CISSP Flashcards: Security and Risk Management, Governance, Compliance, Ethics
Understanding cybersecurity is crucial in today’s digital landscape, particularly for professionals seeking to achieve CISSP certification. This topic encompasses a range of essential security concepts necessary for mastering the CISSP exam. By exploring these flashcards, you will gain insights into key areas such as risk management, asset security, and identity access management, all of which are vital for any information security expert. Within this comprehensive set, you will find flashcards covering critical domains such as Security Architecture, Cryptography, Communication Security, and Security Operations. Each section is structured to facilitate learning through focused topics like Governance, Incident Response, and Secure Coding practices. This organized approach allows for a thorough understanding of each domain, giving you the tools needed to excel in your studies and professional endeavors. Utilizing an engaging audio format, these flashcards employ the spaced repetition technique (SM-2) to enhance retention and recall of information. Whether you're preparing for the CISSP exam or seeking to expand your knowledge, these flashcards offer an efficient way to study and master essential cybersecurity concepts. Start your journey now and elevate your security expertise!


What are the three components of the CIA triad in information security?

The CIA triad consists of confidentiality, integrity, and availability. Confidentiality ensures that information is accessible only to authorized individuals through controls like encryption and access controls. Integrity ensures that data is accurate, complete, and unmodified by unauthorized parties through controls like hashing and digital signatures. Availability ensures that systems and data are accessible to authorized users when needed through controls like redundancy and backups.

What is the difference between a threat, a vulnerability, and a risk?

A threat is any potential event or action that could exploit a vulnerability and cause harm, such as a hacker, natural disaster, or malware. A vulnerability is a weakness in a system, process, or control that a threat could exploit, such as unpatched software or weak passwords. Risk is the likelihood that a threat will exploit a vulnerability multiplied by the impact of that exploitation. Risk equals threat times vulnerability times impact.

What are the four ways to respond to risk?

The four risk response strategies are mitigation, transfer, avoidance, and acceptance. Mitigation reduces the likelihood or impact of a risk by implementing controls, such as installing a firewall. Transfer shifts the financial impact to another party, most commonly through insurance or outsourcing. Avoidance eliminates the risk entirely by discontinuing the activity that creates it, such as not storing sensitive data. Acceptance acknowledges the risk without additional controls when the cost of mitigation exceeds the potential loss.

What is the difference between qualitative and quantitative risk analysis?

Quantitative risk analysis assigns monetary values to assets, threats, and losses using formulas. Key metrics include asset value, exposure factor as a percentage of loss, single loss expectancy which equals asset value times exposure factor, annualized rate of occurrence, and annualized loss expectancy which equals single loss expectancy times annualized rate of occurrence. Qualitative risk analysis uses subjective ratings like high, medium, and low based on expert judgment, scenarios, and matrices. Quantitative is more precise but requires reliable data.

What is due diligence versus due care in information security?

Due diligence is the process of researching, understanding, and assessing risks before making decisions, essentially doing your homework. It involves identifying threats, evaluating controls, and understanding legal requirements. Due care is the ongoing implementation and maintenance of reasonable security measures based on what due diligence revealed, essentially acting responsibly. A company that conducts a risk assessment performs due diligence. A company that implements and maintains the controls identified by that assessment practices due care.

What are the key privacy principles that CISSP candidates must know?

Key privacy principles include purpose limitation meaning data is collected only for specified purposes, data minimization meaning only necessary data is collected, consent meaning individuals agree to data collection and use, notice meaning individuals are informed about data practices, access meaning individuals can view and correct their data, and retention limitation meaning data is kept only as long as needed. These principles appear across privacy frameworks including the General Data Protection Regulation, the California Consumer Privacy Act, and the OECD Privacy Guidelines.

What is the (ISC)² Code of Ethics and what are its canons?

The (ISC)² Code of Ethics has a preamble and four mandatory canons that all CISSP holders must follow. First, protect society, the common good, necessary public trust and confidence, and the infrastructure. Second, act honorably, honestly, justly, responsibly, and legally. Third, provide diligent and competent service to principals. Fourth, advance and protect the profession. These canons are listed in order of priority, so protecting society takes precedence over loyalty to an employer.

What is the difference between a policy, a standard, a procedure, and a guideline?

A policy is a high-level statement of management intent and direction that is mandatory, such as "all data must be classified." A standard specifies mandatory requirements for implementing a policy, such as "passwords must be at least 12 characters." A procedure is a detailed step-by-step instruction for performing a specific task, such as "how to request access to the financial system." A guideline is a recommendation or best practice that is not mandatory, such as "consider using a password manager." Policies are the broadest and most authoritative.

What is the NIST Risk Management Framework?

The NIST Risk Management Framework, defined in Special Publication 800-37, provides a structured process for managing security risk across an organization. Its seven steps are prepare by establishing context and priorities, categorize information systems by impact level, select appropriate security controls, implement the selected controls, assess whether controls are effective, authorize the system to operate based on residual risk, and monitor controls on an ongoing basis. The RMF is mandatory for US federal agencies and widely adopted in the private sector.

What are administrative, technical, and physical security controls?

Administrative controls are management-oriented measures including policies, procedures, training, background checks, and risk assessments. Technical controls, also called logical controls, are implemented through technology including firewalls, encryption, access control lists, intrusion detection systems, and antivirus software. Physical controls protect the physical environment including locks, fences, security guards, cameras, mantraps, and environmental controls like fire suppression. A defense-in-depth strategy layers all three types so that if one control fails, others compensate.