CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. Gibson Darril

Читать онлайн.



Скачать книгу

and development or as a reactive measure once a product has been deployed. Key concepts include assets/attackers/software, STRIDE, diagramming, reduction/decomposing, and DREAD.

      Understand the need for security-minded acquisitions. Integrating cyber security risk management with acquisition strategies and practices is a means to ensure a more robust and successful security strategy in organizations of all sizes. When purchases are made without security considerations, the risks inherent in those products remain throughout their deployment lifespan.

      Written Lab

      1. Discuss and describe the CIA Triad.

      2. What are the requirements to hold a person accountable for the actions of their user account?

      3. Describe the benefits of change control management.

      4. What are the seven major steps or phases in the implementation of a classification scheme?

      5. Name the six primary security roles as defined by (ISC)2 for CISSP.

      6. What are the four components of a complete organizational security policy and their basic purpose?

      Review Questions

      1. Which of the following contains the primary goals and objectives of security?

      A. A network’s border perimeter

      B. The CIA Triad

      C. A stand-alone system

      D. The Internet

      2. Vulnerabilities and risks are evaluated based on their threats against which of the following?

      A. One or more of the CIA Triad principles

      B. Data usefulness

      C. Due care

      D. Extent of liability

      3. Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects?

      A. Identification

      B. Availability

      C. Encryption

      D. Layering

      4. Which of the following is not considered a violation of confidentiality?

      A. Stealing passwords

      B. Eavesdropping

      C. Hardware destruction

      D. Social engineering

      5. Which of the following is not true?

      A. Violations of confidentiality include human error.

      B. Violations of confidentiality include management oversight.

      C. Violations of confidentiality are limited to direct intentional attacks.

      D. Violations of confidentiality can occur when a transmission is not properly encrypted.

      6. STRIDE is often used in relation to assessing threats against applications or operating systems. Which of the following is not an element of STRIDE?

      A. Spoofing

      B. Elevation of privilege

      C. Repudiation

      D. Disclosure

      7. If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can _________________________ the data, objects, and resources.

      A. Control

      B. Audit

      C. Access

      D. Repudiate

      8. ____________ refers to keeping information confidential that is personally identifiable or which might cause harm, embarrassment, or disgrace to someone if revealed.

      A. Seclusion

      B. Concealment

      C. Privacy

      D. Criticality

      9. All but which of the following items requires awareness for all individuals affected?

      A. Restricting personal email

      B. Recording phone conversations

      C. Gathering information about surfing habits

      D. The backup mechanism used to retain email messages

      10. What element of data categorization management can override all other forms of access control?

      A. Classification

      B. Physical access

      C. Custodian responsibilities

      D. Taking ownership

      11. What ensures that the subject of an activity or event cannot deny that the event occurred?

      A. CIA Triad

      B. Abstraction

      C. Nonrepudiation

      D. Hash totals

      12. Which of the following is the most important and distinctive concept in relation to layered security?

      A. Multiple

      B. Series

      C. Parallel

      D. Filter

      13. Which of the following is not considered an example of data hiding?

      A. Preventing an authorized reader of an object from deleting that object

      B. Keeping a database from being accessed by unauthorized visitors

      C. Restricting a subject at a lower classification level from accessing data at a higher classification level

      D. Preventing an application from accessing hardware directly

      14. What is the primary goal of change management?

      A. Maintaining documentation

      B. Keeping users informed of changes

      C. Allowing rollback of failed changes

      D. Preventing security compromises

      15. What is the primary objective of data classification schemes?

      A. To control access to objects for authorized subjects

      B. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity

      C. To establish a transaction trail for auditing accountability

      D. To manipulate access controls to provide for the most efficient means to grant or restrict functionality

      16. Which of the following is typically not a characteristic considered when classifying data?

      A. Value

      B. Size of object

      C. Useful lifetime

      D. National security implications

      17. What are the two common data classification schemes?

      A. Military and private sector

      B. Personal and government

      C. Private sector and unrestricted sector

      D. Classified and unclassified

      18. Which of the following is the lowest military data classification for classified data?

      A. Sensitive

      B. Secret

      C. Proprietary

      D. Private

      19. Which commercial business/private sector data classification is used to control information about individuals within an organization?

      A. Confidential

      B. Private

      C. Sensitive

      D. Proprietary

      20. Data classifications are used to focus security controls over all but which of the following?

      A.