
Summary of Exam Objectives

Information security governance assures that an organization has the correct information structure, leadership, and guidance. Governance helps assure that a company has the proper administrative controls to mitigate risk. Risk Analysis (RA) helps ensure that an organization properly identifies, analyzes, and mitigates risk. Accurately assessing risk, and understanding terms such as Annualized Loss Expectancy, Total Cost of Ownership, and Return on Investment will not only help you in the exam, but also help advance your information security career.

An understanding and appreciation of legal systems, concepts, and terms are required of an information security practitioner working in the information-centric world today. The impact of the ubiquity of information systems on legal systems cannot be overstated. Whether the major legal system is Civil, Common, Religious, or a hybrid, information systems have made a lasting impact on legal systems throughout the world, causing the creation of new laws, reinterpretation of existing laws, and simply a new appreciation for the unique aspects that computers bring to the courts.

Finally, the nature of information security and the inherent sensitivity therein makes ethical frameworks an additional point requiring attention. This chapter presented the IAB’s RFC on Ethics and the Internet, the Computer Ethics Institute’s Ten Commandments of Computer Ethics, and The (ISC)² Code of Ethics. The CISSP® exam will, no doubt, emphasize the Code of Ethics proffered by (ISC)², which presents an ordered set of four canons that attend to matters of the public, the individual’s behavior, providing competent service, and the profession as a whole.

Self-Test

Note:
Please see the Self-Test Appendix for explanations of all correct and incorrect answers.

  1. Which of the following would be an example of a policy statement?
    A. Protect PII by hardening servers
    B. Harden Windows 11 by first installing the pre-hardened OS image
    C. You may create a strong password by choosing the first letter of each word in a sentence and mixing in numbers and symbols
    D. Download the CISecurity Windows benchmark and apply it

  2. Which of the following describes the money saved by implementing a security control?
    A. Total Cost of Ownership
    B. Asset Value
    C. Return on Investment
    D. Control Savings

  3. According to the General Data Protection Regulation (GDPR), what is the maximum fine for a breach?
    A. €20 million or 4% of global revenue (whichever is lower)
    B. €20 million or 4% of global revenue (whichever is higher)
    C. €20 million or 4% of global profit (whichever is lower)
    D. €20 million or 4% of global profit (whichever is higher)

  4. Which of the following proves an identity claim?
    A. Authentication
    B. Authorization
    C. Accountability
    D. Auditing

  5. Which of the following protects against unauthorized changes to data?
    A. Confidentiality
    B. Integrity
    C. Availability
    D. Alteration

Use the following scenario to answer questions 6 through 8:
Your company sells Apple iPhones online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000/month. You have tested this service and believe it will mitigate the attacks.

  6. What is the Annual Rate of Occurrence in the above scenario?
    A. $20,000
    B. 40%
    C. 7
    D. $10,000

  7. What is the Annualized Loss Expectancy (ALE) of lost iPhone sales due to the DoS attacks?
    A. $20,000
    B. $8000
    C. $84,000
    D. $56,000

  8. Is the DoS mitigation service a good investment?
    A. Yes, it will pay for itself
    B. Yes, $10,000 is less than the $56,000 Annualized Loss Expectancy
    C. No, the annual Total Cost of Ownership is higher than the Annualized Loss Expectancy
    D. No, the annual Total Cost of Ownership is lower than the Annualized Loss Expectancy

  9. Which of the following steps would be taken while conducting a Qualitative Risk Analysis?
    A. Calculate the Asset Value
    B. Calculate the Return on Investment
    C. Complete the Risk Analysis Matrix
    D. Complete the Annualized Loss Expectancy

  10. What is the difference between a standard and a guideline?
    A. Standards are compulsory and guidelines are mandatory
    B. Standards are recommendations and guidelines are requirements
    C. Standards are requirements and guidelines are recommendations
    D. Standards are recommendations and guidelines are optional