Domain 1 Flashcards

1
Q

Mindset of the CISSP Exam

A

1) Think like a CEO - an ethical CEO. The answer is policies
2) Safety is the most important concept - no loss of data is worth risking loss of life - safety is always a good choice
3) Ethics are critical
- protect society, the common good, necessary public trust and confidence, and the infrastructure
- act honorably, honestly, justly, responsibly, and legally
- provide diligent and competent service to principals
- advance and protect the profession
4) Business continuity: protect the organization
5) Increase profits by reducing the risk of financial loss

2
Q

Information Security is:

A

The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity and availability (CIA triad)

Opposites:
Confidentiality – Disclosure
Integrity – Alteration
Availability – Destruction

3
Q

____ provides a weak and unproven claim of identity

A

Identification - providing a username

4
Q

____ serves as proof that a user's identity claim was legitimate

A

Authentication - password. Stronger authentication implies higher integrity of the identity claim - e.g., multifactor authentication

Something you know
Something you have
Something you are
Someplace you are (such as GPS)

Two or more of these is two-factor or multifactor authentication

5
Q

____ proceeds after successful authentication and determines what an authenticated user can do

A

Authorization - roles and access in a system: which users or groups of users should have access to which sets of information. Need to know.

6
Q

____ details the interactions performed by individuals. Makes you responsible for your actions.

A

Accountability / accounting - audit logs can be generated and used to hold users accountable for their actions. However, this is not enough: someone must actually review the logs and identify violations

7
Q

____ is the confidentiality and protection of personally identifiable information

A

Privacy

8
Q

____ is acting as any reasonable person would

A

Due Care - an important concept in the legal matter of negligence, and therefore potential liability. Sometimes referred to as the Prudent Man Rule

Base level of protection

9
Q

____ are practices or processes that ensure the decided-upon standard of care is maintained

A

Due Diligence - followed to ensure that an organization is exercising its duty of care

10
Q

Access Control Measures: What are the major types of controls and how are they implemented?

A

Major types of controls:

  • Preventive (the most important and cost-effective)
  • Detective (assumes an attack has begun and detects after the attack occurs) - e.g., IDS, rotating duties, background checks, cameras
  • Corrective - reacts to an attack and takes corrective action for data recovery (run anti-spyware and fix an issue)
  • Deterrent - discourages security violations (beware of dog)
  • Recovery - restores the operating state back to normal after an attack or system failure - mitigates more severe impacts compared to corrective. Reimaging a system to remove an infection
  • Compensating - provides alternatives to other controls

Implemented via:
- Administrative (directive):
    - Background checks
    - Policies and procedures
- Physical:
    - Locks
    - Securing laptops
    - Securing magnetic media
    - Protection of cabling
- Technical:
    - Encryption
    - Smart cards

Defense in depth is critical

11
Q

Definition of risk and the formula is

A

Risk = threat x vulnerability

To mitigate risks we must understand both threats and vulnerabilities, as well as their interaction

Risk analysis is the process of applying the risk formula

Must also:

  • Understand threats and their motivations
  • Understand particular vulnerabilities and the likelihood of exploitation
  • Understand CIA impacts if exploited
  • Understand controls that could limit impact or decrease likelihood
  • Perform this calculation for each particular vulnerability on each system
  • Aggregate the scores and determine overall risk

12
Q

A ____ is anything that can cause harm to an information system or the potential for a threat-agent to cause harm by exploiting a particular vulnerability

A

Threat

  • Threat-agents or threat-sources are what is behind a particular threat (e.g., organized crime). They are considered as part of the "likelihood" component based on the motivation and capabilities of the threat source.
  • Understanding the motivation and capabilities of threat sources is important.
13
Q

A ____ is a weakness in a system that could potentially be exploited

A

Vulnerability

  • Without an applicable vulnerability, threats cannot introduce risk
  • There is no risk, even if there are numerous motivated threat agents, if there is no vulnerability.
14
Q

A ____ is a vulnerability that is not publicly known and for which no patch currently exists.

A

Zero-day vulnerability

15
Q

____ is the process of a threat taking advantage of a vulnerability or the means by which a threat exercises a vulnerability.

A

Exploitation / exploit

  • Actions triggered by the exploit are called the payload
  • An attacker (threat agent or threat source) exploits a vulnerability.
16
Q

____ is source or binary code that makes it easier for an attacker to exploit a vulnerability

A

Exploit code

The existence of publicly available exploit code is one item that can increase a vulnerability’s overall score

17
Q

The ____ is what action the attacker wants to carry out as a result of the exploitation

A

Payload

  • Actions triggered by the exploit are called the payload
18
Q

In order to perform risk assessments, you must also understand the ___ and ____ of an attack.

A

Likelihood - how likely it is that the threat will exercise the vulnerability

Impact - what the outcome of successful exploitation would be

19
Q

What are the two primary approaches to Risk Analysis?

A

Quantitative (tied to dollar amounts) and Qualitative risk analysis

Risk analysis is the application process of the risk formula (risk = threat x vulnerability)

20
Q

What are some factors of Quantitative Risk Analysis

A
  • More desirable and likely to sway stakeholders
  • Tied to dollars - Attempts to provide a precise numerical value to risk statements but honest calculation can be cumbersome.
  • Not as subjective
  • Established practices and calculations
  • Single Loss Expectancy (SLE) = AV x EF
  • Annualized Rate of Occurrence (ARO) - frequency of the threat occurrence per year
  • Annualized Loss Expectancy (ALE) = SLE x ARO
  • Total Cost of Ownership (TCO)
  • Return on Investment (ROI)
  • Cost/Benefit Analysis
21
Q

What are the Quantitative Risk Analysis / Management Key Formulas?

A
  • Asset Value (AV) = Value of the Asset
  • Exposure Factor (EF) = % of asset value at risk due to a threat
  • Annualized Rate of Occurrence (ARO) = Frequency of threat occurrence per year
  • Single Loss Expectancy (SLE) = AV x EF
  • Annualized Loss Expectancy (ALE) = SLE x ARO
22
Q

What are some factors of Qualitative Risk Analysis

A
  • Not as tied to dollar amounts associated with potential losses
  • Easier to calculate
  • May not be considered as valuable because of the lack of explicit dollar amounts
  • Useful for prioritization of risks to be addressed
  • Strong starting point

**Risk Matrix - common approach for qualitative analysis. Plots likelihood and impact associated with a threat/vulnerability pair (high, medium and low rankings)

23
Q

____ means that the level of risk is unacceptable to the decision makers

A

Excessive Risk - does not necessarily mean a lot of risk, only risk past the acceptable levels

If risk exceeds acceptable levels, the organization must determine how to proceed and how to respond

24
Q

How do you respond to excess risk?

A

1) Risk Mitigation - reduce the risk to an acceptable level by taking actions to decrease the risk
- Most common approach to responding to excessive risk
- Mitigation comes in many flavors:
    - Threat-oriented - focused on reducing the motivation of threat agents (increase fines)
    - Vulnerability-oriented - reducing the vulnerabilities a threat can exploit (patching)
    - Impact-oriented - reducing the overall impact that an exploitation entails
    - Likelihood-oriented - reducing the likelihood that the threat can exploit the vulnerability
- Must identify currently existing controls before identifying additional controls

2) Risk Avoidance - deciding not to move forward with a project that introduces a risk, or decommissioning a system (maybe deciding to do nothing or choosing a different project).

3) Transferring Risk - aka risk sharing, involves a third party to help address the excess risk
- e.g., insurance, outsourcing a risky system to a third party

4) Accepting Risk - there will always be residual risk and some risk ultimately needs to be accepted

25
Q

Control Assessments are used to:

A

Determine both the cost of the control or countermeasure and the efficacy of the control at reducing risk. Effectively, you must perform a cost/benefit analysis to determine which countermeasures to employ, or whether they should be adopted at all.

Metrics to determine this are:

  • Total Cost of Ownership (TCO) - attempts to capture the true cost of adopting something beyond merely the capital expense (includes run and resource costs)
  • Return on Investment (ROI) - attempts to determine how financially worthwhile something is based on how much money will be made (or future losses prevented) relative to the money spent.

First you must identify the current controls in place. Once you determine that those are not sufficient, you must identify countermeasures and controls. Then you perform a control assessment.

26
Q

A ____ is used to determine providers'/suppliers' capabilities and allow for questions and tuning. It is made to gather information about the available providers of the item or service being procured

A

Request for Information (RFI) - also used to identify who will be included in/excluded from a subsequent RFP/RFQ.

27
Q

A ____ is used to determine which providers will bid for a project and what the project will look like.

A

Request for Proposal (RFP) - might include an RFI and RFQ as part of it. Will include who will bid, what their proposal looks like and commonly how much it will cost

28
Q

A ____ is focused on determining the cost a supplier would charge

A

Request for Quote (RFQ) - can be included as part of an RFP but can also be standalone, typically for less complex solutions.

29
Q

A ____ is used when a business operates legally as a partnership

A

Business Partnership Agreement (BPA) - addresses things like ownership, profits/losses and partner contributions. A formal written BPA is not required.

30
Q

A ____ is used when two organizations interconnect information systems / networks

A

Memorandum of Understanding / Agreement (MOU / MOA) - the goal is to establish basic roles, responsibilities and requirements for the interconnection. It refers to the Interconnection Security Agreement (ISA).

31
Q

____ dictates the technical security requirements associated with two organizations connecting information systems/networks and supports the MOU/MOA

A

Interconnection Security Agreement (ISA) - a formal ISA document is most commonly found in government. NIST SP 800-47: Security Guide for Interconnecting Information Technology Systems. This supports the MOU/MOA

32
Q

____ details the expectations a customer has for their service provider and is used to force service providers to agree to provide an acceptable level of security

A

Service Level Agreement (SLA) - determines breaches of contract

33
Q

____ is an internal agreement that supports the SLA and is between groups internally (e.g., IT and HR)

A

Operating Level Agreement (OLA) - if internal groups cannot be aligned, we will not be able to ensure that the service provider can honor their SLA. An OLA is like an internal SLA

34
Q

____ governs how an organization that licenses a large volume of software is allowed to use that software.

A

Enterprise Level Agreement (ELA) - the BSA (Software Alliance) watchdogs license violations and the use of pirated or unlicensed software. Virtualization can make this difficult to identify.

35
Q

Third party governance includes:

A

1) On-site assessment
2) Document exchange and review
3) Process/policy review

36
Q

What are important steps in assessing the security of third-party products?

A

1) Gather requirements before reviewing products
2) Perform a bake-off to compare products that already meet requirements
3) Look for integration with existing infrastructure
4) Consider the TCO of the product, not just the capital expense and annual maintenance (e.g., additional user provisioning and operating expenses, not just capex)

37
Q

___ is similar to risk analysis but is more closely associated with software or application development (SDLC) to achieve a more securely designed application

A

Threat modeling

Seeks to understand threats and consider how they might negatively impact security.

Requires identification of various threats that could exercise vulnerabilities. Threat identification involves:

  • understanding various threat sources
  • appreciating threat source motivations and estimating capabilities
  • recognizing actions taken by threat sources
38
Q

____ are the methods attackers use to touch or exercise vulnerabilities

A

Threat vectors

Eliminating or limiting vectors is a way of reducing risk, even if a vulnerability exists. The mere presence of a threat and a vulnerability does not mean that there is a way for the threat to exploit the vulnerability. There must be a means for the threat to exercise the vulnerability in order for there to be a risk.

39
Q

____ represents all of the ways in which an attacker could attempt to introduce data to exploit a vulnerability

A

Attack Surface

Reducing this is another way to limit risk (e.g., disabling unneeded services or not listening on unnecessary ports).

40
Q

Two types of methods for vulnerability scoring systems are:

A

1) Common Vulnerability Scoring System (CVSS) - standardizes scores while also allowing organizational customization. Based on three groups of metrics - Base (access vector, access complexity, authentication, CIA impacts), Temporal (changes over time) and Environmental.

Base metrics are the standard score; temporal and environmental metrics are for additional precision

2) OCTAVE - Operationally Critical Threat, Asset and Vulnerability Evaluation - a less commonly employed method

Note that likelihood and impact should always be considered

41
Q

A ____ occurs when a programmer fails to perform bounds checking and a user or an attacker overwrites adjacent memory on the stack with arbitrary data, including machine code (malicious code).

A

Buffer Overflow

e.g., there is a 20-byte limit but it is not enforced. Anything written beyond 20 bytes spills onto the stack and can overwrite executable code and replace it with malicious code - the malicious code can cause disruption, crashing, or even take over the computer and extract data

42
Q

A ____ exploits the gap between a security check and execution of code (aka time of check / time of use (TOC/TOU)).

A

Race Condition

*multi-user and multi-tasking systems.

A race condition attack happens when a computing system that is designed to handle tasks in a specific sequence is forced to perform two or more operations simultaneously. This technique takes advantage of a time gap between the moment a service is initiated and the moment a security control takes effect.

Setuid (set user ID upon execution) programs are prime targets.

Example:
Program logic:
- Is my config file secure? (TOC)
    - If no, abort
    - If yes, read file and execute contents (TOU)
**Attacker changes the config file between the TOC and the TOU

Between TOC and TOU: the system performs the TOC - it checks the config file and confirms it is secure. At that moment the attacker changes the config file so it is no longer secure. The system, however, already checked and confirmed it was secure, so it will not check again. When it executes, it runs the new, insecure config within the small gap between TOC and TOU. The system was already committed to the action

43
Q

___ are used to share information that should not be shared, using normal system resources to signal information

A

Covert Channels

There are two kinds in a system:
1) Timing Channel - uses the timing of resource utilization (e.g., network bandwidth or CPU) - someone else can see how much CPU you are using. Tell them that if you burst CPU every 5 seconds it means X and if they see a burst every 1 second it means Y

2) Storage Channel - uses storage on the hard drive - you cannot see my files or file names, but you can see my storage quota. Someone can see how much storage you are using. If you use 50% of the quota that means X and if you use 75% of the quota that means Y

44
Q

What is a man-in-the middle attack and what are the types?

A

Man-in-the-middle attacks involve a suitably positioned adversary coming between two communicating endpoints. The attacker injects themselves into the middle of the communication and sees (and possibly manipulates) all traffic going across the wire

Types are:

1) Replay Attack - simply sniffing traffic could allow for playing back recorded traffic at a later point in time
2) Spoofing - impersonation of one endpoint to another
3) Session hijacking - allows for full-session hijacking
4) Masquerading

45
Q

Types of DOS attacks include

A

1) Crafted Packet attacks
2) Resource Exhaustion
3) Traditional Flooding (e.g., SYN flood)
4) Fork Bomb

46
Q

A ____ DOS exploits TCP/IP stack implementations or poor network configuration to achieve DOS

A

Crafted Packet Attack:

Types:
1) Ping of Death: send a packet larger than what can be handled (the Maximum Transmission Unit (MTU) defines how large a packet can be, e.g., 1,500 bytes)

2) LAND Attack: spoofed packet attack with the source IP and source port matching the destination IP and port of the victim
3) Teardrop: fragmented packet attack that employs large overlapping fragments that can cause DOS on reassembly

47
Q

A ____ DOS targets availability, may be able to force systems to "fail open", and seeks to exhaust computer or network resources (e.g., bandwidth, memory, CPU, disk, swap, etc.)

A

Resource Exhaustion

Example:
CAM Flood - the attacker attempts to fill the CAM table. Once the table is filled, some switches will fail open and act as a hub, sending all frames to all switch ports. This allows an attacker to sniff all traffic and also simplifies man-in-the-middle attacks

48
Q

A ____ is malware that requires a carrier, such as being carried from one computer to another via removable flash media

A

Virus

A virus is a form of malware and requires a carrier to spread. Viruses typically infect mobile media such as floppy disks or USB flash media, which may then be carried by a human to another system where the infection may spread

49
Q

A ____ is malware that self-propagates. It infects one host, and then attempts to spread automatically

A

Worm

A worm spreads independently. It infects one system and then pivots via that system to infect others.

50
Q

A ____ is software that has two functions and is a related form of malware. The two functions are overt and covert.

A

Trojan

Overt, benign-appearing function - usually innocuous, such as a greeting card or game.

Covert, malicious function - hidden and typically malicious, like a keystroke logger

51
Q

Server/Service side vs. Client side attack is:

A

Server-side attack: initiated by the attacker. The attacker tries to come into the system

Client-side attack: the victim initiates the attack by downloading malicious content

52
Q

Types of phishing attacks include

A

1) Regular generic phishing
2) Spear phishing - more targeted attempts at social engineering
3) Whaling - targeted phishing attempts against executives or senior members
4) Business email compromise (BEC) - CEO impersonation with the goal of convincing an employee to inappropriately make a wire transfer

53
Q

Emanations are:

A

Every time a CPU does something it broadcasts it electromagnetically - this is called EMI - electromagnetic interference.

Electromagnetic information leaves the system and has been protected against with TEMPEST, which involves shielding. If you can read this EMI, you can read the CPU remotely and break encryption

Put things in a Faraday cage (metal container) which the EMI cannot go through.

54
Q

____ governs individual conduct as it pertains to laws, both federal and state, that were designed to protect the public.

A

Criminal laws/proceedings

Examples: unauthorized use of a system, DOS attack, website defacement.

Violation can result in monetary penalties and/or imprisonment

The victim is society and law enforcement must take the case. An individual or company cannot bring criminal charges against someone. Criminal law is the only kind of law under which someone can get jail time.

Burden of Proof: to find someone guilty, you have to prove beyond a reasonable doubt that they committed the crime.

55
Q

____ refers to an action against a company that causes damage or financial loss.

A

Civil law

Examples: worm attacks, DOS, or any other attack that affects the availability of a system.

Violation can result in punitive or compensatory damages (monetary). No jail time. Damages are the primary outcome for defendants found liable.

*** Deals with civil actions initiated by individuals or organizations. Mostly associated with torts, contracts, and property, and the associated loss experienced by an individual/business

Burden of Proof: preponderance of evidence (greater than 50% chance the claim is true)

56
Q

____ deals with the governing regulations of a particular country and is especially important for government workers or those computer professionals in highly regulated environments, such as banking, finance, healthcare and pharma.

A

Administrative / Regulatory law

Example = HIPAA

57
Q

____ protects inventions and is the grant of a property right to the inventor, issued by the ____ and Trademark Office.

A

Patent

The term of a new patent is 20 years from the date on which the application for the patent was filed in the US. US patent grants are only effective in the US.

Gives you the right to exclude others from making, using, offering for sale, selling or importing the invention

58
Q

____ is a form of protection provided to the authors of original works of authorship including literary, dramatic, musical, artistic and certain other intellectual works, both published and unpublished.

A

Copyright

Gives the owner the exclusive right to reproduce the copyrighted work, to prepare derivative works, to distribute copies or phonorecords, to perform the copyrighted work publicly, or to display the copyrighted work publicly. Copyright protects the form of expression rather than the subject matter of the writing.

Author's life plus 70 or so years

E.g., a song by the Beatles, a Mickey Mouse cartoon

Watch out for piracy

59
Q

A ____ is a word, name, symbol or device that is used in trade with goods to indicate the source of the goods and to distinguish them from the goods of others.

A

Trademark

E.g., the word Velcro or Xerox, or the red triangle for Bass Ale.

"Mark" is also used to describe a trademark. A service mark is the same as a trademark but it identifies and distinguishes the source of a service rather than a product.

Watch out for counterfeiting and dilution

60
Q

____ consists of information and can include a formula, pattern, compilation, program, device, method, technique or process. It protects critical intellectual property that is not publicly available

A

Trade Secret

You do not file for a trade secret but you must show due care in keeping the asset protected and secret in order to claim the item as a trade secret. You are expected to exert overt protection and control of trade secrets and they are normally covered by an NDA or other contracts.

E.g., the Coca-Cola recipe

61
Q

___ is software with limited functionality (a software company wants to let people try out a piece of software, but in order to entice them to buy it, they give them only limited functionality)

A

Crippleware

62
Q

___ is when you download the software but only pay for it if you use it

A

Shareware

63
Q

Privacy Acts in the US:

A

US Privacy Act of 1974
- covers federal government collection, use and transmission of citizen data and allows citizens to gain access to most data held about them

FTC: Fair information practice principles (FIPPs)

  • OECD
  • Notice / Awareness
  • Choice / Consent
  • Access / Participation
  • Integrity / Security
  • Enforcement / Redress

Private Sector guidance is considered lax by international standards - e.g., HIPAA/HITECH

64
Q

International Privacy Acts:

A

OECD - Organisation for Economic Co-operation and Development

  • an international body that develops non-binding security and privacy guidance (member countries do not have to implement the recommendations)
  • not a standard but a collection of countries
  • develops highly regarded security guidance

European Union - Data Protection Directive

  • member states are required to translate it into national law (binding)
  • represents stringent privacy requirements that must be adhered to

General Data Protection Regulation (GDPR)

  • Supersedes EU Data Protection Directive
  • requires appointment of data protection officer
  • extremely high sanctions for non-compliance
65
Q

ISC2 Code of ethics - Canon 1 is:

A

1) Protect society, the common good, necessary public trust and confidence, and the infrastructure
- Promote and preserve public trust and confidence in information and systems
- Promote the understanding and acceptance of prudent information security measures
- Preserve and strengthen the integrity of the public infrastructure
- Discourage unsafe practice

66
Q

ISC2 Code of ethics - Canon 2 is:

A

2) Act honorably, honestly, justly, responsibly and legally
- Tell the truth; make all stakeholders aware of your actions on a timely basis
- Observe all contracts and agreements, express or implied
- Treat all members fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order
- Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious and within your competence
- When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction where you render your service

67
Q

ISC2 Code of ethics - Canon 3 is:

A

3) Provide diligent and competent service to principals
- Preserve the value of their systems, applications and information
- Respect their trust and the privileges they grant you
- Avoid conflicts of interest or the appearance thereof
- Render only those services for which you are fully competent and qualified

68
Q

ISC2 Code of ethics - Canon 4 is:

A

4) Advance and protect the profession
- Sponsor for professional advancement the best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession
- Take care not to injure the reputation of other professionals through malice or indifference
- Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others

69
Q

What are the attributes of a security policy:

A

Information security policies provide high-level guidance regarding expected conditions, outcomes, and behaviors. The goal is to ensure that well-meaning employees understand organizational expectations.

They are fundamentally dependent upon organizational security posture and corporate culture - they cannot just be cut and pasted from a book/website

Policies can exist on different levels (e.g., enterprise-wide, division-wide, local, issue-specific), and must always be in accordance with laws and other regulations.

Policies are high level and will likely not change drastically on a regular basis. They can change due to new laws, new technologies, user behavior, or changes to the threat or vulnerability landscape

They provide the what and the why.

Contents include:

1) purpose
2) related documents
3) cancellation
4) background
5) scope
6) policy statement
7) responsibility
8) ownership

70
Q

What are attributes of a security procedure:

A

Security procedures are focused on how to achieve what security policies mandate. Procedures allow for processes to include security control points and integrate security controls into processes/procedures that can serve as preventative or detective controls.

They are much more detailed than policies and provide detailed guidance for carrying out tasks.

They support the what and the why by detailing the how.

They should be constantly updated or developed anew.

71
Q

What are the attributes of a standard:

A

Standards are applied to the organization as a whole. They are mandatory and provide additional definition to the policies, tailoring them to specific technologies. They do not state what is expected of a user but instead specify a certain way something should be done, or a certain brand or type of equipment that must be used, e.g., all computers must be a certain model from a certain vendor.

They are organizational, specify uniform use of specific technologies, are compulsory, and refer to specific hardware and software

72
Q

What are the attributes of a baseline:

A

A baseline is essentially a more specific implementation of a standard. It usually gets into the specific technical details of how a system should be configured from either a software or hardware standpoint. It starts as a guideline until it has been properly modified to meet the needs of the organization.

Hardening rules for setting up a new server are an example of something that starts as a guideline and turns into a baseline.

73
Q

What are the attributes of a guideline:

A

These are suggestions, not mandatory. Best practices are examples of guidelines that many organizations try to achieve. A guideline is more of a recommendation of the way something should be done.

Assists users, systems personnel, and others in effectively securing a system.

74
Q

Documentation review and example:

A

Policy: Passwords must be changed every 90 days

Standard: Administrators must use Windows Server 2012 as the base OS

Procedure: Follow these step-by-step instructions to build the server

Baseline: The specific settings for Windows Server 2012 should match those in the CIS security benchmark

Guideline: To create a strong password, use the first letter of every word in a sentence

75
Q

Acceptable Use Policy (AUP) is:

A

A catch-all policy that tries to define user behavior. The primary goal is to help well-meaning employees know what the company requires of computer use and to establish precedent for what types of behavior are considered unacceptable.