Questions from the following topics are included in this domain:
To pass the Certified Information Systems Security Professional (CISSP) exam, you need to score well in the Security and Risk Management domain. Domain 1 carries a 15% weighting on the exam and requires you to understand professional ethics, apply security concepts, apply security governance principles, and see the big picture when it comes to compliance with laws, regulations, industry standards, and contractual obligations. Understanding privacy requirements and keeping your customers' data protected is also of major importance.
A breach may trigger an administrative, criminal, civil, or regulatory investigation, each with its own evidence-handling and burden-of-proof requirements, and the security professional must be prepared for all of them. Well-defined management policies help reduce the risk of damage and litigation arising from incidents and other security threats.
Knowing how to conduct a business impact analysis (BIA) and understanding business continuity requirements are also important for Domain 1. Mastering this domain puts you a step ahead in preparing for the entire exam, because its concepts underpin the other seven domains.
A. Confidentiality
B. Integrity
C. Availability
D. Safety
A. Shareholders
B. Management
C. Users
D. Humanity
A. Password
B. Facial photo
C. Media access control (MAC) address
D. Internet Protocol (IP) address
A. Data owner
B. Data subject
C. Data custodian
D. Data processor
A. Scour the dark web for the credentials.
B. Recover the login details from 1999 backup tapes.
C. Continue emailing technical support.
D. Give up—he has done everything he can do.
A. Only with the sponsorship of another (ISC)²-certified individual
B. By emailing ethics@isc2.org
C. Through the (ISC)² ethics web page
D. In a typed or handwritten letter
A. Due diligence
B. Due process
C. Due care
D. Regulatory requirements
A. Policies
B. Procedures
C. Standards
D. Guidelines
A. The IT Infrastructure Library (ITIL)
B. The Committee of Sponsoring Organizations (COSO)
C. International Organization for Standardization (ISO) 27001
D. Control Objectives for Information and Related Technologies (COBIT)
A. The National Institute of Standards and Technology (NIST)
B. ITIL
C. COSO
D. The Payment Card Industry Data Security Standard (PCI-DSS)
A. The KPI is 60%, and the KGI is $600,000.
B. The KPI is $600,000, and the KGI is 60%.
C. The KPI is $600,000, and the KGI is $600,000.
D. The KPI is -$400,000, and the KGI is $1,000,000.
A. ISO 27001
B. ISO 27002
C. ISO 27003
D. ISO 27004
A. Collusion
B. Miscalculation of taxes
C. Miscalculation of expenses
D. Miscalculation of net income
A. Implement countermeasures
B. Implement business continuity
C. Implement job rotation
A. Total cost of ownership (TCO)
B. Return on investment (ROI)
C. Recovery point objective (RPO)
D. Recovery time objective (RTO)
A. Due diligence principle
B. Due care principle
C. Prudent person principle
D. Measured negligence rule
A. Common access card (CAC)
B. Password
C. Mother's maiden name
D. His birthday
A. Thank Bud for being a great spy.
B. Get feedback directly from the customer.
C. Immediately transfer Percy to the Detroit office.
D. Follow corporate policies on staff management.
A. Non-disclosure agreement (NDA)
B. Contract
C. Intellectual property (IP)
D. Acceptable use policy (AUP)
A. The Federal Trade Commission (FTC)
B. Health Insurance Portability and Accountability Act (HIPAA)
C. General Data Protection Regulation (GDPR)
A. Cloud Security Alliance Security, Trust, Assurance, and Risk (CSA STAR)
B. Azure certification
A. The PCI-DSS is a contractual agreement between the store owner and the credit card provider. At worst, the owner will lose the right to accept credit cards.
B. The PCI-DSS is a federal regulation, violations of which are punishable by up to 5 years in federal prison.
C. The PCI-DSS is an industry standard. At worst, the owner will lose their credit card license.
D. The PCI-DSS is a legal standard, violations of which are punishable by up to 5 years in state prison.
A. Key risk indicator (KRI)
B. KGI
C. KPI
D. Service-level agreement (SLA)
A. Malware
B. Ransomware
C. Denial of Service (DoS)
D. Man in the Middle (MitM)
A. Social engineering
B. Sextortion
C. Ransomware
D. Spam
A. Disable File Transfer Protocol (FTP) and Telnet services
B. Install the latest security update patches
C. Remove default logins and passwords
D. Implement security-hardening standards
A. Have employees sign an NDA
B. Install DLP
C. Install an internal proxy server
D. Have guards scan workers' briefcases when they leave for the day
A. Add radio-frequency identification (RFID) to books.
B. Security guards
C. Dummy cameras
D. Security cameras
A. Chosen plaintext
B. Known ciphertext
C. Chosen ciphertext
D. Known plaintext
A. Privacy policy (PP)
B. Terms of service (ToS)
C. Guard dog
D. Beware of dog sign
A. Risk mitigation
B. Risk transference
C. Risk avoidance
D. Risk acceptance
A. $10,000
B. $5,000
C. $2,000
D. $1,000
A. Quantitative
B. Qualitative
C. Likelihood
D. Impact
A. Senior management
B. Security director
C. Security personnel
D. Systems administrator
A. Use stronger watermarking procedures so that her images are not cloned.
B. Consider that the SGI News posting gives her free publicity.
C. Contact her lawyer to take immediate legal action.
D. Submit a Digital Millennium Copyright Act (DMCA) takedown request to the hosting provider.
A. Phishing
B. Spear phishing
C. Business email compromise (BEC)
D. Whaling
A. Email account compromise (EAC)
B. Spear phishing
C. Phishing
D. Whaling
A. Add additional firewall rules
B. Implement training on spam and phishing attacks
C. Modify the SpamAssassin rules
D. Modify the external proxy server
A. RPO
B. RTO
C. Maximum tolerable downtime (MTD)
D. Work recovery time (WRT)
A. Business Continuity Planning (BCP)
B. Disaster Recovery Planning (DRP)
C. Incident Response Planning (IRP)
D. BIA
A. MitM
B. DoS
C. Social engineering
D. Doxxing
A. Mandatory vacation as part of a healthy worker campaign
B. Mandatory vacation to help expose fraud
C. Mandatory vacation because she clicked a phishing email
D. Mandatory vacation as part of a disaster recovery (DR) simulation
A. Risk = Likelihood * Exposure
B. Risk = Threat/Vulnerability
C. Risk = Threat * Vulnerability
D. Risk = Exposure * Impact
A. Mirrored site
B. Hot site
C. Warm site
D. Cold site
B. Use of physical controls
C. Proper use of technical controls
D. Combining administrative, technical, and physical controls
A. Recovery
B. Deterrent
C. Detective
D. Preventative
A. Implement the website once certain there is no risk of attack.
B. Implement the website after the CMO collects research on securing websites.
C. Implement the website and secure it within acceptable risk levels.
D. Listen to the CSO and do not implement the website.
A. 800-50
B. 800-51
C. 800-52
D. 800-53
A. Advanced persistent threat (APT)
B. Script kiddie
C. Ethical hacker
D. Internal threat
A. Arms Agreement
B. Wassenaar Arrangement
C. Dual-Use Agreement
D. Import/Export Law
A. Contract
B. Administrative
C. Civil
D. Criminal
A. Trade secret
B. Patent
C. Copyright
D. Trademark
A. Shareware
B. Commercial
C. End-user license agreement (EULA)
D. Academic
A. DMCA
B. EULA
C. Privacy Act
D. Business Software Alliance (BSA)
A. Policies
B. Procedures
C. Standards
D. Guidelines
A. Support costs
B. Cost to replace the unit
C. Cost of maintenance
D. Asset cost
A. Safeguards
B. Vulnerabilities
C. Exposure factor
D. Risk
A. Management
B. Operational
C. Technical
D. Logical
A. Procedures are the same as written directions.
B. Strategic documents would be considered policies.
C. Guidelines contain step-by-step instructions that must be followed.
D. Standards can define KPIs.
A. Mitigation
B. Avoidance
C. Transfer
D. Acceptance
A. Requirements, planning, design, test, develop, production, disposal
B. Planning, requirements, design, develop, test, production, disposal
C. Design, develop, requirements, planning, test, production, disposal
D. Planning, design, requirements, test, develop, production, disposal
A. Configure switch settings
B. Maintain the firewall
C. Encrypt transmission of credit card transactions
D. Use antivirus software
A. Report the supervisor to human resources (HR).
B. File a civil lawsuit.
C. Nothing—she waived her rights to phone privacy while at work.
D. Contact the police or federal authorities and open a criminal case.
A. Health and Human Services (HHS)
B. Health Information Technology for Economic and Clinical Health Act (HITECH)
C. HIPAA
D. Personal health information (PHI)
A. The government will press charges against the CEO.
B. Conflicts are managed under PCI-DSS agreements, not the government.
C. Conflicts are managed under ISO or NIST certification, not the government.
D. Conflicts are managed under GDPR laws, so there will only be fines.
A. Transfer
B. Acceptance
C. Division
D. Avoidance
A. Patent
B. Trade secret
C. Copyright
D. Trademark
A. Conclusive
B. Admissible
C. Hearsay
D. Best evidence
A. Auditor
B. Chief information security officer (CISO)
C. Information security manager (ISM)
D. Data owner
A. Evidence handling
B. Security information and event management (SIEM)
C. Intrusion detection system (IDS)
D. Incident response policy
A. Full interruption test
B. Parallel test
C. Tabletop test
D. Checklist test
A. Confidential, private, sensitive, public
B. Top-secret, secret, confidential, unclassified
C. Highly sensitive, sensitive, classified, unclassified
D. Top-secret, secret, classified, unclassified
A. Data owner
B. Data custodian
C. Data subject
D. Data auditor
A. DLP system
B. Fencing
C. Security guards
D. NDA
A. Fuzzing
B. DoS
C. Malware
D. Input validation
A. SoD
B. Collusion
C. Privilege creep
D. Least privilege
A. Retinal scan
B. Username
C. Palm vein scan
D. CAC
A. Risk assessment
B. Risk mitigation
C. Risk acceptance
D. Risk avoidance
A. Consultant
B. Contractor
C. Employee
D. Computer
A. Financial credit for downtime
B. Alpha services
C. Covered service
D. Service-level objectives (SLOs)
A. Fingerprinting
B. Encryption
C. Non-repudiation
D. Hashing
A. Computer users
B. Everyone
C. Senior executives
D. Security teams
A. Make sure prospects pass lie-detector screening.
B. Conduct thorough background checks.
C. Follow the employment candidate-screening process.
D. Perform drug screenings.
A. NCAs are illegal.
B. Courts value a citizen's right to earn a reasonable income.
C. Competition is covered in the NDA.
D. NCAs are always enforceable.
A. HR
B. Security
C. Engineering
D. Finance
A. Last week's paycheck
B. Smart card
C. Corporate smartphone
A. Sunk costs
B. Computer
C. Trademark
D. Staff
A. Safeguard
B. Exposure
C. Risk
D. Breach
A. Pandemics
B. Malware
C. Clear text
D. Disgruntled employees
A. Can assist in defining the scope and purpose of risk assessments
B. Categorizes and prioritizes assets
C. Helps in defining acceptable levels of risk
D. Years of experience in bringing organizations' risk to zero
A. Annual rate of occurrence (ARO)
B. Single loss expectancy (SLE)
C. ALE
D. Annual cost of a safeguard (ACS)
A. Cost versus benefit analysis
B. Educated guesses
C. Opinions considered
D. Multiple experts
A. 800-35
B. 800-36
C. 800-37
D. 800-38
A. When risk reaches an acceptable level
B. When the asset becomes unusable
C. After purchasing insurance for the asset
D. When the risk is reduced to zero
A. Malware
B. Phishing attacks
C. Shadow IT
D. Password management
A. Self-help
B. Delegation of IT
C. Policy violation
D. Shadow IT
A. Zed trust
B. No trust
C. Zero trust
D. Null trust
A. Awareness
B. Education
C. Training
D. Birds of a feather (BOAF) sessions
A. People
B. Network
C. Server room
D. Cash
A. Contact the electric company.
B. Check the fuse box.
C. Follow the DRP plan.
D. Follow the BCP plan.
Reference: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST Special Publication 800-122, McCallister, Grance, Scarfone, Apr 2010.
SLE = AV * EF = $2,000 * 50% = $1,000
ARO = 5
ALE = SLE * ARO = $1,000 * 5 = $5,000
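The SLE/ALE arithmetic above is the building block of a quantitative risk assessment; what the exam actually expects you to reason about is how those numbers drive the choice between mitigating, accepting, or transferring a risk. The following is an added example, not part of the original practice test, that carries the page's formulas (SLE = AV * EF, ALE = SLE * ARO) through to a safeguard cost/benefit calculation, (ALE before) - (ALE after) - ACS, and then picks a treatment. The $2,000 / 50% / ARO 5 case reproduces the page's worked answer; the safeguard cost, the post-control ARO, the rare-event case, and the risk-appetite threshold are constructed inputs for illustration.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added example, not from the original page. All safeguard costs, post-control
AROs and the acceptable-ALE threshold below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    aro: float              # ARO, expected occurrences per year (may be < 1)

    def __post_init__(self) -> None:
        # Guard against the classic mistakes: EF entered as "50" instead of
        # 0.5, or a negative ARO. A rare event is a fractional ARO, not zero.
        if self.asset_value < 0:
            raise ValueError("AV must be non-negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.aro < 0:
            raise ValueError("ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: dollar loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected dollar loss per year."""
        return self.sle * self.aro


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Cost/benefit of a control: (ALE before) - (ALE after) - ACS.

    A positive result means the control prevents more loss than it costs;
    a negative result means the organization is paying more for the control
    than the risk it removes is worth.
    """
    if annual_cost < 0:
        raise ValueError("ACS must be non-negative")
    return before.ale - after.ale - annual_cost


def choose_treatment(before: Risk, after: Risk, annual_cost: float,
                     acceptable_ale: float) -> str:
    """Map the numbers onto the four standard risk-treatment options.

    The decision order mirrors how the domain frames it: risk already within
    appetite is accepted; a control that pays for itself is mitigation; an
    uneconomic control points to transfer (insurance) or avoidance.
    """
    if before.ale <= acceptable_ale:
        return "accept"
    if safeguard_value(before, after, annual_cost) >= 0:
        return "mitigate"
    return "transfer-or-avoid"


# Constructed cases. The first reproduces the page's worked answer.
PAGE_CASE = Risk(asset_value=2_000, exposure_factor=0.50, aro=5)
PAGE_CASE_AFTER = Risk(asset_value=2_000, exposure_factor=0.50, aro=1)  # assumed post-control ARO
PAGE_CASE_ACS = 1_500.0                                                 # assumed annual safeguard cost

# A rare but expensive event: once every ten years is ARO = 0.1, not 0.
RARE_CASE = Risk(asset_value=100_000, exposure_factor=0.25, aro=0.1)
RARE_CASE_AFTER = Risk(asset_value=100_000, exposure_factor=0.25, aro=0.05)
RARE_CASE_ACS = 4_000.0   # assumed: control costs more than the ALE it removes

ACCEPTABLE_ALE = 1_000.0  # assumed risk appetite


if __name__ == "__main__":
    for label, before, after, acs in (
        ("page case", PAGE_CASE, PAGE_CASE_AFTER, PAGE_CASE_ACS),
        ("rare case", RARE_CASE, RARE_CASE_AFTER, RARE_CASE_ACS),
    ):
        print(f"{label}: SLE=${before.sle:,.0f} ALE=${before.ale:,.0f} "
              f"safeguard value=${safeguard_value(before, after, acs):,.0f} "
              f"-> {choose_treatment(before, after, acs, ACCEPTABLE_ALE)}")
```

For the page's figures the control is worth buying: it cuts ALE from $5,000 to $1,000 for $1,500 a year, a net $2,500 benefit. For the rare-event case the control costs $4,000 to remove $1,250 of annual loss, so transferring the residual risk (for example through insurance) or avoiding the activity is the better answer, even though the asset is far more valuable.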
Reference: Contingency Planning Guide for Federal Information Systems, NIST Special Publication 800-34 Revision 1, Swanson et al., May 2010.