CISSP Chapter 1 Flashcards - Quizlet

Uploaded by vivekw2001

CISSP Chapter 1, 44 terms, by dreyth

What is data sensitivity?
The quality of information that could cause harm or damage if disclosed.

What is data concealment?
Hiding data to prevent disclosure. Includes cover, obfuscation, and distraction. This is not the same as encryption.

What is data privacy?
Keeping specific data (PII) confidential so as not to expose people and their information.

How do the three points of the CIA triangle depend on each other?
Without confidentiality, you have no integrity. Without both, you cannot guarantee availability.

Which organizations prioritize some CIA points over others?
Military and government agencies tend to put confidentiality at the top. Private companies tend to put availability at the top.

What are the five elements of AAA services?
Identification
Authentication
Authorization
Auditing
Accounting

What initiates your accountability?
Providing your identity. Computers track identities/user accounts, not human subjects.

What does authorization look at?
The permissions for the subject, the object, and the intended activity, together.

What is the difference between auditing and accounting?
Auditing records actions (also called monitoring) and leaves evidence that can support prosecution.
Accounting reviews those recorded actions for compliance and violations in order to hold users accountable.

What is accountability dependent on?
A strong authentication process, because we must link actions to a human. If authentication is weak, we do not really know whether the logon was legitimate.
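The AAA chain on these cards, as an added example that is not part of the flashcard set: a subject identifies itself and authenticates, authorization checks subject, object and intended activity against an explicit permission table, every decision is audited, and an accounting pass reviews the audit trail. The account store, the permission table and the logon attempts are all constructed for illustration; the accounting step also flags any access attempted by an identity with no successful logon on record, which is the point of the last card above.

```python
"""Added example (not from the flashcards): the AAA chain as code.

Identification names a subject, authentication proves it, authorization
checks (subject, object, activity) against explicit permissions, auditing
records every decision, and accounting reviews the audit trail.
Accounts, permissions and the demo session are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so a leaked store does not yield plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed identity store: account -> (salt, password hash).
_SALT = b"constructed-salt"
ACCOUNTS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Constructed permission table: (subject, object) -> allowed activities.
PERMISSIONS = {("alice", "payroll.db"): {"read"}}


@dataclass
class System:
    # Audit entries: (kind, identity, object, activity, outcome).
    audit_log: list = field(default_factory=list)

    def authenticate(self, identity: str, password: str) -> bool:
        """Identification (the claimed identity) plus authentication (the password)."""
        rec = ACCOUNTS.get(identity)
        ok = rec is not None and hmac.compare_digest(rec[1], _hash(password, rec[0]))
        # Auditing: record the outcome, never the secret.
        self.audit_log.append(("auth", identity, "-", "-", "success" if ok else "failure"))
        return ok

    def authorize(self, subject: str, obj: str, activity: str) -> bool:
        """Authorization looks at subject, object and intended activity together."""
        ok = activity in PERMISSIONS.get((subject, obj), set())
        self.audit_log.append(("access", subject, obj, activity, "allowed" if ok else "denied"))
        return ok


def account(audit_log) -> dict:
    """Accounting: review the audit trail for violations, grouped by identity.

    An access attempt by an identity with no prior successful authentication
    cannot be tied to a human, so it is flagged separately.
    """
    findings = {}
    authenticated = set()
    for kind, identity, obj, activity, outcome in audit_log:
        if kind == "auth" and outcome == "success":
            authenticated.add(identity)
        elif kind == "access" and identity not in authenticated:
            findings.setdefault(identity, []).append(
                ("unauthenticated-access", obj, activity, outcome))
        if outcome in ("failure", "denied"):
            findings.setdefault(identity, []).append((kind, obj, activity, outcome))
    return findings


def demo() -> dict:
    """Constructed session: one bad logon, one good one, then three access attempts."""
    s = System()
    s.authenticate("alice", "wrong")              # failed logon
    s.authenticate("alice", "correct horse")      # good logon
    s.authorize("alice", "payroll.db", "read")    # allowed
    s.authorize("alice", "payroll.db", "write")   # denied
    s.authorize("mallory", "payroll.db", "read")  # never authenticated: denied and flagged
    return account(s.audit_log)


if __name__ == "__main__":
    for identity, items in demo().items():
        print(identity, items)
```

The `findings` for `mallory` show why accounting is only as good as authentication: an entry that names a subject nobody ever authenticated is a record of a request, not of a person's action.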

What is the least secure authentication method?
Passwords.

Should we layer controls in parallel or in series?
In series (defense in depth).

What is abstraction?
Grouping elements together into concepts. This lets us assign permissions to groups rather than to each element individually.

What is a business case?
A justification for a proposed project or undertaking.

Describe the different levels of an organization and how security is implemented by them.
Senior management initiates and defines security policies.
Middle management fleshes out standards, baselines, guidelines, and procedures.
Operational managers and security professionals implement the controls.
End users comply with it all.

Whose responsibility is security management?
Upper management's, not the IT staff's. It is a business operations issue. The InfoSec team should be autonomous.

What does every organization's security plan need?
Approval of and commitment to it by senior management. It is up to the policy development team to educate management on why it is needed.

What are strategic, tactical, and operational plans?
Long-, medium-, and short-term plans: about 5 years, about 1 year, and day to day.
Strategic plans define the organization's security purpose and align it with the company's goals. Updated yearly.
Tactical plans include projects, budgeting, and development plans. Can be ad hoc in response to unexpected events.
Operational plans include scheduling, hiring, product designs, etc. Highly detailed.

How can acquisitions and mergers pose security risks?
Data can be lost, co-mingled, or disclosed. In addition, downtime can occur that takes away from availability.

Why is change management important?
Changes can introduce loopholes or oversights leading to new vulnerabilities or damage to the CIA triangle.

What is the main goal of change management? What is its primary purpose?
Ensuring changes do not lead to compromised security. It also provides rollback procedures. Its primary purpose is to provide documentation of changes for review and scrutiny by management.

What is a parallel run?
A change management test that exercises functionality on the new and old systems simultaneously to check that the new system supports all required business functionality.

What is the purpose of data classification?
Don't put too much effort into protecting what doesn't need much protection, and vice versa. This leads to efficiency. Data can be put into groups so that security controls are easier to apply.

What are the seven steps to implement a classification scheme?
1. Identify the custodian and his responsibilities.
2. Specify evaluation criteria.
3. Classify and label based on the criteria.
4. Document exceptions to the classification and integrate them into the evaluation criteria.
5. Select security controls for each classification.
6. Specify procedures to declassify data or to transfer custody to an external entity.
7. Create an organizational awareness plan and instruct everyone about the classification system.

What are the five government data classifications?
Top Secret
Secret
Confidential
Sensitive but Unclassified
Unclassified

What are the four business data classifications?
Confidential or Proprietary
Private
Sensitive
Public

In a business data classification scheme, what's the main difference between confidential and private data?
Both usually require the same security controls. However, confidential data is usually company information, while private data is individual information, like medical records.

What are the six general security roles in an organization?
Senior manager - Signs off on security policies. Ultimately responsible.
Security professional - Designs and implements security solutions based on the policies.
Data owner - Classifies data and is responsible for its protection.
Data custodian - Follows the data owner's policies and does the actual work of backing up, verifying, and restoring data.
User - Anyone using IT in the company. Restricted by the principle of least privilege. Must understand the security policies.
Auditor - Reviews policies and their implementation, checks whether they are being followed, and produces compliance reports.

What are the five principles COBIT has for governance and enterprise management?
1. Meeting stakeholder needs
2. Covering the enterprise end to end
3. Applying a single, integrated framework
4. Enabling a holistic approach
5. Separating governance from management

What's the difference between due care and due diligence? Why are these important?
Due care is using reasonable care to protect the interests of the company; due diligence is practicing the activities that maintain that care.
Management must perform due care and due diligence to disprove negligence in case of a loss.

What are the four levels of formal documentation for security in an organization? What does each discuss?
Policies - Define the scope of the security needed. Also used to assign roles, responsibilities, and audit requirements. Explain why security is important in the company and which assets are valuable. Define acceptable risk.
Standards - Define mandatory requirements for IT systems and homogenize them. Baselines ensure all systems meet a minimum security level; baselines may be based on standards such as ITSEC, TCSEC, or NIST.
Guidelines - Flexible. They recommend how standards and baselines should be implemented. These are not compulsory.
Procedures - Detailed step-by-step instructions on how to implement security controls or solutions. If everyone follows the procedures, everyone will act securely.

Should the different levels of documentation in a company be combined into one? Why?
No. The security policies, standards, baselines, guidelines, and procedures should be kept as separate documents. Not every user needs to know every single procedure, and keeping them separate makes it easier to enact changes.

What are the three overall categories of security policies?
Advisory - Discusses the behavior and activities that are acceptable. Defines consequences for violations. Explains senior management's desire for security and compliance.
Regulatory - Required when industry or legal standards apply to your company.
Informative - Provides information on company goals and mission statements, and provides background information relevant to specific pieces of the overall policy.

Who does a security policy assign roles to?
No individual in particular. The policy does not define who is to do what, but rather what must be done by the various roles in the company.

What is threat modeling?
The process in which potential threats are identified, categorized, and analyzed.

What is the defensive (proactive) approach to threat modeling?
Predicting threats during design and building the defenses against them into your code. Not all threats can be predicted, though.

What is the adversarial (reactive) approach to threat modeling?
Building and deploying the product, then finding and dealing with the security issues in it. This is the whole point behind ethical hacking/penetration testing, source code review, etc.

What might the analysis of a threat entail if the threat is a human and not a natural event?
As an example, figure out what a hacker may want to do to your website, that is, his motives. Just disable it? Steal credit card information? Etc.

What is STRIDE? What does it stand for?
A threat modeling guide that helps you categorize threats.
Spoofing
Tampering (ruins the integrity of information)
Repudiation (deleting evidence, blaming someone else)
Information Disclosure
Denial of Service
Elevation of Privilege

What is architecture diagramming for?
It lets you see, at a high level, how data flows between users, servers, and applications. Useful for mapping out how you want to protect that data.

What should be identified in an architecture diagram?
After the diagram is crafted, label the technologies, including each OS, application, and protocol. Include version numbers and patch levels.
Then identify the attacks that could happen to each target (of all kinds: physical, social, technical, etc.).

What is reduction analysis?
Decomposing an application, system, or environment in order to understand its logic and how it interacts with external components.

What are the five key concepts in reduction analysis or decomposition?
Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations (any activity requiring escalated privileges)
Details about security stance and approach

What is the DREAD system?
Used in threat modeling to help you decide on a level of risk. Each threat is scored on five factors:
Damage potential
Reproducibility (can the attackers do it over and over?)
Exploitability (how hard is it to perform the attack?)
Affected users
Discoverability (how hard is it to discover the weakness?)
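The threat modeling steps on the cards above (architecture diagram, reduction analysis, STRIDE, DREAD), as one added worked example that is not part of the flashcard set: a small data-flow model of a browser, a web application and a database, reduction analysis that treats every flow crossing a trust boundary as an input point and every element running with escalated privileges as a privileged operation, STRIDE categories attached to each finding, and DREAD scores (five factors, each 1 to 10, averaged) used to rank the threats. The system, the version labels, the threats and every score are constructed for illustration; the DREAD scale and averaging are assumptions about how a team would apply the rubric, not something the cards specify.

```python
"""Added example (not from the flashcards): a small threat model in code.

Architecture diagram -> reduction analysis (trust-boundary crossings are
input points, privileged elements are privileged operations) -> STRIDE
category per finding -> DREAD score per threat -> ranked list.
The system, threats and scores below are constructed for illustration.
"""
from dataclasses import dataclass

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")


@dataclass(frozen=True)
class Element:
    name: str                  # labelled with technology and version
    zone: str                  # trust zone, e.g. "internet", "dmz", "internal"
    privileged: bool = False   # performs privileged operations


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    protocol: str


@dataclass
class Threat:
    target: str
    category: str     # one of STRIDE
    dread: tuple      # (damage, reproducibility, exploitability, affected users, discoverability)

    def __post_init__(self):
        # Reject categories outside STRIDE and scores outside the assumed 1..10 scale.
        if self.category not in STRIDE:
            raise ValueError(f"not a STRIDE category: {self.category}")
        if len(self.dread) != 5 or not all(1 <= x <= 10 for x in self.dread):
            raise ValueError("DREAD needs five scores in 1..10")

    @property
    def rating(self) -> float:
        # Assumed convention: the DREAD rating is the mean of the five scores.
        return sum(self.dread) / 5


def input_points(flows):
    """Reduction analysis: a flow that crosses a trust boundary is an input point."""
    return [f for f in flows if f.src.zone != f.dst.zone]


def privileged_operations(elements):
    return [e for e in elements if e.privileged]


def rank(threats):
    return sorted(threats, key=lambda t: t.rating, reverse=True)


# Constructed architecture diagram: browser -> web app -> database.
browser = Element("browser", "internet")
webapp = Element("webapp (nginx 1.24 + app)", "dmz")
db = Element("postgres 15", "internal", privileged=True)
ELEMENTS = [browser, webapp, db]
FLOWS = [Flow(browser, webapp, "HTTPS"), Flow(webapp, db, "TCP/5432")]


def build_threats(flows, elements):
    """Attach STRIDE threats to each input point and privileged element, then rank."""
    threats = []
    for f in input_points(flows):
        target = f"{f.src.name} -> {f.dst.name} ({f.protocol})"
        threats.append(Threat(target, "Tampering", (7, 8, 6, 9, 7)))
        threats.append(Threat(target, "Spoofing", (6, 5, 5, 8, 6)))
    for e in privileged_operations(elements):
        threats.append(Threat(e.name, "Elevation of privilege", (10, 3, 3, 10, 2)))
    return rank(threats)


if __name__ == "__main__":
    for t in build_threats(FLOWS, ELEMENTS):
        print(f"{t.rating:4.1f}  {t.category:24s} {t.target}")
```

Both flows in the constructed diagram cross a trust boundary (internet to DMZ, DMZ to internal), so both become input points; the database is the only privileged element. Changing a zone label or a score and re-running shows how the ranking moves, which is the point of keeping the model in a form a reviewer can diff.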
