/.CIA Triangle - Answer-Cornerstone of infosec. Confidentiality, Integrity, Availability
/.Confidentiality (CIA Triangle) - Answer-prevention of unauthorized disclosure of
information; prevention of unauthorized read access to data
/.Integrity (CIA Triangle) - Answer-prevention of unauthorized modification of data;
prevention of unauthorized write access to data
/.Availability (CIA Triangle) - Answer-ensures data is available when needed to
authorized users
/.Opposing forces to CIA - Answer-DAD: disclosure, alteration, destruction
/.identification - Answer-the process by which a subject professes an identity and
accountability is initiated; ex: typing a username, swiping a smart card, waving a
proximity device (badging in), speaking a phrase, etc - always paired with
authentication as a two-step process
/.authentication - Answer-verification that a person is who they say they are; ex:
entering a password or PIN, biometrics, etc - always paired with identification as a
two-step process
/.authorization - Answer-verification of a person's access or privileges to applicable data
/.auditing (monitoring) - Answer-recording a log of the events and activities related to
the system and subjects
/.accounting (accountability) - Answer-reviewing log files to check for compliance and
violations in order to hold subjects accountable for their actions
/.non-repudiation - Answer-a user cannot deny having performed a specific action
/.subject - Answer-an entity that performs active functions on a system; usually a person,
but can also be a script or program designed to perform actions on data
/.object - Answer-any passive data within the system
/.ISC2 Code of Ethics Canons (4) - Answer-1. protect society, commonwealth,
infrastructure
2. act honorably, justly, responsibly, legally
3. provide diligent and competent service
4. advance and protect the profession
strictly applied in order; for exam questions in which multiple canons could be the
answer, choose the highest-priority canon per this order
/.policy - Answer-mandatory high level management directives; components of policy
1. purpose: describes the need for policy
2. scope: what systems, people, facilities, organizations are covered
3. responsibilities: specific duties of involved parties
4. compliance: effectiveness of policy, violations of policy
/.procedure - Answer-low level step by step guide for accomplishing a task
/.standard - Answer-describes the specific use of technology applied to hardware or
software; mandatory
/.guideline - Answer-discretionary recommendations (i.e. not mandatory)
/.baseline - Answer-a uniform way of implementing a standard
/.3 access/security control categories - Answer-1. administrative: implemented by
creating org policy, procedure, regulation. user awareness/training also fall here
2. technical: implemented using hardware, software, firmware that restricts logical
access to a system
3. physical: locks, fences, walls, etc
/.preventive access control
(can be administrative, technical, physical) - Answer-prevents actions from occurring by
applying restrictions on what a user can do. example: privilege level
/.detective access control
(can be administrative, technical, physical) - Answer-controls that alert during or after a
successful attack; alarm systems, or closed circuit tv
/.corrective access control
(can be administrative, technical, physical) - Answer-repairing a damaged system; often
works hand in hand with detective controls (e.g. antivirus software)
/.recovery access control
(can be administrative, technical, physical) - Answer-controls to restore a system after
an incident has occurred
/.deterrent access control
(can be administrative, technical, physical) - Answer-deters users from performing
actions on a system
/.compensating access control
(can be administrative, technical, physical) - Answer-additional control used to
compensate for weaknesses in other controls as needed
/.risk formula - Answer-risk = threat x vulnerability x impact
/.market approach (for calculating intangible assets) - Answer-assumes the fair value of
an asset reflects the price at which comparable assets have been purchased in
transactions under similar circumstances
/.income approach (for calculating intangible assets) - Answer-the value of an asset is
the present value of the future earning capacity that an asset will generate over the rest
of its lifecycle
/.cost approach (for calculating intangible assets) - Answer-estimates the fair value
based on cost of replacement
/.exposure factor (EF) - Answer-percentage of the asset's value lost due to an incident
/.single loss expectancy (SLE) - Answer-asset value (AV) times exposure factor
AV x EF = SLE
expressed in a dollar value
/.annual rate of occurrence (ARO) - Answer-number of losses suffered per year
/.annualized loss expectancy (ALE) - Answer-yearly cost due to risk
SLE x ARO = ALE
/.legally defensible security - Answer-to obtain legal restitution a company must
demonstrate that a crime was committed, that the suspect committed that crime, and that
the company took reasonable efforts to prevent the crime;
requires accurate files, policy in place, proper authentication, and compliance with laws
and regulations
/.layering (defense in depth) - Answer-the use of multiple controls in a series (one after
another, linearly); no one control can protect against all possible threats
/.top down approach - Answer-senior management responsible for initiating and defining
policies; middle management fleshes out policy into standards, baselines, guidelines,
and procedures; end users must comply with all policies
/.strategic plan - Answer-long term plan that is fairly stable; defines the org's security
purpose; useful to forecast about 5 years and serves as a planning horizon - long term
goals and vision (high level)