[Cisspstudy] Insurance Preventive Control

Dallas, Michael J Civ USAF USAFE 100 CS/SCQ mike.dallas at mildenhall.af.mil
Thu Oct 8 09:20:20 EDT 2009


Pertaining to "Due Diligence", Shon Harris refers to the following:
Due Care=Due Correct & Due Diligence=Due Detect

With this, it would mean that Due Diligence would be "Detective"


-----Original Message-----
From: cisspstudy-bounces at cccure.org [mailto:cisspstudy-bounces at cccure.org] On Behalf Of An.Dang at do.treas.gov
Sent: 08 October 2009 12:25
To: cisspstudy at cccure.org
Subject: Re: [Cisspstudy] Insurance Preventive Control

Insurance is a preventive measure because it lets an organization avoid spending money on infrastructure safeguards and transfer the risk, ergo liability, to a third party.  Which leads to the question: should all things related to due diligence be considered preventive?

A network person may also say that an audit log is insurance too, in terms of user accountability.

-----Original Message-----
From: cisspstudy-bounces at cccure.org [mailto:cisspstudy-bounces at cccure.org] On Behalf Of cisspstudy-request at cccure.org
Sent: Thursday, October 08, 2009 12:35 AM
To: cisspstudy at cccure.org
Subject: cisspstudy Digest, Vol 16, Issue 5

Send cisspstudy mailing list submissions to
        cisspstudy at cccure.org

To subscribe or unsubscribe via the World Wide Web, visit
        http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
or, via email, send a message with subject or body 'help' to
        cisspstudy-request at cccure.org

You can reach the person managing the list at
        cisspstudy-owner at cccure.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cisspstudy digest..."


Today's Topics:

   1. Re: cisspstudy Digest, Vol 16, Issue 4 (Smith, Luther B.)
   2. Re: cisspstudy Digest, Vol 16, Issue 4 (Andrea Gatta)
   3. Re: Insurance Preventive Control (Vardhan, Aditya {PI})


----------------------------------------------------------------------

Message: 1
Date: Wed, 7 Oct 2009 12:34:48 -0400
From: "Smith, Luther B." <smithlb at mitre.org>
To: "cisspstudy at cccure.org" <cisspstudy at cccure.org>
Subject: Re: [Cisspstudy] cisspstudy Digest, Vol 16, Issue 4
Message-ID:
        <56157BB752EC7042BBB6CB79E980F2420B9FE929C0 at IMCMBX4.MITRE.ORG>
Content-Type: text/plain; charset="us-ascii"

RE:  Insurance

All prior assessments are correct, but Insurance 'prevents' a financial loss to the insurance policy holder when an event occurs.

R/

-Butch Smith-


-----Original Message-----
From: cisspstudy-bounces at cccure.org [mailto:cisspstudy-bounces at cccure.org] On Behalf Of cisspstudy-request at cccure.org
Sent: Wednesday, October 07, 2009 12:00 PM
To: cisspstudy at cccure.org
Subject: cisspstudy Digest, Vol 16, Issue 4



Today's Topics:

   1. Re: Insurance Preventive Control (Andrea Gatta)


----------------------------------------------------------------------

Message: 1
Date: Wed, 7 Oct 2009 15:18:14 +0100
From: Andrea Gatta <andrea.gatta at gmail.com>
To: The CISSP Study Mailing list <cisspstudy at cccure.org>
Subject: Re: [Cisspstudy] Insurance Preventive Control
Message-ID:
        <89ab1b610910070718l7f01f82bh9954f26d1ea90b1 at mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"

Another way to look at insurance in the context of the question would be in
terms of what causes it: risk transfer.

Risk transfer does not address the ante but just the post of an
event/incident. Moreover, the risk is still there with the insurer. To this
end I can't see how insurance could be defined as a preventive control since
it does not reduce the risk and does not stop the incident from happening.

In any case, I did find a number of references that classify insurance as a
compensatory control.

Andrea

On Tue, Oct 6, 2009 at 9:55 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:

> Just thinking out loud - a preventive control avoids an incident in part
> (mitigation) or altogether.
>
> In the context of the question 'audit logs' is the only control which is
> clearly not preventative in nature.
>
> It's quite a long shot but a recovery control - 'insurance' in this case
> - although not preventative in nature actually shares with preventative
> controls the focus on complete or partial reduction of the damage so that it
> will be as if 'it has never happened'.
>
> In the context of the question 'insurance' is clearly a distractor which
> introduces that uncertainty that usually causes me to 'overthink' big time
> something that otherwise would be straightforward.
>
>
> Andrea
>
> On Tue, Oct 6, 2009 at 6:09 PM, Holland, Brandon <hollandb at frmaint.com>wrote:
>
>>  Transcender:
>>
>> Which measure is NOT considered to be preventative in nature?
>>
>> Insurance
>>
>> Fire suppression systems
>>
>> Redundant communication links
>>
>> Audit Logs
>>
>> Ok, so I understand Audit Logs are NOT preventative... but how is insurance considered preventative?
>>
>> Brandon Holland
>>
>> Army Fleet Support
>>
>> ITS | Network Services
>>
>> Ph:  598-0626
>>
>>
>> _______________________________________________
>> cisspstudy mailing list
>> cisspstudy at cccure.org
>> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>>
>>
>

------------------------------



End of cisspstudy Digest, Vol 16, Issue 4
*****************************************



------------------------------

Message: 2
Date: Wed, 7 Oct 2009 17:57:51 +0100
From: Andrea Gatta <andrea.gatta at gmail.com>
To: The CISSP Study Mailing list <cisspstudy at cccure.org>
Subject: Re: [Cisspstudy] cisspstudy Digest, Vol 16, Issue 4
Message-ID:
        <89ab1b610910070957r1b48b431w2d310d91dfb10842 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

I believe that this is how the author of the original question has been
trying to confuse the heck out of the unlucky test taker.

I do see where you are coming from, but it's a matter of fact that insurance
does not stop an incident from happening and only looks at the
aftermath of the event, so I won't say that technically speaking it can be
defined as a preventive control. In my eyes it can be at best a recovery or
a compensating control.

Here is an interesting discussion on the ISC2 forum:

http://blog.isc2.org/isc2_blog/2008/06/information-sec.html


Andrea


On Wed, Oct 7, 2009 at 5:34 PM, Smith, Luther B. <smithlb at mitre.org> wrote:

> RE:  Insurance
>
> All prior assessments are correct, but Insurance 'prevents' a financial
> loss to the insurance policy holder when an event occurs.
>
> R/
>
> -Butch Smith-
>
>

------------------------------

Message: 3
Date: Thu, 8 Oct 2009 12:34:51 +0800
From: "Vardhan, Aditya {PI}" <aditya.vardhan at intl.pepsico.com>
To: "The CISSP Study Mailing list" <cisspstudy at cccure.org>
Subject: Re: [Cisspstudy] Insurance Preventive Control
Message-ID:
        <BA3849E85C9B6040BFA9656812C802F9834CF5 at PEPWMV33125.cww.pep.pvt>
Content-Type: text/plain; charset="us-ascii"

Hi guys,

Before I comment on this, let me share the good news- I cleared my CISSP
which I attempted on 26th Sep.



My view on this is that you always go with the best answer. There will
always (in most cases) be two almost-correct options.

In this question we were debating whether insurance is a preventive or
compensatory control; however, audit is not at all a preventive control,
hence it is the best answer.



Regards,

Aditya


------------------------------



End of cisspstudy Digest, Vol 16, Issue 5
*****************************************
