Domain 1: GOVERNANCE AND RISK MANAGEMENT

Question 1

Business driver

Answer 1

Condition, process, requirement, or other concern that influences the way an org manages activities

Question 2

What does understanding why an organization exists and conducts business preceed?

Answer 2

Developing Infosec Governence

Question 3

Proprietership

Answer 3

Single owner/family owned

Question 4

Proprietorship decision-making process

Answer 4

Single decision maker

Question 5

Partnership

Answer 5

Multiple owners

Question 6

Who is responsible for management and risk in a partnership?

Answer 6

All partners

Question 7

Corporation purpose

Answer 7

Separate liability from the owners

Question 8

Articles of incorporation

Answer 8

How a business will be run

Question 9

Primary force driving governance

Answer 9

Shareholder value

Question 10

CMMI

Answer 10

Capability Maturity Model Integration

Question 11

CMMI Levels

Answer 11

1. Initial
2. Managed
3. Defined
4. Quantitatively Managed
5. Optimizing

Question 12

CMMI Proactive levels

Answer 12

3-5 (Defined, Quantitatively Managed, Optimizing)

Question 13

When do orgs realize the benefits of mapping processes to organizational standards and achieving consistency?

Answer 13

CMMI Level 3

Question 14

Business drivers affect…

Answer 14

Decisions made in an organization

Question 15

Most important infoSec drivers? (2)

Answer 15

Business compliance
Privacy needs

Question 16

CISO must understand these drivers (4)

Answer 16

Objectives
Business processes supporting objectives
Information and technology
Threats to operations

Question 17

First things CISO’s need to do

Answer 17

Understand how org works. People, Revenue streams

Question 18

ISMS

Answer 18

Policy, guided by Governance and Compliance
Then everything under that.
Risk, Architecture, Asset Classification, SecOps
Business Resilince
Training
Metrics & Reporting

Question 19

Benefit of a security policy

Answer 19

Provides legal protection because of a stated commitment to requirements

Question 20

Most common reason companies create security policies…

Answer 20

Regulatory requirements

Question 21

Other reasons for policies

Answer 21

Compliance
Frameworks (ISO)

Question 22

Most important content

Answer 22

Understandable
Target Audience

Question 23

Policy best-practices (5)

Answer 23

Concise
Common Language
Consistent with law
Reasonable
Enforceable

Question 24

Who must support a policy?

Answer 24

Senior Management

Question 25

Traditional role of CISO is to develop processes to support 4 objectives

Answer 25

Reduce IT Risk
Establish and implement security policies and procedures
Establish standards and controls
Respond to incidents

Question 26

Ethics

Answer 26

Moral principles that govern behavior of a person or group.

Question 27

Seven-question framework for ethical decision-making

Answer 27

Alternatives?
Stakeholders?
Harm?
Most good with least harm?
Are alternatives objectionable?
Am I comfortable with it?
Comfortable telling friends or family?

Question 28

Does EC-Council have Code of Ethics?

Answer 28

Yes

Question 29

Risk management

Answer 29

Identification, assessment, and prioritization of risks followed by effort to minimize, monitor, and control probability and impact

Question 30

Risk management principles (7)

Answer 30

Understand risks
Measure risk
Communicate risk
Select treatment plans
Implement treatment plan
Manage residual risk
Communicate status of risk management program

Question 31

Who is responsible for the process or framework for communicating risk?

Answer 31

CISO or CRO

Question 32

Risk management framework provides…

Answer 32

Approach to a specific objective

Question 33

NIST RMF

Answer 33

Life cycle to incorporate security throughout a system development project

Question 34

NIST RMF Lifecycle (8)

Answer 34

Categorize systems
Select controls
Supplement controls
Document
Implement
Assess controls
Authorize systems
Monitor controls

Question 35

How do you know if you own a risk?

Answer 35

Whether you have the authority to fix it or not.

Question 36

Who is responsible for the final decision to apply a risk treatment?

Answer 36

Business/Asset owner

Question 37

Risk treatment options (4)

Answer 37

Modification or mitigation
Avoidance
Transfer
Acceptance

Question 38

Risk modification

Answer 38

Most common
Applying security controls

Question 39

Risk modification aka

Answer 39

mitigation

Question 40

Risk avoidance

Answer 40

Eliminate the risk

Question 41

Risk sharing aka

Answer 41

Risk transfer

Question 42

Inherent risk

Answer 42

Risk that comes with using a system

Question 43

Residual risk

Answer 43

Risk following treatment

Question 44

ISO 27005

Answer 44

Guidelines for information security risk management
Costs money

Question 45

ISO 27005 steps (4)

Answer 45

Design controls
Deploy
Manage controls
Ongoing analysis of controls

Question 46

ISO 27005 Risk Assessment Workflow (3)

Answer 46

Risk Identification
Risk Analysis
Risk Evaluation

Question 47

Risk identification

Answer 47

Determine what can cause loss
Learn how, where, why loss might happen

Question 48

Risk identification evaluates…

Answer 48

Assets
Threats
Controls
Vulnerabilities
Consequences

Question 49

Risk identification maps consequences to…

Answer 49

Assets
Business processes

Question 50

Risk Analysis analyzes… (3)

Answer 50

Consequences
Likelihood
Level of risk (rating)

Question 51

Risk Evaluation

Answer 51

P

Question 52

Risk treatment

Answer 52

Prioritized set of risks
Develop recommendations

Question 53

Risk acceptance occurs….

Answer 53

After risk treatment and validation of control effectiveness

Question 54

Risk feedback

Answer 54

Monitoring, review, and communication

Question 55

Risk monitoring feedback loop (2)

Answer 55

Monitor risks and initiate assessment when risks change.

Review risk management program for continuous improvement

Question 56

Risk communication includes…

Answer 56

Outcome of assessments
Status reports
Assessment issues
General concerns

Question 57

NIST 800-37r1

Answer 57

Risk Management Lifecycle

Question 58

800-30

Answer 58

Guidance for risk assessments

Question 59

800-39

Answer 59

Risk management guidance

Question 60

Risk framing

Answer 60

Assumptions, constraints, tolerances, priorities that shape an organizations approach to managing risk.

Question 61

ISO 31000

Answer 61

Enterprise Risk Management

Question 62

Threat Agent Risk Assessment (TARA)

Answer 62

Process to identify and assess threats and select countermeasures

Question 63

OCTAVE Allegro

Answer 63

Lean Risk Assessment
Doesn’t select controls

Question 64

FAIR

Answer 64

Quantifies strength of controls

Question 65

COBIT

Answer 65

ISACA framework for IT management

Question 66

ITIL

Answer 66

Practices for IT service management