Quick Tips

  • A vulnerability is the absence of a safeguard (in other words, it is a weakness) that can be exploited.

  • A threat is the possibility that someone or something would exploit a vulnerability, intentionally or accidentally, and cause harm to an asset.

  • A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.

  • Reducing vulnerabilities and/or threats reduces risk.

  • An exposure is an instance of being exposed to losses from a threat.

  • A countermeasure, also called a safeguard, mitigates the risk.

  • A countermeasure can be an application, software configuration, hardware, or procedure.

  • If someone is practicing due care, they are acting responsibly and will have a lower probability of being found negligent and liable if a security breach takes place.

  • Security management has become more important over the years because networks have evolved from centralized environments to distributed environments.

  • The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources.

  • Strategic planning is long term, tactical planning is midterm, and operational planning is day to day. These make up a planning horizon.

  • ISO 17799 is a comprehensive set of controls comprising best practices in information security and provides guidelines on how to set up and maintain security programs.

  • Security components can be technical (firewalls, encryption, and access control lists) or nontechnical (security policy, procedures, and compliance enforcement).

  • Asset identification should include tangible assets (facilities, hardware) and intangible assets (corporate data, reputation).

  • Project sizing, which means to understand and document the scope of the project, must be done before a risk analysis is performed.

  • Assurance is a degree of confidence that a certain security level is being provided.

  • CobiT is a framework that defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs.

  • CobiT is broken down into four domains; Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

  • ISO 17799:2005 is the newest version of BS7799 Part 1.

  • ISO 27001:2005 is the newest version of BS7700 Part II.

  • ISO 27001:2005 provides the steps for setting up and maintaining a security program.

  • ISO 17799:2005 provides a list of controls that can be used within the framework outlined in ISO 27001:2005.

  • Security management should work from the top down, from senior management down to the staff.

  • Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly.

  • Which security model a company should choose depends on the type of business, its critical missions, and its objectives.

  • The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy.

  • Risk can be transferred, avoided, reduced, or accepted.

  • An example of risk transference is when a company buys insurance.

  • Ways to reduce risk include improving security procedures and implementing safeguards.

  • Threats × vulnerability × asset value = total risk

  • (Threats × vulnerability × asset value) × controls gap = residual risk

  • The main goals of risk analysis are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.

  • Information risk management (IRM) is the process of identifying, assessing, and reducing risk to an acceptable level and implementing the right mechanisms to maintain that level of risk.

  • Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.

  • A fault tree analysis is a useful approach to detect failures that can take place within complex environments and systems.

  • A quantitative risk analysis attempts to assign monetary values to components within the analysis.

  • A purely quantitative risk analysis is not possible because qualitative items cannot be quantified with precision.

  • Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.

  • When determining the value of information, the following issues must be considered: the cost to acquire and develop data; the cost to maintain and protect data; the value of the data to owners, users, and adversaries; the cost of replacement if the data is lost; the price others are willing to pay for the data; lost opportunities; and the usefulness of the data,

  • Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.

  • Single loss expectancy (SLE) is the amount that could be lost if a specific threat agent exploited a vulnerability.

  • Single loss expectancy × frequency per year = annualized loss expectancy (SLE × ARO = ALE)

  • Qualitative risk analysis uses judgment and intuition instead of numbers.

  • Qualitative risk analysis involves people with the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience.

  • The Delphi technique is a group decision method where each group member can communicate anonymously.

  • When choosing the right safeguard to reduce a specific risk, the cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.

  • A security policy is a statement by management dictating the role security plays in the organization.

  • Procedures are detailed step-by-step actions that should be followed to achieve a certain task.

  • A standard specifies how hardware and software are to be used. Standards are compulsory.

  • A baseline is a minimum level of security.

  • Guidelines are recommendations and general approaches that provide advice and flexibility.

  • Job rotation is a control to detect fraud.

  • Mandatory vacations are a control type that can help detect fraudulent activities.

  • Separation of duties ensures no single person has total control over an activity or task.

  • Split knowledge and dual control are two aspects of separation of duties.

  • Data is classified to assign priorities to data and ensure the appropriate level of protection is provided.

  • Data owners specify the classification of data.

  • Security has functional requirements, which define the expected behavior from a product or system, and assurance requirements, which establish confidence in the implemented products or systems overall.

  • The security program should be integrated with current business objectives and goals.

  • Management must define the scope and purpose of security management, provide support, appoint a security team, delegate responsibility, and review the team’s findings.

  • The risk management team should include individuals from different departments within the organization, not just technical personnel.

  • A qualitative rating would be expressed in high, medium, or low, or on a scale of 1 to 5 or 1 to 10. A quantitative result would be expressed in dollar amounts and percentages.

  • Safeguards should default to least privilege, and have fail-safe defaults and override capabilities.

  • Safeguards should be imposed uniformly so everyone has the same restrictions and functionality.

  • A key element during the initial security planning process is to define reporting relationships.

  • The data custodian (information custodian) is responsible for maintaining and protecting data.

  • A security analyst works at a strategic level and helps develop policies, standards, and guidelines, and also sets various baselines.

  • Application owners are responsible for dictating who can and cannot access their applications, as well as the level of protection these applications provide for the data they process and for the company.

Questions

Please remember that these questions are formatted and asked in a certain way for a reason. You must remember that the CISSP exam is asking questions at a conceptual level. Questions may not always have the perfect answer, and the candidate is advised against always looking for the perfect answer. The candidate should look for the best answer in the list.

1.Who has the primary responsibility of determining the classification level for information?

  1. The functional manager

  2. Senior management

  3. The owner

  4. The user

2.Which group causes the most risk of fraud and computer compromises?

  1. Employees

  2. Hackers

  3. Attackers

  4. Contractors

3.If different user groups with different security access levels need to access the same information, which of the following actions should management take?

  1. Decrease the security level on the information to ensure accessibility and usability of the information.

  2. Require specific written approval each time an individual needs to access the information.

  3. Increase the security controls on the information.

  4. Decrease the classification label on the information.

4.What should management consider the most when classifying data?

  1. The type of employees, contractors, and customers who will be accessing the data.

  2. Availability, integrity, and confidentiality.

  3. Assessing the risk level and disabling countermeasures.

  4. The access controls that will be protecting the data.

5.Who is ultimately responsible for making sure data is classified and protected?

  1. Data owners

  2. Users

  3. Administrators

  4. Management

6.What is a procedure?

  1. Rules on how software and hardware must be used within the environment

  2. Step-by-step directions on how to accomplish a task

  3. Guidelines on how to approach security situations not covered by standards

  4. Compulsory actions

7.Which factor is the most important item when it comes to ensuring security is successful in an organization?

  1. Senior management support

  2. Effective controls and implementation methods

  3. Updated and relevant security policies and procedures

  4. Security awareness by all employees

8.When is it acceptable to not take action on an identified risk?

  1. Never. Good security addresses and reduces all risks.

  2. When political issues prevent this type of risk from being addressed.

  3. When the necessary countermeasure is complex.

  4. When the cost of the countermeasure outweighs the value of the asset and potential loss.

9.What are security policies?

  1. Step-by-step directions on how to accomplish security tasks

  2. General guidelines used to accomplish a specific security level

  3. Broad, high-level statements from the management

  4. Detailed documents explaining how security incidents should be handled

10.Which is the most valuable technique when determining if a specific security control should be implemented?

  1. Risk analysis

  2. Cost/benefit analysis

  3. ALE results

  4. Identifying the vulnerabilities and threats causing the risk

11.Which best describes the purpose of the ALE calculation?

  1. Quantifies the security level of the environment

  2. Estimates the loss possible for a countermeasure

  3. Quantifies the cost/benefit result

  4. Estimates the loss potential of a threat in a span of a year

12.Tactical planning is:

  1. Midterm

  2. Long term

  3. Day-to-day

  4. Six months

13.What is the definition of a security exposure?

  1. An instance of being exposed to losses from a threat

  2. Any potential danger to information or systems

  3. An information security absence or weakness

  4. A loss potential of a threat

14.An effective security program requires a balanced application of:

  1. Technical and nontechnical methods

  2. Countermeasures and safeguards

  3. Physical security and technical controls

  4. Procedural security and encryption

15.The security functionality defines the expected activities of a security mechanism, and assurance defines:

  1. The controls the security mechanism will enforce

  2. The data classification after the security mechanism has been implemented

  3. The confidence of the security the mechanism is providing

  4. The cost/benefit relationship

16.Which statement is true when looking at security objectives in the private-business sector versus the military sector?

  1. Only the military has true security.

  2. Businesses usually care more about data integrity and availability, whereas the military is more concerned with confidentiality.

  3. The military requires higher levels of security because the risks are so much higher.

  4. The business sector usually cares most about data availability and confidentiality, whereas the military is most concerned with integrity.

17.How do you calculate residual risk?

  1. Threats × risks × asset value

  2. (Threats × asset value × vulnerability) × risks

  3. SLE × frequency = ALE

  4. (Threats × vulnerability × asset value) × controls gap

18.Which of the following is not a purpose of doing a risk analysis?

  1. Delegating responsibility

  2. Quantifying the impact of potential threats

  3. Identifying risks

  4. Defining the balance between the impact of a risk and the cost of the necessary countermeasure

19.Which of the following is not a management role in the process of implementing and maintaining security?

  1. Support

  2. Performing risk analysis

  3. Defining purpose and scope

  4. Delegating responsibility

20.Why should the team that will perform and review the risk analysis information be made up of people in different departments?

  1. To make sure the process is fair and that no one is left out.

  2. It shouldn’t. It should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable.

  3. Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as possible.

  4. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.

21.Which best describes a quantitative risk analysis?

  1. A scenario-based analysis to research different security threats

  2. A method used to apply severity levels to potential loss, probability of loss, and risks

  3. A method that assigns monetary values to components in the risk assessment

  4. A method that is based on gut feelings and opinions

22.Why is a truly quantitative risk analysis not possible to achieve?

  1. It is possible, which is why it is used.

  2. It assigns severity levels. Thus, it is hard to translate into monetary values.

  3. It is dealing with purely quantitative elements.

  4. Quantitative measures must be applied to qualitative elements.

23.If there are automated tools for risk analysis, why does it take so much time to complete?

  1. A lot of data must be gathered and input into the automated tool.

  2. Management must approve it and then a team must be built.

  3. Risk analysis cannot be automated because of the nature of the assessment.

  4. Many people must agree on the same data.

24.Which of the following is a legal term that pertains to a company or individual taking reasonable actions and is used to determine liability?

  1. Standards

  2. Due process

  3. Due care

  4. Downstream liabilities

Answers

1.C. A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data. One of the responsibilities that goes into protecting this information is properly classifying it.
2.A. It is commonly stated that internal threats comprise 70–80 percent of the overall threat to a company. This is because employees already have privileged access to a wide range of company assets. The outsider who wants to cause damage must obtain this level of access before she can carry out the type of damage internal personnel could dish out. A lot of the damages caused by internal employees are brought about by mistakes and system misconfigurations.
3.C. If data is going to be available to a wide range of people, more granular security should be implemented to ensure that only the necessary people access the data and that the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.
4.B. The best answer to this question is B, because to properly classify data, the data owner must evaluate the availability, integrity, and confidentiality requirements of the data. Once this evaluation is done, it will dictate which employees, contractors, and users can access the data, which is expressed in answer A. This assessment will also help determine the controls that should be put into place.
5.D. The key to this question is the use of the word “ultimately.” Though management can delegate tasks to others, it is ultimately responsible for everything that takes place within a company. Therefore, it must continually ensure that data and resources are being properly protected.
6.B. Standards are rules that must be followed; thus, they are compulsory. Guidelines are recommendations, while procedures are step-by-step instructions.
7.A. Without senior management’s support, a security program will not receive the necessary attention, funds, resources, and enforcement capabilities.
8.D. Companies may decide to live with specific risks they are faced with if the cost of trying to protect themselves would be greater than the potential loss if the threat were to become real. Countermeasures are usually complex to a degree, and there are almost always political issues surrounding different risks, but these are not reasons to not implement a countermeasure.
9.C. A security policy captures senior management’s perspectives and directives on what role security should play within the company. Security policies are usually general and use broad terms so they can cover a wide range of items.
10.B. Although the other answers may seem correct, B is the best answer here. This is because a risk analysis is performed to identify risks and come up with suggested countermeasures. The ALE tells the company how much it could lose if a specific threat became real. The ALE value will go into the cost/benefit analysis, but the ALE does not address the cost of the countermeasure and the benefit of a countermeasure. All the data captured in answers A, C, and D are inserted into a cost/benefit analysis.
11.D. The ALE calculation estimates the potential loss that can affect one asset from a specific threat within a one-year time span. This value is used to figure out the amount of money that should be earmarked to protect this asset from this threat.
12.A. Three types of goals make up the planning horizon: operational, tactical, and strategic. Tactical goals are midterm goals that must be accomplished before the overall strategic goal is accomplished.
13.A. An exposure is an instance of being exposed to losses from a threat agent. A vulnerability can cause an organization to be exposed to possible damages. For example, if password management is lax and password rules are not enforced, the company can be exposed to the possibility of having users’ passwords captured and used in an unauthorized manner.
14.A. Security is not defined by a firewall, an access control mechanism, a security policy, company procedures, employee conduct, or authentication technologies. It is defined by all of these and how they integrate together within an environment. Security is neither purely technical nor purely procedural, but rather a mix of the two.
15.C. The functionality describes how a mechanism will work and behave. This may have nothing to do with the actual protection it provides. Assurance is the level of confidence in the protection level a mechanism will provide. When systems and mechanisms are evaluated, their functionality and assurance should be examined and tested individually.
16.B. Although answer C may seem correct to you, it is a subjective answer. Businesses will see their threats and risks as being more important than another organization’s threats and risks. The military has a rich history of having to keep its secrets secret. This is usually not as important in the commercial sector relative to the military.
17.D. The equation is more conceptual than practical. It is hard to assign a number to a vulnerability and a threat individually. This equation enables you to look at the potential loss of a specific asset, as well as the controls gap (what the specific countermeasure cannot protect against). What remains is the residual risk, which is what is left over after a countermeasure is implemented.
18.A. The other three answers are the main reasons to carry out a risk analysis. An analysis is not carried out to delegate responsibilities. Management will take on this responsibility once the results of the analysis are reported to it and it understands what actually needs to be carried out.
19.B. The number one ingredient management must provide when it comes to security is support. Management should define the role and scope of security and allocate the funds and resources. Management also delegates who does what pertaining to security. It does not carry out the analysis, but rather is responsible for making sure one is done and that management acts on the results it provides.
20.C. An analysis is only as good as the data that goes into it. Data pertaining to risks the company faces should be extracted from the people who understand best the business functions and environment of the company. Each department understands its own threats and resources, and may have possible solutions to specific threats that affect its part of the company.
21.C. A quantitative risk analysis assigns monetary values and percentages to the different components within the assessment. A qualitative analysis uses opinions of individuals and a rating system to gauge the severity level of different threats and the benefits of specific countermeasures.
22.D. During a risk analysis, the team is trying to properly predict the future and all the risks that future may bring. It is somewhat of a subjective exercise and requires educated guessing. It is very hard to properly predict that a flood will take place once in ten years and cost a company up to $40,000 in damages, but this is what a quantitative analysis tries to accomplish.
23.A. An analysis usually takes a long time to complete because of all the data that must be properly gathered. There are generally many different sources for this type of data, and properly extracting it is extremely time-consuming. In most situations, it involves setting up meetings with specific personnel and going through a question-and-answer process.
24.C. A company’s or individual’s actions can be judged by the “Prudent Person Rule,” which looks at how a prudent or reasonable person would react in similar situations. Due care means to take these necessary actions to protect the company and its assets, customers, and employees. Computer security has many aspects pertaining to practicing due care. If management does not ensure these things are in place, it can be found negligent.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset