CISSP Exam Guide Notes: 7.14 Quick Tips

Posted by admin on July 27, 2022, 20:19:10
  • Facilities that house systems that process sensitive information should have physical access controls to limit access to authorized personnel only.
  • Clipping levels should be implemented to establish a baseline of user activity and acceptable errors.
  • Separation of responsibilities and duties should be in place so that if fraud takes place, it requires collusion.
  • Access to resources should be limited to authorized personnel, applications, and services and should be audited for compliance to stated policies.
  • Change control and configuration management should be put in place so changes are approved, documented, tested, and properly implemented.
  • Activities that involve change management include requesting a change, approving a change, documenting a change, testing a change, implementing a change, and reporting to management.
  • Proper fault-tolerant mechanisms should be put in place to counter equipment failure.
  • Antivirus and IDS signatures should be updated on a continual basis.
  • Continuous monitoring allows organizations to maintain ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
  • A whitelist is a set of known-good resources such as IP addresses, domain names, or applications. Conversely, a blacklist is a set of known-bad resources.
  • A security information and event management (SIEM) system is a software platform that aggregates security information (like asset inventories) and security events (which could become incidents) and presents them in a single, consistent, and cohesive manner.
  • The key aspects of operational security include resource protection, change control, hardware and software controls, trusted system recovery, separation of duties, and least privilege.
  • Least privilege ensures that users, administrators, and others accessing a system have access only to the objects they absolutely require to complete their job.
  • Some physical security controls may conflict with the safety of people. These issues need to be addressed; human life is always more important than protecting a facility or the assets it contains.
  • Proximity identification devices can be user activated (action needs to be taken by a user) or system sensing (no action needs to be taken by the user).
  • A transponder is a proximity identification device that does not require action by the user. The reader transmits signals to the device, and the device responds with an access code.
  • Exterior fencing can be costly and unsightly, but can provide crowd control and help control access to the facility.
  • If interior partitions do not go all the way up to the true ceiling, an intruder can remove a ceiling tile and climb over the partition into a critical portion of the facility.
  • Intrusion detection devices include motion detectors, CCTVs, vibration sensors, and electromechanical devices.
  • Intrusion detection devices can be penetrated, are expensive to install and monitor, require human response, and are subject to false alarms.
  • CCTV enables one person to monitor a large area, but should be coupled with alerting functions to ensure proper response.
  • Security guards are expensive but provide flexibility in response to security breaches and can deter intruders from attempting an attack.
  • Vulnerability management is the cyclical process of identifying vulnerabilities, determining the risks they pose to the organization, and applying security controls that bring those risks to acceptable levels.
  • Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems.
  • Egress monitoring is the practice of tracking (and perhaps restricting) the information that is flowing out of a network.
  • Offsite backup locations can supply hot, warm, or cold sites.
  • A reciprocal agreement is one in which a company promises another company it can move in and share space if it experiences a disaster, and vice versa. Reciprocal agreements are very tricky to implement and may be unenforceable. However, they offer a relatively cheap offsite option and are sometimes the only choice.
  • A hot site is fully configured with hardware, software, and environmental needs. It can usually be up and running in a matter of hours. It is the most expensive option, but some companies cannot be out of business longer than a day without very detrimental results.
  • A warm site does not have computers, but it does have some peripheral devices, such as disk drives, controllers, and tape drives. This option is less expensive than a hot site, but takes more effort and time to become operational.
  • A cold site is just a building with power, raised floors, and utilities. No devices are available. This is the cheapest of the three options, but can take weeks to get up and operational.
  • Recovery time objective (RTO) is the maximum time period within which a business process must be restored to a designated service level after a disaster to avoid unacceptable consequences.
  • Recovery point objective (RPO) is the acceptable amount of data loss measured in time.
  • Mean time between failures (MTBF) is the predicted amount of time between inherent failures of a system during operation.
  • Mean time to repair (MTTR) is the estimated amount of time it will take to get a device fixed and back into production after its failure.
  • High availability refers to a system, component, or environment that is continuously operational.
  • High availability for disaster recovery is often a combination of technologies and processes that include backups, redundancy, fault tolerance, clustering, and load balancing.
  • Data recovery and restoration are often carried out through vaulting, backups, and replication technologies.
  • When returning to the original site after a disaster, the least critical organizational units should go back first.
  • COOP focuses on restoring an organization’s (usually a headquarters element) essential functions at an alternate site and performing those functions for up to 30 days before returning to normal operations. This term is commonly used by the U.S. government to denote BCP.
  • An important part of the business continuity plan is to communicate its requirements and procedures to all employees.
  • Business interruption insurance covers the loss of income that an organization suffers after a disaster while it is in its recovery stage.
  • Due diligence means you’re identifying and analyzing risks; due care means you’re taking prudent actions day in and day out to mitigate them.
  • Elements of negligence include not fulfilling a legally recognized obligation, failure to conform to a standard of care that results in injury or damage, and proximate causation.
  • The primary reason for the chain of custody of evidence is to ensure that it will be admissible in court by showing it was properly controlled and handled before being presented in court.
  • To be admissible in court, business records have to be made and collected in the normal course of business, not specially generated for a case in court. Business records can easily be hearsay if there is no firsthand proof of their accuracy and reliability.
  • The life cycle of evidence includes the identification and collection of the evidence, and its storage, preservation, transportation, presentation in court, and return to the owner.
  • Collection of computer evidence is a very complex and detail-oriented task. Only skilled people should attempt it; otherwise, evidence can be ruined forever.
  • When looking for suspects, it is important to consider the motive, opportunity, and means (MOM).
  • For evidence to be admissible in court, it needs to be relevant to the case at hand, complete, sufficient, and reliable.
  • Evidence must be legally permissible, meaning it was seized legally and the chain of custody was not broken.
  • Duress is the use of threats or violence against someone in order to force them to do something they don’t want to do or otherwise wouldn’t do.


Originally published on the WeChat public account (debugeeker): CISSP Exam Guide Notes: 7.14 Quick Tips

  • When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for their hard work): CISSP Exam Guide Notes: 7.14 Quick Tips http://cn-sec.com/archives/923235.html
