Domain 1: Security and Risk Management

Question 1

3 main elements of Security Program

Answer 1

People, Process, Technology

Question 2

Important for people

Answer 2

training, knowledge/skill set, company culture

Question 3

important about process

Answer 3

controls how people interact with the technology

Question 4

Information Security Triad

Answer 4

Confidentiality, Integrity, Availability

Question 5

cost v. performance

Answer 5

always a balance between levels of security and performance. Security will reduce performance.

Question 6

Confidentiality

Answer 6

Prevent unauthorized disclosure

Question 7

Integrity

Answer 7

Prevent unauthorized modification

Question 8

Availability

Answer 8

Timely access to resources

Question 9

Why implement security?

Answer 9

to support the mission of the organization. Not security for security sake

Question 10

GRC

Answer 10

Governance, Risk, Compliance

Question 11

Why GRC Came about

Answer 11

Response to widescale fraud and unethical behaviors of organizations in the early 2000s. Open Compliance & Ethics Group (OCEG) provided open standards addressing GRC

Question 12

Culpable Negligence

Answer 12

Not doing something a reasonably cautious person would do

Question 13

Due Care

Answer 13

Acting on the research to show you have acted prudently

Question 14

Due Care

Answer 14

Acting on the research to show you have acted prudently

Question 15

Prudent Person Rule

Answer 15

You have used due diligence and due care to take reasonable actions, responsibly and cautiously

Question 16

Ulimate Responsibliity/Liability

Answer 16

Senior Management

Question 17

Information Security Frameworks

Answer 17

Provide standard set of IS requirements to guide organizations; foundation, structure

Question 18

ISO 27001 has how many domains

Answer 18

14

Question 19

ISO 27001

Answer 19

Specifies requirements for establishing, implementing, maintaining, and improving an IS Management system within an organization

Question 20

GDPR

Answer 20

General Data Privacy Regulation

Question 21

Who adheres to GDPR

Answer 21

Not the US, more popular in Europe

Question 22

Goal of GDPR

Answer 22

Protect the Rights of data subjects

Question 23

Data subject

Answer 23

person the data pertains to

Question 24

Timeline for Breach Disclosure under GDPR

Answer 24

72 hours to notification

Question 25

Seven Steps of the NIST CSF

Answer 25

Prioritize and scope, Orient, Create a current profile, Conduct a Risk Assessment, Create a Target Profile, Determine analyze and prioritize gaps, implement action plan

Question 26

Gap Analysis

Answer 26

Identifying and prioritizing gaps between where you are and where you want to be

Question 27

5 goals of NIST CSF

Answer 27

Identify, Protect, Detect, Respond, Recover

Question 28

CMMI Five Maturity Levels

Answer 28

Initial, Developing, Defined, Managed, Optimized

Question 29

CMMI Maturity Model

Answer 29

Identifies Maturity of Technology, Process, and People

Question 30

CMMI Level 1

Answer 30

People are unstaffed or uncoordinated, no formal security program, no security controls exist

Question 31

CMMI Level 2

Answer 31

Infosec leadership established, Basic governance and risk management process/policies, some controls in development with limited documentation

Question 32

CMMI Level 3

Answer 32

Some roles and responsibilities established, organization wide processes and policies in place with minimal verification, more controls documented and developed, over reliant on individual efforts

Question 33

CMMI Level 4

Answer 33

Increased resources and awareness, clearly defined roles and responsibilities, formal infosec committees, verification and measurement processes, controls monitored, measured for compliance but uneven levels of automation

Question 34

CMMI Level 5

Answer 34

Culture supports continuous improvements, processes comprehensively implemented, risk based and quantitatively understood, controls comprehensively implemented and automated

Question 35

Information Security Program Steps

Answer 35

Provide means for achieving strategy, policies/standards/procedures/guidelines, controls and control objectives, 3rd party governance, data classification/security, Certification and Accredidation (aka Assessment and Authorization), auditing

Question 36

Corporate Policy

Answer 36

Comes from senior leadership, expresses their vision for security

Question 37

System Specific Policy

Answer 37

Every system or role of system should have their own policy

Question 38

Issue Specific Policy

Answer 38

Policy focusing on a specific issue ex. Change Management Policy

Question 39

List of Issue Specific Policies

Answer 39

Change Management
Acceptable Use policy
privacy
Data/System Ownership
Separation of Duties
Mandatory Vacations
Job Rotation
Least privilege
need to know
dual control 
M of N control

Question 40

Change management policy

Answer 40

discusses how to manage and approve changes to the system

Question 41

Acceptable Use policy

Answer 41

Policy stating how to use system resources and restrictions

Question 42

Privacy policy

Answer 42

Pertains to employee privacy and notification of employees

Question 43

Data/System Ownership Policy

Answer 43

Data is more important for security, policy states who has security ownership as it pertains to systems and data

Question 44

Separation of Duties

Answer 44

Prevents any 1 individual from being too powerful, separates duties and forces collusion (multiple people coming together to perform an action)

Question 45

Mandatory vacations

Answer 45

Only in finance, mandates a set number of days in a row where employee can do absolutely no work actions or communications. Detective control

Question 46

Job Rotation

Answer 46

Personnel rotation through positions to avoid knowing all the workarounds and provide cross-training

Question 47

Least Privilege / Need to Know

Answer 47

Only allow people to perform actions they need to or access data they need to know

Question 48

Dual Control

Answer 48

Takes multiple personnel to perform an action, identifies specific personnel

Question 49

M of N Control

Answer 49

X out of Y personnel need to be present, more flexible than Dual Control

Question 50

Standards, Procedures, and Guidelines difference

Answer 50

Standards and Procedures are mandatory, guidelines are not.

Question 51

Strategic Policy Framework pieces

Answer 51

Driven by senior management. Org Drivers, Principles, Policies

Question 52

Tactical Policy Framework pieces

Answer 52

Standards, Guidelines, Procedures, and Baselines

Question 53

Compensating control

Answer 53

When plan A doesn’t work or provide a full and complete solution

Question 54

Control Objectives

Answer 54

understanding of the long-term objectives of an organization. strategy should describe a well-articulated vision of the desired outcomes for a security program through SMART objectives

Question 55

Senior Management Responsibilities

Answer 55

Provide oversight
Provide funding and support
Ensure Testing
Prioritize Business functions
establish a common vision/strategy/framework
Sign off on policy, BIA (business impact analysis), and other organizational documents

Question 56

Steering committee Responsibilities

Answer 56

Oversight of Information Security Program
Act as liaison b/w management, business, IT, and IS
Assess and incorporate result of risk assessment
Into the decision-making process
Ensure all stakeholder interests are addressed
Oversees compliance activities

Question 57

Chief Informational Officer Responsibilities

Answer 57

Strategic Planning
Policy development
technology assessments
process improvements
acquisitions
capital planning
security

Question 58

Chief Information Security Office (CISO) Responsibilities

Answer 58

Responsible for the CIA Triad
Usually reports to the CIO
Conduct risk assessments
program management
loss prevention
incident management
security operations

Question 59

Information Security manager Responsibilities

Answer 59

Functional manager responsible for achieving and determining the how
Play a leading role in introducing an appropriate methodology
Act as major consultants in support of senior management

Question 60

Busines Managers Responsibilities

Answer 60

The Data owners
Responsible for business operations. individual lines of business
provide direction to ensure security is implemented in such a way to meet objectives
responsible for security enforcement and direction
responsible for the day to day

Question 61

Security Practitioners Responsibilities

Answer 61

Responsible for implementation of security requirements
Support or use the Risk management process to identify and assess new potential risk and implement new security controls as needed

Question 62

Auditors Responsibilities

Answer 62

Evaulation of controls and policies
Can be internal or external
Document, not modify

Question 63

Security Trainers Responsibilities

Answer 63

Understnad the risk management process
develop training materials
conduct security trainings and awareness programs catered to roles within the org
incorporate risk assessment into training programs to educate end users
encourage users to report violations

Question 64

Information Security Risk Management

Answer 64

ISRM, process of managing risks associated with the use of information technology; identifying assessing and treating risks to the CIA of organization’s assets

Question 65

Asset

Answer 65

Anything of value to the company

Question 66

Vulnerability

Answer 66

A weakness, the absence of a safeguard

Question 67

Threat

Answer 67

Something that could pose loss to all or part of an asset

Question 68

Threat Agent

Answer 68

What carries out the attack

Question 69

Exploit

Answer 69

An instance of compromise

Question 70

Risk

Answer 70

The probability of a threat materializing

Question 71

Controls

Answer 71

Physical, Administrative, and Technical Protections

Question 72

Safeguards

Answer 72

Deterrents or Preventive Controls

Question 73

Countermeasures

Answer 73

Detective or Corrective Controls

Question 74

Total Risk

Answer 74

The risk that exists before any control is implemented

Question 75

Residual Risk

Answer 75

Risk that is left after applying a control

Question 76

Secondary Risk

Answer 76

When one risk response triggers another risk event

Question 77

Incident

Answer 77

A risk event that has transpired

Question 78

Risk Management Lifecycle

Answer 78

Identify, assess, mitigate, monitor

Question 79

Risk Identification

Answer 79

First step in lifecycle, Discovery all of threats and vulnerabilities against assets. Record risks in a risk register

Question 80

Risk Assessment

Answer 80

Second step in lifecycle, Determining loss potential. Probability * Impact

Question 81

RIsk mitigation

Answer 81

Third step in lifecycle, How we respond based on risk assessment. Could be controls, removal of risk, or transferring risk

Question 82

Risk Monitoring

Answer 82

Final step in lifecycle, ensuring risks stay in allowable range

Question 83

Formula for Risk

Answer 83

Asset Value * Threat * Vulnerability = Risk

Question 84

STRIDE Threats

Answer 84

Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Escalation of Privilege

Question 85

DREAD Vulnerabilties

Answer 85

Damage potential, Reproducibility, Exploitability, Affected user base, Discoverability

Question 86

Qualitative Risk Assessment

Answer 86

Subjective analysis to help prioritize probability and impact of risk events. May use Delphi Technique (anonymous inputs from users)
Uses terms like high medium low; probability and impact
Produces a heat map

Question 87

Quantitative Risk Assessment

Answer 87

Provides a dollar value to risk event
More difficult and requires a special skill set
Can’t exist on its own, depends on qualitative info

Question 88

Asset Value (AV)

Answer 88

Dollar figure that represents what the asset is worth to the organization

Question 89

Exposure Factor (EF)

Answer 89

Percentage of loss that is expected to result in the manifestation of an actual risk event

Question 90

Single Loss Expectancy (SLE)

Answer 90

Dollar figure that represents the cost of a single occurrence of a threat instance

Question 91

Annual Rate of Occurrence (AOR)

Answer 91

How often the threat is expected to materialize

Question 92

Annual Loss Expectancy (ALE)

Answer 92

Cost per year as a result of the threat

Question 93

Total Cost of Ownership (TCO)

Answer 93

cost of implementing a safeguard, includes initial cost and maintenance fees

Question 94

Return on Investment (ROI)

Answer 94

money saved by implementing a safeguard; also known as value of safeguard/control

Question 95

Single Loss Expectancy (SLE) Formula

Answer 95

AV * EF

Question 96

ALE Formula

Answer 96

SLE * ARO

Question 97

TCO Formula

Answer 97

Initial Cost of Control + Yearly Fees

Question 98

ROI Formula

Answer 98

ALE before Control - ALE after Control - Cost of control

Question 99

Steps for Quantitative Analysis

Answer 99

Assign Asset value (AV)
Calculate Exposure Factor (EF)
Calculate Single Loss Expectancy (SLE)
Assess the annualized rate of occurrence (ARO)
Derive the Annualized loss expectancy (ALE)
Perform cost/benefit analysis of countermeasures

Question 100

Key Performance Indicator (KPI)

Answer 100

Performance objectives for the system. not meeting objectives could be a sign of an incident

Question 101

Key Risk Indicator (KRI)

Answer 101

A trigger for a risk
Provide early warning
Provide backward-looking view on risk events
Enable documentation and analysis of trends
Provide an indication of risk appetite and tolerance
Increase the likelihood of achieving strategic objectives
Assist in optimizing risk governance

Question 102

Wassenaar Arrangement

Answer 102

Cryptographic software is allowed to non-government end-users of other countries
No exporting of strong encryption software to terrorist states

Question 103

Import Restrictions

Answer 103

Some countries do not allow import of crypto tools with strong encryption unless a copy of the private keys is provided to law enforcement so they can break the encryption

Question 104

HIPAA

Answer 104

Regulation of Health info for individuals

Question 105

Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)

Answer 105

Financial agencies required to protect financial information

Question 106

Payment Card Industry Data Security Standard (PCI DSS)

Answer 106

Self regulated for credit card information

Question 107

Parol Evidence

Answer 107

When agreement in written form, it contains all terms of the agreement. No verbal agreements can modify written agreement