Chapter 5. Day 5 – Exam Cram and Practice Questions

This chapter explains the concepts covered in the first two domains of CISSP CBK in a snippet format that will reinforce the topics learned, and it will serve as exam cram. A mock test consisting of 10 questions from the first two domains is provided. Finally, further reading and references are also provided.

This chapter covers the following:

  • Important concepts from the first domain, security and risk management
  • Important concepts from the second domain, asset security
  • Mock test
  • Further reading and references

An overview of exam cram and practice questions

Presented here is revision for the concepts discussed in the previous four chapters. They are provided in bullet points in the form of snippets that are easy to revise. These snippets are for a quick revision and the reinforcement of knowledge learned:


CISSP CBK domain #1 – security and risk management

The following information consists of some of the important concepts. They are presented as bullet points that will serve as exam cram for this first domain:

  • Assets are tangible or intangible in nature.
  • Assets are used by the organization for business processes.
  • Assets have quantitative value such as monetary or qualitative value such as corporate image.
  • Examples of assets are computers, operating systems, data, processes, products, infrastructure, and so on.
  • Assets are grouped as physical, hardware, software, information, and personnel assets.
  • Risk is defined as an exposure of the asset to loss, injury, and damage due to threats, vulnerabilities, and attacks.
  • Risk to assets is from threat sources.
  • Asset protection means identifying and implementing security controls.
  • Asset protection requirements are identified through a structured method of risk analysis, evaluation, and assessment.
  • Risk analysis, risk evaluation, risk assessment, and risk mitigation strategies are the components of risk management.
  • Risk analysis that provides risk values in numeric terms, such as monetary values, is quantitative.
  • Risk analysis that provides risk values in non-numeric terms, such as high, medium, and low, is qualitative.
  • Security controls are identified through risk mitigation strategies.
  • Identifying threats and vulnerabilities, attacks, estimating potential impact, and establishing and implementing suitable controls to treat the risk are functional steps in risk management.
  • Risk treatment includes accepting, transferring, reducing, or avoiding risk.
  • Monitoring, reviewing, communicating the results, and improving the security posture are continual improvement processes in the risk management cycle.
  • Security posture is an overall plan of the organization pertaining to its security. It includes security governance, policies, procedures, and compliance.
  • Information security and risk management are analogous to each other.
  • Information security is a preservation of the Confidentiality, Integrity, and Availability (CIA) of assets:
    • Confidentiality: Unauthorized users should not view the information
    • Integrity: Unauthorized users should not modify the information
    • Availability: Authorized users are able to access the information
  • Threat is an event that could compromise information security by causing loss or damage to assets.
  • A threat is predominantly external to the organization.
  • The examples of threats are fires, floods, hacking, and so on.
  • Vulnerability is a hole or weakness in the system. In other words, a vulnerability is what makes the system susceptible to a threat.
  • Threat can exploit vulnerabilities through threat agents.
  • The threat agent exploiting a vulnerability is called an attack.
  • The end result of an attack could be a security violation.
  • Security violation is a compromise of the Confidentiality, Integrity, and Availability requirement of the asset.
  • Information has a life cycle that includes handling, processing, transporting, storing, archiving, and destroying.
  • Information protection includes risk management, risk reporting, and accountability.
  • Senior management and the board should provide strategic oversight for the implementation of security controls and they should ensure continual effectiveness.
  • Aligning and integrating information security with enterprise and IT governance frameworks is called information security strategy.
  • Information security strategy includes the definition of the current state of security, goals, and objectives that align with the corporate mission.
  • The goal of an information security strategy is to understand protection requirements.
  • The objectives of an information security strategy include estimating the value of the information, the expected outcomes of the information security program, the benefits that are quantifiable, and the methods used to integrate information security practices with organizational practices.
  • An information security mission defines security requirements, its purpose, focus on risk management, commitment to continual maintenance, and the improvement of information security program.
  • Organizational processes need to be aligned to the mission.
  • Organization security processes include defining the roles and responsibilities, establishing monitoring mechanisms, reporting, reviewing and approving the processes and management support.
  • Management control is indicated through a policy, which states the views of the management and their position on information security.
  • Information security policy states management intent, support, and direction for security.
  • Administrative controls are used to implement policies.
  • Procedures, guidelines, and standards are administrative controls.
  • Technical controls support management and administrative initiatives for information systems.
  • Firewall, intrusion detection systems, antiviruses, and so on are examples of technical controls.
  • Due diligence is understanding the risk and estimating the risk values.
  • Due care is implementing security governance.
  • Compliance is an example of due care activities.
  • Security awareness and training is one of the core components of the due care exercise.
  • Common law is a law that is developed based on the decisions of courts and tribunals.
  • Statutory law is a legal system that is set down by the legislature or the executive branch of the government.
  • Religious laws are legal systems based on religious principles.
  • Civil law is a legal system based on codes and legislative statutes as opposed to common law.
  • Privacy is the protection of Personally Identifiable Information (PII) or Sensitive Personal Information (SPI) of individuals.
  • Privacy laws deal with protecting and preserving the rights of an individual's privacy.
  • Intellectual property law is a legal domain that deals with Intellectual Property Rights (IPR).
  • Copyright is an intellectual property right that grants exclusive rights to the creator of the original work.
  • A patent is a set of exclusive rights granted to the inventor of new, useful, inventive, and industry-applicable inventions.
  • Trademark is a unique symbol or mark that is used by individuals or organizations to uniquely represent a product or a service.
  • Trade secret is a formula, design, process, practice, or pattern that is not revealed to others.
  • A computer crime is a fraudulent activity committed using information technology assets.
  • In computer crime, the term computer refers to the role it plays in different scenarios: a crime committed against a computer, a crime committed using the computer, and a computer incidental to the crime.
  • Fraud is the manipulation of records for financial gain.
  • Data diddling and salami slicing are some examples of fraud.
  • Hacking refers to discovering vulnerabilities, holes, or weaknesses in computer software and associated IT systems and exploiting them.
  • Identity theft is to steal someone's identity.
  • Intellectual property theft is stealing software code or designs for financial gain.
  • Cyber stalking is committing fraud by pretending to be a legitimate entity.
  • Malware is a malicious software.
  • Viruses, worms, Trojan horses, and spyware, such as a Key logger, and so on, are examples of malware.
  • Spyware is malicious code that tracks the user actions.
  • Key loggers are a type of spyware that capture keystrokes and transmit them to an attacker's server.
  • Cyber crimes are criminal activities that are perpetrated using communication networks, such as the Internet, telephone, wireless, satellite, and mobile networks.
  • Cyber terrorism is a type of cyber crime perpetrated against computers and computer networks.
  • Information warfare is a type of cybercrime used to destabilize the opponent, such as corporations and institutions, to gain competitive advantage.
  • Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks are cybercrimes in which websites or the information systems of corporations are made inaccessible by way of multiple service requests that overload the web and application servers.
  • Spamming is sending Unsolicited Commercial Email (UCE) and is considered a cyber crime.
  • Phishing is a type of cyber crime wherein a user is lured to an attacker-constructed illegitimate website that looks similar to the original website that a user intended to visit.
  • Pharming is a type of cyber attack wherein a user is redirected to a malicious website constructed by the attacker.
  • SMiShing is a type of cyber attack using mobile networks and is similar to phishing.
  • Harassment is a crime that includes cyberstalking, cyber bullying, hate crime, online predating, and trolling.
  • The transfer of computerized data across national borders, states, or political boundaries is called transborder data flow.
  • Data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, or used by an unauthorized entity.
  • Laws concerned with data breaches are generally called security breach laws.
  • Information security profession requires adherence to an ethically sound and consistently applied code of professional ethics.
  • Code of ethics is based on the safety of the commonwealth, duty to principals, such as employers, contractors, and people whom a professional works for, and to each other.
  • (ISC)2 code of professional ethics includes four clauses. They are as follows:
    • Protect society, the commonwealth, and the infrastructure
    • Act honorably, honestly, justly, responsibly, and legally
    • Provide diligent and competent service to principals
    • Advance and protect the profession
  • Security policies are high-level statements that provide management intent and direction for information security.
  • Security standards provide prescriptive statements, control objectives and controls for enforcing security policies.
  • Security procedures are step-by-step instructions to implement the policies and standards.
  • Security guidelines provide best practice methods to support security controls, selection, and implementation.
  • Personnel security policy concerns people associated with the organization, such as employees, contractors, and consultants.
  • Employment agreement and policies should include information security responsibilities and information handling procedures.
  • Employee termination process has to be in accordance with the established security policies and practices.
  • Third-party security includes screening, confidentiality, and non-disclosure agreements.
  • Risk mitigation strategies that address risks to the CIA of assets are implemented through business continuity management processes.
  • An event that could impact regular operations for a prolonged period of time can be termed as a disruptive event.
  • Business Impact Analysis (BIA) is a type of risk assessment exercise that tries to assess qualitative and quantitative impacts on the business due to a disruptive event.
  • Addressing the risks by way of plans and procedures for the continuation of business operations during and after a disruptive event is called Business Continuity Planning (BCP).
  • The aim of BCP is to prevent interruptions to business operations.
  • While designing BCP, availability should be considered the primary factor.
  • BCP should be appropriate, adequate, and complete.
  • Recovery Time Objective (RTO) is a timeframe within which the systems should be recovered.
  • Recovery Point Objective (RPO) is the maximum period of time (or amount) of transaction data that the business can afford to lose during a successful recovery. In other words, with RPO the frequency of backups can be determined.
  • Business continuity procedures consist of testing and updating plans.

CISSP CBK domain #2 – asset security

The following information is about some of the important concepts, presented as bullet points, that will serve as exam cram for this second domain:

  • Asset security is based on asset classification and CIA values.
  • Asset classification is used to identify the type of information based on its value, sensitivity, and the degree of assurance required.
  • Asset value is based on the impact to the corporation in the event of unauthorized disclosure, alteration, or destruction.
  • Asset classification helps to devise suitable security controls.
  • The classification of assets is based on criteria such as value, age, useful life, and privacy.
  • Assets have owners, custodians, and users.
  • Governmental agencies classify information based on confidentiality requirements.
  • The need-to-know principle establishes that one has to demonstrate a specific need to know or access to the information that is classified as sensitive. An individual will be granted access to the information only if it is required to perform the duties of their job.
  • Information classification in the United States government is based on the effect of the compromise of the asset on national security.
  • Core Secrets, Top Secret, Secret, Confidential, Public Trust, and unclassified are the types of information classifications in the US.
  • Private and public sector corporate entities classify information under four categories: confidential, private, sensitive, and public.
  • Information assets that contain personnel details of people are classified as private or personal data.
  • In information security, the requirement for data privacy is to share personal data with third parties in a secure manner and only on a need-to-know basis.
  • In the USA, the Federal Trade Commission (FTC) classifies sensitive consumer data.
  • In the UK, the Data Protection Act specifies sensitive personal data.
  • For privacy purposes, the data owners are the individuals identified in the data.
  • When a third-party vendor is engaged by the licensee to create, receive, maintain, or transmit personal information, such entities are called business associates or data processors.
  • Data that remains even after erasing or formatting from digital media is called residual data and the property to retain such data is called data remanence.
  • Privacy laws stipulate data collection limitations pertaining to personal data.
  • Data collection, use, retention, and destruction should be in accordance with established principles and best practices.
  • Storage controls are the primary means to protect data in storage media, such as hard disk, magnetic tapes, CDs, and so on.
  • Theft is one of the most common threats that need to be addressed for personal computer, laptop, or media protection.
  • PCI DSS is a data security standard pertaining to payment card transactions. PCI DSS is applicable to all the entities involved in payment card processing.
  • Sarbanes-Oxley Act (SOX) is the US federal law that mandates the demonstration of internal controls over financial reporting systems.
  • The segregation or separation of duties is a security control measure to ensure that mutually exclusive roles are not assigned to a single user concurrently.
  • Gramm-Leach-Bliley Act (GLBA) is an act in the United States that mandates privacy rules for financial institutions.
  • EU Data Protection Act (DPA) is an act in the European Union that mandates data protection pertaining to the privacy information of client data.
  • Data can traditionally be grouped under three categories such as Personally Identifiable Information (PII), Intellectual Property (IP), and Non-Public Information (NPI).
  • Data exists in three states: data in motion, data at rest, and data in use.
  • Data in motion refers to the information as it moves around the organization.
  • Information that is stored within the organization is considered to be data at rest.
  • Data in use refers to the information that is used by the staff and the data that is available in endpoints.
  • Strategies to prevent data loss are called Data Loss Prevention (DLP).
  • Data Loss Prevention controls are based on answering the following questions: who is causing the incident, what actions the individual carried out to cause it, who else is involved and where, and what action is taken in response.
  • Cryptographic methods are used in data security controls.
  • Encryption means the data is scrambled with an appropriate key.
  • Encryption is used for ensuring confidentiality.
  • Hashing is a method in which a cryptographic value is computed from the contents of a document and periodically recomputed to validate that the contents have not changed.
  • Hashing is used for ensuring integrity. Hashes are generally one-way computed values.
  • Establishing the identity of the sender in a digital communication is accomplished through digital signatures.
  • Secure disposal of media, labeling, access restrictions, the formal record of authorized recipients, the storage of media, data distribution, marking, the review of distribution lists, and the control of publicly available information are a few of the data handling controls.
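The hashing bullets above describe computing a cryptographic value from a document and periodically validating it. The following script is an added example, not code from the book, that shows that check in practice: it records a SHA-256 digest for each document at baseline time, later recomputes the digests, and reports any document whose contents changed, went missing, or appeared unexpectedly. The document names and contents are constructed for the example.

```python
"""Added example (not from the book): hashing for integrity validation.

Shows that a hash is one-way, that a stored digest is recomputed and compared
to validate a document's contents, and that even a one-character change is
detected. Uses only the Python standard library.
"""
import hashlib
import hmac
import json
from typing import Dict

# Constructed sample documents (stand-ins for files in a document store).
DOCUMENTS: Dict[str, bytes] = {
    "asset_register.csv": b"asset_id,owner,classification\n1001,finance,confidential\n",
    "bcp_plan.txt": b"RTO: 4 hours\nRPO: 15 minutes\n",
}


def compute_digest(content: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of the content. The digest is one-way: the
    original content cannot be recovered from it."""
    return hashlib.new(algorithm, content).hexdigest()


def build_baseline(documents: Dict[str, bytes]) -> Dict[str, str]:
    """Record a digest for every document. This is the known-good value that
    would be stored (separately from the documents) when they are classified."""
    return {name: compute_digest(data) for name, data in documents.items()}


def validate(documents: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, str]:
    """Periodic validation: recompute each digest and compare it with the baseline.

    Returns one status per document: 'ok', 'modified', 'missing' (in the
    baseline but no longer present) or 'unexpected' (present but never baselined).
    """
    status: Dict[str, str] = {}
    for name, expected in baseline.items():
        if name not in documents:
            status[name] = "missing"
            continue
        actual = compute_digest(documents[name])
        # Constant-time comparison so the check does not leak how many leading
        # characters of the digest matched.
        status[name] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    for name in documents:
        if name not in baseline:
            status[name] = "unexpected"
    return status


if __name__ == "__main__":
    baseline = build_baseline(DOCUMENTS)
    print("baseline check:", json.dumps(validate(DOCUMENTS, baseline), indent=2))

    # Simulate an unauthorized change to one document: a single word is altered.
    tampered = dict(DOCUMENTS)
    tampered["bcp_plan.txt"] = b"RTO: 4 hours\nRPO: 15 hours\n"
    print("after tampering:", json.dumps(validate(tampered, baseline), indent=2))
```

The check only proves that the current contents match the stored digest; it says nothing about who produced the document, which is the gap the digital signature bullet above addresses. The baseline must therefore be stored where a person who can alter the document cannot also alter its recorded digest.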