Domain 1: Security and Risk Management Flashcards

1
Q

What is the CIA Triad?

A

Confidentiality
Integrity
Availability

2
Q

What is a Security Program?
- People

A

Training and Awareness
Knowledge and Skill Set
Company Culture

3
Q

What is a Security Program?
- Process

A

Strategic Planning
Management
Systems
Frameworks
Compliance with Standards
Audit

4
Q

What is a Security Program?
- Technology

A

The success of the technology is driven by the people and processes of the organisation.

5
Q

What is GRC?

A

Governance, Risk, Compliance

6
Q

What is Governance?

A

Top leadership being accountable. Buy-in from the executive level.

7
Q

What is Risk?

A

The likelihood of a threat exploiting a vulnerability and the costs associated with it.

Controls for risk must be cost effective.

8
Q

What is Compliance?

A

Auditing and monitoring to ensure methods of risk control are actioned.

9
Q

How do you make any security activity successful?

A

You get support and buy-in from Senior Leadership.

10
Q

All security decisions should relate to…

A

Risk Management.

11
Q

Due diligence is…

A

… doing the research.

12
Q

Due care is…

A

… acting on the due diligence.

13
Q

Prudent Person rule means…

A

…asking “have I done what any prudent person would do?”

14
Q

Who is ULTIMATELY responsible (sometimes called “Accountable”) for the security within an organisation?

A

Senior management.

15
Q

What are the five desirable goals of NIST CSF?

A

1: Identify
2: Protect
3: Detect
4: Respond
5: Recover

16
Q

What are the 7 steps of the NIST CSF?

A
  1. Prioritise and scope
  2. Orient
  3. Create a current profile
  4. Conduct a risk assessment
  5. Create a target profile
  6. Determine, analyse and prioritise gaps
  7. Implement action plan
17
Q

What are the stages of the CMMI (Capability Maturity Model Integration)?
(Carnegie Mellon)

A

  1. Initial
  2. Developing
  3. Defined
  4. Managed
  5. Optimised

18
Q

What constitutes an Information Security Program?

A
  • Provides the means for achieving strategy
  • Policies/ Standards / Procedures
  • Controls and Control Objectives
  • Roles and Responsibilities
  • 3rd Party Governance
  • Data Classification / Security
  • Certification & Accreditation (or Assessment & Authorisation)
  • Auditing
19
Q

Three Main Types of Policy are…

A
  1. Corporate Policy
  2. System Specific Policy
  3. Issue Specific Policy
20
Q

What makes up the backbone of an Information Security Program?

A
  • Standards
  • Procedures
  • Baselines
  • Guidelines