CISSP-Security and Risk Management-Domain 1 Flashcards

(110 cards)

1
Q

What does SPOF stand for?

A

Single Point Of Failure

2
Q

What does the acronym SOX stand for?

A

Sarbanes-Oxley Act of 2002

3
Q

What is Due Care?

A

Due Care is the care a reasonable person would exercise under given circumstances.

4
Q

What is CSMA/CA

A

Carrier Sense Multiple Access with Collision Avoidance

Uses acknowledgements; if no acknowledgement is received, the information is sent again.

5
Q

Definition of Security Analyst

A

Works at a high level of security, helping to develop policies and standards.

6
Q

Definition of Data Owner

A

Usually a member of management who is ultimately responsible for the protection and use of a specific subset of information.

7
Q

ISO/IEC 27799 is for?

A

Health Informatics - Information Security Management in Health

8
Q

ISO/IEC 27004 is for?

A

Guideline for information security management measurement and metrics framework

9
Q

What Protocol uses Port 80?

A

HTTP

10
Q

Describe ISO 31000 - Risk Management

A

ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization.

11
Q

What does MTD stand for?

A

Maximum Tolerable Downtime

12
Q

What are the 8 CISSP domains?

A
Security and Risk Management
Asset Security
Security Engineering
Communications and Network Security
Identity and Access Management
Security Assessment and Testing
Security Operations
Software Development Security
13
Q

What are the OSI layers?

A
Physical
Data
Network
Transport
Session
Presentation
Application
14
Q

LANs, WANs, MANs, GANs, PANs

A
Local Area Network
Wide Area Network
Metropolitan Area Network
Global Area Network
Personal Area Network
15
Q

What Protocol uses Port 110?

A

POPv3

16
Q

Definition of Data Custodian

A

Responsible for maintaining and protecting the data.

17
Q

What is COBIT?

A

Set of control objectives for IT management.

Control Objectives for Information and related Technology

18
Q

What does the acronym ISMS stand for?

A

Information Security Management System

19
Q

What is Due Diligence?

A

Due Diligence is a preemptive measure made to avoid harm to other persons or their property.

20
Q

What layer is IP on?

A

Layer 3

21
Q

What Protocol uses Port 53?

A

DNS UDP and TCP

22
Q

What does BIA stand for?

A

Business Impact Analysis

23
Q

Definition of a Control

A

A Safeguard that is put in place to reduce a risk, also called a countermeasure.

24
Q

What does the acronym FMEA stand for?

A

Failure Mode and Effect Analysis

25
What Protocol uses Port 443?
HTTPS
26
What Protocol uses Port 143?
IMAP
27
ISO/IEC 27002 is for?
Code of practice for information security management
28
What is Fullduplex
Sends and receives communications simultaneously
29
What is ARP
Address Resolution Protocol | Used to translate layer 2 MAC addresses to layer 3 IP Addresses. Used to find the MAC address
30
Analog vs Digital definition
Analog communications are a continuous wave of information. Digital communications are on and off (true and false, 1s and 0s)
31
What is the Delphi Technique
A group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be.
32
What does the acronym MODAF stand for?
British Ministry of Defence Architecture Framework
33
For door security, fail-secure defaults to? | Unlocked or Locked
Locked
34
What is SOMAP?
SOMAP is a Swiss nonprofit organization whose goal is to run an open information security management project and maintain free and open tools and documents under the GNU license
35
What layer is TCP and UDP on?
Layer 4
36
What is RARP
Reverse Address Resolution Protocol | Used to translate layer 3 IP addresses to layer 2 MAC addresses. Used to find the IP Address
37
What is the difference between tangible and intangible assets?
Tangible assets have a physical presence. | Intangible assets do not have a physical presence.
38
What is CSMA/CD
Carrier Sense Multiple Access with Collision Detection | Waits until the network is idle before transmitting
39
Definition of Vulnerability
A lack of a countermeasure or weakness in a countermeasure that is in place.
40
What is the definition of Half-duplex
Sends and receives communication, one way at a time (not simultaneously)
41
Circuit Switch Network vs Packet Switch Network
Circuit switched networks hold a dedicated circuit up until the communication is over. Packet switched networks break communications down into packets and send them over many circuits.
42
What equation do you use to get Single Loss Exposure?
Asset Value x Exposure Factor (EF)
43
What are the three types of Network Address Translation
Static NAT: one to one
Pool NAT: reserved and assigned as needed
Port Address Translation: one to many private IP addresses, uses port numbers
44
Single Loss Exposure (SLE) x Annualized Rate of Occurrence = ?
Annual Loss Expectancy
45
What does RPO stand for?
Recovery Point Objectives
46
What is RFC 1918?
Used for internal traffic that does not route across the Internet. Private IP addresses: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
47
What does the acronym OCTAVE stand for?
Operationally Critical Threat, Asset, and Vulnerability Evaluation.
48
Example of Protocol Data Units (PDUs) encapsulation
Data, Segments, Packets, Frames, Bits
Bits are Layer One
Frames are Layer Two
Packets are Layer Three
Segments and Data are Layer Four
49
What is SABSA?
Model and Methodology for development of information security enterprise architectures.
50
ISO/IEC 27006 is for?
Guidance for bodies providing audit and certification of information security management systems
51
What are the 3 types of controls
Administrative
Physical
Logical/Technical
52
For door security, fail-secure means?
To default the locking mechanism during a failure in a way to keep information secure.
53
Baseband Networks vs Broadband Networks
Baseband networks have one channel (Ethernet). Broadband networks have multiple channels and can send multiple signals at a time (cable TV)
54
ISO/IEC 27000 Series was formerly
British Standard 7799 (BS7799)
55
What Protocol uses Port 21?
FTP Control
56
Describe NIST Risk Management Framework
The NIST Risk Management Framework is a methodology for implementing risk management at the information systems tier.
57
What Protocol uses Port 25?
SMTP
58
What are the three functional types of policies?
Regulatory
Advisory
Informative
59
What does the acronym FRAP stand for?
Facilitated Risk Analysis Process
60
ISO/IEC 27005 is for?
Guideline for information security risk management
61
Definition of an Enterprise Security Architecture
A subset of an enterprise architecture that defines the information security strategy, consisting of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally.
62
What is Six Sigma?
Business Management strategy that can be used to carry out process improvement
63
What equation do you use to get Annual Loss Expectancy?
Single Loss Exposure (SLE) x Annualized Rate of Occurrence
64
What is CMMI?
Organizational development for process improvement. | Capability Maturity Model Integration.
65
What does RTO stand for?
Recovery Time Objective
66
What is COSO?
Set of internal corporate controls to help reduce the risk of financial fraud. Committee of Sponsoring Organizations of the Treadway Commission
67
What are COBIT's four domains?
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
68
What are the 4 main goals of a Risk Analysis
Identify assets and their value to the organization.
Identify vulnerabilities and threats.
Quantify the probability and business impact of those potential threats.
Provide an economic balance between the impact of the threat and the cost of the countermeasure.
69
What Protocol uses Port 23?
Telnet
70
For door security, fail-safe defaults to? | Unlocked or Locked
Unlocked
71
The SOX Act is based upon what framework model?
COSO
72
Definition of an Exposure
An instance of being exposed to losses.
73
Describe the Facilitated Risk Analysis Process (FRAP).
A qualitative methodology that focuses only on the systems that need assessing, to reduce the cost and time obligations of the risk assessment. It is used to analyze one system, application or business process at a time. Does not use exploitation values such as annual loss expectancy. The experience of the risk assessors is used to determine the criticality of risks. Very narrow scope.
74
What is the difference between qualitative and quantitative assessments?
A qualitative assessment uses descriptive results. | A quantitative assessment uses measurable results.
75
A Fault Tree Analysis identifies failures that take place within more complex environments and systems, compared with Failure Mode and Effect Analysis (FMEA). True or False
TRUE
76
Describe the risk analysis process of Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE).
People inside the organization have the power to address risks by going through rounds of facilitated workshops. Very wide scope. OCTAVE assesses all systems, applications, and business processes.
77
What does the acronym SOMAP stand for?
Security Officers Management and Analysis Project
78
ISO/IEC 27003 is for?
Guideline for ISMS implementation
79
Threat x Vulnerability x Asset Value = ?
Total Risk
80
What is the definition of Simplex
One way communication
81
What Protocol uses Port 20?
FTP Data
82
Definition of a Risk
The likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.
83
Describe Failure Mode and Effect Analysis (FMEA)
A method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
84
Describe Central Computing and Telecommunications Agency Risk Analysis and Management Method (CRAMM)
Developed by the United Kingdom; tools sold by Siemens.
Works in three distinct stages:
Define Objectives
Assess Risks
Identify Countermeasures
85
What does the acronym CMMI stand for?
Capability Maturity Model Integration
86
(Threat x Vulnerability x Asset Value) x control gaps = ?
Residual Risk
87
What does the acronym CRAMM stand for?
Central Computing and Telecommunications Agency Risk Analysis and Management Method.
88
What Protocol uses Port 67 and 68?
DHCP: port 67 for servers and port 68 for clients
89
Describe Risk IT Framework - ISACA
The Risk IT Framework fills the gap between generic risk management frameworks and detailed IT risk management frameworks.
90
The byproduct of likelihood and impact of an exploit is? | Likelihood x impact = ?
Risk
91
Definition of Threat
Any potential danger that is associated with the exploitation of a vulnerability.
92
What Protocol uses Port 69?
TFTP
93
What does the acronym OSI stand for?
Open Systems Interconnection
94
What does the acronym COSO stand for?
Committee of Sponsoring Organizations
95
What Protocol uses Port 22?
SSH
96
Describe Enterprise Risk Management - Integrated Framework -- COSO
Enterprise Risk Management - Integrated Framework defines essential Enterprise Risk Management (ERM) components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management.
97
The ISO/IEC 27000 Series is used for?
Security Program Development
98
What are the two types of errors QA/QC mechanisms prevent?
Errors of Commission, which include those caused by data entry. Errors of Omission, which include insufficient documentation of legitimate data.
99
What are the 7 functions of controls
Directive
Deterrent
Preventive
Detective
Corrective
Recovery
Compensating
100
Asset Value x Exposure Factor (EF) = ?
Single Loss Exposure (SLE)
101
What is the difference between strategic and tactical planning?
Strategic planning is aligning strategic business and information technology goals. Tactical planning is providing the broad initiatives to support and achieve the goals specified in the strategic plan.
102
What does the acronym CISSP stand for?
Certified Information Systems Security Professional
103
Definition of System Owner
Responsible for one or more systems, each of which may hold and process data owned by different data owners.
104
What does the acronym ITIL stand for?
Information Technology Infrastructure Library
105
ISO/IEC 27001 is for?
ISMS Requirements
106
What is ITIL?
Processes to allow for IT Service management.
107
What are the four basic ways risk can be handled?
Transfer
Avoidance
Mitigate
Accept
108
Total Risk - Countermeasures = ?
Residual Risk
109
Threat Agent
An entity that can exploit a vulnerability
110
What are the 8 interrelated components of Enterprise Risk Management?
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring