Domain 1: Security and Risk Management

Question 1

What is the CIA Triad?

Answer 1

Confidentiality
Integrity
Availability

Question 2

What is a Security Program?
- People

Answer 2

Training and Awareness
Knowledge and Skill Set
Company Culture

Question 3

What is a Security Program
- Process

Answer 3

Strategic Planning
Management
Systems
Frameworks
Compliance with Standards
Audit

Question 4

What is a Security Program
- Technology

Answer 4

The success of the technology is driven by the people and processes of the organisation.

Question 5

What is GRC?

Answer 5

Governance, Risk, Compliance

Question 6

What is Governance

Answer 6

Top leadership being accountable. Buy in from Executive Level.

Question 7

What is Risk?

Answer 7

The likelihood of a threat exploiting a vulnerability and the costs associated with it.

Controls for risk must be cost effective.

Question 8

What is Compliance?

Answer 8

Auditing and monitoring to ensure methods of risk control are actioned.

Question 9

How do you make any security activity successful?

Answer 9

You get support and buy-in from Senior Leadership.

Question 10

All security decisions should relate to…

Answer 10

Risk Management.

Question 11

Due diligence is…

Answer 11

… doing the research.

Question 12

Due care is…

Answer 12

… acting on the due diligence.

Question 13

Prudent Person rule means…

Answer 13

…asking “have I done what any Prudent Person would do”?

Question 14

Who is ULTIMATELY responsible (sometimes called “Accountable”) for the security within an organisation?

Answer 14

Senior management.

Question 15

What are the five desirable goals of NIST CSF?

Answer 15

1: Identify
2: Protect
3: Detect
4: Respond
5: Recover

Question 16

What are the 7 steps of the NIST CSF?

Answer 16

1. Prioritise and scope
2. Orient
3. Create a current profile
4. Conduct a risk assessment
5. Create a target profile
6. Determine, analyse and prioritise gaps
7. Implement action plan

Question 17

What are the stages of the CMMI (Capability Maturity Model Integrated)?
(Carnegie Melon)

Answer 17

1.0 Initial
2.0 Developing
3.0 Defined
4.0 Managed
5.0 Optimised

Question 18

What constitutes an Information Security Program?

Answer 18

• Provides the means for achieving strategy
• Policies/ Standards / Procedures
• Controls and Control Objectives
• Roles and Responsibilities
• 3rd Party Governance
• Data Classification / Security
• Certification & Accreditation (or Assessment & Authorisation)
• Auditing

Question 19

Three Main Types of Policy are…

Answer 19

1. Corporate Policy
2. System Specific Policy
3. Issue Specific Policy

Question 20

What make up the backbone of an Information Security Program?

Answer 20

• Standards
• Procedures
• Baselines
• Guidelines