Domain 1: Security and Risk Management

Question 1

Audit/Auditing

Answer 1

The tools, processes, and activities used to perform compliance reviews.

Question 2

Availability

Answer 2

Ensuring timely and reliable access to and use of information by authorized users.

Question 3

Business Continuity(BC)

Answer 3

Actions, processes, and tools for ensuring an organization can continue critical operations during a contingency.

Question 4

Business impact analysis(BIA)

Answer 4

A list of the organization’s assets, annotated to reflect the criticality of each asset to the organization.

Question 5

Compliance

Answer 5

Adherence to a mandate; both the actions demonstrating adherence and the tools, processes, and documentation that are used in adherence.

Question 6

Confidentiality

Answer 6

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Question 7

Data subject

Answer 7

The individual human related to a set of personal data.

Question 8

Disaster recovery(DR)

Answer 8

Those tasks and activities required to bring an organization back from contingency operations and reinstate regular operations.

Question 9

Due care

Answer 9

A legal concept pertaining to the duty owed by a provider to a customer.

Question 10

Due diligence

Answer 10

Actions taken by a vendor to demonstrate/provide due care.

Question 11

Governance

Answer 11

The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles. and procedures the organization uses to make those decisions.

Question 12

Governance committee

Answer 12

A formal body of personnel who determine how decisions will be made within the organization and the entity that can approve changes and exceptions to current relevant governance.

Question 13

Guidelines

Answer 13

Suggested practices and expectations of activity to best accomplish tasks and attain goals.

Question 14

Integrity

Answer 14

Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.

Question 15

Intellectual Property

Answer 15

Intangible assets (notably, includes software and data).

Question 16

Maximum allowable downtime(MAD)

Answer 16

The measure of how long an organization can survive an interruption of critical functions. [also known as maximum tolerable downtime(MTD)]

Question 17

Personally Identifiable information (PII)

Answer 17

Any data about a human being that could be used to identify that person.

Question 18

Policy

Answer 18

Documents published and promulgated by senior management dictating and describing the organization’s strategic goals.

Question 19

Privacy

Answer 19

The right of human individual to control the distribution of information about themselves.

Question 20

Procedures

Answer 20

Explicit, repeatable activities to accomplish a specific task. Procedures can address one-time or infrequent actions or common, regular occurrences.

Question 21

Recovery time objective (RTO)

Answer 21

The target time set for recovering from any interruption

Question 22

Residual Risk

Answer 22

The risk remaining after security controls have been put in place as a means of risk mitigation.

Question 23

Risk

Answer 23

The possibility of damage or harm and the likelihood that damage or harm will be realized.

Question 24

Risk Acceptance

Answer 24

Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.

Question 25

Risk avoidance

Answer 25

Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.

Question 26

Risk mitigation

Answer 26

Putting security controls in place to attenuate the possible impact or likelihood, or both, of a specific risk.

Question 27

Risk transference

Answer 27

Paying an external party to accept the financial impact of a given risk.

Question 28

Security control framework

Answer 28

A notional construct outlining the organization’s approach to security, including a list of specific security processes, procedures. and solutions used by the organization.

Question 29

Security governance

Answer 29

The entirety of the policies, roles. and processes the organization uses to make security decisions in an organization.

Question 30

Standards

Answer 30

Specific mandates explicitly stating expectations of performance or conformance.