CISSP – Domain 1 – Information Security Governance and Risk Management

What is the title of Domain 1 of the CISSP?
Information Security governance and Risk Management
Define Annualized Loss Expectancy
The cost of loss due to a risk over a year
Define Threat
A potentially negative occurrence
Define Vulnerability
A weakness in a system
Define Risk
A matched threat and vulnerability
Define Safeguard
A measure taken to reduce risk
Define Total Cost of Ownership
The cost of a safeguard
Define Return on Investment
Money saved by deploying a safeguard
What does "CIA" stand for.
Confidentiality, Integrity, and Availability
Define Confidentiality
Confidentiality seeks to prevent the unauthorized disclosure of information.
Confidentiality protects against…
Disclosure
Define Integrity
Integrity seeks to prevent unauthorized modification of information.
Integrity protects against…
Alteration
What are the two types of Integrity?
1. Data Integrity
2. System Integrity
Define Availability
Availability ensures that information is available when needed.
Availability protects against…
Distruction.
What does DAD stand for?
Disclosure Alteration and Destruction
What does AAA stand for?
Authentication, Authorization, and Accountability
What is the first step usually left out of AAA?
Identity
What are examples of Identification and Authentication commonly used together.
A username is the identity and a password is the authentication.
Define Nonrepudiation
Nonrepudiation means a user cannot deny (repudiate) having performed a transaction.
What two things does Nonrepudiation require?
You must have both authentication and integrity to have nonrepudiation.
Define Least Privilege
Users should be granted the minimum amount of access (authorization) required to do their jobs, but no more.
Define Need to Know in relation to Least Priviledge.
Need to know is more granular than least privilege: the user must need to know that specific piece of information before accessing it.
Define Defense in Depth
______________ (also called layered defenses) applies multiple safeguards (also called controls: measures taken to reduce risk) to protect an asset.
Define Assets
Assets are valuable resources you are trying to protect. Assets can be data, systems, people, buildings, property, and so forth.
Name three examples of a threat.
1. Earthquake
2. Power Outtage
3. Network Worm
Name three examples of a vulnerability.
1. Buildings in a quake zone not up to code.
2. No UPS in data center.
3. Unpatched systems.
What is the equation for Risk?
Risk = Threat x Vulnerability
Define Impact
Impact is the severity of potential damage, sometimes expressed in dollars.
What is a synonym for impact?
Consequences.
Where is Impact used.
As a modifier in the Risk = Threat x Vulnerability equation. Risk = Threat x Vulnerability x Impact.
ALE
Annualized Loss Expectancy
What does Annualized Loss Expectancy (ALE) provide?
Allows you to determine the annual cost of a loss due to a risk.
Define Asset Value (AV).
The value of the asset you are trying to protect.
Define Exposure Factor (EF).
The percentage of value an asset lost due to an incident.
Define Single Loss Expectancy (SLE).
The cost of a single loss. AV x EF = SLE
Define Annual Rate of Occurrence (ARO).
The number of losses you suffer per year.
Define Annualized Loss Expectancy (ALE).
Your yearly cost due to a risk. SLE x ARO = ALE
What are the four Risk Choices
1. Accept the Risk
2. Mitigate or eliminate the Risk
3. Transfer the Risk
4. Avoid the Risk
What is the difference between Qualitative and Quantitative Risk Analysis?
Quantitative Risk Analysis uses hard metrics, such as dollars. Qualitative Risk Analysis uses simple approximate values.
What is an example of a Quantitative Risk Analysis?
An ALE is an example of Quantitative Risk Analysis.
What is an example of a Qualitative Risk Analysis?
A Risk Analysis Matrix is and example of a Qualitative Risk Analysis.
What are the nine steps of the Risk Management guide (Special Publication 800-30) from NIST?
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
Define Information Security Governance
Information security at the organizational level: senior management, policies, processes, and staffing.
Define Policy.
High-level management directives; Mandatory.
What are the four basic components of a Policy.
1. Purpose
2. Scope
3. Responsibilities
4. Compliance
What are the three policy types specified in NIST Special Publication 800-12?
1. Program policy
2. Issue-specific policy
3. System-specific policy
Define Procedure.
A step-by-step guide for accomplishing a task. They are low level and specific.
Define Standards.
Describes the specific use of technology, often applied to hardware and software.
Are Standards mandatory or discretionary?
Mandatory
Are policies mandatory or discretionary?
Mandatory.
Define Guidelines.
Reccomended actions; discretionary.
Define Baseline
Uniform ways of implementing a safeguard.
Are Baselines mandatory or discretionary?
Discretionary.
Are Procedures mandatory or discretionary?
Mandatory.
What’s the difference between Security Awareness and Training?
Security Awareness – modifies user behavior
Training – provides a skill set
What are the four primary information security roles?
1. Senior Management
2. Data Owner
3. Custodian
4. User
What is the role of Senior Management in information security?
To create the information security program and ensures that is properly staffed, funded, and has organizational priority.
Who is the Data Owner in informaiton security?
A management employee responsible for ensuring that specific data is protected.
What is the Custodians role in information security?
Provide hands-on protection of assets such as data. They perform data backups and restoration, patch systems, configure antivirus software, etc.
What is the role of the User in information security?
They must follow the rules: they must comply with mandatory policies procedures, standards, etc.
Define Privacy.
The protection of the confidentiality of personal information.
What’s the relationshp between Due Care and Due Diligence?
Due care is doing what a reasonable person would do. Due diligence is the management of due care.
Which of Due Care and Due Dilligence is informal? Which is process driven?
Due Care – Informal
Due Dilligence – Process Driven
Define Gross Negligence.
The opposite of due care, and legally an important concept.
Define Best Practice
A consensus of the best way to protect the confidentiality, integrity, and availability of assets.
What’s the difference between Outsourcing and Offshoring?
Outsourcing is the use of a third party to provide Information Technology support services which were previously performed in-house.
Offshoring is outsourcing to another country.
What’s the problem with Offshoring as described by the book?
When you offshore data, laws pertinent to that data (HIPPA) may no longer apply in the new country.
What are the 11 ISO 17799 security control areas?
1. Policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development, and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance
Name three Auditing and Control Frameworks.
1. OCTAVE
2. ISO 27002
3. COBIT
What are the differences between Certification and Accreditation?
Certification is a detailed inspection that verifies whether a system meets the documented security requirements. Accreditation is the Data Owner’s acceptance of the risk represented by that system.
Does a certifier have the ability to approve a system for operation?
No, only the Data Owner (Accreditor) does.
What are the four C&A steps as layed out in NIST SP 800-37?
1. Initiation Phase
2. Security Certification Phase
3. Security Accreditation Phase
4. Continuous Monitoring Phase
What happens in the Initiation Phase of the NIST SP 800-37?
The information security system and risk mitigation plan is researched.
What happens durring the Security Certification Phase of the NIST SP 800-37?
The security of the system is assessed and documented.
What happens in the Security Accreditation Phase of the NIST SP 800-37?
The decision to accept the risk represented by the system is made and documented.
What happens during the Continuous Monitoring Phase of NIST SP 800-37.
Once accredited, the ongoing security of the system is verified.
What are the four Code of Ethics Canons?
1. Protect society, the commonwealth, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.