Domain 1: GOVERNANCE AND RISK MANAGEMENT Flashcards

1
Q

Business driver

A

Condition, process, requirement, or other concern that influences the way an org manages activities

2
Q

What does understanding why an organization exists and conducts business precede?

A

Developing information security governance

3
Q

Proprietorship

A

Single owner (or family owned)

4
Q

Proprietorship decision-making process

A

Single decision maker

5
Q

Partnership

A

Multiple owners

6
Q

Who is responsible for management and risk in a partnership?

A

All partners

7
Q

Corporation purpose

A

Separate the business's liability from its owners

8
Q

Articles of incorporation

A

Founding document that defines how the corporation will be run

9
Q

Primary force driving governance

A

Shareholder value

10
Q

CMMI

A

Capability Maturity Model Integration

11
Q

CMMI Levels

A
  1. Initial
  2. Managed
  3. Defined
  4. Quantitatively Managed
  5. Optimizing
12
Q

CMMI Proactive levels

A

3-5 (Defined, Quantitatively Managed, Optimizing)

13
Q

When do orgs realize the benefits of mapping processes to organizational standards and achieving consistency?

A

CMMI Level 3

14
Q

Business drivers affect…

A

Decisions made in an organization

15
Q

Most important information security drivers? (2)

A

Business compliance
Privacy needs

16
Q

CISO must understand these drivers (4)

A

Objectives
Business processes supporting objectives
Information and technology
Threats to operations

17
Q

First things CISOs need to do

A

Understand how the organization works: its people and its revenue streams

18
Q

ISMS

A

Policy, guided by governance and compliance, sits at the top; everything else sits under it:
Risk
Architecture
Asset classification
Security operations
Business resilience
Training
Metrics and reporting

19
Q

Benefit of a security policy

A

Provides legal protection, because it is a stated commitment to meeting requirements

20
Q

Most common reason companies create security policies…

A

Regulatory requirements

21
Q

Other reasons for policies

A

Compliance
Frameworks (ISO)

22
Q

Most important quality of policy content

A

Understandable by its target audience

23
Q

Policy best-practices (5)

A

Concise
Common Language
Consistent with law
Reasonable
Enforceable

24
Q

Who must support a policy?

A

Senior Management

25
Q

Traditional role of the CISO is to develop processes that support 4 objectives

A

Reduce IT Risk
Establish and implement security policies and procedures
Establish standards and controls
Respond to incidents

26
Q

Ethics

A

Moral principles that govern behavior of a person or group.

27
Q

Seven-question framework for ethical decision-making

A

Alternatives?
Stakeholders?
Harm?
Most good with least harm?
Are alternatives objectionable?
Am I comfortable with it?
Comfortable telling friends or family?

28
Q

Does EC-Council have Code of Ethics?

A

Yes

29
Q

Risk management

A

Identification, assessment, and prioritization of risks, followed by efforts to minimize, monitor, and control their probability and impact

30
Q

Risk management principles (7)

A

Understand risks
Measure risk
Communicate risk
Select treatment plans
Implement treatment plan
Manage residual risk
Communicate status of risk management program

31
Q

Who is responsible for the process or framework for communicating risk?

A

CISO or CRO

32
Q

Risk management framework provides…

A

A structured, repeatable approach to achieving a specific objective

33
Q

NIST RMF

A

Life cycle to incorporate security throughout a system development project

34
Q

NIST RMF Lifecycle (8)

A

Categorize systems
Select controls
Supplement controls
Document
Implement
Assess controls
Authorize systems
Monitor controls
(SP 800-37 Rev. 2, published 2018, consolidates these into seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor.)

35
Q

How do you know if you own a risk?

A

Whether or not you have the authority to fix it: if you can authorize the fix, you own the risk.

36
Q

Who is responsible for the final decision to apply a risk treatment?

A

Business/Asset owner

37
Q

Risk treatment options (4)

A

Modification (mitigation)
Avoidance
Transfer (ISO 27005: sharing)
Acceptance (ISO 27005: retention)

38
Q

Risk modification

A

The most common option: applying security controls to reduce likelihood or impact

39
Q

Risk modification aka

A

mitigation

40
Q

Risk avoidance

A

Eliminate the risk by not doing the activity that creates it

41
Q

Risk sharing aka

A

Risk transfer

42
Q

Inherent risk

A

The risk that comes with using a system before any controls are applied

43
Q

Residual risk

A

The risk that remains after treatment

44
Q

ISO 27005

A

Guidelines for information security risk management (supports ISO 27001)
A paid standard, not freely available

45
Q

ISO 27005 steps (4)

A

Design controls
Deploy
Manage controls
Ongoing analysis of controls

46
Q

ISO 27005 Risk Assessment Workflow (3)

A

Risk Identification
Risk Analysis
Risk Evaluation

47
Q

Risk identification

A

Determine what can cause a loss
Learn how, where, and why that loss might happen

48
Q

Risk identification evaluates…

A

Assets
Threats
Controls
Vulnerabilities
Consequences

49
Q

Risk identification maps consequences to…

A

Assets
Business processes

50
Q

Risk Analysis analyzes… (3)

A

Consequences
Likelihood
Level of risk (rating)

51
Q

Risk Evaluation

A

Prioritize: compare each risk's analyzed level against the organization's risk criteria to decide which risks need treatment, and in what order

52
Q

Risk treatment

A

Take the prioritized set of risks
Develop treatment recommendations for each

53
Q

Risk acceptance occurs….

A

After risk treatment, once the effectiveness of the applied controls has been validated

54
Q

Risk feedback

A

Monitoring, review, and communication

55
Q

Risk monitoring feedback loop (2)

A

Monitor risks and initiate a new assessment when risks change
Review the risk management program for continuous improvement

56
Q

Risk communication includes…

A

Outcome of assessments
Status reports
Assessment issues
General concerns

57
Q

NIST 800-37r1

A

Guide for applying the Risk Management Framework to federal information systems (a security life-cycle approach); superseded by Rev. 2 in 2018

58
Q

800-30

A

Guide for Conducting Risk Assessments

59
Q

800-39

A

Managing Information Security Risk: risk management guidance at the organization, mission/business process, and information system tiers

60
Q

Risk framing

A

Assumptions, constraints, risk tolerances, and priorities that shape an organization's approach to managing risk

61
Q

ISO 31000

A

Risk management guidelines for the whole enterprise (not IT-specific)

62
Q

Threat Agent Risk Assessment (TARA)

A

Intel's process to identify and rank threat agents, assess the threats they pose, and select countermeasures against the most likely ones

63
Q

OCTAVE Allegro

A

Lean, asset-focused risk assessment (CERT/SEI)
Does not select controls

64
Q

FAIR

A

Factor Analysis of Information Risk: a quantitative model that expresses risk in monetary terms as loss event frequency x loss magnitude; control strength is one of its factors (a loss event occurs when threat capability exceeds control strength)
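A worked example of how control strength enters a FAIR-style calculation, added here as an illustration and not part of the flashcard deck or the FAIR standard. Vulnerability is estimated as the probability that a threat agent's capability exceeds the control's strength, then multiplied by threat event frequency and mean loss magnitude; running it with a stronger control shows the annual loss the uplift buys. All percentile scores, frequencies and loss figures are constructed assumptions, not calibrated data.

```python
"""FAIR-style control-strength quantification.

Added example (not from the flashcard deck or the FAIR standard):
estimates the FAIR 'Vulnerability' factor as the probability that a
threat agent's capability exceeds the control strength, then folds it
into loss event frequency (LEF) and an annualized loss figure (ALE).
Every number below is a constructed, uncalibrated illustration.
"""
from itertools import product
from statistics import fmean

# Constructed sample inputs (assumptions, not real data):
# capability / strength values are percentile scores 0-100,
# loss magnitudes are per-event losses in dollars.
THREAT_CAPABILITY = [20, 40, 60, 80, 95]
CONTROL_STRENGTH_BEFORE = [30, 50, 70]   # current control
CONTROL_STRENGTH_AFTER = [60, 80, 90]    # after hardening
THREAT_EVENT_FREQUENCY = 10.0            # attempts per year
LOSS_MAGNITUDES = [50_000, 100_000, 300_000]


def vulnerability(threat_capability, control_strength):
    """P(threat capability > control strength), enumerated exactly
    over every pairing of the two sample distributions."""
    pairs = list(product(threat_capability, control_strength))
    successes = sum(1 for tcap, cs in pairs if tcap > cs)
    return successes / len(pairs)


def loss_event_frequency(tef, vuln):
    """Loss event frequency = threat event frequency * vulnerability."""
    return tef * vuln


def annualized_loss(tef, threat_capability, control_strength, loss_magnitudes):
    """Return vulnerability, LEF and ALE (LEF * mean loss magnitude)."""
    vuln = vulnerability(threat_capability, control_strength)
    lef = loss_event_frequency(tef, vuln)
    return {"vulnerability": vuln, "lef": lef, "ale": lef * fmean(loss_magnitudes)}


def control_uplift(tef, threat_capability, cs_before, cs_after, loss_magnitudes):
    """Compare ALE before and after a control change. The difference is the
    annual loss the stronger control avoids, which is how FAIR makes
    'control strength' a number rather than a rating."""
    before = annualized_loss(tef, threat_capability, cs_before, loss_magnitudes)
    after = annualized_loss(tef, threat_capability, cs_after, loss_magnitudes)
    return before, after, before["ale"] - after["ale"]


if __name__ == "__main__":
    before, after, saved = control_uplift(
        THREAT_EVENT_FREQUENCY, THREAT_CAPABILITY,
        CONTROL_STRENGTH_BEFORE, CONTROL_STRENGTH_AFTER, LOSS_MAGNITUDES)
    print(f"before: vuln={before['vulnerability']:.2f} "
          f"LEF={before['lef']:.2f}/yr ALE=${before['ale']:,.0f}")
    print(f"after:  vuln={after['vulnerability']:.2f} "
          f"LEF={after['lef']:.2f}/yr ALE=${after['ale']:,.0f}")
    print(f"annual loss avoided: ${saved:,.0f}")
```

Exact enumeration is used instead of Monte Carlo sampling so the result is reproducible; with calibrated PERT or lognormal inputs a practitioner would sample the same four factors instead. Either way, the point the card makes survives: control strength has no meaning on its own in FAIR, it only matters relative to the capability of the threat agents in scope.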

65
Q

COBIT

A

ISACA framework for the governance and management of enterprise IT

66
Q

ITIL

A

Practices for IT service management
