CISSP - Laws, Lists, and Items You Need to Know.
A Catch All
Steps in a BIA (Business Impact Analysis)
1) Select individuals to interview for data gathering.
2) Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
3) Identify the company's critical business functions.
4) Identify the resources these functions depend upon.
5) Calculate how long these functions can survive without these resources.
6) Identify vulnerabilities and threats to these functions.
7) Calculate the risk for each different business function.
8) Document findings and report them to management.
Steps of a Risk Assessment
1) System Characterization
2) Threat Identification
3) Vulnerability Identification
4) Control Analysis
5) Likelihood Determination
6) Impact Analysis
7) Risk Determination
8) Control Recommendations
9) Results Documentation
AV (Quantitative Risk Analysis)
Asset Value (the $ value assigned to the asset at risk)
EF (Quantitative Risk Analysis)
Exposure Factor (The percentage of loss that is expected to result from the manifestation of a particular risk event)
SLE (Quantitative Risk Analysis)
Single Loss Expectancy (AV x EF) ($ amount that represents the cost of a single occurrence of a threat instance.)
ARO (Quantitative Risk Analysis)
Annual Rate of Occurrence (How often a threat will materialize per year)
ALE (Quantitative Risk Analysis)
Annual Loss Expectancy (Cost per year as a result of the threat) (ALE = SLE x ARO)
TCO (Quantitative Risk Analysis)
Total Cost of Ownership (Total cost of implementing a safeguard, including upkeep costs) (TCO = Initial Cost of Control + Yearly Upkeep Fees)
ROI (Quantitative Risk Analysis)
Return on Investment (ROI = ALE (before implementing the control) - ALE (after implementing the control) - Cost of Control)
Forensic Evidence Steps
Code of Ethics Canons
1. Protect society, the commonwealth and the infrastructure
2. Act honorably, honestly, justly, responsibly, and legally
3. Provide diligent and competent service to principals
4. Advance and protect the profession
BCP and/or DR Steps
1) Project Initiation
2) Scope the Project
4) Identify Preventative Controls
5) Recovery Strategy
6) Plan, Design, and Develop
7) Implementation, Training, and Testing
8) BCP/DRP Maintenance
2) Development or Acquisition
US Can Stop Terrorism
5) Top Secret
Platform as a Service (PaaS)
The cloud computing concept of providing a computing platform and software solution stack as a virtual or cloud‐based service. Essentially, it is the concept of paying for a service that provides all the aspects of a platform (i.e., operating system and complete solution package).
Software as a Service (SaaS)
A cloud computing concept that provides on‐demand online access to specific software applications or suites without the need for local
Identity as a Service (IDaaS)
A third‐party service that provides identity and access management. IDaaS effectively provides SSO for the cloud and is especially useful when internal clients access cloud‐based Software as a Service (SaaS)
Infrastructure as a Service (IaaS)
A cloud computing concept that can provide not just on‐demand operating solutions but complete outsourcing of IT infrastructure.
Intellectual property that is absolutely critical to a business and would cause significant damage if it were disclosed to competitors and/or the public. Best intellectual property protection for software. No time duration.
A registered word, slogan, or logo used to identify a company and its products or services. Can be renewed an unlimited number of times. Lasts for 10 years.
Law that guarantees the creators of "original works of authorship" protection against the unauthorized duplication of their work. Cannot be renewed. Lasts for 70 years after the death of the original author.
A governmental grant that bestows on an invention's creator the sole right to make, use, and sell that invention for a set period of time. Protects for 20 years. Cannot be renewed.
DRP Structured Walkthrough Test
Members of the DRP Team role play a recovery exercise in a conference room
DRP Parallel Test
Involves relocating personnel to the alternate recovery site and implementing site activation procedures
DRP Checklist Test
Involves relocating personnel to the alternate recovery site and implementing site activation procedures and involves actually shutting down operations at the primary site and shifting them to the recovery site
DRP Simulation Test
A test in which disaster recovery team members are presented with a scenario and asked to develop an appropriate response. Some of these response measures are then tested. This may involve the interruption of noncritical business activities and the use of some operational personnel.
DRP Full Interruption Test
A disaster recovery test that involves shutting down operations at the primary site and shifting them to the recovery site.
Federal Information Security Management Act (FISMA)
Passed in 2002, this act requires that federal agencies implement an information security program that covers the agency's operations.
Communications Assistance to Law Enforcement Act (CALEA)
Requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order.
The Family Educational Rights and Privacy Act (FERPA)
Protects the rights of students and the parents of minor students
National Information Infrastructure Protection Act
This act extends protections to portions of the national infrastructure other than computing systems, such as railroads, gas pipelines, power grids, etc.
Computer Fraud and Abuse Act (CFAA)
A US law written to exclusively cover computer crimes that cross state boundaries, to avoid infringing on states' rights.
Computer Security Act of 1987 (CSA)
A US law that mandates baseline security requirements for all federal agencies.
Government Information Security Reform Act of 2000
Act that amends the US Code to implement additional information security policies and procedures.
Privacy Act of 1974
A law that mandates that government agencies maintain only records that are necessary to conduct their business and destroy those records when they are no longer needed for a legitimate function of government. It provides a formal procedure for individuals to gain access to records the government maintains about them and to request that incorrect records be amended. The Privacy Act also restricts the way the federal government can deal with private information about individual citizens.
Electronic Communications Privacy Act of 1986 (ECPA)
The law that makes it a crime to invade an individual's electronic privacy. It protects against the monitoring of email and voice mail communications and prevents providers of those services from making unauthorized disclosures of their content.
Communications Assistance for Law Enforcement Act of 1994 (CALEA)
Economic Espionage Act of 1996
A law that states that anyone found guilty of stealing trade secrets from a US corporation with the intention of benefiting a foreign government or agent may be fined up to $500,000 and imprisoned for up to 15 years, and that anyone found guilty of stealing trade secrets under other circumstances may be fined up to $250,000 and imprisoned for up to 10 years.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
A law passed in 1996 that made numerous changes to the laws governing health insurance and health maintenance organizations (HMOs). Among the provisions of HIPAA are privacy regulations requiring strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals.
Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
In 2009, Congress amended HIPAA by passing the Health Information Technology for Economic and Clinical Health (HITECH) Act. This law updated many of HIPAA's privacy and security requirements and was implemented through the HIPAA Omnibus Rule in 2013. One of the changes mandated by the new regulations is a change in the way the law treats business associates (BAs), organizations that handle protected health information (PHI) on behalf of a HIPAA‐covered entity. HITECH also introduced new data breach
Children's Online Privacy Protection Act of 1998 (COPPA)
A law in the United States that places specific demands on websites that cater to children or knowingly collect information from
Gramm-Leach-Bliley Act of 1999 (GLBA)
A law passed in 1999 that eased the strict governmental barriers between financial institutions. Banks, insurance companies, and credit providers were severely limited in the services they could provide and the information they could share with each other. GLBA somewhat relaxed the regulations concerning the services each organization could provide.
USA Patriot Act of 2001
An act implemented after the September 11, 2001, terrorist attacks. It greatly broadened the powers of law enforcement organizations and intelligence agencies across a number of areas, including the monitoring of electronic communications.
Family Educational Rights and Privacy Act (FERPA)
A specialized privacy bill that affects any educational institution that accepts any form of funding from the federal government (the vast majority of schools). It grants certain privacy rights to students older than the age of 18 and the parents of minor students.
Identity Theft And Assumption Deterrence Act
An act that makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15‐year prison term and/or a $250,000 fine) for anyone found guilty of violating it.
European Union Privacy Law
Notice: They must inform individuals of what information they collect about them and how the information will be used.
Choice: They must allow individuals to opt out if the information will be used for any other purpose or shared with a third party. For information considered sensitive, an opt‐in policy must be used.
Onward Transfer: Organizations can share data only with other organizations that comply with the safe harbor principles.
Access: Individuals must be granted access to any records kept containing their personal
Security: Proper mechanisms must be in place to protect data against loss, misuse, and
Data Integrity: Organizations must take steps to ensure the reliability of the information
Enforcement: Organizations must make a dispute resolution process available to individuals and provide certifications to regulatory agencies that they comply with the safe harbor provisions.
Payment Card Industry Data Security Standard (PCI-DSS)
PCI DSS has 12 main requirements:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor‐supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need‐to‐know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
Assigns permissions to a system based on the principles of least privilege and need to know.
Protects the integrity and security of data.
Has ultimate responsibility for the data and classifies the data.
The collection of similar elements into groups, classes, or roles for the assignment of security controls, restrictions, or permissions as a collective.
An additional function that can be added to either local or centralized alarm systems. The purpose of an auxiliary alarm system is to notify local police or fire services when an alarm is triggered.
Centralized Alarm System
An alarm system that signals a remote or centralized monitoring station when the alarm is triggered.
Local Alarm Systems
Alarm systems that broadcast an audible signal that can be easily heard up to 400 feet away. Additionally, local alarm systems must be protected from tampering and disablement, usually by security guards. In order for a local alarm system to be effective, there must be a security team or guards positioned nearby who can respond when the alarm is triggered.
MTD and RTO
Maximum Tolerable Downtime and Recovery Time Objective. RTO must be less than MTD.
The three essential security principles of confidentiality, integrity, and
The assurance that information is protected from unauthorized disclosure and the defined level of secrecy is maintained throughout all subject‐object
A state characterized by the assurance that modifications are not made by unauthorized users and authorized users do not make unauthorized modifications.
The assurance that authorized subjects are granted timely and uninterrupted access to objects.
The process by which a subject professes an identity and accountability is initiated. The identification process can consist of a user providing a username, a logon ID, a PIN, or a smart card, or a process providing a process ID number.
The process of verifying or testing that the identity claimed by a subject is
A process that ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity (in other
A methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or
The process of holding someone responsible (accountable) for something. In this context, accountability is possible if a subject's identity and actions can be tracked
A delete operation against a file, a selection of files, or the entire media. In most cases, the deletion or erasure process removes only the directory or catalog link to the data. The actual data remains on the drive.
A method of sufficiently deleting media that will be reused in the same secured environment. Also known as overwriting.
The process of erasing media so it can be reused in a less secure environment.
The process of moving a resource into a lower classification level once its value no longer justifies the security protections provided by a higher level of classification.
Any number of processes that prepare media for destruction. Sanitization is the process that ensures that data cannot be recovered by any means from destroyed or discarded media. Sanitization can also be the actual means by which media is destroyed. Media can be sanitized by purging or degaussing without physically destroying the
The act of using a magnet to return media to its original pristine unused state.
Software Capability Maturity Model (CMM)
Level 1 - Initial
Level 2 - Repeatable
Level 3 - Defined
Level 4 - Managed
Level 5 - Optimizing
IDEAL Model
1 - Initiating
2 - Diagnosing
3 - Establishing
4 - Acting
5 - Learning
To Remember IDEAL and CMM
I...I DR ED AM LO
Agile 12 Principles
■ Our highest priority is to satisfy the customer through early and continuous delivery of
■ Welcome changing requirements, even late in development. Agile processes harness change for the customer's competitive advantage.
■ Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.
■ Business people and developers must work together daily throughout the project.
■ Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done.
■ The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.
■ Working software is the primary measure of progress.
■ Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely.
■ Continuous attention to technical excellence and good design enhances agility.
■ Simplicity—the art of maximizing the amount of work not done—is essential.
■ The best architectures, requirements, and designs emerge from self-organizing teams.
■ At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.
Waterfall Life Cycle
System Requirements> Software Requirements> Preliminary Design> Detailed Design> Code and Debug> Testing> Operations and Maintenance
Plan Next Phases > Develop and Verify Next-Level Products > Evaluate Alternatives, Identify and Resolve Risks > Determine Objectives, Alternatives, and Constraints