CISSP-ISSMP Domain 1 - Security Leadership & Management ||
Faultless Answers 100%.
Provided by senior management to give overall direction and focus for the organization's
activities. Must be understood and supported by the ISSMP. correct answers Mission Statement
The ISSMP's role in supporting the organization's mission correct answers Along with system
managers, determine specific mission, goals and objectives that apply to the system(s) being
secured
Specific to internal organization elements. Statements that tell what the system is intended to
accomplish. Can define purpose and include timelines and metrics. correct answers
Organizational Goals
Internal groups that support different business functions. Have unique goals and objectives, and
therefore, different security requirements. correct answers Functional Groups
(i.e. Sales, Accounting, HR, etc.)
The ISSMP must be aware of the following for each functional group correct answers 1.
Business processes 2. Types of information
The ISSMP must know the answer to these questions regarding business processes correct
answers Who is in charge/responsible? How is information entered, changed, consolidated,
deleted, stored, transmitted, etc.? Who are our providers/customers? Who provides oversight?
Identifying where the concepts of "least privileges" and "role based security" can be applied
correct answers Identity Management
Meeting legal and regulatory restrictions and demands. Can result in major fines and impact to
reputation if not met correct answers Compliance
,Places restrictions on government agencies as to what they can do with personal information.
Mandates security requirements to prevent unauthorized release of the information correct
answers Privacy Act of 1974
U.S. Congress declared that improving security and privacy of sensitive information in federal
computer systems was in the public interest and established the means to create minimum
acceptable security practices for such systems correct answers Computer Security Act of 1987
European Union (EU) issued directive to protect individuals with regard to the processing and
free movement of their personal data correct answers EU Directive of 1995 (95/46/EC)
Act to protect healthcare information from being used in an unethical and fraudulent manner.
Mandates that organizations related to healthcare deploy safeguards to ensure the integrity and
confidentiality of healthcare information, violations punishable by fines and jail time correct
answers Health Insurance Portability and Accountability Act of 1996 (HIPPA)
Mandates privacy and security related to electronic transmission of health information and
strengthens rules beyond HIPPA. Subtitle D addresses information relevant to the ISSMP correct
answers The Health Information Technology for Economic and Clinical Health (HITECH) Act
A Canadian law supporting and promoting electronic commerce by protecting personal
information that is collected, used, or disclosed by providing for use of electronic means to
communicate or record information or transactions correct answers Personal Information
Protection and Electronic Document Act of 2000) (PIPEDA)
To protect investors by improving the accuracy and reliability of corporate disclosures made
pursuant to the securities laws, and for other purposes correct answers Sarbanes-Oxley Act of
2002 (SOX)
Title III of this act is to provide a comprehensive framework for ensure effectiveness of
information security controls over information resources that support federal operations and
assets, effective government-wide management and oversight of related information security
, risks and of federal agency information security programs correct answers Federal Information
Security Management Act of 2002 (FISMA)
Federal Financial Institutions Examination Council (FFIEC) correct answers Regulatory body
which has issued several security-related guidances to financial institutions.
A group of people's shared behaviors, languages, attitudes, systems, values, practices, goals, etc.
correct answers Culture
Is "felt" and not well-defined. Individual and organizational personalities, people's interpersonal
communication dynamics and styles, corporate values, specifics of how an enterprise manages its
locations and its technological architecture correct answers "Soft" nature of culture
Examples of how culture can impact security correct answers 1. Attitudes/level of security-
consciousness 2. Open work environments 3. Social media 4. Telecommuting/Bring your own
device
The ISSMP needs to be aware of each group's cultural differences regarding security including:
correct answers Perceptions and Expectations
External influences of a system's security program correct answers 1. Customers (clients) 2.
Competitors
The ISSMP needs to be aware of this in regards to customers: correct answers 1. Capabilities
(computer and technical,) 2. Expectations
The ISSMP needs to know this about its competitors: correct answers Reputation for ethics,
espionage capabilities, technical capabilities, competiveness, success obtaining clients, type of
security used with clients
Faultless Answers 100%.
Provided by senior management to give overall direction and focus for the organization's
activities. Must be understood and supported by the ISSMP. correct answers Mission Statement
The ISSMP's role in supporting the organization's mission correct answers Along with system
managers, determine specific mission, goals and objectives that apply to the system(s) being
secured
Specific to internal organization elements. Statements that tell what the system is intended to
accomplish. Can define purpose and include timelines and metrics. correct answers
Organizational Goals
Internal groups that support different business functions. Have unique goals and objectives, and
therefore, different security requirements. correct answers Functional Groups
(i.e. Sales, Accounting, HR, etc.)
The ISSMP must be aware of the following for each functional group correct answers 1.
Business processes 2. Types of information
The ISSMP must know the answer to these questions regarding business processes correct
answers Who is in charge/responsible? How is information entered, changed, consolidated,
deleted, stored, transmitted, etc.? Who are our providers/customers? Who provides oversight?
Identifying where the concepts of "least privileges" and "role based security" can be applied
correct answers Identity Management
Meeting legal and regulatory restrictions and demands. Can result in major fines and impact to
reputation if not met correct answers Compliance
,Places restrictions on government agencies as to what they can do with personal information.
Mandates security requirements to prevent unauthorized release of the information correct
answers Privacy Act of 1974
U.S. Congress declared that improving security and privacy of sensitive information in federal
computer systems was in the public interest and established the means to create minimum
acceptable security practices for such systems correct answers Computer Security Act of 1987
European Union (EU) issued directive to protect individuals with regard to the processing and
free movement of their personal data correct answers EU Directive of 1995 (95/46/EC)
Act to protect healthcare information from being used in an unethical and fraudulent manner.
Mandates that organizations related to healthcare deploy safeguards to ensure the integrity and
confidentiality of healthcare information, violations punishable by fines and jail time correct
answers Health Insurance Portability and Accountability Act of 1996 (HIPPA)
Mandates privacy and security related to electronic transmission of health information and
strengthens rules beyond HIPPA. Subtitle D addresses information relevant to the ISSMP correct
answers The Health Information Technology for Economic and Clinical Health (HITECH) Act
A Canadian law supporting and promoting electronic commerce by protecting personal
information that is collected, used, or disclosed by providing for use of electronic means to
communicate or record information or transactions correct answers Personal Information
Protection and Electronic Document Act of 2000) (PIPEDA)
To protect investors by improving the accuracy and reliability of corporate disclosures made
pursuant to the securities laws, and for other purposes correct answers Sarbanes-Oxley Act of
2002 (SOX)
Title III of this act is to provide a comprehensive framework for ensure effectiveness of
information security controls over information resources that support federal operations and
assets, effective government-wide management and oversight of related information security
, risks and of federal agency information security programs correct answers Federal Information
Security Management Act of 2002 (FISMA)
Federal Financial Institutions Examination Council (FFIEC) correct answers Regulatory body
which has issued several security-related guidances to financial institutions.
A group of people's shared behaviors, languages, attitudes, systems, values, practices, goals, etc.
correct answers Culture
Is "felt" and not well-defined. Individual and organizational personalities, people's interpersonal
communication dynamics and styles, corporate values, specifics of how an enterprise manages its
locations and its technological architecture correct answers "Soft" nature of culture
Examples of how culture can impact security correct answers 1. Attitudes/level of security-
consciousness 2. Open work environments 3. Social media 4. Telecommuting/Bring your own
device
The ISSMP needs to be aware of each group's cultural differences regarding security including:
correct answers Perceptions and Expectations
External influences of a system's security program correct answers 1. Customers (clients) 2.
Competitors
The ISSMP needs to be aware of this in regards to customers: correct answers 1. Capabilities
(computer and technical,) 2. Expectations
The ISSMP needs to know this about its competitors: correct answers Reputation for ethics,
espionage capabilities, technical capabilities, competiveness, success obtaining clients, type of
security used with clients
