Cism Notes 2024

The document outlines the structure and content of an information security exam, detailing its domains, question format, and scoring. It covers key concepts in information security governance, risk management, and program development, including security frameworks, data classification, and incident management. Additionally, it discusses various security controls, cryptography, and cloud service models, emphasizing the importance of aligning security strategies with business objectives.

Domain 1 – Information Security Governance (17%)
Domain 2 – Information Security Risk Management (20%)
Domain 3 – Information Security Program (33%)
Domain 4 – Incident Management (30%)

Exam Questions
 4 hours (240 minutes), 150 multiple choice questions
 Scaled score from 200 to 800; 450 is the passing mark
 1.6 minutes per question
 Every question has a stem (question) and four options (answer choices).
 Choose the correct or best answer from the options.
 The stem may be in the form of a question or an incomplete statement.
 An exam question may require you to choose the appropriate answer based on a qualifier, such as FIRST, MOST likely or BEST. There may be two right answers, so pick the BEST option.
 Read the question carefully, eliminate known incorrect answers and then make the best choice possible.
 Answer questions from a business risk perspective, rather than a technical solution or control.
Domain 1: Information Security Governance
CIA Triad
The three main goals of information security are:
 Confidentiality prevents unauthorized disclosure
 Integrity prevents unauthorized alteration
 Availability ensures authorized access
Security Strategy and SWOT Analysis
Security activities must be aligned with business strategy,
mission, goals, and objectives. This requires strategic,
tactical, and operational planning.
SWOT analysis identifies the strengths, weaknesses,
opportunities, and threats facing an organization, typically laid
out in a grid:

Gap Analysis
A gap analysis compares the current state of security controls
to a benchmark and identifies any areas of deviation.
Security Frameworks
Security frameworks provide templates for security
activities. These include COBIT, NIST CSF, and ISO 27001/2.
Due Care and Due Diligence
Due care is taking reasonable steps to protect the interest of the
organisation. Due diligence ensures those steps are carried
out.
Security Governance
Security governance is carried out through
 Policies which state high-level objectives (mandatory
compliance).
 Standards which state detailed technical requirements
(mandatory compliance).
 Procedures which provide step-by-step processes
(mandatory compliance).
 Guidelines which offer advice and best practices
(optional compliance).
For the security policy framework to be successful, it must have
the support of senior leadership and other stakeholders.

Security Strategy
Security is a constant balancing act
between usability and control. Managers must constantly
make trade-offs to allow the organization to achieve both
security and business objectives.
Every organization has a risk tolerance (or risk appetite)
that describes how much risk the organization is willing to
accept. Understanding this tolerance, whether it is explicit or
implicit, is crucial to finding the correct balance for security
activities.
Key influences on security strategy include:
 Business environment
 Emerging technologies
 Social media
 Regulatory requirements
 Threat landscape
Security baselines, such as NIST SP 800-53, provide a
standardized set of controls that an organization may use as a
benchmark.

Typically, organizations don’t adopt a baseline standard wholesale, but instead tailor a baseline to meet their specific security requirements.
Information should be classified based upon its sensitivity to the organization.
Common classes of sensitive information include:
 Personally identifiable information (PII) which uniquely identifies individuals.
 Protected health information (PHI) which includes individual health records.
 Proprietary information which contains trade secrets.
Data Classification
 Data at Rest – Data stored on a system or media
device
 Data in Motion – Data in transit over a network
 Data in Use – Data being actively processed in memory
Information Classification
Information should be labeled with its classification and security
controls should be defined and appropriate for each
classification level.

Collect only data that is necessary for legitimate business purposes. This is known as data minimization.
 Data Owner – Senior-level executive who establishes
rules and determines controls
 Data Steward – Individual who handles day-to-day
data governance activity. Designated by the data owner.
 Data Custodian – IT staff members responsible for the
storage and processing of information.
 Key Performance Indicator (KPI) – Measures the
success of the security program.
 Key Goal Indicator (KGI) – Measures progress toward
defined goals
 Key Risk Indicator (KRI) – Measures risk on a forward-
looking basis.
Budgets are forward-looking financial plans. As budgets are
revised each year, they may be approached in two ways:
 Incremental budgeting starts with the prior years’
budget and adjusts upward or downward
 Zero-based budgeting starts with a blank slate
each year
Fiscal years are the 12-month periods used for financial
reporting and may differ from the standard calendar year for
any organization.
Expenses come in two primary forms:
 Capital expenses involve fixed-cost investments in major assets
 Operational expenses cover the day-to-day costs of running the organization
Authentication, authorization, and accounting
Authorization and authentication are two distinct concepts in the realm of security and access control. While they are related, they serve different purposes.

Authentication: Authentication is the process of verifying the identity of a user or entity. It ensures that the user is who they claim to be before granting them access to a system, application, or resource. Authentication typically involves the use of credentials, such as usernames and passwords, biometric information, security tokens, or digital certificates. The goal of authentication is to establish trust and validate the identity of the user or entity requesting access.

Authorization: Authorization, on the other hand, occurs after authentication and involves granting or denying access rights and permissions to authenticated users or entities. Once a user’s identity is verified, authorization determines what actions, resources, or information they are allowed to access. It involves defining and enforcing access controls based on roles, privileges, and permissions assigned to individual users or groups. Authorization ensures that users have appropriate privileges to perform specific actions or access certain resources within the system or application.

Domain 2: Information Risk Management

Assets should be classified according to their own criticality and sensitivity as well as the classification of the information that they store, process, and transmit. These asset classifications ensure that measures taken to protect assets are proportional to their business value.

Risks are the combination of a threat and a corresponding vulnerability.
Quantitative risk assessment uses the following formulas:
 Single Loss Expectancy (SLE) = AssetValue * ExposureFactor
 Annualized Loss Expectancy (ALE) = AnnualizedRateOfOccurrence (ARO) * SLE
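The two formulas worked through on a small risk register. This is an added example, not part of the original notes: the register entries, asset values, exposure factors and rates are constructed, and the final cost-benefit check (ALE removed minus annual control cost) goes one step beyond the notes to show how ALE is used to justify a control.

```python
"""Quantitative risk assessment with the SLE and ALE formulas.

Added example, not part of the original notes. The risk register below is
constructed; asset values, exposure factors and rates are illustrative only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of the asset value lost in one event (0.0 to 1.0)
    aro: float              # ARO: expected number of events per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AssetValue * ExposureFactor (loss from a single event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = AnnualizedRateOfOccurrence * SLE (expected loss per year)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return aro * single_loss_expectancy(asset_value, exposure_factor)


def risk_ale(risk: Risk) -> float:
    return annualized_loss_expectancy(risk.asset_value, risk.exposure_factor, risk.aro)


def rank_by_ale(risks):
    """Highest expected annual loss first: a common way to prioritise risk treatment."""
    return sorted(risks, key=risk_ale, reverse=True)


def net_benefit_of_control(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Cost-benefit check (beyond the notes): a control is worth funding when the
    ALE it removes exceeds what it costs to run each year."""
    return (ale_before - ale_after) - annual_control_cost


# Constructed register for the demonstration.
RISK_REGISTER = [
    Risk("Ransomware on the file server", asset_value=500_000, exposure_factor=0.4, aro=0.5),
    Risk("Laptop theft", asset_value=2_000, exposure_factor=1.0, aro=3.0),
    Risk("Data centre flood", asset_value=2_000_000, exposure_factor=0.75, aro=0.02),
]


if __name__ == "__main__":
    for risk in rank_by_ale(RISK_REGISTER):
        sle = single_loss_expectancy(risk.asset_value, risk.exposure_factor)
        print(f"{risk.name:32s} SLE={sle:>12,.0f}  ALE={risk_ale(risk):>10,.0f}")
    # Assumed mitigation: a control costing 20,000 per year cuts the ransomware ARO from 0.5 to 0.1.
    before = risk_ale(RISK_REGISTER[0])
    after = annualized_loss_expectancy(500_000, 0.4, 0.1)
    print("net benefit of the control:", net_benefit_of_control(before, after, 20_000))
```

Ranking by ALE rather than by SLE is the point of the annualized figure: the flood has the largest single loss but, being rare, sits below ransomware in expected annual cost.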
Responses to a risk include:
 Avoid risk by changing business practices
 Mitigate risk by implementing controls
 Accept risk and continue operations
 Transfer risk through insurance or contract
Security tests verify that a control is functioning properly. Security assessments are comprehensive reviews of the security of a system, application, or other tested environment. Security audits use testing and assessment techniques but are performed by independent auditors. There are three types of security audits:
 Internal audits are performed by an organization’s internal audit staff, normally led by a Chief Audit Executive who reports directly to the CEO.
 External audits are performed by an outside auditing firm.
 Third-party audits are conducted by, or on behalf of, another organization, such as a regulator.
Organizations that provide services to other organizations may conduct audits under SSAE 16. These engagements produce two different types of reports:
 Type I reports provide a description of the controls in place, as described by the audited organization, and the auditor’s opinion on whether the controls described are sufficient. The auditor does not test the controls.
 Type II reports result when the auditor actually tests the controls and provides an opinion on their effectiveness.
COBIT, ISO 27001, and ISO 27002 are commonly used standards for cybersecurity audits.
Vulnerability assessments seek to identify known deficiencies in systems and applications.

Network discovery scanning uses tools like nmap to check for active systems and open ports. Common scanning techniques include:
 TCP SYN scans send a single packet with the SYN flag set.
 TCP Connect scans attempt to complete the three-way handshake.
 TCP ACK scans seek to impersonate an established connection.
 Xmas scans set the FIN, PSH, and URG flags.
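Seen from the defender's side, the flag combinations above are also what a monitoring team looks for in firewall or IDS logs. The following added example (not from the original notes) classifies constructed log records by probe type and reports sources that touch many distinct ports with the same probe; the record format and the port threshold are assumptions for the demonstration.

```python
"""Classify TCP probes by flag combination and flag likely port scans.

Added example, not from the original notes. Input records are constructed in a
firewall-log style: (source, destination, destination port, TCP flags).
"""
from collections import defaultdict

# Constructed records. Note that a TCP Connect scan completes the handshake and
# therefore looks like ordinary connections at the flag level; only the number
# of distinct ports gives it away, which is why the summary counts ports.
RECORDS = [
    ("10.0.0.5", "10.0.1.10", 22, "SYN"),
    ("10.0.0.5", "10.0.1.10", 25, "SYN"),
    ("10.0.0.5", "10.0.1.10", 80, "SYN"),
    ("10.0.0.5", "10.0.1.10", 443, "SYN"),
    ("10.0.0.5", "10.0.1.10", 3306, "SYN"),
    ("10.0.0.5", "10.0.1.10", 8080, "SYN"),
    ("10.0.0.9", "10.0.1.10", 21, "FIN,PSH,URG"),
    ("10.0.0.9", "10.0.1.10", 22, "FIN,PSH,URG"),
    ("10.0.0.9", "10.0.1.10", 23, "FIN,PSH,URG"),
    ("10.0.0.9", "10.0.1.10", 25, "FIN,PSH,URG"),
    ("10.0.0.9", "10.0.1.10", 53, "FIN,PSH,URG"),
    ("10.0.0.9", "10.0.1.10", 80, "FIN,PSH,URG"),
    ("10.0.0.9", "10.0.1.10", 110, "FIN,PSH,URG"),
    ("192.168.1.20", "10.0.1.10", 443, "SYN"),       # an ordinary client opening one connection
    ("192.168.1.20", "10.0.1.10", 443, "ACK"),
    ("192.168.1.20", "10.0.1.10", 443, "PSH,ACK"),
    ("10.0.0.7", "10.0.1.10", 80, "ACK"),            # two ACK probes: below the threshold
    ("10.0.0.7", "10.0.1.10", 22, "ACK"),
]

# Flag sets that match the scan techniques described in the notes.
PROBE_TYPES = {
    frozenset({"SYN"}): "syn",                # SYN only, handshake never completed
    frozenset({"ACK"}): "ack",                # bare ACK pretending to be established
    frozenset({"FIN", "PSH", "URG"}): "xmas",  # Xmas scan
}


def classify_probe(flags: str):
    """Map a comma-separated flag string to a probe type, or None if it is not one."""
    flag_set = frozenset(f.strip().upper() for f in flags.split(",") if f.strip())
    return PROBE_TYPES.get(flag_set)


def scan_summary(records, port_threshold: int = 5) -> dict:
    """Return {(source, probe_type): distinct_ports} for sources at or above the threshold.

    The threshold is an assumption: a legitimate client sends a SYN to one or two
    ports, a scanner to many. Tune it to the environment to control false positives.
    """
    ports_by_source = defaultdict(set)
    for src, _dst, port, flags in records:
        kind = classify_probe(flags)
        if kind is not None:
            ports_by_source[(src, kind)].add(port)
    return {key: len(ports) for key, ports in ports_by_source.items() if len(ports) >= port_threshold}


if __name__ == "__main__":
    for (src, kind), count in scan_summary(RECORDS).items():
        print(f"{src}: {kind} scan across {count} ports")
```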
Network vulnerability scanning first discovers active
services on the network and then probes those services for
known vulnerabilities. Web application vulnerability
scans use tools that specialize in probing for web application
weaknesses.
The vulnerability management workflow includes three basic
steps: detection, remediation, and validation.
Penetration testing goes beyond vulnerability scanning and
attempts to exploit vulnerabilities. It includes five steps:
Business continuity planning conducts a business impact
assessment and then implements controls designed to keep
the business running during adverse
circumstances.
Backups provide an important disaster recovery control. Remember that there are three major categories of backup:
 Full Backup copies all files on a system.
 Differential Backup copies all files on a system that have changed since the most recent full backup.
 Incremental Backup copies all files on a system that have changed since the most recent full or incremental backup.
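The trade-off between the three backup types (how much is copied each day versus how many sets a restore must read) is easiest to see by simulating it. This is an added example, not from the original notes; the four-day file history is constructed and files are modelled as path/version pairs, so nothing on disk is touched.

```python
"""Simulate full, differential and incremental backups on a constructed file history.

Added example, not from the original notes. A file state is a mapping of
path -> version number; a version change means the file was modified.
"""


def changed_files(current: dict, reference: dict) -> set:
    """Paths that are new or whose version differs from the reference snapshot."""
    return {path for path, version in current.items() if reference.get(path) != version}


class BackupSchedule:
    def __init__(self):
        self.full_ref = None   # state captured by the most recent full backup
        self.chain_ref = None  # state captured by the most recent full OR incremental backup
        self.history = []      # (kind, set of copied paths), in order

    def full(self, state: dict) -> set:
        copied = set(state)
        self.full_ref = dict(state)
        self.chain_ref = dict(state)
        self.history.append(("full", copied))
        return copied

    def differential(self, state: dict) -> set:
        # Everything changed since the last full. The reference is NOT advanced,
        # so each differential grows until the next full backup.
        copied = changed_files(state, self.full_ref)
        self.history.append(("differential", copied))
        return copied

    def incremental(self, state: dict) -> set:
        # Only what changed since the last full or incremental; the chain reference advances.
        copied = changed_files(state, self.chain_ref)
        self.chain_ref = dict(state)
        self.history.append(("incremental", copied))
        return copied

    def sets_needed_to_restore(self) -> int:
        """How many backup sets a restore of the latest state must read."""
        last_full = max(i for i, (kind, _) in enumerate(self.history) if kind == "full")
        kinds_after = [kind for kind, _ in self.history[last_full + 1:]]
        if len(set(kinds_after)) > 1:
            raise ValueError("mixing differential and incremental backups is not modelled")
        if not kinds_after:
            return 1                    # the full backup alone
        if kinds_after[0] == "differential":
            return 2                    # full + most recent differential
        return 1 + len(kinds_after)     # full + every incremental since the full


# Constructed four-day history: day 0 is the baseline, later days change one file each.
DAYS = [
    {"a.txt": 1, "b.txt": 1, "c.txt": 1},
    {"a.txt": 2, "b.txt": 1, "c.txt": 1},   # a modified
    {"a.txt": 2, "b.txt": 2, "c.txt": 1},   # b modified
    {"a.txt": 3, "b.txt": 2, "c.txt": 1},   # a modified again
]


def simulate(strategy: str):
    """Full backup on day 0, then the chosen strategy on later days.
    Returns (files copied per day, backup sets needed to restore the last day)."""
    schedule = BackupSchedule()
    copied = [len(schedule.full(DAYS[0]))]
    for state in DAYS[1:]:
        if strategy == "differential":
            copied.append(len(schedule.differential(state)))
        elif strategy == "incremental":
            copied.append(len(schedule.incremental(state)))
        else:
            raise ValueError("strategy must be 'differential' or 'incremental'")
    return copied, schedule.sets_needed_to_restore()


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        print(strategy, simulate(strategy))
```

Differential backups copy more each day but restore from two sets; incremental backups copy the least but a restore must replay every set since the full, so the loss of any one set in the chain breaks the restore.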
Disaster recovery sites fit into three major categories:

Disaster recovery plans require testing. There are five major test
types:

Domain 3: Information Security Program Development and Management
Security Controls Categorization
Security controls are categorized by their purpose
as preventive, detective, or corrective controls. They are
also categorized by their mechanism of action as technical,
physical, or administrative controls. Controls may overlap
these categories.
 Purpose-Based Categorization: Preventive, Detective,
Corrective Controls
 Mechanism-Based Categorization: Technical, Physical,
Administrative Controls
 Overlapping Categories of Controls
Purpose-Based Categorization: Preventive, Detective, Corrective
Controls
 Preventive Controls: These controls are designed to
prevent security incidents from occurring. They include
measures such as access controls, security awareness
training, and security policies.
 Detective Controls: These controls are focused on
detecting security incidents or breaches that have
occurred. Examples include intrusion detection systems,
security monitoring tools, and log analysis.
 Corrective Controls: These controls are implemented to
correct or mitigate the effects of a security incident.
They include activities such as incident response,
disaster recovery planning, and system restoration.
Mechanism-Based Categorization: Technical, Physical,
Administrative Controls
 Technical Controls: These controls involve the use of
technology to enforce security policies and protect
information assets. Examples include firewalls,
encryption, antivirus software, and intrusion prevention
systems.
 Physical Controls: These controls are physical measures
put in place to secure physical assets and facilities.
Examples include locks, access control systems,
surveillance cameras, and biometric authentication
systems.
 Administrative Controls: These controls involve policies,
procedures, and organizational practices to manage
security risks. Examples include security awareness
training, security governance frameworks, risk
assessments, and incident response plans.
Cryptography
Cryptography is one of the primary controls used to achieve
security objectives. Encryption transforms plaintext data into
ciphertext, while decryption reverses the process, turning
ciphertext back into plaintext.
The two basic cryptographic operations are substitution, which modifies characters, and transposition, which moves them around.
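The two operations in toy form, as an added example that is not part of the original notes: a shift substitution and a columnar transposition. The ciphers are for illustration only and are assumed to be textbook classical constructions, not anything used in practice; the check at the end shows why each operation alone is weak (substitution leaves letter frequencies intact, transposition leaves the letters themselves intact), which is why modern ciphers such as AES combine many rounds of both.

```python
"""Substitution and transposition, the two basic cryptographic operations.

Added example, not from the original notes. Toy classical ciphers only.
"""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase


def substitute(text: str, shift: int) -> str:
    """Substitution: replace each letter with the one `shift` places along the alphabet."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # non-letters pass through unchanged
    return "".join(out)


def unsubstitute(text: str, shift: int) -> str:
    return substitute(text, -shift)


def transpose(text: str, columns: int, pad: str = "X") -> str:
    """Transposition: write the text row by row into `columns` columns, read it out column by column."""
    if columns < 1:
        raise ValueError("columns must be at least 1")
    text = text.upper().replace(" ", "")
    if len(text) % columns:
        text += pad * (columns - len(text) % columns)
    return "".join(text[c::columns] for c in range(columns))


def untranspose(text: str, columns: int) -> str:
    if len(text) % columns:
        raise ValueError("ciphertext length is not a multiple of the column count")
    rows = len(text) // columns
    cols = [text[i * rows:(i + 1) * rows] for i in range(columns)]
    return "".join(cols[c][r] for r in range(rows) for c in range(columns))


def letter_histogram(text: str) -> list:
    """Sorted letter counts, ignoring which letter has which count."""
    return sorted(Counter(ch for ch in text.upper() if ch in ALPHABET).values())


if __name__ == "__main__":
    pt = "ATTACKATDAWN"
    print(substitute(pt, 3), transpose(pt, 4))
    # Substitution keeps the frequency profile; transposition keeps the exact letters.
    print(letter_histogram(pt) == letter_histogram(substitute(pt, 3)))
    print(sorted(transpose(pt, 4)) == sorted(pt))
```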
Cryptography is the practice of securing data through encryption
and decryption techniques. It plays a crucial role in achieving
security objectives. Here are some key aspects of cryptography:

 Encryption and Decryption: Encryption transforms


plaintext data into ciphertext using an encryption
algorithm, while decryption reverses the process,
converting ciphertext back into plaintext using a
decryption algorithm.
 Basic Cryptographic Operations: Cryptographic
operations involve substitution and transposition.
Substitution modifies characters, while transposition
moves them around, providing additional security.
 Symmetric Encryption: Symmetric encryption uses the
same shared secret key for both encryption and
decryption processes. It is efficient for bulk data
encryption but requires secure key management.
 Asymmetric Encryption: Asymmetric encryption, also
known as public-key cryptography, involves the use of
public and private key pairs. Each user has their own
key pair. Anything encrypted with one key from the pair
can only be decrypted using the other key from that
same pair. It provides secure key exchange and enables
digital signatures.
 Secure Symmetric Algorithms: Some commonly used
secure symmetric encryption algorithms include 3DES,
AES (Advanced Encryption Standard), IDEA, and
Blowfish. DES (Data Encryption Standard) is considered
insecure due to its key length.
 Secure Asymmetric Algorithms: Secure asymmetric
encryption algorithms include RSA, El Gamal, and elliptic
curve cryptography (ECC). These algorithms provide
strong security for key exchange, digital signatures, and
encryption.
 Diffie-Hellman Algorithm: The Diffie-Hellman algorithm is
a key exchange protocol used to securely exchange
symmetric keys over an insecure channel. It enables
secure communication between parties without prior
shared secrets.
 Hash Functions: Hash functions are one-way functions
that produce a unique fixed-size hash value (digest) for
each input. They are used for data integrity, password
storage, and digital signatures. Hash functions cannot
be reversed to obtain the original data.
 Digital Certificates: Digital certificates use the X.509
standard and contain a copy of an entity’s public key.
They are digitally signed by a certificate authority (CA)
to establish trust. Digital certificates are widely used in
secure communication protocols such as Transport
Layer Security (TLS) and Secure Sockets Layer (SSL).
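The Diffie-Hellman exchange and the one-way hash described above, carried through with real arithmetic. This is an added example, not from the original notes: the group parameters p = 23 and g = 5 are textbook toy values chosen so the numbers can be checked by hand (an assumption for illustration; deployments use a standardised group with a prime of 2048 bits or more), and the final function shows why that size matters by recovering the toy private key by exhaustive search.

```python
"""Diffie-Hellman key agreement, hash-based key derivation and the one-way property.

Added example, not from the original notes. p = 23, g = 5 are toy parameters.
"""
import hashlib
import secrets

P, G = 23, 5  # toy group parameters (assumption for illustration only)


def dh_public(private: int, p: int = P, g: int = G) -> int:
    """Public value g^private mod p; safe to send over an insecure channel."""
    return pow(g, private, p)


def dh_shared(their_public: int, private: int, p: int = P) -> int:
    """Shared secret their_public^private mod p; both parties obtain the same value."""
    return pow(their_public, private, p)


def derive_key(shared: int, length: int = 16) -> bytes:
    """Turn the agreed integer into symmetric key bytes with a one-way hash (SHA-256)."""
    width = max(1, (shared.bit_length() + 7) // 8)
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()[:length]


def run_exchange(alice_private=None, bob_private=None):
    """Both sides publish g^x and each derives the same key without ever sending the secret."""
    a = alice_private if alice_private is not None else secrets.randbelow(P - 2) + 1
    b = bob_private if bob_private is not None else secrets.randbelow(P - 2) + 1
    alice_public, bob_public = dh_public(a), dh_public(b)
    key_alice = derive_key(dh_shared(bob_public, a))
    key_bob = derive_key(dh_shared(alice_public, b))
    return alice_public, bob_public, key_alice, key_bob


def brute_force_private(public: int, p: int = P, g: int = G) -> int:
    """Recover a private exponent by trying every candidate.
    Trivial for p = 23; infeasible for a properly sized prime, which is the whole security argument."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    raise ValueError("no exponent found")


def sha256_hex(data: bytes) -> str:
    """Fixed-size digest: any change to the input gives an unrelated digest, and it cannot be reversed."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    A, B, ka, kb = run_exchange(6, 15)
    print("public values:", A, B, "keys match:", ka == kb)
    print("toy private key recovered by search:", brute_force_private(A))
    print(sha256_hex(b"abc"))
    print(sha256_hex(b"abd"))
```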
Encryption and Decryption
Symmetric encryption uses the same shared secret key for encryption and decryption.
In asymmetric encryption, users each have their own public/private keypair. Keys are used as follows: anything encrypted with one key from a pair may only be decrypted with the other key from that same pair.
Secure symmetric algorithms include 3DES, AES, IDEA, and Blowfish. DES is not secure.
Secure asymmetric algorithms include RSA, El Gamal, and elliptic curve (ECC).
The Diffie-Hellman algorithm may be used for secure exchange of symmetric keys.
Hashes are one-way functions that produce a unique value for every input and cannot be reversed.
Digital certificates use the X.509 standard and contain a copy of an entity’s public key. They are digitally signed by a certificate authority (CA).
Transport Layer Security (TLS) is the replacement for Secure Sockets Layer (SSL) and uses public key cryptography to exchange a shared secret key used to secure web traffic and other network communications.

Two serious issues can occur when users are granted limited
access to information in databases or other repositories.
Aggregation attacks occur when a user is able to summarize
individual records to detect trends that are confidential.
Inference attacks occur when a user is able to use several
innocuous facts in combination to determine, or infer, more
sensitive information.

DNS converts between IP addresses and domain names. ARP converts between MAC addresses and IP addresses. NAT converts between public and private IP addresses.

Wireless networks should be secured using WPA or WPA2 encryption, not WEP.

Network switches generally work at layer 2 and connect directly to endpoints or other switches. Switches may also create virtual LANs (VLANs) to further segment internal networks at layer 2. Routers generally work at layer 3 and connect networks to each other. Firewalls are the primary network security control used to separate networks of differing security levels.

When deploying services in the cloud, organizations may choose from three major cloud strategies:
 Software-as-a-Service (SaaS) deploys entire applications to the cloud. The customer is only responsible for supplying data and manipulating the application.
 Infrastructure-as-a-Service (IaaS) sells basic building blocks, such as servers and storage. The customer manages the operating system and configures and installs software.
 Platform-as-a-Service (PaaS) provides the customer with a managed environment to run their own software without concern for the underlying hardware.
Most Virtual Private Networks (VPN) use either TLS or IPsec. IPsec uses Authentication Headers (AH) to provide authentication, integrity and nonrepudiation and Encapsulating Security Payload (ESP) to provide confidentiality.

Cloud services may be built and/or purchased in several forms:
 Public cloud providers sell services to many different customers and many customers may share the same physical hardware.
 Private cloud environments dedicate hardware to a single user.
 Hybrid cloud environments combine elements of public and private cloud in a single organization.
 Community cloud environments use a model similar to the public cloud but with access restricted to a specific set of customers.
Access Control and Attacks
Access control refers to the mechanisms and techniques used to
limit and control access to information resources and systems.
Here are key aspects related to access control and attacks:
 Aggregation Attacks: Aggregation attacks occur when a
user can summarize individual records to detect trends
that should remain confidential. These
The core activities of identity and access management are:
 Identification where a user makes a claim of identity.
 Authentication where the user proves the claim of identity.
 Authorization where the system confirms that the user is permitted to perform the requested action.
In access control systems, we seek to limit the access that subjects (e.g. users, applications, processes) have to objects (e.g. information resources, systems).
Access controls work in three different fashions:
 Technical (or logical) controls use hardware and software mechanisms, such as firewalls and intrusion prevention systems, to limit access.
 Physical controls, such as locks and keys, limit physical access to controlled spaces.
 Administrative controls, such as account reviews, provide management of personnel and business practices.
Multifactor authentication systems combine authentication technologies from two or more of the following categories:
 Something you know (Type 1 factors) rely upon secret information, such as a password.
 Something you have (Type 2 factors) rely upon physical possession of an object, such as a smartphone.
 Something you are (Type 3 factors) rely upon biometric characteristics of a person, such as a face scan or fingerprint.
Authentication technologies may experience two types of errors.
False positive errors occur when a system accepts an invalid
user as correct. It is measured using the false acceptance rate
(FAR). False negative errors occur when a system rejects a valid
user, measured using the false rejection rate (FRR). We evaluate
the effectiveness of an authentication technology using the
crossover error rate (CER), as shown here:
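FAR, FRR and the crossover error rate computed from match scores, as an added example that is not part of the original notes. The genuine and impostor scores are constructed, and the matcher is assumed to return a similarity in [0, 1] and accept when the score reaches a threshold; sweeping the threshold shows the two rates moving in opposite directions and the point where they cross.

```python
"""FAR, FRR and the crossover error rate (CER) for a biometric matcher.

Added example, not from the original notes. Scores are constructed.
"""

# Constructed scores: genuine attempts (a user against their own template) and
# impostor attempts (someone else against that template).
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.77, 0.70, 0.65, 0.60, 0.55, 0.83, 0.95]
IMPOSTOR_SCORES = [0.10, 0.20, 0.30, 0.45, 0.50, 0.58, 0.62, 0.35, 0.25, 0.40]


def false_acceptance_rate(impostor_scores, threshold: float) -> float:
    """FAR: fraction of impostor attempts the system wrongly accepts (false positives)."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def false_rejection_rate(genuine_scores, threshold: float) -> float:
    """FRR: fraction of genuine attempts the system wrongly rejects (false negatives)."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def crossover_error_rate(genuine_scores, impostor_scores):
    """Return (threshold, FAR, FRR) where |FAR - FRR| is smallest.

    Candidate thresholds are the observed scores themselves, which avoids
    floating-point stepping and guarantees every distinct operating point is tried.
    """
    best = None
    for threshold in sorted(set(genuine_scores) | set(impostor_scores)):
        far = false_acceptance_rate(impostor_scores, threshold)
        frr = false_rejection_rate(genuine_scores, threshold)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, threshold, far, frr)
    _, threshold, far, frr = best
    return threshold, far, frr


if __name__ == "__main__":
    for t in (0.4, 0.5, 0.6, 0.7):
        print(f"threshold {t:.2f}: FAR={false_acceptance_rate(IMPOSTOR_SCORES, t):.2f} "
              f"FRR={false_rejection_rate(GENUINE_SCORES, t):.2f}")
    print("CER at", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

A lower CER means a better matcher, but the CER is only a comparison point: a system guarding a data centre door would be tuned to a higher threshold (lower FAR, more false rejections) than one unlocking a phone.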

RADIUS is an authentication protocol commonly used for backend services. TACACS+ serves a similar purpose and is the only protocol from the TACACS family that is still commonly used.

The implicit deny principle says that any action that is not
explicitly authorized for a subject should be denied.

Access control lists (ACLs) form the basis of many access management systems and provide a listing of subjects and their permissions on objects and groups of objects.

Discretionary access control (DAC) systems allow the owners of objects to modify the permissions that other users have on those objects. Mandatory access control (MAC) systems enforce predefined policies that users may not modify.
Role-based access control assigns permissions to individual users based upon their assigned role(s) in the organization. For example, backup administrators might have one set of permissions while sales representatives have an entirely different set.
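Implicit deny, ACLs, DAC, MAC and RBAC side by side in code, as an added example that is not part of the original notes. Subjects, objects, roles and the ordered classification levels are constructed; the MAC rule shown (a subject may read an object only if its clearance is at or above the object's classification) is one common mandatory policy, assumed here for illustration.

```python
"""ACLs with implicit deny, discretionary vs mandatory access control, and RBAC.

Added example, not from the original notes. All subjects, objects, roles and
levels are constructed for the demonstration.
"""


class DiscretionaryACL:
    """DAC: every object has an owner, and only the owner may change its ACL."""

    def __init__(self):
        self.owners = {}  # object -> owning subject
        self.acl = {}     # object -> {subject: set of permissions}

    def create(self, obj: str, owner: str) -> None:
        self.owners[obj] = owner
        self.acl[obj] = {owner: {"read", "write", "delete"}}

    def grant(self, actor: str, obj: str, subject: str, permission: str) -> None:
        if self.owners.get(obj) != actor:
            raise PermissionError(f"{actor} does not own {obj}")
        self.acl[obj].setdefault(subject, set()).add(permission)

    def is_allowed(self, subject: str, obj: str, permission: str) -> bool:
        # Implicit deny: anything not listed is refused, including unknown objects.
        return permission in self.acl.get(obj, {}).get(subject, set())


# MAC: the ordering is fixed by the organisation and cannot be changed by users.
LEVELS = ["public", "internal", "confidential", "secret"]


def mac_can_read(clearance: str, classification: str) -> bool:
    """Assumed mandatory rule: read only at or below your clearance (no read up)."""
    return LEVELS.index(clearance) >= LEVELS.index(classification)


# RBAC: permissions attach to roles, users receive roles.
ROLE_PERMISSIONS = {
    "backup_admin": {("fileserver", "read"), ("fileserver", "backup")},
    "sales_rep": {("crm", "read"), ("crm", "write")},
}


def rbac_is_allowed(roles, obj: str, permission: str) -> bool:
    """Implicit deny again: an unknown role or an unlisted pair grants nothing."""
    return any((obj, permission) in ROLE_PERMISSIONS.get(role, set()) for role in roles)


if __name__ == "__main__":
    acl = DiscretionaryACL()
    acl.create("report.docx", owner="alice")
    print(acl.is_allowed("bob", "report.docx", "read"))   # False: nothing granted yet
    acl.grant("alice", "report.docx", "bob", "read")
    print(acl.is_allowed("bob", "report.docx", "read"))   # True
    print(mac_can_read("confidential", "secret"))          # False: no read up
    print(rbac_is_allowed({"backup_admin"}, "fileserver", "backup"))  # True
```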

Brute force attacks against password systems try to guess all possible passwords. Dictionary attacks refine this approach by testing combinations and permutations of dictionary words. Rainbow table attacks precompute hash values for use in comparison. Salting passwords with a random value prior to hashing them reduces the effectiveness of rainbow table attacks.
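Why salting works, shown with the weak scheme beside the hardened one. This is an added example, not from the original notes: the "common password" list standing in for a precomputed table is constructed and tiny, and the hardened scheme uses PBKDF2-HMAC-SHA256 from the standard library as one reasonable choice of slow, salted hash.

```python
"""Unsalted digests versus salted, iterated password hashing.

Added example, not from the original notes. The precomputed table is a
constructed stand-in for a real rainbow table.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple


def unsalted_digest(password: str) -> str:
    """Weak scheme: plain SHA-256. The same password gives the same digest everywhere,
    so one precomputed table answers every database that uses this scheme."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


COMMON_PASSWORDS = ["password", "123456", "letmein"]      # constructed
PRECOMPUTED = {unsalted_digest(p): p for p in COMMON_PASSWORDS}


def lookup_precomputed(digest_hex: str) -> Optional[str]:
    """Return the password whose unsalted digest was precomputed, or None."""
    return PRECOMPUTED.get(digest_hex)


ITERATIONS = 100_000  # slows each guess; tune to the hardware budget


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened scheme: random 16-byte salt plus PBKDF2. Store salt and hash together.
    Two users with the same password get different hashes, so no table can be shared."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print("unsalted lookup:", lookup_precomputed(unsalted_digest("letmein")))
    salt, stored = hash_password("letmein")
    print("salted lookup:", lookup_precomputed(stored.hex()))
    print("verify:", verify_password("letmein", salt, stored))
```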

Man-in-the-middle attacks intercept a client’s initial request for a connection to a server and proxy that connection to the real service. The client is unaware that they are communicating through a proxy and the attacker can eavesdrop on the communication and inject commands.

When managing the physical environment, you should be familiar with common power issues:

Fires require the combination of heat, oxygen, and fuel. They may be fought with fire extinguishers:
 Class A: common combustible fires
 Class B: liquid fires
 Class C: electrical fires
 Class D: metal fires
Organizations may use wet pipe fire suppression systems that always contain water, dry pipe systems that only fill with water when activated, or preaction systems that fill the pipes at the first sign of fire detection.

Mantraps use a set of double doors to restrict physical access to a facility.

The top ten security vulnerabilities in web applications, according to OWASP, are:
1. Injection attacks
2. Broken authentication
3. Sensitive data exposure
4. XML external entities
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring
In addition to maintaining current and patched platforms, one of the most effective application security techniques is input validation, which ensures that user input matches the expected pattern before using it in code.
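Input validation as an allowlist, as an added example that is not part of the original notes. The field rules (a username, a port number, a quantity) are constructed for the demonstration; the point is that each field is accepted only when it matches the expected shape and range, and everything else, including fields the form did not ask for, is an error before the value reaches any code that uses it.

```python
"""Allowlist input validation: accept only what matches the expected pattern.

Added example, not from the original notes. Field rules are constructed.
"""
import re

# \A and \Z anchor the whole string; a trailing `$` alone would still accept "alice\n".
USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z")


def validate_username(value) -> str:
    if not isinstance(value, str) or not USERNAME_RE.match(value):
        raise ValueError("must be 3-32 lowercase letters, digits or underscores, starting with a letter")
    return value


def validate_int_in_range(value, low: int, high: int) -> int:
    """Accept only a plain ASCII decimal string whose value lies within [low, high].
    int() alone would also accept whitespace, signs and non-ASCII digits, so the
    shape is checked first and the conversion only runs on validated text."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{1,10}", value):
        raise ValueError("expected a decimal number")
    number = int(value)
    if not low <= number <= high:
        raise ValueError(f"must be between {low} and {high}")
    return number


FIELD_RULES = {
    "username": validate_username,
    "port": lambda v: validate_int_in_range(v, 1, 65535),
    "quantity": lambda v: validate_int_in_range(v, 1, 100),
}


def validate_form(form: dict):
    """Validate every expected field; unexpected fields are errors too.
    Returns (clean_values, errors). Use clean_values only when errors is empty."""
    clean, errors = {}, []
    for field, rule in FIELD_RULES.items():
        if field not in form:
            errors.append(f"{field}: missing")
            continue
        try:
            clean[field] = rule(form[field])
        except ValueError as exc:
            errors.append(f"{field}: {exc}")
    for extra in sorted(set(form) - set(FIELD_RULES)):
        errors.append(f"{extra}: unexpected field")
    return clean, errors


if __name__ == "__main__":
    print(validate_form({"username": "bob", "port": "22", "quantity": "5"}))
    print(validate_form({"username": "Bob", "port": "0", "quantity": "5", "debug": "1"}))
```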

Domain 4: Information Security Incident Management

Cyber Investigations
Security professionals are often called upon to participate in a
variety of investigations:
 Criminal investigations look into the violation of a
criminal law and use the beyond a reasonable doubt
standard of proof.
 Civil investigations examine potential violations of civil
law and use the preponderance of the evidence
standard.
 Regulatory investigations examine the violation of a
private or public regulatory standard.
 Administrative investigations are internal to an
organization, supporting administrative activities.
Evidence
Investigations may use several different types of evidence:
 Real evidence consists of tangible objects that may be brought into court.
 Documentary evidence consists of records and other written items and must be authenticated by testimony.
 Testimonial evidence is evidence given by a witness, either verbally or in writing.
The best evidence rule states that, when using a document as
evidence, the original document must be used unless there are
exceptional circumstances. The parol evidence rule states that a
written agreement is assumed to be the complete agreement.

Chain of Custody and Evidence Handling
Forensic investigators must take steps to ensure that they do not accidentally tamper with evidence and that they preserve the chain of custody documenting evidence handling from collection until use in court.

Business Continuity Planning (BCP)
Business continuity planning (BCP) attempts to design systems and controls in a manner that minimizes the risk that business activity will be disrupted.

Disaster Recovery Process
The disaster recovery process begins when operations are disrupted at the primary site and shifted to an alternate capability. The process only concludes when normal operations are restored.

Reference
 CISA 1.6 – What is a Risk Based Audit Approach? – https://lnkd.in/eseF7Ymv
 CISA 1.5 – What are IS Controls? – https://lnkd.in/eseF7Ymv
 CISA 1.4 – What is the difference between a Control and a Control Objective? – https://lnkd.in/ehYhedRM
 CISA 1.3 – What are the 4 types of controls? – https://lnkd.in/ek9YAXDK
 CISA 1.2 – Everything You Need to Know about Internal Audit Function – https://lnkd.in/ekeVV9fv
 CISA 1.1 – What is IT Audit? – https://lnkd.in/ehigUK7S
 COBIT 2019 Foundation – Chapter 1: Course Overview – https://youtube.com/playlist?list=PL73WzVfh2gWmTod3RIdDCWSm_Xw9Ps_4W
 PMP
 ITIL
 CyBOK – https://www.cybok.org/knowledgebase1_1/
Exam Questions

Which of the following should be the FIRST step in developing an information security plan?
A. Perform a technical vulnerabilities assessment
B. Analyze the current business strategy
C. Perform a business impact analysis
D. Assess the current levels of security awareness

Explanation:
Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security strategy because it focuses on availability.
