Domain 1 Summary Cards

Question 1

Control Objectives for Information and Related Technologies (COBIT)

Answer 1

IT governance framework for risk, control, and performance management. It outlines end to end IT governance objectives and processes that encompass many security requirements and concepts.

Question 2

ISO/IEC 27001

Answer 2

International standard for information security management systems (ISMS)

Question 3

NIST Cybersecurity Framework (CSF)

Answer 3

Guidelines for improving cybersecurity posture.

Question 4

Information Technology Infrastructure Library (ITIL)

Answer 4

IT service management best practices.

Question 5

Policies

Answer 5

High-level statements of security objectives (e.g., “All data must be encrypted”).

Question 6

Standards

Answer 6

Mandatory security controls that enforce policies (e.g., “AES-256 encryption for sensitive data”).

Question 7

Guidelines

Answer 7

Recommended best practices (e.g., “Use passphrases instead of passwords”).

Question 8

Procedures

Answer 8

Step-by-step instructions for implementing policies (e.g., “How to configure encryption”).

Question 9

Risk Management Process

Answer 9

1. Risk Identification
2. Risk Assessment (Analysis)
3. Risk Treatment (Response Options)
4. Risk Monitoring

Question 10

Risk Identification

Answer 10

Identify threats and vulnerabilities.

Question 11

Qualitative

Answer 11

Subjective assessment (e.g., high, medium, low risk).

Question 12

Quantitative

Answer 12

Uses numerical values

Question 13

DREAD

Answer 13

Evaluates risk impact based on
Damage
Reproducibility
Exploitability
Affected Users
Discoverability

Question 14

COBIT Principles

Answer 14

Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End to End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance from Management

Question 15

STRIDE

Answer 15

Threat Modeling methodology developed by Microsoft to help identify and classify computer security threats
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

Question 16

PASTA

Answer 16

Process for Attack Simulation and Threat Analysis. Risk based threat model that supports dynamic threat analysis.
Integrates business objectives with technical requirements.

Question 17

7 stages of PASTA

Answer 17

Define objectives
Define technical scope
Application decomposition
Threat Analysis
Vulnerability analysis
Attack enumeration
Risk and impact analysis

Question 18

General Data Protection Regulation (GDPR)

Answer 18

Regulations that require organizations around the world to protect the privacy of EU citizens.

Question 19

GDPR 7 Principles for Processing Personal Data

Answer 19

Lawfulness, fairness, and transparency
Purpose limitation
Data Minimization
Accuracy
Storage limitation
Integrity and confidentiality
Accountability

Question 20

NIST Risk Management Framework (RMF)

Answer 20

U.S government framework for security risk management

Question 21

ISO 3100

Answer 21

Enterprise risk management framework

Question 22

Common Vulnerabilities and Exposures (CVE)

Answer 22

Database of known security vulnerabilities

Question 23

Common Vulnerability Scoring System (CVSS)

Answer 23

Measures severity of vulnerabilities