Domain 1, Information Security Governance

Question 1

PCI-DSS

Answer 1

Payment Card Industry Data Security Standard

Question 2

OCTAVE

Answer 2

Operationally Critical Threat, Asset, and Vulnerability Evaluation.
• Self Directed Risk Management.

Question 3

COBIT

Answer 3

Control Objectives for Information and related Technology.

• Goals for IT – Stakeholder needs are mapped down to IT related goals.

Question 4

COSO

Answer 4

Committee Of Sponsoring Organizations.

• Goals for the entire organization.

Question 5

ITIL

Answer 5

Information Technology Infrastructure Library.

• IT Service Management (ITSM).

Question 6

FRAP

Answer 6

Facilitated Risk Analysis Process.
• Analyses one business unit, application or system at a time in a roundtable brainstorm with internal employees. Impact analyzed, threats and risks prioritized.

Question 7

SWOT

Answer 7

Strengths, Weaknesses, Opportunities, and Threats

Question 8

Gap analysis:

Answer 8

Identify the existing process:
• What are we doing?
Identify the existing outcome:
• How well do we do it?
Identify the desired outcome:
• How well do we want to do?
Identify and document the gap:
• What is the difference between now and desired result?
Identify the process to achieve the desired outcome:
• How can we possibly get to the desired result?
Develop the means to fill the gap:
• Build the tool or processes to get the result.
Develop and prioritize Requirements to bridge the gap.

Question 9

OPEX

Answer 9

(Operating Expense) is the ongoing cost for running a product, business, or system.

Question 10

CAPEX

Answer 10

(Capital Expenditure) is the money a company spends to buy, maintain, or improve its fixed assets, such as buildings, vehicles, equipment, or land.

Question 11

KGI (Key Goal Indicator):

Answer 11

Define measures that tell management, after the fact—whether an IT process has achieved its business requirements.

Question 12

KPI (Key Performance Indicators):

Answer 12

Define measures that determine how well the IT process is performing in enabling the goal to be reached.

Question 13

KRI (Key Risk Indicators):

Answer 13

Metrics that demonstrate the risks that an organization is facing or how risky an activity is.

Question 14

The CIA Triad (AIC)

Answer 14

Confidentiality
Integrity
Availability

Question 15

Data at Rest

Answer 15

(Stored data): This is data on disks, tapes, CDs/DVDs, USB sticks

Question 16

Data in Motion

Answer 16

(Data being transferred on a network).

Question 17

Data in Use

Answer 17

We are actively using the files/data, it can’t be encrypted

Question 18

Mission/business owner

Answer 18

Senior executives make the policies that govern our data security.

Question 19

Data/information owner

Answer 19

Management level, they assign sensitivity labels and backup frequency.

Question 20

Data custodian

Answer 20

These are the technical hands-on employees who do the backups, restores, patches, system configuration. They follow the directions of the data owner.

Question 21

Users

Answer 21

These are the users of the data. User awareness must be trained; they need to know what is acceptable and what is not acceptable, and the consequences for not following the policies, procedures and standards.

Question 22

Data controllers and data processors

Answer 22

• Controllers create and manage sensitive data in the organization (HR/Payroll)
• Processors manage the data for controllers (Outsourced payroll)