CISMP

All information from BCS, the Chartered Institute for IT, revision resources for the BCS Foundation Certificate in Information Security Management Principles (CISMP). I make no claim to this being my own information.

Confidentiality
⎻ Information not disclosed to unauthorised entities unless access is legitimate.

Integrity
⎻ Ensuring completeness and accuracy of information.

Availability
⎻ Accessible and usable when and where required.

Non-repudiation
⎻ Unforgeable proof that an action took place.

Cyber security
⎻ Ensuring networks, systems and information are protected in cyberspace.

Assets
⎻ Things that have value.

Asset types
⎻ Information, physical and software.

Asset value
⎻ Financial, reputational, public image.

Asset valuation
⎻ The process of establishing the value of assets.

Threat
⎻ Something having the potential to do harm.

Vulnerability
⎻ A weakness in an asset or control.

Control
⎻ Something used to manage (treat) risk.

Impact
⎻ The damage a threat can cause (also consequence).

Likelihood
⎻ The chance that something will happen.

Risk
⎻ The combination of impact and likelihood.

Risk appetite and risk tolerance
⎻ The amount of risk an organisation is willing to bear.

Information security policy
⎻ Document detailing how an organisation views the management of its information.
The types, uses and purposes of controls
1) Strategic
• Avoid/Terminate, Share/Transfer, Reduce/Modify, Accept, Tolerate.

2) Tactical
• Detective, Corrective, Preventative, Directive.

3) Operational
• Physical, Procedural/People, Technical.

Defence in depth
⎻ Multiple methods of protection within a system rather than a single method.

Defence in breadth
⎻ Security at the application level.

Identity, authentication, authorisation and accounting
⎻ Who are you? Prove it. What are you allowed to access? Show an audit trail.

Accountability
⎻ Tracing actions to a unique entity.

Audit
⎻ A process for objective evaluation.

Compliance
⎻ Ensuring policy is being followed.

Information security professionalism and ethics
⎻ The expectations, behaviours and standards expected of people working in information security.

The Information Security Management System (ISMS) concept
⎻ A systematic approach used to establish, implement, operate, monitor, review, maintain and improve an organisation’s information security.

Information assurance
⎻ Confidence that information systems can protect an organisation’s information security.

Information governance
⎻ The overarching strategy for information management based on understanding risks.
Risk = ? * ?
Risk = Impact * Likelihood

Threats and vulnerabilities help determine what?
The likelihood that an impact will occur.

Fill in the blanks:

? act on the ? of ?, resulting in ? or ?.
Threats act on the vulnerabilities of assets, resulting in impacts or consequences.

What does threat intelligence and sharing allow organisations to do?
It allows organisations to discover and share threat and vulnerability information, but must take account of the speed of change of threats and the need for a timely response.

What do WARPs and CERTs stand for, and what are they used for?
Warning, Advice & Reporting Points (WARPs) and Computer Emergency Response Teams (CERTs) are typical freely available sources. They are used in gathering threat intelligence information.

Threat categorisation
- Understanding the difference between different types of threats, such as accidental, deliberate, internal and external threats, and anticipating that threats may arise from unexpected sources.

Accidental threats
- Hazards, which are generally environmental in nature, e.g. pandemics; human errors; simple failures of systems and software; fires, floods and power failures. Accidental threats are frequently things that the organisation cannot avoid, but must antic

Deliberate threats
- Hacking; malicious software; sabotage, e.g. DDoS attacks and cyber terrorism, whether by individual groups or nation states; high-tech crime, either by individuals, corporations or criminal gangs. Again, anticipation is the key factor.

3 other sources of threats?
Dark Web, vulnerabilities of Big Data and IoT

What threats do the Dark Web, Big Data and IoT pose, and why/how?
1) They threaten our privacy and security.
2) Some of these arise from poor application security, whilst others are simply an attractive target for attackers.
3) As with accidental threats, they can introduce new threats which may not have been previously exp

Sources of unintentional threat
– Internal employees and contractors, trusted partners; poor software design, weak procedures and processes, managed services and social media. Unintentional threats are frequently the result of failing to follow procedures or cutting corners in order

Sources of deliberate threat
– Internal (possibly disgruntled) employees and contractors, trusted partners, random attackers, targeting attackers, especially where there is a strong motive. Part of the art of risk management is understanding the likely motivations of attackers, wh
Vulnerability categorisation
– Such things as weaknesses or design failures in both software and hardware, location of or poor design of buildings and facilities, people who may be susceptible to coercion, and undocumented, poorly written or unenforced procedures. As with threats,

What specific information types pose vulnerabilities to security?
1) personal computers
2) laptops
3) hand-held devices such as tablets and smartphones
4) uncontrolled ‘Bring Your Own Device’ usage
5) system servers
6) network devices
7) wireless systems
8) web servers and email systems

Do you treat all vulnerabilities of specific information types the same? If so, why? If not, why not?
All specific information types pose quite specific vulnerabilities, many of which can be treated in similar ways, although one size rarely fits all.

If there is no threat or vulnerability, there is no what?
Risk

Three things contribute to overall risk; what are they?
Threats, vulnerabilities and asset value

All threats should be impact assessed in terms of the loss of confidentiality, integrity or availability. This is to avoid what 4 things?
Service failures, financial loss, brand damage or loss of customer confidence.

Impact assessments should be conducted with whom, and why?
Impact assessments should be conducted with the information owner to ensure that the true impacts are identified, not what another person thinks they may be.

What are the 5 steps in the risk management process?
⎻ Define the context in which the organisation operates.
⎻ Identify the risks.
⎻ Analyse them for level of risk.
⎻ Evaluate them for criticality.
⎻ Treat them.

After the risk management process, what other two steps are required for best practice in understanding and managing information risk?
• Communicate (reporting) with stakeholders throughout.
• Monitor and review regularly.

What does 'avoid or terminate the risk' mean?
Don’t do it or stop doing it – but this may introduce additional risks.

Share or transfer the risk to whom? Who retains ownership?
To a third party, e.g. insurance, but retain overall ownership.

How do you reduce or modify the risk?
Use controls to change the impact or the likelihood.

Why would you accept the risk?
If none of the other options are workable or if they cannot reduce it further. Review the risk periodically, but never ignore the risk.
Detective controls
Discovering what has happened or is happening, such as antivirus software, CCTV.

Preventative controls
Measures to prevent something from happening, such as barriers, guards.

Directive controls
Issuing instructions to prevent or respond, such as policies and procedures.

Corrective controls
Measures to fix a problem, such as installing corrective software.

Tactical methods of risk treatment?
1) Detective controls
2) Preventative controls
3) Directive controls
4) Corrective controls

Operational types of controls?
1) Physical controls
2) Procedural/personal controls
3) Technical controls

Physical controls
Such as security barriers and access control systems.

Procedural/personal controls
Such as enforced password updates, firewall rule sets.

Technical controls
Such as intrusion detection/prevention systems, file or disk level encryption.

Types of impact assessment and likelihood assessment?
• Qualitative (subjective assessment) – using terms such as low, medium, high.
• Quantitative (objective assessment) – using numerical values such as currency, number of customers lost, time to recover.
• Semi-quantitative – relating each of the terms low

Governance
Governance oversight is a high-level activity which must be undertaken by senior management, and also be seen to be undertaken, since a lack of this will reduce the effectiveness of the whole process.
Data protection has been enshrined in law in the UK since ? and updated in ?
1998
2018

What does data protection define 'personal data' as?
Name, age, address; and ‘sensitive personal data’, e.g. racial or ethnic origin, religious beliefs.

What does GDPR require an organisation to understand about 'personal data'?
Under GDPR, an organisation needs to understand how 'personal data' is protected, whether in use or at rest.

Can employers monitor or surveil employee activity, and intercept and record communications?
Yes, they can. However, it must be documented in employees' contracts or acceptable use policies, or be required to satisfy regulatory requirements, especially when financial transactions are taking place.

Are employees and customers entitled to know they are being monitored?
Yes, employees (and customers) are entitled to know if they are being monitored, why, and what happens to the information.

What requirements can cause record retention?
Financial services, and communications data for satisfying the requirements of law enforcement agencies.

Why was the Computer Misuse Act 1990 introduced?
It was introduced following the hacking of the Duke of Edinburgh’s Prestel mailbox by Steve Gold and Robert Schifreen.

What Act were Steve Gold and Robert Schifreen originally charged under?
All charges were of 'forgery' contrary to Section 1 of the Forgery & Counterfeiting Act 1981. They were convicted, but cleared on appeal.

Who paved the way for the Computer Misuse Act 1990, and how?
John Austen of the Metropolitan Police set up the Met’s Computer Crime Unit, which paved the way for the Computer Misuse Act 1990.

What are the common concepts of computer misuse under the 1990 Act?
Hacking, identity theft, fraudulent communications and unauthorised use of computers and systems.

Why do Intellectual Property Rights (IPR) exist, and whom and what do they protect?
Intellectual Property Rights (IPR) exist to protect authors or creative artists against fraudulent use of their work, such as literary, dramatic, musical and artistic works.

Copyright and registered trade marks are used to identify what?
They are used to identify that the material is legally protected.

What is the definitive legal instrument for UK copyright law?
The Copyright, Designs and Patents Act 1988

What does FAST stand for?
The Federation Against Software Theft (FAST)

What are the aims of FAST?
The Federation Against Software Theft (FAST) aims to ensure that organisations and individuals use only licensed software, as software is considered to be a literary work.
