CISSP – Domain 1 – Information Security Governance and Risk Management – Flashcards
79 test answers
question
Define Risk
answer
A matched threat and vulnerability
question
Define Safeguard
answer
A measure taken to reduce risk
question
Define Total Cost of Ownership
answer
The cost of a safeguard
question
Define Return on Investment
answer
Money saved by deploying a safeguard
question
What does "CIA" stand for?
answer
Confidentiality, Integrity, and Availability
question
Define Confidentiality
answer
Confidentiality seeks to prevent the unauthorized disclosure of information.
question
Confidentiality protects against...
answer
Disclosure
question
Define Integrity
answer
Integrity seeks to prevent unauthorized modification of information.
question
Integrity protects against...
answer
Alteration
question
What are the two types of Integrity?
answer
1. Data Integrity 2. System Integrity
question
Define Availability
answer
Availability ensures that information is available when needed.
question
Availability protects against...
answer
Destruction.
question
What does DAD stand for?
answer
Disclosure, Alteration, and Destruction
question
What does AAA stand for?
answer
Authentication, Authorization, and Accountability
question
What is the first step usually left out of AAA?
answer
Identity
question
What are examples of Identification and Authentication commonly used together?
answer
A username is the identity and a password is the authentication.
question
Define Nonrepudiation
answer
Nonrepudiation means a user cannot deny (repudiate) having performed a transaction.
question
What two things does Nonrepudiation require?
answer
You must have both authentication and integrity to have nonrepudiation.
question
Define Least Privilege
answer
Users should be granted the minimum amount of access (authorization) required to do their jobs, but no more.
question
Define Need to Know in relation to Least Privilege.
answer
Need to know is more granular than least privilege: the user must need to know that specific piece of information before accessing it.
question
Define Defense in Depth
answer
Defense in Depth (also called layered defenses) applies multiple safeguards (also called controls: measures taken to reduce risk) to protect an asset.
question
Define Assets
answer
Assets are valuable resources you are trying to protect. Assets can be data, systems, people, buildings, property, and so forth.
question
Name three examples of a threat.
answer
1. Earthquake 2. Power Outage 3. Network Worm
question
Name three examples of a vulnerability.
answer
1. Buildings in a quake zone not up to code.
2. No UPS in data center.
3. Unpatched systems.
question
What is the equation for Risk?
answer
Risk = Threat x Vulnerability
question
Define Impact
answer
Impact is the severity of potential damage, sometimes expressed in dollars.
question
What is a synonym for impact?
answer
Consequences.
question
Where is Impact used?
answer
As a modifier in the Risk = Threat x Vulnerability equation. Risk = Threat x Vulnerability x Impact.
question
ALE
answer
Annualized Loss Expectancy
question
What does Annualized Loss Expectancy (ALE) provide?
answer
Allows you to determine the annual cost of a loss due to a risk.
question
Define Asset Value (AV).
answer
The value of the asset you are trying to protect.
question
Define Exposure Factor (EF).
answer
The percentage of an asset's value lost due to an incident.
question
Define Single Loss Expectancy (SLE).
answer
The cost of a single loss. AV x EF = SLE
question
Define Annual Rate of Occurrence (ARO).
answer
The number of losses you suffer per year.
question
Define Annualized Loss Expectancy (ALE).
answer
Your yearly cost due to a risk. SLE x ARO = ALE
question
What are the four Risk Choices?
answer
1. Accept the Risk
2. Mitigate or eliminate the Risk
3. Transfer the Risk
4. Avoid the Risk
question
What is the difference between Qualitative and Quantitative Risk Analysis?
answer
Quantitative Risk Analysis uses hard metrics, such as dollars. Qualitative Risk Analysis uses simple approximate values.
question
What is an example of a Quantitative Risk Analysis?
answer
An ALE is an example of Quantitative Risk Analysis.
question
What is an example of a Qualitative Risk Analysis?
answer
A Risk Analysis Matrix is an example of a Qualitative Risk Analysis.
question
What are the nine steps of the Risk Management guide (Special Publication 800-30) from NIST?
answer
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
question
Define Information Security Governance
answer
Information security at the organizational level: senior management, policies, processes, and staffing.
question
Define Policy.
answer
High-level management directives; Mandatory.
question
What are the four basic components of a Policy?
answer
1. Purpose 2. Scope 3. Responsibilities 4. Compliance
question
What are the three policy types specified in NIST Special Publication 800-12?
answer
1. Program policy 2. Issue-specific policy 3. System-specific policy
question
Define Procedure.
answer
A step-by-step guide for accomplishing a task. They are low level and specific.
question
Define Standards.
answer
Describes the specific use of technology, often applied to hardware and software.
question
Are Standards mandatory or discretionary?
answer
Mandatory
question
Are policies mandatory or discretionary?
answer
Mandatory.
question
Define Guidelines.
answer
Recommended actions; discretionary.
question
Define Baseline
answer
Uniform ways of implementing a safeguard.
question
Are Baselines mandatory or discretionary?
answer
Discretionary.
question
Are Procedures mandatory or discretionary?
answer
Mandatory.
question
What's the difference between Security Awareness and Training?
answer
Security Awareness - modifies user behavior
Training - provides a skill set
question
What are the four primary information security roles?
answer
1. Senior Management 2. Data Owner 3. Custodian 4. User
question
What is the role of Senior Management in information security?
answer
To create the information security program and ensure that it is properly staffed, funded, and has organizational priority.
question
Who is the Data Owner in information security?
answer
A management employee responsible for ensuring that specific data is protected.
question
What is the Custodian's role in information security?
answer
Provide hands-on protection of assets such as data. They perform data backups and restoration, patch systems, configure antivirus software, etc.
question
What is the role of the User in information security?
answer
They must follow the rules: they must comply with mandatory policies, procedures, standards, etc.
question
Define Privacy.
answer
The protection of the confidentiality of personal information.
question
What's the relationship between Due Care and Due Diligence?
answer
Due care is doing what a reasonable person would do. Due diligence is the management of due care.
question
Which of Due Care and Due Diligence is informal? Which is process driven?
answer
Due Care - Informal
Due Diligence - Process Driven
question
Define Gross Negligence.
answer
The opposite of due care, and legally an important concept.
question
Define Best Practice
answer
A consensus of the best way to protect the confidentiality, integrity, and availability of assets.
question
What's the difference between Outsourcing and Offshoring?
answer
Outsourcing is the use of a third party to provide Information Technology support services which were previously performed in-house. Offshoring is outsourcing to another country.
question
What's the problem with Offshoring as described by the book?
answer
When you offshore data, laws pertinent to that data (e.g., HIPAA) may no longer apply in the new country.
question
What are the 11 ISO 17799 security control areas?
answer
1. Policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development, and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance
question
Name three Auditing and Control Frameworks.
answer
1. OCTAVE 2. ISO 27002 3. COBIT
question
What are the differences between Certification and Accreditation?
answer
Certification is a detailed inspection that verifies whether a system meets the documented security requirements. Accreditation is the Data Owner's acceptance of the risk represented by that system.
question
Does a certifier have the ability to approve a system for operation?
answer
No, only the Data Owner (Accreditor) does.
question
What are the four C&A steps as laid out in NIST SP 800-37?
answer
1. Initiation Phase
2. Security Certification Phase
3. Security Accreditation Phase
4. Continuous Monitoring Phase
question
What happens in the Initiation Phase of the NIST SP 800-37?
answer
The information security system and risk mitigation plan are researched.
question
What happens during the Security Certification Phase of the NIST SP 800-37?
answer
The security of the system is assessed and documented.
question
What happens in the Security Accreditation Phase of the NIST SP 800-37?
answer
The decision to accept the risk represented by the system is made and documented.
question
What happens during the Continuous Monitoring Phase of NIST SP 800-37?
answer
Once accredited, the ongoing security of the system is verified.
question
What are the four Code of Ethics Canons?
answer
1. Protect society, the commonwealth, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.