CISSP Study Guide Netwrix
24 Mar 2020 | 93 Pages | 1.13 MB

Share Pdf : Cissp Study Guide Netwrix

Download and Preview : Cissp Study Guide Netwrix


Report CopyRight/DMCA Form For : Cissp Study Guide Netwrix



Transcription

Table of Contents

Introduction
Domain 1: Security and Risk Management
  1.1 Understand and apply concepts of confidentiality, integrity and availability
  1.2 Evaluate and apply security governance principles
  1.3 Determine compliance requirements
  1.4 Understand legal and regulatory issues that pertain to information security in a global context
  1.5 Understand, adhere to and promote professional ethics
  1.6 Develop, document and implement security policy, standards, procedures and guidelines
  1.7 Identify, analyze and prioritize Business Continuity (BC) requirements
  1.8 Contribute to and enforce personnel security policies and procedures
  1.9 Understand and apply risk management concepts
  1.10 Understand and apply threat modeling concepts and methodologies
  1.11 Apply risk-based management concepts to the supply chain
  1.12 Establish and maintain a security awareness, education and training program
  Domain 1 Review Questions
  Answers to Domain 1 Review Questions
Domain 2: Asset Security
  2.1 Identify and classify information and assets
  2.2 Determine and maintain information and asset ownership
  2.3 Protect privacy
  2.4 Ensure appropriate asset retention
  2.5 Determine data security controls
  2.6 Establish information and asset handling requirements
  Domain 2 Review Questions
  Answers to Domain 2 Review Questions
Domain 3: Security Architecture and Engineering
  3.1 Implement and manage engineering processes using secure design principles
  3.2 Understand the fundamental concepts of security models
  3.3 Select controls based upon systems security requirements
  3.4 Understand the security capabilities of information systems
  3.5 Assess and mitigate the vulnerabilities of security architectures, designs and solution elements
  3.6 Assess and mitigate vulnerabilities in web-based systems
  3.7 Assess and mitigate vulnerabilities in mobile systems
  3.8 Assess and mitigate vulnerabilities in embedded devices
  3.9 Apply cryptography
  3.10 Apply security principles to site and facility design
  3.11 Implement site and facility security controls
  Domain 3 Review Questions
  Answers to Domain 3 Review Questions
Domain 4: Communication and Network Security
  4.1 Implement secure design principles in network architecture
  4.2 Secure network components
  4.3 Implement secure communication channels according to design
  Domain 4 Review Questions
  Answers to Domain 4 Review Questions
Domain 5: Identity and Access Management (IAM)
  5.1 Control physical and logical access to assets
  5.2 Manage identification and authentication of people, devices and services
  5.3 Integrate identity as a third-party service
  5.4 Implement and manage authorization mechanisms
  5.5 Manage the identity and access provisioning lifecycle
  Domain 5 Review Questions
  Answers to Domain 5 Review Questions
Domain 6: Security Assessment and Testing
  6.1 Design and validate assessment, test and audit strategies
  6.2 Conduct security control testing
  6.3 Collect security process data
  6.4 Analyze test output and generate reports
  6.5 Conduct or facilitate security audits
  Domain 6 Review Questions
  Answers to Domain 6 Review Questions
Domain 7: Security Operations
  7.1 Understand and support investigations
  7.2 Understand the requirements for different types of investigations
  7.3 Conduct logging and monitoring activities
  7.4 Securely provision resources
  7.5 Understand and apply foundational security operations concepts
  7.6 Apply resource protection techniques
  7.7 Conduct incident management
  7.8 Operate and maintain detective and preventative measures
  7.9 Implement and support patch and vulnerability management
  7.10 Understand and participate in change management processes
  7.11 Implement recovery strategies
  7.12 Implement disaster recovery (DR) processes
  7.13 Test disaster recovery plans (DRP)
  7.14 Participate in business continuity (BC) planning and exercises
  7.15 Implement and manage physical security
  7.16 Address personnel safety and security concerns
  Domain 7 Review Questions
  Answers to Domain 7 Review Questions
Domain 8: Software Development Security
  8.1 Understand and apply security in the software development lifecycle
  8.2 Enforce security controls in development environments
  8.3 Assess the effectiveness of software security
  8.4 Assess security impact of acquired software
  8.5 Define and apply secure coding guidelines and standards
  Domain 8 Review Questions
  Answers to Domain 8 Review Questions
Useful References
About the Author
About Netwrix

Introduction

Exam Overview

Preparing to take the Certified Information Systems Security Professional (CISSP) exam requires a great deal of time and effort. The exam covers eight domains:

1. Security and Risk Management
2. Asset Security
3. Security Architecture and Engineering
4. Communication and Network Security
5. Identity and Access Management (IAM)
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security

To qualify to take the exam, you must generally have at least five years of cumulative, paid, full-time work experience in two or more of the eight domains. However, you can satisfy the eligibility requirement with four years of experience in at least two of the eight domains if you have either a four-year college degree or an approved credential or certification. See https://www.isc2.org/Certifications/CISSP/Prerequisite-Pathway for a complete list of approved credentials and certifications.

The exam is long, especially compared with other industry certifications. You can take it in English or another language. The English-language exam is a computerized adaptive testing (CAT) exam, so it changes based on your answers. You get up to 3 hours to complete a minimum of 100 questions and a maximum of 150 questions. Exams in languages other than English remain in a linear format; you get up to 6 hours to complete a series of 250 questions. You must score 700 points or more to pass the exam.

How to Use this Study Guide

Using multiple study sources and methods improves your chances of passing the CISSP exam. For example, instead of reading three or four books, you might read one book, watch a series of videos, take some practice test questions and read a study guide. Or you might take a class, take practice test questions and read a study guide. Or you might join a study group and read a book. The combination of reading, hearing and doing helps your brain process and retain information. If your plan is to read this study guide and then drive over to the exam center, you should immediately rethink your plan.

There are a couple of ways you can use this study guide:

- Use it before you do any other studying. Read it thoroughly. Assess your knowledge as you read: Do you already know everything being said? Or are you finding that you can't follow some of the topics easily? Based on how your reading of the study guide goes, you'll know which exam domains to focus on and how much additional study time you need.
- Use it as the last thing you read prior to taking the exam. Maybe you've taken a class, read a book and gone through a thousand practice test questions, and now you're wondering if you are ready. This study guide might help you answer that question. At a minimum, everything in this study guide should be known to you, make sense to you and not confuse you.

Note that a study guide like this doesn't dive deep enough to teach you a complete topic if you are new to that topic. But it is a very useful preparation tool because it enables you to review a lot of material in a short amount of time. In this guide, we've tried to provide the most important points for each of the topics, but it cannot include the background and details you might find in a 1,000-page book.

Recent Changes to the Exam

On April 15, 2018, the agency that provides the CISSP exam, the International Information System Security Certification Consortium, released an updated set of exam objectives (the exam blueprint). This blueprint is available at https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/CISSP-Exam-Outline-121417--Final.ashx.

While most of the exam topics remain the same, there are some minor changes to reflect the latest industry trends and information. Most books for the new version of the exam will be released in May 2018 or later. This study guide has been updated to reflect the new blueprint. The updates are minor: a few small topics have been removed, a few new ones have been added, and some items have been reworded.

What does this mean for you if you are preparing to take the exam? If you have already spent a good amount of time
preparing, you might just need to supplement your study with some sources that explain the new and revised material. But if you are just starting to study, consider waiting until the updated guides are released.

Domain 1: Security and Risk Management

1.1 Understand and apply concepts of confidentiality, integrity and availability

Confidentiality, integrity and availability make up what's known as the CIA triad. The CIA triad is a security model that helps organizations stay focused on the important aspects of maintaining a secure environment.

- Confidentiality. Sensitive data, including personally identifiable information (PII) like identification numbers and bank account numbers, must be kept confidential. It's important to understand that confidentiality is different from secrecy. If you aren't aware something exists, such as data or a web service, then it is a secret. But keeping something secret by itself doesn't ensure confidentiality. You've probably seen stories of attackers, or even regular web surfers, stumbling across secret web sites or information, sometimes by accident. To ensure confidentiality, you must make certain that even if someone is aware that something valuable exists, such as a store that processes credit card transactions or a file share with sensitive data, they can't get to it. At a high level, you use access controls (locked doors, folder permissions and two-factor authentication) to maintain confidentiality. At a lower level, you use encryption to protect data at rest, hashing to protect data in motion, and physical security for data in use (privacy screens or physical separation between data in use and unauthorized persons). You can use a default deny configuration so that unless somebody has been expressly authorized to access data, they are denied access.
- Integrity. You also have to make certain that data isn't changed improperly. Encryption helps ensure the integrity of data at rest, but it isn't the best option for data in motion. Instead, hashing is typically used. Hashing data assigns the data a numeric value, which is calculated at the source before the transfer and then again by the recipient after the transfer; a match proves data integrity. Algorithms such as SHA-256 and SHA-512 are commonly used for hashing; older algorithms such as SHA-1 have become susceptible to attack and therefore are rarely used.
- Availability. To ensure high availability of services and data, use techniques like failover clustering, site resiliency, automatic failover, load balancing, redundancy of hardware and software components, and fault tolerance. For example, they can help you thwart a denial-of-service (DoS) attack that aims to deny the availability of a service or data by overloading a system with invalid requests or requests that take a long time to process.

1.2 Evaluate and apply security governance principles

To establish security governance principles, adopt a framework such as the one from the National Institute of Standards and Technology (NIST). Be sure the framework you choose includes the following:

- Alignment of security function to strategy, goals, mission and objectives. An organization has a mission and uses strategy, plans and objectives to try to meet that mission. These components flow down, with the ones below supporting the ones above. Business strategy is often focused 5 or more years out. In the shorter term, typically 1 to 2 years, you have tactical plans that are aligned with the strategic plan. Below that are operational plans, the detailed tactical plans that keep the business running day to day. Objectives are the closest to the ground and represent small efforts to help you achieve a mission. For example, a car manufacturer's mission might be to build and sell as many high-quality cars as possible. The objectives might include expanding automation to reduce the total build time of a car and expanding from 2 factories to 3. A security framework must closely tie to the organization's mission and objectives, enabling the business to complete its objectives and advance the mission while securing the environment based on risk tolerance. Continuing with the car manufacturer example, the security framework must enable the expansion of automation. If the security framework is such that automation cannot be expanded, then the security framework isn't sufficiently aligned with the mission and objectives.
- Organizational processes (acquisitions, divestitures, governance committees). Be aware of the risks in acquisitions (since the state of the IT environment to be integrated is unknown, due diligence is critical) and divestitures (you need to determine how to split the IT infrastructure and what to do with identities and credentials). Understand the value of governance committees (vendor governance, project governance, architecture governance, etc.). Executives, managers and appointed individuals meet to review architecture, projects and incidents (security or otherwise) and provide approvals for new strategies or directions. The goal is a fresh set of eyes, often eyes that are not purely focused on information security.
- Organizational roles and responsibilities. There are multiple roles to consider. Management has a responsibility to keep the business running and to maximize profits and shareholder value. The security architect or security engineer has a responsibility to understand the organization's business needs, the existing IT environment and the current state of security and vulnerability, as well as to think through strategies, improvements, configurations and countermeasures that could maximize security and minimize risk. There is a need for people who can translate between technical and non-technical people. Costs must be justified and reasonable based on the organization's requirements and risk.
- Security control frameworks. A control framework helps ensure that your organization is covering all the bases around securing the environment. There are many frameworks to choose from, such as Control Objectives for Information Technology (COBIT) and the ISO 27000 series (27000, 27001, 27002, etc.). These frameworks fall into four categories:
  - Preventative: Preventing security issues and violations through strategies such as policies and security awareness training.
  - Deterrent: Discouraging malicious activities using access controls or technologies such as firewalls, intrusion detection systems and motion-activated cameras.
  - Detective: Uncovering unauthorized activity in your environment.
  - Corrective: Getting your environment back to where it was prior to a security incident.
- Due care/due diligence. Ensure you understand the difference between these two concepts. Due care is about your legal responsibility within the law or within organizational policies to implement your organization's controls, follow security policies, do the right thing and make reasonable choices. Due diligence is about understanding your security governance principles, policies and procedures, and the risks to your organization. Due diligence often involves gathering information through discovery, risk assessments and review of existing documentation; creating documentation to establish written policies; and disseminating the information to the organization. Sometimes people think of due diligence as the method by which due care can be exercised.

After you establish and document a framework for governance, you need security awareness training to bring everything together. All new hires should complete the security awareness training as they come on board, and existing employees should recertify on it regularly (typically yearly).

1.3 Determine compliance requirements

Many organizations need to comply with applicable laws and industry standards. Noncompliance can mean fines, jail time for executives or even the end of a business. To achieve compliance, you must focus on controls. Although most common standards are vague about implementation, a few provide detailed documentation to help organizations achieve compliance. For example, NIST provides a guide for complying with federal information standards.

- Contractual, legal, industry standards and regulatory requirements. Understand the legal systems. Civil law is most common; rulings from judges typically do not set precedents that impact other cases. With common law, which is used in the USA, Canada, the UK and former British colonies, rulings from judges can set precedents that have significant impact on other cases. An example of religious law is Sharia (Islamic law), which uses the Qur'an and Hadith for the foundation of laws. Customary law takes common, local and accepted practices and sometimes makes them laws. Within common law you have criminal law (laws against society) and civil law (typically person vs. person, resulting in monetary compensation from the losing party). Compliance factors into laws, regulations and industry standards such as Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA). As part of your exam preparation, familiarize yourself with these standards by reading their high-level summaries.
- Privacy requirements. Privacy is about protection of PII. Laws vary. The European Union has tough laws around privacy. Be familiar with the General Data Protection Regulation (GDPR). Be familiar with the requirements around healthcare data, credit card data and other PII data as it relates to various countries and their laws and regulations.

1.4 Understand legal and regulatory issues that pertain to information security in a global context

While you might be familiar with your local legal and regulatory issues, you must be familiar with legal and regulatory issues elsewhere too, at least at a high level.

- Cyber crimes and data breaches. Before your organization expands to other countries, perform due diligence to understand their legal systems and what changes might be required to the way that data is handled and secured. In particular, be familiar with the Council of Europe Convention on Cybercrime, a treaty signed by many countries that establishes standards for cybercrime policy. Be familiar with the various laws about data breaches, including notification requirements. In the United States, the Health Information Technology for Economic and Clinical Health (HITECH) Act requires notification of a data breach in some cases, such as when the exposed personal health information was not protected in accordance with the Health Insurance Portability and Accountability Act (HIPAA). The Gramm-Leach-Bliley Act (GLBA) applies to insurance and financial organizations; it requires notification to federal regulators, law enforcement agencies and customers when a data breach occurs. States in the United States also impose their own requirements concerning data breaches. The EU and other countries have their own requirements too. The GDPR has very strict data breach notification requirements: a data breach must be reported to the competent supervisory authority within 72 hours of its discovery. Some countries do not have any reporting requirements.
- Licensing and intellectual property requirements. Understand the rules around:
  - Trademarks: A logo, symbol or mascot used for marketing a brand.
  - Patents: A temporary monopoly for producing a specific item (such as a toy), which must be novel and unique to qualify for a patent.
  - Copyright: Exclusive use of artistic, musical or literary works that prevents unauthorized duplication, distribution or modification.
  - Licensing: A contract between the software producer and the consumer that limits the use and/or distribution of the software.
- Import/export controls. Every country has laws around the import and export of hardware and software. For example, the United States has restrictions around the export of cryptographic technology, and Russia requires a license to import encryption technologies manufactured outside the country.
- Trans-border data flow. If your organization adheres to specific security laws and regulations, then you should adhere to them no matter where the data resides, for example, even if you store a second copy of your data in another country. Be aware of the applicable laws in all countries where you store data and maintain computer systems. In some cases, data might need to remain in the country. In other cases, you need to be careful with your data because the technical teams might be unaware of the security and compliance requirements. The EU-US Privacy Shield (formerly the EU-US Safe Harbor agreement) controls data flow from the EU to the United States. The EU has more stringent privacy protections, and without the Safe Harbor act, personal data flow from the EU to the United States would not be allowed.
- Privacy. Many laws include privacy protections for personal data. The new GDPR has strong privacy rules that apply to any organization anywhere that stores or processes the personal data of EU citizens; in particular, individuals must be told how their data is collected and used, and they must be able to opt out. The privacy guidelines of the Organization for Economic Co-operation and Development (OECD) require organizations to avoid unjustified obstacles to trans-border data flow, limit personal data collection, protect personal data with reasonable security, and more.

1.5 Understand, adhere to and promote professional ethics

As a CISSP, you must understand and follow the (ISC)² code of ethics as well as your organization's own code.
- (ISC)² Code of Professional Ethics. Take the time to read the code of ethics, available at www.isc2.org/Ethics. At a minimum, know and understand the ethics canons:
  - Protect society, the common good, necessary public trust and confidence, and the infrastructure. This is "do the right thing." Put the common good ahead of yourself. Ensure that the public can have faith in your infrastructure and security.
  - Act honorably, honestly, justly, responsibly and legally. Always follow the laws. But what if you find yourself working on a project where conflicting laws from different countries or jurisdictions apply? In such a case, you should prioritize the local jurisdiction from which you are performing the services.
  - Provide diligent and competent service to principals. Avoid passing yourself off as an expert or as qualified in areas that you aren't. Maintain and expand your skills to provide competent services.
  - Advance and protect the profession. Don't bring negative publicity to the profession. Provide competent services, get training and act honorably. Think of it like this: If you follow the first three canons in the code of ethics, you automatically comply with this one.
- Organizational code of ethics. You must also support ethics at your organization. This can be interpreted to mean evangelizing ethics throughout the organization, providing documentation and training around ethics, or looking for ways to enhance the existing organizational ethics. Some organizations might have slightly different ethics than others, so be sure to familiarize yourself with your organization's ethics and guidelines.

1.6 Develop, document and implement security policy, standards, procedures and guidelines

Develop clear security policy documentation, including the following:

- Policy. This is the high-level document, often written by the management team. Policy is mandatory. It is purposely vague. For example, a policy might require you to ensure the confidentiality of company data but not specify the method for doing so.
- Standards. These are more descriptive than policies and document the standards to be used by the company for things such as hardware and software. For example, an organization might standardize on virtual machines and not physical servers.
- Procedures. These are the step-by-step documents that detail how to perform specific tasks, such as how to restore a database. The person following the procedure uses the document to perform the task. Procedures are mandatory. If you have a procedure for restoring a database, then that procedure needs to be followed for every database restore.
- Guidelines. These are recommended but optional. For example, your organization might have a guideline that recommends storing passwords in an encrypted password vault. It is a good idea to do that. But somebody might choose to store passwords in their brain or using another secure storage mechanism.
- Baselines. Although baselines are not explicitly mentioned in this section of the exam, don't forget about them. Baselines automate implementation of your standards, thereby ensuring adherence to them. For example, if you have 152 configuration items for your server builds, you can configure all of them in a baseline that is applied to every server that is built. Group Policy objects (GPOs) are often used to comply with standards in a Windows network. Configuration management solutions can also help you establish baselines and spot configurations that drift away from them.

1.7 Identify, analyze and prioritize Business Continuity (BC) requirements

Business continuity is the goal of remaining fully operational during an outage. ISO/IEC 27031 covers business continuity in detail; it provides a framework to build on, along with methods and processes covering the entire subject. Business continuity requires a lot of planning and preparation. The actual implementation of business continuity processes occurs quite infrequently. The primary facets of business continuity are resilience (within a data center and between sites or data centers), recovery (if a service becomes unavailable, you need to recover it as soon as possible) and contingency (a last resort in case resilience and recovery prove ineffective).

- Develop and document scope and plan. Developing the project scope and plan starts with gaining support of the management team, making a business case (cost/benefit analysis, regulatory or compliance reasons, etc.) and ultimately gaining approval to move forward. Next, you need to form a team with representatives from the business as well as IT. Then you are ready to begin developing the plan. Start with a business continuity policy statement, then conduct a business impact analysis (as explained in the next bullet), and then develop the remaining components: preventive controls, relocation, the actual continuity plan, testing, training and maintenance. Be familiar with the difference between business continuity (resuming critical functions without regard for the site) and disaster recovery (recovering critical functions at the primary site, when possible).
- Conduct a business impact analysis (BIA). Identify the systems and services that the business relies on and figure out the impacts that a disruption or outage would cause, including the impacts on business processes like accounts receivable and sales. You also need to figure out which systems and services you need to get things running again (think foundational IT services such as the network and directory, which many other systems rely on). Be sure to prioritize the order in which critical systems and services are recovered or brought back online. As part of the BIA, you will establish the recovery time objectives (RTOs, how long it takes to recover), the recovery point objectives (RPOs, the maximum tolerable data loss) and the maximum tolerable downtime (MTD), along with the costs of downtime and recovery.

1.8 Contribute to and enforce personnel security policies and procedures

In many organizations, the number one risk to the IT environment is people. And it's not just IT staff, but anyone who has access to the network. Malicious actors routinely target users with phishing and spear phishing campaigns, social engineering and other types of attacks. Everybody is a target. And once attackers compromise an account, they can use that entry point to move around the network and elevate their privileges. The following strategies can reduce your risk:

- Candidate screening and hiring. Screening candidates thoroughly is a critical part of the hiring process. Be sure to conduct a full background check that includes a criminal records check, job history verification, education verification, certification validation and confirmation of other accolades when possible. Additionally, contact all references.
- Employment agreements and policies. An employment agreement specifies job duties, expectations, rate of pay, benefits and information about termination. Sometimes such agreements are for a set period (for example, in a contract or short-term job). Employment agreements facilitate termination when needed for an underperforming employee. The more information and detail in an employment agreement, the less risk (risk of a wrongful termination lawsuit, for example) the company has during a termination proceeding. For instance, a terminated employee might take a copy of their email with them without thinking of it as stealing, but they are less likely to do so if an employment agreement or another policy document clearly prohibits it.
- Onboarding and termination processes. Onboarding comprises all the processes tied to a new employee starting at your organization. Having a documented process in place enables new employees to be integrated as quickly and consistently as possible, which reduces risk. For example, if you have five IT admins performing the various onboarding processes, you might get different results each time if you don't have the processes standardized and documented; a new hire might end up with more access than required for their job. Termination is sometimes a cordial process, such as when a worker retires after 30 years. Other times, it can be a high-stress situation, such as when a person is being terminated unexpectedly. You need to have documented policies and procedures to handle all termination processes. The goal is to have a procedure to immediately revoke all access to all company resources. In a perfect world, you would push one button and all access would be revoked immediately.
- Vendor, consultant and contractor agreements and controls. When workers who are not full-time employees have access to your network and data, you must take extra precautions. Consultants often work with multiple customers simultaneously, so you need to have safeguards in place to ensure that your company's data isn't mixed in with data from other organizations or accidentally or deliberately transmitted to unauthorized people. In high-security organizations, it is common to have the organization issue a computing device to consultants and enable the consultant to access the network and data only through that device. Beyond the technical safeguards, you must also have a way to identify consultants, vendors and contractors. For example, maybe they have a different security badge than regular full-time employees. Perhaps they sit in the same area, or their display names in the directory call out their status.
- Compliance policy requirements. Organizations have to adhere to different compliance mandates depending on their industry, country and other factors. All of them need to maintain documentation about their policies and procedures for meeting those requirements. Employees should be trained on the company's compliance mandates at a high level upon hire and regularly thereafter, such as re-certifying once a year.
- Privacy policy requirements. Personally identifiable information about employees, partners, contractors, customers and other people should be stored in a secure way, accessible only to those who require the information to perform their jobs. For example, somebody in the Payroll department might need access to an employee's banking information to have their pay automatically deposited, but no one else should be able to access that data. Organizations should maintain a documented privacy policy that outlines the types of data covered by the policy and who the policy applies to. Employees, contractors and anyone else who might have access to the data should be required to read and agree to the privacy policy upon hire and on a regular basis thereafter, such as annually.
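The integrity check described under 1.1 (the source hashes the data before the transfer, the recipient hashes it again and compares), as an added Python example that is not part of the Netwrix guide. The sample content and the shared key are constructed, and the keyed (HMAC) variant is an addition showing why a bare hash that travels with the data must come over a trusted channel or be keyed.

```python
import hashlib
import hmac

# Hash algorithms the recipient will accept. SHA-1 and MD5 are deliberately
# absent because, as the guide notes, they have become susceptible to attack.
ACCEPTED_ALGORITHMS = {"sha256", "sha512"}

# Constructed sample data: the content the sender transfers, and a copy that was
# altered in transit (one digit changed).
ORIGINAL = b"Quarterly results: revenue 4.2M, headcount 312\n"
TAMPERED = b"Quarterly results: revenue 4.7M, headcount 312\n"

# Constructed shared key for the keyed variant. In practice it is generated with
# secrets.token_bytes(32) and exchanged out of band, never sent with the data.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def sender_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Source side: compute the hash before the transfer."""
    if algorithm not in ACCEPTED_ALGORITHMS:
        raise ValueError(f"{algorithm} is not an accepted integrity algorithm")
    return hashlib.new(algorithm, data).hexdigest()


def recipient_verifies(received: bytes, expected_hex: str,
                       algorithm: str = "sha256") -> bool:
    """Recipient side: hash again after the transfer; a match proves integrity.
    compare_digest is used so the comparison time does not depend on where the
    two strings first differ."""
    actual = sender_digest(received, algorithm)
    return hmac.compare_digest(actual, expected_hex)


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over the data. Unlike a bare hash, anyone who alters the data
    cannot recompute a matching tag without the key."""
    return hmac.new(key, data, "sha256").hexdigest()


def recipient_verifies_keyed(key: bytes, received: bytes, tag_hex: str) -> bool:
    """Recipient side for the keyed variant."""
    return hmac.compare_digest(keyed_tag(key, received), tag_hex)


def demo() -> dict:
    """Walk through the guide's scenario plus the failure mode of a bare hash.
    Every value in the returned dict is True when the checks behave as described."""
    digest = sender_digest(ORIGINAL)
    tag = keyed_tag(SHARED_KEY, ORIGINAL)
    return {
        # Honest transfer: the recomputed hash matches.
        "intact_passes": recipient_verifies(ORIGINAL, digest),
        # Altered data checked against the sender's hash: the mismatch is caught.
        "tamper_detected": not recipient_verifies(TAMPERED, digest),
        # If the hash travels with the data and both are replaced together, the
        # bare hash check still passes. The hash therefore has to arrive over a
        # trusted channel (e.g. published separately) or be keyed, as below.
        "bare_hash_fooled": recipient_verifies(TAMPERED, sender_digest(TAMPERED)),
        # Keyed tag: a tag computed without the shared key is rejected.
        "forged_tag_rejected": not recipient_verifies_keyed(
            SHARED_KEY, TAMPERED, keyed_tag(b"wrong-key", TAMPERED)),
        # Keyed tag over unmodified data verifies.
        "keyed_intact_passes": recipient_verifies_keyed(SHARED_KEY, ORIGINAL, tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```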
1.9 Understand and apply risk management concepts

Risk management involves three primary steps: identify threats and vulnerabilities, assess the risk (risk assessment), and choose whether and how to respond (often the choice is risk mitigation). As part of managing overall risk, the IT team strives to secure the IT environment, provide information to the management teams so that they can make informed decisions, and enable the management team to sign off on the IT environment based on the goals and requirements. Risk management also has a financial component: the management team must balance the risk with the budget. In a perfect world, the company would spend the minimum amount of money and time to minimize risk to an acceptable level for the organization.

• Identify threats and vulnerabilities. Threats and vulnerabilities are linked. A threat (such as a hacker taking over a client computer) is possible when a vulnerability (such as an unpatched client computer) is present. That is a known threat. But unknown threats also exist, such as when a hacker is aware of a bug that nobody else knows about in your anti-virus software and can remotely compromise your computer.

• Assess risk. You have a risk when you have a threat and a vulnerability. In those cases, you need to figure out the chances of the threat exploiting the vulnerability and the consequences if that does happen. Be familiar with the approaches:

  - Qualitative. This method uses a risk analysis matrix and assigns a risk value such as low, medium or high. For example, if the likelihood is rare and the consequences are low, then the risk is low. If the likelihood is almost certain and the consequences are major, then the risk is extreme.

  - Quantitative. This method is more objective than the qualitative method; it uses dollars or other metrics to quantify risk.

  - Hybrid. A mix of qualitative and quantitative. If you can easily assign a dollar amount, you do; if not, you don't. This can often provide a good balance between qualitative and quantitative.

• Respond to risk. You must formulate a plan of action for each risk you identify. For a given risk, you can choose risk mitigation (reduce the risk), risk assignment (assign the risk to a team or provider for action), risk acceptance (accept the risk) or risk rejection (ignore the risk).

Outside of the three primary steps for applying risk management, you should familiarize yourself with some of the details for those three steps.

• Countermeasure selection and implementation. You can use a software or hardware solution to reduce a particular risk by implementing a countermeasure, sometimes referred to as a control or a safeguard. Suppose you have a password policy that a legacy application cannot technically meet; for example, the app is limited to 10 characters for the password. To reduce the likelihood of that password being compromised, you can implement any of several countermeasures. For instance, you can require that the password be changed more frequently than other, longer passwords, or mandate that the password be stored in a secure password vault that requires two-factor authentication. For your exam preparation, don't just understand the words and definitions; understand how you implement the concepts in your environment. You don't have to provide a step-by-step technical configuration, but you must understand the implementation process: where you start, the order of the steps you take and how you finish.

• Applicable types of controls. Be familiar with the 6 types of controls:

  - Preventive. This type of control is intended to prevent a security incident from happening. For example, you add an anti-virus product to your computers.

  - Detective. This type of control is used to identify the details of a security incident, including sometimes the attacker.

  - Corrective. A corrective control implements a fix after a security incident occurs.

  - Deterrent. This type of control attempts to discourage attackers. For example, you lock your office whenever you leave for lunch or go home for the day.

  - Recovery. A recovery control tries to get the environment back to where it was prior to a security incident.

  - Compensating. A compensating control is an alternative control to reduce a risk. Suppose you need to enable outside users to get to your SharePoint site, which resides on your local area network. Instead of
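A worked version of the three risk assessment approaches described in section 1.9 (qualitative matrix, quantitative dollars, hybrid) together with the risk-versus-budget check, as an added example that is not from the guide: the matrix cells beyond the two the text gives, the SLE x ARO formula, the dollar bands and the sample risks are all assumptions constructed here.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed matrix (assumption): the guide fixes only rare/low -> low and
# almost certain/major -> extreme; other cells come from summing the two ranks.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["low", "minor", "moderate", "major"]
RATINGS = ["low", "medium", "high", "extreme"]


@dataclass
class Risk:
    """One threat/vulnerability pair plus whatever inputs the assessor could gather."""
    name: str
    likelihood: str                          # one of LIKELIHOOD
    consequence: str                         # one of CONSEQUENCE
    asset_value: Optional[float] = None      # dollars, only if easily assigned
    exposure_factor: Optional[float] = None  # fraction of the asset lost per incident
    annual_rate: Optional[float] = None      # expected incidents per year

def qualitative_rating(likelihood: str, consequence: str) -> str:
    """Qualitative method: read the rating off the matrix instead of assigning dollars."""
    score = LIKELIHOOD.index(likelihood) + CONSEQUENCE.index(consequence)  # 0..7
    return RATINGS[score // 2]  # 0-1 low, 2-3 medium, 4-5 high, 6-7 extreme

def annualized_loss(asset_value: float, exposure_factor: float, annual_rate: float) -> float:
    """Quantitative method as the usual SLE x ARO calculation (assumption: the guide
    names no formula). SLE = dollars lost per incident, ALE = expected dollars per year."""
    return (asset_value * exposure_factor) * annual_rate

def hybrid_assessment(risk: Risk) -> Tuple[str, Optional[float]]:
    """Hybrid method: use dollars when they can easily be assigned, the matrix when not."""
    if None not in (risk.asset_value, risk.exposure_factor, risk.annual_rate):
        ale = annualized_loss(risk.asset_value, risk.exposure_factor, risk.annual_rate)
        # Constructed dollar bands put the ALE back on the matrix's rating scale so
        # quantified and unquantified risks can be ranked on one list.
        bands = [(1_000, "low"), (10_000, "medium"), (100_000, "high")]
        return next((r for limit, r in bands if ale < limit), "extreme"), ale
    return qualitative_rating(risk.likelihood, risk.consequence), None

def countermeasure_worthwhile(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """Balancing risk against budget: buy the control only if the yearly loss it
    prevents exceeds its yearly cost."""
    return (ale_before - ale_after) > annual_cost

if __name__ == "__main__":
    # Constructed sample risks, mirroring the guide's two threat examples.
    unpatched = Risk("unpatched client taken over", "likely", "major", 50_000, 0.5, 0.5)
    zero_day = Risk("unknown bug in anti-virus software", "rare", "major")
    print(hybrid_assessment(unpatched), hybrid_assessment(zero_day))  # ('high', 12500.0) ('medium', None)
```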
