CISSP: 11 Answers to Domain 1 Questions

Updated: Sep 15, 2020

Security controls exist to support the mission of the organisation; decisions about which controls to deploy should be driven by the organisation's risk tolerance and by the cost of each control measured against its benefit.


Question #1 What is the final step of a quantitative risk analysis?

  • Determine the asset value.

  • Assess the annualised rate of occurrence.

  • Derive the annualised loss expectancy.

  • Conduct a cost-benefit analysis.


The six major steps or phases in quantitative risk analysis are as follows:

  1. Inventory assets, and assign a value (asset value, or AV).

  2. Research each asset, and produce a list of all possible threats to each individual asset. For each listed threat, calculate the exposure factor (EF) and single loss expectancy (SLE). EF is the percentage of the asset's value that the organisation would lose if a specific threat were realised against that asset; SLE is the cost of a single realised risk against the asset: SLE = AV x EF.

  3. Perform a threat analysis to calculate the likelihood of each threat being realised within a single year - that is, the annualised rate of occurrence (ARO). ARO is the expected frequency with which a specific threat or risk will occur within a single year.

  4. Derive the overall loss potential per threat by calculating the annualised loss expectancy (ALE), the expected yearly cost of all instances of a specific realised threat against a specific asset: ALE = SLE x ARO.

  5. Research countermeasures for each threat, and then calculate the changes in ARO and ALE based on the applied countermeasure.

  6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset, and select the most appropriate response to each threat. For a safeguard the comparison is (ALE before the safeguard) - (ALE after the safeguard) - (annual cost of the safeguard, ACS). A positive result means the safeguard removes more expected loss per year than it costs; a negative result means the organisation is better off accepting the risk or considering a different control.
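As an added example, not from the original post, the following Python carries steps 1 to 6 through in code for one asset and one threat: the SLE and ALE arithmetic, the recalculated ALE for each candidate safeguard, and the cost/benefit comparison that decides whether any of them is worth buying. The asset value, exposure factors, AROs and safeguard costs are constructed figures for illustration, not data from the page.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Threat:
    name: str
    ef: float    # exposure factor: fraction of the asset value lost per occurrence (0.0 to 1.0)
    aro: float   # annualised rate of occurrence: expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    acs: float        # annual cost of the safeguard
    ef_after: float   # exposure factor once the safeguard is in place
    aro_after: float  # ARO once the safeguard is in place


def sle(av: float, ef: float) -> float:
    """Step 2: single loss expectancy, SLE = AV x EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Step 4: annualised loss expectancy, ALE = SLE x ARO."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle(av, ef) * aro


def safeguard_value(av: float, threat: Threat, sg: Safeguard) -> float:
    """Steps 5 and 6: (ALE before) - (ALE after) - ACS.

    Positive: the safeguard removes more expected loss per year than it costs.
    Negative: it costs more than the loss it prevents.
    """
    before = ale(av, threat.ef, threat.aro)
    after = ale(av, sg.ef_after, sg.aro_after)
    return before - after - sg.acs


def choose_safeguard(av: float, threat: Threat, candidates: Iterable[Safeguard]) -> Optional[Safeguard]:
    """Return the safeguard with the highest positive net value, or None when
    none of them pays for itself (in which case accepting the risk is cheaper)."""
    best, best_value = None, 0.0
    for sg in candidates:
        value = safeguard_value(av, threat, sg)
        if value > best_value:
            best, best_value = sg, value
    return best


# Constructed figures for illustration only (not from the page):
# a customer database server valued at 500,000, threatened by ransomware.
ASSET_VALUE = 500_000.0
RANSOMWARE = Threat("ransomware", ef=0.6, aro=0.2)
CANDIDATES = [
    Safeguard("offline backups", acs=15_000.0, ef_after=0.1, aro_after=0.2),
    Safeguard("endpoint detection", acs=40_000.0, ef_after=0.6, aro_after=0.05),
    Safeguard("full rebuild of the platform", acs=70_000.0, ef_after=0.0, aro_after=0.0),
]

if __name__ == "__main__":
    print(f"SLE = {sle(ASSET_VALUE, RANSOMWARE.ef):,.0f}")
    print(f"ALE = {ale(ASSET_VALUE, RANSOMWARE.ef, RANSOMWARE.aro):,.0f}")
    for sg in CANDIDATES:
        print(f"{sg.name:32s} net value {safeguard_value(ASSET_VALUE, RANSOMWARE, sg):>10,.0f}")
    chosen = choose_safeguard(ASSET_VALUE, RANSOMWARE, CANDIDATES)
    print("choose:", chosen.name if chosen else "accept the risk")
```

With these figures the SLE is 300,000 and the ALE 60,000 a year. Offline backups cut the ALE to 10,000 for 15,000 a year (net value 35,000), endpoint detection nets only 5,000, and the full rebuild eliminates the threat but costs 10,000 a year more than the loss it prevents, so it would be rejected even though it is the most "secure" option. That is the point of the final step: the answer to a risk is the control whose benefit exceeds its cost, not the one that reduces risk the most.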

Answer

  • Conduct a cost-benefit analysis. The cost/benefit analysis of the countermeasures (step 6) is the final step; asset valuation, ARO and ALE are all derived in the earlier steps and feed into it.




Question #2 Match the following numbered wireless attack terms with their appropriate descriptions:


Descriptions

  • An attack that relies on an access point to spoof a legitimate access point's SSID and MAC address.

  • The process of using detection tools to find wireless networks.

  • An access point intended to attract new connections by using an apparently legitimate SSID.

  • An attack that retransmits captured communication to attempt to gain access to a targeted system.

Terms

  • Rogue access point

  • Replay

  • Evil twin

  • War driving


Answer

  • Rogue access point: An access point intended to attract new connections by using an apparently legitimate SSID.

  • Replay: An attack that retransmits captured communication to attempt to gain access to a targeted system.

  • Evil twin: An attack that relies on an access point to spoof a legitimate access point's SSID and MAC address.

  • War driving: The process of using detection tools to find wireless networks.
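The matching above is definitional; as an added example that is not part of the original post, the following Python shows how a defender turns those definitions into a check over wireless scan results. It assumes the organisation keeps an inventory of its own access points (BSSID, channel, security type), which is my assumption rather than anything the page states, and the scan records are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # MAC address of the access point, as advertised in its beacons
    channel: int
    security: str   # "OPEN", "WPA2", "WPA3", ...


# Assumed inventory of the organisation's own access points (constructed for the example).
KNOWN_APS: Dict[str, Beacon] = {
    "aa:bb:cc:00:00:01": Beacon("CorpWiFi", "aa:bb:cc:00:00:01", channel=6, security="WPA2"),
    "aa:bb:cc:00:00:02": Beacon("CorpWiFi", "aa:bb:cc:00:00:02", channel=11, security="WPA2"),
}

# Constructed scan results, as a site-survey or war-driving tool would report them.
SAMPLE_SCAN: List[Beacon] = [
    Beacon("CorpWiFi", "aa:bb:cc:00:00:01", 6, "WPA2"),      # legitimate
    Beacon("CorpWiFi", "aa:bb:cc:00:00:02", 11, "WPA2"),     # legitimate
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 1, "OPEN"),      # rogue AP: our SSID, unknown BSSID, open
    Beacon("CorpWiFi", "AA:BB:CC:00:00:01", 1, "WPA2"),      # evil twin: cloned SSID and MAC, wrong channel
    Beacon("CoffeeShop", "11:22:33:44:55:66", 6, "OPEN"),    # unrelated network, ignored
]


def classify_scan(scan: Iterable[Beacon], known: Dict[str, Beacon]) -> List[Tuple[str, str, str]]:
    """Compare observed beacons against the AP inventory.

    Returns (verdict, bssid, reason) for each suspicious beacon:
      rogue_ap  - a managed SSID advertised from a BSSID that is not in the inventory
      evil_twin - a BSSID that is in the inventory but whose SSID, channel or security
                  type differs from the inventory entry (a clone of SSID + MAC that is
                  not also an exact clone of the real AP's radio configuration)
    """
    managed_ssids = {ap.ssid for ap in known.values()}
    findings: List[Tuple[str, str, str]] = []
    for b in scan:
        bssid = b.bssid.lower()   # MAC addresses are compared case-insensitively
        if bssid in known:
            ref = known[bssid]
            mismatches = []
            if b.ssid != ref.ssid:
                mismatches.append(f"ssid {b.ssid!r} != {ref.ssid!r}")
            if b.channel != ref.channel:
                mismatches.append(f"channel {b.channel} != {ref.channel}")
            if b.security != ref.security:
                mismatches.append(f"security {b.security} != {ref.security}")
            if mismatches:
                findings.append(("evil_twin", bssid, "; ".join(mismatches)))
        elif b.ssid in managed_ssids:
            reason = f"unknown BSSID advertising managed SSID {b.ssid!r} ({b.security})"
            findings.append(("rogue_ap", bssid, reason))
    return findings


if __name__ == "__main__":
    for verdict, bssid, reason in classify_scan(SAMPLE_SCAN, KNOWN_APS):
        print(f"{verdict:10s} {bssid}  {reason}")
```

Two caveats a practitioner would want. A twin that clones the SSID, the MAC, the channel and the security type cannot be told apart on beacon contents alone; for that case a wireless IDS falls back on signal strength, beacon timing and similar radio-level clues, which this example does not cover. And the scan itself is the same step an attacker performs when war driving: the tool is neutral, the intent is not.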



Question #3 Under the Digital Millennium Copyright Act (DMCA), what type of offences do not require prompt action by an Internet service provider after it receives a notification of infringement claim from a copyright holder?

  • Storage of information by a customer on a provider’s server

  • Caching of information by the provider

  • Transmission of information over the provider’s network by a customer

  • Caching of information in a provider search engine


The first major provision of the DMCA is the prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder. This clause was designed to protect copy-prevention mechanisms placed on digital media such as compact discs (CD) and DVDs.


The DMCA also limits the liability of ISPs when their circuits are used by criminals violating the copyright law. It recognises that ISPs have a legal status similar to the "common carrier" status of telephone companies and does not hold them liable for the "transitory activities" of their users. To qualify for this exemption, the ISP's activities must meet the following requirements:

  • The transmission must be initiated by a person other than the provider.

  • The transmission, routing, provision of connections, or copying must be carried out by an automated technical process without selection of material by the service provider.

  • The service provider must not determine the recipients of the material.

  • Any intermediate copies must not ordinarily be accessible to anyone other than the anticipated recipients and must not be retained for longer than reasonably necessary.

  • The material must be transmitted with no modification to its content.


Answer

  • Transmission of information over the provider's network by a customer. Transitory network communications are exempt outright, provided the five conditions above are met. The storage, caching and search-engine (information location tool) safe harbours, by contrast, all require the provider to act expeditiously to remove or disable access to the material once it receives a notification of claimed infringement.



Question #4 CloudTAC has offices in both the European Union and the United States and transfers personal information between those offices regularly. They have recently received a request from an EU customer requesting that their account be terminated. Under the GDPR, which requirement for processing personal information states that individuals may request that their data no longer be disseminated or processed?

  • The right to access

  • Privacy by design

  • The right to be forgotten

  • The right of data portability


Some of the key provisions of the GDPR include the following:

  • A data breach notification requirement that obliges controllers to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (and to notify affected individuals without undue delay when the breach is likely to result in a high risk to them)

  • Independent supervisory (data protection) authorities in each EU member state

  • Provisions that individuals will have access to their own data

  • Data portability provisions that will facilitate the transfer of personal information between service providers at the individual's request.

  • The "right to be forgotten" that allows people to require companies to delete their information if it is no longer needed.


Answer

  • The right to be forgotten. The right to be forgotten (the right to erasure) allows an individual to require a controller to stop disseminating and processing their personal data and to delete it when there is no longer a lawful basis for keeping it.



Question #5 Which one of the following is not one of the three common threat modelling techniques?


  • Focused on assets

  • Focused on attackers

  • Focused on software

  • Focused on social engineering


Threat modelling is the security process where potential threats are identified, categorised, and analysed. Threat modelling can be performed as a proactive measure during design and development, or as a reactive measure once a product has been fully deployed. The process identifies

  • the potential harm

  • the probability of occurrence

  • the priority of concern; and

  • the means to eradicate or reduce the threat.


The number of possible threats is almost unlimited, so it is important to use a structured approach to identify the relevant ones accurately. For example, some organisations use one or more of the following three approaches:

  • Focused on assets: This method uses asset valuation results and attempts to identify threats to the valuable assets.

  • Focused on attackers: Some organisations are able to identify potential attackers and can identify the threats they represent based on the attacker's goals.

  • Focused on software: If an organisation develops software, it can consider potential threats against the software.


Answer

  • Focused on social engineering. Social engineering is a category of threat, not a threat-modelling approach; the three common approaches are focused on assets, focused on attackers and focused on software.



Question #6 Which one of the following elements of information is not considered personally identifiable information that would trigger most U.S. state data breach laws?


  • Student identification number

  • Social Security number

  • Driver’s license number

  • Credit card number


In the US, most state data breach notification laws are modelled after California’s law, which covers Social Security number, driver’s license number, state identification card number, credit/debit card numbers, bank account numbers (in conjunction with a PIN or password), medical records, and health insurance information.


** In Germany and other member countries of the EU, IP addresses and MAC addresses are considered PII in some situations.


Answer

  • Student identification number. A student ID number is not among the data elements listed in the California-style breach notification laws; Social Security numbers, driver's license numbers and credit card numbers are.




Question #7 In 1991, the Federal Sentencing Guidelines formalised a rule that requires senior executives to take personal responsibility for information security matters. What is the name of this rule?

  • Due diligence rule

  • Personal liability rule

  • Prudent man rule

  • Due process rule


The Federal Sentencing Guidelines released in 1991 provided punishment guidelines to help federal judges interpret computer crime laws. Three major provisions of these guidelines have had a lasting impact on the information security community.

  • The guidelines formalised the prudent man rule, which requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. This rule, developed in the realm of fiscal responsibility, now applies to information security as well.

  • The guidelines allowed organisations and executives to minimise punishment for infractions by demonstrating that they used due diligence in the conduct of their information security duties.

  • The guidelines outlined three burdens of proof for negligence.

  • First, the person accused of negligence must have a legally recognised obligation.

  • Second, the person must have failed to comply with recognised standards.

  • Finally, there must be a causal relationship between the act of negligence and subsequent damages.


Answer

  • Prudent man rule. The guidelines formalised the prudent man rule, which makes senior executives personally responsible for exercising the due care an ordinary, prudent person would exercise; due diligence is the related but distinct concept of demonstrating that the duties were actually carried out.



Question #8 Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve multi-factor authentication?


  • Username

  • PIN

  • Security question

  • Fingerprint scan


Multi-factor authentication is any authentication using two or more factors. The three basic methods of authentication are also known as types or factors. They are as follows:

  • Type 1: A Type 1 authentication factor is something you know. Examples include a password, personal identification number (PIN), or passphrase.

  • Type 2: A Type 2 authentication factor is something you have. Physical devices that a user possesses can help them provide authentication. Examples include a smart-card, hardware token, memory card, or USB drive.

  • Type 3: A Type 3 authentication factor is something you are or something you do. It is a physical characteristic of a person identified with different biometrics. Examples in the something you are category include fingerprints, voice prints, retina patterns, iris patterns, face shapes, palm topology, and hand geometry. Examples in the something-you-do category include signature and keystroke dynamics, also known as behavioural biometrics.

These types are progressively stronger when implemented correctly, with Type 1 being the weakest and Type 3 being the strongest.


In addition to the three primary authentication factors, there are some others:

  • Somewhere You Are: Identifies a subject's location based on a specific computer, a geographic location identified by an IP address, or a phone number identified by caller ID.

  • Context-Aware Authentication: Many mobile device management (MDM) systems use context-aware authentication to identify mobile device users. It can identify multiple elements such as the location of the user, the time of day, and the mobile device.


Answer

  • Fingerprint scan. A fingerprint is a Type 3 factor (something you are), so pairing it with a password (Type 1) gives genuine two-factor authentication. A PIN and a security question are both Type 1, the same factor as the password, so they add a second credential but not a second factor, and a username is identification, not authentication.



Question #9 What United States government agency is responsible for administering the terms of privacy shield agreements between the European Union and the United States under the EU GDPR?

  • Department of Defence

  • Department of the Treasury

  • State Department

  • Department of Commerce


The GDPR restricts transfers of personal data to countries outside the EU: a transfer is lawful only on the basis of an adequacy decision by the European Commission, appropriate safeguards (such as standard contractual clauses or binding corporate rules), or one of a narrow set of derogations.

The European Commission and the U.S. government developed the EU-US Privacy Shield programme to replace a previous programme, known as the "Safe Harbor program", after the Court of Justice of the EU invalidated Safe Harbor in 2015 (Schrems I). The Court invalidated the Privacy Shield adequacy decision in turn on 16 July 2020 (Schrems II), so it can no longer be relied on as a lawful basis for EU-US transfers, although it still appears in exam material.


Organisations self-certified, through the U.S. Department of Commerce, that they complied with the Privacy Shield principles. These principles are summarised as follows:

  • Notice: An organisation must inform individuals about the purposes for which it collects and uses information about them.

  • Choice: An organisation must offer individuals the opportunity to opt out.

  • Accountability for Onward Transfer: Organisations can only transfer data to other organisations that comply with the Notice and Choice principles.

  • Security: Organisations must take reasonable precautions to protect personal data.

  • Data Integrity and Purpose Limitation: Organisations should only collect data that is needed for processing purposes identified in the Notice principle. Organisations are also responsible for taking reasonable steps to ensure that personal data is accurate, complete, and current.

  • Access: Individuals must have access to personal information an organisation holds about them. Individuals must also have the ability to correct, amend, or delete information, when it is inaccurate.

  • Recourse, Enforcement, and Liability: Organisations must implement mechanisms to ensure compliance with the principles and provide mechanisms to handle individual complaints.

Answer

  • Department of Commerce. The U.S. Department of Commerce administered the Privacy Shield framework and maintained the list of self-certified organisations.



Question #10 You are the chief privacy officer for a financial institution and are researching privacy issues related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?

  • GLBA

  • SOX

  • HIPAA

  • FERPA


GLBA (Gramm-Leach-Bliley Act)

  • Under the GLBA, financial institutions must provide their clients a privacy notice that explains what information the company gathers about the client, where this information is shared, and how the company safeguards that information. This privacy notice must be given to the client prior to entering into an agreement to do business. There are exceptions to this when the client accepts a delayed receipt of the notice in order to complete a transaction on a timely basis. This has been somewhat mitigated due to online acknowledgement agreements requiring the client to read or scroll through the notice and check a box to accept terms.

  • The privacy notice must also explain the customer's opportunity to 'opt out'. Opting out means the client can say "no" to having their information shared with non-affiliated third parties. The client cannot opt out of:

  • Information shared with service providers and joint-marketing partners that perform services for the financial institution

  • Marketing of products or services by the financial institution

  • Disclosures that are legally required.

  • Under the GLBA Safeguards Rule, each financial institution must also maintain a written information security programme with administrative, technical and physical safeguards appropriate to its size and to the sensitivity of the customer information it holds.

SOX (Sarbanes-Oxley Act)

  • Applies to all public companies that have registered equity or debt securities with the Securities and Exchange Commission (SEC). The U.S. government passed it in response to several high-profile financial scandals that resulted in the loss of billions of shareholder dollars.

  • A segregation of duties policy, for example, is highly relevant for any company that must abide by the Sarbanes-Oxley Act (SOX).

HIPAA (Health Insurance Portability and Accountability Act of 1996)

  • This act made numerous changes to laws governing health insurance and health maintenance organisations (HMOs). Among the provisions of HIPAA are privacy and security regulations requiring strict security measures for hospitals, physicians, insurance companies, and other organisations that process or store private medical information about individuals.

  • HIPAA also clearly defines the rights of individuals who are the subject of medical records and requires organisations that maintain such records to disclose these rights in writing.


FERPA (Family Educational Rights and Privacy Act)

  • FERPA is another specialised privacy law that affects any educational institution that accepts any form of funding from the federal government. It grants certain privacy rights to students aged 18 or older (or attending a postsecondary institution) and to the parents of minor students. Specific FERPA protections include the following:

  • Parents/students have the right to inspect any educational records maintained by the institution on the student.

  • Parents/students have the right to request correction of records they think are erroneous and the right to include a statement in the records contesting anything that is not corrected.

  • Schools may not release personal information from student records without written consent, except under certain circumstances.


Answer

  • GLBA. The Gramm-Leach-Bliley Act governs how financial institutions handle customers' non-public personal information, which is exactly what checking account privacy is about. SOX covers financial reporting controls at public companies, HIPAA covers health information and FERPA covers student education records.


© 2021 by CloudTAC