Domain 1 Flash Cards

1
Q

Acceptable risk

A

A suitable level of risk commensurate with the potential benefits of the organization’s operations as determined by senior management.

2
Q

Audit/auditing

A

The tools, processes, and activities used to perform compliance reviews.

3
Q

Availability

A

Ensuring timely and reliable access to and use of information by authorized users.

4
Q

Business continuity (BC)

A

Actions, processes, and tools for ensuring an organization can continue critical operations during a contingency.

5
Q

Business continuity and disaster recovery (BC/DR)

A

A term used to jointly describe business continuity and disaster recovery efforts.

6
Q

Business impact analysis (BIA)

A

A list of the organization’s assets, annotated to reflect the criticality of each asset to the organization.

7
Q

Compliance

A

For the IT professional, compliance includes the activities that maintain and provide systematic proof of adherence both to internal policies and to the external laws, guidelines, or regulations imposed upon the company.

8
Q

Confidentiality

A

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

9
Q

Data custodian

A

The person/role within the organization who usually manages the data on a day-to-day basis on behalf of the data owner/controller.

10
Q

Data owner/controller

A

The data controller determines the purposes for which, and the manner in which, personal data is processed. It can do this either on its own or jointly or in common with other organizations. This means that the data controller exercises overall control over the ‘why’ and the ‘how’ of a data processing activity.

11
Q

Data subject

A

The individual human to whom a set of personal data relates.

12
Q

Disaster recovery (DR)

A

Those tasks and activities required to bring an organization back from contingency operations and reinstate regular operations.

13
Q

Due diligence

A

A management process used to gather facts before making a decision.

14
Q

Due Care

A

The effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account. It refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to exercise under particular circumstances.

15
Q

Governance

A

The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as the policies, roles, and procedures the organization uses to make those decisions.

16
Q

Governance committee

A

A formal body of personnel who determine how decisions will be made within the organization and the entity that can approve changes and exceptions to current relevant governance.

17
Q

Guidelines

A

Suggested practices and expectations of activity to best accomplish tasks and attain goals.

18
Q

Integrity

A

Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.

19
Q

Intellectual property

A

In general terms, intellectual property is any product of the human intellect that the law protects from unauthorized use by others. The ownership of intellectual property inherently creates a limited monopoly in the protected property. Intellectual property traditionally comprises four categories: patents, copyrights, trademarks, and trade secrets.

20
Q

Maximum allowable downtime (MAD)

A

The measure of how long an organization can survive an interruption of critical functions. Also known as maximum tolerable downtime (MTD).

21
Q

Personally identifiable information (PII)

A

Any data about a human being that could be used to identify that person.

22
Q

Policy

A

Documents published and promulgated by senior management dictating and describing the organization’s strategic goals.

23
Q

Privacy

A

The right of a human individual to control the distribution of information about him or herself.

24
Q

Procedures

A

Explicit, repeatable activities to accomplish a specific task. Procedures can address one-time or infrequent actions or common, regular occurrences.

25
Q

Recovery time objective (RTO)

A

A measure of how much data the organization can lose before the organization is no longer viable.
RTO must be less than the maximum tolerable downtime: RTO < MTD (also known as MAD).

26
Q

Residual risk

A

The risk remaining after security controls have been put in place as a means of risk mitigation.

27
Q

Risk

A

The possibility of damage or harm and the likelihood that damage or harm will be realized.

28
Q

Risk Frameworks

A

Provide a structured approach to identifying, assessing, prioritizing, and managing risk to guide decision-making.
Provide the overarching structure for making risk-informed decisions. Address the “why”: they guide strategic decision-making about risk.

29
Q

Risk acceptance

A

Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action. Doing nothing means you accept the risk and the potential loss if the threat occurs.

30
Q

Risk avoidance

A

Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination. Chosen when the costs of mitigating or accepting the risk are higher than the benefits of the service.

31
Q

Risk mitigation

A

Putting security controls in place to attenuate the possible impact and/or likelihood of a specific risk. You do this by implementing a countermeasure and accepting the residual risk.

32
Q

Risk transference

A

Paying an external party to accept the financial impact of a given risk. Also known as Risk Assignment.

33
Q

Security control framework

A

A notional construct outlining the organization’s approach to security, including a list of specific security processes, procedures, and solutions used by the organization.
Provide a prescriptive set of cybersecurity safeguards and best practices to protect an organization’s valuable assets. Help in implementing the risk management strategy. Address the “how” – providing specific controls to mitigate cybersecurity risks.

34
Q

Security governance

A

The entirety of the policies, roles, and processes the organization uses to make security decisions.

35
Q

Standards

A

Specific mandates explicitly stating expectations of performance or conformance.

36
Q

5 pillars of information security

A

Confidentiality, integrity, availability, authenticity, and non-repudiation.

37
Q

Sherwood Applied Business Security Architecture (SABSA)

A

A security architecture framework and methodology. It focuses on aligning security with business goals by providing a structured method for designing, implementing, and managing security architectures.
It can be used in conjunction with both risk frameworks and security control frameworks.
It adds a layer focused on practical security architecture implementation: another “how” layer, focusing on the structure and design of the security architecture itself.

38
Q

Federal Risk and Authorization Management Program (FedRAMP)

A

A government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

39
Q

ISO/IEC 27001:2022

A

Outlines a framework for implementing, maintaining, and continually improving an information security management system (ISMS). An ISMS is a set of policies, processes, and controls that helps organizations protect their information assets.
The standard guides organizations in identifying information assets and assessing their value and information security risks, implementing mitigating security controls (based on ISO 27002), and regularly monitoring and measuring the effectiveness of the ISMS and continuously improving it.
Focus on the WHAT and WHY.

40
Q

ISO/IEC 27002:2022

A

Offers best practices and control objectives related to key aspects of cybersecurity in support of ISO/IEC 27001.
Focus areas include access control, cryptography, human resource security, operational security, and incident response.
Serves as a practical blueprint for organizations aiming to effectively safeguard their information assets against cyber threats.
Focus on the HOW.

41
Q

Privacy impact assessment (PIA)

A

Designed to identify the privacy data being collected, processed, or stored by a system, and to assess the effects of a data breach. To conduct one, you must define the assessment scope, the data collection methods, and the plan for data retention.

42
Q

External Dependencies

A

Entities outside the organization that it depends on for business continuity, disaster recovery, or operations.
Examples: ISPs, utility companies, providers of recovery site(s), and fuel for backup generators.

43
Q

Hardware Root of Trust

A

A line of defense against executing unauthorized firmware on a system.
When certificates are used in full-disk encryption (FDE), they rely on a hardware root of trust for key storage. It verifies that the keys match before the secure boot process takes place.
Examples: Trusted Platform Module (TPM) and silicon root of trust (SRoT).

44
Q

Silicon Root of Trust

A

A specialized chip or module embedded directly into the hardware of a device (server, IoT, etc.).
It contains a unique, unchangeable cryptographic identity that is established during manufacturing and acts as an anchor point for verifying the integrity of the system’s firmware.

45
Q

Physically Unclonable Function

A

A hardware component that generates a digital fingerprint or signature based on the unique physical characteristics of an integrated circuit or chip.
When a PUF is queried, or given a challenge, it responds with a unique output based on the chip’s inherent variations.
This response, like a fingerprint, is impossible to clone or recreate in another device.

46
Q

Software bill of materials (SBOM)

A

A list of all software components, libraries, and modules that go into a particular software build or product.
The SBOM functions as the inventory of all the building blocks that make up a software product.
Helps organizations better understand, manage, and secure their applications.

47
Q

ISC2 Code of Ethics

A

1. Protect society, the commonwealth, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.

48
Q

4 levels of Security Policy Development

A

1. Acceptable use policy: assigns roles and responsibilities.
2. Security baselines: define “minimum levels”.
3. Security guidelines: offer recommendations.
4. Security procedures: detailed step-by-step instructions.

49
Q

Risk Deterrence

A

Implementing deterrents to would-be violators of security and policy.

50
Q

Risk Rejection

A

An unacceptable possible response to risk is to reject the risk or ignore it.
