Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CISSP - 2020 > Domain 1 - Security and Risk management > Flashcards

Domain 1 - Security and Risk management Flashcards

Domain one of CISSP

1
Q

What are some of the controls to provide confidentiality?

A

Confidentiality refers to ensuring that information is only disclosed and accessilble to authorised individuals.

Controls to achieve:

  • Strict access control
  • Encrypt data at rest (Whole disk, database)
  • Encryption of data in transit (IPSec, SSH and etc)
  • Training users on proper data protection methods
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are some of the controls to provide integrity?

A

Integrity serves to ensure only authorised individuals are permitted to make changes to data.

Issues arise from: Intentional alteration, user error, software or hardware error, acts of nature.

Controls:

  • Hashing, Non-repudiation/Digital Signatures
  • IDS
  • Access control
  • Change management/ Configuration management
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What are some of the controls to provide availability?

A

Availability ensures reliable and timely access to data and resources for authorised users.

Common threats: Malicious attackers, Component failures, application failures, utility failures.

Controls:

  • Redundant components. i.e power, RAID
  • High Availability
  • Fault tolerence
  • Patching of OS/Application vulnerabilities and flaws
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is the relationship between vulnerability, threat, risk, exposure and control?

A
  • Vulnerability is a weakness in a system that allows a particular threat to comprimise security
  • Threat is the potential danger associated with the exploitation of a vulnerability.
  • Risk is the likelihood and the corresponding impact.that a threat source exploiting a vulnerabilty.
  • Control is a countermeasure put into place to mitigate or reduce the potential risk.
  • Exposure is an instance of being exposed to losses from exploitation.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What are the three types of controls?

A
  • Administrative: Soft or management controls
    • Security documentation, Data classification and labeling, backgroud checks.
  • Technical controls: Software or hardware components
    • Firewall, IDS, encryption
  • Physical control: Protect facilities, personel, and resources.
    • security guards, locks, fences
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are the six functions of controls?

A
  • Preventative: Avoid an incident from occuring. e.g. locks, encryption
  • Detective: Identifies an incident occuring, e.g IDS, cameras
  • Corrective: Fixes components or systems after an incident. e.g server images
  • Deterrent: Intended to discourage attackers e.g. fences, login banner
  • Recovery: Bring the environment back up. e.g. offsite faciilty, backups
  • Compensating: Alternative measure of control
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What are the principles of COBIT?

A
  • Security controls framework.
  • Framework for governance and management developed by ISACA
  • Five key principles:
    • Meeting Stakeholder needs
    • Covering the enterprise end to end
    • Applying a single integrated framework
    • Enabling a holistic approach
    • Seperating governance from management
  • Ultimately linked to the stakeholders through a series of transforms or cascading goals.
  • Specifies 17 enterprise and 17 IT related goals - remove guesswork
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What are the principles of NIST SP 800-53?

A
  • Security controls framework.
  • Used in the government (US) sector, Cobit commerical sector
  • Outlines the controls that agencies need to be compliant with FISMA.
  • Control categories to protect CIA include:
    • Management
    • Operational
    • Technical
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is enterprise architecture?

A
  • Conceptual construct to help individuals understand an organisation in digestable chunks.
  • When developing an architecture, stakeholders need to be identified, and then “views” need to be developed to provide the information specific to the perspective of the stakeholder.
  • Allows both business and technology people to view the same organisation in ways that make sense, reducing confusion, and optimise business functionality.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

How does the Zachman Architecture framework work?

A
  • Enterprise Architecture
  • Two dimensional model that uses 6 communication interrogatives (What, How, Where, Who, When and Why?) intersecting with different perspectives (executives, developers) to give holistic view.
  • Each row should describe the enterprise completely from that perspective.
  • Not Security focused.
  • Understand an enterprise in a modular fashion
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What are the principles of the TOGAF framework?

A
  • Enterprise Architecture model
  • Used to develop the following architectures:
    • Business
    • Data
    • Applications
    • Technology
  • Uses the Architecture Development Method (ADM), which is an iterative and cyclic process that allows requirements to be reviewed and architectures to be updated.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What are the principles of the DoDAF/MODAF framework?

A
  • Enterprise Architecture framework
  • Focus on the command, control, communications, surveillance, reconnaissance systems.
  • Different types of devices need to communicate using the same protocol and be interoperable with software components but also use the same data elements.
  • MODAF developed by the British MOD, another Enterprise architecutre, based on the DODAF
  • Get data in the right format to the right people as soon as possible enable
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

How does Enterprise Security Architecture work?

A
  • Ensure security is aligned with business practices in a cost effective manner.
  • Define security strategy in layers of solutions, and processes across and enterprise strategically, tactically, and operationally.
  • Goal is to integrate technology-oriented and business centric security process by linking the administrative, technical and physical controls and integrate these processes into the IT infrastructure, business processes and the organisation culture.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

How does SABSA work?

A
  • Enterprise Security Architecure
  • Layered framework, 1st layer defining business requirements from a security perspective. Each layer decreases in abstraction and increases in detail and moves from policy to implementation.
  • Has a lifecycle model of improvement focusing on:
    • Strategic Alignment: Legal requirements met.
    • Business enablement: core business processes are integrated into security operating model.
    • Process enhancement: allow for process management to be redefined and calibrated.
    • Security Effectiveness: determine how security solutions are performing.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What are the principles of COSO?

A
  • Controls Framework
  • COBIT was derived from COSO
  • Identifies 17 control principles grouped into five components:
    • Control environment
    • Risk Assessment
    • Control activies
    • Information and communication
    • Monitoring activies
  • COSO IC is a model for corporate governmance, COBIT for IT governance
  • COSO deals at the strategic level, while COBIT is operational.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What are the principles of ITIL?

A
  • Process management framework.
  • De facto standard of best practices for IT Service management.
  • Provides the goals, the general activies necessary to achieve the goals, as well as the input and output values for each process required to meet these goals.
  • Focus is toward internal SLAs between the IT department and the customers it serves.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What are the principles of Six Sigma?

A
  • Process management framework.
  • Improves process quality by using statiscal methods of measuring operation efficiency and reducing variation, defects and waste.
  • Used to measure the success factos of different controls and procedures.
  • Maturity of a process is described by a sigma rating, indicating the percentage of defects.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What are the principles of CMMI?

A
  • Process management standard
  • Determine the maturity of an organisations processes
  • Used within organisations to help lay out a pathway of how to make incremental improvements.
  • There are 5 levels of maturity ranging from 0 - Nonexistent management, to level 5, optimised process.
  • Each level represents an evolutionary stage.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What is the best approach to building a Security Program?

A
  • Must be Top down approach - initation, support and direction comes from top management.
  • Must utilise a cyclic that is always evaluated and improved, using:
    • Plan & Organise (Develop threat profile, architectures)
    • Implement (Assign roles, implement blueprints)
    • Operate & maintain (audits, execute tasks per blueprints, SLA)
    • Monitor &evaluate (Review SLAs, audits, develop improvement steps
  • 27000 series is like the description of a house, architecture is the layout of the house, blue prints are like security and electrical systems, and controls are the buildinng specifications and codes.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What are the three categorises of computer crime?

A
  1. Computer assisted crime: where the computer was used as a tool to conduct the crime. eg attacking financial systems to steal funds or IP
  2. Computer targeted crime: where the computer was the victim of the crime. eg DDOS, capturing passwords, malware
  3. Computer is incidental: where a computer just happened to be involved when a crime was carried out. e.g child porn.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What are the types of legal systems?

A
  • Civil
    • Used mainly in continental Europen countries
    • rule based law and not precedent-based
    • most widespread legal system
  • Common law:
    • Based on previous interpretations of the law
    • consists of higher court, many intermediate, and many local courts. Precedent flows down this system.
    • Broken down into criminal, civil and administrative
  • Customary law:
    • Mainly with personal conduct and patterns of behaviour
    • used in regions of the world with mixed legal system (China, India)
  • Religious law:
    • Based on religious interpretation
    • Cover all aspects of human life including religious duties
  • Mixed law system:
    • Combination of two or more legal systems.
    • Most common is civil and common law, like Canada, holland
22
Q

What has the Organisation for Economic Coperation and Development (OECD) done to provide countries with guidance on privacy concerns?

A
  • Came up with guidelines for the various countries to follow so that data is protected.
  • Core principles include
    • Collection limitation: Collection should limited and known.
    • Data Quality: Kept complete, current and relevant as intended.
    • Purpose Specification: Subjects should be notified about the colleciton
    • Use Limitation: Only with consent of the subject can it disclosed
    • Security Safeguards: Reasable safeguards to protect data
    • Openness: Practices, policies regarding data should be open
    • Individual Partispation: Subjects must be able to find out who has their data
    • Accountibility: Organisations should be accountable for the data they keep.
23
Q

What are the main considerations of GDPR?

A
  • Defines 3 relevant parties: Subject, Controller and Processor
  • Regulation applies if any of the 3 entities is based in the EU
  • What constitues privacy data is beyond laws outside of the EU.
  • Key provisions:
    • Consent: Controllers and processors cannot use data.
    • Right to be informed: Musted inform subjects about the data use.
    • Right to restrict: Subjets can agree to collect data by the controller but disallow the processor.
    • Right to be forgotten: Request their personal data be removed.
    • Data breaches: report within 72 hours.
24
Q

What are the forms of intellectual property protections?

A
  • Trade Secret: is proprietary to a company and import for its survival. e.g formual for coke, ingredients for special sauce. Has no expiration date.
    • Require employees to sign NDAs
  • Copyright: protects the rights of the creater from unathorised copying and distribution. Protection for the life of the creater + 70 years.
  • Trademark: represents the brand identity. Protected for 10 years, but renewed indefinately
  • Patent: provided to inventions that are novel, useful and not obvious. Prevents others from using or copying the invention for 20 years.
  • Software licencing: applications usually licences the program instead of selling it outright:
    • Freeware: publically available
    • Shareware, or trialware: trial and then asked to purchase.
    • Commerical
    • Academic: Reduced costs for acadmeics.
25
What is PII and what are some approaches to protecting privacy?
* Personal Identifiable information (PII): data that can be used to uniquely identify or locate single person. * Full name, National ID number, vehicle plate number, drivers license number, credit card numbers and etc * Two approaches - generic approach accross all industries, regulation by industry is verticle enactment, such as financial or healthcare. * Need for privacy: * Data aggregation and retrieval advancement * Loss of boarders: business globalisation * Convergent technlogies advancement: gathering, mining
26
What are some privacy protection laws on US government?
* Federal privacy act: ensures agencies cannot disclose information about an individual without permission. medical, criminal, education. * FISMA: Requires every agengcy create a security program to provide protection on systems. NIST 800-37 helps ensure compliance. * VA ACT: Specifically for the department of VA because of a laptop theft incident that disclosed 26.5 million records. Was not compliant. * US Patiout ACT: eases restrictions on law enforement, foriegn intelligence in the USA.
27
What are some of the laws on corporations to deal with privacy?
* HIPPA: national standard for the storage, use, and transmission of personal medical information and healthcare. Also applies to any facility that creates, accesses, shares or destroys medical info * HITECH: addresses the privacy and security concerns of electronic transmission of health records, and the civil and criminal enforcement. * GLBA: Requires financial institutions to develop privacy notices, and enable customers to opt out of information sharing. Ensures directors are responsible for the security. * PIPEDA: main goal is oversee how th private sector collects, uses, and discloses personal information in regular business.
28
What are self regulation standards to protect privacy and security?
* PCI DSS is a proactive step the credit card industry took. * applies to any entity that processes, trasmits, stores or accepts credit card data. * made up of 12 requirements broken up into 6 categories: * Build and maintain a secure Network * Protect cardholder data * maintain a vulnerability management program * implement strong access control * Regularly monitor and test networks * maintain an information security policy.
29
What is a security policy?
* Overall general statement produced by senior management. * Need to be technology and solution independant * Can be: * Organisational: establishes how a security program will be set up, lays out the goals, assigns responsibility. * Issue-specific: specific issue that management feel need more attention to ensure its clear how to comply. Eg email policy * System specific: represents decisions that specific to the actual computers, networks and applications. eg. how a senstive database should be locked down or laptops locked down. * Types of policies: * Regulatory: applies to some regulation such as HIPPA, FISMA * Advisory: strongly advises employees what is acceptable * informative: not an enforceable policy.
30
What is a security standard?
* Mandatory activities, actions, or rules and gives a policy its support. * Ensures specific technologies, applications, and procedures are implemented in a uniform (Standardised) manner. * These rules are compulsory and must be enforced * For example, for issue-specific data classification policy "All confidential data must be protected". A corresponding standard "Confidential information must be protected with AES256 at rest & transit".
31
What is the difference between Baselines, Guidelines and procedures?
* Baselines are: * Refers to a point in time that is used as a comparison for future changes. * Used to define the minimum level of protection required. * Guidelines: * Recommended actions and operational guides to users, IT & Operation staff when a specific standard doesnt apply * Procedures: * Considered lowest level in the documentation chain because they are closest to the computers and users, and spell out how the policy, standards and guidelines will be implemented
32
What is Risk Management?
* Process of identifying and assessing risk, reducing it an acceptable level, and ensuring it remains at that level. * Requires skils in identifying threats, assessing probablility and the impact, and then taking the steps to reduce overall risk. * According to NIST SP 800-39: * Organisation: risks to the business as a whole * Business Process: risks to major functions of the organisation * Information systems: risks from a systems perspective * Information systems risk management policy requires commitment from senior management. Defines the level of risks, formal processes, mapping of risk to internal controls.
33
What is the Risk management process?
* NIST SP 800-39 describes four interrelated components: * Frame risk: defines the context within which all other risk activities takes place * Assess risk: * Respond to risk: matching our limited resources with our prioritized set of controls * Monitor risk: monitor the effectiveness of our controls against the risks.
34
What are the threat modeling concepts?
Information systems consists of information, processes and people. Information: * Data at rest: copied and given to unauthorised parties * Data in motion: modified and intercepting it on the network * Data in use: exploiting race condition, TOC/TOU Processes: Specific kind of software vulnerability, but should include business processes. People: Social enginering, Social networks, passwords - weak passwords.
35
What are threat modeling methodologies?
* Attack trees: Based on the observation that there are multiple ways to accomplish a given objective * Branches created by each decision point create what is known as an attack tree * Each of the leaf nodes represents a specific condition that must be met in order for the parent node to be effective. * Successful attack, is one in which the attacker traverses from a leaf node all the way to the root. * Reduction Analysis, two focal points: * One aspect is to reduce the number of attacks, and the other is to reduce the threat posed by the attack. * Closer you are to the root when you implement a mitigation, the more leaf conditions you will defeat.
36
Difference between Risk analysis and Assessment?
**Risk assessment** is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement controls. **Risk analysis** priortize their risks and shows management the amount of resources that should be applied to protecting against those risks. * Identify assests and their value * Determine the likelihood that a threat exploits vulnerability * Determine the business impact * Provide balance between impact of threat and cost of countermeasure - cost/benefit analysis
37
What the methodologies for Risk Assessments?
* NIST SP 800-30 * Prepare for the assessment * Conduct the assessment (identify threat sources, vulnerabilties, likeihood, impact, risk) * Communicate results * Maintain assessment * Faciliatated Risk Analysis Process (FRAP): inteded to analyze one system, application, or business process at a time. Scope of the assessment is small, and cannot use calculations such as ALE. * Operationally Critical Threat, Asset, and Vulnerability Evaluation (Octave) is more in-depth assessement that requires workshops, to help ensure team members understand the methodology. Much wider in scope. * ISO 31000 developed by AUS/NZ, is broader approach to understand, financal, safety, and business decisions. * ISO 27005 is a standard for how risk management should be carried out in the framework of an ISMS, deals with IT and softer issues. * Failure Modes and effect Analysis (FMEA): method of determining functions, identifying functional failures, and assesing the causes of failure and their failure effects. Not as useful in complex environments. Involves the following steps: * Block diagram of a system or control * what happens if each block fails * In a table, identify which failures are paired with their effects and evaluation of the effects. * Adjust the table until the system is not known to have unacceptable problems * Several engineers review the FMEA. * Fault tree analysis is better at complex environments, by first having an undesired effect as the root, and then each situation that has the potential to cause that effect is added to the tree. * Central Computing and Telecommunications Agency Risk Analysis and management method (CRAMM) works in three stages: defines objectives, assess risks, and identify countermeaures. But, has questionnaires, asset dependency modeling, assessment formulas and etc) in an automated tool.
38
What are the steps of Quantitative Risk analysis?
* Use mathematical forumals for data interpretation. * Single loss expectancy: loss from a single instance * Asset Value x Exposure Factor (EF) = SLE, EF is % of loss * Annulaised loss Expectancy (ALE): Loss in a year. * SLE x Annualized Rate of Occurence (ARO) = ALE * Control selected \<= ALE * Considerations: Uncertanity is the degree to which you lack confidence in an estatimate. * Main issues are the calculations are complex, laborious without tools, more preliminary work is needed.
39
What are the steps of the Qualitative Analysis?
* Monetary values are NOT used, instead a matrix of likelihood vs consquences ranking from low to high or 1-5 on each axis, is used to represent the risk. * Once selected personnel agree on the findings, then this is presented to management to help make decisions. Benefited by the communication that must happen amongst the team to identify the risk. * Can use the delphi technique to ensure team members opinions are made anonymous to prevent people from being pressured to vote a certain way.
40
What are some risk Management frameworks (RMF)?
* RMF is a structed process that identifies, assess, reduces, and ensures it remains at the reduced level. * NIST SP 800-37: takes a systems life cycle approach. * ISO 31000: focusing on uncertainity that leads to unanticipated effects. Much broader framework covering more thant IT. * ISACA Risk IT: Bridges the gap between the generic ISO 31000 and the IT centric NIST. Very well integrated with COBIT. * NIST SP 800 37, specifies 6 steps: * Categorise information systems: define the system, subsystems and boundaries. Any legal requirements. * Select security controls: * Implement security controls * Assess Security controls * Authorise Information system:After examining the risk exposure, determine if the residual risk is acceptable. * Monitor Security controls: has any vulnerabilities been discovered?
41
What is the difference betweenDisaster Recovery Plan (DRP) and Business Continuity planning (BCP)?
* DRP is to handle an incident and its ramifications right after disaster hits. * Business Continuity Planning: include getting critical systems to another environment while repair of the original facilities is under way. Planning is getting the right people to the right places, documenting the neccessary configurations, establishing alternative communication channels, providing power and making sure all dependencies are properly understood. * Business continutity Management (BCM) is the holistic management of both DRP and BCP.
42
What are the BCP best practices and standards?
* NIST SP 800-34, steps * Develop the continuity planning statment: assigns authority to the neccessary roles * Conduct the Business Impact Analysis (BIA): Identifies critial systems/app and the associated vulnerabilies and risk * Identify preventitive controls: to minimize the risk * Create contingency strategies: methods to bring systems up quickly. * Develop an information system contingency plan: Write policies and procedures for how to be operational in critical state. * Ensure plan, testing, and exercises. * Ensure plan maintainence. * ISO 27031/2011: Guidelines for readiness for business continuity * ISO 22331:2012:
43
How do you make BCM Part of the Enterprise Security Program?
* Understanding the organisation first, using frameworks such as Zachmans framework as it allows you to understand the company's architecture and picies and components. * CBK is broken down into eight domains, which are top tier disciples, and thus each company should have at least 8 sets of policies, procedures. * Senior management must known the responsibility and has the view that extends beyond each functional manager's focus. * To get BCP support from management, business cases must be made include vulnerabilites, legal obligations, and current status of recovery. * Include a cost/benefits should include shareholder, stakeholder, regulatory, and legislative impacts.
44
What are the components of a BCP project?
* Setting up budget and staff for the program (BCP committee). * Assigning duties and responsibilties to the BCP coordinator and to the representatives. * Senior management kick-off the BCP program with formal annocement. * Awareness-raising activities to let employees known about the BCP program and to build internal support for it. * Establishment of skills training for the support of the BCP effort. * Start the data collection throughout the organisation to aid in crafting various continuity options. * Putting into effect quick wins and low hanging fruit
45
What is the purpose of a Business Impact Analysis?
* Is a functional analysis in which a team collects data through interviews and documentary sources; documents business function, develops a hierarchy of business functions; and finally applies a classification scheme to indicate each individual function's criticality level. * BCP committee must identity the threats to the company and map them to the following: * Maxiumum tollerable downtime: Nonessential 30 days to Critical minutes to hours. * Operational disruption and productivity * FInancial considerations * Regulatory responsibilties * Reputation * BIA is conducted after the data gathering phases.
46
What are the responsbilities for the BCM from a management and BCP team perspective?
Managements responsibility: * Committing fully to the BCP * Setting policy and goals * Make available the neccessary funds and ressources * Taking responsibility for the outcome of the development of the BCP * Appointment a team for the process BCP team's responsbility are as follows: * Identifying regulatory and legal requirements * identifying all possible vulnerabilities and threats * Estimating the possibilties of these threats.
47
What are the personnel Security issues?
* HR Practices: Hiring qualified individual, conducting background checks, using detailed job descriptions, providing neccessary training, enforcing strict access controls and terminating individuals in way that parties involved. * Seperation of duties: make sure one individual cannot complete a critical tasks by themselves. Collusion must take place for fraud to be commited * Split knowledge: no one person knows everything. Two people need to combine their knowledge to complete some task * dual control. Two people need to be available and active to perform the operation * Rotation of duties: A detective control to uncover fraduelent activities that would have been hidden because they were doing the activity for so long.
48
What is Security Governance?
* A framework that allows for the security goals of an organisation to be set and expressed by senior management. * Oversight mechanisms developed, to ensure those that are responsible are constantly updated on the health and security of the organisation. * A system of integrated processes that helps ensure consistent oversight, accountability, and compliance. * Use of metrics: * assess the effectiveness of our work, identify deficiencies and prioritise the things that still need work * Measurement will need to happen on a continuous basis so the data collection methods are repeatable * Measurements compared with set values to determine performance. * Industry best practices for metrics include, 27004, NIST 800-55
49
What are the ISC^2 code of ethics?
* Protect society the common good, neccessary public trust and confidence and the infrastructure * Act honorably, Justly responsibly and legally * provide diligent and competent service to principals * advance and protect the profession.
50

CISSP - 2020 (1 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions