Domain 1

Question 1

Due Diligence (Definition)

Answer 1

Practicing the activities that maintain the due care effort

Question 2

Due care (Definition)

Answer 2

Doing what a reasonable person would do in a given situation. Sometimes called the prudent man rule

Question 3

Due Diligence

Answer 3

Research
Planning
Evaluation
Increases understanding and reduces risk
Largely done before the decision (Think before you act)
Do Detect

Question 4

Due Care

Answer 4

Implementation
Operation (upkeep)
Reasonable measures
Doing after the decision
Action speak louder than words
Do Correct

Question 5

Due diligence examples

Answer 5

Related to knowledge and research
Laws and regulations
Industry standards
Best practices

Question 6

Due care examples

Answer 6

Related to delivery or execution
Reporting security incidents
Security awareness training
Disabling access in a timely way

Question 7

Incident Management Framework

Answer 7

Detection
Response
Mitigation
Reporting
Recovery
Remediation
Lessons learned
Mnemonic DRMRRRL

Question 8

Confidentiality

Answer 8

Access controls help ensure that only authorized subjects can access objects

Question 9

Integrity

Answer 9

Ensures that data or system configurations are not modified without authorization

Question 10

Availability

Answer 10

Authorized requests for objects must be granted to subjects within a reasonable amount of time

Question 11

ISC2 Code of Ethics

Answer 11

1. Protect society the commonwealth and the infrastructure
2. Act honorably honesty justly responsibly and legally
3. Provide diligent and competent service to principals
4. Advance and protect the profession

Question 12

4 levels of security policy development

Answer 12

Security procedures- detailed step by step
Security guidelines- offer recommendations
Security baselines - define minimum levels
Acceptable use policy- assign roles and responsibilities

Question 13

Risk Categories

Answer 13

Group of potential causes of risk
Damage- result in physical loss of an asset or the inability to access the assets
Disclosure- disclosing critical information regardless of where or how it was disclosed
Losses- these might be permanent or temporary including altered data or inaccessible data

Question 14

Risk Factors

Answer 14

Something that increases risk or susceptibility
Physical damage- natural disaster power loss or vandalism
Malfunctions- failure of systems networks or peripherals
Attacks- purposeful acts whether from the inside or outside such as unauthorized disclosure
Human errors- usually considered accidental incidents whereas attacks are purposeful incidents
Application errors- Failures of the application including the operating system

Question 15

Strategic

Answer 15

Security planning type that is long term stable plan that should include a risk assessment
5 year horizon with annual updates

Question 16

Tactical

Answer 16

Security planning type that is a midterm plan developed to provide more details on goals of the strategic plan. Usually a 1 horizon

Question 17

Operational

Answer 17

Security planning type that is a short term highly detailed plan based on the strategic and tactical plans. Usually monthly or quarterly horizon

Question 18

Risk acceptance

Answer 18

A response to risk where you do nothing and you must accept the risk and potential loss if threat occurs

Question 19

Risk Mitigation

Answer 19

A response to risk where you implementing a countermeasure and accepting the residual risk

Question 20

Risk assignment

Answer 20

A response to risk where it is transfer (assign) to 3rd party like by purchasing insurance against damage

Question 21

Risk avoidance

Answer 21

A response to risk where the costs of mitigating or accepting are higher than benefits of the service

Question 22

Risk deterrence

Answer 22

Response to risk where implementing deterrents to would be violators of security and policy

Question 23

Risk Rejection

Answer 23

A response to risk that is unacceptable response to risk. Also known as ignore risk

Question 24

NIST 800-37

Answer 24

Risk management framework has 7 steps
1. Prepare to execute the RMF
2. Categorize information systems
3. Select security controls
4. Implement security controls
5. Assess the security controls
6. Authorize the system
7. Monitor security controls
Mnemonic PCSIAAM

Question 25

Operationally critical threat asset and vulnerability evaluation

Answer 25

OCTAVE is a risk management framework

Question 26

Factor analysis of information risk

Answer 26

FAIR is a risk management framework

Question 27

Threat Agent Risk Assessment

Answer 27

TARA is a risk management framework

Question 28

Residual Risk

Answer 28

Is a risk type that remains even with all conceivable safeguards in place
Risk management has chosen to accept rather than mitigate
After safeguards

Question 29

Inherent Risk

Answer 29

Newly identified risk not yet addressed with risk management strategies
The amount of risk exists in the absence of controls
Before safeguards

Question 30

Total Risk

Answer 30

The amount of risk an organization would face if no safeguards were implemented
Without safeguards

Question 31

Total risk calculation

Answer 31

Threats * Vulnerabilities * asset value = total risk

Question 32

Risk calculation

Answer 32

Risk= threat * vulnerability

Question 33

Quantitative Risk Analysis

Answer 33

Assigns a dollar value to evaluate effectiveness of countermeasures
Objective

Question 34

Quantitative risk analysis steps

Answer 34

1. Inventory assets (asset value or AV)
2. Identify threats (EF and SLE)
3. Perform a threat analysis (ARO)
4. Estimate the potential loss (ALE)
5. Research countermeasures for each threat (calculate changes to ARO and ALE)
6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset

Question 35

Qualitative risk analysis

Answer 35

Uses a scoring system to rank threats and effectiveness of countermeasures
Subjective

Question 36

Delphi Technique

Answer 36

An anonymous feedback and response process used to arrive at a consensus
An example of Qualitative Risk Analysis

Question 37

Loss potential

Answer 37

What would be lost if the threat agent is successful in exploiting a vulnerability

Question 38

Delayed loss

Answer 38

This is the amount of loss that can occur over time

Question 39

Threat Agents

Answer 39

What cause the threat by exploiting vulnerabilities

Question 40

Exposure Factor (EF)

Answer 40

Percentage of loss that an organization would experience if a specific asset were violated by a realized risk

Question 41

Single Loss Expectancy (SLE)

Answer 41

Represents the cost associated with a single realized risk against a specific asset

Question 42

Single Loss Expectancy calculation

Answer 42

SLE= Asset Value (AV) * Exposure Factor (EF)

Question 43

Annualized Rate of Occurrence (ARO)

Answer 43

The expected frequency with which a specific threat or risk will occur within a single year

Question 44

Annualized Loss Expectancy (ALE)

Answer 44

The possible yearly cost of all instances of a specific realized threat against a specific asset

Question 45

Calculation of Annualized Loss Expectancy

Answer 45

ALE=single loss expectancy (SLE) * annualized rate of occurrence (ARO)

Question 46

Safeguard Evaluation

Answer 46

Good security controls mitigate risk, are transparent to the users, difficult to bypass, and are cost effective

Question 47

Safeguard evaluation calculation

Answer 47

ALE before safeguard - ALE after safeguard - annual cost of safeguard= value of safeguard
ALE1-ALE2-ACS=value of safeguard

Question 48

Control Gap

Answer 48

The amount of risk reduced by implementing safeguards
Total risk- control gap = residual risk

Question 49

Supply chain

Answer 49

Most services are delivered through a chain of multiple entities. A secure supply chain includes vendors who are secure, reliable, trustworthy, reputable

Question 50

Supply Chain Evaluation

Answer 50

Onsite Assessment- visit, interview, and observe their operating habits
Document Exchange and Review-Investigate dataset and doc exchange review
Process/Policy Review- request copies of their security policies, processes, procedures
Third Party Audit-Having an independent auditor provide an unbiased review of an entity’s security infrastructure

Question 51

Threat Modeling

Answer 51

Can be proactive or reactive but in either case goal is to eliminate or reduce threats

Question 52

3 approaches to threat modeling

Answer 52

Focus on Assets- uses asset valuation results to identify threats to the valuable assets
Focused on Attackers- identify potential attackers and identify threats based on the attacker’s goals
Focus on Software- considers potential threats against the software the organization develops

Question 53

STRIDE

Answer 53

A threat model developed by Microsoft that focuses on software
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege

Question 54

PASTA

Answer 54

Threat model that focuses on developing countermeasures based on asset value
Stage 1- definition of objectives
Stage 2- definition of technical scope
Stage 3- app decomposition and analysis
Stage 4- Threat Analysis
Stage 5- Weakness & Vulnerability Analysis
Stage 6- Attack Modeling & Simulation
Stage 7- Risk Analysis & Management

Question 55

VAST

Answer 55

Threat model based on Agile Project Management principles. Diagrams threat from attackers perspective
Visual
Agile
Simple
Threat

Question 56

DREAD

Answer 56

Threat model that is based on the answer to 5 questions
Damage Potential
Reproducibility
Exploitability
Affected users
Discoverability

Question 57

TRIKE

Answer 57

Focused on acceptable risk therefore it is risk focus.
An open source threat modeling process that implements a requirement model. Ensures the assigned level of risk for each asset is acceptable to stakeholders

Question 58

COBIT

Answer 58

A security control framework; framework for IT management and governance framework
Principle 1: Meeting Stakeholders needs
Principle 2: Covering the Enterprise end to end
Principle 3: applying a single integrated framework
Principle 4: Enabling a holistic approach
Principle 5: separating governance from management

Question 59

Diagramming Potential Attacks

Answer 59

Determining potential attack concepts is often achieved through diagramming

Question 60

Reduction Analysis

Answer 60

Breaks a system down into its parts which makes it much easier to identify the essential components of each element and take notice of there might be vulnerabilities and likely point of attacks

Question 61

Components of Reduction Analysis Diagram

Answer 61

Trust Boundaries- any location where the level of trust or security changes
Data Flow Paths- the movement of data between locations
Input Points- location where external input is received
Privileged Operations - Any activity that requires greater privileges than of a standard user account
Details about security stance and approach- declaration of security policy, security foundations and security assumptions

Question 62

Prioritization and Response

Answer 62

Treats are ranked or rated using DREAD threat model rate high/medium/low

Question 63

Security Contols

Answer 63

Security measures for countering and minimizing loss or unavailability of services or apps due to vulnerabilities

Question 64

Safeguards

Answer 64

Are proactive

Question 65

Countermeasures

Answer 65

Are reactive

Question 66

Security Control Categories

Answer 66

Technical- aka logical, involves the hardware or software mechanisms used to manage access
Administrative- policies and procedures defined by org’s security policy, other regulations and requirements
Physical- are items you can physically touch

Question 67

Security control types

Answer 67

Deterrent- deployed to discourage violation of security policies
Preventative- deployed to thwart or stop unwanted or unauthorized activity from occurring
Detective- deployed to discover or detect unwanted or unauthorized activity
Compensating- provides options to other existing controls to aid in enforcement of security policies
Corrective- modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred
Recovery- an extension of corrective controls but have more advanced or complex abilities
Directive- direct, confine or control the action of subjects to force or encourage compliance with security policies

Question 68

Examples of control types

Answer 68

Deterrent- audit policies, security awareness training, locks, fences, security badges
Preventative- firewalls, ids, fence, gate or man trap
Detective-motion detection, cctv, cameras audit trails, honey pot, mandatory vacation, job rotation
Corrective- backup software that t automatically restores missing files
Recovery- server clustering, vm shadowing, hot site, warm site
Directive- security policy requirement, posted notifications

Question 69

Criminal Law

Answer 69

Type of law that contains prohibitions against acts such as murder, assault, robbery, and arson

Question 70

Civil law

Answer 70

Type of law that includes contract disputes real estate transactions employment estate and probate

Question 71

Administrative law

Answer 71

Type of law that government agencies have some leeway to enact administrative law

Question 72

Computer Fraud and Abuse Act

Answer 72

A law that was the first piece of US cybercrime specific legislation

Question 73

Federal Sentencing Guidelines

Answer 73

Provided punishment guidelines to help federal judges interpret computer crime laws

Question 74

Federal information security management act(FISMA)

Answer 74

Required a formal infosec operations for federal gov’t

Question 75

Copyright and the digital millennium copyright act

Answer 75

Covers literary, musical, and dramatic works

Question 76

Trademarks

Answer 76

Covers words, slogans, and logos used to identify a company and its products or services

Question 77

Patents

Answer 77

Protect the intellectual property rights of investors

Question 78

Trade Secrets

Answer 78

Intellectual property that is absolutely critical to their business and must not be disclosed

Question 79

Licensing

Answer 79

4 types you should know are contractual, shrink wrap, click through, and cloud services.

Question 80

Computer Export Controls

Answer 80

US companies can’t export to Cuba, Iran, North Korea, Sudan, and Syria

Question 81

Encryption Export Controls

Answer 81

Dept of Commerce details limitations on export of encryption products outside the US

Question 82

Privacy(US)

Answer 82

The basis for privacy rights is in the fourth amendment to the US Constitution

Question 83

Privacy(EU)

Answer 83

General Data Protection Regulation (GDPR) is not a US law but very likely to be mentioned. Applies to any company with customers in the EU!

Question 84

Health Insurance Portability and Accountability Act (HIPAA)

Answer 84

Strict privacy and security rules on handling of PHI (protected health information)

Question 85

Health Information Technology for Economic and Clinical Health(HITECH)

Answer 85

Addresses the privacy and security concerns associated with electronic transmission of health information

Question 86

Gramm-Leach Bliley Act

Answer 86

Applies to financial institutions driven by federal financial institutions

Question 87

Children’s Online Privacy Protection Act (COPPA)

Answer 87

Imposes certain requirements on operators of websites or online services directed to children under 13 years of age

Question 88

Electronic Communication Privacy Act (ECPA)

Answer 88

Protection of electronic communications against warrantless wiretapping. Weakened by patriot act

Question 89

Communications Assistance for Law Enforcement Act (CALEA)

Answer 89

Requires telecommunication carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built in capabilities for for targeted surveillance.

Question 90

Business Continuity Planning

Answer 90

Issues that pertain to information security in
1. Strategy development
2. Provisions and processes
3. Plan approval
4. Plan implementation
5. Training and education

Question 91

Security Awareness Training

Answer 91

Establish and maintain a security awareness, education, and training program
Methods and techniques to present awareness and training
Periodic content reviews
Program effectiveness evaluation