A vulnerability is a weakness, typically the absence or inadequacy of a safeguard, that can be exploited.
A threat is the possibility that someone or something would exploit a vulnerability, intentionally or accidentally, and cause harm to an asset.
A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.
Reducing vulnerabilities and/or threats reduces risk.
An exposure is an instance of being exposed to losses from a threat.
A countermeasure, also called a safeguard, mitigates the risk.
A countermeasure can be an application, software configuration, hardware, or procedure.
If someone is practicing due care, they are acting responsibly and will have a lower probability of being found negligent and liable if a security breach takes place.
Security management has become more important over the years because networks have evolved from centralized environments to distributed environments.
The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources.
Strategic planning is long term, tactical planning is midterm, and operational planning is day to day. These make up a planning horizon.
ISO 17799 (renumbered ISO/IEC 27002 in 2007) is a comprehensive set of controls comprising best practices in information security and provides guidelines on how to set up and maintain security programs.
Security components can be technical (firewalls, encryption, and access control lists) or nontechnical (security policy, procedures, and compliance enforcement).
Asset identification should include tangible assets (facilities, hardware) and intangible assets (corporate data, reputation).
Project sizing, which means to understand and document the scope of the project, must be done before a risk analysis is performed.
Assurance is a degree of confidence that a certain security level is being provided.
CobiT is a framework that defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs.
CobiT is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
ISO 17799:2005 is the successor to BS7799 Part 1 (it was later renumbered ISO/IEC 27002).
ISO 27001:2005 is the successor to BS7799 Part 2.
ISO 27001:2005 provides the steps for setting up and maintaining a security program.
ISO 17799:2005 provides a list of controls that can be used within the framework outlined in ISO 27001:2005.
Security management should work from the top down, from senior management down to the staff.
Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly.
Which security model a company should choose depends on the type of business, its critical missions, and its objectives.
The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy.
Risk can be transferred, avoided, reduced, or accepted.
An example of risk transference is when a company buys insurance.
Ways to reduce risk include improving security procedures and implementing safeguards.
Threats × vulnerability × asset value = total risk
(Threats × vulnerability × asset value) × controls gap = residual risk
The main goals of risk analysis are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.
Information risk management (IRM) is the process of identifying, assessing, and reducing risk to an acceptable level and implementing the right mechanisms to maintain that level of risk.
Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
A fault tree analysis is a useful approach to detect failures that can take place within complex environments and systems.
A quantitative risk analysis attempts to assign monetary values to components within the analysis.
A purely quantitative risk analysis is not possible because qualitative items cannot be quantified with precision.
Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.
When determining the value of information, the following issues must be considered: the cost to acquire and develop the data; the cost to maintain and protect it; its value to owners, users, and adversaries; the cost of replacement if it is lost; the price others are willing to pay for it; lost opportunities; and the usefulness of the data.
Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.
Single loss expectancy (SLE) is the amount that could be lost if a specific threat agent exploited a vulnerability.
Single loss expectancy × frequency per year = annualized loss expectancy (SLE × ARO = ALE)
Qualitative risk analysis uses judgment and intuition instead of numbers.
Qualitative risk analysis involves people with the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience.
The Delphi technique is a group decision method where each group member can communicate anonymously.
When choosing the right safeguard to reduce a specific risk, the cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.
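The SLE, ALE and cost/benefit tips above are easier to apply with the arithmetic carried through once. The following Python block is an added example, not code from the original text: it computes SLE and ALE for one threat/asset pair, carries the team's uncertainty about the ARO through to a range (the confidence point raised earlier), and scores candidate safeguards by the standard net-value figure (ALE before the safeguard) − (ALE after) − (annual cost of the safeguard), which is the usual way the cost/benefit comparison is expressed. The server-room scenario, the safeguard names and every dollar figure are constructed for illustration.

```python
"""Worked quantitative risk analysis: SLE, ALE, and safeguard cost/benefit.

Every figure below is constructed for illustration; none comes from the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatScenario:
    """One threat acting on one asset (the unit an ALE figure describes)."""
    asset: str
    threat: str
    asset_value: float      # AV: dollar value of the asset (see the value-of-information factors)
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0.0 to 1.0
    aro: float              # ARO: expected incidents per year (0.1 = once every ten years)


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the exposure that remains once it is in place."""
    name: str
    annual_cost: float      # purchase amortised over its life + maintenance + staff time
    exposure_factor: float  # EF remaining with the safeguard deployed
    aro: float              # ARO remaining with the safeguard deployed


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: AV x EF."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy: SLE x ARO."""
    return sle(asset_value, exposure_factor) * aro


def scenario_ale(s: ThreatScenario) -> float:
    """ALE for a scenario as it stands today, before any new safeguard."""
    return ale(s.asset_value, s.exposure_factor, s.aro)


def ale_interval(s: ThreatScenario, aro_low: float, aro_high: float) -> tuple[float, float]:
    """Carry the team's uncertainty about the ARO through to the ALE, so management
    sees a range rather than one spuriously precise number."""
    return (ale(s.asset_value, s.exposure_factor, aro_low),
            ale(s.asset_value, s.exposure_factor, aro_high))


def safeguard_value(s: ThreatScenario, g: Safeguard) -> float:
    """Net annual value of a safeguard: (ALE before) - (ALE after) - (annual cost).
    A negative result means the control costs more per year than the loss it
    prevents, which is the case where accepting the risk is the defensible choice."""
    ale_before = scenario_ale(s)
    ale_after = ale(s.asset_value, g.exposure_factor, g.aro)
    return ale_before - ale_after - g.annual_cost


def rank_safeguards(s: ThreatScenario, candidates: list[Safeguard]) -> list[tuple[str, float]]:
    """Rank candidates by net annual value, best first. Only those with a positive
    value are worth funding on cost/benefit grounds alone."""
    scored = [(g.name, safeguard_value(s, g)) for g in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a $250,000 server room exposed to fire, expected once a decade.
FIRE = ThreatScenario(asset="server room", threat="fire",
                      asset_value=250_000.0, exposure_factor=0.40, aro=0.10)

# Constructed candidate safeguards (hypothetical names and figures).
CANDIDATES = [
    Safeguard("gas suppression system", annual_cost=3_000.0, exposure_factor=0.10, aro=0.10),
    Safeguard("off-site warm standby", annual_cost=8_000.0, exposure_factor=0.05, aro=0.10),
    Safeguard("full hot site", annual_cost=12_000.0, exposure_factor=0.01, aro=0.10),
]

if __name__ == "__main__":
    print(f"SLE = ${sle(FIRE.asset_value, FIRE.exposure_factor):,.0f}")
    print(f"ALE = ${scenario_ale(FIRE):,.0f} per year")
    low, high = ale_interval(FIRE, aro_low=0.05, aro_high=0.20)
    print(f"ALE range given ARO uncertainty: ${low:,.0f} to ${high:,.0f}")
    for name, value in rank_safeguards(FIRE, CANDIDATES):
        verdict = "fund" if value > 0 else "reject (accept the risk instead)"
        print(f"{name:24s} net value ${value:>9,.0f}/yr -> {verdict}")
```

With these inputs the fire scenario has an SLE of $100,000 and an ALE of $10,000 per year. The suppression system returns the highest net value, the warm standby is marginal, and the hot site costs more than it saves, so on these numbers alone the risk it addresses should be accepted rather than bought down. Note that the ranking changes if the ARO estimate is wrong by a factor of two in either direction, which is why the interval matters as much as the point figure.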
A security policy is a statement by management dictating the role security plays in the organization.
Procedures are detailed step-by-step actions that should be followed to achieve a certain task.
A standard specifies how hardware and software are to be used. Standards are compulsory.
A baseline is a minimum level of security.
Guidelines are recommendations and general approaches that provide advice and flexibility.
Job rotation is a control to detect fraud.
Mandatory vacations are a control type that can help detect fraudulent activities.
Separation of duties ensures no single person has total control over an activity or task.
Split knowledge and dual control are two aspects of separation of duties.
Data is classified to assign priorities to data and ensure the appropriate level of protection is provided.
Data owners specify the classification of data.
Security has functional requirements, which define the expected behavior from a product or system, and assurance requirements, which establish confidence in the implemented products or systems overall.
The security program should be integrated with current business objectives and goals.
Management must define the scope and purpose of security management, provide support, appoint a security team, delegate responsibility, and review the team’s findings.
The risk management team should include individuals from different departments within the organization, not just technical personnel.
A qualitative rating would be expressed in high, medium, or low, or on a scale of 1 to 5 or 1 to 10. A quantitative result would be expressed in dollar amounts and percentages.
Safeguards should default to least privilege, and have fail-safe defaults and override capabilities.
Safeguards should be imposed uniformly so everyone has the same restrictions and functionality.
A key element during the initial security planning process is to define reporting relationships.
The data custodian (information custodian) is responsible for maintaining and protecting data.
A security analyst works at a strategic level and helps develop policies, standards, and guidelines, and also sets various baselines.
Application owners are responsible for dictating who can and cannot access their applications, as well as the level of protection these applications provide for the data they process and for the company.
Please remember that these questions are formatted and asked in a certain way for a reason. The CISSP exam asks questions at a conceptual level. Questions may not always have a perfect answer, so do not search for one; look for the best answer in the list.
1. Who has the primary responsibility of determining the classification level for information?
2. Which group causes the most risk of fraud and computer compromises?
3. If different user groups with different security access levels need to access the same information, which of the following actions should management take?
4. What should management consider the most when classifying data?
5. Who is ultimately responsible for making sure data is classified and protected?
6. What is a procedure?
7. Which factor is the most important item when it comes to ensuring security is successful in an organization?
8. When is it acceptable to not take action on an identified risk?
9. What are security policies?
10. Which is the most valuable technique when determining if a specific security control should be implemented?
11. Which best describes the purpose of the ALE calculation?
12. Tactical planning is:
13. What is the definition of a security exposure?
14. An effective security program requires a balanced application of:
15. The security functionality defines the expected activities of a security mechanism, and assurance defines:
16. Which statement is true when looking at security objectives in the private-business sector versus the military sector?
17. How do you calculate residual risk?
18. Which of the following is not a purpose of doing a risk analysis?
19. Which of the following is not a management role in the process of implementing and maintaining security?
20. Why should the team that will perform and review the risk analysis information be made up of people in different departments?
21. Which best describes a quantitative risk analysis?
22. Why is a truly quantitative risk analysis not possible to achieve?
23. If there are automated tools for risk analysis, why does it take so much time to complete?
24. Which of the following is a legal term that pertains to a company or individual taking reasonable actions and is used to determine liability?
1. C. A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data. One of the responsibilities that goes into protecting this information is properly classifying it.
2. A. It is commonly stated that internal threats comprise 70–80 percent of the overall threat to a company. This is because employees already have privileged access to a wide range of company assets. The outsider who wants to cause damage must obtain this level of access before she can carry out the type of damage internal personnel could dish out. A lot of the damages caused by internal employees are brought about by mistakes and system misconfigurations.
3. C. If data is going to be available to a wide range of people, more granular security should be implemented to ensure that only the necessary people access the data and that the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.
4. B. The best answer to this question is B, because to properly classify data, the data owner must evaluate the availability, integrity, and confidentiality requirements of the data. Once this evaluation is done, it will dictate which employees, contractors, and users can access the data, which is expressed in answer A. This assessment will also help determine the controls that should be put into place.
5. D. The key to this question is the use of the word “ultimately.” Though management can delegate tasks to others, it is ultimately responsible for everything that takes place within a company. Therefore, it must continually ensure that data and resources are being properly protected.
6. B. Standards are rules that must be followed; thus, they are compulsory. Guidelines are recommendations, while procedures are step-by-step instructions.
7. A. Without senior management’s support, a security program will not receive the necessary attention, funds, resources, and enforcement capabilities.
8. D. Companies may decide to live with specific risks they are faced with if the cost of trying to protect themselves would be greater than the potential loss if the threat were to become real. Countermeasures are usually complex to a degree, and there are almost always political issues surrounding different risks, but these are not reasons to not implement a countermeasure.
9. C. A security policy captures senior management’s perspectives and directives on what role security should play within the company. Security policies are usually general and use broad terms so they can cover a wide range of items.
10. B. Although the other answers may seem correct, B is the best answer here. This is because a risk analysis is performed to identify risks and come up with suggested countermeasures. The ALE tells the company how much it could lose if a specific threat became real. The ALE value will go into the cost/benefit analysis, but the ALE does not address the cost of the countermeasure and the benefit of a countermeasure. All the data captured in answers A, C, and D are inserted into a cost/benefit analysis.
11. D. The ALE calculation estimates the potential loss that can affect one asset from a specific threat within a one-year time span. This value is used to figure out the amount of money that should be earmarked to protect this asset from this threat.
12. A. Three types of goals make up the planning horizon: operational, tactical, and strategic. Tactical goals are midterm goals that must be accomplished before the overall strategic goal is accomplished.
13. A. An exposure is an instance of being exposed to losses from a threat agent. A vulnerability can cause an organization to be exposed to possible damages. For example, if password management is lax and password rules are not enforced, the company can be exposed to the possibility of having users’ passwords captured and used in an unauthorized manner.
14. A. Security is not defined by a firewall, an access control mechanism, a security policy, company procedures, employee conduct, or authentication technologies. It is defined by all of these and how they integrate together within an environment. Security is neither purely technical nor purely procedural, but rather a mix of the two.
15. C. The functionality describes how a mechanism will work and behave. This may have nothing to do with the actual protection it provides. Assurance is the level of confidence in the protection level a mechanism will provide. When systems and mechanisms are evaluated, their functionality and assurance should be examined and tested individually.
16. B. Although answer C may seem correct to you, it is a subjective answer. Businesses will see their threats and risks as being more important than another organization’s threats and risks. The military has a rich history of having to keep its secrets secret. This is usually not as important in the commercial sector relative to the military.
17. D. The equation is more conceptual than practical. It is hard to assign a number to a vulnerability and a threat individually. This equation enables you to look at the potential loss of a specific asset, as well as the controls gap (what the specific countermeasure cannot protect against). What remains is the residual risk, which is what is left over after a countermeasure is implemented.
18. A. The other three answers are the main reasons to carry out a risk analysis. An analysis is not carried out to delegate responsibilities. Management will take on this responsibility once the results of the analysis are reported to it and it understands what actually needs to be carried out.
19. B. The number one ingredient management must provide when it comes to security is support. Management should define the role and scope of security and allocate the funds and resources. Management also delegates who does what pertaining to security. It does not carry out the analysis, but rather is responsible for making sure one is done and that management acts on the results it provides.
20. C. An analysis is only as good as the data that goes into it. Data pertaining to risks the company faces should be extracted from the people who understand best the business functions and environment of the company. Each department understands its own threats and resources, and may have possible solutions to specific threats that affect its part of the company.
21. C. A quantitative risk analysis assigns monetary values and percentages to the different components within the assessment. A qualitative analysis uses opinions of individuals and a rating system to gauge the severity level of different threats and the benefits of specific countermeasures.
22. D. During a risk analysis, the team is trying to properly predict the future and all the risks that future may bring. It is somewhat of a subjective exercise and requires educated guessing. It is very hard to properly predict that a flood will take place once in ten years and cost a company up to $40,000 in damages, but this is what a quantitative analysis tries to accomplish.
23. A. An analysis usually takes a long time to complete because of all the data that must be properly gathered. There are generally many different sources for this type of data, and properly extracting it is extremely time-consuming. In most situations, it involves setting up meetings with specific personnel and going through a question-and-answer process.
24. C. A company’s or individual’s actions can be judged by the “Prudent Person Rule,” which looks at how a prudent or reasonable person would react in similar situations. Due care means to take these necessary actions to protect the company and its assets, customers, and employees. Computer security has many aspects pertaining to practicing due care. If management does not ensure these things are in place, it can be found negligent.