What is protective monitoring?
Ensuring that system owners are provided with a real-time feed of information regarding
the status of ICT systems, providing awareness of activities of the threat sources and
enabling security incidents to be detected, investigated and effectively remediated
Define information security
The protection of information and information systems from unauthorised access, use,
disclosure, disruption, or modification.
Outline what ISO27000, ISO27001, ISO27005 and ISO Guide 73 are for.
ISO27000: Overview and vocabulary
ISO27001: Internationally recognised specification for an Information Security
Management System
ISO27005: Information Security Risk Management
ISO Guide 73: Risk Management
What type of assets are protected? (name 6)
Information, software, physical, services, people, intangible.
What is the CIA triad in security?
Confidentiality - non-disclosure, access on a need-to-know basis, least privilege
Integrity - protecting the accuracy and completeness of assets
Availability - reliable and timely access to data or IT resources by appropriate people
What is non-repudiation?
The ability to prove the occurrence of a claimed event or action and its originating
entities.
What is defence in depth?
Layering security to provide redundancy and to buy time to detect and enact a
response.
Examples include SSO, firewall, TLS, fences, walls, badges, data classification,
password strength
What is IAAA?
Identity - usernames, etc.; who a user claims to be
Authentication - proving the user is who they say they are, using a password, etc.
Authorisation - ensuring that a user can only access what they are authorised to access
Accounting/Auditing - a record of actions taken, so that they can be traced back to a user
What are the three primary strands of security governance?
Governance, Risk Management, Compliance
How does security as an enabler work?
Delivering value rather than cost
Enabling new ways of working
Improving working practices
Minimising costs
What is compliance?
Conforming to:
rules
policies
standards
law
legal contracts
What is risk defined as?
The effect of uncertainty on objectives.
How is risk calculated?
Risk = likelihood x impact
Identify a vulnerability, then evaluate the likelihood of it being exploited by a threat and
the impact that a successful exploit would have.
What is a vulnerability?
A weakness that could be triggered accidentally or exploited intentionally to cause a
security breach.
Examples include improper configurations, misuse of software or communication
protocols, untested software and firmware patches, poorly designed network
architecture, insecure password usage, design flaws, etc.
What is a threat?
The potential for someone or something to exploit a vulnerability and breach security.
May be intentional or unintentional.
Examples include hackers, cyberterrorists, criminal gangs, earthquakes, floods,
hurricanes, etc.
What are the five threat categories?
External, internal, deliberate, multiparty and accidental.
Multiparty covers third-party or supplier issues, where a single event has an impact on
multiple organisations.
Accidental could be an engineer unintentionally cutting important power supply cables
while doing their job.
What are some examples of vulnerabilities?
General:
Lack of physical controls
Lack of pre-employment checks
Information specific:
Lack of security patches
No firewall on a website
Out of date antivirus software
What is the difference between quantitative and qualitative in risk evaluation?