SSCP Flashcards

1
Q

Mitigation

A

Implement security controls to protect the assets and mitigate the risk to an acceptable level.

2
Q

Assignment or Transfer

A

Transfer the risk to a third party, such as an insurance company.

3
Q

Avoidance

A

Eliminate the risk entirely by eliminating the assets to be protected.

4
Q

Acceptance

A

Accept the risk associated with a potential threat; not prudent in general, but usually done when the control is more expensive than the possible impact of the threat.

5
Q

Policy, Standard, Procedure, Guideline, Baseline

A

Policy - Mandatory
Standard - Mandatory
Procedure - Mandatory
Guideline - Discretionary
Baseline - Discretionary

6
Q

Areas of Law

A

Regulatory Law
Criminal Law
Civil Law
Religious Law

7
Q

Data Ownership

A

Data Custodians - IT Department; handles, protects and backs up data daily. Receives instructions from the Data Owner.
Data Processor - Someone who works under the direction of the owner.
Data Steward / User / Controller - Those who use data for business purposes.
Data Owner - Collector and creator of data. Legally responsible and accountable for protecting it and for educating others on how to protect it.
Data Subject - The entity the data is about.
Auditors - They check that everyone is doing what they are supposed to be doing; ensure compliance and see that the procedures are followed.
System Owner - Person who owns the responsibility for hardware and software.

8
Q

Information Life Cycle

A

Acquisition -> Use -> Archival -> Disposal

9
Q

Commercial Label Model

A

Public - Team Members
Sensitive - Financial Information
Private - Medical Information
Confidential - Trade Secrets

10
Q

Military Label Model

A

Unclassified - Recruiting Information
Sensitive but classified - Tests, Medical Records
Secret - Deployment plans for troops
Top Secret - Weapon Blueprints

11
Q

- Clearances
- Need-To-Know

A

- Clearances determine what the users can and cannot access
- Need-To-Know is the necessity for the user to know the information

12
Q

Certification

A

Certification is used for verifying that personnel have adequate credentials to practice certain disciplines, as well as for verifying that products meet certain requirements.

13
Q

Accreditation

A

Accreditation is used to verify that laboratories have an appropriate quality management system and can properly perform certain test methods (e.g., ANSI, ASTM, and ISO test methods) and calibration parameters according to their scopes of accreditation.

14
Q

Security Model Types

A

Non-Interference Model - Under a non-interference provision, a computer is seen as a machine having inputs and outputs. These are categorized in terms of their sensitivity as low (not classified information, or having a low sensitivity) or high (sensitive, and not to be viewed by individuals or resources without the necessary clearance). According to the conditions laid down by the model, any sequence of low-sensitivity inputs will produce outputs that are correspondingly low, regardless of any high-level inputs that may also exist. So if a user with a low or no security clearance is working on a system, it will respond in exactly the same manner to low-sensitivity inputs, irrespective of there being a high-level user with greater security clearance working with sensitive data on the same machine. The low-sensitivity user won't be able to glean any information about the high-level user's activities.

State Machine Model - State machine models monitor the condition of a system to prevent it from moving into an insecure state. Any system supporting a state machine model must at all times have the possible states of its processes examined to verify that they are controlled.

Multi-Level Lattice Model - In a lattice security model, each of the lattice elements is a security label that consists of a security level and a set of categories.

Information Flow Model - An extension of the state machine model concept, the information flow model consists of objects, state transitions, and lattice states which govern data flow policy. Its primary objective is to prevent the flow of unauthorized and insecure data in any direction across the system.

Matrix Based Model

15
Q

Bell-LaPadula Model

A

Concerned with Confidentiality.
Levels: Top Secret, Secret, Unclassified.
- Simple Security Property - No Read Up
- * (star) Property - No Write Down
- Strong * Property - Read/Write only on the same level

16
Q

Biba Model

A

Concerned with Integrity.
Levels: Higher Integrity, Medium Integrity, Lower Integrity.
- Simple Integrity Axiom - No Read Down
- * Integrity Axiom - No Write Up

17
Q

Clark - Wilson Model

A

Concerned with Integrity.
- Commercial use
- Aiming to avoid fraud
- Separation of Duties and Well-Formed Transactions
- The Access Triple
1. Authorized users are not allowed to make unauthorized changes.
2. Unauthorized users are not allowed to make any changes.
3. Verify internal and external consistency.

18
Q

Brewer Nash Model - Chinese Wall

A

Defends against conflicts of interest.
- Commercial use
- What matters is the context, not the content, of the information
- Subjects can access all the information, but once they access one side, they cannot access the other

19
Q

Graham-Denning Model

A

- How to securely create/delete an object
- How to securely create/delete a subject
- How to securely provide the read/grant/delete/transfer access right

20
Q

Harrison-Ruzzo-Ullman Model

A

Similar to the Graham-Denning Model.
- Deals with access rights of subjects and the integrity of these rights
- Subjects have a finite number of operations on an object

21
Q

Take-Grant Model

A

Rules govern the interaction between subjects and objects. The rules are: Take, Grant, Create and Remove.

22
Q

Trusted Computer Base

A

Level of trust of a computer.
- The source of the breach is not the computer
- Protects the CIA of the protected information
- Orange Book: document created by the US government

23
Q

Orange Book

A

- Includes secure design, manufacture, delivery, installation, maintenance, and end of life of a system
- Establishes a perimeter of the trusted component
- Everything outside the perimeter is considered not trusted

24
Q

Trusted Computer Base System Requirements

A

- Isolate subjects from objects
- Reference Monitor
- Protected Memory
- Kernel Self Protection
1. User Mode
2. Kernel Mode
3. Ring Architecture
- Trusted Recovery

25
Q

Trusted Computing Security Evaluation Criteria

A

Orange Book - Standalone security for a computer
Red Book - Security for computers that talk with each other
Certification
- Functionality - Working as expected
- Assurance - Functionality is ensured long-term, in real time and over multiple runs (3rd-party assurance)
Accreditation

26
Q

TCSEC Certification level

A

D - Minimal Protection
C1 - Discretionary Protection (DAC)
C2 - Controlled Access Protection (DAC)
B1 - Labeled Security Protection (MAC)
B2 - Structured Protection (MAC)
B3 - Security Domains (MAC)
A1 - Verified Design (MAC)

27
Q

Types of Security Risks

A

normal - standard benign operations

guarded - accepted or tolerable risk

elevated - detection of potential threat realization (i.e. compromise attempts)

substantial - security violations have occurred, but have not interrupted mission-critical functions

severe - mission-critical functions have been significantly affected or interrupted

28
Q

Security Policy

A

A security policy must be in alignment with the mission, objectives, nature, and culture of a business. Organizational policies are not based on best practices.

29
Q

Service pack

A

Service packs are issued by a manufacturer to correct many software or hardware deficiencies and to upgrade the product. They may combine a large number of patches.

30
Q

Disaster Recovery Plan

A

A disaster recovery plan (DRP) is a documented set of procedures used to recover and restore IT infrastructure, data, applications, and business communications after a disaster event.

31
Q

Business Continuity Plan

A

The business continuity plan (BCP) is a documented set of procedures used to continue business operations in some form to enable the organization to maintain its business capacity during some event.

32
Q

Business Impact Analysis

A

A business impact analysis is performed to determine the resulting impact to the business of the full or partial loss of an operational functional unit of the business.

33
Q

Maximum Tolerable Downtime

A

Maximum tolerable downtime (MTD) is the total amount of time the organization can be without the department or business function before irreparable harm is done to the organization.

34
Q

Recovery Time Objective

A

Recovery point objective (RPO) specifies a point in time to which data can be restored. The recovery point could be the last full backup plus any completed incremental or differential backups that might’ve taken place after the full backup.

35
Q

Enterprise Risk Management

A

An enterprise risk management (ERM) program should be implemented to establish a proactive risk response strategy. Only with properly managed risk is any organization able to get ahead of the attack-react cycle.

36
Q

Code of Ethics (ISC)²

A

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

Act honorably, honestly, justly, responsibly, and legally.

Provide diligent and competent service to principals.

Advance and protect the profession.