CISSP - Domain 1: Security and Risk Management


The prudent man rule requires that senior executives take personal responsibility
for ensuring the due care that ordinary, prudent individuals would exercise in the same
situation. The rule originally applied to financial matters, but the Federal Sentencing
Guidelines applied it to information security matters in 1991.

The Economic Espionage Act imposes fines and jail sentences on anyone found guilty
of stealing trade secrets from a US corporation. It gives true teeth to the intellectual
property rights of trade secret owners.

The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of
customer financial information. It applies specifically to financial institutions.

The Federal Information Security Management Act (FISMA) specifically applies to
government contractors. The Government Information Security Reform Act (GISRA) was
the precursor to FISMA and expired in November 2002. HIPAA and PCI DSS apply to
healthcare and credit card information, respectively.

Strategic plans have a long-term planning horizon of up to five years in most cases.
Operational and tactical plans have shorter horizons of a year or less.

The United States Patent and Trademark Office (USPTO) bears responsibility for the
registration of trademarks.

The Federal Information Security Management Act (FISMA) applies to federal
government agencies and contractors.

Written works, such as website content, are normally protected by copyright law. Trade
secret status would not be appropriate here because the content is online and available
outside the company. Patents protect inventions, and trademarks protect words and
symbols used to represent a brand, neither of which is relevant in this scenario.

The Code of Federal Regulations (CFR) contains the text of all administrative laws
promulgated by federal agencies. The United States Code contains criminal and civil law.
Supreme Court rulings contain interpretations of law and are not laws themselves. The
Compendium of Laws does not exist.

The Service Organization Control (SOC) audit program includes business continuity controls
in a SOC 2, but not SOC 1, audit.

SLAs do not normally address issues of data confidentiality. Those provisions are
normally included in a nondisclosure agreement (NDA).

Nondisclosure agreements (NDAs) typically require either mutual or one-way
confidentiality in a business relationship. Service-level agreements (SLAs) specify service
uptime and other performance measures. Noncompete agreements (NCAs) limit the
future employment possibilities of employees. Recovery time objectives (RTOs) are used in
business continuity planning.

Digital signatures are used to provide nonrepudiation, not confidentiality.
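The distinction in the note above can be seen directly in code. The following Go program is an added example, not part of the original notes: it signs a message with an Ed25519 key (Go's standard library) and shows that the message still travels in the clear, that the signature verifies only under the signer's own public key, and that any change to the message is detected. The `Signer` and `Signed` types, the `FixedSeed` helper and the deterministic seeds are assumptions made here for reproducibility; real deployments generate keys with `ed25519.GenerateKey(rand.Reader)`.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// FixedSeed returns a constructed 32-byte seed filled with tag. Deterministic
// keys are used only so the example is reproducible; production code must
// generate keys from a cryptographic random source.
func FixedSeed(tag byte) []byte {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = tag
	}
	return seed
}

// Signer is a party holding an Ed25519 key pair (hypothetical type for this example).
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner derives a key pair from a 32-byte seed.
func NewSigner(seed []byte) *Signer {
	priv := ed25519.NewKeyFromSeed(seed)
	return &Signer{Public: priv.Public().(ed25519.PublicKey), private: priv}
}

// Signed is what a relying party receives: the message in the clear plus a
// detached signature. Signing does nothing to hide the message, which is why
// signatures give no confidentiality.
type Signed struct {
	Message   []byte
	Signature []byte
}

// Sign produces a detached signature over msg; msg itself is left untouched.
func (s *Signer) Sign(msg []byte) Signed {
	return Signed{Message: msg, Signature: ed25519.Sign(s.private, msg)}
}

// Verify returns true only if the signature was made over exactly this message
// by the holder of the private key matching pub. That binding of message to
// key holder is what supports nonrepudiation: the signer cannot later deny
// having produced it, and nobody else can produce a valid one.
func Verify(pub ed25519.PublicKey, sm Signed) bool {
	return ed25519.Verify(pub, sm.Message, sm.Signature)
}

func main() {
	alice := NewSigner(FixedSeed(0x01))   // legitimate signer (constructed key)
	mallory := NewSigner(FixedSeed(0x02)) // some other party (constructed key)

	sm := alice.Sign([]byte("transfer 100 to account 42"))

	// The signed message is fully readable by anyone who intercepts it.
	fmt.Printf("message travels in the clear: %q\n", sm.Message)
	fmt.Println("verifies with Alice's key:  ", Verify(alice.Public, sm))
	fmt.Println("verifies with Mallory's key:", Verify(mallory.Public, sm))

	// Changing even one character of the message invalidates the signature.
	tampered := Signed{Message: []byte("transfer 900 to account 42"), Signature: sm.Signature}
	fmt.Println("tampered message verifies:  ", Verify(alice.Public, tampered))
}
```

Running it prints the original message text verbatim, `true` for Alice's key, and `false` for both the wrong key and the altered message; confidentiality would require encrypting the message separately, which the signature never does.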

Virtual LANs (VLANs) provide network segmentation on local networks but do not
cross the Internet.

What law serves as the basis for privacy rights in the United States?
The Fourth Amendment directly prohibits government agents from searching
private property without a warrant and probable cause. The courts have expanded the
interpretation of the Fourth Amendment to include protections against other invasions of
privacy.

The Computer Security Act of 1987 gave the National Institute of Standards and
Technology (NIST) responsibility for developing standards and guidelines for federal
computer systems. For this purpose, NIST draws upon the technical advice and assistance
of the National Security Agency where appropriate.

The project scope and planning phase includes four actions: a structured analysis of
the organization, the creation of a BCP team, an assessment of available resources, and an
analysis of the legal and regulatory landscape.

ISO 27002 is an international standard focused on information security and titled
“Information technology—Security techniques—Code of practice for information security
management.” The Information Technology Infrastructure Library (ITIL) does contain
security management practices, but security is not the sole focus of the document, and the ITIL
security section is derived from ISO 27002. The Capability Maturity Model (CMM)
is focused on software development, and the Project Management Body of Knowledge
(PMBOK) Guide focuses on project management.

The Communications Assistance to Law Enforcement Act (CALEA) requires that all
communications carriers make wiretaps possible for law enforcement officials who have
an appropriate court order.

The Gramm-Leach-Bliley Act (GLBA) places strict privacy regulations on financial
institutions, including providing written notice of privacy practices to customers.

COPPA requires that websites obtain advance parental consent for the collection of
personal information from children under the age of 13.

The laws or industry standards match to the descriptions as follows:
1. GLBA: A US law that requires covered financial institutions to provide their customers
with a privacy notice on a yearly basis.
2. PCI DSS: An industry standard that covers organizations that handle credit cards.
3. HIPAA: A US law that provides data privacy and security requirements for medical
information.
4. SOX: A US law that requires internal controls assessments including IT transaction
flows for publicly traded companies.

Risks are the combination of a threat and a vulnerability. Threats are the external
forces seeking to undermine security, such as the malicious hacker in this case.
Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this
case, the missing patch is the vulnerability. In this scenario, if the malicious hacker (threat)
attempts a SQL injection attack against the unpatched server (vulnerability), the result is
website defacement (risk). In shorthand: r = t * v.
