Domain 1 Flashcards

1
Q

What does Governance refer to?

A

Governance refers to the framework of:
- policies
- processes
- and rules

that guide how an organization is directed, controlled and held accountable.

2
Q

What is the goal of Governance?

A

The goal of governance is to ensure:

  • transparency
  • accountability
  • effective decision-making

to support the organization’s long-term strategy and objectives.

3
Q

Where does Governance occur?

A

Governance occurs at the topmost level of any organization. It is designed to establish:
- the overarching vision,
- strategic direction
- and frameworks

that guide the organization’s operations and decision-making processes.

4
Q

What must leadership establish at the top level in any governance model?

A

At the top level in any governance model, leadership must establish organizational goals and objectives.

5
Q

What are the requirements for high-level governance objectives?

A

High-level objectives do not need to be overly specific on how they will be accomplished, but they must provide enough information for consistent application of more specific guidance.

For example, a high-level objective might state that the organization will hire and retain high quality staff.

This forms a general mission statement that can be used by groups within the organization. This specific example likely results in a comprehensive set of:
- policies,
- procedures
- and guidance

within the human resources department, but it also informs other business units of management’s intent with regards to staffing, which is likely to modify the decisions made by all managers within the organization.

6
Q

Governance Approach: what are the most common approaches to Governance?

A

The most common approaches are to use either:

  • a centralized top-down approach
  • a decentralized delegated approach
  • or a combination of the two.

7
Q

What is a centralized top-down approach to Governance?

A

In a centralized top-down approach, all governance decisions are managed by a central decision-making body, which must therefore be well informed of all organizational elements and activities.

8
Q

What is a decentralized delegated approach to Governance?

A

A decentralized delegated approach gives authority to smaller elements of the organization (e.g. departments, divisions) to make governance decisions, but risks inconsistencies between elements.

9
Q

What is the most common way of providing governance output?

A

Once a governance decision has been made, the decision must be promulgated.

One of the most common ways of providing governance output is through creation and distribution of policies.

10
Q

What does a Policy describe?

A

A policy describes a governance decision in a meaningful and useful way to the organization, and can also provide more detailed information to functional areas or divisions within a larger organization.

An important element of governance output is distributing governance policies to ensure all members have appropriate awareness and training.

11
Q

What is Risk Management?

A

Risk management is a critical component of an organization’s overall strategy to manage threats that could impact its:

  • operations
  • reputation
  • financial stability

12
Q

What does Risk Management cover within an enterprise?

A

Risk management within an enterprise covers the entire set of activities to:
- identify
- assess
- treat
- monitor

enterprise-level risk.

13
Q

What is Risk identification, framing or scoping?

A

Risk identification, framing, or scoping refers to the process of identifying types of risk to be addressed by the risk management process, scoping that risk, and identifying organizational risk tolerance levels.

This is the initial step where the organization systematically identifies potential risks that could affect its operations, assets, or stakeholders.

14
Q

What is a major challenge within risk identification?

A

One challenge in risk identification is to determine what level of risk is acceptable for each risk type or category identified.

This is often referred to as:
- risk tolerance,
- risk appetite
- or acceptable risk.

15
Q

What is Risk Assessment?

A

Risk assessment is the methodology used by an organization to determine the potential harm if risks are realized and the likelihood of the risk being realized.

GRC professionals may use one or more methodologies to perform risk assessments, but the chosen approaches should be consistently applied and remain as objective as possible.

Consistency ensures the risk assessment process is standardized across the organization, allowing for reliable comparison and aggregation of risk data.

16
Q

What is crucial for the risk assessment process?

A

Objectivity is crucial for ensuring the assessment is free from personal biases and reflects a true picture of the risk based on evidence and realistic scenarios. If the risk assessments are inconsistently performed or overly subjective, the results are difficult to use in decision making and may ultimately be of limited value.

17
Q

What does Risk Treatment or Response refer to?

A

Risk treatment or response refers to the activities taken by an organization to manage identified risks in a way that aligns with its risk appetite and objectives.

It involves controlling or reducing either the likelihood of a risk being realized or the impact of the risk if it is realized.

18
Q

The strategies for risk treatment typically fall into what four categories?

A

  • risk acceptance
  • risk mitigation
  • risk sharing/transfer
  • risk avoidance

19
Q

What is Risk Monitoring?

A

Risk monitoring is a critical component of the risk management process, involving continuous observation and tracking of identified risks and identification of new risks that may emerge over time.

This practice ensures that the organization remains aware of its risk environment, both internally and externally, and can respond appropriately as conditions change.

20
Q

What is Compliance?

A

Compliance can be summarized as adhering to established rules.
The complexity often lies in identifying the specific sets of rules to be complied with.

Compliance requirements may come from external entities such as:
- governments
- regulatory bodies
- industry requirements
- or other sources

21
Q

What is external compliance?

A

External entities, such as governments or regulatory bodies (government or industry), may define standards or minimum compliance requirements within:
- geographic
- industry
- or national boundaries.

Organizations that operate within these boundaries must identify and comply with mandatory compliance requirements or potentially face fines or censure.

22
Q

What is internal compliance?

A

Organizations may choose to comply with optional or voluntary standards, or even develop their own.

They may do this because compliance with a standard or set of rules provides value to the organization, either through showing that compliance to their customers or through the furtherance of organizational goals that align with the standard.

However, once an organization adopts a standard or set of rules, it will become mandatory for internal elements of the organization. This ensures a degree of consistency within the organization and provides coordination of effort between suborganizations within the larger organization.

23
Q

What is a compliance failure?

A

Failure to meet compliance requirements, whether external or internal, can have a significant negative impact on any organization.

External compliance failures can result in:

  • fines
  • civil or criminal liabilities
  • or the inability to continue to operate within a compliance boundary

The failure of suborganizations to meet internal compliance mandates may result in poor or inconsistent performance.

24
Q

What is the primary value of any framework?

A

The primary value of any framework is to provide structure.

25
Q

What is the value of frameworks in terms of a GRC program?

A

In terms of a GRC program, this means ensuring that appropriate framework elements are identified, implemented correctly, maintained over time, and modified when necessary. The frameworks discussed below address the mechanisms for accomplishing these tasks differently, but they generally agree on the elements of a GRC program.

26
Q

When was the NIST Cybersecurity Framework version 2.0 published?

A

The NIST Cybersecurity Framework (CSF) Version 2.0 was published February 26, 2024, and extends the earlier versions of the framework.

27
Q

What are the five primary functions covered by the NIST Cybersecurity Framework and the one additional function that was added in 2.0?

A
The five primary functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

The additional function added in version 2.0:

  • Govern

28
Q

In what three main components is the NIST Cybersecurity Framework (CSF) broken into?

A

The Cybersecurity Framework (CSF) is broken into three main components:

  • CSF Core
  • CSF Tiers
  • CSF Organizational Profiles

29
Q

What is the NIST Cybersecurity Framework (CSF) - CSF core?

A

The CSF Core is the main element of the framework that creates a common taxonomy for organizations to manage and describe cybersecurity risk.
The core takes the five top-level functions and places them into categories that are then further refined into subcategories.

30
Q

What are NIST Cybersecurity Framework (CSF) - CSF Tiers?

A

CSF Tiers are identified for each element in the core during the creation of a CSF profile for an organization. The tiers represent the rigor applied by an organization to their cybersecurity risk governance and management for each element in the Core.

31
Q

What are NIST Cybersecurity Framework profiles? (CSF organizational profiles)

A

Organizational profiles represent an analysis of the organization’s application of elements within the core based on the defined CSF Tiers.

Organizations may develop current profiles that represent their current state and target profiles that represent their desired state.
This allows for efficient allocation of resources to improve targeted cybersecurity areas.

For example, each element in the core would be assigned a current value ranging from Tier 1 to Tier 4, and the target profile would be assigned Tier 1 to Tier 4 values based on what the organization needs. The difference between the two profiles can be used to create project plans and allocate resources to meet the future goals of the target profile.

32
Q

What is NIST SP 800-39?

A

NIST SP 800-39 is the flagship document in the series of information security standards and guidelines developed by NIST in response to FISMA.

NIST Special Publication (SP) 800-39 provides guidance toward the creation of an integrated, organization-wide program to manage the information security risks of:
- organizational operations
- mission
- functions
- image
- reputation
- organizational assets
- individuals
- other organizations
- and the nation

as they result from the operation and use of federal information systems.

33
Q

What does NIST SP 800-39 provide?

A

NIST SP 800-39 provides a structured, yet flexible, approach to managing risk.

It is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

NIST SP 800-39 is the central risk management publication in the organization’s RMF. The complex relationships among missions, mission/business processes, and the information systems supporting those missions/processes require an integrated, organization-wide view of managing risk.

NIST SP 800-39 places information security into the broader organizational context of achieving mission and business success.

34
Q

What are NIST SP 800-39 objectives?

A

According to NIST SP 800-39, the objectives are:

  • Ensure that senior leaders/executives recognize the importance of managing information security risk and establish appropriate governance structures for managing such risk.
  • Ensure that the organization’s risk management process is effectively conducted across the three tiers of organization, mission/business processes, and information systems.
  • Foster an organizational climate where information security risk is considered within the context of the design of mission/business processes, the definition of an overarching enterprise architecture, and system development life cycle processes.
  • Help individuals with responsibilities for information system implementation or operation to better understand how information security risk associated with their systems translates into organization-wide risk that may ultimately affect the mission/business success.

35
Q

What are the NIST SP 800-39 Key elements?

A

According to NIST SP 800-39, effectively managing organization-wide information security risk requires the following key elements:

  • Assignment of risk management responsibilities to senior leaders/executives.
  • Ongoing recognition and understanding by senior leaders/executives of the information security risks to:
    • organizational operations and assets
    • individuals
    • other organizations
    • and the nation arising from the operation and use of information systems
  • Establishing the organizational tolerance for risk and communicating the risk tolerance throughout the organization, including guidance on how risk tolerance impacts ongoing decision-making activities.
  • Accountability by senior leaders/executives for their risk management decisions and for the implementation of effective, organization-wide risk management programs.

36
Q

How should you manage risks according to NIST SP 800-39?

A

Managing risk is a complex, multifaceted activity that requires the involvement and support of the entire organization:

  • from senior leaders/executives providing the strategic vision and top-level goals and objectives;
  • to mid-level leaders planning, executing, and managing projects;
  • to individuals on the front lines operating the information systems supporting the organization’s missions and business functions.

37
Q

Risk management is a comprehensive process that requires organizations to do what?

A

Risk management is a comprehensive process that requires organizations to:
- frame
- assess
- respond to
- and monitor

risk.

Risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk-based decision making is integrated into every aspect of the organization.

38
Q

NIST SP 800-39: Describe the Risk Management Process

A

The four components include:
- Risk framing
- Risk assessment
- Risk response
- Risk Monitoring

39
Q

What is Risk framing?

A

Risk Framing: Risk framing includes the identification of risk assumptions and constraints (e.g. scoping) to be considered by the organization.

It also includes the identification of tolerance for different types of risk acceptable to an organization as the cost of doing business. It may also consider other factors, such as which risk types are more or less important (i.e., prioritization) to the organization.

One of the key outputs of risk framing addresses how organizations intend to assess, respond to, and monitor the risk associated with the operation and use of organizational information systems.

40
Q

What is Risk Assessment?

A

Risk assessment: Risk assessment is the use of one or more methodologies to determine the magnitude of a risk.

The aim of risk assessment is to understand the nature, likelihood, and the potential impact of risks to:
- inform decision-making,
- prioritize actions
- develop strategies

to mitigate or manage these risks effectively.

41
Q

What is Risk monitoring?

A

Risk Monitoring: Risk monitoring is the implementation of a continuous monitoring program to ensure risk is understood over time and changes to risk scenarios are identified and reassessed as required.

42
Q

What is a Risk response?

A

Risk response: Risk response is a critical component of risk management. It involves taking specific actions to address identified risks in a way that aligns with the organization’s risk appetite and management strategy. The objective of risk response is to reduce the risk to an acceptable level.

Common risk responses are:
- Acceptance
- Avoidance
- Mitigation
- Sharing or Transfer

43
Q

What is Risk Acceptance?

A

Acceptance: Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk appetite and risk tolerance. This usually involves the acceptance of residual risk, which is the risk remaining after other risk responses are completed.

44
Q

What is Risk avoidance?

A

Avoidance: Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance. Risk avoidance involves changing behavior or functionality so the risk conditions no longer exist (e.g. disabling Wi-Fi to avoid Wi-Fi related risks).

However, risk avoidance may not be possible in many cases where the underlying risk conditions are necessary to support required functions.

45
Q

What is Risk mitigation?

A

Mitigation: Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be:

  • accepted
  • avoided
  • shared
  • or transferred

It often involves some type of modification or control (e.g. patching a system).

46
Q

What is Risk Transfer or Risk sharing?

A

Transfer or Sharing: Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations or entities (e.g. purchasing insurance).

Risk sharing may be possible for certain types of risk (e.g. financial, performance) but is often not feasible for all types of risk.

47
Q

What are the NIST SP 800-39 Risk Management Tiers?

A

NIST SP 800-39 extrapolates the four components of risk management into an organizational construct with three tiers:

  • Tier One: Organization (Governance)
  • Tier Two: Mission/Business Processes (Information Flow)
  • Tier Three: Information System (Environment of Operations)

48
Q

Explain NIST SP 800-39 Risk Management Tier One.

A

Tier One addresses risk from an organizational perspective. The activities conducted at this tier affect and influence the activities carried out in Tiers Two and Three.

Tier One is alternatively referred to as the governance tier.

49
Q

Explain NIST SP 800-39 Risk Management Tier Two.

A

Tier Two is focused on the mission and business processes.

The organization may have a collection of Tier Two entities that reflect more than one mission or business function. This correlates with considerations such as enterprise architecture (EA) and the fact that each mission area within an organization can require separate segment and solution architecture approaches.

50
Q

Explain NIST SP 800-39 Risk Management Tier Three.

A

While Tier Three must be responsive to Tier One and Tier Two, the focus of the Risk Management Framework (RMF) is on properly determining the:

  • information and information-system classifications,
  • categorization,
  • proper determinations of risk
  • appropriate risk responses
  • as well as the ways in which risk will be monitored over time.

Each system is unique, but the totality of Tier Three information systems forms the overall organizational perspective. So each of the information systems and the associated environment of operation are integral to the overall organization-wide risk management program.

51
Q

What is a Risk Management strategy?

A

A risk management strategy makes explicit the specific assumptions, constraints, risk tolerances and priorities/trade-offs used within organizations for making investment and operational decisions.

A risk management strategy also includes any strategic-level decisions and considerations on how senior leaders are to manage information security risk to organizational operations and assets, individuals, other organizations, and the nation.

52
Q

Why do investment strategies play a significant role in organizational risk management efforts?

A

Investment strategies play a significant role in organizational risk management efforts.

These strategies generally reflect the long-term strategic goals and objectives of organizations and the associated risk management strategies that are developed and implemented to ensure mission and business success.

Underlying all investment strategies is the recognition that the resources available to invest in helping organizations effectively manage risk are finite; thus, effectively addressing risk to achieve ongoing mission/business success does not mean eliminating all risk.