CISSP – Domain 1 – Information Security Governance and Risk Management – Flashcards

question
What is the title of Domain 1 of the CISSP?
answer
Information Security governance and Risk Management
question
Define Annualized Loss Expectancy
answer
The cost of loss due to a risk over a year
question
Define Threat
answer
A potentially negative occurrence
question
Define Vulnerability
answer
A weakness in a system
question
Define Risk
answer
A matched threat and vulnerability
question
Define Safeguard
answer
A measure taken to reduce risk
question
Define Total Cost of Ownership
answer
The cost of a safeguard
question
Define Return on Investment
answer
Money saved by deploying a safeguard
question
What does "CIA" stand for?
answer
Confidentiality, Integrity, and Availability
question
Define Confidentiality
answer
Confidentiality seeks to prevent the unauthorized disclosure of information.
question
Confidentiality protects against...
answer
Disclosure
question
Define Integrity
answer
Integrity seeks to prevent unauthorized modification of information.
question
Integrity protects against...
answer
Alteration
question
What are the two types of Integrity?
answer
1. Data Integrity 2. System Integrity
question
Define Availability
answer
Availability ensures that information is available when needed.
question
Availability protects against...
answer
Destruction.
question
What does DAD stand for?
answer
Disclosure, Alteration, and Destruction
question
What does AAA stand for?
answer
Authentication, Authorization, and Accountability
question
What is the first step usually left out of AAA?
answer
Identity
question
What are examples of Identification and Authentication commonly used together?
answer
A username is the identity and a password is the authentication.
question
Define Nonrepudiation
answer
Nonrepudiation means a user cannot deny (repudiate) having performed a transaction.
question
What two things does Nonrepudiation require?
answer
You must have both authentication and integrity to have nonrepudiation.
question
Define Least Privilege
answer
Users should be granted the minimum amount of access (authorization) required to do their jobs, but no more.
question
Define Need to Know in relation to Least Privilege.
answer
Need to know is more granular than least privilege: the user must need to know that specific piece of information before accessing it.
question
Define Defense in Depth
answer
Defense in Depth (also called layered defenses) applies multiple safeguards (also called controls: measures taken to reduce risk) to protect an asset.
question
Define Assets
answer
Assets are valuable resources you are trying to protect. Assets can be data, systems, people, buildings, property, and so forth.
question
Name three examples of a threat.
answer
1. Earthquake
2. Power Outage
3. Network Worm
question
Name three examples of a vulnerability.
answer
1. Buildings in a quake zone not up to code.
2. No UPS in data center.
3. Unpatched systems.
question
What is the equation for Risk?
answer
Risk = Threat x Vulnerability
question
Define Impact
answer
Impact is the severity of potential damage, sometimes expressed in dollars.
question
What is a synonym for impact?
answer
Consequences.
question
Where is Impact used?
answer
As a modifier in the Risk = Threat x Vulnerability equation. Risk = Threat x Vulnerability x Impact.
question
ALE
answer
Annualized Loss Expectancy
question
What does Annualized Loss Expectancy (ALE) provide?
answer
Allows you to determine the annual cost of a loss due to a risk.
question
Define Asset Value (AV).
answer
The value of the asset you are trying to protect.
question
Define Exposure Factor (EF).
answer
The percentage of an asset's value lost due to an incident.
question
Define Single Loss Expectancy (SLE).
answer
The cost of a single loss. AV x EF = SLE
question
Define Annual Rate of Occurrence (ARO).
answer
The number of losses you suffer per year.
question
Define Annualized Loss Expectancy (ALE).
answer
Your yearly cost due to a risk. SLE x ARO = ALE
question
What are the four Risk Choices?
answer
1. Accept the Risk
2. Mitigate or eliminate the Risk
3. Transfer the Risk
4. Avoid the Risk
question
What is the difference between Qualitative and Quantitative Risk Analysis?
answer
Quantitative Risk Analysis uses hard metrics, such as dollars. Qualitative Risk Analysis uses simple approximate values.
question
What is an example of a Quantitative Risk Analysis?
answer
An ALE is an example of Quantitative Risk Analysis.
question
What is an example of a Qualitative Risk Analysis?
answer
A Risk Analysis Matrix is an example of a Qualitative Risk Analysis.
question
What are the nine steps of the Risk Management guide (Special Publication 800-30) from NIST?
answer
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
question
Define Information Security Governance
answer
Information security at the organizational level: senior management, policies, processes, and staffing.
question
Define Policy.
answer
High-level management directives; Mandatory.
question
What are the four basic components of a Policy?
answer
1. Purpose
2. Scope
3. Responsibilities
4. Compliance
question
What are the three policy types specified in NIST Special Publication 800-12?
answer
1. Program policy
2. Issue-specific policy
3. System-specific policy
question
Define Procedure.
answer
A step-by-step guide for accomplishing a task. They are low level and specific.
question
Define Standards.
answer
Describes the specific use of technology, often applied to hardware and software.
question
Are Standards mandatory or discretionary?
answer
Mandatory
question
Are policies mandatory or discretionary?
answer
Mandatory.
question
Define Guidelines.
answer
Recommended actions; discretionary.
question
Define Baseline
answer
Uniform ways of implementing a safeguard.
question
Are Baselines mandatory or discretionary?
answer
Discretionary.
question
Are Procedures mandatory or discretionary?
answer
Mandatory.
question
What's the difference between Security Awareness and Training?
answer
Security Awareness - modifies user behavior
Training - provides a skill set
question
What are the four primary information security roles?
answer
1. Senior Management
2. Data Owner
3. Custodian
4. User
question
What is the role of Senior Management in information security?
answer
To create the information security program and ensure that it is properly staffed, funded, and has organizational priority.
question
Who is the Data Owner in information security?
answer
A management employee responsible for ensuring that specific data is protected.
question
What is the Custodian's role in information security?
answer
Provide hands-on protection of assets such as data. They perform data backups and restoration, patch systems, configure antivirus software, etc.
question
What is the role of the User in information security?
answer
They must follow the rules: they must comply with mandatory policies, procedures, standards, etc.
question
Define Privacy.
answer
The protection of the confidentiality of personal information.
question
What's the relationship between Due Care and Due Diligence?
answer
Due care is doing what a reasonable person would do. Due diligence is the management of due care.
question
Which of Due Care and Due Diligence is informal? Which is process driven?
answer
Due Care - Informal
Due Diligence - Process Driven
question
Define Gross Negligence.
answer
The opposite of due care, and legally an important concept.
question
Define Best Practice
answer
A consensus of the best way to protect the confidentiality, integrity, and availability of assets.
question
What's the difference between Outsourcing and Offshoring?
answer
Outsourcing is the use of a third party to provide Information Technology support services which were previously performed in-house. Offshoring is outsourcing to another country.
question
What's the problem with Offshoring as described by the book?
answer
When you offshore data, laws pertinent to that data (HIPAA) may no longer apply in the new country.
question
What are the 11 ISO 17799 security control areas?
answer
1. Policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development, and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance
question
Name three Auditing and Control Frameworks.
answer
1. OCTAVE
2. ISO 27002
3. COBIT
question
What are the differences between Certification and Accreditation?
answer
Certification is a detailed inspection that verifies whether a system meets the documented security requirements. Accreditation is the Data Owner's acceptance of the risk represented by that system.
question
Does a certifier have the ability to approve a system for operation?
answer
No, only the Data Owner (Accreditor) does.
question
What are the four C&A steps as laid out in NIST SP 800-37?
answer
1. Initiation Phase
2. Security Certification Phase
3. Security Accreditation Phase
4. Continuous Monitoring Phase
question
What happens in the Initiation Phase of the NIST SP 800-37?
answer
The information security system and risk mitigation plan is researched.
question
What happens during the Security Certification Phase of the NIST SP 800-37?
answer
The security of the system is assessed and documented.
question
What happens in the Security Accreditation Phase of the NIST SP 800-37?
answer
The decision to accept the risk represented by the system is made and documented.
question
What happens during the Continuous Monitoring Phase of NIST SP 800-37?
answer
Once accredited, the ongoing security of the system is verified.
question
What are the four Code of Ethics Canons?
answer
1. Protect society, the commonwealth, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.