cissp secure-u

  1. What is the definition of countermeasure?
    A control put into place to mitigate potential losses
  2. What is the definition of vulnerability?
    Weakness in a mechanism that can threaten the confidentiality, integrity, or availability of an asset.
  3. What is the definition of threat?
    Someone uncovering a vulnerability and exploiting it
  4. What is the definition of risk?
    Probability of a threat becoming real, and the corresponding potential damages.
  5. What is the definition of exposure?
    When a threat agent exploits a vulnerability
  6. What are the three control types?
    • Administrative
      • Management's responsibilities necessary to protect assets
      • "Soft" controls
    • Technical
      • Logical protection mechanisms
      • Built into software and hardware
    • Physical
      • Controls to protect the facility's perimeter and internal resources
  7. What does the CIA triad acronym mean?
    • Confidentiality
    • Integrity
    • Availability
  8. What are the two approaches to security management?
    • 1. top down
    • 2. bottom up
  9. Explain top down security approach
    Security is directed, driven, and supported by senior management
  10. Explain bottom up security approach
    staff member or group drives initiative
  11. What is the industry best practice standard?
    • BS/ISO 7799 / ISO 27001
    • ISO 17799 also
  12. How many sections are in the industry best practice?
    There are 10

    • 1. Security policy
    • 2. Security Organization
    • 3. assets classification and control
    • 4. personnel security
    • 5. physical and environmental security
    • 6. computer and network management
    • 7. system access control
    • 8. system development and maintenance
    • 9. business continuity planning
    • 10. compliance
  13. What is senior management's role in security?
    • Defines the scope, objectives, priorities, and strategies of the company's security program
    • Provides vision, funds, visibility, and enforcement
    • ultimately liable
    • without management's support, efforts can be doomed from the start
  14. What are the four security roles?
    • Data owner
    • system owner
    • data custodian
    • user
  15. Define the security role "data owner"
    • Responsible for the subset(s) of data and data classification
    • Sets security requirements for data protection
  16. define the security role "system owner"
    • Responsible for specific computer system(s)
    • One system will have one system owner
    • Can hold data from several data owners
  17. define the security role "data custodian"
    • is delegated data maintenance tasks
    • required to implement and maintain controls to provide the protection level dictated by data owner
  18. define the security role "user"
    person who routinely uses company data for work-related tasks
  19. Information classification criteria
    • Usefulness and value of information
    • how long information will hold this protection requirement
    • the level of damage possible if the data was disclosed, modified, or corrupted
    • Laws, regulations, or liability responsibilities pertaining to the data
    • who should be accessing this data?
    • who should maintain this data?
    • who should monitor and audit the use of this data?
  20. What is the main rule for "liability and its ramifications"?
    Prudent person rule - Perform duties that prudent and responsible people would exercise in similar circumstances
  21. What is SLE?
    Single Loss Expectancy
  22. What is the SLE formula?
    SLE = Asset value X exposure factor
  23. What is ALE?
    Annualized Loss Expectancy
  24. What is the ALE formula?
    ALE = SLE X Annualized rate of occurrence
  25. Calculate the ALE for the following: Facility is worth 650,000 and a fire is expected once every 10 years that will damage 35% of the facility.
    • Answer:
    • 650,000 x 0.35 x 0.10 = 22,750
  26. Define total risk
    total risk is defined by the following formula.

    threats x vulnerability x asset value
  27. define residual risk
    residual risk is defined by the following formula.

    (threats x vulnerability x asset value) x control gap
  28. What are the different memory types?
    • primary memory
    • real memory
    • cache memory
    • virtual memory
  29. what are the seven memory management responsibilities?
    • 1. keep track of used and unused memory segments
    • 2. assign memory segments to processes
    • 3. manage swapping between main memory and secondary storage
    • 4. memory protection
    • 5. access control
    • 6. keeping track of software and virtual addressing schemes
    • 7. multi-user OS requires more complex memory manager
    • DOS and Windows 9x are single-user OSes
  30. What are the four process states?
    • 1. Stopped
    • 2. Waiting
    • 3. Running
    • 4. Ready
  31. What is the order of the best process states?
    • Running
    • Ready/Waiting
    • Stopped
  32. What does TCB mean?
    Trusted Computing Base
  33. What are Access Control Models?
    • Provides rules and structures used to control access and shows how access decisions are made
    • The main components are subjects, objects, operations and their relationships
    • The goal is to control how objects are accessed and ensure one security principle or another (confidentiality, integrity)
  34. What is the main state machine model characteristic?
    If a system comes up in a secure state (all state transitions are secure; including failing) and shuts down in a secure state, the system is secure.
  35. What is the Rule of "Bell-LaPadula"?
    no write up and no read down - the strong star property
  36. What does "* star property" mean?
    strong star property
Flash cards to help with CISSP