Nadean H. Tanner

CASP+ Practice Tests



    Chapter 4: Technical deployment models (outsourcing/insourcing/managed services/partnerships), cloud and virtualization considerations, and security advantages and disadvantages of virtualization. Cloud-augmented security services and vulnerabilities associated with hosts with different security requirements.
4.3 Given a scenario, integrate and troubleshoot advanced authentication and authorization technologies to support enterprise security objectives.
    Chapter 4: Authentication, authorization, attestation, identity proofing, identity propagation, federation, and trust models.
4.4 Given a scenario, implement cryptographic techniques.
    Chapter 4: Cryptographic techniques, such as hashing, digital signatures, code signing, data-in-transit encryption, data-in-memory processing, data-at-rest encryption, and steganography. Implementing encryption in an enterprise, such as DRM, SSH, SSL, S/MIME, and PKI.
4.5 Given a scenario, select the appropriate control to secure communications and collaboration solutions.
    Chapter 4: Remote access, resources and services, and remote assistance. Unified collaboration tools for video/audio/web conferencing, instant messaging, email, VoIP, and collaboration sites.
5.0 Research, Development, and Collaboration
5.1 Given a scenario, apply research methods to determine industry trends and their impact on the enterprise.
    Chapter 5: Ongoing research in best practices, new technologies, security systems, and services. Threat intelligence on the latest attacks, current vulnerabilities, and threats; zero-day mitigation controls; and threat modeling. Researching the security implications of emerging business tools and the global IA industry/community.
5.2 Given a scenario, implement security activities across the technology life cycle.
    Chapter 5: Systems/software development life cycles. Application frameworks, development approaches, secure coding standards, and documentation. Validation and acceptance testing. Adapting solutions to address emerging threats, security trends, and disruptive technology. Asset management and inventory control.
5.3 Explain the importance of interaction across diverse business units to achieve security goals.
    Chapter 5: Interpreting security requirements and goals to communicate with stakeholders, such as sales, programmers, DBAs, network administrators, human resources, and legal counsel. Providing guidance and recommendations to staff and management on processes and security controls. Governance, risk, and compliance committees.

       THE CASP+ EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

       Domain 1: Risk Management

       1.1 Summarize business and industry influences and associated security risks.
           Risk management of new products, new technologies, and user behaviors
           New or changing business models/strategies
               Partnerships
               Outsourcing
               Cloud
               Acquisition/merger—divestiture/demerger
               Data ownership
               Data reclassification
           Security concerns of integrating diverse industries
               Rules
               Policies
               Regulations
               Export controls
               Legal requirements
               Geography
                   Data sovereignty
                   Jurisdictions
           Internal and external influences
               Competitors
               Auditors/audit findings
               Regulatory entities
               Internal and external client requirements
               Top-level management
           Impact of de-perimeterization (e.g., constantly changing network boundary)
               Telecommuting
               Cloud
               Mobile
               BYOD
               Outsourcing
               Ensuring third-party providers have requisite levels of information security

       1.2 Compare and contrast security, privacy policies, and procedures based on organizational requirements.
           Policy and process life cycle management
               New business
               New technologies
               Environmental changes
               Regulatory requirements
               Emerging risks
           Support legal compliance and advocacy by partnering with human resources, legal, management, and other entities.
           Understand common business documents to support security.
               Risk Assessment (RA)
               Business Impact Analysis (BIA)
               Interoperability Agreement (IA)
               Interconnection Security Agreement (ISA)
               Memorandum of Understanding (MOU)
               Service-Level Agreement (SLA)
               Operating-Level Agreement (OLA)
               Non-Disclosure Agreement (NDA)
               Business Partnership Agreement (BPA)
               Master Service Agreement (MSA)
           Research security requirements for contracts.
               Request for Proposal (RFP)
               Request for Quote (RFQ)
               Request for Information (RFI)
           Understand general privacy principles for sensitive information.
           Support the development of policies containing standard security practices.
               Separation of duties
               Job rotation
               Mandatory vacation
               Least privilege
               Incident response
               Forensic tasks
               Employment and termination procedures
               Continuous monitoring
               Training and awareness for users
               Auditing requirements and frequency
               Information classification

       1.3 Given a scenario, execute risk mitigation strategies and controls.
           Categorize data types by impact levels based on CIA.
           Incorporate stakeholder input into CIA impact-level decisions.
           Determine minimum-required security controls based on aggregate score.
           Select and implement controls based on CIA requirements and organizational policies.
           Extreme scenario planning/worst-case scenario
           Conduct system-specific risk analysis.
           Make a risk determination based upon known metrics.
               Magnitude of impact based on ALE and SLE
               Likelihood of threat
                   Motivation
                   Source
                   ARO
                   Trend analysis
               Return on Investment (ROI)
               Total cost of ownership
           Translate technical risks in business terms.
           Recommend which strategy should be applied based on risk appetite.
               Avoid
               Transfer
               Mitigate
               Accept
           Risk management processes
               Exemptions
               Deterrence
               Inherent
               Residual
           Continuous improvement/monitoring
           Business continuity planning
               RTO
               RPO
               MTTR
               MTBF
           IT governance
               Adherence to risk management frameworks
           Enterprise resilience

       1.4 Analyze risk metric scenarios to secure the enterprise.
           Review effectiveness of existing security controls.
               Gap analysis
               Lessons learned
               After-action reports
           Reverse engineer/deconstruct existing solutions.
           Creation, collection, and analysis of metrics
               KPIs
               KRIs
           Prototype and test multiple solutions.
           Create benchmarks and compare to baselines.
           Analyze and interpret trend data to anticipate cyber defense needs.
           Analyze security solution metrics and attributes to ensure they meet business needs.
               Performance
               Latency
               Scalability
               Capability
               Usability
               Maintainability
               Availability
               Recoverability
               ROI
               TCO
           Use judgment to solve problems where the most secure solution is not feasible.
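Objective 1.3 expects you to turn SLE, ARO and ALE into a risk treatment decision (avoid, transfer, mitigate or accept). The following worked calculation is an added example and is not part of the book; it uses the standard quantitative formulas (SLE = AV x EF, ALE = SLE x ARO, safeguard value = ALE before the control minus ALE after it minus the annual cost of the control). The three scenarios, their dollar figures and the risk appetite threshold are constructed for illustration only.

```python
"""Quantitative risk metrics for CASP+ objective 1.3 (added example).

SLE  = AV * EF        single loss expectancy per event
ALE  = SLE * ARO      annualized loss expectancy
Safeguard value = ALE_before - ALE_after - annual control cost
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pairing plus one candidate safeguard.

    Money values are USD; ARO is expected events per year; EF is the
    fraction of the asset value lost in a single event (0..1).
    """
    name: str
    asset_value: float     # AV
    exposure_factor: float # EF before the safeguard
    aro: float             # ARO before the safeguard
    control_cost: float    # annualized cost of the candidate safeguard
    residual_ef: float     # EF with the safeguard in place
    residual_aro: float    # ARO with the safeguard in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: how much one event costs."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized loss expectancy: expected loss per year."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def ale_before(s: Scenario) -> float:
    return ale(sle(s.asset_value, s.exposure_factor), s.aro)


def ale_after(s: Scenario) -> float:
    return ale(sle(s.asset_value, s.residual_ef), s.residual_aro)


def safeguard_value(s: Scenario) -> float:
    """Net annual benefit of the control; positive means it pays for itself."""
    return ale_before(s) - ale_after(s) - s.control_cost


def recommend(s: Scenario, risk_appetite: float) -> str:
    """Map the numbers onto the four CASP+ treatment strategies.

    risk_appetite is the ALE the business is willing to carry untreated.
    A control whose cost exceeds the loss it prevents is not worth buying,
    so the remaining choices are to transfer the risk (insurance, a
    contract) or to avoid the activity altogether.
    """
    if ale_before(s) <= risk_appetite:
        return "accept"
    if safeguard_value(s) > 0.0:
        return "mitigate"
    return "transfer or avoid"


def risk_report(scenarios, risk_appetite: float) -> dict:
    """Return {name: {"ale", "safeguard_value", "strategy"}} for each scenario."""
    return {
        s.name: {
            "ale": ale_before(s),
            "safeguard_value": safeguard_value(s),
            "strategy": recommend(s, risk_appetite),
        }
        for s in scenarios
    }


# Constructed sample scenarios (hypothetical figures, not from the book).
SCENARIOS = (
    # Ransomware on a file server; backups cut how often an event causes loss.
    Scenario("file server ransomware", 200_000, 0.25, 0.5, 8_000, 0.25, 0.1),
    # Laptop theft; full-disk encryption leaves the hardware loss but saves the data.
    Scenario("laptop theft", 3_000, 1.0, 2.0, 9_000, 0.1, 2.0),
    # Data-center flood; relocation is expensive relative to the expected loss.
    Scenario("data center flood", 1_000_000, 0.6, 0.05, 50_000, 0.6, 0.01),
)

RISK_APPETITE = 10_000.0  # hypothetical: ALE the business will carry untreated

if __name__ == "__main__":
    for name, row in risk_report(SCENARIOS, RISK_APPETITE).items():
        print(f"{name:24s} ALE={row['ale']:>10,.2f} "
              f"net={row['safeguard_value']:>10,.2f} -> {row['strategy']}")
```

Run it and the three rows land on the three different strategies: the ransomware control yields a positive safeguard value and is worth mitigating, the laptop scenario sits under the appetite threshold and is accepted, and the flood scenario is above appetite but the control costs more than it saves, so transfer (insurance) or avoidance is the remaining option. The exam question will usually give you AV, EF and ARO and ask for ALE, or give you two ALEs and a control cost and ask whether the control is justified; both are the same arithmetic shown here.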

      1 One of the biggest tasks as a security professional is identifying vulnerabilities. What is the difference between a vulnerability and a threat?
         A. A vulnerability is a weakness in system design, procedure, or code. A threat is the circumstance or likelihood of a vulnerability being exploited.
         B. A vulnerability is the driving force behind the activity. A threat is the probability of an attack.
         C. A vulnerability is the value to an institution, whereas a threat is the source of the risk, internal or external.
         D. A vulnerability is the probability of the realization of a threat. A threat is the driving force behind the activity.

      2 Which of the following BEST defines risk in IT?
         A. You have a vulnerability with a known active threat.
         B. You have a threat with a known vulnerability.
         C. You have a risk with a known threat.
         D. You have a