Cissp Chapters

provide availability, integrity, and confidentiality protection to data and resources.

is a weakness in a system that allows a threat source to compromise its security.

is the possibility that someone or something would exploit a vulnerability, either intentionally or accidentally, and cause harm to an asset.

is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.

also called a safeguard or control, mitigates the risk.

administrative, technical, or physical and can provide deterrent, preventive, detective, corrective, or recovery protection.

is an alternative control that is put into place because of financial or business functionality reasons.

is a framework of control objectives and allows for IT governance.

is the standard for the establishment, implementation, control, and improvement of the information security management system.

series were derived from BS 7799 and are international best practices on how to develop and maintain a security program.

are used to build individual architectures that best map to individual organizational needs and business drivers.

is a coherent set of policies, processes, and systems to manage risks to information assets as outlined in ISO\ IEC 27001.

is a subset of business architecture and a way to describe current and future security processes, systems, and sub units to ensure strategic alignment.

functional definitions for the integration of technology into business processes.

is an enterprise architecture framework

is a security enterprise architecture framework.

is a governance model used to help prevent fraud within a corporate environment.

is a set of best practices for IT service management.

is used to identify defects in processes so that the processes can be improved upon.

is a maturity model that allows for processes to improve in an incremented and standard approach.

strategic alignment, business enablement, process enhancement, and security effectiveness.

technical, management, and operational.

• Uses prewritten rules and is not based on precedence. • Is different from civil (tort) laws, which work under a common law system.

Made up of criminal, civil, and administrative laws.

• Addresses mainly personal conduct and uses regional traditions and customs as the foundations of the laws. • Is usually mixed with another type of listed legal system rather than being the sole legal system used in a region.

Laws are derived from religious beliefs and address an individual's religious responsibilities; commonly used in Muslim countries or regions.

Uses two or more legal systems.

an individual's conduct that violates government laws developed to protect the public.

wrongs committed against individuals or companies that result in injury or damages. Civil law does not use prison time as a punishment, but usually requires financial restitution.

standards of performance or conduct expected by government agencies from companies, industries, and certain officials.

ownership and enables that owner to legally enforce his rights to exclude others from using the invention covered by the patent.

protects the expression of ideas rather than the ideas themselves.

protect words, names, product shapes, symbols, colors, or a combination of these used to identify products or a company. These items are used to distinguish products from the competitors' products.

deemed proprietary to a company and often include information that provides a competitive edge. The information is protected as long as the owner takes the necessary protective actions.

Crime over the Internet has brought about jurisdiction problems for law enforcement and the courts.

dictate that data collected by government agencies must be collected fairly and lawfully, must be used only for the purpose for which it was collected, must only be held for a reasonable amount of time, and must be accurate and timely.

the cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.

is a statement by management dictating the role security plays in the organization.

detailed step-by-step actions that should be followed to achieve a certain task.

rules that are compulsory in nature and support the organization's security policies.

a minimum level of security.

recommendations and general approaches that provide advice and flexibility.

a team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector.

the top down (from senior management down to the staff).

transferred, avoided, reduced, or accepted.

Total Risk

Residual Risk

1-Identify assets and assign values to them 2- Identify vulnerabilities and threats, 3- Quantify the impact of potential threats 4- Provide an economic balance between the impact of the risk and the cost of the safeguards.

1- Determining functions 2- Identifying functional failures 3- Assessing the causes of failure and their failure effects through a structured process.

detect failures that can take place within complex environments and systems.

monetary values to components within the analysis.

is not possible because qualitative items cannot be quantified with precision.

it indicates the level of confidence the team and management should have in the resulting figures.

reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.

annualized loss expectancy (SLE × ARO = ALE)

judgment and intuition instead of numbers.

the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience.

a group decision method where each group member can communicate anonymously.

detective administrative control to detect fraud.

a detective administrative control type that can help detect fraudulent activities.

no single person has total control over a critical activity or task. It is a preventative administrative control.

two aspects of separation of duties.

security management, provide support, appoint a security team, delegate responsibility, and review the team's findings.

individuals from different departments within the organization, not just technical personnel.

is a nontechnical attack carried out to manipulate a person into providing sensitive data to an unauthorized individual.

is a collection of identity-based data that can be used in identity theft and financial fraud, and thus must be highly protected.

a framework that provides oversight, accountability, and compliance.

is an international standard for information security measurement management.

is a standard for performance measurement for information security.

is the overarching approach to managing all aspects of BCP and DRP.

contains strategy documents that provide detailed procedures that ensure critical business functions are maintained and that help minimize losses of life, operations, and systems.

emergency responses, extended backup operations, and post-disaster recovery.

an enterprise-wide reach, with individual organizational units each having its own detailed continuity and contingency plans.

critical applications and provide a sequence for efficient recovery.

support for initiating the plan and final approval.

personnel turnover, reorganizations, and undocumented changes.

are not developed and used.

natural, manmade, or technical.

initiating the project; performing business impact analyses; developing a recovery strategy; developing a recovery plan; and implementing, testing, and maintaining the plan.

getting management support, developing the scope of the plan, and securing funding and resources.

one of the most important first steps in the planning development.

gathered, analyzed, interpreted, and presented to management.

the most critical elements in developing the BCP.

This is done by explaining regulatory and legal requirements, exposing vulnerabilities, and providing solutions.

the people who will actually carry them out.

all departments or organizational units.

such as the reporters, shareholders, customers, and civic officials.

quickly and honestly, and should be consistent with any other organizational response.

describes the concepts and principles of information and communication technology (ICT) readiness for business continuity.

is the standard for business continuity management (BCM).