ISC2 CISSP Newest Exam with accurate detailed answers

CIA Triangle - ✔✔Cornerstone of infosec. Confidentiality, Integrity, Availability

Confidentiality (CIA Triangle) - ✔✔prevention of unauthorized disclosure of information; prevention of unauthorized read access to data

Integrity (CIA Triangle) - ✔✔prevention of unauthorized modification of data; prevention of unauthorized write access to data

Availability (CIA Triangle) - ✔✔ensures data is available when needed to authorized users

Opposing forces to CIA - ✔✔DAD: disclosure, alteration, destruction
identification - ✔✔the process by which a subject professes an identity and accountability is initiated; ex: typing a username, swiping a smart card, waving a proximity device (badging in), speaking a phrase, etc. Always a two-step process together with authentication.

authentication - ✔✔verification that a person is who they say they are; ex: entering a password or PIN, biometrics, etc. Always a two-step process together with identification.

authorization - ✔✔verification of a person's access or privileges to applicable data

auditing (monitoring) - ✔✔recording a log of the events and activities related to the system and subjects

accounting (accountability) - ✔✔reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions

non-repudiation - ✔✔a user cannot deny having performed a specific action

subject - ✔✔an entity that performs active functions on a system; usually a person, but can also be a script or program designed to perform actions on data

object - ✔✔any passive data within the system
ISC2 Code of Ethics Canons (4) - ✔✔1. protect society, commonwealth, infrastructure
2. act honorably, justly, responsibly, legally
3. provide diligent and competent service
4. advance and protect the profession
Strictly applied in order; for exam questions in which multiple canons could be the answer, choose the highest priority per this order.

policy - ✔✔mandatory high-level management directives; components of policy:
1. purpose: describes the need for the policy
2. scope: what systems, people, facilities, organizations are covered
3. responsibilities: specific duties of involved parties
4. compliance: effectiveness of the policy, violations of the policy

procedure - ✔✔low-level step-by-step guide for accomplishing a task

standard - ✔✔describes the specific use of technology applied to hardware or software; mandatory

guideline - ✔✔discretionary recommendations (i.e. not mandatory)

baseline - ✔✔a uniform way of implementing a standard
3 access/security control categories - ✔✔1. administrative: implemented by creating org policy, procedure, regulation; user awareness/training also falls here
2. technical: implemented using hardware, software, firmware that restricts logical access to a system
3. physical: locks, fences, walls, etc.

preventive access control (can be administrative, technical, physical) - ✔✔prevents actions from occurring by applying restrictions on what a user can do; example: privilege level

detective access control (can be administrative, technical, physical) - ✔✔controls that alert during or after a successful attack; alarm systems, or closed-circuit TV

corrective access control (can be administrative, technical, physical) - ✔✔repairing a damaged system; often works hand in hand with detective controls (e.g. antivirus software)

recovery access control (can be administrative, technical, physical) - ✔✔controls to restore a system after an incident has occurred

deterrent access control (can be administrative, technical, physical) - ✔✔deters users from performing actions on a system

compensating access control (can be administrative, technical, physical) - ✔✔additional control used to compensate for weaknesses in other controls as needed
risk formula - ✔✔risk = threat x vulnerability x impact

market approach (for valuing intangible assets) - ✔✔assumes the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances

income approach (for valuing intangible assets) - ✔✔the value of an asset is the present value of the future earning capacity that the asset will generate over the rest of its lifecycle

cost approach (for valuing intangible assets) - ✔✔estimates the fair value based on the cost of replacement

exposure factor (EF) - ✔✔percentage of the asset's value lost due to an incident

single loss expectancy (SLE) - ✔✔asset value (AV) times exposure factor; AV x EF = SLE; expressed in a dollar value

annual rate of occurrence (ARO) - ✔✔number of losses suffered per year

annualized loss expectancy (ALE) - ✔✔yearly cost due to risk; SLE x ARO = ALE

legally defensible security - ✔✔to obtain legal restitution a company must demonstrate that a crime was committed, that the suspect committed that crime, and that the company took reasonable efforts to prevent the crime