Domain 1: Security and Risk Management Flashcards

1
Q

IAAAA

A
  • Identification
  • Authentication
  • Authorization
  • Accountability
  • Auditing
2
Q

The ISC2 Code of Professional Ethics
Canons:

A

PAPA
-Protect society, the common good, necessary public trust and confidence, and the infrastructure
-Act honorably, honestly, justly, responsibly, and legally
-Provide diligent and competent service to principals
-Advance and protect the profession

3
Q

The ISC2 Code of Professional Ethics Preamble

A

The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code of Ethics is a condition of certification.

4
Q

CIA Triad

A

Confidentiality
Integrity
Availability

5
Q

Confidentiality

A

Only authorized subjects should access and read information.

The opposite is disclosure, and the risk to manage is unauthorized disclosure.

6
Q

Integrity

A

Ensuring that information is accurate and complete; only authorized subjects should be able to access and change information.

The opposite is alteration, and the risk to manage is unauthorized alteration.

7
Q

Availability

A

Information should be available to authorized users when it’s wanted/needed.

The opposite is destruction, and the risk to manage is unauthorized destruction.

8
Q

Accountability

A

Actions of an entity may be traced uniquely to that entity.
NIST 800-33

9
Q

Assurance

A

Security measures work as intended
NIST 800-33

10
Q

Authenticity

A

The proper attribution of the person who created the information
(Parkerian Hexad)

11
Q

Utility

A

The usefulness of the information
(Parkerian Hexad)

12
Q

Possession or Control

A

The physical state where the information is maintained
(Parkerian Hexad)

13
Q

M&A Risks

A

Not knowing what you are acquiring, “buying a breach”, introduction of new attack vectors, disgruntled employees, etc.

14
Q

Security Governance

A

Set of responsibilities, policies, and procedures related to defining, managing, and overseeing security practices at an organization.

15
Q

Applying security governance principles

A

• Aligning information security with the company’s business strategy, goals, mission, and objectives.
• Defining and managing organizational processes to involve information security (e.g., acquisitions, divestitures, and governance committees)
• Developing roles and responsibilities throughout the organization.
• Identifying one or more security control frameworks to align the organization with (the book says so anyway).
• Practice due diligence and due care always.

16
Q

Security Control Frameworks

A

• ISO/IEC 27001
• NIST 800-53
• NIST Cybersecurity Framework (CSF)
• CIS Critical Security Controls v7.1

17
Q

ISO/IEC 27001 - 14 Domains

A

• Information security policies
• Organization of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development, and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance

18
Q

NIST 800-53 18 Control Families

A

• Access control (AC)
• Awareness and training (AT)
• Audit and accountability (AU)
• Security assessment and authorization (CA)
• Configuration management (CM)
• Contingency planning (CP)
• Identification and authentication (IA)
• Incident response (IR)
• Maintenance (MA)
• Media protection (MP)
• Physical and environmental protection (PE)
• Planning (PL)
• Personnel security (PS)
• Risk assessment (RA)
• System and services acquisition (SA)
• System and communications protection (SC)
• System and information integrity (SI)
• Program management (PM)

19
Q

NIST Cybersecurity Framework (CSF) – 5 Core Functions

A
  • Identify (ID): Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
  • Protect (PR): Develop and implement appropriate safeguards to ensure delivery of critical services.
  • Detect (DE): Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond (RS): Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
  • Recover (RC): Develop and implement appropriate activities to maintain plans for resilience and restore any capabilities or services that were impaired due to a cybersecurity incident.
20
Q

CIS Critical Security Controls v7.1 (20 Controls)

A

CIS Control 1: Inventory and Control of Hardware Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Continuous Vulnerability Management
CIS Control 4: Controlled Use of Administrative Privileges
CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
CIS Control 7: Email and Web Browser Protections
CIS Control 8: Malware Defenses
CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
CIS Control 10: Data Recovery Capabilities
CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
CIS Control 12: Boundary Defense
CIS Control 13: Data Protection
CIS Control 14: Controlled Access Based on the Need to Know
CIS Control 15: Wireless Access Control
CIS Control 16: Account Monitoring and Control
CIS Control 17: Implement a Security Awareness and Training Program
CIS Control 18: Application Software Security
CIS Control 19: Incident Response and Management
CIS Control 20: Penetration Tests and Red Team Exercises

21
Q

Due Care

A

Refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account.

Regarding information security, due care relates to the conduct that a reasonable person would exercise to maintain the confidentiality, integrity, and availability.

22
Q

Due Diligence

A

Continually ensuring that behavior maintains due care.

In relation to information security, due diligence relates to the ongoing actions that an organization and its personnel conduct to ensure organizational assets are reasonably protected.

23
Q

U.S. Computer Security Act of 1987

A
  • Objective of improving the security and privacy of sensitive information stored on U.S. federal government computers.
  • Establishes that the National Institute of Standards and Technology (NIST) is responsible for setting computer security standards for unclassified, nonmilitary government computer systems.
  • Establishes that the National Security Agency (NSA) is responsible for setting security guidance for classified government and military systems and applications.
24
Q

U.S. Federal Information Security Management Act (FISMA) of 2002

A
  • Repeals the U.S. Computer Security Act of 1987
  • Requires all government agencies and information service providers to conduct risk-based security assessments that align with the NIST Risk Management Framework (RMF).
25
Q

U.S. Sarbanes–Oxley Act of 2002 (SOX)

A
  • Companies must implement a wide range of controls intended to minimize conflicts of interest, provide investors with appropriate risk information, place civil and criminal penalties on executives for providing false financial disclosures, and provide protections for whistleblowers.
  • Public Company Accounting Oversight Board (PCAOB) was established as a nonprofit organization responsible for overseeing the implementation of SOX.
    o PCAOB’s “Auditing Standards” identify the role that information systems play in maintaining financial records and require auditors to assess the use of IT as it relates to maintaining and preparing financial statements.
26
Q

System and Organization Controls (SOC)

A
  • Three types of SOC audits and reports, SOC 1, SOC 2, and SOC 3.
  • Audit and report types align with standards outlined in Statement on Standards for Attestation Engagements (SSAE) 18, published by the American Institute of Certified Public Accountants (AICPA) in 2017 (with amendments made via SSAE 20 in 2019).
27
Q

SOC 1

A

Audit and compliance report focusing strictly on financial statements and controls that can impact financial statements.

28
Q

SOC 2

A

Audit and compliance report that evaluates an organization based on AICPA’s five “Trust Services principles”: privacy, security, availability, processing integrity, and confidentiality.

29
Q

SOC 3

A

This is a “lite” version of a SOC 2 report and abstracts or removes all sensitive details. The report generally indicates whether an organization has demonstrated each of the five Trust Services principles without disclosing specifics.

30
Q

STRIDE

A

Risk Framework
- Spoofing: Malicious party assumes the identity of an authorized party.
- Tampering: Maliciously altering data (compromises integrity).
- Repudiation: A malicious actor's ability to deny having performed an action.
- Information Disclosure: Sharing information with an unauthorized party.
- Denial of Service: Denying access to resources for legitimate users.
- Elevation of Privilege: Upgrading an unprivileged user to a privileged user.

31
Q

PASTA (7 Steps)

A

The Process for Attack Simulation and Threat Analysis - Seven Stages:
1 - Define Objectives
2 - Define Technical Scope
3 - Application Decomposition
4 - Threat Analysis
5 - Vulnerability Analysis
6 - Attack Enumeration
7 - Risk and Impact Analysis

32
Q

NIST 800-154
Guide to Data-Centric System Threat Modeling

A

Guide to Data-Centric System Threat Modeling:
1 - Identify and characterize the system and data of interest
2 - Identify and select the attack vectors to be included in the model.
3 - Characterize the security controls for mitigating the attack vectors.
4 - Analyze the threat model.

33
Q

DREAD

A

Quantitative Risk Rating
- Damage
- Reproducibility
- Exploitability
- Affected users
- Discoverability