Domain 1: Security and Risk Management Flashcards

Review key terms related to governance, risk, compliance, and security principles.

1
Q

Define:

Acceptable Use Policy

A

A set of rules specifying the norms and responsibilities for using organizational networks and systems, aiming to prevent misuse and protect digital assets.

A policy that defines the acceptable behaviors and actions of users when interacting with a network or system. It typically outlines user responsibilities, prohibited activities, and potential consequences for violations. The policy serves as a guideline for proper and respectful use of resources, and it helps protect the network, its users, and the organization from potential legal issues, security breaches, or reputation damage.

For more information, view this lecture on Information Security Governance: Policies, Procedures, Guideline, and Frameworks. Or visit this Wikipedia page.

2
Q

Define:

Acceptance (as Related to Risk) or Accepting Risk

A

A risk management approach whereby certain risks are deliberately acknowledged without immediate remediation, deeming them within tolerable limits.

In risk management, the accepted ways of handling a risk are usually summarized as the "Four T's":

Treat - Implement measures that reduce the likelihood or the impact of the risk, typically by changing processes, procedures, or technology.

Transfer - Shift the financial consequences of the risk to a third party through insurance, outsourcing, or contractual arrangements. Transfer shares the cost of a loss; it does not remove the organization's accountability to its customers or regulators.

Tolerate - Accept the risk without further action because it falls within the organization's risk appetite and tolerance, often because the cost of treating it would exceed the benefit. Acceptance should be a documented decision made by someone with the authority to accept that level of loss, and it should be revisited when the asset, the threat, or the environment changes.

Terminate - Avoid the risk altogether by discontinuing the activity that creates it, for example by changing a business practice or retiring a service.

Risk rejection, knowing a risk exists and simply ignoring it, is sometimes listed as a fifth option. It is never acceptable.

For more information, view this lecture on Risk Management - Identification. Or visit this Wikipedia page.

3
Q

Define:

Account Policy Enforcement

A

Implementing rules for managing user accounts, including password requirements and session management, to ensure security and compliance.

The implementation and enforcement of the rules and procedures that govern how user accounts are managed within a system, including password length and complexity, account lockout after repeated failed logins, session timeouts, and the access rights granted to each account. The point of enforcement is that the system applies the policy automatically (rejecting a non-compliant password, locking the account, expiring the session) rather than relying on users to follow it. Lockout thresholds need care: set too low, they let an attacker lock legitimate users out simply by entering wrong passwords on purpose. Enforcing account policies helps maintain system security, protect user data, prevent unauthorized access, and ensure regulatory compliance.

4
Q

Define:

Accountability

A

The responsibility of individuals for their actions within a system, with activities tracked and recorded for security and policy adherence.

The principle that individuals are held responsible for their actions within a system. In practice this means tracking and recording user activity, usually through auditing and logging mechanisms, so that every action can be traced back to the individual who performed it. Accountability depends on two things: each user must have a unique identity (shared accounts make actions untraceable), and the logs must be protected so that the users they record cannot alter or delete them. Accountability helps deter malicious activity, supports incident response and forensic analysis, and ensures that users follow policies and procedures.

For more information, view this lecture on IAAA- Part 1- Identification, Authentication, Authorization, and Accountability. Or visit this Wikipedia page.

5
Q

Define:

Accountability of Governance

A

The responsibility of management to establish and maintain effective security policies and ensure the integrity and protection of systems and data.

This principle emphasizes that those in governing roles bear responsibility for the decisions and actions within their purview. In the context of a system or network, it means that management is responsible for the establishment, implementation, and effectiveness of security policies and procedures. This accountability ensures that governance roles prioritize system integrity, data protection, and adherence to regulatory standards.

For more information, visit this Wikipedia page.

6
Q

Define:

Accountable Party

A

A person or entity responsible for sensitive information, security processes, and risk management, with authority to enforce compliance and resource allocation.

The individual or entity that is ultimately responsible for ensuring that activities involving sensitive information, security processes, or risk management practices are carried out properly and in line with organizational policies and standards. The accountable party is answerable for the outcomes of the decisions made, including the implementation of controls and mitigation of risks, and is typically a senior executive or manager who has the authority to commit resources and enforce actions. This role involves oversight and governance and is distinct from the roles of individuals who may be responsible for performing the day-to-day tasks associated with these activities.

For more information, visit this Wikipedia page.

7
Q

Define:

Acquisitions

A

A business process of purchasing another company, with IT implications for system integration, data management, and security.

In the business context, acquisitions refer to the process of one company purchasing most or all of another company's shares or assets in order to take control of that company. For IT and cybersecurity, an acquisition means inheriting the target's technology, data, and security posture: any existing compromise, unpatched system, or undocumented asset becomes the acquirer's problem the moment the two networks are joined. It is therefore critical to conduct thorough due diligence, including a security assessment of the target, and to plan the secure integration of systems, networks, and data before connectivity is established, in order to manage the resulting risks and to ensure regulatory compliance.

For more information, view this lecture on 3rd Party, Acquisitions, and Divesture Security. Or visit this Wikipedia page.

8
Q

Define:

Active Response

A

Immediate security action to block or mitigate threats, used in systems like intrusion detection and prevention.

A security measure that acts immediately, without waiting for an analyst, to prevent or mitigate a detected threat. It is the defining feature of an intrusion prevention system (IPS) as opposed to a detection-only IDS. Examples include blocking a source IP address after multiple failed login attempts, resetting a malicious connection, or disabling a network port that is being used for an attack. Because the response is automatic, it can be turned against the organization: an attacker who can trigger the rule (by spoofing a source address or by deliberately failing logins from an address that legitimate users share) can cause those users or a management network to be blocked. Active response rules therefore need sensible thresholds, time-limited blocks, and allowlists for critical sources.
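To make the blocking example concrete, here is an added Python illustration (not from the course or any product): it reads constructed sshd syslog lines, counts failed logins per source address over a sliding time window, and decides which addresses to block, while refusing to block an allowlisted management network and reporting it instead. The log lines, host names, addresses (RFC 5737 documentation ranges), threshold, and window are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd syslog lines (RFC 5737 documentation addresses); not a real log.
SAMPLE_LOG = """\
Mar 10 08:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40110 ssh2
Mar 10 08:00:03 bastion sshd[1202]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 10 08:00:04 bastion sshd[1203]: Failed password for root from 203.0.113.5 port 40113 ssh2
Mar 10 08:00:06 bastion sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 40115 ssh2
Mar 10 08:00:07 bastion sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 40116 ssh2
Mar 10 08:00:09 bastion sshd[1206]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Mar 10 08:00:11 bastion sshd[1207]: Failed password for alice from 198.51.100.7 port 50123 ssh2
Mar 10 08:00:12 bastion sshd[1208]: Failed password for ops from 192.0.2.10 port 50200 ssh2
Mar 10 08:00:13 bastion sshd[1209]: Failed password for ops from 192.0.2.10 port 50201 ssh2
Mar 10 08:00:14 bastion sshd[1210]: Failed password for ops from 192.0.2.10 port 50202 ssh2
Mar 10 08:00:15 bastion sshd[1211]: Failed password for ops from 192.0.2.10 port 50203 ssh2
Mar 10 08:00:16 bastion sshd[1212]: Failed password for ops from 192.0.2.10 port 50204 ssh2
Mar 10 08:20:00 bastion sshd[1300]: Failed password for root from 203.0.113.99 port 41000 ssh2
Mar 10 08:25:00 bastion sshd[1301]: Failed password for root from 203.0.113.99 port 41001 ssh2
Mar 10 08:30:00 bastion sshd[1302]: Failed password for root from 203.0.113.99 port 41002 ssh2
Mar 10 08:35:00 bastion sshd[1303]: Failed password for root from 203.0.113.99 port 41003 ssh2
Mar 10 08:40:00 bastion sshd[1304]: Failed password for root from 203.0.113.99 port 41004 ssh2
"""

# Matches OpenSSH's "Failed password" line; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, user, source address) for every failed-login line, in log order.
    Syslog timestamps carry no year, so the caller supplies one (2024 is assumed here)."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not counted
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["user"], ipaddress.ip_address(m["ip"])))
    return failures


def plan_active_response(log_text, threshold=5, window_minutes=10, allowlist=()):
    """Decide which source addresses to block.

    A source is blocked the first time it accumulates `threshold` failed logins inside
    any sliding window of `window_minutes`. Sources inside an allowlisted network are
    never blocked, only reported, so an attacker cannot use this rule to lock the
    organization out of its own management network.
    Returns (blocked, suppressed): blocked maps address -> (decision time, failures in
    window); suppressed is the set of allowlisted addresses that would otherwise be blocked.
    """
    nets = [ipaddress.ip_network(n) for n in allowlist]
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # address -> timestamps of failures still inside the window
    blocked, suppressed = {}, set()
    for ts, _user, ip in parse_failures(log_text):
        if ip in blocked:
            continue  # already decided; later failures change nothing
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # expire failures that have fallen out of the window
        if len(q) >= threshold:
            if any(ip in net for net in nets):
                suppressed.add(ip)  # would block, but the source is allowlisted
            else:
                blocked[ip] = (ts, len(q))
    return blocked, suppressed


if __name__ == "__main__":
    blocked, suppressed = plan_active_response(SAMPLE_LOG, allowlist=("192.0.2.0/24",))
    for ip, (when, count) in blocked.items():
        print(f"block {ip}: {count} failures by {when:%H:%M:%S}")
    for ip in suppressed:
        print(f"alert only, allowlisted source: {ip}")
```

With the default ten-minute window, 203.0.113.5 is blocked on its fifth failure, 192.0.2.10 trips the threshold but is only reported because it sits in the allowlisted range, and 203.0.113.99 is not blocked at all because its five failures are spread over twenty minutes; widen the window to an hour and it is caught. In a real deployment the block decision would be pushed to a firewall or host rule with an expiry, which is the pattern tools such as fail2ban implement.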

9
Q

Define:

Adequate Security

A

A level of protection deemed sufficient for securing information systems and data against losses or damage, balancing potential harm against security costs.

The level of security considered sufficient to protect an information system, data, or network from unacceptable losses or damage. This typically involves a balance between the potential harm caused by a security incident and the cost and effort of implementing security measures. Adequate security is often defined by regulatory requirements, industry standards, or an organization’s risk tolerance and may vary depending on the nature of the assets being protected and the threat landscape.

10
Q

Define:

Admissible Evidence

A

Legally acceptable evidence in a court of law, relevant and obtained properly; in IT, it includes data like logs and digital documents that must be preserved following digital forensic standards.

Any evidence that is legally permitted to be used in a court of law. It must be relevant, reliable, and obtained in a manner that follows the rules of evidence; evidence collected unlawfully, for example by accessing a system without authority, may be excluded no matter what it shows. Admissible evidence is used in criminal and civil trials to prove or disprove the claims of the parties. Examples include eyewitness testimony, physical evidence, and expert witness testimony. In IT, digital evidence such as logs, emails, disk images, and forensic reports must be gathered and preserved following proper digital forensic procedures so that its integrity and authenticity can be shown: a documented chain of custody recording who collected each item, when, and who has handled it since, and cryptographic hashes taken at collection so that the copy examined can be proven identical to the original.

For more information, view this lecture on Laws and Regulations- Evidence. Or visit this Wikipedia page.

11
Q

Define:

Advisory

A

A formal notice informing about specific security issues, like vulnerabilities or threats, to help organizations maintain security awareness and response readiness.

A formal communication, often issued by a trusted security organization, vendor, or government entity, that provides information about a specific security issue, such as a newly discovered vulnerability, a novel threat, or a best practice for securing a system or network. Advisories play a crucial role in raising awareness of security risks and helping organizations respond effectively to maintain their security posture.

For more information, view this lecture on Information Security Governance: Policies, Procedures, Guideline, and Frameworks.

12
Q

Define:

Advisory Policy

A

A policy offering strategic guidance and recommendations to achieve security objectives, as opposed to mandatory policies, which are prescriptive.

A type of policy that provides strategic guidance on actions to be taken to achieve certain objectives, often within the context of security best practices. Unlike mandatory policies that dictate specific requirements, advisory policies typically offer recommendations and guidance for improving security. They can cover a wide range of topics, from password complexity and user behavior to disaster recovery strategies and incident response procedures.

For more information, view this lecture on Information Security Governance: Policies, Procedures, Guideline, and Frameworks.

13
Q

Define:

Air-gapped Networks

A

Isolated systems physically separated from unsecured networks like the Internet.

Air-gapped networks consist of systems deliberately disconnected from public or external networks to prevent remote intrusion. This physical isolation removes the network paths most attacks rely on, which makes air gaps the norm for classified or highly sensitive environments. The gap only blocks network traffic, however: removable media, portable devices brought in for maintenance, and tampered hardware or software in the supply chain can still carry malware across it. Air-gapped systems therefore need controlled and auditable methods for moving data in and out, strict rules on media and devices, and careful management of insider threats to preserve their operational integrity.

For more information, visit this Wikipedia page.

14
Q

Define:

Amortization

A

The financial process of spreading the cost of a debt or an intangible asset over a period, reflecting the gradual repayment of the debt or the write-down of the asset; relevant in IT for software and project investments.

A financial concept referring to the process of gradually paying off a debt over time through scheduled, typically fixed, payments. Each payment includes a portion that goes toward reducing the principal amount borrowed and a portion that covers the interest on the debt. Amortization also refers to spreading the cost of an intangible asset (software licenses, patents, capitalized development work) over its useful life for accounting and tax purposes; the equivalent process for tangible assets such as servers is called depreciation. This allows businesses to write off the value of an asset incrementally, reflecting its consumption or obsolescence over time. In IT, for example, the cost of software or of developing a technology project may be amortized over the period it is expected to provide value, which is also the period over which a security investment's cost should be compared with the losses it prevents.

For more information, visit this Wikipedia page.

15
Q

Define:

Annualized Loss Expectancy

(ALE)

A

A risk management calculation estimating the expected yearly cost of losses from a given risk, using the formula ALE = SLE x ARO, which helps prioritize security investments.

A calculation used in quantitative risk analysis to estimate the yearly cost of potential losses from an identified risk. It is determined by multiplying the Single Loss Expectancy (SLE), the cost of one occurrence of the event, by the Annualized Rate of Occurrence (ARO), the number of times the event is expected per year: ALE = SLE x ARO. The SLE is itself derived from the asset value (AV) and the exposure factor (EF), the fraction of the asset's value that one incident destroys: SLE = AV x EF. ALE lets organizations rank risks by expected annual loss, and comparing the ALE before and after a proposed control with the control's annual cost shows whether the control is worth buying. ARO (Annualized Rate of Occurrence) - The estimated frequency at which a specific threat or event is expected to occur within a one-year period. SLE (Single Loss Expectancy) - The estimated monetary loss or impact from a single occurrence of a specific threat or event.

For more information, view this lecture on Risk Management- Assessment Part 2. Or visit this Wikipedia page.

16
Q

Define:

Annualized Rate of Occurrence

(ARO)

A

A risk assessment measure estimating the likelihood of a security incident occurring within a year, used to understand and manage risk exposure.

A measure used in risk assessment that estimates how many times a particular security incident is expected to occur in a year. It is a probabilistic estimate, usually based on historical data, industry statistics, or expert judgment, and it is the factor that turns a single loss expectancy into an annual figure (ALE = SLE x ARO). If an event is expected to happen five times a year, its ARO is 5; if it is expected once every five years, its ARO is 0.2. By considering the ARO alongside the potential impact of an incident, organizations can better understand and manage their risk exposure, helping to prioritize security investments and mitigation strategies.

For more information, view this lecture on Risk Management- Assessment Part 2. Or visit this Wikipedia page.
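A worked example of the formulas in this card and in the ALE card above, added here as an illustration rather than taken from the course: it computes SLE = AV x EF and ALE = SLE x ARO for three constructed risks, ranks them by expected annual loss, and goes one step beyond the definitions by scoring candidate safeguards with the usual cost/benefit rule, value = ALE(before) - ALE(after) - annual cost of the safeguard. Every figure, risk name, and control is invented for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset to the organization
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0.0 to 1.0
    aro: float              # ARO: expected occurrences per year (0.2 = once every five years)

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float                           # purchase, licensing and operation, per year
    new_exposure_factor: Optional[float] = None  # set when the control reduces impact
    new_aro: Optional[float] = None              # set when the control reduces likelihood


def residual_risk(risk: Risk, safeguard: Safeguard) -> Risk:
    """The same risk with the EF and/or ARO the safeguard is expected to leave behind."""
    ef = risk.exposure_factor if safeguard.new_exposure_factor is None else safeguard.new_exposure_factor
    aro = risk.aro if safeguard.new_aro is None else safeguard.new_aro
    return Risk(risk.name, risk.asset_value, ef, aro)


def safeguard_value(risk: Risk, safeguard: Safeguard) -> float:
    """Annual value of a control = ALE(before) - ALE(after) - annual cost of the control.
    Positive: the control pays for itself. Negative: tolerate (accept) or transfer the
    risk, or look for a cheaper control."""
    return risk.ale - residual_risk(risk, safeguard).ale - safeguard.annual_cost


def rank_by_ale(risks):
    """Highest expected annual loss first: the order in which to spend on mitigation."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Constructed illustrative figures; not data from any real organization.
EXAMPLE_RISKS = [
    Risk("ransomware on file server", asset_value=500_000, exposure_factor=0.6, aro=0.5),
    Risk("laptop theft", asset_value=2_000, exposure_factor=1.0, aro=12),
    Risk("data-center flood", asset_value=4_000_000, exposure_factor=0.25, aro=0.02),
]
# One candidate control per risk, in the same order.
EXAMPLE_SAFEGUARDS = [
    Safeguard("offline, tested backups", annual_cost=30_000, new_exposure_factor=0.1),
    Safeguard("full-disk encryption on laptops", annual_cost=5_000, new_exposure_factor=0.1),
    Safeguard("flood barriers", annual_cost=50_000, new_aro=0.005),
]


if __name__ == "__main__":
    for risk in rank_by_ale(EXAMPLE_RISKS):
        print(f"{risk.name:28} SLE {risk.sle:>12,.0f}  ARO {risk.aro:>5}  ALE {risk.ale:>10,.0f}")
    for risk, control in zip(EXAMPLE_RISKS, EXAMPLE_SAFEGUARDS):
        value = safeguard_value(risk, control)
        verdict = "buy" if value > 0 else "tolerate or transfer"
        print(f"{control.name:34} value per year {value:>10,.0f}  -> {verdict}")
```

Run as a script, the ranking puts ransomware (ALE 150,000) ahead of laptop theft (24,000) and flooding (20,000). Backups are worth about 95,000 a year and laptop encryption about 16,600, while flood barriers cost 50,000 to remove 15,000 of expected loss, so for that risk tolerating it or transferring it through insurance is the rational choice. The numbers only matter relative to each other; the weak point of the method in practice is the ARO estimate, which is why the inputs and their sources should be recorded alongside the result.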

17
Q

Define:

Anonymization of Data

A

The process of removing identifiable information from data to preserve individual anonymity while still enabling data analysis.

The process of removing or obfuscating personally identifiable information from a dataset in such a way that the individuals the data describes cannot be identified. Techniques include data masking (hiding part of a value), pseudonymization (replacing an identifier with a token, keyed so that the token cannot be recomputed from a guess), generalization (age bands instead of ages, partial postcodes instead of full ones), and data shuffling. Two caveats matter in practice. First, pseudonymized data is still personal data as long as the key or any other means of re-identification exists; the GDPR says so explicitly. Second, removing names is not enough: quasi-identifiers such as age, postcode, and date of birth can in combination single out an individual, so true anonymization generalizes those values until enough people share each combination. The goal is to protect individual privacy, especially where data is shared or published, while still enabling useful analysis.

For more information, visit this Wikipedia page.
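An added example (not from the course) of the techniques named above, in Python: keyed pseudonymization with HMAC-SHA256, display masking, and generalization of quasi-identifiers, next to the linkage attack that defeats an unkeyed hash of an identifier. The records, the key, and the field names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed records about fictitious people; not real data.
RECORDS = [
    {"email": "alice@example.com", "age": 34, "postcode": "SW1A 1AA", "diagnosis": "asthma"},
    {"email": "bob@example.org", "age": 71, "postcode": "EH1 2NG", "diagnosis": "diabetes"},
    {"email": "alice@example.com", "age": 34, "postcode": "SW1A 1AA", "diagnosis": "migraine"},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated). The same identifier always
    maps to the same token, so records about one person can still be joined, but without
    the key a token can neither be reversed nor recomputed from a guessed identifier."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def naive_token(identifier: str) -> str:
    """What not to do: an unkeyed hash of the identifier. Anyone can hash guesses and compare."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Display masking for operational screens: keeps the domain, hides the local part."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"


def generalize_age(age: int, width: int = 10) -> str:
    """Replace an exact age with a band, e.g. 34 -> '30-39'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def anonymize(records, key: bytes):
    """Pseudonymize the direct identifier and generalize the quasi-identifiers."""
    return [
        {
            "subject": pseudonym(r["email"], key),
            "age_band": generalize_age(r["age"]),
            "area": r["postcode"].split()[0],  # outward code only, not the full postcode
            "diagnosis": r["diagnosis"],
        }
        for r in records
    ]


def reidentify(tokens, candidates):
    """Linkage attack against naive tokens: hash every identifier on a candidate list
    (a leaked customer list, an address book) and look for matches in the dataset."""
    table = {naive_token(c): c for c in candidates}
    return {t: table[t] for t in tokens if t in table}


if __name__ == "__main__":
    # The key never leaves the organization; destroying it after the release is what turns
    # a pseudonymized dataset into an anonymized one.
    key = secrets.token_bytes(32)
    for row in anonymize(RECORDS, key):
        print(row)
    guesses = ["carol@example.net", "alice@example.com"]
    print("naive tokens re-identified:", reidentify([naive_token(r["email"]) for r in RECORDS], guesses))
    print("keyed tokens re-identified:", reidentify([pseudonym(r["email"], key) for r in RECORDS], guesses))
```

The two `reidentify` calls are the point: the unkeyed tokens give Alice back from a two-entry guess list, the keyed ones give nothing. Note that even the keyed output is not automatically safe to publish; if only one person in area SW1A falls into the 30-39 band, the combination of the generalized fields still singles her out, which is the kind of check (k-anonymity) that has to be run on the output before release.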

18
Q

Define:

Appearance of Independence

A

The perception that an individual or organization is unbiased and not influenced by external factors, important for roles requiring objectivity like auditing.

The perception or appearance that an individual or organization is not influenced or biased by outside forces. It is used in professional settings, such as in auditing, to ensure impartiality and objectivity. Examples include a judge appearing unbiased in a court case, an auditor appearing independent in a financial audit, and a journalist appearing objective in their reporting.

For more information, view this lecture on Audit strategies for cloud and hybrid environments - part 1. Or visit this Wikipedia page.

19
Q

Define:

Assessment

A

The evaluation process of systems, applications, or networks to identify and address vulnerabilities and weaknesses, examining people, processes, and technologies.

This refers to the evaluation of systems, applications, and networks to identify vulnerabilities, weaknesses, and potential improvements. This process typically involves examining an organization’s people, processes, and technologies. Assessments are critical for identifying security gaps and formulating remediation plans to mitigate the risk of threats and exploits.

For more information, view this lecture on Risk Management- Assessment Part 1.

20
Q

Define:

Asset Tracking

A

The systematic monitoring of physical or digital assets to manage inventory and security.

Asset tracking involves using technologies like RFID, barcodes, or GPS to monitor the location, status, and movement of valuable resources within an organization. This process enhances operational efficiency by ensuring assets are well-managed, readily located, and properly maintained. It also supports inventory control and loss prevention by providing detailed records and real-time tracking information.

For more information, view this lecture on Asset tracking and hardware hardening. Or visit this Wikipedia page.

21
Q

Define:

Asset Valuation

A

Determining the worth of an organization’s assets based on financial or operational impact, aiding in prioritizing security measures and investments.

The process of determining the financial or operational value of an organization's assets. This can include hardware, software, data, or any other resource that supports business functions, and the value should reflect not just purchase price but replacement cost, the revenue the asset supports, and the liability its loss or disclosure would create. In quantitative risk analysis the asset value (AV) is the starting point for the single loss expectancy (SLE = AV x EF), so the valuation directly drives how much it is rational to spend on protecting the asset and how security investments are prioritized.

For more information, view this lecture on External dependencies in BIA. Or visit this Wikipedia page.

22
Q

Define:

Asset-based Risk Perspective

A

Assessing security risks by analyzing potential threats to specific assets, focusing on vulnerabilities and impact to prioritize asset protection.

This involves assessing security risks based on the potential threats to specific assets within an organization. This approach identifies the vulnerabilities and threats specific to each asset and estimates the potential impact if a security incident were to occur. The focus is on protecting the most valuable or sensitive assets to minimize the overall risk to the organization.

23
Q

Define:

Assurance

A

The level of confidence in the security measures implemented to protect systems and data, verified through audits, testing, and reviews.

The degree of confidence one has in the security measures implemented to protect an organization’s systems and data. It involves various practices, including regular audits, testing, and reviews, to verify that the implemented security controls are effective and that they meet the organization’s security objectives.

For more information, visit this Wikipedia page.

24
Q

Define:

Assurance Engagement

A

An independent examination of an organization’s security controls to provide stakeholders with confidence in the entity’s security posture.

An examination conducted by an independent party to evaluate the effectiveness of security controls within an organization. The engagement typically includes a thorough review of systems and processes to provide stakeholders with a level of confidence in the security posture of the entity.

For more information, visit this Wikipedia page.

25
# Define: Attestation Engagement
A type of audit where an independent auditor **examines controls** within an organization, resulting in a report that can demonstrate **compliance**.

## Footnote
A type of assurance engagement in which an independent auditor examines and reports on controls within an organization, usually against a recognized framework. The result is an attestation report that management can hand to customers, regulators, and other stakeholders to demonstrate compliance; SOC 1 and SOC 2 reports are common examples.
26
# Define: Attribute Sampling
**Selecting a subset of items** from a **population** and checking each for a given **attribute**, in order to estimate how common that attribute is across the whole population; in auditing the attribute is usually a control **deviation**.

## Footnote
A statistical sampling method in which items are drawn from a larger population and each is checked for the presence or absence of a specific characteristic, or "attribute." The rate observed in the sample is then used to infer the rate in the population, within a stated confidence level and tolerable error. Auditors use it to test controls, for example pulling a sample of change tickets to estimate how many changes went live without approval, and security teams apply the same idea to log reviews or transaction checks where examining every record is impractical. The residual uncertainty is sampling risk: the chance that the sample supports a conclusion that would not hold for the whole population.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Sampling_risk).*
27
# Define: Authenticity
The **assurance** that data or a message truly originates from its **claimed source**, important in security for preventing **phishing or identity theft**.

## Footnote
The assurance that a message, transaction, or data origin is indeed from the source it claims to be. Ensuring authenticity is crucial in preventing activities such as phishing, identity theft, and forgery. Techniques used to establish it include digital signatures and the certificates that bind a public key to an identity, message authentication codes, and, for physical or media assets, watermarking. Encryption on its own does not prove origin: a ciphertext says nothing about who produced it unless it is combined with a signature or an authenticated-encryption mode.

*For more information, view this lecture on [The CIA Triad- Part 1- Confidentiality, Integrity, and Availability](https://courses.thorteaches.com/courses/take/cissp/lessons/18551695-the-cia-triad-part-1-confidentiality-integrity-and-availability). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Authenticity).*
28
# Define: Authority
The **power** or right to **enforce rules** and **grant permissions** in a **system**.

## Footnote
Authority in security contexts refers to an entity or framework empowered to set, enforce, and audit policies, control access, and validate identities. It underpins trust within systems by delineating responsibilities and ensuring compliance. Whether implemented through organizational hierarchies or digital certificates (a certificate authority is the canonical technical example), authority establishes the framework necessary for secure and orderly operations across networks and infrastructures. Claimed authority is also one of the main levers used in social engineering attacks, where an attacker impersonates a manager, auditor, or vendor to get staff to act without verification.

*For more information, view this lecture on [Social Engineering attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Social_hacking).*
29
# Define: Authorized Vendor
A vendor approved by an **organization** to **provide goods or services**, based on criteria like security practices and reputation.

## Footnote
A vendor that has been approved by an organization to provide goods or services. This approval is typically based on factors such as the vendor's reputation, security practices, and pricing. For example, a company may have a list of authorized vendors for office supplies, IT services, or marketing services. Only vendors on this list are allowed to provide services to the company.

*For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Social_hacking).*
30
# Define: Availability
In **cybersecurity**, the **assurance** that **systems and data are accessible when needed** by the users who are authorized to use them.

## Footnote
The accessibility of a system, function, or piece of data when it is needed. It is one of the three elements of the CIA triad (Confidentiality, Integrity, Availability) and represents the commitment to ensure that authorized users have timely, continuous, and reliable access to resources and data. Availability is threatened by denial-of-service attacks, hardware and power failures, and ransomware, and is protected by redundancy, backups, capacity planning, and tested recovery procedures.

*For more information, view this lecture on [The CIA Triad- Part 2- Confidentiality, Integrity, and Availability](https://courses.thorteaches.com/courses/take/cissp/lessons/18551704-the-cia-triad-part-2-confidentiality-integrity-and-availability). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Availability).*
31
# Define: Awareness
**Knowledge** of potential **security threats and risks**, often involving training programs to help recognize and defend against threats, like recognizing phishing attempts.

## Footnote
The understanding and recognition of potential security threats, vulnerabilities, and risks. This can involve training and education programs to help individuals and organizations understand how to identify and protect against these threats. For example, a security awareness program may include training on how to spot phishing emails, the importance of strong passwords, and the proper disposal of confidential documents.

*For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Awareness).*
32
# Define: Background Check
Verifying **personal and professional history**, especially important in cybersecurity for personnel with access to sensitive information or systems.

## Footnote
The process of verifying an individual's personal and professional history. In cybersecurity, this is a crucial step in vetting personnel who will have access to sensitive data, systems, or facilities. It typically involves reviewing criminal records, employment history, and other relevant information to assess potential security risks.

*For more information, view this lecture on [Administrative personnel controls](https://courses.thorteaches.com/courses/take/cissp/lessons/19180180-administrative-personnel-controls). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Background_check).*
33
# Define: Balanced Scorecard | (BSC)
A **strategic management tool** aligning **business activities** with organizational **vision** and **strategy**, used in risk management to monitor performance against goals.

## Footnote
A strategic planning and management system used to align business activities with the vision and strategy of the organization. It tracks performance against strategic goals from four perspectives: financial performance, the customer, internal business processes, and learning and growth. A security program can use the same structure to report its own metrics (for example, loss from incidents, customer trust and compliance findings, patch and detection latency, and staff training) so that security posture is presented to management in the same terms as the rest of the business.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Balanced_scorecard).*
34
# Define: Base Case
The **simplest scenario** in a series of **assessments**, serving as a **benchmark for evaluating the impact of changes** such as the introduction of new features to a system.

## Footnote
The simplest instance or the starting point in a series of scenarios, typically used as a benchmark in the context of scenario analysis or problem-solving. For instance, in testing a new security feature, the base case could represent the system's behavior without the new feature being implemented. By examining the base case, one can understand how deviations from this base scenario (like introducing new features or changes) affect the system's performance or security.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Base_case).*
35
# Define: Benchmark
A **standard** or reference used to **evaluate system, process, or product performance**, aiding in testing and optimization for efficiency and effectiveness improvements.

## Footnote
A standard or reference point used to evaluate the performance of a system, process, or product. It is commonly used in testing and optimization to compare and improve the efficiency and effectiveness of different solutions. Examples include performance metrics, test cases, and reference data. In security the word also refers to a published configuration baseline, such as the CIS Benchmarks, against which a system's hardening state is measured.

*For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Benchmark_(computing)).*
36
# Define: Benchmarking
The **process** of **comparing performance** against a **benchmark** to evaluate **quality** and identify **improvement areas**, commonly used in various industries for performance optimization.

## Footnote
The process of comparing the performance of a system, process, or product against a benchmark to evaluate its quality and identify areas for improvement. It is commonly used in industries such as manufacturing, finance, and technology to assess and optimize performance. Examples include process audits, customer surveys, and competitive analysis.

*For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Benchmark_(computing)).*
37
# Define: Benefit
A **positive outcome** or advantage from an **action, decision, or investment**, often evaluated in business and policy analysis to weigh different options' value and impact.

## Footnote
A positive outcome or advantage that results from an action, decision, or investment. It is commonly used in business and policy analysis to evaluate the value and impact of different options. Examples include cost savings, increased productivity, and improved customer satisfaction.

*For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1).*
38
# Define: Benefits Realization
The **process of planning and managing the benefits** of a project or program to ensure they contribute to the organization's **overall goals and strategic objectives**.

## Footnote
The process of identifying, planning, and managing the benefits of a project or program to ensure that they contribute to the organization's overall goals and strategic objectives. It focuses on achieving the expected enhancements in performance, service, and outcomes as a result of the project's deliverables.

*For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Benefits_realisation_management).*
39
# Define: Best Practice
A set of **recognized procedures** considered **effective and efficient**, serving as the **standard** in various areas including security, system hardening, and incident response.

## Footnote
A procedure or set of procedures that is recognized as effective and efficient, typically representing the standard that should be aimed for in a particular area. In a security context, best practices could cover a wide range of areas, from password policies and access controls to incident response planning and system hardening. Adopting these practices can help organizations improve their security posture and mitigate potential risks.

*For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Best_practice).*
40
# Define: Blackmail
**Coercion** through **threats** to expose **sensitive or damaging information**.

## Footnote
Blackmail involves threatening to reveal compromising information unless certain demands are met. In cybersecurity, it can be linked to ransomware or social engineering tactics where attackers exploit private data to force compliance, extract payment, or gain strategic advantages. The act of blackmail undermines trust and can lead to severe personal, financial, or organizational harm, making it a serious crime and security threat.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Blackmail).*
41
# Define: Bollards
**Sturdy physical posts** designed to **restrict** or channel **vehicle access**.

## Footnote

Bollards are short, robust barriers installed in strategic locations to control vehicular traffic and protect buildings or sensitive areas. They serve as a physical deterrent against vehicle-based attacks or accidental collisions. Often incorporated into urban design, campuses, or security perimeters, bollards help enhance safety while maintaining necessary access for authorized vehicles and pedestrians.

*For more information, view this lecture on [Physical security- Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/19149796-physical-security-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Bollard).*
42
# Define: Budget
A **detailed financial plan** projecting an organization's **revenues and expenses**, guiding resource allocation and strategic decision-making, essential for financial management.

## Footnote

A detailed financial plan outlining an organization's expected revenues and expenses over a specific period, typically a fiscal year. Budgets serve as a blueprint for how a company intends to manage its financial resources, allocating funds to various departments, projects, and initiatives. They are essential tools for financial planning and control, helping businesses prioritize expenditures, forecast financial performance, identify potential shortfalls or surpluses, and make informed strategic decisions based on their financial goals and objectives. Budgets are often revised periodically to reflect actual performance and changing circumstances.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Budget).*
43
# Define: Burden of Proof
The **obligation** to present **evidence supporting one's claims**, primarily resting on the prosecution in criminal cases and the plaintiff in civil litigation to prove assertions.

## Footnote

The obligation to present evidence to support one's claim. In legal contexts, it refers to the requirement that a party must show factual evidence to prove their assertions are true, typically resting on the prosecution in criminal cases and on the plaintiff in civil litigation.

*For more information, view this lecture on [Laws and Regulations](https://courses.thorteaches.com/courses/take/cissp/lessons/18552277-laws-and-regulations). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Burden_of_proof_(law)).*
44
# Define: Business Balanced Scorecard
A **strategic tool** translating an organization's **vision into objectives** across financial, customer, process, and learning perspectives, aligning activities with strategy.

## Footnote

A strategic planning and management tool that translates an organization's vision and strategy into clear objectives and measures across four perspectives: financial, customer, internal business processes, and learning and growth. It helps align business activities with the vision and strategy of the organization, improve internal and external communications, and monitor organizational performance against strategic goals.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Balanced_scorecard).*
45
# Define: Business Case
A document outlining the **justification for a project's initiation**, detailing objectives, risks, costs, benefits, and alternatives, vital for resource and effort allocation.

## Footnote

A structured document providing the justification for the initiation of a project or task based on its expected commercial benefits. It outlines the objectives, risks, costs, benefits, and potential alternatives to inform decision-making. It's vital to ensure that resources and efforts invested in a particular project or initiative are worthwhile and aligned with the organization's strategic goals.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_case).*
46
# Define: Business Control
**Practices** and **mechanisms** to **regulate processes, manage risks, and achieve objectives**, spanning financial, operational, IT, and security domains, critical for compliance and protection.

## Footnote

Practices and mechanisms established by an organization to regulate business processes, manage risks, and achieve objectives. Controls span across various domains, including financial, operational, IT, and security, and are critical for maintaining order, ensuring compliance, and safeguarding assets against fraud and other threats.

*For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_control).*
47
# Define: Business Dependency Assessment
**Analysis of critical elements** necessary for key services delivery, identifying dependencies and impacts, crucial for **prioritizing recovery strategies and resources**.

## Footnote

An analysis process that identifies the critical operational elements within an organization, such as people, information, and processes, which are necessary to deliver the key products and services. This process also identifies the interdependencies between these elements and the impact that a disruption to them might have. Understanding these dependencies and their potential impact is crucial in prioritizing recovery strategies and resources during an incident.

*For more information, view this lecture on [BIA (Business Impact Analysis)](https://courses.thorteaches.com/courses/take/cissp/lessons/18588174-bia-business-impact-analysis).*
48
# Define: Business Function
**Specific activities and processes** conducted to achieve **business objectives**, defining core operations such as production or sales functions in respective industries.

## Footnote

The specific activities and processes that are performed by a business to achieve its objectives. It is used to define the core operations of the business. For example, the production function of a manufacturing company or the sales function of a retail store.

*For more information, view this lecture on [BCP and DRP - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180431-bcp-and-drp-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_function).*
49
# Define: Business Goal
An **objective** aimed to be **achieved by an organization**, such as **revenue growth or customer satisfaction improvement**, often driving technology strategies in IT and cybersecurity.

## Footnote

A business goal is an objective that an organization aims to achieve, such as increasing revenue, improving customer satisfaction, or enhancing security posture. In IT and cybersecurity, technology strategies are often aligned with these goals to support the overall vision and success of the business.
50
# Define: Business Impact
The **potential effects** of events on an organization's **operation, reputation, or financial stability**, including consequences from cyber-attacks, breaches, or system failures.

## Footnote

The potential consequences or effects of an event, incident, or change on the operation, reputation, or financial stability of an organization. From a security perspective, the impact can be the result of a successful cyber-attack, data breach, or system failure and may include consequences such as operational downtime, financial loss, or reputational damage.

*For more information, view this lecture on [BIA (Business Impact Analysis)](https://courses.thorteaches.com/courses/take/cissp/lessons/18588174-bia-business-impact-analysis). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_impact_analysis).*
51
# Define: Business Impact Analysis | (BIA)
A **process to identify and evaluate** potential effects of **operational interruptions**, crucial for effective business continuity planning and recovery prioritization.

## Footnote

A systematic process to identify and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident, or emergency. A BIA is crucial for developing an effective business continuity plan as it aids in understanding the organization's business processes, determining the impact of disruptions, and establishing recovery priorities.

*For more information, view this lecture on [BIA (Business Impact Analysis)](https://courses.thorteaches.com/courses/take/cissp/lessons/18588174-bia-business-impact-analysis). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_impact_analysis).*
52
# Define: Business Model for Information Security | (BMIS)
A **holistic approach** to managing information security, considering people, processes, technology, and governance for **system complexity management**.

## Footnote

A holistic and business-oriented approach to managing information security that provides understanding and insight into managing complex systems. It helps organizations understand the different factors that influence successful information security by considering people, processes, and technology, as well as strategy, architecture, and governance.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_Model_for_Information_Security_(BMIS)).*
53
# Define: Business Need Identification - Agree
The phase where **stakeholders reach consensus on prioritizing and addressing business needs**, involving negotiation for collective decision-making.

## Footnote

The "agree" phase of business need identification involves reaching a consensus among stakeholders about which needs should be prioritized and how they should be addressed. This may involve negotiating with different parties to come to an agreement about the best course of action or using a decision-making process to determine which needs are most important.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_Need_Identification_-_Agree).*
54
# Define: Business Need Identification - Ask
The phase of **gathering information about the business needs for a project**, involving stakeholder inquiries or market research for informed planning.

## Footnote

The "ask" phase of business need identification involves gathering information about the business needs that a particular project or initiative is intended to address. This may involve asking stakeholders or other relevant parties about their needs and priorities or conducting market research to gather data about what customers or clients are looking for.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_Need_Identification_-_Ask).*
55
# Define: Business Need Identification - Document
The phase of **creating written records of identified business needs and their proposed solutions**, detailing plans, timelines, budgets, and other relevant facts.

## Footnote

The "document" phase of business need identification involves creating a written record of the business needs identified and how they will be addressed. This may involve creating a written plan or proposal outlining the details of the project or initiative, as well as any relevant timelines, budgets, or other considerations.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_Need_Identification_-_Document).*
56
# Define: Business Need Identification - Evaluate
The phase of **evaluating gathered information** to determine the most **pressing needs and optimal solutions**, involving data analysis and stakeholder consultation.

## Footnote

The "evaluate" phase of business need identification involves evaluating the information gathered during the "ask" phase to determine which needs are most pressing and how they can best be addressed. This may involve analyzing data or conducting interviews with stakeholders to better understand the underlying issues and how they can be resolved.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_Need_Identification_-_Evaluate).*
57
# Define: Business Objective
A **measurable goal** set by an organization to advance its mission, often time-bound with **targets for growth, efficiency, or performance**, driving security strategies.

## Footnote

A specific, measurable goal that an organization aims to achieve to further its mission and vision. Objectives are often time-bound and may include targets related to growth, efficiency, or other aspects of organizational performance. These objectives often drive the strategies and tasks necessary to maintain security and protect the organization's valuable assets.

*For more information, view this lecture on [GRC - Governance, Risk Management, and Compliance](https://courses.thorteaches.com/courses/take/cissp/lessons/45836768-grc-governance-risk-management-and-compliance). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Strategic_planning).*
58
# Define: Business Process
An **organized set of tasks** producing a specific **product or service** for customers, fundamental to operations and optimized for efficiency and adaptability.

## Footnote

A structured set of activities or tasks that produce a specific service or product for a particular group of customers. Business processes are fundamental to an organization's operations and are optimized for efficiency, effectiveness, and adaptability.

*For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_process).*
59
# Define: Business Process Control
**Implemented mechanisms** to **manage** and **regulate business processes**, ensuring efficiency, effectiveness, adherence to objectives, compliance, and security.

## Footnote

The mechanisms implemented within an organization to manage and regulate business processes. These controls aim to ensure that processes are efficient, effective, and adaptable and that they meet the organization's objectives and comply with laws and regulations. The security and reliability of these controls are essential in preventing unauthorized activities and maintaining overall operational effectiveness.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_process).*
60
# Define: Business Process Integrity
The upkeep of **accurate, consistent, and trustworthy business processes**, requiring security measures to ensure reliability and prevent alteration or corruption.

## Footnote

Involves maintaining the accuracy, consistency, and trustworthiness of business processes over their entire lifecycle. This concept is key to ensuring that these processes function as intended, are free from any form of alteration or corruption, and that they produce reliable and consistent outcomes. Ensuring business process integrity often requires security measures like access controls and audit trails.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_process).*
61
# Define: Business Process Owner
An individual or group **responsible for a business process's definition, implementation, and maintenance**, ensuring alignment with organizational goals.

## Footnote

A person or group who is responsible for defining, implementing, and maintaining a business process. It is used to ensure that the process is aligned with the organization's goals and objectives and to identify and address any issues or gaps in the process. Examples include a department manager, a project team leader, or a process improvement specialist.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_process).*
62
# Define: Business Process Reengineering | (BPR)
A **strategy** involving the radical redesign of business processes to significantly **improve cost, quality, service, and speed**, optimizing alignment with goals.

## Footnote

A management strategy that involves the fundamental rethinking and radical redesign of business processes to achieve significant improvements in critical areas such as cost, quality, service, and speed. BPR endeavors to break down and rebuild processes to make them more efficient and aligned with the overall goals of the organization.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_process_reengineering).*
63
# Define: Business Risk
The **potential for loss due to internal or external vulnerabilities**, with risks arising from financial uncertainty, strategic decisions, or disasters, necessitating security measures.

## Footnote

The potential for loss, damage, or destruction of an organization's value, be it in terms of physical or non-physical assets, caused by internal or external vulnerabilities that may prevent it from achieving its objectives. Such risks can arise from various factors, including financial uncertainty, strategic management decisions, legal liabilities, accidents, and natural disasters. Ensuring adequate security measures are in place to protect an organization's data and assets is a critical component of business risk management.

*For more information, view this lecture on [Risk Management - Identification](https://courses.thorteaches.com/courses/take/cissp/lessons/18588085-risk-management-identification). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_risks).*
64
# Define: Business Service Provider | (BSP)
A company offering business services through **SaaS**, specializing in solutions like **ERP** or **CRM**, with a focus on **security for data protection**.

## Footnote

A company that offers organizations various business solutions and services, often through a software as a service (SaaS) model. BSPs might specialize in delivering applications for enterprise resource planning, customer relationship management, or human resources management, among others. When engaging with BSPs, organizations must assess the providers' security measures to ensure the protection of sensitive business data.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_Service_Provider_(BSP)).*
65
# Define: Business Sponsor
An **executive** responsible for a **project's success**, ensuring it matches organizational **goals** and adheres to necessary **security protocols** for safe implementation.

## Footnote

Typically a high-ranking executive who takes ownership of the successful delivery of a project within an organization. They ensure the project aligns with the organization's goals and provide resources and decision-making power. A critical part of their role is ensuring that the project adheres to necessary security protocols, which is crucial in the design, implementation, and operation of any system within an organization.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_sponsor).*
66
# Define: Business Strategy
An **action plan** for achieving **business goals**, encompassing data security and asset safeguarding so that operations are not undermined by security incidents.

## Footnote

The plan of action implemented by a business to attain specific goals and objectives, such as increasing profits, expanding market share, or improving customer satisfaction. A comprehensive business strategy includes considerations around data security, safeguarding assets, and maintaining reputation, ensuring that the company's operations and growth are not undermined by security incidents or data breaches.

*For more information, view this lecture on [Information Security Governance: Values, Vision, Mission, and Plans](https://courses.thorteaches.com/courses/take/cissp/lessons/18584579-information-security-governance-values-vision-mission-and-plans). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_strategy).*
67
# Define: Business-to-Business | (B2B)
The **exchange of goods, services, or information between businesses**, requiring cybersecurity measures to protect trade secrets and maintain operational integrity.

## Footnote

B2B refers to the exchange of products, services, or information between businesses, rather than between businesses and consumers. Cybersecurity in B2B transactions is crucial to protect trade secrets and customer data and to maintain the integrity of business operations.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business-to-business).*
68
# Define: Business-to-Consumer E-commerce | (B2C)
**Direct online sales by businesses to consumers**, necessitating strong security measures to protect personal and financial data and maintain business reputation.

## Footnote

The online sale of products or services by businesses directly to consumers. This process often involves financial transactions and the exchange of personal data, making the implementation of robust security measures crucial to protect the consumers' personal and financial information and to maintain the trust and reputation of the businesses involved.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business-to-consumer).*
69
# Define: Capability
The set of **functionalities** or **features** of a **system**, **device**, or **software** that enable it to perform tasks effectively, including features that may impact system security.

## Footnote

In a broader sense, capability refers to the set of functionalities or features a system, device, or software possesses that enable it to perform its tasks or roles effectively. This could include computational power, access permissions, and other software or hardware features. From a security standpoint, understanding a system's capabilities helps identify potential weak points and areas for improvement.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Capability-based_security).*
70
# Define: Capital Expenditure/Expense | (CAPEX)
**Spending on acquiring or upgrading physical assets** like buildings and hardware, including those used to enhance or maintain security measures.

## Footnote

The spending of funds by an organization to acquire or upgrade physical assets such as buildings, equipment, or hardware infrastructure. In the context of digital security, it may include the purchase of servers, storage devices, security appliances, or other significant hardware tools that are used to enhance or maintain security measures within an organization.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Capital_expenditure).*
71
# Define: Chain of Custody
A **process** tracking **evidence movement from collection to court presentation**, documenting each transfer, and vital for the integrity of digital evidence in legal proceedings.

## Footnote

A process that tracks the movement and handling of evidence from the moment it is collected until the moment it is presented in court. It includes a written record of all individuals who have had custody of the evidence, documenting each transfer of custody and the reason for the transfer. In digital forensics, maintaining a proper chain of custody is crucial for the integrity of digital evidence. It ensures that digital evidence, such as log files or hard drives, can be verified as being handled and stored in a secure manner, preventing tampering or unauthorized access and making the evidence legally admissible in court.

*For more information, view this lecture on [Laws and Regulations- Evidence](https://courses.thorteaches.com/courses/take/cissp/lessons/18552296-laws-and-regulations-evidence). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Chain_of_custody).*
72
# Define: Chief Executive Officer | (CEO)
The **highest-ranking executive** with the responsibility for **major corporate decisions, managing operations**, and acting as the public face of the company.

## Footnote

The highest-ranking executive in a company or organization, responsible for making major corporate decisions, managing overall operations and resources, acting as the main point of communication between the board of directors and corporate operations, and being the public face of the company. The CEO is often elected by the board and its shareholders.

*For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Chief_executive_officer).*
73
# Define: Chief Financial Officer | (CFO)
A senior executive responsible for **managing the financial actions** of a company, including tracking cash flow and financial planning.

## Footnote

The senior executive responsible for managing an organization's financial operations and reporting, including financial planning and analysis, accounting, and budgeting. They often work closely with the CEO and other senior executives to develop and implement strategic plans and policies.

*For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Chief_financial_officer).*
74
# Define: Chief Information Officer | (CIO)
A senior executive in charge of **information technology strategy**, ensuring IT systems and policies align with enterprise business goals.

## Footnote

The senior executive responsible for overseeing an organization's information technology (IT) strategy, policies, and operations. They work closely with the CEO and other senior executives to develop and implement IT solutions that align with the organization's business goals and objectives.

*For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Chief_information_officer).*
75
# Define: Chief Information Security Officer | (CISO)
An executive responsible for an organization's **information security vision, strategy, and program** to protect data and assets.

## Footnote

The senior executive responsible for overseeing an organization's information security strategy, policies, and operations. They work closely with the CIO and other senior executives to develop and implement security solutions that protect the organization's sensitive data and assets.

*For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Chief_information_security_officer).*
76
# Define: Chief Security Officer | (CSO)
An executive who **manages the security of the organization's assets**, including cyber, physical, and human security.

## Footnote

The senior executive responsible for overseeing an organization's security strategy, policies, and operations. This role encompasses the management of cyber, physical, and human security measures to protect the organization's assets and ensure business continuity.

*For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Chief_security_officer).*
77
# Define: Chief Technology Officer | (CTO)
An executive who oversees the **development and implementation of technology strategies** to align with business objectives.

## Footnote

The senior executive responsible for overseeing an organization's technology strategy, policies, and operations. They work closely with the CEO and other senior executives to develop and implement technology solutions that align with the organization's business goals and objectives.

*For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Chief_technology_officer).*
78
# Define: CIA Triad
A model representing the three fundamental principles of **information security**: **Confidentiality**, **Integrity**, and **Availability**.

## Footnote

A widely used information security model that represents the three fundamental principles of security: Confidentiality, Integrity, and Availability. Confidentiality is about protecting information from being accessed by unauthorized parties, integrity ensures that the information is accurate and hasn't been improperly modified, and availability ensures that the information is accessible to authorized users when needed. The triad serves as a simple framework for keeping an organization's sensitive data secure.

*For more information, view this lecture on [The CIA Triad- Part 1- Confidentiality, Integrity, and Availability](https://courses.thorteaches.com/courses/take/cissp/lessons/18551695-the-cia-triad-part-1-confidentiality-integrity-and-availability). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_security#Security_Goals).*
79
# Define: CISSP | (Certified Information Systems Security Professional)
An **IT/Cybersecurity certification** for experienced security practitioners, managers, and executives, emphasizing a broad **security knowledge base**.

## Footnote

The most in-demand IT/Cybersecurity certification, the CISSP is the gold standard. It is offered by ISC2 and is designed for experienced security practitioners, managers, and executives who want to demonstrate their knowledge across a wide array of security practices and principles.

*For more information, view this lecture on [Why should you want to get the CISSP certification?](https://courses.thorteaches.com/courses/take/cissp/lessons/19182184-why-should-you-want-to-get-the-cissp-certification). Or visit this [ISC2 page](https://www.isc2.org/certifications/cissp).*
80
# Define: Clean Desk Policy
A **directive** that requires employees to **secure sensitive information and devices** when their workspace is **unattended** to protect against unauthorized access.

## Footnote

A corporate directive that specifies how employees should leave their working space when they aren't there. This policy aims to protect sensitive information by ensuring that all papers, sticky notes, flash drives, and other information storage devices are properly stored away and secured when not in immediate use. It also includes shutting down computers or locking them when left unattended. Such a policy reduces the risk of sensitive data being exposed to unauthorized personnel or visitors.

*For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks).*
81
# Define: CLOUD Act | (Clarifying Lawful Overseas Use of Data)
A US law allowing **federal law enforcement to compel US-based tech companies** to provide **data** stored on **servers**, regardless of location.

## Footnote

A US law that allows federal law enforcement agencies, under certain circumstances, to compel U.S.-based technology companies to provide requested data stored on servers, regardless of whether the data is stored in the US or on foreign soil. This legislation aims to improve law enforcement agencies' access to digital information for investigations and court proceedings, but it has also raised privacy and data sovereignty concerns.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/CLOUD_Act).*
82
# Define: COBIT | (Control Objectives for Information and Related Technologies)
A framework by **ISACA** for **information governance and management**, providing processes for managing information systems. ## Footnote A framework created by ISACA for information governance and management. It is used globally to help businesses achieve strategic goals through effective and innovative use of IT while mitigating risks and managing organizational complexity. COBIT provides a set of generic processes for the management of information systems, each with a high-level control objective, input/output tasks, process controls, and performance measures. *For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/COBIT).*
83
# Define: COCOM
A U.S.-led coordination arrangement to **restrict technology sales to adversaries**. ## Footnote COCOM, or **Coordinating Committee for Multilateral Export Controls**, was an international framework designed to restrict the export of sensitive technologies to adversarial countries. It established guidelines to prevent critical technology from reaching potential security threats, influencing modern export control policies even after its dissolution. *For more information, view this lecture on [The history of Cryptography- Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/19215103-the-history-of-cryptography-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/CoCom).*
84
# Define: Code of Ethics
A document outlining expected behaviors and decision-making processes within an organization or profession, guiding professional conduct. ## Footnote A guiding document that outlines expected behaviors and decision-making approaches within an organization or profession. It serves as a set of principles to guide professionals in carrying out their work with integrity, honesty, and responsibility. Violation of the code of ethics can lead to disciplinary actions, including termination of employment or membership. *For more information, view this lecture on [The ISC2 Code of Ethics](https://courses.thorteaches.com/courses/take/cissp/lessons/18552377-the-isc2-code-of-ethics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Ethical_code).*
85
# Define: Code of Ethics - ISC2
A set of professional principles for ISC2 members, highlighting the importance of protecting the public good and acting responsibly in cybersecurity. ## Footnote A set of professional principles adhered to by members of ISC2 (International Information System Security Certification Consortium), a non-profit organization specializing in training and certifications for cybersecurity professionals. The code stipulates four mandatory canons: (1) Protect society, the common good, necessary public trust and confidence, and the infrastructure; (2) Act honorably, honestly, justly, responsibly, and legally; (3) Provide diligent and competent service to principals; (4) Advance and protect the profession. *For more information, view this lecture on [The ISC2 Code of Ethics](https://courses.thorteaches.com/courses/take/cissp/lessons/18552377-the-isc2-code-of-ethics). Or visit this [Wikipedia page](https://www.isc2.org/ethics).*
86
# Define: Code of Ethics ISACA
A set of principles for IT governance professionals, stipulating standards for honesty, confidentiality, and professional competence. ## Footnote A set of principles specifically designed for IT governance, risk, cybersecurity, and assurance professionals. These principles stipulate professional standards for fairness, honesty, confidentiality, and professional competence. ISACA members and certification holders are required to adhere to this code, promoting trust and value in the industries they serve. *For more information, visit this [Wikipedia page](https://www.isaca.org/code-of-professional-ethics).*
87
# Define: Codex
A structured collection of laws, rules, or guidelines compiled in written form. ## Footnote A Codex is traditionally a systematic compilation of rules, laws, or practices consolidated into a single document. In modern contexts, it may also refer to a set of protocols or guidelines that standardize procedures within a system. Codexes serve as authoritative references for ensuring consistency, order, and compliance in legal, technological, or organizational frameworks. *For more information, view this lecture on [SAN and VoIP protocols.](https://courses.thorteaches.com/courses/take/cissp/lessons/19177558-san-and-voip-protocols). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Codex).*
88
# Define: Collusion
Entities unlawfully cooperating to bypass security protocols, share credentials, or engage in unauthorized activities, challenging security maintenance. ## Footnote A situation where two or more entities (individuals, systems, or processes) unlawfully or maliciously cooperate to deceive or defraud. In terms of security, this could involve users sharing access credentials, systems working together to bypass security protocols, or processes being manipulated to allow unauthorized actions. Preventing collusion is an important aspect of maintaining robust security controls. *For more information, view this lecture on [Administrative personnel controls.](https://courses.thorteaches.com/courses/take/cissp/lessons/19180180-administrative-personnel-controls). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Collusion).*
89
# Define: Compensating Control
Alternative security measures used when primary controls are impractical, providing similar protection against identified risks. ## Footnote Also known as an alternative control, a compensating control is a mechanism put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the moment. While it may not be an exact replacement, a compensating control should provide a similar level of defense against the identified risk, thus maintaining the integrity of the security system. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_controls).*
90
# Define: Complexity as the Enemy of Security
The notion that increased system complexity can lead to an increase in security vulnerabilities and challenges in maintaining secure operations. ## Footnote This concept suggests that as a system becomes more complex, it's harder to maintain its security. Each additional component or feature in a system could potentially introduce new vulnerabilities or make it harder to identify existing ones. Simplifying systems and eliminating unnecessary elements can, therefore, be an effective strategy for enhancing their overall security.
91
# Define: Compliance
Ensuring an organization follows applicable laws, regulations, standards, and internal policies to avoid legal issues and maintain operational integrity. ## Footnote The process of ensuring that an organization follows relevant laws, regulations, and standards. This includes internal policies and procedures, as well as external requirements such as regulatory standards or contractual obligations. Compliance activities can range from regular audits and checks to training and education programs designed to prevent violations and ensure that all operations align with the expected requirements. *For more information, view this lecture on [Laws and Regulations](https://courses.thorteaches.com/courses/take/cissp/lessons/18552277-laws-and-regulations). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Regulatory_compliance).*
92
# Define: Compliance Documents
Records that evidence an organization's adherence to laws, regulations, and policies, often required for audits or legal proceedings. ## Footnote Official documents that evidence an organization's adherence to regulatory standards, laws, and internal policies. They can include policy manuals, procedural guidelines, audit results, training records, and other records demonstrating regulatory compliance. These documents are often essential in audits or investigations to demonstrate that an organization has met its compliance obligations. *For more information, view this lecture on [Laws and Regulations](https://courses.thorteaches.com/courses/take/cissp/lessons/18552277-laws-and-regulations).*
93
# Define: Compliance-as-Code
Compliance-as-Code applies automated, code-defined rules and checks to ensure systems and processes meet regulatory or organizational framework requirements continuously. ## Footnote Instead of relying on manual audits, Compliance-as-Code embeds guidelines into version-controlled templates and scripts, verifying infrastructure and applications against compliance baselines in real time. Integration with CI/CD pipelines allows teams to detect and remediate configuration drifts or misalignments before deploying changes. This practice increases transparency and auditability, as compliance rules become traceable and testable. Merging compliance with development processes leads to faster, more reliable releases, reducing the risk of costly violations or fines.
94
# Define: Computer Fraud and Abuse Act | (CFAA)
A US statute criminalizing improper computer access, including hacking, unauthorized information acquisition, and other offenses. ## Footnote The CFAA is a US statute that criminalizes unauthorized and improper access to computers and networks. It addresses a range of computer-related offenses, including hacking, unauthorized access to obtain information, causing damage, trafficking in passwords, and more. *For more information, view this lecture on [US Laws, European Laws, and International Treaties.](https://courses.thorteaches.com/courses/take/cissp/lessons/18552341-us-laws-european-laws-and-international-treaties). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act).*
95
# Define: Computer Security Act of 1987 | (CSA)
A US law to enhance the security and privacy of federal computer systems and establish minimum security practices. ## Footnote A United States federal law enacted to improve the security and privacy of sensitive information in federal computer systems and to establish minimum acceptable security practices for such systems. The CSA mandated the establishment of standards and guidelines for federal computer systems and tasked the National Bureau of Standards (now the National Institute of Standards and Technology) with their development and the training of federal computer system users. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_Security_Act_of_1987).*
96
# Define: Computer-Assisted Audit Technique | (CAAT)
Tools and methods used by auditors to analyze data using software, improving audit process efficiency and accuracy. ## Footnote A set of tools and techniques used by auditors to analyze an organization's data with software, improving efficiency and accuracy in audit processes. CAATs include data extraction and analysis tools, which can automate procedures to identify anomalies or patterns in data related to financial statements or compliance. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer-aided_audit_tools).*
97
# Define: Conclusive Evidence
Strong proof that eliminates reasonable doubt about a fact or assertion, especially crucial in digital forensics for legal proceedings. ## Footnote A proof that is so strong and compelling that it effectively eliminates any reasonable doubt about a particular fact or assertion. In the context of digital forensics, it's the digital data that can be produced in court as an indisputable fact or proof to confirm an event or action. The nature of conclusive evidence is such that it can't be contradicted or disproved by any other evidence. *For more information, view this lecture on [Laws and Regulations- Evidence](https://courses.thorteaches.com/courses/take/cissp/lessons/185).*
98
# Define: Confidentiality
The principle of ensuring information is accessed only by authorized users, through measures like encryption, passwords, and access controls. ## Footnote A fundamental principle of information security that mandates restricting access to information to authorized users only. It's about ensuring that sensitive information is not disclosed to unauthorized individuals or entities. Confidentiality measures include the use of passwords, encryption, access control lists, and security policies that define who can access what data and under which circumstances. It is the C of the CIA triad. *For more information, view this lecture on [The CIA Triad- Part 1- Confidentiality, Integrity, and Availability](https://courses.thorteaches.com/courses/take/cissp/lessons/18551695-the-cia-triad-part-1-confidentiality-integrity-and-availability). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_security#Confidentiality).*
99
# Define: Configurable Control
A system or application feature that can be adjusted by users to improve operating environment control and manage risks. ## Footnote A feature or setting within a system or application that can be adjusted to enhance control over the operating environment. This can include anything from user permissions to data access controls, all aimed at managing risk and safeguarding the system or data within it. *For more information, view this lecture on [Configuration Management.](https://courses.thorteaches.com/courses/take/cissp/lessons/19180328-configuration-management).*
100
# Define: Configuration Control
A management practice that maintains consistency of system attributes with its requirements, design, and operational information. ## Footnote A practice aimed at maintaining consistency of a system or component's performance, functional, and physical attributes with its requirements, design, and operational information throughout its life. It involves processes such as identifying configurations, controlling changes, and ensuring that configurations conform to applicable standards and requirements, thus helping avoid unnecessary modifications and maintaining system reliability. *For more information, view this lecture on [Configuration Management.](https://courses.thorteaches.com/courses/take/cissp/lessons/19180328-configuration-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Configuration_management#Overview).*
101
# Define: Construct a Platform for Risk Analysis of Security Critical Systems | (CORAS)
A model-driven approach for conducting security risk analysis, providing a language for threat modeling and tools for executing risk analysis steps. ## Footnote A model-driven method for conducting security risk analysis. CORAS offers a customized language for threat and risk modeling and comes with detailed guidelines explaining each step of the risk analysis process. It includes tools that support the execution of these steps, as well as libraries for documenting and reusing common types of threats, vulnerabilities, and treatments. The CORAS method is particularly designed for precise, unambiguous, and efficient risk modeling of security-critical systems and is often used in industries that demand a high level of security assurance.
102
# Define: Consumerization
The trend of consumer-originated technologies influencing business practices and policies, presenting challenges for security and control. ## Footnote The influence that consumer-originated technologies and preferences are exerting on broader business and organizational contexts. In many cases, these consumer technologies are being adopted by businesses due to their ease of use, convenience, or innovative features. However, it poses certain challenges in terms of ensuring security and control over business data and processes, as the boundary between personal and professional technology use blurs. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Consumerization).*
103
# Define: Contingency Planning
Developing readiness for emergencies or unexpected situations to ensure business continuity and rapid recovery after disruptions. ## Footnote The process of developing preparedness for potential emergencies or unexpected situations that can disrupt normal operations. It involves identifying critical functions, assessing risks, and establishing procedures to ensure business continuity and recovery. Contingency plans aim to minimize impact and guide rapid and effective responses to incidents such as natural disasters, cyber-attacks, or equipment failures. *For more information, view this lecture on [External dependencies in BIA](https://courses.thorteaches.com/courses/take/cissp/lessons/54398505-new-2024-external-dependencies-in-bia). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Contingency_plan).*
104
# Define: Continuous Adaptive Risk and Trust Assessment | (CARTA)
CARTA is a Gartner concept that continuously evaluates risk and trust levels to adapt security controls dynamically, reflecting changing threats and organizational contexts. ## Footnote In CARTA, security decisions are not static but evolve with every user action, data request, or device interaction. It integrates real-time analytics, machine learning, and threat intelligence to decide whether to allow, block, or require additional verification. This continuous assessment tightens or loosens controls as risk conditions shift, balancing protection and user experience. CARTA aims to reduce attack surfaces, foster proactive defenses, and support business agility by responding quickly to emerging threats and opportunities.
105
# Define: Continuous Improvement
Incremental efforts to enhance procedures, products, or services, aiming for greater efficiency and quality. ## Footnote An ongoing effort to incrementally enhance procedures, products, or services. The objective is to achieve higher efficiency and quality by eliminating waste, reducing delays, and improving the current methodologies. It's a key component of many methodologies, where regular assessments lead to small enhancements that accumulate into significant improvements over time. *For more information, view this lecture on [DevOps and DevSecOps](https://courses.thorteaches.com/courses/take/cissp/lessons/29669508-devops-and-devsecops). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Continuous_improvement_process).*
106
# Define: Control
A safeguard or countermeasure implemented to protect a system or process against potential risks, ensuring data integrity and availability. ## Footnote In the context of information security, a control is a safeguard or countermeasure designed to detect, prevent, or mitigate potential risks to a system or process. Controls can be administrative (e.g., policies and training), technical (e.g., encryption and access controls), or physical (e.g., locks and guards) and are implemented to ensure the confidentiality, integrity, and availability of data. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Internal_control).*
107
# Define: Control Assessments
Processes evaluating the effectiveness of an organization's controls to ensure they function as intended and comply with standards. ## Footnote Processes for evaluating the effectiveness and compliance of controls implemented within an organization. They involve thorough testing and analysis of controls to verify they are functioning as intended, adequately mitigating risk, and compliant with relevant regulations and standards. *For more information, view this lecture on [Security Assessments](https://courses.thorteaches.com/courses/take/cissp/lessons/19179927-security-assessments).*
108
# Define: Control Categories
Different types of security controls, such as preventive, detective, corrective, deterrent, and compensating, classified by their purposes and effects. ## Footnote In cybersecurity and risk management, controls are classified into several types based on their purposes and effects within an organization's security posture: Preventive Controls stop incidents before they happen; Detective Controls identify and detect issues when they occur; Corrective Controls resolve issues after they have been detected; Deterrent Controls discourage potential security violations; and Compensating Controls are alternative mechanisms used when primary controls are not viable. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Access_control#Physical_security).*
109
# Define: Control Framework
A set of guidelines detailing processes for risk management and maintaining control over systems and data, providing a standardized risk approach. ## Footnote A structured set of guidelines that details an organization's processes for maintaining a certain level of risk management and control over its systems and data. It provides a standardized approach to identifying, managing, and reducing risks, often encompassing a blend of policies, procedures, and technology measures. *For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_controls#Information_security_standards_and_control_frameworks).*
110
# Define: Control Objective
A desired outcome guiding the design of security controls, aiming to align with the organization's goals and security requirements. ## Footnote A desired outcome or end result that is established to guide the design and implementation of controls. It is used in the development of a control framework to ensure that controls are aligned with the organization's goals and objectives. For example, a control objective for an e-commerce website might be to ensure the confidentiality of customer data, or for a manufacturing company, it could be to prevent unauthorized access to production processes. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Internal_control).*
111
# Define: Control Practice
The execution of specific actions or procedures to meet control objectives, reducing risks and ensuring compliance or operational efficiency. ## Footnote The implementation and execution of specific actions, activities, or procedures designed to meet control objectives. It serves as a concrete step in reducing risks, ensuring compliance, or improving operational efficiency. Examples can range from password policies to network monitoring procedures or regular security audits.
112
# Define: Control Risk
The likelihood that controls may fail to prevent or correct errors or fraud, a concern in security for the possibility of breaches or incidents. ## Footnote Control risk refers to the likelihood that the design or operational effectiveness of controls may fail to prevent or detect and correct errors or fraud. In information security, it is the risk of failure or inadequacy of the security measures in place, potentially leading to data breaches or other security incidents that compromise the CIA (Confidentiality, Integrity, and Availability) of the organization's information. *For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Audit_risk).*
113
# Define: Control Risk Self-Assessment
An evaluation by organization personnel of threats and vulnerabilities, with employees identifying and assessing the effectiveness of controls. ## Footnote A process in which an organization's own personnel evaluate the potential threats and vulnerabilities in their area of responsibility. Employees and management participate in identifying and evaluating the effectiveness of the controls designed to mitigate those risks. This form of self-assessment enhances understanding of potential risks, promotes ownership, and encourages more active involvement in designing and implementing relevant controls. *For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or view this lecture on [Risk Management- Assessment Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588106-risk-management-assessment-part-2).*
114
# Define: Control Weakness
A deficiency in an organization's internal controls, pointing to areas where controls are insufficient to prevent errors or non-compliance. ## Footnote A deficiency in internal controls, which are processes and procedures intended to prevent or detect problems. It indicates a point where an organization's controls are not strong or comprehensive enough to prevent or detect errors, fraud, or non-compliance with policies or regulations. Control weaknesses increase the risk of undesirable outcomes and can lead to financial loss, reputational damage, or regulatory action. Identifying and addressing control weaknesses is a critical part of risk management and corporate governance. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Internal_control).*
115
# Define: Controls Gap
Differences between the current and desired states of system controls, potentially exposing organizations to vulnerabilities if not addressed. ## Footnote The difference between the current state of a system's controls and the desired or necessary state. This gap can expose an organization to vulnerabilities if not properly addressed, so identifying and mitigating control gaps is a key part of risk management and maintaining secure operations.
116
# Define: Copyright
A legal right granted to creators of original works, providing exclusive usage rights for a specific period. ## Footnote Copyright is a legal right granted to the creators of original works, including various types of creative, literary, and intellectual productions. It provides the creator with exclusive rights over the use of their work for a specific period, typically the life of the author plus a fixed number of years after their death, varying by country. In the US, that period is 70 years after the author's death for individual authors, while for corporations or works made for hire, copyright may last 95 to 120 years from the date of creation. Upon expiration, the work becomes part of the public domain. *For more information, view this lecture on [Intellectual property](https://courses.thorteaches.com/courses/take/cissp/lessons/18552326-intellectual-property). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Copyright).*
117
# Define: Corporate Governance
The system of rules and processes by which a company is directed and controlled, ensuring accountability and fairness. ## Footnote The system of rules, practices, and processes by which a company is directed and controlled. It involves balancing the interests of a company's many stakeholders, such as shareholders, management, customers, suppliers, financiers, government, and the community. Good corporate governance ensures accountability, fairness, and transparency in a company's relationship with all its stakeholders. It provides the framework within which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. *For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Corporate_governance).*
118
# Define: Corporate Security Officer
An executive role overseeing all security aspects, including strategy development and incident response. ## Footnote An executive role within an organization responsible for overseeing all aspects of security, including physical security, personal security, and digital security. This role often involves creating and implementing security strategies, managing security personnel, coordinating with other executives and stakeholders, and responding to security incidents. *For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management).*
119
# Define: Corrective Control
An internal control mechanism designed to address problems after they occur, focusing on rectification and mitigation. ## Footnote A type of internal control mechanism designed to rectify and mitigate the impact of identified problems or incidents after they occur. Corrective controls include activities and procedures that are implemented to address and correct the undesirable outcomes of an event, such as restoring systems to their normal state after a security breach, repairing damages, and updating processes to prevent future occurrences. These controls are reactive by nature, focusing on response and recovery. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types).*
120
# Define: COSO | (Committee of Sponsoring Organizations of the Treadway Commission)
A framework for establishing internal controls, addressing governance, risk management, and business ethics. ## Footnote A widely accepted framework for designing and implementing internal controls in business organizations. The COSO framework addresses organizational governance, risk management, and business ethics and has become a globally recognized standard for managing and controlling risk in various domains. *For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Committee_of_Sponsoring_Organizations_of_the_Treadway_Commission).*
121
# Define: Cost/Benefit Analysis
A decision-making process evaluating the costs and benefits of security measures against potential losses. ## Footnote A decision-making process often used in business and organizational settings to determine the feasibility and value of a proposed action or solution. It involves a thorough evaluation of the expected costs and potential benefits of an initiative. In the context of risk management, a cost/benefit analysis might be used to weigh the investment in security measures against the potential losses from security incidents. *For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Cost%E2%80%93benefit_analysis).*
122
# Define: Countermeasure
A practice or action used to prevent, mitigate, or defeat vulnerabilities, threats, or attacks in security systems. ## Footnote A tactic, procedure, or technique that is applied to prevent, mitigate, or eliminate vulnerabilities, threats, or attacks. This could be a wide range of actions, such as installing a firewall to block unauthorized access, implementing encryption algorithms to secure data, or deploying intrusion detection systems to identify potential security breaches. Countermeasures are crucial for maintaining the confidentiality, integrity, and availability of data and systems. *For more information, view this lecture on [Risk Response and Mitigation & Risk and Control Monitoring and Reporting](https://courses.thorteaches.com/courses/take/cissp/lessons/18588121-risk-response-and-mitigation-risk-and-control-monitoring-and-reporting). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Countermeasure_(computer)).*
123
# Define: Critical Infrastructures
Vital physical and virtual systems whose incapacitation would severely impact national security and welfare. ## Footnote Critical infrastructures are essential systems and assets, both physical and virtual, that are crucial to a nation's security, economic stability, public health, or safety. Their incapacitation or destruction would significantly impair a nation's ability to function and maintain security. Examples include power grids, water supply systems, transportation networks, communication systems, and financial services. Protecting critical infrastructures involves coordinated efforts between government agencies, private sector entities, and international partners to ensure resilience against threats such as natural disasters, terrorism, and cyber-attacks.
124
# Define: Critical Success Factor | (CSF)
Key elements necessary for an organization to achieve its mission and reach its objectives. ## Footnote The essential elements that an organization must achieve to fulfill its mission and reach its objectives. In terms of security, CSFs might include robust risk management, strong access controls, and an educated workforce, among others. A failure in any CSF could lead to serious implications for the security and integrity of systems or data. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Critical_success_factor).*
125
# Define: Criticality
The importance of certain areas or elements within an organization's security program. ## Footnote The state or quality of being critical or essential to the success of an organization's security program. It is used to identify the most important areas to focus on in order to prevent or mitigate potential security breaches. Examples of critical security areas include sensitive data storage and access, network security, and access control. *For more information, view this lecture on [BIA (Business Impact Analysis)](https://courses.thorteaches.com/courses/take/cissp/lessons/18588174-bia-business-impact-analysis).*
126
# Define: Criticality Analysis
Evaluating system components to determine potential disruption impacts and devising mitigation plans. ## Footnote A method used to identify and evaluate the critical components, systems, or processes that could cause significant disruptions if they fail. It involves assessing the potential consequences of each failure and devising plans to mitigate these risks. Criticality analysis helps organizations prioritize their resources and protection strategies according to the potential impact of a security incident. *For more information, view this lecture on [BIA (Business Impact Analysis)](https://courses.thorteaches.com/courses/take/cissp/lessons/18588174-bia-business-impact-analysis). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Failure_mode,_effects,_and_criticality_analysis).*
127
# Define: Customer Relationship Management | (CRM)
A strategy to manage interactions with customers using data analysis to improve business relationships and drive sales. ## Footnote A strategic approach that focuses on managing an organization's interactions with its customers and potential customers. It uses data analysis about a customer's history with a company to improve business relationships, primarily focusing on retaining customers and driving sales growth. Because CRM systems concentrate large amounts of sensitive customer data in one place, they require strong access controls and protection against breaches. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Customer_relationship_management).*
128
# Define: Cybercrimes
Illegal activities conducted over digital networks or devices, including hacking, identity theft, phishing, and unauthorized system access. ## Footnote Illegal activities conducted through the Internet or other forms of digital communication. These crimes include hacking, identity theft, phishing scams, online fraud, the distribution of child exploitation material, cyberstalking, and the unauthorized access to or manipulation of systems, networks, and data. Cybercrimes are a growing concern for individuals, corporations, and governments, as they can lead to significant financial losses, privacy violations, and threats to digital infrastructure. Efforts to combat cybercrimes involve legal, technical, and educational measures. *For more information, view this lecture on [Risk- Attackers and Types of Attacks Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588139-risk-attackers-and-types-of-attacks-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Cybercrime).*
129
# Define: Cyberespionage
The illicit use of technologies to access and steal sensitive information for strategic or competitive advantage. ## Footnote The practice of using covert techniques and technologies to illicitly access, steal, or destroy an adversary's sensitive information or intellectual property for strategic, military, or competitive advantage. This activity is typically carried out by highly skilled individuals or groups and can target a range of entities, including governments, corporations, or individuals. *For more information, view this lecture on [Risk- Attackers and Types of Attacks Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588139-risk-attackers-and-types-of-attacks-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Cyberespionage).*
130
# Define: Cybersecurity
The practice of protecting networks, systems, devices, and data from cyber-attacks, ensuring the security of digital information and infrastructure. ## Footnote The practice of protecting computer systems, networks, devices, and data from unauthorized access, theft, damage, or other forms of cyber-attack. It encompasses a wide range of techniques, technologies, and processes designed to safeguard the integrity, confidentiality, and availability of information. Cybersecurity is critical in managing and mitigating risks related to the use and storage of digital information and is crucial for both individuals and organizations in our increasingly networked world. *For more information, view this lecture on [The CIA Triad- Part 1- Confidentiality, Integrity, and Availability](https://courses.thorteaches.com/courses/take/cissp/lessons/18551695-the-cia-triad-part-1-confidentiality-integrity-and-availability). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security).*
131
# Define: Cybersecurity Maturity Model Certification | (CMMC)
A certification program run by the US DoD to verify that defense contractors meet prescribed cybersecurity requirements. ## Footnote A certification program established by the United States Department of Defense (DoD) to verify the cybersecurity readiness of defense contractors and subcontractors. CMMC was designed to protect the sensitive unclassified information that the DoD shares with its supply chain, primarily Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The model defines maturity levels that reflect the extent to which cybersecurity practices, largely drawn from NIST SP 800-171, are implemented and institutionalized within an organization; under CMMC 2.0 these are Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Contractors must achieve the level specified in a contract, through self-assessment or third-party assessment depending on the level, to be eligible for DoD contracts that carry a CMMC requirement. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Cybersecurity_Maturity_Model_Certification).*
132
# Define: Cyberwarfare
The strategic use of cyber activities by state actors or groups to attack, infiltrate, and disrupt digital infrastructure for warfare purposes. ## Footnote The use or targeting of computers and networks in warfare or conflict, where state actors and associated groups engage in cyber activities to attack, infiltrate, and sabotage the digital infrastructure of other nations, organizations, or individuals. It includes operations that can disrupt critical systems, steal classified information, interfere with decision-making processes, and affect the physical infrastructure through cyber means. Cyberwarfare presents a complex threat landscape, often blurring the lines between civilian and military targets and posing significant challenges to international law and security. It's an integral part of modern military strategy, with nations actively developing defensive and offensive cyber capabilities. *For more information, view this lecture on [Risk- Attackers and Types of Attacks Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588139-risk-attackers-and-types-of-attacks-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Cyberwarfare).*
133
# Define: Data Breaches
Security incidents involving unauthorized access, disclosure, or loss of sensitive data, leading to financial, reputational, and legal impacts. ## Footnote Incidents where information security is compromised, leading to the unauthorized access, disclosure, alteration, destruction, or loss of protected, sensitive, or confidential data. Breaches can affect personal data, intellectual property, and trade secrets. They can result from cyberattacks such as hacking, malware, and phishing, or from negligence and insider threats, and they often lead to significant financial, reputational, and legal consequences, including mandatory notification obligations under many data protection laws. *For more information, view this lecture on [US Laws, European Laws, and International Treaties.](https://courses.thorteaches.com/courses/take/cissp/lessons/18552341-us-laws-european-laws-and-international-treaties). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_breach).*
134
# Define: Data Integrity
Ensuring data is consistent, accurate, and reliable throughout its lifecycle, employing error checking, backups, and security controls. ## Footnote A key principle in data security that ensures data is accurate, consistent, and reliable over its entire lifecycle. It involves maintaining the consistency, accuracy, and trustworthiness of data from the moment it is created until the point it is deleted. Measures to ensure data integrity include error checking and validation, backup, security access controls, and the implementation of specific rules and protocols. *For more information, view this lecture on [The CIA Triad- Part 1- Confidentiality, Integrity, and Availability](https://courses.thorteaches.com/courses/take/cissp/lessons/18551695-the-cia-triad-part-1-confidentiality-integrity-and-availability). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_integrity).*
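The footnote lists error checking and validation as integrity measures. The following added example (not from the original flashcards) shows the practical difference between an unkeyed hash and a keyed HMAC as an integrity check: an attacker who can modify a record can also recompute a plain SHA-256 digest over it, but cannot forge an HMAC without the verifier's secret key. The record, the key, and the function names are constructed for this illustration.

```python
import hashlib
import hmac
import json

# Secret known only to the verifier. Constructed for this example; in practice it
# comes from a key store, never from source code.
KEY = b"example-integrity-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so equal content gives equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_digest(record: dict) -> str:
    """Unkeyed integrity value: anyone, including an attacker, can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def hmac_tag(record: dict, key: bytes = KEY) -> str:
    """Keyed integrity value: only holders of the key can produce a valid tag."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_plain(record: dict, digest: str) -> bool:
    # compare_digest avoids leaking information through comparison timing.
    return hmac.compare_digest(plain_digest(record), digest)


def verify_hmac(record: dict, tag: str, key: bytes = KEY) -> bool:
    return hmac.compare_digest(hmac_tag(record, key), tag)


def tamper_demo() -> dict:
    """Walk through a constructed tampering scenario and report each check's result."""
    original = {"account": "1001", "balance": 250.00}
    stored_digest = plain_digest(original)   # what a naive system would store
    stored_tag = hmac_tag(original)          # what an HMAC-protected system stores

    # Attacker with write access changes the balance...
    tampered = {"account": "1001", "balance": 250000.00}
    # ...and, because the digest is unkeyed, simply recomputes it to match.
    forged_digest = plain_digest(tampered)

    return {
        # Plain hash catches the change only if the attacker forgot to recompute it.
        "plain_verify_tampered_old_digest": verify_plain(tampered, stored_digest),
        # Plain hash accepts the forgery once the attacker recomputes the digest.
        "plain_verify_tampered_recomputed_digest": verify_plain(tampered, forged_digest),
        # HMAC accepts the genuine record...
        "hmac_verify_original": verify_hmac(original, stored_tag),
        # ...and rejects the tampered one, since the attacker cannot make a new tag.
        "hmac_verify_tampered": verify_hmac(tampered, stored_tag),
    }


if __name__ == "__main__":
    for check, result in tamper_demo().items():
        print(f"{check}: {result}")
```

The takeaway for the card: a checksum alone protects against accidental corruption, while protection against deliberate modification needs a secret the attacker does not hold (an HMAC, or a digital signature when the verifier and the writer must not share a key).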
135
# Define: Data Localization
Regulations that require data about residents to be stored and processed within the nation's borders, often as a condition for business operation. ## Footnote Laws or regulations requiring data about a nation's citizens or residents to be collected, processed, and/or stored inside the country before being transferred internationally, often as a condition for conducting business in a country. These measures are often enforced to protect data privacy, maintain data security, or enable law enforcement access to data. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_localization).*
136
# Define: Data Portability
The ability to move data safely and securely from one system to another without affecting its usability, enhancing users' control over their data. ## Footnote The ability to move data from one system, controller, or environment to another in a safe and secure manner without affecting its usability. Often a topic in discussions about personal data rights, it allows users to take their data from a service and transfer or 'port' it elsewhere, offering greater control over their own data. *For more information, view this lecture on [US Laws, European Laws, and International Treaties.](https://courses.thorteaches.com/courses/take/cissp/lessons/18552341-us-laws-european-laws-and-international-treaties). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_portability).*
137
# Define: Data Protection Act
Legislation protecting personal data stored on computers or filing systems, mandating privacy and secure processing of such data. ## Footnote Legislation designed to protect personal data stored on computers or in an organized paper filing system. It requires respecting the privacy rights of individuals and ensuring their personal data is processed lawfully and transparently, used for specified purposes, is accurate, and is kept secure. Different countries may have their own versions of the Data Protection Act, such as the UK's Data Protection Act of 2018, which aligns with the EU's General Data Protection Regulation (GDPR). *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_Protection_Act_1998).*
138
# Define: Data Sovereignty
The principle that data is subject to the laws and governance of its country of residence. ## Footnote Data Sovereignty refers to the concept that data stored within a country is subject to its local laws, regulations, and governmental oversight. This principle affects how multinational organizations manage and transfer data across borders, requiring compliance with regional legal frameworks. Ensuring data sovereignty is fundamental for protecting privacy, adhering to regulatory mandates, and maintaining control over sensitive information in a globalized digital environment. *For more information, view this lecture on [Audit strategies for cloud and hybrid environments - part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/54399189-new-2024-audit-strategies-for-cloud-and-hybrid-environments-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_sovereignty).*
139
# Define: Decentralization
Distributing control across a network's nodes, seen in blockchain tech and peer-to-peer networks, reducing single points of failure. ## Footnote The distribution or dispersion of functions, powers, people, or things away from a central location or authority. In technology, decentralized systems distribute the network control across all participating nodes rather than relying on a centralized authority. This is often seen in blockchain technology and peer-to-peer networks, where no single entity has complete control, enhancing resilience and reducing single points of failure. Decentralization can also refer to organizational structures where decision-making is spread out to include more roles and divisions, often to increase the responsiveness and flexibility of an organization. *For more information, view this lecture on [Access control systems.](https://courses.thorteaches.com/courses/take/cissp/lessons/19179400-access-control-systems). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Decentralization).*
140
# Define: Decertification
Revoking a product, service, system, or professional qualification, often due to non-compliance or discovery of vulnerabilities. ## Footnote The process of revoking or withdrawing the certification of a product, service, system, or professional qualification, often due to non-compliance with set standards or regulations or in the aftermath of discovering new vulnerabilities or defects that significantly impact performance or security. In the IT field, decertification can occur with security products, software, and professionals if they no longer meet industry or regulatory requirements; in the certification and accreditation of information systems, it is the formal withdrawal of a system's approval to operate once it no longer meets its security requirements. *For more information, view this lecture on [Digital signatures.](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures).*
141
# Define: Defense in Depth
A multi-layered security strategy employing diverse defense mechanisms across an organization to protect against threats. ## Footnote A security strategy that employs multiple layers of defense measures across an organization's technical and procedural boundaries. It is designed to slow down an attack's progress and provide redundant protective measures in case one system fails or is compromised. This includes not just technical controls like firewalls, antivirus software, and intrusion detection systems but also administrative controls like security policies and training, and physical controls like surveillance and secure locks. The concept is based on a military strategy of the same name, where a series of defensive mechanisms are layered to protect valuable assets. In short: multiple, complementary, overlapping security measures, so that no single control is a single point of failure. *For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)).*
142
# Define: Delphi Technique
An iterative forecasting method relying on a panel of experts to achieve consensus on a specific issue. ## Footnote A structured communication method originally developed as a systematic, interactive forecasting method that relies on a panel of experts. The experts answer questionnaires in two or more rounds. After each round, a facilitator provides an anonymous summary of the experts' forecasts from the previous round, as well as the reasons they provided for their judgments. This process is intended to encourage convergence toward a correct answer over several rounds. The Delphi Technique is used for data collection and group problem-solving, particularly suitable for issues that do not have a precise analytical solution. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Delphi_method).*
143
# Define: Deming Cycle
A process improvement method involving planning, doing, checking, and acting (PDCA) on changes. ## Footnote The Deming Cycle, also known as PDCA, is a framework for continuous improvement in business processes. It consists of four iterative steps - Plan (identify and strategize the change), Do (execute the change, often on a small scale first), Check (evaluate the results against the expected outcome), and Act (standardize the change if it worked, or refine it and repeat the cycle). This model is essential for process optimization and quality management, and it is the improvement loop behind management-system standards such as ISO/IEC 27001. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/PDCA).*
144
# Define: Department of Commerce | (DOC)
A U.S. government agency that promotes economic growth and supports business development. ## Footnote A cabinet-level agency of the United States government concerned with promoting economic growth. The DOC handles a variety of tasks, from conducting the national census to issuing patents and trademarks, fostering international trade, and supporting business development. It aims to create conditions for economic growth and opportunity by working with businesses, universities, communities, and the nation's workers. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/United_States_Department_of_Commerce).*
145
# Define: Department of Health and Human Services | (DHHS)
A U.S. agency overseeing health, welfare, and health IT, critical for enforcing HIPAA. ## Footnote A federal agency in the United States that administers programs dealing with health, welfare, and health information. In terms of data protection and confidentiality, DHHS plays a pivotal role in enforcing the Health Insurance Portability and Accountability Act (HIPAA), which includes rules to protect the privacy and security of certain health information. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/United_States_Department_of_Health_and_Human_Services).*
146
# Define: Depreciation
An accounting practice allocating the cost of tangible assets over their useful life, reflecting wear or obsolescence. ## Footnote The accounting method of allocating the cost of a tangible asset over its useful life. It reflects the usage, wear and tear, or obsolescence of the asset. Depreciation helps companies earn revenue from an asset while expensing part of its cost each year the asset is in use. This process affects the value of the asset on the balance sheet and reduces taxable income on the income statement. Common methods include straight-line and accelerated depreciation. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Depreciation).*
147
# Define: Detection Risk
The chance that monitoring systems will fail to detect a breach or malicious activity, highlighting the need for robust systems. ## Footnote In auditing, detection risk is the chance that the auditor's procedures will fail to detect a material misstatement in a company's financial statements. From a cybersecurity perspective, detection risk involves the likelihood that an organization's monitoring systems will not catch an ongoing security breach or malicious activity. Both concepts emphasize the importance of robust testing and monitoring systems to minimize the risk of oversight. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Audit_risk).*
148
# Define: Detective Controls
Security measures designed to identify unauthorized activity, alerting organizations to potential incidents. ## Footnote Security measures that are designed to identify and detect unwanted or unauthorized activity within systems and networks. Examples include intrusion detection systems (IDS), log monitoring, security audits, and surveillance cameras. These controls serve to alert an organization to security incidents as they occur or shortly thereafter, enabling a timely response to potential threats. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_controls).*
149
# Define: Deterrent Controls
A measure that discourages malicious activities by imposing consequences that outweigh the benefits. ## Footnote Measures taken to discourage or dissuade unwanted actions or behaviors, especially related to malicious activities. By imposing severe consequences or risks, deterrents aim to make the cost of carrying out harmful actions, such as unauthorized access or data breaches, outweigh any potential benefits. Examples include security awareness training to deter internal staff from unsafe practices, warning banners and visible cameras, or legal penalties for external actors to discourage hacking activities. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types) or this lecture on [Physical security- Part 1.](https://courses.thorteaches.com/courses/take/cissp/lessons/19149785-physical-security-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_controls).*
150
# Define: Deviations from Baselines
Variances from expected standards in IT practices that could indicate performance issues or security incidents. ## Footnote Deviations from Baselines refer to any variances observed from the expected or established standards (baselines) within IT and cybersecurity practices, such as a hardened configuration, an approved set of listening services, or known-good hashes of critical files. These deviations might signal a range of issues, from system performance degradation to a potential security incident. Continuous monitoring for such deviations, with each finding either remediated or formally approved as a new baseline, is essential for timely identification and response and for keeping systems stable and secure.
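The card describes comparing a system's current state against an approved baseline. The following added example (not from the original flashcards) implements that comparison for a hypothetical Linux host: it snapshots a few sshd settings, the set of listening ports, and hashes of sensitive files, then reports every added, removed, or modified item relative to the baseline. All inputs (the config text, port lists, and file contents) are constructed for the illustration; a real deployment would gather them from the host and store the baseline somewhere the host cannot alter.

```python
import hashlib

# Constructed baseline inputs, captured when the build was approved.
BASELINE_SSHD = "Port 22\nPermitRootLogin no\nPasswordAuthentication no\n"
BASELINE_PORTS = [22, 443]
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
}

# Constructed "current" inputs showing three deviations: root login enabled,
# a new listening port, and an extra UID-0 account appended to /etc/passwd.
CURRENT_SSHD = "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n"
CURRENT_PORTS = [443, 22, 8080]
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/bash\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
}


def parse_sshd(config_text: str) -> dict:
    """Reduce an sshd_config-style text to a key/value map, ignoring comments."""
    settings = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def snapshot(sshd_config: str, listening_ports, files: dict) -> dict:
    """Build a comparable snapshot: parsed settings, sorted ports, file hashes."""
    return {
        "sshd": parse_sshd(sshd_config),
        "listening_ports": sorted(set(listening_ports)),
        "files": {path: hashlib.sha256(data).hexdigest() for path, data in files.items()},
    }


def diff_snapshot(baseline: dict, current: dict) -> list:
    """Return one record per deviation from the baseline, in a stable order."""
    deviations = []
    for section in ("sshd", "files"):
        base, cur = baseline[section], current[section]
        for item in sorted(set(base) | set(cur)):
            if item not in cur:
                deviations.append({"section": section, "item": item,
                                   "change": "removed", "expected": base[item]})
            elif item not in base:
                deviations.append({"section": section, "item": item,
                                   "change": "added", "actual": cur[item]})
            elif base[item] != cur[item]:
                deviations.append({"section": section, "item": item, "change": "modified",
                                   "expected": base[item], "actual": cur[item]})
    base_ports = set(baseline["listening_ports"])
    cur_ports = set(current["listening_ports"])
    for port in sorted(cur_ports - base_ports):
        deviations.append({"section": "listening_ports", "item": port, "change": "added"})
    for port in sorted(base_ports - cur_ports):
        deviations.append({"section": "listening_ports", "item": port, "change": "removed"})
    return deviations


def demo() -> list:
    """Compare the constructed current state against the constructed baseline."""
    baseline = snapshot(BASELINE_SSHD, BASELINE_PORTS, BASELINE_FILES)
    current = snapshot(CURRENT_SSHD, CURRENT_PORTS, CURRENT_FILES)
    return diff_snapshot(baseline, current)


if __name__ == "__main__":
    for deviation in demo():
        print(deviation)
```

Ordering of ports in the input does not matter because the snapshot normalizes them, so a reboot that reorders services produces no false alarm; only genuine additions, removals, and changes surface. Hashing file contents rather than storing them keeps the baseline small and avoids copying sensitive data into the monitoring system.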
151
# Define: Digital Millennium Copyright Act | (DMCA)
A U.S. law addressing copyright issues in the digital age, including DRM. ## Footnote A US law enacted in 1998 to address the challenges of copyright management in the digital age. The DMCA implements two 1996 World Intellectual Property Organization (WIPO) treaties and provides a legal framework for copyright holders to control how their content is distributed online. It also limits the liability of online service providers for copyright infringement by their users, provided they respond to notices of alleged infringement appropriately. Furthermore, the DMCA prohibits the circumvention of digital rights management (DRM) technologies and outlines a notice-and-takedown process for removing infringing material from the Internet. *For more information, view this lecture on [Intellectual property](https://courses.thorteaches.com/courses/take/cissp/lessons/18552326-intellectual-property). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act).*
152
# Define: Digital Risk Protection
Digital Risk Protection (DRP) proactively identifies, monitors, and mitigates risks in online assets, social media, dark web forums, and other digital channels where organizations face threats. ## Footnote DRP solutions scan internet sources for mentions of a company’s brand, data leaks, phishing attempts, or impersonation profiles. By matching indicators of compromise or unauthorized usage, these platforms alert security teams to take swift corrective actions. Intelligence from DRP helps inform strategic policy and incident response, reducing attack success rates. It extends beyond traditional network defenses to protect public-facing digital footprints that attackers commonly exploit.
153
# Define: Direct Reporting Engagement
An assessment where results are communicated directly to interested parties without intermediaries. ## Footnote Direct Reporting Engagement is a specific type of assessment where an auditor or reviewer directly communicates the results of their evaluation to interested parties without intermediation. The engagement results in a report or statement detailing the auditor's findings regarding the subject matter under review, which could pertain to financial, operational, or security-related concerns.
154
# Define: Directive
A formal instruction or policy from an authority, setting standards and procedures to follow. ## Footnote A formal instruction, order, or policy issued by an authority. It sets a course of action, procedure, or standard to be followed. Directives can be used to implement and enforce compliance with laws and regulations, and in an organizational context, they might outline specific requirements related to information protection, user behavior, or the use of systems and networks. *For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Directive).*
155
# Define: Disclosure
Releasing new or secret information, in both legal and business contexts, often mandated by regulatory compliance for transparency and public interest. ## Footnote The action of making new or secret information known. In a legal context, disclosure can involve the release of evidence or information during the discovery phase of a trial. In the business and financial world, it refers to the act of providing important information to the public, such as a company revealing financial statements or a data breach being reported to customers. Disclosure is a critical concept in regulatory compliance, where laws often require the release of information to protect the public interest and maintain transparency. *For more information, view this lecture on [Laws and Regulations](https://courses.thorteaches.com/courses/take/cissp/lessons/18552277-laws-and-regulations). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)).*
156
# Define: Disclosure Controls and Procedures
Policies ensuring accurate and timely reporting of important information, particularly for financial data, maintaining integrity and confidentiality. ## Footnote Policies and procedures implemented by an organization to ensure that important information, particularly financial information, is accurately and timely reported to those who need to know this information. These controls are established to ensure that data is appropriately processed and disclosed to maintain its integrity and confidentiality and to meet compliance and governance requirements. *For more information, view this lecture on [Laws and Regulations](https://courses.thorteaches.com/courses/take/cissp/lessons/18552277-laws-and-regulations).*
157
# Define: Divestitures
The sale or disposal of assets, subsidiaries, or investments, requiring secure data transfer and compliance with regulations. ## Footnote The process of selling or otherwise disposing of an asset, subsidiary, or investment. In the context of data management, this involves the secure and proper disposal or transfer of digital assets, such as data and software, ensuring that no sensitive data is exposed or lost during the process and that compliance with relevant laws and regulations is maintained. *For more information, view this lecture on [3rd Party, Acquisitions, and Divesture Security](https://courses.thorteaches.com/courses/take/cissp/lessons/18552367-3rd-party-acquisitions-and-divesture-security). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Divestment).*
158
# Define: Documentary Evidence
Recorded information, tangible or digital, used as evidence in investigations, audits, or legal proceedings. ## Footnote The recorded, tangible, or digital information that can be used as evidence in an investigation or audit. This could include written contracts, emails, log files, or transaction records. In the context of digital systems, this often means logs, system messages, and other digitally recorded actions that could serve as proof of an event or activity. *For more information, view this lecture on [Laws and Regulations- Evidence](https://courses.thorteaches.com/courses/take/cissp/lessons/18552296-laws-and-regulations-evidence). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Evidence_(law)).*
159
# Define: DREAD
A risk assessment model for evaluating security vulnerabilities, using Damage, Reproducibility, Exploitability, Affected Users, and Discoverability metrics. ## Footnote An acronym for Damage, Reproducibility, Exploitability, Affected Users, and Discoverability, DREAD is a risk assessment model used to quantify, compare, and prioritize the risk levels of security vulnerabilities in a system. Each factor is rated on a fixed scale and the ratings are combined, typically by averaging, into a single score used to rank findings. It helps stakeholders understand the potential risk of a vulnerability and make informed decisions about mitigations. Because the ratings are subjective, scores vary between assessors; DREAD is most useful as a consistent relative ranking within one team rather than as an absolute measure of risk. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)).*
160
# Define: Due Care
The level of caution expected of someone in a specific role, involving taking steps to protect an organization and its assets from harm. ## Footnote In the context of cybersecurity and business, due care refers to the level of judgment, attention, and prudence reasonably expected of a person in a particular position when taking actions to protect the interests of an organization and mitigate risks. It is essentially taking reasonable steps to protect a company and its assets from harm, which includes implementing and maintaining a comprehensive security program, regularly updating systems, and following best practices and compliance standards. Failure to exercise due care can lead to liability issues for an organization. *For more information, view this lecture on [Laws and Regulations](https://courses.thorteaches.com/courses/take/cissp/lessons/18552277-laws-and-regulations). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Due_care).*
161
# Define: Due Diligence
Investigation and evaluation of an organization's security posture to identify risks, vulnerabilities, and threats. ## Footnote In cybersecurity, due diligence refers to the careful investigation and evaluation of an organization's information security posture and practices. It involves assessing the effectiveness of security policies, procedures, and controls to identify risks, vulnerabilities, and threats to the organization's digital assets. This process is crucial when entering into business agreements or transactions to ensure that potential partners maintain adequate cybersecurity measures and comply with relevant regulations. Due diligence in cybersecurity aims to prevent data breaches, maintain privacy, protect intellectual property, and ensure business continuity. *For more information, view this lecture on [Laws and Regulations](https://courses.thorteaches.com/courses/take/cissp/lessons/18552277-laws-and-regulations). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Due_diligence).*
162
# Define: Due Process
The legal requirement that entities must respect all legal rights owed to a person, ensuring fairness and justice. ## Footnote The legal requirement that an entity, especially a government, must respect all legal rights owed to a person, ensuring fairness and justice. In a cybersecurity context, this principle applies when an entity, such as a corporation or an individual, is suspected of illegal activity such as hacking or other malicious conduct. *For more information, view this lecture on [Laws and Regulations](https://courses.thorteaches.com/courses/take/cissp/lessons/18552277-laws-and-regulations). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Due_process).*
163
# Define: E-commerce
Online buying and selling processes involving the transfer of data and funds over the Internet, including B2B, B2C, C2C, and C2B transactions. ## Footnote The buying and selling of goods or services using the Internet and the transfer of money and data to execute these transactions. E-commerce can be conducted over computers, tablets, smartphones, and other smart devices. It encompasses a wide range of data, systems, and tools for online buyers and sellers, including mobile shopping and online payment encryption. E-commerce platforms can be focused on business-to-business (B2B), business-to-consumer (B2C), consumer-to-consumer (C2C), or consumer-to-business (C2B) transactions. It has transformed retail through online marketplaces, electronic payment systems, online shopping, and digital marketing. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/E-commerce).*
164
# Define: Economic Espionage Act | (EEA)
A U.S. law criminalizing the theft of trade secrets for foreign benefit, addressing industrial and economic espionage. ## Footnote A US federal law that makes it a crime to steal or misappropriate trade secrets for the benefit of a foreign government, instrumentality, or agent. It is used to prosecute individuals or organizations that engage in industrial espionage or other forms of economic espionage. Examples include a company insider selling proprietary information to a foreign competitor or a nation-state hacking into a US company's computer systems to steal trade secrets. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Economic_Espionage_Act_of_1996).*
165
# Define: EFT | (Electronic Funds Transfer)
The electronic transfer of money between bank accounts, used for various financial transactions and payment systems. ## Footnote Refers to the digital transfer of money from one bank account to another, either within the same financial institution or across different institutions, via computer-based systems. EFTs include a variety of financial transactions, such as direct deposits, wire transfers, direct debits, online bill payments, and transactions initiated through credit or debit cards. EFTs enable quick and secure movement of funds, reducing the need for paper checks and cash handling. They are widely used for both personal and business financial transactions. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Electronic_funds_transfer).*
166
# Define: EFTA | (European Free Trade Association)
A regional trade organization consisting of Iceland, Liechtenstein, Norway, and Switzerland, cooperating on economic issues. ## Footnote The European Free Trade Association (EFTA) is a regional trade organization and free trade area consisting of four European states - Iceland, Liechtenstein, Norway, and Switzerland. It operates in parallel with the European Union (EU) and participates in the European Single Market while remaining outside of the EU. EFTA facilitates free trade and economic cooperation between its members and also manages a network of trade relations around the world through its own international trade agreements. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/European_Free_Trade_Association).*
167
# Define: ENISA | (European Union Agency for Network and Information Security)
The EU's center of expertise for cybersecurity, assisting Member States in preventing, detecting, and responding to cyber issues. ## Footnote Established in 2004, ENISA is a center of expertise for cybersecurity in Europe. It helps the EU and its Member States to be better equipped and prepared to prevent, detect, and respond to information security problems. The agency also assists in the development of a high level of network and information security (NIS) to enhance Europe's capability to prevent and react to cyber-attacks and disruptions. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/European_Union_Agency_for_Cybersecurity).*
168
# Define: Enterprise Governance
An approach integrating corporate governance and business management to ensure effective strategy achievement and risk management. ## Footnote A holistic and integrated approach to corporate governance, business management, and assurance. It ensures that an organization's strategies are set effectively, that they are implemented proficiently, and that risk is managed appropriately. This approach is designed to help an organization achieve its goals while maintaining a balance between risk and reward. *For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Corporate_governance).*
169
# Define: Enterprise Risk Management | (ERM)
A discipline addressing an organization's risks comprehensively to support the achievement of objectives. ## Footnote A strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. It involves the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. *For more information, view this lecture on [GRC - Governance, Risk Management, and Compliance](https://courses.thorteaches.com/courses/take/cissp/lessons/45836768-grc-governance-risk-management-and-compliance). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Enterprise_risk_management).*
170
# Define: Enticement
Creating a scenario to lure attackers with existing criminal intent, enabling monitoring and potential apprehension. ## Footnote In a security context, enticement involves the creation of an attractive scenario to lure attackers into engaging in illicit activity that is already part of their intent. Unlike entrapment, it does not induce someone to commit a crime they were not predisposed to commit. Instead, it provides an opportunity for the attacker to act on preexisting criminal intent, allowing law enforcement or security professionals to monitor and potentially apprehend the attacker. *For more information, view this lecture on [Laws and Regulations- Evidence](https://courses.thorteaches.com/courses/take/cissp/lessons/18552296-laws-and-regulations-evidence). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Entrapment#United_States).*
171
# Define: Entrapment
Tempting someone to commit a crime they weren't predisposed to commit, often legally regulated to prevent abuse. ## Footnote In a security context, entrapment refers to the strategy of tempting an attacker to commit a crime in order to catch them in the act. Unlike enticement, which involves luring an already-intent attacker, entrapment can involve creating conditions that provoke an attack that might not otherwise have occurred. This strategy can be controversial and is carefully regulated in many jurisdictions to prevent abuse and maintain fairness. In entrapment, the person is convinced to commit a crime they had not already decided to commit. *For more information, view this lecture on [Laws and Regulations- Evidence](https://courses.thorteaches.com/courses/take/cissp/lessons/18552296-laws-and-regulations-evidence). Or visit this [Wikipedia page](https://en.wikipedia.org).*
172
# Define: ePHI | (Electronic Protected Health Information)
Protected health information in electronic form, safeguarded under laws like HIPAA. ## Footnote Any Protected Health Information (PHI) that is created, stored, transmitted, or received in an electronic form. Under laws such as the Health Insurance Portability and Accountability Act (HIPAA), ePHI must be kept confidential and secure to protect patients' privacy. This often involves the use of encryption, secure networks, and robust access controls. *For more information, view this lecture on [US Laws, European Laws, and International Treaties.](https://courses.thorteaches.com/courses/take/cissp/lessons/18552341-us-laws-european-laws-and-international-treaties). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Protected_health_information).*
173
# Define: ERM | (Enterprise Risk Management)
A broad approach to managing all risks facing an organization with the aim to maximize value by managing the impact of uncertainty on objectives. ## Footnote A comprehensive, systematic approach to managing all the risks that an organization faces. The aim is to maximize the firm's value by managing the potential impact of uncertainty on objectives. This approach includes identifying potential risks, assessing their likelihood and impact, developing response strategies, and monitoring progress. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Enterprise_risk_management).*
174
# Define: Ethical Disclosure
Responsible reporting of vulnerabilities to respective parties, allowing for remediation before they can be exploited maliciously. ## Footnote The practice of reporting vulnerabilities found in software or systems to the party responsible for the software or the broader community rather than exploiting them or making them public immediately. This gives the responsible party an opportunity to address and fix the vulnerability before potential malicious actors can exploit it. *For more information, view this lecture on [Penetration testing tools.](https://courses.thorteaches.com/courses/take/cissp/lessons/19180049-penetration-testing-tools). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure).*
175
# Define: EUROPOL | (European Union Agency For Law Enforcement Cooperation)
EUROPOL is an EU law enforcement agency based in The Hague, coordinating cross-border investigations and intelligence sharing to combat serious international crime and terrorism. ## Footnote It connects police and security bodies from member states, facilitating data analysis, operational support, and joint task forces. EUROPOL focuses on areas like cybercrime, drug trafficking, human smuggling, and financial fraud, aiming to enhance cooperation among national agencies. By centralizing intelligence, providing secure communication channels, and supporting collaborative investigations, EUROPOL strengthens the EU’s collective security framework. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Europol).*
176
# Define: EU-US Privacy Shield
Formerly, a data transfer framework between the EU and US, invalidated in 2020, now replaced by alternate mechanisms like SCCs. ## Footnote The EU-US Privacy Shield was a framework designed to ensure compliance with EU data protection requirements when transferring personal data from the European Union to the United States. However, it's important to note that the Privacy Shield was invalidated by the Court of Justice of the European Union (CJEU) in July 2020. Organizations previously relying on this framework now have to find alternative mechanisms, such as Standard Contractual Clauses (SCCs), for transatlantic data transfers that meet EU data protection standards. *For more information, view this lecture on [US Laws, European Laws, and International Treaties.](https://courses.thorteaches.com/courses/take/cissp/lessons/18552341-us-laws-european-laws-and-international-treaties). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Privacy_Shield).*
177
# Define: Evaluation Assurance Level | (EAL)
A numerical grade in the Common Criteria certification, assessing the design and testing of a product's security features. ## Footnote A numerical grade assigned to an information system product or system for the certification of its security. Defined by the Common Criteria certification standards, the EAL represents a third-party assessment of the design, implementation, and testing of security functions, with levels ranging from EAL1 (functionally tested) to EAL7 (formally verified, designed, and tested). *For more information, view this lecture on [Security evaluation models.](https://courses.thorteaches.com/courses/take/cissp/lessons/18591287-security-evaluation-models). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Evaluation_Assurance_Level).*
178
# Define: Evidence
Information used to support the truth or existence of a claim, crucial in legal, scientific, and cybersecurity contexts for verification. ## Footnote Information presented to support the truth or existence of an assertion. In legal contexts, evidence includes testimony, documents, and objects admissible in court to prove or disprove allegations. In science, evidence consists of collected data and observations that support or refute hypotheses. In cybersecurity, it comprises digital records and activities that indicate the security posture of systems or that a security incident has occurred. *For more information, view this lecture on [Laws and Regulations](https://courses.thorteaches.com/courses/take/cissp/lessons/18552277-laws-and-regulations) and [Digital forensics.](https://courses.thorteaches.com/courses/take/cissp/lessons/19180189-digital-forensics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Evidence).*
179
# Define: Exploit
Software or data that takes advantage of vulnerabilities to cause unintended system behavior, often leading to unauthorized access or control. ## Footnote In cybersecurity, an exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch, or vulnerability in order to cause unintended or unanticipated behavior in software, hardware, or another electronic system. This often includes gaining control over a computer system, escalating privileges, or causing a denial of service. Exploits are a fundamental component of many cyberattacks, using vulnerabilities in applications, operating systems, or networks to gain access or control. *For more information, view this lecture on [Risk- Attackers and Types of Attacks Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588139-risk-attackers-and-types-of-attacks-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Exploit_(computer_security)).*
180
# Define: Export Administration Regulations | (EAR)
U.S. laws governing the export of commercial items, including dual-use technologies with military applications. ## Footnote United States regulatory laws that govern the export and re-export of most commercial items, including "dual-use" items that can serve both commercial and military or proliferation applications. EAR is administered by the Bureau of Industry and Security under the US Department of Commerce and covers technologies such as computers, software, and certain types of data. Companies must comply with EAR when exporting goods and services that could have implications on national security, foreign policy, and anti-terrorism. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Export_Administration_Regulations).*
181
# Define: Exposure
The vulnerability of an organization to threats that could lead to unauthorized access or damage to systems and data. ## Footnote In the context of finance and investments, exposure refers to the degree to which an investor or business is open to risk from market fluctuations, which could potentially lead to loss. In cybersecurity, exposure denotes the vulnerability of an organization or individual to potential threats that could lead to unauthorized access or damage to information systems and data. It is often used to measure the risk associated with network interfaces, code, or practices that make a system susceptible to cyberattacks. Reducing exposure is key to strengthening the security posture. *For more information, view this lecture on [Risk Management- Assessment Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588106-risk-management-assessment-part-2).*
182
# Define: Exposure Factor | (EF)
A percentage representing the potential impact of a threat on an asset, used to quantify loss in risk assessment. ## Footnote A metric that represents the magnitude of loss or impact that a threat could have on a system or data. It's quantified as a percentage of loss that a realized threat would have on a specific asset. For example, an EF of 0.2 (or 20%) for a specific threat would indicate that a realization of that threat would result in a loss of 20% of the asset's value. *For more information, view this lecture on [Risk Management- Assessment Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588106-risk-management-assessment-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Exposure_factor).*
183
# Define: Extended Enterprise
A network including an organization's suppliers, vendors, partners, contractors, and customers, extending its risk landscape. ## Footnote A network of associated entities that a central organization interacts with directly or indirectly, including suppliers, vendors, partners, contractors, and customers. These entities have access to certain data or systems of the central organization, thereby extending the risk landscape and necessitating the use of additional controls to safeguard assets and data. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Extended_enterprise).*
184
# Define: Facilitated Risk Analysis Process | (FRAP)
A methodology for performing qualitative risk analysis and assessment in organizations. ## Footnote A methodology for performing risk analysis and assessment within an organization. It is a qualitative risk management approach that involves identifying threats and vulnerabilities and then discussing potential impacts and countermeasures with the aim of prioritizing risks. FRAP is designed to be less time-consuming than quantitative risk analysis by focusing on the most critical assets and their most likely threats, facilitating the involvement of multiple stakeholders to reach a consensus on risk priorities and mitigation strategies. It provides a streamlined process that organizations can use to quickly identify and address their most significant risks. *For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_analysis_(business)#Facilitated_risk_analysis_process).*
185
# Define: FAIR | (Factor Analysis of Information Risk)
FAIR is a risk management framework that quantifies cybersecurity risks in financial terms, enabling data-driven decisions on security investments and risk-reduction strategies. ## Footnote Instead of relying on vague threat ratings, FAIR uses probabilistic modeling to estimate potential loss events and the frequency of incidents. Key components include measuring threat capability, vulnerability, and loss magnitude. By translating technical risks into monetary values, security teams can compare cybersecurity spending against potential impact. FAIR fosters executive-level support by aligning security objectives with business goals, offering clarity on where to prioritize resources and how to reduce overall risk exposure. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Factor_analysis_of_information_risk).*
186
# Define: Feasibility Study
An analysis that evaluates a project's practicality, cost-effectiveness, and potential profitability before commitment. ## Footnote A critical analysis and evaluation of a proposed project or system to determine if it is technically feasible, if it is feasible within the estimated cost, and if it will be profitable or not. This process typically involves evaluating different solutions and recommending the most effective option based on factors such as cost efficiency, technical capabilities, and regulatory compliance. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Feasibility_study).*
187
# Define: Federal Information Processing Standards | (FIPS)
Standards developed by the U.S. government for computer systems, focusing on security and interoperability. ## Footnote Publicly announced standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors. FIPS standards are issued to establish requirements for various purposes, such as ensuring computer security and interoperability, and are intended to be adhered to both by the agencies themselves and any companies doing business with them. Among the well-known FIPS standards is FIPS 140, which specifies the security requirements for cryptographic modules used within a security system protecting sensitive but unclassified information. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards).*
188
# Define: Federal Privacy Act of 1974 (US)
A U.S. law protecting the privacy of personal data held by federal agencies, mandating fair information practices. ## Footnote A United States federal law that establishes a code of fair information practices governing the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. It was enacted in response to concerns about how the creation and use of computerized databases might impact individuals' privacy rights. The Privacy Act requires federal agencies to share information about their records with individuals upon request and to follow various principles, known as "Fair Information Practices," about information collection, use, and disclosure. It also restricts the disclosure of personal data without the consent of the individual. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Privacy_Act_of_1974).*
189
# Define: FERPA | (Family Educational Rights and Privacy Act)
A U.S. law that protects student educational records' privacy at federally funded institutions. ## Footnote A United States federal law that protects the privacy of student education records. This law applies to all schools that receive funds through an applicable program of the US Department of Education, ensuring that parents have certain rights with respect to their children's education records, and these rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Family_Educational_Rights_and_Privacy_Act).*
190
# Define: Final Omnibus Rule
Amendments to HIPAA including stricter privacy and security rules for personal health information. ## Footnote Refers to a set of regulations that significantly amends the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules. Published in January 2013 by the US Department of Health and Human Services, the rule strengthens the privacy and security protection for individuals' health information, modifies the breach notification requirements under the HITECH Act, provides increased flexibility, and strengthens the government's ability to enforce the law. It also extends the requirements to cover business associates of healthcare entities. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act).*
191
# Define: Financial Audit
A detailed inspection of an organization's financial records by a qualified professional to assure accuracy and compliance with regulations. ## Footnote A systematic examination and verification of an organization's financial and accounting records and supporting documents by a professional, such as a Certified Public Accountant. This process involves checking financial statements, accounting books, and banking information to confirm that they are accurate, complete, and in accordance with established laws, regulations, and industry standards. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Financial_audit).*
192
# Define: FIPS 140-2
A U.S. government standard that accredits cryptographic modules based on four increasing levels of security requirements. ## Footnote A US government computer security standard used to accredit cryptographic modules. The title is "Security Requirements for Cryptographic Modules", and it provides four increasing, qualitative levels of security - Level 1 to Level 4. It specifies requirements for the physical security of, and role-based authentication to, cryptographic modules used within security systems protecting sensitive but unclassified information. The standard is applicable to all federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems). *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/FIPS_140-2).*
193
# Define: FIPS 199
A U.S. standard for categorizing information and systems to determine the needed level of security controls. ## Footnote A mandatory standard developed by the National Institute of Standards and Technology (NIST) in the United States for defining security requirements for information systems. FIPS 199 categorizes information and information systems, which helps to identify the appropriate level of security controls. The standard assists *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/FIPS_199).*
194
# Define: FIPS 200
A mandatory standard prescribing minimum security requirements for federal information systems, except national security systems. ## Footnote A legally mandated standard that stipulates minimum security requirements for federal information and information systems. It defines a practical and flexible framework that federal agencies must follow to document and implement controls from the NIST Special Publication 800-53, which provides guidelines for selecting security controls for information systems supporting the executive agencies of the federal government. The controls are intended to safeguard all information systems except those related to national security. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002#Security_controls).*
195
# Define: FIPS 202
A standard that specifies the SHA-3 family of cryptographic hash functions, providing data integrity and security. ## Footnote FIPS 202, titled "SHA-3 Standard - Permutation-Based Hash and Extendable-Output Functions," specifies the Secure Hash Algorithm-3 (SHA-3) family of cryptographic hash functions. SHA-3 is a subset of cryptographic hash functions, including SHA3-224, SHA3-256, SHA3-384, and SHA3-512, as well as SHAKE128 and SHAKE256, which are extendable-output functions (XOFs). It is designed to provide integrity and security for digital data and is utilized as part of various security applications and protocols. *Or visit this [NIST page](https://csrc.nist.gov/projects/hash-functions/sha-3-project/sha-3-standardization).*
196
# Define: Fiscal Year
A one-year accounting period for financial statements, budgeting, and taxation, often not aligned with the calendar year. ## Footnote A one-year period that companies and governments use for accounting and preparing financial statements. A fiscal year is often different from a calendar year and can vary between organizations. It is used for budgeting, keeping accounts, and taxation purposes and is designed to end during a period when the operations of the company are at a low point, making it easier to compile financial and operational results. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Fiscal_year).*
197
# Define: FTC | (Federal Trade Commission)
A U.S. agency enforcing consumer protection laws to prevent fraudulent business practices. ## Footnote An independent agency of the United States government that enforces federal consumer protection laws. Its purpose is to prevent deceptive or fraudulent business practices and protect consumers. For example, the FTC has brought lawsuits against companies for false advertising or unfair business practices. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Federal_Trade_Commission).*
198
# Define: Full Disclosure
The practice of publicly revealing all known vulnerabilities, pressuring vendors to address issues and informing users of risks. ## Footnote The practice of revealing all known vulnerabilities of a system or software to the public. This approach is often taken by security researchers and ethical hackers after finding a security weakness to ensure that all stakeholders, including the vendor and users, are aware of the issue. The intent is usually to pressure the software producer into addressing the vulnerability promptly while enabling users to understand their risk exposure and take necessary precautions, such as applying patches or workarounds. *For more information, view this lecture on [Laws and Regulations](https://courses.thorteaches.com/courses/take/cissp/lessons/18552277-laws-and-regulations). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)).*
199
# Define: Full Economic Life Cycle
The series of stages an asset goes through from creation to disposal, accounting for costs and revenues. ## Footnote The complete series of stages that an asset, product, or service goes through from creation to its final use or disposal. This includes design, production, distribution, operation and maintenance, and finally, disposal or recycling. The full economic life cycle accounts for all costs and revenues associated with the asset over its entire lifetime and is used for the comprehensive assessment of the total cost of ownership, environmental impact, and value generation. It's a concept used in economics, finance, and sustainable development to evaluate the long-term economic, environmental, and social outcomes of investments or business strategies.
200
# Define: GAAP | (Generally Accepted Accounting Principles)
Accounting rules for financial reporting that public U.S. companies must follow for consistency. ## Footnote Pertains to a common set of accounting rules and standards for financial reporting that public companies in the United States must follow. These principles are designed to ensure consistency, reliability, and comparability of financial statements. In the context of IT and cybersecurity firms, GAAP guides the recording and reporting of financial transactions, including the capitalization and expense recognition of software development costs, purchase of IT equipment, and investments in cybersecurity infrastructure. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Generally_Accepted_Accounting_Principles_(United_States)).*