CISSP Domain 1 - Flashcards

1

CIA - Confidentiality

* High level of assurance that info is kept from unauthorized parties
* Attacks: Shoulder surfing, social engineering, decryption, brute-force
* Defense: Encryption, access controls
2

CIA - Confidentiality - Definition

High level of assurance that info is kept from unauthorized parties
3

CIA - Confidentiality - Attacks

* Shoulder surfing
* Social engineering
* Decryption
* Brute-force
4

CIA - Confidentiality - Defense

* Encryption
* Access Controls
5

CIA - Confidentiality - Related concepts

* Sensitivity: What could happen if this info was disclosed
* Discretion: When you choose to control the information disclosure to limit damage
* Concealment: Act of hiding or preventing disclosure
* Secrecy: Keeping something secret
* Privacy: Keeping sensitive info confidential
* Seclusion: Storing something in an out-of-the-way manner
* Isolation: Keeping something separated from others
6

Sensitivity

What could happen if this info was disclosed
7

Discretion

When you choose to control the information disclosure to limit damage
8

Concealment

Act of hiding or preventing disclosure
9

Secrecy

Keeping something secret
10

Privacy

Keeping sensitive info confidential
11

Seclusion

Storing something in an out-of-the-way location. This location can also provide strict access controls. Seclusion can help enforce confidentiality protections
12

Isolation

Keeping something separated from others
13

CIA - Integrity

* When info remains unaltered by unauthorized parties
* Approaches:
 - Preventing intentional unauthorized modification
 - Preventing accidental modifications
 - Ensure internal and external consistency of the information
14

CIA - Availability

* Usable access to a resource is always provided in a timely and uninterrupted manner
* Examples:
 - Load Balancing
 - Clustering
 - Backups
 - Redundancy
15

AAA (IAAAA)

* Identification: A subject claims a specific identity
* Authentication: A subject proves he is who he claims to be
* Authorization: Deciding what the subject can access and how it can be used
* Auditing: Recording activities of the subject in a log
* Accountability: Reviewing the log to check for compliance
16

From Vulnerability to Exposure - Vulnerability

* A weakness in a system that allows a threat to compromise security
* Examples:
 - AP without security enabled
 - Too many ports allowed on a firewall
 - Unneeded service running on a server
17

From Vulnerability to Exposure - Exploit

Occurs when a vulnerability is taken advantage of by an attacker
18

From Vulnerability to Exposure - Threat

Danger that a vulnerability will be exploited
19

From Vulnerability to Exposure - Threat Agent

Entity that exploits a vulnerability
20

From Vulnerability to Exposure - Risk

The likelihood that a threat agent will exploit a vulnerability combined with the damage that could result
21

From Vulnerability to Exposure - Exposure

Single real-world instance of a vulnerability being exploited by a threat agent
22

From Vulnerability to Exposure - Control

Countermeasure put into place to mitigate the risk
23

Controls - Categories

* Administrative Controls: Controls put in place by management
 - Examples: Training, Security Policy
* Technical Controls: Software elements such as hashing, encryption or authentication enforcement
* Physical Controls: Controls that are physical
 - Examples: Lighting, Fences, Keycards, Security Guards
24

Controls - Functions

* Preventative: Avoid an incident
* Corrective: Fix a component or system
* Deterrent: Discourage an attacker
* Detective: Identify an intruder
* Recovery: Bring environment back to normal operation
* Compensating: Alternative control if the first choice is unavailable
25

Security Frameworks - ISO 27000 Series - BS7799

* Created in 1995
* Published by British Standards Institute
* Outlines how an ISMS should be created and maintained
* Part 1
 Describes controls
* Part 2
 Shows how an ISMS can be setup

26

Security Frameworks - ISO 27000 Series (1-8, 11, 14-15, 31-35, 37, 799)

* ISO 27000: Overview and vocabulary for the rest of the 27000 series
* ISO 27001: Standard for creation, implementation, control and improvement of ISMS
* ISO 27002: General guidelines for implementing an ISMS
* ISO 27003: ISMS implementation
* ISO 27004: ISMS measurement
* ISO 27005: Risk management
* ISO 27006: Certification body requirements
* ISO 27007: ISMS auditing
* ISO 27008: Guidance for auditors
* ISO 27011: Telecommunications organizations
* ISO 27014: Information security governance
* ISO 27015: Financial sector
* ISO 27031: Business continuity
* ISO 27032: Cybersecurity
* ISO 27033: Network security
* ISO 27034: Application security
* ISO 27035: Incident management
* ISO 27037: Digital evidence collection and preservation
* ISO 27799: Health organizations

27

ISO 27000

Overview and vocabulary for the rest of the 27000 series

28

ISO 27001

Standard for creation, implementation, control and improvement of ISMS

29

ISO 27002

General guidelines for implementing an ISMS

30

ISO 27003

ISMS implementation

31

ISO 27004

ISMS measurement

32

ISO 27005

Risk management

33

ISO 27006

Certification body requirements

34

ISO 27007

ISMS auditing

35

ISO 27008

Guidance for auditors

36

ISO 27011

Telecommunications organizations

37

ISO 27014

Information security governance

38

ISO 27015

Financial sector

39

ISO 27031

Business continuity

40

ISO 27032

Cybersecurity

41

ISO 27033

Network security

42

ISO 27034

Application security

43

ISO 27035

Incident management

44

ISO 27037

Digital evidence collection and preservation

45

ISO 27799

Health organizations

46

Security Frameworks - Enterprise Architecture Development - Introduction

* Addresses the structure and behavior of an organization
* It's a guidance on how to build an architecture
* Allows each group of people within an organization to view the business in terms they can understand

47

Security Frameworks - Enterprise Architecture Development - Zachman

* Created by John Zachman in the 80s
* This framework is not security oriented, but it is a good template to work with because it offers direction on how to understand an actual enterprise in a modular fashion
* 2-dimensional matrix
 X-axis
 5 different audiences
 Y-axis
 6 different views

48

Security Frameworks - Enterprise Architecture Development - Zachman (audiences - views)

Audiences:
* Executives
* Business Managers
* System Architects
* Engineers
* Technicians
* Entire enterprise

Views
* What
* How
* Where
* Who
* When
* Why

49

Security Frameworks - Enterprise Architecture Development - TOGAF

* Created by US DoD
* Architecture types
 Business
 Data
 Application
 Technology
* Architecture Development Method (ADM)
 Used to create each type
 The last step feeds back into the first step
 After each iteration, the process has been improved to reflect changing requirements
 Each iteration addresses each of the four views

50

Security Frameworks - Enterprise Architecture Development - Military Oriented

* Department of Defense Architecture Framework:
 - Involves things such as command, control, surveillance and reconnaissance
 - One of its primary objectives is to ensure a common communication protocol and standard payloads
* Ministry of Defence Architecture Framework
 - British version of DoDAF

51

Security Frameworks - Enterprise Architecture Development - Sherwood Applied Business Security Architecture (SABSA)

* It's an Enterprise Security Architecture: Ensures an organization has an effective ISMS in place
* Similar to Zachman
* Views:
 - Assets (What)
 - Motivation (Why)
 - Process (How)
 - People (Who)
 - Location (Where)
 - Time (When)
* Y-Axis from wide to narrow
 - Contextual
 - Conceptual
 - Logical
 - Physical
 - Component
 - Operational
* Difference between SABSA and the others
 - It is also a methodology
 - Provides an actual process to follow
 - It is geared toward security

52

Security Frameworks - Architecture Framework Terms

* Strategic Alignment: An architecture is strategically aligned when it meets the needs of the business and all legal or regulatory requirements
* Business Enablement: A good security architecture must enable the business to thrive by not getting in the way, but still providing proper security
* Process Enhancement: Security forces us to take a closer look at existing processes. This could lead us to improve them
* Security Effectiveness: Most quantifiable of the attributes. Examples: ROI, SLA achievements

53

Security Frameworks - Frameworks for Implementation

* COSO Internal Control
* COBIT
* NIST SP 800-53

54

Security Frameworks - Frameworks for Implementation - COSO IC

* Identifies 17 control principles grouped into 5 categories
* Created in the 80s as a result of financial fraud
* Provides Corporate Governance
* Categories
 - Control Environments
 - Risk Assessments
 - Control Activities
 - Information and Communication
 - Monitoring Activities

55

Security Frameworks - Frameworks for Implementation - COBIT

* Created by ISACA and ITGI
* Defines 17 enterprise and 17 IT goals
* It's not strictly security related
* It is an IT related subset of COSO IC
* Principles
 Meeting stakeholder needs
 Covering the enterprise end-to-end
 Applying a single integrated framework
 Enabling a holistic approach
 Separating governance from management

56

Security Frameworks - Frameworks for Implementation - NIST SP 800-53

* Created by the US government
* Specifies the control that federal agencies must implement
* If an agency doesn't comply, it is in violation of FISMA (Federal Information Security Management Act of 2002)
* Contains a list of 18 control categories

57

Security Frameworks - Frameworks for Implementation - Private vs Federal controls

* Administrative = Management
* Technical = Technical
* Physical = Operational

58

Security Frameworks - Process Development

* ITIL
* Six Sigma
* Capability Maturity Model Integration (CMMI)

59

Security Frameworks - Process Development - ITIL

* Developed in the UK in the 80s
* De facto standard for IT management best practices
* Focuses on achieving SLAs between the IT department and its customer
* Stages
 - Design
 - Transition
 - Operation
* Each stage has between 3 and 5 steps

60

Security Frameworks - Process Development - Six Sigma

* Measures process quality by using statistical calculations
* A sigma rating is applied to a process to indicate the percentage of defects it contains

61

Security Frameworks - Process Development - Capability Maturity Model Integration (CMMI)

* Created by Carnegie Mellon for US DoD
* Determines the maturity of an organization's processes
* Designed to make improvements in an incremental and standard manner
* Levels:
 - Level 0: Nonexistent Management
 - Level 1: Unpredictable Processes
 - Level 2: Repeatable Processes
 - Level 3: Defined Processes
 - Level 4: Managed Processes
 - Level 5: Optimized Processes

62

Security Frameworks - The Process Life Cycle

* Focuses on how to keep processes up-to-date and healthy
* Four steps, and the last one feeds right back into the first one to start a new iteration
* Steps: Plan, Implement, Operate, Evaluate

63

Security Frameworks - The Process Life Cycle - Steps - 1: Plan (6)

- Establish MGMT and oversight committees
- Identify business drivers and threats
- Perform a risk assessment
- Create security architectures for the business, data, application and infrastructure
- Select possible solutions for the problems identified
- Get mgmt approval to move to the next steps

64

Security Frameworks - The Process Life Cycle - Steps - 2: Implement (8)

- Assign duties
- Establish baselines
- Put security policies into operation
- Identify data that needs to be secured
- Create blueprints
- Implement controls based on the blueprints
- Implement solutions to monitor the controls based on the blueprints
- Establish goals, SLAs and metrics based on the blueprints

65

Security Frameworks - The Process Life Cycle - Steps - 3: Operate (4)

- Follow established procedures to ensure baselines meet the blueprints
- Execute audits
- Execute tasks defined by the blueprints
- Ensure SLAs are met

66

Security Frameworks - The Process Life Cycle - Steps - 4: Evaluate (4)

- Review logs, audit results, metrics and SLAs
- Determine if the blueprint goals have been met
- Hold quarterly meetings with the steering committee
- Identify actions to improve as an input into the first step

67

Computer Crime Law - Cyberlaw

Any law that deals with computer-based crime

68

Computer Crime Law - Computer Crime Categories

* Computer-assisted: Computer is a tool
 - Example: Stealing money from a bank across the Internet
* Computer-targeted: Computer is the victim
 - Example: DoS attack
* Computer is incidental: Computer is involved but didn't play a significant role in the crime
 - Example: If a computer is used to temporarily store stolen or illegal goods

69

Computer Crime Law - Computer Crime

* Script Kiddies: Unsophisticated individuals who know just enough about pre-built hacking tools
* Types of serious hackers
 1- The ones who randomly sniff around
 2- APT (Advanced Persistent Threats)
  - Most dangerous
  - They target specific persons or organizations

70

Computer Crime Law - Computer Crime - OECD

* OECD has issued guidelines on how to deal with data that is transferred between countries
* Core principles:
 - Collection Limitation
 - Data Quality
 - Purpose Specification
 - Use Limitation
 - Security Safeguards
 - Openness
 - Individual Participation
 - Accountability

71

Computer Crime Law - Computer Crime - Safe Harbor Privacy Principles

* They deal with US and EU data transfer requirements
* Rules:
 - Notice
 - Choice
 - Onward Transfer
 - Security
 - Data Integrity
 - Access
 - Enforcement

72

Computer Crime Law - Computer Crime - Import and Export Law

* Each country has its own laws regarding import and export of goods
* Wassenaar Agreement
 - Followed by 41 countries including the US
 - Goal: To prevent the buildup of further military capabilities
 - The Information Security part deals with the exchange of cryptography

73

Computer Crime Law - Types of Legal Systems (CCCRM)

* Civil (Code) Law System: Lower courts are not compelled to follow the decisions made by upper courts
* Common Law System: Based on precedence
* Customary Law System: Deals with personal conduct and behavior
* Religious Law System: Based on religious beliefs of that region
* Mixed Law System: Two or more of the previously mentioned systems used together

74

Computer Crime Law - Types of Legal Systems - Common Law System types

* Criminal
 - To be convicted, guilt beyond reasonable doubt must be established
 - Cases are usually brought about by government prosecutors with a guilty or not guilty verdict
* Civil/Tort
 - Offshoot of Criminal Law
 - Deals with wrongs committed against an individual or company that have resulted in injury or damages
 - If found liable, monetary reparations are usually made by the defendant, but loss of freedom is never a result
* Administrative
 It addresses issues such as international trade, manufacturing, environment and immigration

75

Computer Crime Law - Intellectual Property

* Law that allows individuals or companies to protect what is rightly theirs from illegal duplication or use
* IP types:
 - Trade Secret
 - Copyright
 - Trademark
 - Patent

76

Computer Crime Law - Intellectual Property - Trade Secret (def-expiry-nda-example)

* Something a company creates or owns that is crucial to its survival and profitability
* Doesn't expire as long as it remains a trade secret
* Most companies with trade secrets make their employees sign an NDA
* Example: Coca-Cola formula

77

Computer Crime Law - Intellectual Property - Copyright

* Gives the author of a work the rights to control the display, adaptation, reproduction or distribution of that original work
* Protects the expression of the idea rather than the idea itself
* Expires after a limited amount of time
* Specific to the computer industry
 - Protects source code and object code
 - Protects user interfaces

78

Computer Crime Law - Intellectual Property - Trade Mark

* Protects a name, symbol, word, sound, shape, color or any combination thereof
* Represents a company's brand identity to its potential consumers
* WIPO (World Intellectual Property Organization) oversees International Trademark Law

79

Computer Crime Law - Intellectual Property - Patent

* Given to individuals or companies to protect an invention
* Strongest form of IP protection
* The invention must be novel, useful and non-obvious
* Has an expiration date (20 years)
* Specific to computer industry
 - Algorithms are commonly patented
 - Patent infringement prosecution is a matter of everyday life
 - Patent trolls buy patents only to sue infringing companies

80

Computer Crime Law - Intellectual Property - Protection of Intellectual Property

* A company must properly classify the data and implement sufficient protection (Due care)
* If Due Care is not taken, litigation will fail
* Software Piracy: Occurs when protected works or data are duplicated or used without permission or compensation to the author
* Software Licensing: Freeware, Shareware, Commercial, Academic
* EULA: Used for communicating the licensing requirements
* FAST/BSA: Promote enforcement of software rights in order to combat piracy
* DMCA:
 - Prohibits attempts to circumvent copyright protection mechanisms
 - In Europe, a similar law is the Copyright Directive

81

Computer Crime Law - Privacy - Personally Identifiable Information (PII)

* Any data that can be used to identify, contact or locate an individual
* It's sensitive data because it can be used for identity theft
* Typical PII components
 - Full Name
 - ID Number
 - Biometrics
 - Digital Identities
 - Birthdate

82

Computer Crime Law - Privacy - Laws and Regulations

* Federal Privacy Act of 1974
* Federal Information Security Management Act of 2002 (FISMA)
* Department of Veterans Affairs Information Security Protection Act
* Health Insurance Portability and Accountability Act (HIPAA)
* Health Information Technology for Economic and Clinical Health Act (HITECH)
* USA Patriot Act
* Gramm-Leach-Bliley Act (GLBA)
* Personal Information Protection and Electronic Documents Act (PIPEDA)
* Payment Card Industry Data Security Standard (PCI DSS)
* Economic Espionage Act of 1996

83

Computer Crime Law - Privacy - Laws and Regulations - Federal Privacy Act of 1974

Federal agencies could collect and store info about an individual's academic, medical, financial, criminal and employment history only if the agency had a necessary and relevant need to

84

Computer Crime Law - Privacy - Federal Information Security Management Act of 2002 (FISMA)

* Requires high-level officials of each agency to hold annual reviews of the information security programs and report the results to the Office of Management and Budget (OMB), which in turn reports to Congress on the level of compliance achieved
* Requirements
 - Inventory of Information Systems
 - Categorization of the information and information systems according to risk
 - Security controls
 - Risk Assessment
 - System security plan
 - Certification and accreditation
 - Continuous monitoring

85

Computer Crime Law - Privacy - Department of Veterans Affairs Information Security Protection Act

* FISMA + Additional requirements on that agency alone
* Due to an incident in 2006

86

Computer Crime Law - Privacy - Health Insurance Portability and Accountability Act (HIPAA)

* PHI (Patient Health Information): PII+specific health details
* Defines rules for any facility that creates, accesses, shares or destroys patient data
* Works with fines
* Does not require notification of data breaches

87

Computer Crime Law - Privacy - Health Information Technology for Economic and Clinical Health Act (HITECH)

* Created in 2009
* Subtitle D
 - Electronic transmission of health information
 - Helps enforce HIPAA rules
* It directs the US Secretary of Health and Services (HHS) to provide guidance on effective controls to protect data
* Companies that comply with this guidance do not have to report data breaches. Otherwise, they have 60 days to report to HHS and the affected individuals

88

Computer Crime Law - Privacy - Patriot Act

* Reduces restrictions on law enforcement when searching electronic records
* Allows greater foreign intelligence gathering within the US
* Gives the Secretary of Treasury greater power to regulate financial transactions
* Broadens the ability to detain or deport immigrants suspected of terrorism
* Expands the definition on terrorism to include domestic terrorism
* Now the government can monitor individuals' electronic communications at will

89

Computer Crime Law - Privacy - Gramm-Leach-Bliley Act (GLBA)

* aka Financial Services Modernization Act
* Requires financial institutions to create privacy notices and give their customers the ability to opt out of sharing their information with third parties
* In the event of a data breach the institution must report it to the federal regulators, law enforcement and affected customers

90

Computer Crime Law - Privacy - Personal Information Protection and Electronic Documents Act (PIPEDA)

Canadian protection of privacy law regarding e-commerce

91

Computer Crime Law - Privacy - Payment Card Industry Data Security Standard (PCI DSS)

* It's a standard for data security created by the major credit companies
* Credit companies will not work with a company that is not PCI compliant

92

Computer Crime Law - Privacy - Economic Espionage Act of 1996

* Passed in 1996
* Defines who can investigate data breaches
* Protects IP

93

Computer Crime Law - Privacy - International Data Breaches

* USA: Has a number of laws on the books
* EU data protection regulation: Standardized data breach notification

94

Policies-Standards - Baselines - Guidelines and Procedures - Policies - Security Policy

High-level statement that describes how security works within the organization.

95

Policies-Standards - Baselines - Guidelines and Procedures - Policies - Security Policy Types (OIS)

* Organizational Security Policy:
 - Dictates how a security program will be constructed and describes how enforcement will be implemented.
 - Sets the various goals. Addresses laws and regulations. Provides direction on the amount of risk the organization is willing to accept.
 - Should be periodically reviewed and updated.
 - Documentation should be version-controlled and applicable for several years into the future.
* Issue-specific policy: Provides more detail on an area that needs further explanation. Must not be technology-specific. Example: E-mail policy
* System-specific policies: Contain details that are specific to a system. Sufficiently generic to allow for other technologies and solutions

96

Policies-Standards - Baselines - Guidelines and Procedures - Policies - Another Policy Classification (IRA)

* Informative: Informs employees on a broad range of topics in an unenforceable manner
* Regulatory: Addresses regulatory requirements for a specific industry such as GLBA, PCI or HIPAA
* Advisory: Advises employees on enforceable rules governing actions and behaviors

97

Policies-Standards - Baselines - Guidelines and Procedures - Standards

* Provide instruction on how to meet the policy
* Standards must always be enforced

98

Policies-Standards - Baselines - Guidelines and Procedures - Baselines

* Point in time that is used as a comparison for future changes
* A baseline results in a consistent reference point

99

Policies-Standards - Baselines - Guidelines and Procedures - Guidelines

Reflect recommendations and guides for employees when a specific standard does not really apply

100

Policies-Standards - Baselines - Guidelines and Procedures - Procedures

Where policies tell us where we want to go and standards provide the tools, procedures give us the step-by-step instructions on how to do it

101

Risk Management - NIST SP 800-53 three tiers to risk management (OBI)

* Organizational
* Business Process
* Information Systems (Our focus)

102

Risk Management - Information Systems Risk Management

ISRM policy should address the following elements
- The objectives of the ISRM team
- What is considered an acceptable level of risk
- How risks will be identified
- How the ISRM policy fits within the organization's strategic planning
- Roles and responsibilities for the ISRM
- Mapping of risk to controls, performance targets and budgets
- How staff behavior and resource allocation will be modified
- How the effectiveness of controls will be monitored

103

Risk Management - The Risk Management Team

* It can be a single person or more
* Usually they do not spend 100% of their time on ISRM

104

Risk Management - The Risk Management Process - Four components: (FARM)

* Frame: Define the assumptions, constraints, priorities and the amount of risk the organization can tolerate
* Assess: Determine threats, vulnerabilities and attack vectors
* Respond: Match the available resources against a prioritized list of risks
* Monitor: Continuously watch the controls to assess their effectiveness against the risk each was designed to protect the organization from

105

Modeling Threats - Vulnerabilities

* Information: Data at rest / Data in motion / Data in use
* Processes: Blocks of code executing in-memory
* People: Usual attack vector / Social engineering / Social networks / Passwords

106

Modeling Threats - Threats

* Potential cause of an unwanted incident, which may result in harm to a system or organization
* Sources:
 - Deliberate outsiders
 - Deliberate insiders (The most dangerous group)
 - Accidental insiders

107

Modeling Threats - Attacks

* There are two ends to an attack
 - Attacker
 - Target
 - Means to an attack
* Attack Tree: Steps and substeps in an attack
* Attack Chain: One path that can be contained in an attack tree

108

Modeling Threats - Reduction Analysis

* Reduces the number of attacks to consider by identifying commonalities
* Reduces the threat posed by attackers: the closer to the root a mitigation is implemented, the more risks it is likely to control

Assessing and Analyzing Risk - Risk Assessment

* Method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls
* Outputs a list of vulnerabilities and threats

109

Assessing and Analyzing Risk - Risk Analysis

* Prioritizes the list obtained through the Risk Assessment
* Assesses the amount of resources to properly mitigate the top threats
* Goals
- Identify and valuate assets
- Identify vulnerabilities and associated threats
- Quantify the likelihood of the threats
- Calculate an economic balance between each threat and the cost of a countermeasure
* Outputs a cost/benefit comparison

110

Assessing and Analyzing Risk - Risk Analysis Team

* Individuals from all departments
* Good questions for this team to ask are:
 1. What could happen?
 2. What would the impact be?
 3. How often could it happen?
 4. Do we really believe the first three answers?

111

Assessing and Analyzing Risk - Calculating Value

* Calculating currency-based value for each asset
* Issues to be examined
 - Cost to acquire or develop the asset
 - Cost to maintain and protect the asset
 - Value of the asset to owners and users
 - Value of the asset to adversaries
 - Price others are willing to pay for the asset
 - Cost to replace the asset if lost
 - Operational and production activities affected if the asset is unavailable
 - Liability issues if the asset is compromised
 - Usefulness and role of the asset in the organization
* Two questions should be asked:
 - What is the cost to protect an asset?
 - What is the cost if we did not protect an asset?
* Allows us to do the following
 - Perform an effective cost/benefit analysis
 - Select proper controls
 - Determine the amount of insurance to purchase
 - Define exactly what is at risk
 - Comply with legal and regulatory requirements

112

Assessing and Analyzing Risk - Identifying Vulnerabilities and Threats

* Threats can arise from seemingly innocuous sources such as our own applications and users
Examples:
- An application could have a logic flaw, known as illogical processing, which destroys or compromises data or resources. This can then lead to cascading errors wherein a small flaw is passed to another process, which can amplify the flaw
- A user can enter invalid data or even accidently delete important data
* Loss Potential: Every risk has one
* Delayed Loss: It happens after the vulnerability has been exploited. Example: Your company's reputation takes a hit

113

Assessing and Analyzing Risk - Methodologies for Risk Assessment

* NIST SP 800-30
* Facilitated Risk Analysis Process (FRAP)
* Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE)
* AS/NZS 4360
* ISO 27005
* Failure Mode and Effect Analysis (FMEA)
* Central Computing and Telecommunications Agency Risk Analysis and Management Method (CRAMM)

114

Assessing and Analyzing Risk - Methodologies for Risk Assessment - NIST SP 800-30

1- Prepare for the assessment
2- Conduct the assessment
 a. Identify threats
 b. Identify vulnerabilities
 c. Determine likelihood
 d. Determine magnitude
 e. Calculate risk
3- Communicate the results
4- Maintain the assessment

115

Assessing and Analyzing Risk - Methodologies for Risk Assessment - Facilitated Risk Analysis Process (FRAP)

Stresses a qualitative measurement of risk instead of trying to actually calculate a risk value

116

Assessing and Analyzing Risk - Methodologies for Risk Assessment - Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE)

* The premise of this methodology is that the people involved with a system or process should be the only ones making the decisions on security, as opposed to higher-level or external influences
* Meant for entire organization

117

Assessing and Analyzing Risk - Methodologies for Risk Assessment - AS/NZS 4360

Focuses on the organization's overall health, but could also be used in security

118

Assessing and Analyzing Risk - Methodologies for Risk Assessment - ISO 27005

Describes how risk management (RM) should be carried out for an information security management system (ISMS)

119

Assessing and Analyzing Risk - Methodologies for Risk Assessment - Failure Mode and Effect Analysis (FMEA)

* Focuses on identifying functions, their failures and the causes of those failures
* Excels when examining a single system, but tends to break down when considering multiple systems
* Steps
1) Create a block diagram
2) Consider what happens when each block fails
3) Create a table of each failure and the corresponding impact
4) Correct the design and repeat #3 until the system no longer has unacceptable weaknesses
5) Have engineers review the design and table

120

Assessing and Analyzing Risk - Methodologies for Risk Assessment - Central Computing and Telecommunications Agency Risk Analysis and Management Method (CRAMM)

* UK originated
* Siemens has an automated tool for it
* Stages
1) Define objectives
2) Assess risk
3) Identify countermeasures

121

Assessing and Analyzing Risk - Risk Analysis Approaches - Quantitative Risk Analysis

* Asset Value (AV): Given by the Risk Assessment phase
* Exposure Factor (EF): The percentage of loss that a realized threat could have on that asset
* Single Loss Expectancy (SLE): SLE = AV * EF
* Annual Rate of Occurrence (ARO): Number of times per year that we can expect the threat to take place
* Annualized Loss Expectancy (ALE):
- ALE = SLE * ARO
- We shouldn't spend more than the ALE on protecting that asset

122

Asset Value (AV)

Given by the Risk Assessment phase

123

Exposure Factor (EF)

The percentage of loss that a realized threat could have on that asset

124

Single Loss Expectancy (SLE) - Formula

SLE = AV * EF

125

Annual Rate of Occurrence (ARO)

Number of times per year that we can expect the threat to take place

126

Annualized Loss Expectancy (ALE) - Formula

ALE = SLE * ARO

127

Assessing and Analyzing Risk - Risk Analysis Approaches - Qualitative Risk Analysis

* Various scenarios are discussed and threats and possible controls are ranked based on opinions
* Each threat is ranked
* A matrix is usually used to facilitate this discussion
- Y-Axis: Likelihood of occurrence
- X-Axis: The impact
* Delphi technique
- Each group member provides a written opinion on each threat and submits it to the risk assessment team
- The team then compiles the results and distributes them to the group, who write down comments anonymously
- The results are then compiled and redistributed until a consensus is reached

128

Delphi technique

- Each group member provides a written opinion on each threat and submits it to the risk assessment team
- The team then compiles the results and distributes them to the group, who write down comments anonymously
- The results are then compiled and redistributed until a consensus is reached

129

Assessing and Analyzing Risk - Protection Mechanisms - Value of a control

VC = ALE_before - ALE_after

130

Assessing and Analyzing Risk - Protection Mechanisms - Hidden costs

* The actual product
* Design and planning
* Implementation
* Environment modifications
* Compatibility with other controls
* Maintenance
* Testing
* Repair, replacement or upgrades
* Operating and support
* Negative impacts on productivity
* Subscription
* Time for monitoring and responding to alerts

131

Assessing and Analyzing Risk - Protection Mechanisms - List of desirable attributes for a control

* Can be installed without affecting other mechanisms
* Provides uniform protection
* Administrator can override
* Defaults to least privilege
* Ability to enable/disable as desired
* Does not distress users
* Differentiation between user and administrator roles
* Minimum human interaction
* Assets are still protected during a reset
* Easily updated
* Provide sufficient audit trail
* Not have heavy dependence on other components
* Does not introduce heavy barriers for users
* Produce human-readable output
* Easy reset to baseline configuration
* Testable
* Does not introduce compromises
* Does not impact system performance
* Does not require many exceptions across the environment
* Proper alerting
* Does not impact existing assets
* Is not highly visible

132

Assessing and Analyzing Risk - Total Risk vs. Residual Risk

* Total Risk: TR = threats x vulnerability x asset value
* Residual Risk: RR = total risk x controls gap
* You can't plug numbers into these formulas; they are conceptual
* How to deal with the risk
- Transfer the risk
- Risk avoidance
- Risk reduction
- Accept the risk

133

Total Risk

TR = threats x vulnerability x asset value

134

Residual Risk

RR = total risk x controls gap

135

How to deal with the risk

* Transfer the risk
* Risk avoidance
* Risk reduction
* Accept the risk

136

Assessing and Analyzing Risk - Outsourcing

* Not a viable option unless you can verify how the partner handles risk
* An organization can still be found liable if an outsourcing partner failed to mitigate a risk

137

Managing Risk - Risk Management Frameworks (What they do)

Allow an organization to:
1) Identify and assess risk
2) Reduce it to an acceptable level
3) Ensure the risk remains at an acceptable level

138

Managing Risk - Commonly Used RMFs

* NIST RMF (SP 800-37)
- Operates around a system life cycle
- Focuses on certification and accreditation
* ISO 31000:2009
- Acknowledges that there are things which we cannot control
- Focuses instead on managing the fallout
- It can be broadly applied to an entire organization
* ISACA Risk IT: Attempts to integrate NIST, ISO 31000 and COBIT
* COSO Enterprise Risk Management-Integrated Framework
- Generic framework
- Takes a top-down approach

139

Managing Risk - Categorize Information System

* Identification of systems, subsystems and boundaries that the organization has
* This will give you the info you need to select the controls

140

Managing Risk - Select Security Controls

* Assumptions
- Risk Assessment has been done
- Common controls across the organization have been identified
* When considering a new system
- Does the new system introduce risks specific to itself, or new risks into your architecture?
- Perform a new Risk Assessment on the new system and its effect on the larger ecosystem
- Compare results to determine whether existing controls need to be modified or new controls are needed

141

Managing Risk - Implement Security Controls

* Implementing is simple
* Documenting is important
- So everyone will understand the what, where and why of each control
- Allows the controls to be integrated into an overall assessment and monitoring plan

142

Managing Risk - Assess Security Controls

* The control must be assessed to see how effective it has been
* Should be done by individuals who did not implement the control
* Results should be added to the documentation to be referred to during the next round of assessments

143

Managing Risk - Authorize Information System

Forwarding all documentation and assessment results to the person or the group who can authorize integration of the system into the general architecture

144

Managing Risk - Monitor Security Controls

* Once the system is in general operation, it must be monitored to ensure it remains effective
* If any changes in operation or threats are detected, the system must be updated

145

Business Continuity and Disaster Recovery - Disaster recovery (DR)

Is how an organization will minimize the effects of a disaster or disruption to business and return to some level of acceptable productivity

146

Business Continuity and Disaster Recovery - Disaster Recovery Plan (DRP)

Goes into effect during the emergency

147

Business Continuity and Disaster Recovery - Continuity planning

Addresses how the organization will return to full capacity, including backup data centers, spinning up new locations for people to work, or altering processes during the interim

148

Business Continuity and Disaster Recovery - Business continuity management (BCM)

* Encompasses both DR and CP
* Must address all CIA
* Much more than buildings and hardware: People run the systems and must know them
* Example: During a disaster, you can't just leave a sensitive server sitting in an abandoned building (confidentiality), you can't assume storage media will remain safe and secure (integrity), and you have to make sure those resources are back up and running as soon as possible (availability)

149

Business Continuity and Disaster Recovery - Business Continuity Planning (BCP)

* It's the way to implement BCM
* Contains strategy documents providing detailed procedures to ensure critical functions are maintained, which minimizes loss
* The procedures cover
- Emergency responses
- Extended backup operations
- Post-disaster recovery
* Can quickly become outdated due to turnover and undocumented changes

150

Business Continuity and Disaster Recovery - Standards and Best Practices - NIST SP 800-34

1) Write the continuity planning policy statement: Write a policy and assign authority to carry out the policy tasks
2) Conduct the business impact analysis (BIA):
- Identify critical functions and systems
- Prioritize the list
3) Identify preventative controls: Select and implement controls to address the BIA
4) Create contingency strategies: Make sure systems can be brought online quickly
5) Develop an information system contingency plan: Write procedures and guidelines on how the organization will remain functional in a crippled state
6) Ensure plan testing, training and exercises
7) Ensure plan maintenance: Put in place steps to ensure the BCP is updated regularly

151

Business Continuity and Disaster Recovery - Standards and Best Practices - Other standards

* ISO 27031: Describes the concepts of information and communication technology (ICT) readiness for business continuity
* ISO 22301: The ISO standard for BCM
* Business Continuity Institute's Good Practice Guidelines (GPG)
* DRI International Institute's Professional Practices for Business Continuity Planners

152

Business Continuity and Disaster Recovery - Making BCM Part of the Enterprise Security Program

* BCM must be built upon a solid understanding of
- How the organization operates
- The organizational components that are critical to continuing its reason for being
* BCP
- Living entity that is continually revisited and updated as needed
- Should define and prioritize the organization's critical mission and business functions, and provide a sequence for recovery
- Must have management's full support

153

Business Continuity and Disaster Recovery - BCP Project Components - Business Continuity Coordinator

* Leader for the BCP team
* Will oversee the development, implementation, and testing of the business continuity and disaster recovery plans

154

Business Continuity and Disaster Recovery - BCP Project Components - BCP Committee

* Specific, qualified people
* People who are familiar with the different departments within the company
* People from at least the following departments
- Business units
- Senior management
- IT department
- Security department
- Communications department
- Legal department

155

Business Continuity and Disaster Recovery - Scope of the Project

Should it cover one or all facilities? Should it encompass large threats or smaller ones as well?
This kind of decision is for Senior Executives

156

Business Continuity and Disaster Recovery - BCP Project Components - BCP Policy - Components

* Scope
* Mission
* Principles
* Guidelines
* Standards

157

Business Continuity and Disaster Recovery - BCP Project Components - BCP Policy - Process of drawing up the policy

1. Identify and document the components of the policy
2. Identify and define policies of the organization that the BCP might affect
3. Identify pertinent legislation, laws, regulations, and standards
4. Identify "good industry practice" guidelines by consulting with industry experts
5. Perform a gap analysis. Find out where the organization currently is in terms of continuity planning, and spell out where it wants to be at the end of the BCP process
6. Compose a draft of the new policy
7. Have different departments within the organization review the draft
8. Incorporate the feedback from the departments into a revised draft
9. Get the approval of top management on the new policy
10. Publish a final draft, and distribute and publicize it throughout the organization

158

Business Continuity and Disaster Recovery - BCP Project Components - Project Management (PM)

* To ensure the BCP doesn't run out of funds
* SWOT analysis
- Strengths: Characteristics of the project team that give it an advantage over others
- Weaknesses: Characteristics that place the team at a disadvantage relative to others
- Opportunities: Elements that could contribute to the project's success
- Threats: Elements that could contribute to the project's failure

159

Business Continuity and Disaster Recovery - BCP Project Components - Business Continuity Planning Requirements

* Due Diligence
- Doing everything within one's power to prevent a disaster from happening
- Applicable to leaders
* Due Care
- Taking precautions that a reasonable and competent person would have done
- Applicable to everyone

160

Business Continuity and Disaster Recovery - BCP Project Components - Business Impact Analysis (BIA)

* Activity at the beginning of BCP where interviews are conducted and data collected to identify and classify business and individual functions
* Steps
1) Select individuals for interviewing
2) Create data-gathering techniques
3) Identify critical functions
4) Identify resources
5) Calculate how long functions can survive without resources
6) Identify vulnerabilities and threats
7) Calculate risk (risk = threat x impact x probability)
8) Document findings and report to management

161

Maximum Tolerable Downtime (MTD)

Each critical system must be examined to see how long the organization can survive without it

162

Business Continuity and Disaster Recovery - BCP Project Components - Responsibilities for BCP management

* Committing fully to the BCP
* Setting policy and goals
* Ensuring the required funds and resources are available
* Taking responsibility for the outcome of the BCP
* Appointing a team

163

Business Continuity and Disaster Recovery - BCP Project Components - BCP team's responsibilities

* Identifying legal and regulatory requirements
* Identifying vulnerabilities and threats
* Estimating threat likelihood and potential loss
* Performing a BIA
* Indicating which functions and processes must be running before others
* Identifying interdependencies
* Developing procedures and steps to resume business after a disaster
* Identifying individuals who will interact with external players

164

Executive Succession Plan

Dictates who will step in until an absent executive returns or a permanent replacement can be found

165

Personnel Security - Separation of Duties

* Process that ensures a single person cannot complete a critical task alone
* Example: Before launching a nuclear missile, two people have to insert a key. This is an example of dual control
* In businesses, usually put into place to prevent fraud in the form of split knowledge
* Example: One person can create a named user in a system (authentication), but cannot assign rights to that user (authorization). Another user must assign authorization. To create a rogue account, two employees must collude with each other, thereby reducing the likelihood of this happening

166

Personnel Security - Rotation of duties

* Administrative detective control to uncover fraudulent activities
* Goal: Move employees around so that each does not have control over the same business function for too long

167

Personnel Security - Mandatory Vacation

For employees operating in sensitive areas, it should be implemented in order to detect fraud

168

Personnel Security - Hiring practices

* Before hiring new employees: HR should always look into the individual's background for character traits
* NDAs must be signed by new employees
* Background checks
- Social security number trace
- County/state criminal history
- Federal criminal history
- Sexual offender registry check
- Employment verification
- Education verification
- Reference verification
- Immigration check
- License or certification validations
- Credit report
- Drug screening

169

Personnel Security - Termination process

* Surrender of ID badges or keys
* Escort from the premises
* Immediate disabling of user accounts or other access
* Severance package dependent upon completion of an exit interview and surrender of company property. This encourages terminated employees to comply

170

Personnel Security - Security-Awareness Training

* During the hiring process
* Attributes
- Repeats the most important messages in different formats
- Up-to-date
- Entertaining and positive
- Simple to understand
- Supported by senior management
* Audiences for this training
- Management: Short orientation that focuses on how security pertains to corporate assets and financial goals and losses
- Staff: Policies, procedures, standards and guidelines
- Technical employees: In-depth training on daily activities

171

Security Governance - Definition

Framework providing Oversight, Accountability and Compliance

172

Security Governance - Metrics

* ISO 27004: How to measure Security Program effectiveness
* NIST SP 800-55: Government's version of ISO 27004

173

Ethics - ISC2 Code of Ethics

* Protect society, the common good, necessary public trust and confidence, and the infrastructure
* Act honorably, justly, responsibly and legally
* Provide diligent and competent service to principals
* Advance and protect the profession

174

Ethics - Computer Ethics Institute

1) Thou shalt not use a computer to harm other people
2) Thou shalt not interfere with other people's computer work
3) Thou shalt not snoop around in other people's computer files
4) Thou shalt not use a computer to steal
5) Thou shalt not use a computer to bear false witness
6) Thou shalt not copy or use proprietary software for which you have not paid
7) Thou shalt not use other people's computer resources without authorization or proper compensation
8) Thou shalt not appropriate other people's intellectual output
9) Thou shalt think about the social consequences of the program you are writing or the system you are designing
10) Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans

175

Ethics - Internet Architecture Board (IAB) unethical acts

* Seeks to gain unauthorized access to the resources of the Internet
* Disrupts the intended use of the Internet
* Wastes resources (people, capacity, computer) through such actions
* Destroys the integrity of computer-based information
* Compromises the privacy of users