
Domain 3

Information Security Governance and Risk Management

Traditional Questions, Answers, and Explanations

1. For information systems security, a penetration is defined as which of the following combinations?

a. Attack plus breach

b. Attack plus threat

c. Threat plus breach

d. Threat plus countermeasure

1. a. A penetration is the successful act of bypassing the security mechanisms of a computer system. An attack is an attempt to violate data security. A breach is the successful circumvention or disablement of a security control, with or without detection, which if carried to completion could result in penetration of the system. A threat is any circumstance or event with the potential to cause harm to a system in the form of destruction or modification of data, or denial-of-service. A countermeasure is any action, control, device, procedure, technique, or other measure that reduces a system's vulnerability to a threat.

2. Which of the following is not a basic objective of computer-based information systems security?

a. Protection of system assets from loss, damage, and misuse

b. Accuracy of data and reliability of application processes

c. Availability of information and application processes

d. Control of data analysis

2. d. The basic objectives of computer-based information systems security are the protection of information and system assets, the accuracy and availability of data and processes, and the control of information dissemination; the control of data analysis is not one of them. Data analysis determines whether the security objectives were achieved.

3. Which of the following is the primary purpose of a plan of action and milestones document?

a. To reduce or eliminate known vulnerabilities

b. To use findings from security control assessments

c. To apply findings from security impact analyses

d. To implement findings from continuous monitoring activities

3. a. The primary purpose of a plan of action and milestones (POA&M) document is to correct deficiencies and to reduce or eliminate known vulnerabilities. The POA&M document updates are based on findings from security control assessment, security impact analyses, and continuous monitoring activities.

4. For information systems security, an exposure is defined as which of the following combinations?

a. Attack plus breach

b. Threat plus vulnerability

c. Threat plus attack

d. Attack plus vulnerability

4. d. An exposure is an instance of vulnerability in which losses may result from the occurrence of one or more attacks (i.e., attack plus vulnerability). An attack is an attempt to violate data security. A vulnerability is a weakness in security policy, procedure, personnel, management, administration, hardware, software, or facilities affecting security that may allow harm to an information system. The presence of a vulnerability does not in itself cause harm; it is a condition that may allow the information system to be harmed by an attack. A threat is any circumstance or event with the potential to cause harm to a system in the form of destruction or modification of data or denial-of-service. A breach is the successful circumvention or disablement of a security control, with or without detection, which if carried to completion could result in a penetration of the system. Note that the vulnerability comes first and the breach comes next.

5. The benefits of good information security include which of the following?

1. Reduces risks

2. Improves reputation

3. Increases confidence

4. Enhances trust from others

a. 1 and 2

b. 2 and 3

c. 1, 2, and 3

d. 1, 2, 3, and 4

5. d. All four items are benefits of good information security. It can even improve efficiency by avoiding wasted time and effort in recovering from a computer security incident.

6. For risk mitigation, which of the following technical security controls are pervasive and interrelated with other controls?

a. Supporting controls

b. Prevention controls

c. Detection controls

d. Recovery controls

6. a. From a risk mitigation viewpoint, technical security controls are divided into two categories: supporting controls and other controls (i.e., prevention, detection, and recovery controls). Supporting controls are, by their nature, pervasive and interrelated with many other controls such as prevention, detection, and recovery controls. Supporting controls must be in place to implement other controls, and they include identification, cryptographic key management, security administration, and system protection.

Preventive controls focus on preventing security breaches from occurring in the first place. Detection and recovery controls focus on detecting and recovering from a security breach.

7. Information security must follow which of the following?

a. Top-down process

b. Bottom-up process

c. Top-down and bottom-up

d. Bottom-up first, top-down next

7. a. Information security must be a top-down process requiring a comprehensive security strategy explicitly linked to the organization’s business processes and strategy. Getting direction, support, and buy-in from top management sets the right tone for the entire organization.