC)^2

Answer 36

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

Act honorably, honestly, justly, responsibly, and legally.

Provide diligent and competent service to principals.

Advance and protect the profession.