CISSP Study Notes-Domain 1 (Security and Risk Management)
CISSP exam review: a summary of the knowledge points and important exercises in Domain 1, Security and Risk Management.
Edited at 2024-02-12 08:29:54
Knowledge points
1.2 CIA Triad
Confidentiality
Confidentiality refers to preventing access to information assets by unauthorized entities, whether people or processes.
Integrity
Integrity protection prevents unauthorized changes to data.
Availability
Availability means that authorized subjects are granted timely and uninterrupted access to objects.
Authenticity
Authenticity is the property that data is genuine and actually comes from the source it claims to come from; it rests on integrity and non-repudiation.
non-repudiation
Non-repudiation ensures that the subject of an activity or the person who caused an event cannot deny that the event occurred.
Balanced Security
Each organization will have different priorities for considering CIA based on their own circumstances.
1.3 Evaluate and apply security governance principles
Security functions are aligned with business strategies and goals
When building your organization's security function, first design a security strategy that is consistent with the organization's overall business strategy and mission statement. Then develop a set of specific, measurable, achievable, relevant and time-bound (SMART) goals and objectives that help you maintain the confidentiality, integrity and availability of company systems and information without compromising the organization's ability to achieve its business goals.
Running an effective security program requires careful consideration of business needs and organizational strategy, as well as legal and compliance requirements, and requires governance across the organization to manage the effectiveness of security capabilities.
1.3.1. Organizational processes
security governance
Governance Committees
The governance committee is composed of executives responsible for managing all risks to the organization. Its primary goal is to provide oversight of the security function while ensuring that it continues to serve the needs of the organization and its stakeholders. The committee reviews ongoing and planned projects, security metrics, and any other security matters that may concern the enterprise as a whole.
Mergers and Acquisitions (M&A)
Every acquisition brings a unique set of circumstances. Security experts from both organizations should work together to evaluate each organization's security controls, eliminate redundancies, and make sure the combined systems remain secure.
Possible risk points:
•Unknowns: how will the acquired organization's IT facilities, security controls and processes be integrated with existing systems?
•New attack surface: for example, the current organization runs only Windows and Linux, while the acquired organization runs macOS, which the existing team may not know how to secure.
•Impact on resources: can existing staff keep current functions running and also take over the new systems?
•Disgruntled employees: staff unhappy with the acquisition are a serious insider threat.
Countermeasures:
•Review company information security policies and procedures
•Review the company's data assets and identify any applicable regulatory or compliance requirements (e.g., PCI DSS, HIPAA, GDPR).
•Review the organization’s personnel security policy
•Identify any proprietary or custom applications managed by the company and require static and dynamic application security testing to demonstrate their security posture.
•Request the results of recent penetration tests, covering network, operating system, application and database testing.
•Review the organization's use of third-party and open source software to ensure the software is secure and properly licensed.
1.3.2. Divestiture
A divestiture is the separation of a part of a business into an independent organization
Actions that can be taken:
•Identify and classify all assets involved in the divestment; this includes hardware, software and information assets.
•Decouple affected systems from your remaining infrastructure.
•Review all access rights.
• Consult with your legal and compliance teams to ensure you are following all necessary regulatory and compliance requirements surrounding data retention, deletion, etc.
1.3.3. Organizational roles and responsibilities
1.3.3.1 Chief Information Security Officer (CISO)
The chief information security officer is the senior executive responsible for the overall management and oversight of the information security program within an organization.
The chief information security officer drives the organization's security strategy and vision and is ultimately responsible for the security of the company's systems and information.
1.3.3.2 Chief Security Officer (CSO)
The CSO is a senior executive within an organization and is typically responsible for all physical security and personnel security matters.
Many organizations have merged the responsibilities of the CSO into the role of the CISO
1.3.4. Security control framework
1.3.4.1 Security controls
Security controls are the technical, operational, or administrative safeguards an organization uses to prevent, detect, reduce, or counter security threats.
1.3.4.2 Security control type:
Technical controls: system-based protections and countermeasures such as firewalls, IDS/IPS, and data loss prevention (DLP).
Operational controls: Protective measures and countermeasures performed primarily by humans, such as security guards.
Management controls: include policies, procedures and other countermeasures to control information security risks.
1.3.4.3 Common security control framework:
1.3.5. Due care and due diligence
1.3.5.1 Due Care
Due care means acting as a reasonable and prudent person would to protect information security, including maintaining the confidentiality, integrity and availability of information. It applies to every person and organization, regardless of their level of expertise in information security.
1.3.5.2 Due Diligence
Due diligence refers to a series of measures taken in information security to ensure that reasonable security measures have been implemented and work effectively. These include developing a formal security framework, developing security policies, standards, baselines, guidelines and procedures, and more. In this regard, it is the responsibility of senior management to ensure that due diligence is carried out.
1.4 Determine compliance and other requirements
1.4.1. Contractual, legal, industrial standards and regulatory requirements
Compliance means adherence to mandates: the set of activities an organization carries out to understand and meet all applicable laws, regulations, industry standards and contractual agreements. Security professionals should understand the national, regional and state laws that apply to their business.
1.4.1.1 Computer Security Act
Passed by the U.S. Congress in 1987; it has since been superseded and replaced by FISMA.
1.4.1.2 FISMA
The Federal Information Security Management Act requires all U.S. federal government agencies, and the non-governmental organizations that provide information services to them, to conduct risk-based security assessments consistent with the NIST Risk Management Framework (RMF).
1.4.1.3 SOX
The Sarbanes-Oxley Act, which regulates the financial reporting of publicly listed companies.
1.4.1.4 PCI DSS
The Payment Card Industry Data Security Standard, an industry standard enforced by contract with the card brands rather than by law.
1.4.1.5 SOC
Stands for System and Organization Controls, an audit framework with three commonly used SOC audit and reporting types, named SOC 1, SOC 2 and SOC 3.
SOC 1: audit of controls relevant to financial reporting.
SOC 2: detailed audit and compliance report on security, availability, processing integrity, confidentiality and privacy; generally not made public.
SOC 3: a summarized version of SOC 2 that can be shared publicly.
1.4.2. Privacy requirements
Privacy requirements refer to protecting the security and confidentiality of personal information during information processing and limiting access to personal information to the authorized use scope of the authorized party. In essence, privacy refers to the protection of personally identifiable information to protect an individual's right to privacy.
1.4.2.1PII
Personally identifiable information (PII), any information that can identify an individual, such as your name, address, phone number, bank card number, driver's license and social security number (ID card), etc.
1.5. Understand the legal and regulatory issues related to information security as a whole
1.5.1. Cybercrime and data breaches
1.5.1.1 Cybercrime
Cybercrime refers to criminal activities directly involving computers or the Internet, which mainly include:
1. Crimes against people, such as identity theft
2 Infringement of property, such as damaging computers and stealing intellectual property
3. Crimes against the government, such as stealing classified information
1.5.1.2 Data leakage
Data breaches are a common type of cybercrime in which information is accessed or stolen without authorization. Organizations affected by a breach may face reputational damage, identity theft incidents, fines, or loss of intellectual property. Encrypting sensitive data at rest and in transit is one of the simplest ways to limit the damage of a breach: stolen ciphertext is of little use to the attacker without the key.
1.5.1.3 Relevant US laws:
Computer Fraud and Abuse Act (CFAA): the first U.S. criminal law aimed at cybercrime, making many types of unauthorized computer access a federal crime. It has been amended several times since.
Electronic Communications Privacy Act (ECPA): restricts government interception of electronic communications and access to stored communications; the government must meet strict requirements to obtain a warrant for them.
Identity Theft and Assumption Deterrence Act: makes identity theft a federal crime.
1.5.2. Licensing and Intellectual Property (IP) Requirements
1.5.2.1 Software License
Software is an important form of intellectual property. Organizations invest significant financial and human resources in developing software and then protecting the software through licensing agreements. There are four common types of license agreements:
1. Contractual license: a written contract between the software vendor and the customer outlining their respective responsibilities.
2. Shrink-wrap license: becomes effective when the user breaks the seal on the packaging.
3. Click-through license: the customer clicks an "I Agree" button when installing software or registering for a service.
4. Cloud service license: a click-through agreement that governs use of a cloud service.
1.5.2.2 Intellectual property rights
A very important responsibility of information security professionals is to protect the intellectual property belonging to their organization from unauthorized use or disclosure.
1.Copyrights
Copyright protects creative works from being misappropriated. These works may include such categories as books, films, songs, poetry, artistic creations, and computer software.
Copyright protection is granted automatically to the creator at the time of creation, but note that works created in the course of employment generally belong to the employer (work for hire). Copyright protection lasts for 70 years after the author's death. Copyright is indicated by the © symbol.
2.Trademarks
Trademarks protect the words and symbols you use to identify your products and services, including brand names, logos and slogans. Trademarks can exist indefinitely, but registration must be renewed every 10 years. Trademarks are indicated by the ™ symbol and, once registered with the government, by the ® symbol.
3.Patents
Patents protect inventions and provide the inventor with exclusive rights to use their invention for a period of time. Once granted, patent rights generally last 20 years after the filing date. In order to obtain a patent, inventors must demonstrate that their idea meets three criteria:
First, it must be novel;
Second, it must be useful;
Finally, it must be something that is not obvious;
4. Trade Secrets
With a trade secret, the owner tells no one about the invention and keeps the details secret. As long as the organization can protect the secret, it enjoys exclusive rights to the invention. The disadvantage is that if others discover how the invention works, they are free to use it. Restrict the knowledge of those within the organization who know trade secrets through a non-disclosure agreement (NDA).
1.5.3. Import and Export Controls
Many countries have requirements for the types of information and goods that may cross international borders. Information security professionals must understand the various import and export controls that apply to their industry and ensure that their activities comply with these regulations.
1.5.3.1 United States Import/Export Controls
The International Traffic in Arms Regulations (ITAR) cover anything related to defense articles and services.
The Export Administration Regulations (EAR) cover many broad technology categories, including sensitive electronics and computers, lasers, navigation, marine technology, and more.
1.5.4. Cross-border data flow
Cross-border data flow requirements restrict certain data from entering or leaving a specific geographic location or jurisdiction. For example, China's Cybersecurity Law requires that personal data of Chinese citizens collected in China be stored in China and not be transferred abroad without the permission of the Chinese government.
1.5.5. Privacy
The two most common elements of private information are personally identifiable information (PII) and protected health information (PHI).
1.5.5.1 Relevant privacy laws in the United States
1. Privacy Act of 1974
Primarily regulates the collection, maintenance, use and dissemination of PII by U.S. federal government agencies.
2. Health Insurance Portability and Accountability Act (HIPAA)
Requires hospitals, physicians, insurance companies, and other organizations that handle or store PHI information to adopt strict security measures.
3.Children’s Online Privacy Protection Act (COPPA)
Strict guidelines are in place for online businesses to protect the privacy of children under 13 years of age.
4. Financial Services Modernization Act (GLBA)
Propose regulatory requirements for financial institutions to exchange customer information. Requires agencies to implement appropriate security controls to protect their customers' personal data.
5. Health Information Technology for Economic and Clinical Health (HITECH) Act
The bill expands HIPAA’s privacy protections and imposes harsher penalties. Breach notification rules have also been introduced, requiring disclosure to affected parties within 60 days of a breach.
1.5.5.2 Relevant EU privacy laws
1. Data Protection Directive (DPD)
Regulated the processing of personal data of EU citizens. It was the first major privacy law in the European Union and was considered the foundational privacy regulation across Europe. It has been replaced by the GDPR.
2. General Data Protection Regulation (GDPR)
It sets out seven principles for the processing of personal data:
1) Legality, fairness and transparency: Obtain and process personal data in accordance with applicable laws, and fully inform users how their data will be used.
2) Purpose limitation: Determine the "specific, clear and legitimate" purpose for collecting data and inform them of this purpose
3) Data Minimization: Collect and process the minimum amount of data necessary to provide the agreed services.
4) Accuracy: Ensure that personal data remains "accurate and, where necessary, updated."
5) Storage limitation: Personal data is stored only for the time necessary to provide the agreed services. Comply with the "right to be forgotten"
6) Integrity and confidentiality
7) Accountability: Data controllers (that is, the party that stores and processes personal data) must be able to demonstrate compliance with all requirements.
Note: If your organization stores or processes the personal data of EU citizens or residents, then the GDPR applies to you, regardless of whether your company is located in the EU. And requires data controllers to notify relevant parties within 72 hours after becoming aware of a personal data breach. For cross-border information sharing, standard contractual clauses or binding corporate rules must be used.
3. Safe Harbor and Privacy Shield were privacy agreements between the United States and the European Union for transferring EU personal data to the U.S.; both have since been invalidated by the EU courts.
1.6. Understand requirements for investigation types
1.6.1. Investigation types
1.6.1.1 Administrative investigation (Administrative)
An investigation within an organization to find the root cause of a problem and resolve it so that the business can resume normal operations.
1.6.1.2 Criminal investigation (Criminal)
An investigation conducted by a government agency that investigates violations of criminal laws.
Highest standard of proof: beyond a reasonable doubt.
1.6.1.3 Civil Investigation (Civil)
An investigation into a non-criminal dispute between parties, such as a contract or intellectual property dispute; it is usually conducted by the parties and their lawyers rather than by law enforcement.
Lower standard of proof: preponderance of the evidence.
1.6.1.4 Regulatory
Investigations by government agencies into potential violations of administrative law, or independent regulators into violations of industry standards.
Regulatory investigations may be civil or criminal in nature.
1.7. Develop, document and implement security policies, standards, procedures and guidelines
1.7.1. Security Policy Framework
1.7.1.1 Security Policies (Policies)
A security policy is a set of statements that very carefully describes an organization's long-term security expectations and identifies the principles and rules that govern the protection of information systems and data in the organization.
•Compliance with policies is mandatory and policies are usually approved by the highest level of the organization.
Some common security policies: acceptable use policy, access control policy, change management policy, remote access policy, disaster recovery policy
1.7.1.2 Security standards (Standards)
Security standards specify the details of the security controls an organization must follow, such as approved encryption protocols, where data may be stored, configuration parameters, and other technical and operational details. For complex configuration standards, organizations often draw on industry benchmarks such as the Center for Internet Security (CIS) benchmarks.
Compliance with security standards is mandatory. A security baseline is related to standards: it establishes the minimum security level for a system, network, or device, and a system that does not meet its baseline should not go into production.
1.7.1.3 Security procedures (Procedures)
Security procedures are step-by-step instructions that employees follow when performing specific security tasks.
1.7.1.4 Security guidelines (Guidelines)
Guidelines are where security professionals offer advice to other members of the organization, including information security best practices. Compliance with guidelines is optional.
1.8 Identify, analyze and prioritize business continuity (BC) requirements
1.8.1. Business Impact Analysis (BIA)
Business impact analysis helps an organization identify its essential business functions, using quantitative or qualitative risk assessments, and understand the impact of a disaster on each function; business impact analysis provides the primary basis for the business continuity plan (BCP) and its requirements.
BIA helps an organization determine which of its business functions are more resilient and which are more vulnerable.
1.8.1.1 Process:
1. Start by establishing your BC project team, scope and budget
2. Identify critical business functions (CBFs) and other essential business elements, including:
personnel
Business Process
Information Systems and Applications
Other assets
3. Conduct a risk analysis for each critical business function:
•Identify any vulnerabilities that exist
•Likelihood of adverse events
•Level of impact
1.8.1.2 Methods to determine the degree of impact
1. Maximum Tolerable Downtime (MTD), also called Maximum Acceptable Outage (MAO), is the total length of time a critical business function can be unavailable before the organization suffers unacceptable harm. The MTD is set by the business owner of the function, who has ultimate responsibility for its proper operation.
2. Recovery Time Objective (RTO) is the target time within which a critical business function must be restored after an outage to avoid unacceptable consequences. RTO must be less than or equal to MTD.
3. Recovery Point Objective (RPO) is a measurement of tolerable data loss, expressed in time periods.
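The three objectives above only make sense as a set: an RTO longer than the MTD, or a backup schedule looser than the RPO, is a plan that cannot deliver what the business asked for. The following is an added example (not part of the original notes) that checks those relationships for each critical business function and ranks the functions quantitatively using the standard risk formulas SLE = AV × EF and ALE = SLE × ARO, which is the quantitative assessment the BIA section mentions. All functions, values and rates are constructed sample data for a hypothetical organization.

```python
"""Added example (not part of the original notes): a small BIA helper that
checks the recovery objectives of each critical business function (CBF)
and ranks the functions for the continuity plan.

Rules applied:
  * RTO must be <= MTD (MAO), otherwise the objective cannot be met.
  * RPO is the tolerable data loss as a time window, so the interval
    between backups must be <= RPO.
  * Quantitative impact uses the standard risk formulas
      SLE = asset value (AV) * exposure factor (EF)
      ALE = SLE * annualized rate of occurrence (ARO)
All business functions, values and rates below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    mtd_hours: float            # maximum tolerable downtime (MAO)
    rto_hours: float            # recovery time objective
    rpo_hours: float            # recovery point objective (tolerable data loss)
    backup_interval_hours: float
    asset_value: float          # AV, in currency units
    exposure_factor: float      # EF, fraction of AV lost per incident (0..1)
    aro: float                  # annualized rate of occurrence


def single_loss_expectancy(f: BusinessFunction) -> float:
    """SLE = AV * EF: expected loss from one occurrence."""
    return f.asset_value * f.exposure_factor


def annualized_loss_expectancy(f: BusinessFunction) -> float:
    """ALE = SLE * ARO: expected loss per year, used to rank functions."""
    return single_loss_expectancy(f) * f.aro


def objective_violations(f: BusinessFunction) -> list[str]:
    """Return the recovery objectives that are inconsistent with each other."""
    problems = []
    if f.rto_hours > f.mtd_hours:
        problems.append(f"RTO {f.rto_hours}h exceeds MTD {f.mtd_hours}h")
    if f.backup_interval_hours > f.rpo_hours:
        problems.append(
            f"backup interval {f.backup_interval_hours}h exceeds RPO {f.rpo_hours}h")
    return problems


def bia_report(functions: list[BusinessFunction]) -> list[dict]:
    """Rank by ALE (highest first), then by the tightest MTD, and attach
    the objective violations the BCP team must resolve for each function."""
    ranked = sorted(functions,
                    key=lambda f: (-annualized_loss_expectancy(f), f.mtd_hours))
    return [
        {
            "name": f.name,
            "sle": single_loss_expectancy(f),
            "ale": annualized_loss_expectancy(f),
            "violations": objective_violations(f),
        }
        for f in ranked
    ]


# Constructed sample data (hypothetical organization).
SAMPLE_FUNCTIONS = [
    BusinessFunction("Online order processing", 4, 2, 1, 0.5, 2_000_000, 0.25, 2.0),
    BusinessFunction("Payroll", 72, 96, 24, 24, 500_000, 0.10, 0.5),
    BusinessFunction("Customer support portal", 24, 8, 4, 6, 300_000, 0.30, 1.0),
]

if __name__ == "__main__":
    for row in bia_report(SAMPLE_FUNCTIONS):
        status = "; ".join(row["violations"]) or "objectives consistent"
        print(f"{row['name']:<26} SLE={row['sle']:>10,.0f} "
              f"ALE={row['ale']:>10,.0f}  {status}")
```

In the sample data, payroll's RTO (96 h) is longer than its MTD (72 h) and the support portal is backed up less often than its RPO allows; both are findings the BCP team must take back to the business owners before the plan is approved, while the ranking tells them which function to fund first.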
1.8.2. Develop and document scope and plan
1.8.2.1 Business Continuity Plan (BCP)
A business continuity plan is designed to protect an organization's critical business functions and customers and ensure that the organization can continue to operate effectively within specified service levels and time periods to meet legal and regulatory requirements, as well as the MTD, RTO, and RPO set by the organization.
Business Continuity Plan BCP Phase
Project Scope and Plan
organizational analysis
Identify departments and people with a stake in the BCP process
Operations department responsible for delivering core business to customers
Key support services such as IT, facilities and maintenance staff, other teams
Corporate security team responsible for physical security
Senior managers and persons important to the ongoing operations of the organization
This analysis is the basis for selecting the BCP team and, after confirmation by the BCP team, is used to guide subsequent stages of BCP development.
Choose a BCP team
The department's technical experts, physical and IT security personnel with BCP skills, legal representatives familiar with the company's legal, regulatory and contractual responsibilities, and representatives from senior management. Other team members depend on the structure and nature of the organization.
Resource requirements
Legal and regulatory requirements
business impact analysis
BIA is the core part of BCP and is divided into 5 steps
Prioritize
Business feature priority list
Determine MTD, the maximum tolerable downtime
Determine RTO, where RTO must be less than or equal to MTD
Determine RPO, the recovery point objective
Risk Identification
Possibility assessment
Determine ARO for each risk
Impact Analysis
Resource prioritization
continuity plan
strategy development
Preparation and processing
personnel
Building/Facility
infrastructure
Plan approval and implementation
plan approval
Plan implementation
training and education
BCP documentation
1.8.2.2 General scope of BCP
Although there is no universal BCP standard, most plans typically include the following:
critical business functions
Threats, Vulnerabilities and Risks
Data backup and recovery plan
BCP-related personnel
communication plan
BCP testing requirements
1.8.2.3 Requirements and techniques for protecting people, processes and technology
1. Personnel:
Ensuring the safety of people inside and outside the organization during emergencies is the primary goal of BCP. Provide appropriate training and education so employees know how to act in an emergency.
2. Process:
Assess critical business functions and determine resources needed in the event of a disaster. Develop backup site plans for critical data processing facilities and capabilities to ensure continued operations.
3. Technology:
Anticipate software and hardware failures and develop controls to reduce risk. Implement data backup and redundant systems, including infrastructure such as power, water, communications and network connectivity.
1.9 Promote and enforce personnel security policies and procedures
1.9.1 Screening and recruitment of candidates
Employees may be the weakest link in the security chain. Not every employee will put the organization's best interests first, and insider attacks often lead to highly damaging security breaches. Personnel security should therefore be a foundation of the cybersecurity program:
•Hiring managers should work with Human Resources to clearly and accurately document job responsibilities and descriptions.
•Determine the sensitivity or classification of roles to assign appropriate permissions.
1.9.1.1 Background Check
•Education background
•Work experience
•Citizenship
•Criminal record
•Drug testing
•Academic records (grades)
•Credit and financial history
•Social media activity
Note: foreign companies generally do not include a general physical health examination as part of screening.
1.9.2. Employment Agreements and Policies
1.9.2.1 Non-disclosure and non-compete agreements
The most common employee agreements are non-disclosure agreements (NDA) and non-competition agreements (NCA).
1. Non-Disclosure Agreement (NDA)
An agreement that limits the disclosure of sensitive information obtained by an employee or contractor (or any other person who may be exposed to sensitive information) in the course of their employment or relationship with the organization. An NDA is designed to maintain the confidentiality of organizational data (such as trade secrets or customer information) and typically remains in force after the employee leaves the company.
2. Non-Competition Agreement (NCA)
Restricts an employee from directly competing with the organization while employed and, in most cases, for a set period after leaving the company. A non-compete is a one-way agreement designed to protect the organization from former employees or contractors.
1.9.2.2 Organizational requirements
In addition to NDAs and NCAs, employees may be required to sign other requirements of the organization, such as an acceptable use policy (AUP), code of conduct, or conflict of interest policy.
1.9.2.3 Onboarding: Employment Agreements and Strategies
After joining the company, you must first sign an employment agreement. Depending on the position, you may need to sign a non-disclosure agreement (NDA) and a non-competition agreement (NCA). System access rights are assigned according to the employee's position. Then, provide training to employees, including organizational culture, strategies, processes, skills, etc.
1.9.2.4 Employee supervision
Managers should periodically review or evaluate each employee's job description, tasks, authorities, and responsibilities throughout an employee's position to ensure they are still meeting the requirements of the position.
•Privilege creep (privilege drift): As employees' work content increases, they may obtain permissions that exceed the requirements of the position.
•Mandatory vacations: Require employees to be away from their jobs for 1-2 weeks and replaced by other employees to detect abuse, fraud or negligence.
•Collusion: Reduce the likelihood that employees will be willing to cooperate in an illegal or abusive scheme through measures such as segregation of duties, forced leave, job rotation, and cross-training because of the higher risk of detection.
•User and Entity Behavior Analytics (UEBA): analysis of user and entity activity to detect behaviour that deviates from the norm, which helps focus supervision where it is needed.
1.9.2.5 Resignation, job transfer and termination process
When employees resign, they should pay attention to the following points:
•Disable, but do not delete, the employee's user account, at the same time as or before the employee is notified of termination; the account is retained for audit purposes.
•Emphasis on NDA and NCA responsibilities during exit interviews.
. Ensure employees return company assets, including but not limited to keys, access cards, cell phones, computers, etc.
•Have security personnel escort the employee while they collect personal belongings from the work area.
•Notify all relevant personnel of the employee's separation.
1.9.2.6 Supplier, Consultant and Contractor Agreements and Controls
Multi-party risk exists when multiple entities or organizations are involved in a project. A service level agreement (SLA) ensures that the supplier's product or service level meets expectations; if it does not, the SLA specifies compensation, which gives the supplier an incentive to maintain service quality. Suppliers, consultants and contractors are collectively referred to as outsourcing. Organizations can also manage outsourcing more efficiently through a vendor management system (VMS).
1.9.2.7 Compliance policy requirements
Personnel security management needs to meet legal and regulatory requirements, such as PCI DSS.
1.9.2.8 Privacy Policy Requirements
Personnel security management also needs to meet the requirements of privacy policies, such as GDPR.
1.9.3. Onboarding, transfer and termination procedures
Recruitment, transfer and separation are the three stages of employment, and each stage has its own security considerations.
1.9.3.1 Onboarding training
Remind employees of their obligation to protect information and guard against threats, and should be aware that their actions may be scrutinized.
1.9.3.2 Job transfer
Remove access rights that are no longer needed when reassigning, and follow the principle of least privilege.
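The transfer rule above and the privilege-creep and segregation-of-duties points under employee supervision are the same control seen from two sides: compare what a person can do today with what their current role is approved for, and remove the difference. The following is an added example (not part of the original notes) of an access review that does this. Roles, users, and entitlement names such as "erp:approve_payment" are constructed sample data, not any real system's identifiers.

```python
"""Added example (not part of the original notes): an access review that
detects privilege creep after a job transfer and flags separation-of-duties
conflicts. Every role has an approved entitlement baseline; a user's live
entitlements are compared with the baseline of their *current* role, so
permissions carried over from a previous role show up as excess and can be
queued for removal. Roles, users and entitlement names (e.g.
"erp:approve_payment") are constructed sample data, not a real system."""

# Approved baseline per role: the least privilege the role needs.
ROLE_BASELINES = {
    "accounts_payable": {"erp:view_invoice", "erp:create_payment"},
    "treasury": {"erp:view_invoice", "erp:approve_payment", "bank:wire"},
    "helpdesk": {"ad:reset_password", "ticket:read", "ticket:write"},
}

# Entitlement combinations that one person must never hold together.
TOXIC_COMBINATIONS = [
    ({"erp:create_payment", "erp:approve_payment"}, "create and approve the same payment"),
    ({"ad:reset_password", "bank:wire"}, "reset credentials and move funds"),
]

# Constructed directory export. alice moved from accounts_payable to
# treasury but kept erp:create_payment; bob matches his role exactly;
# carol is missing one entitlement (a provisioning gap, not creep).
SAMPLE_USERS = [
    {"user": "alice", "role": "treasury",
     "entitlements": {"erp:view_invoice", "erp:create_payment",
                      "erp:approve_payment", "bank:wire"}},
    {"user": "bob", "role": "helpdesk",
     "entitlements": {"ad:reset_password", "ticket:read", "ticket:write"}},
    {"user": "carol", "role": "accounts_payable",
     "entitlements": {"erp:view_invoice"}},
]


def review_user(user: dict, baselines: dict) -> dict:
    """Compare a user's live entitlements with their current role's baseline.
    An unknown role has an empty baseline, so every entitlement is excess."""
    baseline = baselines.get(user["role"], set())
    current = set(user["entitlements"])
    return {
        "user": user["user"],
        "role": user["role"],
        "excess": sorted(current - baseline),    # privilege creep: revoke
        "missing": sorted(baseline - current),   # provisioning gap: report
    }


def find_privilege_creep(users: list, baselines: dict) -> list:
    """Users holding entitlements beyond their current role's baseline."""
    return [r for r in (review_user(u, baselines) for u in users) if r["excess"]]


def find_sod_violations(users: list, toxic=TOXIC_COMBINATIONS) -> list:
    """Users who hold a toxic combination, regardless of role baselines."""
    findings = []
    for u in users:
        held = set(u["entitlements"])
        for combo, why in toxic:
            if combo <= held:
                findings.append({"user": u["user"], "conflict": why,
                                 "entitlements": sorted(combo)})
    return findings


if __name__ == "__main__":
    for r in find_privilege_creep(SAMPLE_USERS, ROLE_BASELINES):
        print(f"{r['user']} ({r['role']}): revoke {r['excess']}")
    for v in find_sod_violations(SAMPLE_USERS):
        print(f"{v['user']}: SoD conflict, can {v['conflict']} via {v['entitlements']}")
```

The separation-of-duties check runs independently of the baselines on purpose: even if a role baseline were mistakenly written to include both halves of a toxic pair, the review would still flag every user who holds them.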
1.9.3.3 Resignation
Resignation is divided into voluntary and involuntary. When an employee leaves on good terms, it is enough to go through the organization's separation process.
If the separation is involuntary, appropriate actions should be taken to protect the assets of the organization
•Exit interview, reminder of signed NDA and other relevant agreements
•Closing access to the system while notifying employees of termination and conducting separation checklist checks
•Inform the remaining employees that the terminated employee will no longer be allowed into the organization
The separation checklist includes: revoking access rights, recovering keys, badges, equipment and documents.
1.9.4. Supplier, Consultant and Contractor Agreements and Controls
Organizations often outsource functions such as data center hosting and application development. Signing NDAs and other agreements with these outsourcing partners places compliance obligations on them and helps prevent third parties from leaking sensitive information. Some recommended security measures:
•Implement access controls
•Review the documents exchanged with the third party
•Manage and monitor maintenance hooks (backdoors)
•Conduct on-site assessments
•Review processes and policies
•Establish service level agreements
1.9.5.2 Policy training and sanctions
•Employee training: Provide initial and recurring training to employees and other relevant personnel to ensure policy compliance.
•Security Awareness: Improve attention and understanding of information security.
•Job-related training: Provide specific training based on employees’ job requirements.
•Make policy consequences clear: State in the policy the potential consequences of non-compliance, such as disciplinary action, suspension or dismissal.
1.9.5. Comply with policy requirements
1.9.5.1 Organizational policy requirements
•Compliance with laws and regulations: Ensure that organizational policies comply with applicable laws, regulations and other legal obligations.
•Policy Consistency: The organization's requirements, controls and procedures must be consistent with policy.
1.9.6. Privacy Policy Requirements
Organizations have legal and ethical responsibilities to protect the privacy of their employees when handling sensitive personnel information. This information may include background checks, Social Security numbers (ID numbers), salary information and health information. To keep this information secure, organizations should cover the following principles in their privacy policy:
•Minimization principle: Only collect information necessary to complete the legitimate employment process.
•Restricted Access: Provide access only to those who need to know such information.
•Use encryption: Use encryption technology as much as possible to prevent information from being read through abnormal channels.
1.10 Understand and apply risk management concepts
1.10.1 Identify threats and vulnerabilities
Risk is the likelihood that a potential threat will exploit a vulnerability to negatively impact an organization, objectives, or assets, including people, systems, and data.
1.10.1.1 Risk classification
•Inherent risks are those that exist before any control measures are implemented
•Residual risk is the level of risk that remains after controls are in place
1.10.1.2 Threat:
A person or entity that may intentionally or unintentionally breach the security of an asset, such as a hacker, a disgruntled employee, or a natural disaster.
1.10.1.3 Vulnerabilities
A weakness in a system or control that creates risk if it is exploited by a threat actor.
1.10.1.4 Assets
An asset is anything of value, which may include people, property, and information.
1.10.2.Risk assessment and analysis
1.10.2.1 Definition of risk assessment
Risk is the intersection between threats, vulnerabilities and assets. Risk assessment is a series of activities that includes identifying potential threats and vulnerabilities and determining the impact and likelihood of those threats exploiting the identified vulnerabilities.
1.10.2.2 Steps to assess risk:
1. Risk Identification: Identifying assets and their value to the organization
2. Risk analysis: Determine the likelihood that a threat will exploit a vulnerability
3. Risk Assessment: Determine the business impact of these potential threats
4. Risk treatment: Provide an economic balance between the impact of the threat and the cost of countermeasures
1.10.2.3 Risk identification
It begins by identifying the organization's assets and determining the value of those assets, then identifying and describing the vulnerabilities and threats that pose risks to the assets.
1.10.2.4 Risk analysis
Risk analysis starts with vulnerability assessment and threat analysis, calculating the likelihood of risks occurring and ranking them according to their impact.
1.10.2.4.1 Qualitative risk analysis
In many cases the value cannot be quantified, for example the organization's reputation or the value of its data, so judgment-based ratings are used instead. Asset value, likelihood and risk level are expressed as levels such as high/medium/low, a 0-10 scale or a 100-point scale.
Qualitative risk analysis techniques include: brainstorming, storyboarding, focus groups, surveys, questionnaires, interviews, scenarios, and Delphi techniques
1.10.2.4.2 Quantitative risk analysis
The main steps of quantitative risk analysis:
•Inventory assets and assign each an asset value (AV)
•Match each asset with the threats that could affect it
•Calculate the exposure factor (EF) for each asset-threat pairing: the percentage of the asset's value that would be lost if the specific threat materialized
•Calculate the single loss expectancy (SLE) for each asset-threat pairing: the monetary loss from one occurrence of the threat (SLE = AV * EF)
•Calculate the annualized rate of occurrence (ARO) for each threat: the expected number of times the threat will affect the asset in one year (a value below 1 means it is expected less often than yearly)
•Calculate the annualized loss expectancy (ALE) for each asset-threat pairing: the expected yearly monetary loss from the specific threat (ALE = SLE * ARO)
•Develop candidate countermeasures for each asset-threat pair and calculate the resulting changes in EF, ARO and ALE, together with the annual cost of the safeguard (ACS)
•Conduct a cost/benefit evaluation of each countermeasure and select the most appropriate response for each threat. The value of a safeguard is (ALE_pre - ALE_post) - ACS: a positive result means the safeguard is worth its cost, a negative result means it is not.
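The following Python script works the SLE, ALE and safeguard cost/benefit formulas above through a complete asset-threat pairing with several candidate safeguards and picks the one with the highest positive value. It is an added example, not material from the CISSP study notes; the asset, exposure, frequency and cost figures are constructed for illustration only.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added example. All monetary values, exposure factors and rates below are
constructed for illustration and are not taken from any real assessment.
"""
from dataclasses import dataclass


def sle(av: float, ef: float) -> float:
    """Single loss expectancy = asset value * exposure factor (0.0 .. 1.0)."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy = SLE * annualized rate of occurrence."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle(av, ef) * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    acs: float       # annual cost of the safeguard (purchase, operation, training)
    ef_post: float   # exposure factor once the safeguard is in place
    aro_post: float  # annualized rate of occurrence once the safeguard is in place


def safeguard_value(av: float, ef_pre: float, aro_pre: float, sg: Safeguard) -> float:
    """(ALE_pre - ALE_post) - ACS. Positive: the safeguard pays for itself."""
    return ale(av, ef_pre, aro_pre) - ale(av, sg.ef_post, sg.aro_post) - sg.acs


def best_safeguard(av: float, ef_pre: float, aro_pre: float, candidates):
    """Return (safeguard, value) for the candidate with the highest positive value.

    Returns (None, 0.0) when no candidate is worth its cost; in that case
    accepting the risk (or transferring it) is the rational response.
    """
    best, best_value = None, 0.0
    for sg in candidates:
        value = safeguard_value(av, ef_pre, aro_pre, sg)
        if value > best_value:
            best, best_value = sg, value
    return best, best_value


def ransomware_example() -> dict:
    """Constructed scenario: ransomware against a customer database."""
    av, ef_pre, aro_pre = 500_000.0, 0.4, 0.5   # AV $500k, 40% loss, once per 2 years
    candidates = [
        # Offline backups cut the loss per incident but not how often it happens.
        Safeguard("offline backups", acs=20_000.0, ef_post=0.1, aro_post=0.5),
        # EDR reduces how often ransomware succeeds but not the damage when it does.
        Safeguard("endpoint detection", acs=60_000.0, ef_post=0.4, aro_post=0.2),
        # Complete isolation eliminates the risk but costs more than the risk itself.
        Safeguard("full network isolation", acs=150_000.0, ef_post=0.0, aro_post=0.0),
    ]
    chosen, value = best_safeguard(av, ef_pre, aro_pre, candidates)
    return {
        "sle": sle(av, ef_pre),
        "ale_pre": ale(av, ef_pre, aro_pre),
        "values": {sg.name: safeguard_value(av, ef_pre, aro_pre, sg) for sg in candidates},
        "best": chosen.name if chosen else None,
        "best_value": value,
    }


if __name__ == "__main__":
    result = ransomware_example()
    print(f"SLE = {result['sle']:,.0f}  ALE_pre = {result['ale_pre']:,.0f}")
    for name, value in result["values"].items():
        print(f"  {name:24s} value = {value:>10,.0f}")
    print(f"best: {result['best']} ({result['best_value']:,.0f})")
```

Note that the endpoint detection option has a value of exactly zero in this scenario: it removes as much expected loss as it costs, so on the formula alone it is not selected, and a real evaluation would also weigh factors the formula ignores (regulatory obligations, the safeguard's effect on other asset-threat pairs).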
1.10.3. Risk response
There are four main categories of risk treatment:
1.10.3.1 Risk avoidance (Avoid)
Eliminate identified risks by stopping or removing the activities or technologies that contribute to the risk.
1.10.3.2 Risk Mitigation (Mitigate)
Reduce the harm that risks can cause by implementing policy and technical measures.
1.10.3.3 Risk transfer (Transfer)
Also called risk assignment: the responsibility for, and potential losses from, a risk are shifted to a third party.
Most common form: purchasing insurance.
1.10.3.4 Risk Acceptance (Accept)
Accepting a risk becomes an option when the cost of avoiding, mitigating, or transferring the risk exceeds the expected losses from the realized threat.
1.10.4. Selection and implementation of countermeasures
1.10.4.1 Countermeasure considerations:
•Personnel related:
Hiring (or firing), organizational restructuring and awareness training are common people-related responses, along with background checks, employment practices, and security awareness and training.
•Management related:
Policies, procedures and other "workflow-based" mitigation measures generally fall into this category: policies, procedures, data classification and labeling, reporting and review, and work supervision.
•Technology related:
Encryption, configuration changes and other hardware or software changes: authentication methods, encryption, constrained interfaces, access control lists, protocols, firewalls, routers, intrusion detection systems, and clipping levels.
•Physical:
Guards, fences, motion detectors, locked doors, sealed windows, lighting, cable protection, laptop locks, badges, swipe cards, guard dogs, cameras, mantraps (access control vestibules) and alarms.
1.10.4.2 Effectiveness of countermeasures
Examine each countermeasure from the perspectives of prevention, detection and correction to confirm that it actually addresses the risk. For example, if encryption does not address a specific risk, try another approach, such as backups.
1.10.4.3 Cost-effectiveness of countermeasures
Make sure the cost of security measures is commensurate with the value of the assets being protected.
1.10.4.4 Business Impact
Consider whether the countermeasure is too difficult to implement or use; a control that staff misuse or work around can increase risk rather than reduce it.
1.10.5. Applicable control types
1.10.5.1 Control type
•Preventive: Stop incidents from happening, such as firewalls, locked doors, IPS.
•Detective: Identify incident activity and potential intruders, such as IDS, audit logs.
•Corrective: Repair a component or system after an incident occurs, such as patching.
•Deterrent: Discourage potential attackers, such as fences, guard dogs, warning signs.
•Recovery: Return the environment to normal operating status, such as system and data backups, disaster recovery sites.
•Compensating: Provide an alternative control when the primary control cannot be implemented.
1.10.6. Control assessment (security and privacy)
Organizations should conduct regular security control assessments (SCA) to ensure that security and privacy controls remain effective.
SCA can use self-assessment or external assessment by a third party.
1.10.6.1 SCA Assessment Method
•Examination: The assessor asks the organization to provide security policies, configuration files and similar artifacts, then reviews, observes, studies or analyzes them to form a preliminary opinion.
•Interviews: Assessors meet with key stakeholders to learn more about the security controls in place and how they operate.
•Testing: Testing confirms that security controls are implemented as documented, are effective, and operate as expected.
1.10.7. Monitoring and measurement
•Security controls should be continuously monitored and quantified to measure their effectiveness and provide suggestions for improvements.
•A set of key performance indicators (KPIs) should be defined to quantify control performance over time.
1.10.8. Reporting
Create formal reports to report key findings or indicators to executives, regulators, and other stakeholders detailing the results for each control evaluated. Reports may include the following:
•Internal audits (e.g. self-assessment)
•External audits (e.g. regulators or other third party audits)
•Significant changes in the organization’s risk profile
•Major changes to security or privacy controls
•Related or confirmed security breaches (or other incidents)
1.10.9. Continuous improvement
As threats and vulnerabilities change, the security program should maintain continuous improvement, tighten controls and improve the organization's overall information security posture. Enterprise risk management (ERM) can be assessed using the risk maturity model (RMM) to assess a mature, sustainable and repeatable risk management process.
1.10.9.1 Risk Maturity Model (RMM)
Usually contains five levels:
•Ad hoc: Use of ad hoc practices with poor control.
•Preliminary: Attempt to follow the risk management process, but each department may conduct risk assessments independently.
•Defined: Adopt a common or standardized risk framework across the organization.
•Integrated: Risk management operations are integrated into business processes, using metrics to collect effectiveness data, and treating risk as an element of strategic business decisions.
•Optimized: Focus on risk management to achieve goals, not just to respond to external threats; use strategic planning to achieve business success, not just to avoid incidents; incorporate lessons learned back into the risk management process.
1.10.10.Risk Framework
1.10.10.1 NIST Risk Management Framework
The Risk Management Framework (RMF) in NIST SP 800-37 Rev. 2 defines seven steps; the first, Prepare, sets up organizational and system-level context for the six core steps below:
•Categorize:
Classify all information systems based on their potential impact on the organization in terms of confidentiality, integrity, and availability.
•Select:
Select a baseline set of controls based on classification and impact.
•Implement
Implement selected controls.
•Assess:
Evaluate whether the controls are implemented correctly, operate as intended, and produce the desired security outcome.
•Authorize:
After the assessment, organizational leadership decides whether to authorize use of the system, based on the controls' ability to operate the system within risk tolerance and acceptance of residual risk.
•Monitor:
Continuously monitor the effectiveness of controls to ensure that the system operates within the organization's risk tolerance. If major problems are discovered, the cycle may start over from step one.
1.11. Understand and apply threat modeling concepts and methodologies
1.11.1. Threat Modeling
1.11.1.1 Threat modeling methods
The earlier threat modeling is performed in the life cycle, the more cost-effective it is. It is generally approached from one of the following three perspectives:
•Attacker-focused
Determine potential attacker characteristics, skill sets and motivations, and identify attackers who may carry out specific attacks. Develop a defense strategy.
•Asset-focused:
Identify assets of value to the organization and potential attackers, and assess how attackers might compromise the assets.
•Software-centric:
Use architectural diagrams (such as data flow diagrams or composition diagrams) to represent the system, evaluate potential attacks against each component, and determine the necessity, presence, and effectiveness of security controls.
1.11.1.2 Threat Modeling Framework
1. STRIDE (Microsoft)
2. PASTA (Process for Attack Simulation and Threat Analysis)
3. NIST SP 800-154 (Guide to Data-Centric System Threat Modeling, draft)
4. DREAD (deprecated; quantitative risk ranking of vulnerabilities by Damage, Reproducibility, Exploitability, Affected users and Discoverability)
5. Other Threat Modeling Methods
•OCTAVE: Focuses on operational risk, security controls and security technology in organizations.
•Trike: is an open source threat modeling method and tool that focuses on using threat models as risk management tools.
•CORAS: Also open source, it mainly relies on Unified Modeling Language (UML) to visualize threats on the front end
•VAST: Visual, Agile and Simple Threat Modeling, an approach that leverages agile concepts
1.11.1.3 STRIDE detailed explanation
•Spoofing identity
An attacker gains unauthorized access by impersonating someone else's identity to gain access to an application or system
•Tampering with data
An attacker attempts to alter or corrupt data in an application or system to cause unexpected or malicious results
•Repudiation
The attacker denies certain operations or transactions performed in the system so that he or she can avoid responsibility or cause disputes.
•Information disclosure
Attackers can steal or access confidential information from the system, including user passwords, credit card information, company secrets, and more.
•Denial of service
Attackers attempt to prevent or slow down normal user access to a system by making it unavailable or crashing.
•Elevation of privilege
An attacker can elevate themselves from a normal user to an administrator or other privileged user by exploiting an application or system vulnerability.
1.11.1.4 PASTA detailed explanation
PASTA is a risk-centric approach to threat modeling that combines business objectives with technical requirements, which makes its output more understandable to senior management. Where STRIDE is essentially a scheme for classifying and identifying threats, PASTA is a complete process that carries identified threats through to attack simulation and risk-based mitigation.
The PASTA process consists of the following seven stages:
1. Set goals
Business objectives and needs are identified to better understand the organization's overall risk tolerance and critical business processes and assets that may be at risk.
2. Determine the technical scope
The scope of technology and the architecture of the application are defined in order to understand the systems and components that may be vulnerable to attack
3. Application decomposition
The application is broken down into smaller components to understand each component's functionality, data flows and relationships with other components. This helps identify possible attack paths and potential threats.
4. Threat Analysis
Analyze the threats that may impact the organization, including internal and external threats. This can include identifying potential attackers, their motivations and capabilities, and their possible means of attack.
5. Vulnerability analysis
Conduct a vulnerability analysis of the system to identify potential weaknesses and security vulnerabilities. This can include code reviews, penetration testing, and other security assessment methods to find and fix security issues.
6. Attack enumeration
Based on the previous analysis, enumerate the attacks that could be carried out against the system. This helps to better understand the attack vectors and paths attackers may exploit.
7. Risk and impact analysis
Assess the risk and impact of each potential threat to prioritize and develop appropriate mitigation measures and security policies. This can help organizations effectively allocate resources and focus on focus areas while mitigating risk
1.12 Applying Supply Chain Risk Management (SCRM) Concepts
1.12.1. Risks related to hardware, software and services
Suppliers play a critical role in an organization's information technology operations by providing hardware, software and cloud computing services. Security professionals need to pay close attention to the organization's business relationships with vendors to protect the confidentiality, integrity and availability of its information and systems. This process, known as vendor due diligence, is designed to identify and manage the risks that come with procuring hardware, software and services.
1.12.1.1 Possible risks of hardware:
Defective parts or parts that do not meet specifications
Counterfeit or cloned parts
Electronic components containing firmware-level malware
1.12.1.2 Possible risks of software:
Trojan horse was implanted
There are vulnerabilities in the component library used
1.12.1.3 Possible risks in the service:
data leakage
1.12.2. Third-party assessment and monitoring
Governance and oversight activities should include on-site security investigations, formal security audits of third-party systems, and penetration testing where feasible. For new third-party partners, it is critical to assess them against the organization's security requirements, and gaps should be documented and closely monitored.
1.12.3. Minimum security requirements
Similar to baselines, organizations should establish minimum security requirements (MSRs) that define the lowest acceptable security standard suppliers and other participants in the supply chain must meet.
MSRs should cover all applicable legal, contractual and regulatory requirements. It is equally important to audit and evaluate how well third parties comply with the MSRs that have been established and communicated to them.
1.12.4. Service level requirements
A Service Level Agreement (SLA) is a contractual agreement that stipulates that a service provider guarantees a certain level of service, such as:
Performance metrics, service availability, response times and other relevant quality criteria. If services are not delivered to agreed levels, there will be consequences for the service provider (usually financial)
1.12.5. Framework
1.12.5.1 Framework for addressing supply chain risks:
1.NIST IR 7622
This document outlines 10 key practices that should be considered when dealing with supply chain risks.
2.ISO 28000
ISO 28000:2007 is heavily based on the Plan-Do-Check-Act (PDCA) process improvement model to optimize security management systems and ensure organizational compliance with security practices.
3. UK National Cyber Security Center (NCSC) Guidance
Divided into 4 stages (containing 12 principles in total):
•Understand the risks
•Establish control
•Check your arrangements
•Continuous improvement
1.13. Establish and maintain a security awareness, education and training program
1.13.1. Propose awareness and training methods and techniques
A security awareness program is a formal program designed to educate users to identify and respond to potential threats to an organization's information and systems, typically including new employee training, lectures, computer-assisted training, and printed materials, and through social engineering simulations, security advocates, and gamification to increase attention to critical safety issues.
1.13.1.1 Social Engineering
Social engineering is a manipulation tactic in which an attacker uses deception, often by impersonating someone else, to persuade a person to disclose sensitive information or take an unsafe action.
Phishing is the most common form of social engineering and a major source of security risk.
1.13.1.2 Security Champions
Security champions are advocates for security best practices within their teams; they are employees whose primary job is not security.
1.13.1.3 Gamification
Gamification is the application of game elements to non-game situations to engage and educate a target audience.
1.13.2. Regular content review
Information security is an evolving field, with threats and vulnerabilities constantly changing. To keep content relevant, the security awareness, education and training program must be reviewed and updated regularly, at least annually, so that outdated or irrelevant technology and terminology are removed.
1.13.3. Program effectiveness evaluation
1.13.3.1 Training indicators
Such as training completion rate, number of participants and other brief indicators.
1.13.3.2 Quiz
Quizzes are an effective way to evaluate the effectiveness of training.
1.13.3.3 Security Awareness Day
Security Awareness Days are designed to increase security awareness while collecting employee opinions and suggestions on security programs through anonymous questionnaires.
1.13.3.4 Internal Assessment
Assessment methods include collecting increases or decreases in the number of security incidents or reported suspected phishing incidents following the training.
Key exercises
You are responsible for your organization's security awareness program. Due to concerns that changes in technology may render content obsolete, what controls can be put in place to prevent this risk: A Gamification B Computer-based training C content review D Implement training
Correct answer: C Textbook Volume 1 P76 Effectiveness Assessment
Francine is a security expert for an American online service provider. She recently received complaints from copyright owners that information stored on her service by users infringed their copyrights. Which law dictates the action Francine must take? A. Copyright Act B. Lanham Act C. Digital Millennium Copyright Act D. Gramm-Leach-Bliley Act
Correct answer: C P115 Copyright and Digital Millennium Copyright Act; you need to remember the full name of each law
Just one question at the moment
FlyAway Travel has offices in the European Union (EU) and the United States and frequently transfers personal information between these offices. They recently received a request from an EU customer to terminate their account. Which requirement for the processing of personal information under the General Data Protection Regulation (GDPR) provides that an individual can request that his or her data no longer be disseminated or processed? A. Right of access B. Privacy by design C. Right to be forgotten D. Right to data portability
Correct answer: C did not find
Renee is reporting to the board on its responsibility for reviewing cybersecurity controls. Which rule holds senior executives personally accountable for information security matters? A. Due diligence rule B. Personal liability rule C. Prudent man rule D. Due process rule
Correct answer: C did not find The prudent man's rule holds senior managers responsible for ensuring that appropriate attention is maintained in their day-to-day work.
Zhang San recently assisted a colleague in preparing for the CISSP exam. During the process, Zhang San leaked confidential information about the exam, violating Article 4 of the Ethical Standards: Advancing and Protecting the Profession. Who can file ethics charges against Zhang San? A Anyone can bring charges. B Any professional who holds a certification or license can file a charge. C Only Zhang San’s employer can press charges. D Only the affected employee may file a pushback.
Correct answer: B did not find
Yolanda is the Chief Privacy Officer of a financial institution and is researching privacy requirements related to customer checking accounts. Which of the following laws is most likely to apply to this situation? A. GLBA B. SOX C. HIPAA D. FERPA
Correct answer: A did not find
Exporting which technologies is most likely to trigger export control laws and regulations? A. Memory chip B. Office Production Applications C hard drive D encryption software
Correct answer: D P119
After completing your business continuity planning efforts and deciding to accept one of the risks, you should next report What? A Implement new security controls to reduce risk levels. B Design a disaster recovery plan. C. Re-conduct the business impact assessment. D Document your decision-making process.
Correct answer: D
When conducting a review of the controls used by your organization's media storage facilities, you want to properly categorize each control that is currently in place. Which of the following control categories accurately describes the fencing around a facility? (Select all that apply.) A. Physical control B.Detection control C. Deterrence control D. Preventive control
Correct answer: ACD
Which of the following principles imposes on individuals a standard of care commensurate with that which a reasonable person would expect in the particular circumstances? A. Due diligence B. Segregation of duties C. Due care D. Least privilege
Correct answer: C
kelly believes an employee used computing resources for a side project without authorization. with management What? Following consultations, she decided to launch an administrative investigation. The burden of proof she must meet in this investigation is A. Preponderance of the evidence B.Beyond reasonable doubt C. Undoubtedly D. There is no standard
Correct answer: D Administrative investigation is not civil, criminal, or administrative law, so there are no standards
Keenan Systems recently developed a new microprocessor manufacturing process. The company hopes to license the technology to other companies but wants to prevent unauthorized use of the technology. Which type of intellectual property protection is most appropriate for this situation? A. Patent B. Trade secret C. Copyright D. Trademark
Correct answer: A
Mike recently implemented an intrusion prevention system that has been effective at blocking common network attacks against his organization. What type of risk management strategy is Mike pursuing? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transfer
C
Carl is a federal agent investigating a computer crime. He identified an attacker who was engaging in illegal conduct and wants to bring a case against the individual that could lead to a prison sentence. What standard of proof must Carl meet? A. Beyond a shadow of a doubt B. Preponderance of the evidence C. Beyond a reasonable doubt D. Clear and convincing evidence
C
The following organizations that engage in electronic transactions are not automatically subject to HIPAA’s privacy and security requirements: A healthcare provider B Health and Fitness App Developer C Health Information Clearinghouse D health insurance plan
B Requires hospitals, doctors, insurance companies and other organizations that process or store private medical information No program developers
Acme Widgets is developing new controls for its accounting department. Management is concerned that a dishonest accountant could create a false vendor and issue a check to that vendor as payment for services never performed. Which security control would best help prevent this from happening? A. Mandatory vacation B. Segregation of duties C. Defense in depth D. Job rotation
Correct answer: B Segregation of duties prevents one person from both creating a vendor and approving payment to it; mandatory vacation is a detective control (see the embezzlement question below) P35
Which of the following individuals is typically responsible for performing the operational data protection tasks delegated by senior management, such as verifying data integrity, testing backups and managing security policies? A. Data custodian B. Data owner C. User D. Auditor
A P157
Alan works for an e-commerce company and recently discovered that some of its content had been stolen by another website and republished without permission. Which type of intellectual property protection best protects Alan's company's interests? A. Trade secret B. Copyright C. Trademark D. Patent
B
Tom has enabled an application firewall from his cloud infrastructure service provider, which is designed to block many types of application attacks. From a risk management perspective, which metric is Tom trying to reduce with this countermeasure? A. Impact B. RPO C. MTO D. Likelihood
D
Beth, a human resources specialist, is preparing to assist in terminating an employee. Here are some things that are not typically part of the termination process: A Exit interview B Property recovery C Account Termination D Sign an NCA (non-compete agreement)
D
An accounting clerk at Doolittle Industries was recently arrested for his role in an embezzlement scheme. The employee transferred funds into his personal account and then moved money between other accounts every day for several months to cover up the fraud. Which of the following controls would most likely have detected this fraud earlier? A. Segregation of duties B. Least privilege C. Defense in depth D. Mandatory vacation
D
Who in an organization should receive initial business continuity planning training? A. Senior Executive B. Personnel in specific business continuity roles C. Everyone in the organization D. First aid personnel
C
James is conducting a risk assessment for his organization and is trying to assign an asset value to the servers in the data center. An organization's primary concern is ensuring that sufficient funds are available for reconstruction in the event a data center is damaged or destroyed. Which of the following asset valuation methods would be most appropriate in this situation? A. Purchase cost B. Depreciation cost C. Replacement cost D.opportunity cost
C
Roger's organization suffered a breach of customer credit card records. Which of the following organizations might choose to investigate this matter under the terms of PCIDSS? A. Federal Bureau of Investigation (FBI) B. Local Law Enforcement Agencies C bank D PCI SSC
C
John invited key employees from each business unit to assist with his security awareness program. They are responsible for sharing security information with their peers and answering questions related to cybersecurity. Which term best describes this relationship? A. Security champion B. Security expert C. Gamification D. Peer review
A
Silanco discovered a keylogger hidden on the company CEO's laptop. Which information security principle is the keylogger most likely designed to undermine? A. Confidentiality B. Integrity C. Availability D. Denial
A
Alice is helping her organization prepare to evaluate and adopt a new cloud-based human resource management (HRM) system provider. What minimum security standard would best suit the requirements for prospective suppliers? A. Comply with all laws and regulations B. Handle information in the same manner the organization would C. Eliminate all identified security risks D. Comply with the supplier's own policy
B
HAL Systems recently decided to stop providing public NTP services due to concerns that its NTP servers could be used to amplify large-scale DDoS attacks. What type of risk management approach has HAL adopted for its NTP services? A. Risk mitigation B. Risk acceptance C. Risk transfer D. Risk avoidance
D Risk avoidance, a method of risk response, refers to the elimination of risks or the conditions for risk occurrence through changes in plans to protect targets from the impact of risks. Risk avoidance does not mean the complete elimination of risks. What we want to avoid is the losses that risks may cause us. Risk mitigation, the control of risk losses, is to reduce the degree of loss by reducing the probability of loss. Adopt measures to reduce the probability of risk occurrence, mitigate the consequences of risk occurrence, and reduce the severity of risk to an acceptable level
Which of the following components should be included in an organization's emergency response guidelines? A. List of emergency personnel who should be notified B. Long-term business continuity agreement C. Procedure for activating the organization's cold standby site D. Contact information for ordering equipment
A Emergency response guidelines: 1. Response procedures 2. List of people to be notified of the incident (executives, BCP team members) 3. Secondary response procedures for first responders while waiting for the BCP team to assemble
Becka recently signed a contract with a backup data processing facility to provide space for her company in the event of a disaster. The facility includes HVAC, electrical and communications circuits but no backup computing equipment. What type of facility does Becka use? A. Cold standby site B. Warm standby site C. Hot standby site D. Mobile backup site
A
Greg's company recently experienced a major data breach involving many customers' personal data. What breach regulations should they review to ensure appropriate measures are taken? A Disclosure regulations in the state where they are headquartered. B. Disclosure regulations of the states in which they do business. C. Federal disclosure regulations only. D. Breach regulations apply only to government agencies, not private businesses.
B
Ben is looking for a control objectives framework that is widely accepted globally and focused on information security controls. Which of the following frameworks is best suited to meet his needs? A. ITIL B. ISO 27002 C. CMM D. PMBOK
B Confusion between CMM and RMM
ISC2's Code of Ethics applies to all CISSP certified personnel. Which of the following is not one of the four mandatory canons of the code? A. Protect society, the public interest, necessary public trust and infrastructure. B. Disclose breaches of privacy, trust and ethics. C. Provide diligent and competent service to principals. D. Advance and protect the profession.
B
Which principle of information security states that organizations should implement overlapping security controls whenever possible? A. The principle of least privilege B. Separation of duties C. Defense in depth D. Security through obscurity
C
Ryan is a CISSP certified cybersecurity professional working at a non-profit organization. Which of the following ethical obligations apply to his job? (Select all that apply.) A. (ISC)2's Code of Ethics B. Organization's Code of Ethics C. Federal Code of Ethics D. RFC 1087
AB
Ben is responsible for protecting the security of payment card information stored in a database. Policy requires him to delete the information from the database, but for operational reasons he is unable to do so. He obtained an exception to the policy and is looking for an appropriate compensating control to mitigate the risk. What is his best option? A. Purchase insurance B. Encrypt database contents C. Delete the data D. Object to the exception
B
In her role as an online banking developer, Lisa has to submit her code for testing and review. After going through this process and getting approval, another employee moves the code to production. What type of security management process does this describe? A. Regression testing B. Code review C. Change management D. Fuzz testing
C
Which of the following is not typically included in the pre-employment screening process? A. Drug testing B. Background check C. Social media review D. Health assessment
D (p. 34) Skills challenges, drug tests, credit checks, driving record checks and personality tests/assessments
Which of the following are typically considered supply chain risks? (Select all that apply.) A. An adversary tampers with hardware before delivery to the end customer B. An adversary compromises an organization's web server running in an IaaS environment C. Adversaries use a social engineering attack against employees of a SaaS vendor to compromise customer accounts D. Adversaries use a botnet to conduct a denial-of-service attack
AC