Domain 1 - Security and Risk Management

Question 1

Annualized Loss Expectancy, ALE

Answer 1

SLE x ARO, single loss expectancy x annual rate of occurence

Question 2

Define Privacy

Answer 2

Confidentiality of Personal information, Personally identifiable information, PII

Question 3

PII

Answer 3

Personally identifiable information

Question 4

Procurement

Answer 4

Process of aquiring product from 3rd party. Security peeps should be involved early.

Question 5

Vendor Governance, AKA Vendor managment

Answer 5

Ensures the organization is getting consistently good quality from the vendor

Question 6

Acquisitions

Answer 6

a. Risk assessment should be conducted on the purchased company before merging networks.

Question 7

Divesture

Answer 7

Splitting up one existing business into many. Very complex in terms of determining risk and ensuring security.

Question 8

IAAA

Answer 8

Identity, Authentication, Authorization, Auditing

Question 9

Information Security Governance

Answer 9

IS at the organizational level, senior management, policies, and processes, and staffing. Organizational priority as defined by leadership.

Question 10

Policies

Answer 10

Describe the ‘why’ and the ‘when’ of an action.

High level mgmt directives. This is MANDATORY

Question 11

Example Policies

Answer 11

NIST - 800-12

Question 12

Procedures

Answer 12

step by step guide for accomplishing a task. Low level and specific. MANDATORY.

Question 13

Standards

Answer 13

Describe the specific use of a technology. Example “All employess will use an Asus brand XYZ model PC,” or “All PCs will use Microsoft Office version ABC”

MANDATORY

Question 14

Guidelines

Answer 14

Discretionary, NOT mandatory. Soft recommendations. i.e. “To create a strong password take the first letter of a sentance, and mix in some numbers and symbols.”

The Standard version of this would be - “All passwords must be at least 10 characters long, with upper case letters, lower case letters, numbers, and special characters.” The guideline example above is just suggesting an easy way to meet this standard, and also remember a password.

Question 15

Baselines

Answer 15

Discretionary, NOT mandatory.

Uniform way of implementing a standard.

Example.

Standard = harden the system for security
Baseline = harden the system by applying hte Cneter for Internet Security Linux Benchmarks.

Question 16

Security Awareness

Answer 16

Awareness changes user behavior, to increase security.

Question 17

security training

Answer 17

Provides a skillset to increase security.

Question 18

Employee termination

Answer 18

firing an employee after a ladder of discipline has been exhasted.

Question 19

Ladder of discipline

Answer 19

1. coaching
2. formal discusison
3. verbal warning meeting w/ HR
4. written warning w/ HR
5. termination

Question 20

Vendor, consultant, and contractor security

Answer 20

Vendors/contractors/consultants can introuduce more risk. Should be vetted/risk managed in a simliar way to an acquisition or new hire.

Question 21

outsourcing/offshoring

Answer 21

thorough and accurate risk analysis must be performed. Again in a similar way to acquisition, vendors, contractors, etc.

Question 22

Preventive access control

Answer 22

i. Prevent an action from occurring
ii. Examples
1. Limited priveleges of employees
2. Admin preventive control = background checks, drug screening

Question 23

Detective Access Control

Answer 23

i. Alert someone during or after an attack
1. Intrusion detection system
2. Camera system
3. Door alarms

Question 24

Corrective AC

Answer 24

i. Corrects a damaged system

1. Antivirus system that detects and quarantines bad files or deletes them

Question 25

Recovery Access control

Answer 25

Restores functionality of system and organization. - snapshots - backups - restoring files

Question 26

Deterrent Access control

Answer 26

Scares threat actors away - guard - dog

Question 27

Compensating Access control

Answer 27

Compensates for a weakness in another control

Question 28

AC Type: Admin

Answer 28

AKA directive. implemented by creating and following organizational policy, procedrue. etc

Question 29

Technical Controls

Answer 29

Software, hardware, firmware, that restricts logical access

Question 30

Physical control

Answer 30

lock, fence, guard, dog, etc

Question 31

Asset

Answer 31

valuable resource to protect.

Question 32

Threat

Answer 32

potentially harmful occurence.

Question 33

vulnerability

Answer 33

weakness that allows a threat to take place and/or cause harm.

Question 34

Risk Formulas

Answer 34

threat x vulnerability = or Threat x vulnerability x impact =risk

Question 35

AV

Answer 35

asset value

Question 36

ARO

Answer 36

Annual rate of occurence

Question 37

SLE

Answer 37

single loss expectancy

Question 38

ALE

Answer 38

Annual loss expectancy

Question 39

ALE =

Answer 39

SLE x ARO

Question 40

market approach

Answer 40

way to value a tangible asset. Price = price of comparable assets in transactions under similar circumstances

Question 41

income approach

Answer 41

value of earning capacity over life of the asset

Question 42

cost approach

Answer 42

fair value = cost to replace. tangible asset

Question 43

EF

Answer 43

exposure factor. percentage of asset lost due to an incident.

Question 44

TCO

Answer 44

total cost of ownership. cost of a mitigating safeguard. combines upfront costs plus annual cost of maintenance.

Question 45

ROI

Answer 45

return on investment. | If TCO is less than ALO your are saving

Question 46

metrics

Answer 46

measurements used in risk analysis

Question 47

Risk Choices (AMTA)

Answer 47

Accept the risk Mitigate the risk Transfer the risk (insurance) Avoid Risk

Question 48

Quantitative risk analysis

Answer 48

Calulated, cost analysis

Question 49

Qualitative risk analysis

Answer 49

comparative/relative. Risk matrix

Question 50

RPO

Answer 50

Recovery Point Objective. the maximum targeted period in which data can be lost without severely impacting the recovery of operations For example, if a business process could not lose more than one day's worth of data, then the RPO for that information would be 24 hours.

Question 51

RTO

Answer 51

recovery time objective | planned earliest possible recovery time.

Question 52

MTD

Answer 52

Maximum Tolerable Downtime (MTD) Maximum tolerable downtime, also sometimes referred to as Maximum Allowable Downtime (MAD), represents the total amount of downtime that can occur without causing significant harm to the organization's mission.

Question 53

Internet Activities Boards code of ethics IAB

Answer 53

RFC 1087 - quick 5 point description of unethical behavior on the internet.

Question 54

Six access Control Types

Answer 54

``` Preventive Detective Corrective Recovery Deterrent Compensating ```

Question 55

Three Access Control Categories - Commercial

Answer 55

Administrative Technical Physical

Question 56

Categories of Computer Crime

Answer 56

``` Military/Inteligence attacks Business Attacks Financial attacks terrorist attacks Grudge attacks Thrill attacks Hacktivist Attacks ```

Question 57

Shoulder Surfing

Answer 57

Viewing another persons monitor or keyboard

Question 58

data diddling

Answer 58

making small incremental changes to files that go un-noticed in the short term.

Question 59

Fault

Answer 59

Momentary loss of power

Question 60

Blackout

Answer 60

complete loss of power

Question 61

sag

Answer 61

momentary low voltage

Question 62

brownout

Answer 62

prolonged low voltage

Question 63

spike

Answer 63

momentary high voltate

Question 64

surge

Answer 64

prolonged high voltage

Question 65

Inrush

Answer 65

Initial surge of power associated with connecting to a power source

Question 66

ground

Answer 66

Ground wire

Question 67

Electronic vaulting

Answer 67

transfer of backup data to an off-site location. This is primarily a batch process of dumping backup data through communications lines

Question 68

remote journaling

Answer 68

arallel processing of transactions to an alternate site

Question 69

Database shadowing

Answer 69

Similar to remote journaling, but creates even more redundancy by duplicating the database sets to multiple servers

Question 70

Data Clustering

Answer 70

In clustering, two or more “partners” are joined into the cluster and may all provide service at the same time.

Question 71

Industrial IP

Answer 71

Intellectual property pertaining to busines. Patents, trademarks, industrial designs, geographical indications of source

Question 72

Copyright

Answer 72

Literary works, artistic works.

Question 73

Digital signature

Answer 73

Encrypted message digest used to verify a message hasn't been altered.

Question 74

Three Access Control Categories - Govt

Answer 74

Management Technical Operational

Question 75

Threat Analysis

Answer 75

Proactively monitoring and analyzing new threats, and how they can endanger your network.

Question 76

Threat

Answer 76

Person or event that has the potential for impacting a resource in a negative manner.

Question 77

Vulnerability

Answer 77

quality of a resource that allows a threat to be realized.

Question 78

Warm Site

Answer 78

Between a hot and cold site. Typically dont' have copies of data but do have necessary equipment. Activation is less than 12 hours.

Question 79

Cold Site

Answer 79

Standby facilities large enough to handle processing load of an org, and equipped with necessary electrical/environmental systems. Large lag time between outage and spinning up, often weeks.

Question 80

Hot site.

Answer 80

Backup facility is maintained and in constant working order. Less than an hour or two to full functionality.

Question 81

ISC2 Code of Ethics - Canon 1

Answer 81

Protect Society, The Commonwealth, and the infrastructure

Question 82

ISC2 Code of Ethics - Canon

Answer 82

Act honorably, honestly, justly, responsibly, and legally

Question 83

ISC2 Code of Ethics - Canon 3

Answer 83

Provide diligent and competent service to principals.

Question 84

ISC2 Code of Ethics - Canon 4

Answer 84

Advance and protect the profession.

Question 85

ISC2 Code of Ethics - Preamble Statement 1

Answer 85

Safety and welfare of society/common good, principles, and each other requires we adhere to high ethical standards

Question 86

ISC2 Code of Ethics - Preamble Statement 2

Answer 86

Strict adherence to this code is a condition of certification.