100% satisfaction guarantee Immediately available after payment Both online and in PDF No strings attached
logo-home
CISSP Exam Review. 100% Mastery of concepts. Approved. $10.49   Add to cart

Exam (elaborations)

CISSP Exam Review. 100% Mastery of concepts. Approved.

 2 views  0 purchase
  • Course
  • Institution

CISSP Exam Review. 100% Mastery of concepts. Approved. CIA Triangle - -Cornerstone of infosec. Confidentiality, Integrity, Availability Confidentiality (CIA Triangle) - -prevention of unauthorized disclosure of information; prevention of unauthorized read access to data Integrity (CIA Tr...

[Show more]

Preview 4 out of 31  pages

  • February 21, 2023
  • 31
  • 2022/2023
  • Exam (elaborations)
  • Questions & answers
avatar-seller
CISSP Exam Review. 100% Mastery of
concepts. Approved.

CIA Triangle - ✔✔-Cornerstone of infosec. Confidentiality, Integrity, Availability



Confidentiality (CIA Triangle) - ✔✔-prevention of unauthorized disclosure of information; prevention of
unauthorized read access to data



Integrity (CIA Triangle) - ✔✔-prevention of unauthorized modification of data; prevention of
unauthorized write access to data



Availability (CIA Triangle) - ✔✔-ensures data is available when needed to authorized users



Opposing forces to CIA - ✔✔-DAD: disclosure, alteration, destruction



identification - ✔✔-the process by which a subject professes an identity and accountability is initiated;
ex: typing a username, swiping a smart card, waving a proximity device (badging in), speaking a phrase,
etc - always a two step process with authenticating



authentication - ✔✔-verification that a person is who they say they are; ex: entering a password or PIN,
biometrics, etc - always a two step process with identifying



authorization - ✔✔-verification of a person's access or privileges to applicable data



auditing (monitoring) - ✔✔-recording a log of the events and activities related to the system and
subjects



accounting (accountability) - ✔✔-reviewing log files to check for compliance and violations in order to
hold subjects accountable for their actions

,non-repudiation - ✔✔-a user cannot deny having performed a specific action



subject - ✔✔-an entity that performs active functions to a system; usually a person, but can also be
script or program designed to perform actions on data



object - ✔✔-any passive data within the system



ISC2 Code of Ethics Canons (4) - ✔✔-1. protect society, commonwealth, infrastructure

2. act honorably, justly, responsibly, legally

3. provide diligent and competent service

4. advance and protect the profession



strictly applied in order; exam questions in which multiple canons could be the answer, choose the
highest priority per this order



policy - ✔✔-mandatory high level management directives; components of policy



1. purpose: describes the need for policy

2. scope: what systems, people, facilities, organizations are covered

3. responsibilities: specific duties of involved parties

4. compliance: effectiveness of policy, violations of policy



procedure - ✔✔-low level step by step guide for accomplishing a task



standard - ✔✔-describes the specific use of technology applied to hardware or software; mandatory



guideline - ✔✔-discretionary recommendations (e.g. not mandatory)

,baseline - ✔✔-a uniform way of implementing a standard



3 access/security control categories - ✔✔-1. administrative: implemented by creating org policy,
procedure, regulation. user awareness/training also fall here

2. technical: implemented using hardware, software, firmware that restricts logical access to a system

3. physical: locks, fences, walls, etc



preventive access control

(can be administrative, technical, physical) - ✔✔-prevents actions from occurring by applying restrictions
on what a user can do. example: privilege level



detective access control

(can be administrative, technical, physical) - ✔✔-controls that alert during or after a successful attack;
alarm systems, or closed circuit tv



corrective access control

(can be administrative, technical, physical) - ✔✔-repairing a damaged system; often works hand in hand
with detective controls (e.g. antivirus software)



recovery access control

(can be administrative, technical, physical) - ✔✔-controls to restore a system after an incident has
occurred;



deterrent access control

(can be administrative, technical, physical) - ✔✔-deters users from performing actions on a system



compensating access control

(can be administrative, technical, physical) - ✔✔-additional control used to compensate for weaknesses
in other controls as needed

, risk formula - ✔✔-risk = threat x vulnerability x impact



market approach (for calculating intangible assets) - ✔✔-assumes the fair value of an asset reflects the
price which comparable assets have been purchased in transactions under similar circumstances



income approach (for calculating intangible assets) - ✔✔-the value of an asset is the present value of the
future earning capacity that an asset will generate over the rest of its lifecycle



cost approach (for calculating intangible assets) - ✔✔-estimates the fair value based on cost of
replacement



exposure factor (EF) - ✔✔-percentage of value the asset lost due to incident



single loss expectancy (SLE) - ✔✔-asset value (AV) times exposure factor

AV x EF = SLE

expressed in a dollar value



annual rate of occurrence (ARO) - ✔✔-number of losses suffered per year



annualized loss expectancy (ALE) - ✔✔-yearly cost due to risk

SLE x ARO = ALE



legally defensible security - ✔✔-to obtain legal restitution a company must demonstrate a crime was
committed, suspect committed that crime, and took reasonable efforts to prevent the crime



files are accurate, policy in place, proper authentication, compliance with laws and regulation



layering (defense in depth) - ✔✔-the use of multiple controls in a series (one after another, linearly); no
one control can protect against all possible threats;

The benefits of buying summaries with Stuvia:

Guaranteed quality through customer reviews

Guaranteed quality through customer reviews

Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.

Quick and easy check-out

Quick and easy check-out

You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.

Focus on what matters

Focus on what matters

Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!

Frequently asked questions

What do I get when I buy this document?

You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.

Satisfaction guarantee: how does it work?

Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.

Who am I buying these notes from?

Stuvia is a marketplace, so you are not buying this document from us, but from seller QuickPass. Stuvia facilitates payment to the seller.

Will I be stuck with a subscription?

No, you only buy these notes for $10.49. You're not tied to anything after your purchase.

Can Stuvia be trusted?

4.6 stars on Google & Trustpilot (+1000 reviews)

77254 documents were sold in the last 30 days

Founded in 2010, the go-to place to buy study notes for 14 years now

Start selling
$10.49
  • (0)
  Add to cart