CPP 2022 Domain 1 Security Principles and Practices Flashcards
What is Enterprise Security Risk Management (ESRM)?
ESRM is a strategic approach to security management that ties an organization’s security practice to its overall strategy using globally accepted and established risk management principles.
Source: POA, Security Management, 1.1.2, page 2
What are the three primary components of ESRM?
The context, The foundation, The ESRM cycle.
Source: POA, Security Management, 1.2, page 6
This component of ESRM includes organizational aspects that security professionals must understand to successfully adopt ESRM.
The context.
Source: POA, Security Management, 1.2, page 6
This component of ESRM includes organizational concepts that support the ESRM approach and maximize its impact.
The foundation.
Source: POA, Security Management, 1.2, page 6
This component of ESRM is the actual process of security risk management that emphasizes the importance of understanding assets.
The ESRM cycle.
Source: POA, Security Management, 1.2, page 6
What organizational aspects are included in the context of ESRM?
Mission and vision, Core values, Operating environment, Stakeholders.
Source: POA, Security Management, 1.2.1, pages 6-10
What three things comprise the operating environment of an organization?
Physical, Non-physical, Logical.
Source: POA, Security Management, 1.2.1, page 8
This operating environment includes much of what influences traditional security factors, such as the type and location of buildings, industrial control systems, and products on hand.
Physical.
Source: POA, Security Management, 1.2.1, page 8
These factors are sources of risk that are not tied to physical premises or assets, and include things such as the geopolitical environment, intensity of competition, and the speed required for decision making.
Non-physical factors.
Source: POA, Security Management, 1.2.1, page 9
These factors focus on information assets and the systems that hold and move them, such as servers, workstations, and network infrastructure.
Logical factors.
Source: POA, Security Management, 1.2.1, page 9
What are the four processes in the ESRM cycle?
Identify and prioritize assets, Identify and prioritize risks, Mitigate prioritized risks, Continuous improvement.
Source: POA, Security Management, 1.2.2, page 12
What is an asset owner?
The person most directly responsible for successful operation of the asset. In ESRM, the asset owner is assigned responsibility for the risk to an asset.
Source: POA, Security Management, 1.2.2, page 13
What four concepts comprise the foundation of ESRM?
Holistic risk management, Partnership with stakeholders, Transparency, Governance.
Source: POA, Security Management, 1.2.3, page 14
What are two types of assets?
Tangible, Intangible.
Source: POA, Security Management, 2.1.1, page 22
What are four ways to manage risk?
Eliminate, Reduce, Transfer, Accept.
Source: POA, Security Management, 2.2.1, page 26
This risk mitigation strategy involves removing the risk entirely.
Eliminate.
Source: POA, Security Management, 2.2.1, page 26
This risk mitigation strategy attempts to minimize risk through protective measures.
Reduce.
Source: POA, Security Management, 2.2.1, page 26
This risk mitigation strategy is typically achieved when another entity takes the risk on the organization’s behalf.
Transfer.
Source: POA, Security Management, 2.2.1, page 26
This risk mitigation strategy retains the risk when the cost of reducing, eliminating, or transferring it would outweigh the potential losses associated with it.
Accept.
Source: POA, Security Management, 2.2.1, page 26
What is a risk assessment?
Risk assessment is the identification, analysis, and evaluation of uncertainties to objectives and outcomes. It provides a comparison between the desired/undesired outcomes and expected rewards/losses of organizational objectives. The risk assessment analyzes whether the uncertainty is within acceptable boundaries and within the organization’s capacity to manage risk.
Source: Risk Assessment Standard, 0.2, page xvi
What do the results of a risk assessment inform?
The choices available to effectively manage risk to achieve the organization’s outcomes.
Source: Risk Assessment Standard, 0.2, page xvi
What are the deciding factors between a qualitative or quantitative approach to a risk assessment?
The reliability and validity of the available data, The nature of the risk factors and whether they are quantifiable, The target audience for the outputs.
Source: Risk Assessment Standard, 0.3, page xvii
What is risk appetite?
The total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes.
Source: Risk Assessment Standard, 3.41, page 5
What tasks take place at the start of the risk assessment?
Setting objectives, Identification of stakeholders, Identification of internal context and variables, Documenting assumptions, Defining scope and statement of work, Policy and management commitment, Commitment of resources.
Source: Risk Assessment Standard, 6.2, pages 40-45