Domain 1.1: Security and Risk Management Flashcards

Review key terms related to governance, risk, compliance, and security principles.

1
# Define: GAAS | (Generally Accepted Auditing Standards)
Guidelines for auditors conducting financial statement audits, ensuring accuracy and reliability.
## Footnote
A set of systematic guidelines used by auditors when conducting audits of companies' financial statements, ensuring the accuracy, consistency, and verifiability of auditors' actions and reports. GAAS covers the auditor's general qualifications (independence, due care), the conduct of fieldwork (planning, evidence), and reporting. In IT and cybersecurity, GAAS-based audits extend to the IT general controls (access, change management, operations) that underpin financial reporting, so IT auditors are held to the same standards of independence, evidence, and reporting.
*For more information, visit this Wikipedia page.*
2
# Define: Gamification
Applying game design elements to non-game contexts to boost engagement and motivation, also used for security training.
## Footnote
The use of game design elements and mechanics in non-game contexts to increase user engagement and motivation. It is used in various industries, including information security, to make tasks and activities more enjoyable and rewarding for users. Examples include using points, badges, and leaderboards to incentivize users to follow security best practices or using game-like challenges to educate users about security threats.
*For more information, view this lecture on Information Security Governance: Policies, Procedures, Guideline, and Frameworks. Or visit this Wikipedia page.*
3
# Define: General Computer Control
Infrastructure controls providing a secure foundation for all applications, like network security and access controls.
## Footnote
The infrastructure controls in a computer system, also called IT general controls (ITGCs), including network security, access controls, change management, and data backup procedures, among others. These controls are not specific to individual applications within the system but, instead, provide a secure foundation that supports all applications. They help ensure the integrity, reliability, and security of data and systems by safeguarding the IT environment and enabling the effective operation of application controls; a weakness in a general control (for example, unrestricted administrative access to the database server) undermines every application control that depends on it.
*For more information, visit this Wikipedia page.*
4
# Define: General Data Protection Regulation | (GDPR)
An EU regulation governing the protection and processing of personal data, with reach beyond the EU's borders.
## Footnote
A European Union regulation (Regulation (EU) 2016/679, applicable since May 2018) governing the protection and processing of personal data. It applies to organisations established in the EU and to organisations elsewhere that offer goods or services to, or monitor the behaviour of, people in the EU. It gives individuals control over their personal data and requires organisations to process it lawfully, transparently, and for a stated purpose. Examples of GDPR obligations include establishing a lawful basis (such as consent) before processing, honouring data subject rights such as access, erasure, and objection, and notifying the supervisory authority of a qualifying personal data breach within 72 hours of becoming aware of it.
*For more information, view this lecture on GDPR (General Data Protection Regulation). Or visit this Wikipedia page.*
5
# Define: Geographic Restrictions
Geographic restrictions limit digital content, services, or access rights based on a user's physical location, often enforced via IP geolocation or other location signals.
## Footnote
Commonly applied by streaming platforms, online services, or regulatory frameworks, these restrictions control who can view or use specific content. Businesses may block certain regions to comply with licensing, trade sanctions, or data laws. While it helps maintain localized agreements, users sometimes bypass such controls with proxies or VPNs. Properly enforced geographic restrictions protect intellectual property, meet legal demands, and secure region-based data requirements.
*For more information, visit this Wikipedia page.*
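The enforcement mechanism described above, as an added example that is not part of the original flashcard deck: a small IP geofence in Python. The CIDR-to-country table is constructed for the example (it uses documentation prefixes, not real allocations), the function names are my own, and the two practitioner checks it builds in are the ones this card's footnote hints at: `X-Forwarded-For` is trusted only when it arrives from one of our own proxies (otherwise a client can choose its own location), and an address the table cannot place is denied by default, which is the safe setting for sanctions or licensing enforcement.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed sample allocation table (not real registry data). It maps CIDR
# blocks to ISO 3166-1 alpha-2 country codes; a real deployment would load an
# RIR-derived or commercial geolocation database instead.
SAMPLE_GEO_TABLE = {
    "203.0.113.0/24": "DE",    # TEST-NET-3, labelled DE for this example
    "198.51.100.0/24": "US",   # TEST-NET-2, labelled US for this example
    "2001:db8:1::/48": "FR",   # IPv6 documentation prefix, labelled FR
}

# Parse once; with overlapping blocks the most specific prefix must win,
# so longer prefixes are tried first.
_NETWORKS = sorted(
    ((ipaddress.ip_network(cidr), cc) for cidr, cc in SAMPLE_GEO_TABLE.items()),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)


def country_for_ip(ip: str) -> Optional[str]:
    """Return the country code for ip, or None when the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _NETWORKS:
        if addr.version == net.version and addr in net:
            return cc
    return None


def client_ip(remote_addr: str, forwarded_for: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Choose the address to geolocate.

    X-Forwarded-For is honoured only when the direct peer is one of our own
    proxies; otherwise any client could pick its location by sending the
    header itself.
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    if forwarded_for and any(peer in net for net in trusted):
        # The leftmost entry is the client as seen by the first proxy.
        return forwarded_for.split(",")[0].strip()
    return remote_addr


def geo_decision(ip: str, blocked_countries: set,
                 fail_closed: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason).

    An address the table cannot place is denied when fail_closed is True,
    which is the right default for sanctions or licensing enforcement.
    """
    cc = country_for_ip(ip)
    if cc is None:
        return (not fail_closed, "unknown-location")
    if cc in blocked_countries:
        return (False, "blocked-country:" + cc)
    return (True, "allowed-country:" + cc)
```

The VPN and proxy bypass mentioned in the footnote is not something this check can see: a user arriving through an exit node in an allowed country is indistinguishable from a local user at the IP layer, so organisations that must enforce geography strictly pair IP geofencing with other signals (billing address, device attestation, known VPN exit lists).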
6
# Define: Governance
The process of directing an organization to achieve its goals, involving planning, compliance, and strategic decision-making.
## Footnote
The process of managing and directing an organization to achieve its goals and objectives. It is used to ensure that an organization operates efficiently and effectively. Examples of governance include setting policies and procedures, monitoring compliance, and making strategic decisions.
*For more information, view this lecture on Governance and Management. Or visit this Wikipedia page.*
7
# Define: Governance Framework
Guidelines and principles for organizational governance, ensuring structured and consistent approaches.
## Footnote
A set of guidelines and principles for governing an organization. It is used to provide a consistent and structured approach to governance. Examples of a governance framework include the COBIT framework for IT governance and the ISO/IEC 27001 standard for information security management.
*For more information, view this lecture on Standards and Frameworks. Or visit this Wikipedia page.*
8
# Define: Governance of Enterprise IT | (GEIT)
Managing IT resources to achieve organizational goals and ensure efficient, secure operations.
## Footnote
The process of managing and directing the use of IT resources within an organization to achieve its goals and objectives. The term comes from ISACA's COBIT framework, which separates governance (evaluating, directing, and monitoring, performed by the board) from management (planning, building, running, and monitoring, performed by executives). It is used to ensure that IT systems are aligned with the organization's strategic objectives and operate efficiently and securely. Examples of governance of enterprise IT include establishing IT policies and procedures, monitoring IT compliance, and making strategic IT decisions.
*For more information, visit this Wikipedia page.*
9
# Define: Governance, Risk Management and Compliance | (GRC)
A framework integrating governance, risk, and compliance activities in organizations.
## Footnote
A framework for managing an organization's governance, risk, and compliance activities. It is used to ensure that an organization operates efficiently and effectively while mitigating potential risks and complying with regulations. Examples of GRC include implementing a risk management program, conducting compliance audits, and developing a governance framework.
*For more information, view this lecture on GRC - Governance, Risk Management, and Compliance. Or visit this Wikipedia page.*
10
# Define: Governance/Management Practice
Processes and procedures for organizational management, ensuring effective and efficient operations.
## Footnote
The processes and procedures used to manage and direct an organization. It is used to ensure that an organization operates efficiently and effectively. Examples of governance/management practices include setting policies and procedures, monitoring compliance, and making strategic decisions.
*For more information, view this lecture on Governance and Management.*
11
# Define: Government Information Security Reform Act of 2000
A U.S. law mandating security programs for federal information systems and annual reviews.
## Footnote
A US federal law, enacted in 2000, that requires government agencies to implement an agency-wide program to provide security for the information systems that support their operations and assets. The law mandates annual reviews and reports on the adequacy and effectiveness of information security policies, procedures, and practices, contributing to a more robust and accountable approach to information security in federal agencies. It was superseded by the Federal Information Security Management Act (FISMA) of 2002, which retained and expanded its program and reporting requirements.
12
# Define: Gramm-Leach-Bliley Act | (GLBA)
A U.S. law requiring financial institutions to protect customer information and ensure data security.
## Footnote
A law passed in the United States in 1999 that requires financial institutions to protect their customers' nonpublic personal information. Its key provisions for security are the Financial Privacy Rule (notice of information-sharing practices and the customer's right to opt out), the Safeguards Rule (a written information security program with designated responsibility, risk assessment, and safeguards proportionate to the risk), and the pretexting provisions (prohibiting obtaining customer information under false pretences). It is used to ensure that financial institutions handle personal data responsibly and that customers' information is secure. Examples of GLBA compliance include implementing security policies and procedures, conducting security audits, and providing security training to employees.
*For more information, view this lecture on US Laws, European Laws, and International Treaties. Or visit this Wikipedia page.*
13
# Define: Gray Hat Hacker
A gray hat hacker is an individual who may explore or breach systems without malicious intent, sometimes violating laws or ethical boundaries for research or personal curiosity.
## Footnote
Unlike black hats who exploit for gain and white hats who adhere to ethical guidelines, gray hats occupy a moral middle ground. They might disclose vulnerabilities privately or publicly, occasionally seeking compensation. Their discoveries advance cybersecurity awareness, but unapproved testing can create legal conflicts. Understanding gray hat motivations helps organizations refine responsible disclosure policies and threat intelligence.
*For more information, view this lecture on Risk- Attackers and Types of Attacks Part 1. Or visit this Wikipedia page.*
14
# Define: Guide for Implementing the Risk Management Framework | (RMF)
NIST guidance for federal systems on using the RMF, ensuring security and compliance.
## Footnote
A publication by the National Institute of Standards and Technology (NIST), issued as NIST SP 800-37, that provides guidance on applying the Risk Management Framework (RMF) to federal information systems. It is used in the government sector to ensure the security and compliance of information systems. An agency follows the RMF steps (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) to bring a system to an authorization to operate and to keep it there through continuous monitoring; the Prepare step was added in Revision 2 (2018) to set organization-level context before any system-level work starts.
*For more information, view this lecture on NIST SP 800-37 Revision 1 and 2. Or visit this Wikipedia page.*
15
# Define: Guideline
A recommended, non-mandatory practice that steers actions in security work, supporting standards and system protections.
## Footnote
A general rule or recommended practice designed to steer actions or decisions in security practices. In the policy hierarchy (policy, standard, procedure, guideline), a guideline is advisory rather than mandatory: it suggests how a requirement can be met where a standard does not dictate one. Guidelines support the creation and maintenance of standards for system and network security, data protection, threat mitigation, and regulatory compliance. Examples of widely used guidance include the OWASP Top 10 for web application security and the NIST Cybersecurity Framework for risk management; by contrast, ISO/IEC 27001 is a certifiable standard whose requirements are mandatory for organizations claiming conformance, so it is best cited as a standard rather than a guideline.
*For more information, view this lecture on Information Security Governance: Policies, Procedures, Guideline, and Frameworks. Or visit this Wikipedia page.*
16
# Define: Hacker
An individual exploiting technical knowledge to gain unauthorized access, ranging from malicious black hats to ethical white hats.
## Footnote
An individual who uses technical knowledge and expertise to gain unauthorized access to systems, networks, or data. Hackers can be motivated by various reasons, such as curiosity, financial gain, or political activism. Examples of hackers include black hat hackers who engage in illegal activities, white hat hackers who use their skills for defensive purposes, and gray hat hackers who straddle the line between the two.
*For more information, view this lecture on Risk- Attackers and Types of Attacks Part 1. Or visit this Wikipedia page.*
17
# Define: Hacktivists
Hacktivists are politically or socially motivated hackers who launch cyberattacks, defacements, or data leaks to promote a social, ethical, or ideological cause.
## Footnote
Acting under banners like Anonymous, hacktivists target governments, corporations, or institutions they view as unethical or oppressive. Their methods may include DDoS attacks, doxxing, or website vandalism to broadcast their message. While some see them as digital protesters, their actions often violate laws. Organizations counter hacktivists by strengthening defenses, monitoring social sentiment, and implementing robust incident response protocols.
*For more information, view this lecture on Risk- Attackers and Types of Attacks Part 1. Or visit this Wikipedia page.*
18
# Define: Health Information Technology for Economic and Clinical Health Act (US) | (HITECH Act)
A U.S. law promoting health information technology use and expanding HIPAA rules.
## Footnote
A US law enacted as part of the American Recovery and Reinvestment Act of 2009. The act promotes the adoption and meaningful use of health information technology, specifically electronic health records. Its significant security aspects are that it expands the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA), extends the requirement to safeguard health information directly to business associates of covered entities, strengthens the enforcement of HIPAA rules with tiered civil penalties, and introduces the HIPAA Breach Notification Rule, which requires notification of affected individuals and the Department of Health and Human Services after a breach of unsecured protected health information.
*For more information, visit this Wikipedia page.*
19
# Define: Health Insurance Portability and Accountability Act (US) | (HIPAA)
A U.S. law establishing standards for the protection of health information.
## Footnote
A US law passed in 1996 that sets standards for the protection of certain health information. The Privacy Rule, a key component of HIPAA, protects the privacy of individually identifiable health information (protected health information, PHI), and the Security Rule, another key component, sets national standards for the security of electronic protected health information (ePHI), requiring administrative, physical, and technical safeguards. Compliance with HIPAA requirements ensures that a patient's health information is properly protected while allowing the necessary information to be disclosed for patient care and other important purposes.
*For more information, view this lecture on US Laws, European Laws, and International Treaties. Or visit this Wikipedia page.*
20
# Define: Hearsay Evidence
Statements made outside of court used as proof, generally not admissible in court barring exceptions.
## Footnote
Any statement made outside the courtroom that is presented in court to prove the truth of the matter asserted. In the context of cybersecurity, hearsay could be a third-party report or statement about a cyber incident, attack, or vulnerability. Such evidence is generally inadmissible because the person who made the statement is not available for cross-examination, except under recognised exceptions. System logs and other records produced automatically or in the ordinary course of business are commonly admitted under the business-records exception, but only if the organization can show how they were generated, that they were kept in the normal course of operations, and that they have not been altered since collection. For this reason, proper forensic techniques and chain-of-custody documentation are crucial in collecting and preserving evidence related to cyber incidents.
*For more information, view this lecture on Laws and Regulations- Evidence. Or visit this Wikipedia page.*
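The chain-of-custody documentation this card ends on, as an added example in Python that is not part of the original deck: the item is hashed at acquisition, re-hashed at every hand-off, and any mismatch is recorded and refuses the transfer, so the record can later show the bytes presented in court are the bytes collected. The evidence content is a constructed firewall log, and the record layout and function names are my own; a real investigation would also capture the collection tool, version, and source device in the record.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List

# Constructed sample evidence: a short firewall log as it might be exported
# from a device during an investigation. The content is made up.
SAMPLE_EVIDENCE = (
    b"2024-03-08T02:13:41Z DROP src=203.0.113.7 dst=10.0.0.12 dport=445\n"
    b"2024-03-08T02:13:42Z DROP src=203.0.113.7 dst=10.0.0.13 dport=445\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str        # UTC, ISO 8601
    handler: str          # person or system taking the action
    action: str           # acquired / released / received / integrity-failure
    evidence_hash: str    # SHA-256 of the item as observed at that moment


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    acquisition_hash: str                          # hash fixed at acquisition
    chain: List[CustodyEntry] = field(default_factory=list)

    def log(self, handler: str, action: str, current_hash: str) -> None:
        self.chain.append(CustodyEntry(
            datetime.now(timezone.utc).isoformat(), handler, action, current_hash))


def acquire(item_id: str, description: str, data: bytes, handler: str) -> EvidenceRecord:
    """Hash the item at the moment of collection and open its custody chain."""
    h = sha256_hex(data)
    record = EvidenceRecord(item_id, description, h)
    record.log(handler, "acquired", h)
    return record


def transfer(record: EvidenceRecord, from_handler: str, to_handler: str,
             data: bytes) -> bool:
    """Re-hash on every hand-off; a mismatch is logged and the transfer refused."""
    h = sha256_hex(data)
    intact = hmac.compare_digest(h, record.acquisition_hash)
    record.log(from_handler, "released" if intact else "integrity-failure", h)
    if intact:
        record.log(to_handler, "received", h)
    return intact


def chain_intact(record: EvidenceRecord) -> bool:
    """True only if every custody entry saw the same bytes as were acquired."""
    return bool(record.chain) and all(
        hmac.compare_digest(e.evidence_hash, record.acquisition_hash)
        for e in record.chain)


def custody_report(record: EvidenceRecord) -> List[str]:
    """Lines suitable for an evidence log or an affidavit."""
    lines = [f"Item {record.item_id}: {record.description}",
             f"Acquisition SHA-256: {record.acquisition_hash}"]
    lines += [f"{e.timestamp} {e.handler:<10} {e.action:<18} {e.evidence_hash[:16]}..."
              for e in record.chain]
    return lines
```

The hash is what makes the record more than an assertion: a custodian can testify that the digest they recorded matches the digest computed in court, which is the showing the business-records exception asks for. The record itself should be stored somewhere the people in the chain cannot edit (append-only log, signed entries), or it is hearsay of exactly the kind the card warns about.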
21
# Define: HITRUST | (Health Information Trust Alliance)
A security framework used in healthcare to ensure ePHI privacy and security.
## Footnote
The HITRUST Common Security Framework (CSF) is a certifiable control framework used in the healthcare industry to ensure the privacy and security of electronic protected health information (ePHI). It maps and harmonizes requirements from sources such as HIPAA, NIST, ISO/IEC 27001, and PCI DSS, so one assessment can support several compliance obligations. It is used by healthcare organizations to assess and mitigate risks to ePHI and to meet regulatory requirements. Examples of organizations using HITRUST include hospitals, clinics, and insurance companies.
*For more information, visit this Wikipedia page.*
22
# Define: Horizontal Defense-in-Depth
Multiple security measures implemented at the same network layer to create a multi-layered defense.
## Footnote
Horizontal defense-in-depth encompasses the implementation of security measures at the same network layer to create a multi-faceted barrier to threats. It involves using a variety of tools and techniques at a particular point in the network architecture, such that an attacker breaching one control encounters another; for example, a network segment protected by both a stateful firewall and an intrusion prevention system, or an endpoint covered by both application allow-listing and behavioural anti-malware. It is the counterpart of vertical defense-in-depth, which places controls at successive layers (perimeter, network, host, application, data) so that a threat must pass through each in turn.
23
# Define: Identity Theft
The illegal act of obtaining another person's personal information for fraudulent purposes or financial gain.
## Footnote
The act of obtaining and using another individual's personal information without their permission for fraudulent purposes. Identity theft is a common concern in the digital world, as personal information can be easily accessed and stolen through cyber-attacks. Examples include using stolen credit card information to make unauthorized purchases or accessing someone's bank account without their knowledge.
*For more information, view this lecture on US Laws, European Laws, and International Treaties. Or visit this Wikipedia page.*
24
# Define: Impact
The potential consequences of threats exploiting vulnerabilities, affecting the security and operations of an entity.
## Footnote
The potential consequences or damage that could occur due to a threat exploiting a vulnerability. This could involve loss of integrity, availability, or confidentiality of data, financial losses, damage to reputation, legal implications, or other negative effects on an organization or individual. The severity of the impact helps to prioritize response strategies and investment in preventative measures.
*For more information, view this lecture on BIA (Business Impact Analysis). Or visit this Wikipedia page.*
25
# Define: Impact Analysis
Assessing the potential consequences of changes or disruptions to inform decisions and risk management strategies.
## Footnote
A process used to understand the potential consequences of a change in a system, application, or another component of an organization's operations. Impact analysis can be used in various contexts, such as assessing the potential effects of a security incident or evaluating the implications of a new policy or process. It aids in decision-making, planning, and risk management, helping to identify potential risks, required resources, and strategies for minimizing negative effects.
*For more information, view this lecture on [BIA (Business Impact Analysis)](https://courses.thorteaches.com/courses/take/cissp/lessons/18588174-bia-business-impact-analysis). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_impact_analysis).*
26
# Define: Impact Assessment
Evaluating the potential effects of proposed actions or decisions, often in security, to inform planning and risk management.
## Footnote
A systematic process that identifies and evaluates the potential consequences (positive or negative) of a proposed action or decision. In a security context, it often involves understanding the effects of a security breach, policy change, or new technology deployment. The assessment could consider multiple factors, including potential financial, reputational, operational, and legal impacts.
*For more information, view this lecture on [BIA (Business Impact Analysis)](https://courses.thorteaches.com/courses/take/cissp/lessons/18588174-bia-business-impact-analysis). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Impact_assessment).*
27
# Define: Impairment
Any condition that disrupts the optimal functioning of systems, applications, or networks, potentially leading to insecurity or unreliability.
## Footnote
Any event or condition that disrupts the optimal functioning of a system, application, or network. It can be caused by a wide range of incidents, including hardware failure, software bugs, malicious attacks, or network congestion. The objective of many security protocols is to identify and resolve impairments to maintain system reliability and availability.
28
# Define: Implementation and Evaluation
Executing changes and assessing their effectiveness and compliance, crucial for security and stability.
## Footnote
The stage in change management where changes are executed and their effects are assessed. Implementation involves enacting the changes, monitoring the process for issues, and making necessary adjustments. The evaluation follows implementation, assesses the success of the changes in meeting their intended outcomes, and identifies any unintended consequences. In this phase, system performance, stability, and security are key points of assessment to confirm that changes haven't inadvertently introduced vulnerabilities or weakened existing protections.
*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Implementation#Information_technology).*
29
# Define: Import/Export Controls
Regulations on cross-border technology transfer, ensuring security and compliance in handling sensitive tools or data.
## Footnote
Import/export controls refer to regulations and compliance measures applied to the cross-border transfer of sensitive technologies, including dual-use items, military goods, encryption software, and other cybersecurity-related tools. These controls are designed to prevent items from being used for purposes that could threaten national security or interests. Examples include the multilateral Wassenaar Arrangement and, in the US, the Export Administration Regulations (EAR) for dual-use items and the International Traffic in Arms Regulations (ITAR) for defence articles. Strong cryptography has historically been a controlled item under these regimes, and intrusion software and some vulnerability-research tooling fall under Wassenaar categories, so security teams shipping products or sharing tools across borders need a classification decision before release.
*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Export_controls).*
30
# Define: Inconsequential Deficiency
A minor security weakness with minimal impact that does not necessitate immediate attention but should still be addressed.
## Footnote
A security weakness that does not have a significant impact on the overall security of the system. These deficiencies are typically low-risk and do not require immediate attention but should still be addressed in order to maintain the overall security of the system. An example might be a password policy that omits a complexity rule for accounts that are already protected by multi-factor authentication and account lockout. The same finding would not be inconsequential for accounts without such compensating controls, so the judgement depends on context and the reasoning should be recorded with the finding.
31
# Define: Independence
The self-sufficiency of a system or operation to function without external dependencies, important for stability and security.
## Footnote
In the context of IT, independence refers to the self-sufficiency of a system or operation, such that it can function without external dependencies or interventions. This is critical for system stability and security, as it reduces reliance on third-party systems that could become single points of failure or introduce additional security vulnerabilities. In audit and assurance contexts the same word refers to auditor independence: the auditor must be free of relationships with, and reporting lines into, the function being audited, so that findings are not influenced by the people they concern.
32
# Define: Informal Security Policy
Unwritten rules or practices adopted by an organization for information security, less common in regulated environments.
## Footnote
An informal security policy consists of unwritten rules or common practices adopted by an organization to safeguard its information and systems. While not formally documented, these practices are understood and followed by members of the organization. Such policies are more common in less regulated or smaller environments where formal policies have not been established.
*For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security_policy).*
33
# Define: Information Assurance | (IA)
Safeguarding information systems from unauthorized access or alterations, ensuring data confidentiality, integrity, and availability.
## Footnote
The practice of protecting and securing an organization's information and systems. This includes activities such as risk management, security planning, and incident response. Information assurance is commonly described by five pillars: confidentiality, integrity, availability, authentication, and non-repudiation. It is broader than information security in that it also covers the trustworthiness of the information itself and of the processes that produce and use it. Examples of information assurance practices include data encryption, access control, and security testing.
*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_assurance).*
34
# Define: Information Assurance Product
A product designed to secure information systems by addressing threats and vulnerabilities, like encryption tools or security software.
## Footnote
Information assurance products are designed to enhance the security of an organization's information systems by addressing a range of threats and vulnerabilities. They encompass a wide variety of solutions, such as encryption tools, security information and event management (SIEM) software, and identity management platforms, all aimed at protecting the confidentiality, integrity, and availability of data.
35
# Define: Information Classification Policies
Guidelines for classifying data based on sensitivity, aiding in the application of appropriate protection measures.
## Footnote
Guidelines and procedures that outline how an organization's data and information should be classified based on its sensitivity and importance. These policies help to ensure that the appropriate level of protection is applied to the data and information. A classification policy typically defines the classification levels (for example public, internal, confidential, restricted), who is responsible for assigning a level to a given asset, the criteria for each level, and the handling requirements that follow from it. Access control, data retention, and data disposal rules are then keyed to those levels rather than being classification policies themselves.
*For more information, view this lecture on [Data Classification and Clearance](https://courses.thorteaches.com/courses/take/cissp/lessons/18588247-data-classification-and-clearance). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security_policy).*
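A classification policy is only useful if something applies it to data consistently, so here is an added example (not part of the original deck) in Python of the mechanical part: a content classifier that assigns the highest matching level and returns the handling requirements keyed to it. The four levels, the detection rules, and the handling table are assumed for the example and stand in for whatever the organization's own policy defines. The card-number rule checks the Luhn digit rather than matching any long digit run, because a classifier that marks every order number as restricted gets switched off within a week.

```python
import re
from typing import Callable, Dict, List, Tuple

# Assumed classification scheme, in ascending order of sensitivity.
LEVELS = ["public", "internal", "confidential", "restricted"]

# Assumed handling requirements keyed to level; a real policy defines its own.
HANDLING: Dict[str, Dict[str, object]] = {
    "public":       {"encrypt_at_rest": False, "retention_days": 365,  "allowed_destinations": ["internet"]},
    "internal":     {"encrypt_at_rest": False, "retention_days": 730,  "allowed_destinations": ["corp-network"]},
    "confidential": {"encrypt_at_rest": True,  "retention_days": 2555, "allowed_destinations": ["corp-network"]},
    "restricted":   {"encrypt_at_rest": True,  "retention_days": 2555, "allowed_destinations": ["vault"]},
}


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, used to tell card numbers from other digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_payment_card(text: str) -> bool:
    """13-19 digits, optionally separated by spaces or dashes, passing Luhn."""
    for m in re.finditer(r"\b(?:\d[ -]?){13,19}\b", text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


# (level, reason, predicate). Order does not matter; the highest level wins.
RULES: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("restricted", "payment card number (Luhn-valid)", has_payment_card),
    ("restricted", "US SSN pattern",
     lambda t: re.search(r"\b\d{3}-\d{2}-\d{4}\b", t) is not None),
    ("confidential", "credential material",
     lambda t: re.search(r"(?i)\b(password|api[_ -]?key|secret)\s*[:=]", t) is not None),
    ("internal", "internal-only marking",
     lambda t: re.search(r"(?i)\binternal (use )?only\b", t) is not None),
]


def classify(text: str) -> Tuple[str, List[str]]:
    """Return (highest matching level, reasons). Unmatched text is public."""
    level, reasons = "public", []
    for lvl, reason, predicate in RULES:
        if predicate(text):
            reasons.append(reason)
            if LEVELS.index(lvl) > LEVELS.index(level):
                level = lvl
    return level, reasons


def handling_for(text: str) -> Dict[str, object]:
    """Classification plus the handling requirements the policy ties to it."""
    level, reasons = classify(text)
    return {"level": level, "reasons": reasons, **HANDLING[level]}
```

The same structure works with a real policy: replace the levels and the handling table with the organization's own, and add or swap detection rules (a manual label in document metadata should normally override content heuristics, which only catch what they have patterns for).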
36
# Define: Information Security
Protecting information systems from threats to ensure the confidentiality, integrity, and availability of data.
## Footnote
The practice of protecting and securing an organization's information and systems. This includes activities such as risk management, security planning, and incident response. Information security is used to ensure the confidentiality, integrity, and availability of an organization's information and systems. Examples of information security practices include data encryption, access control, and security testing.
*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_security).*
37
# Define: Information Security Governance
Management and oversight of an organization's infosec program, including roles, policies, and compliance monitoring.
## Footnote
The overall management and oversight of an organization's information security program. This includes defining the roles and responsibilities of individuals and groups within the organization, establishing policies and procedures for information security, and monitoring compliance with those policies and procedures. Information security governance is used to ensure that the organization's information and systems are secure and that the organization's information security program is effective.
*For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_governance).*
38
# Define: Information Security Management System | (ISMS)
A structured approach for managing information security risks, involving policies, procedures, and controls.
## Footnote
A framework for managing and protecting an organization's information assets. An ISMS typically includes policies, procedures, and controls for ensuring the confidentiality, integrity, and availability of sensitive data, together with the risk assessment, management review, and internal audit cycle that keeps them current. ISO/IEC 27001 specifies the requirements for establishing, operating, and continually improving an ISMS and is the standard against which an ISMS is certified. Examples of ISMS components could include access controls, encryption, and user awareness training.
*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_security_standards#ISO/IEC_27000_Family_of_Standards).*
39
# Define: Information Security Policy
Guidelines outlining an organization's approach to infosec, providing a framework for protecting information assets.
## Footnote
A set of guidelines and rules that outline an organization's approach to information security. It is used in organizations to provide a clear and consistent framework for protecting information assets. Examples include a policy on acceptable use of company devices, a policy on data classification, and a policy on incident response.
*For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security_policy).*
40
# Define: Information Security Program
Safeguards for an organization's information assets, encompassing policies, procedures, and technical measures.
## Footnote
A program that outlines the policies, procedures, and technical measures used to protect an organization's information assets. It is used in organizations to ensure that information is secure and that all employees understand their roles and responsibilities in maintaining information security. Examples include an employee training program on information security, a policy on password management, and regular security audits.
*For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks).*
41
# Define: Information System | (IS)
Combination of hardware, software, and people for organizing and processing data within an organization.
## Footnote
A combination of hardware, software, and people that is used to collect, process, store, and share information. It is used in organizations to support business operations and decision-making. Examples include a database management system, a customer relationship management system, and a supply chain management system.
*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_system).*
42
# Define: Information Systems Security | (INFOSEC)
Safeguarding info systems from unauthorized access or alterations, protecting data confidentiality and integrity.
## Footnote
The practice of protecting information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. It is used in organizations to ensure the confidentiality, integrity, and availability of information assets. Examples include encryption, access control, and intrusion detection.
43
# Define: Information Systems Security Manager | (ISSM)
An individual managing the infosec program, ensuring the implementation of security policies and procedures.
## Footnote
A person who is responsible for managing the information security program of an organization. The role exists to ensure that information security policies and procedures are implemented and followed. Examples of its duties include overseeing security training for employees, conducting security assessments, and responding to security incidents.
44
# Define: Information Systems Security Officer | (ISSO)
An individual responsible for the security controls of a specific system, maintaining compliance and security measures.
## Footnote
A person who is responsible for implementing and maintaining information security controls for a specific information system. The role exists to ensure that the information system is secure and compliant with information security policies and regulations. Examples of its duties include implementing access controls, conducting security audits, and providing security guidance to system users.
45
# Define: Information Technology | (IT)
Use of computers and software to manage and process data, including cybersecurity to protect assets against threats.
## Footnote
Information Technology (IT) involves the use of computers, networking, and other physical devices to manage and process data. IT is integral to modern businesses, providing tools for data analysis, infrastructure management, and digital communications. Cybersecurity is a critical aspect of IT, protecting data from threats like hacking and breaches. With technology's rapid evolution, IT is constantly adapting and adopting innovative practices and systems such as cloud computing, artificial intelligence, and the Internet of Things (IoT). IT professionals work to maintain operational efficiency, ensure data integrity, and foster technological growth within organizations.
*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_technology).*
46
# Define: Inherent Risk
The exposure to potential adverse effects in an activity before any mitigating controls are applied, key in risk assessments. ## Footnote Inherent risk refers to the exposure to potential negative outcomes in any activity or process that is present before any mitigating controls or actions are applied. It's essential in risk management to assess the raw exposure to threats in order to effectively plan for risk reduction measures. Examples include the inherent risk of data breaches due to system vulnerabilities or the inherent risk of investment loss due to market volatility. *For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Inherent_risk_(accounting)).*
47
# Define: Initiation
The beginning phase in change management where the need for change is identified, documented, and detailed before implementation. ## Footnote Initiation in change management refers to the first stage of the change process, where a need for change is identified, defined, and documented. Factors such as new business requirements, system updates, or security vulnerabilities might trigger this phase. The initiation phase includes detailing the rationale for the change, its potential impact, and proposed ways to manage the change. It is a crucial step in highlighting potential risks and in setting the course for a systematic, controlled change process that ensures the system's continued security.
48
# Define: Insider Attacks
Insider attacks involve threats originating from within an organization, typically by employees, contractors, or partners who misuse their privileged access to compromise systems or data. ## Footnote Motivated by financial gain, revenge, or negligence, insiders may steal intellectual property, sabotage networks, or leak confidential information. This risk is heightened by familiarity with security measures and trusted privileges. Countermeasures include strict access controls, user behavior analytics, and segmenting critical assets. By promoting security awareness and carefully monitoring privileged actions, organizations lower the risk of damaging insider threats.
49
# Define: Insider Threat
An Insider Threat is a security risk originating from within an organization—such as employees, contractors, or partners—who misuse privileges or unintentionally expose sensitive information. ## Footnote These threats can be malicious, where insiders deliberately steal data or sabotage systems, or accidental, where poor security practices lead to breaches. Insider Threat programs integrate behavior monitoring, access controls, and training to reduce risks. Detection involves correlating unusual data access patterns, changes in user privileges, and device usage anomalies. Properly managing insider threats helps prevent reputational damage, compliance violations, and data loss from within the organization. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Insider_threat).*
50
# Define: Intangible Asset
An asset without physical substance but with value, such as intellectual property, reputation, or brand identity. ## Footnote An asset that has no physical form and cannot be touched or seen but has value to an organization. It is used in accounting and finance to classify and value assets that do not have a physical form. Examples include intellectual property, trademarks, and brand reputation. *For more information, view this lecture on [Risk Management - Identification](https://courses.thorteaches.com/courses/take/cissp/lessons/18588085-risk-management-identification). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Intangible_asset).*
51
# Define: Integrated Product Team | (IPT)
A collaborative, cross-functional group focused on delivering a specific product or service. ## Footnote A cross-functional team responsible for developing and delivering a product or service. IPTs are typically composed of individuals with different expertise and backgrounds, including engineering, design, marketing, and project management. An example of an IPT could be a team of software developers, user experience designers, and product managers working together to create a new mobile app. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Integrated_product_team).*
52
# Define: Integrity
The correctness and reliability of data or information, ensuring it remains unaltered and trustworthy. ## Footnote A quality that represents the truthfulness and accuracy of data or information. It is used in various fields, such as in the ethical principles of an organization, in the security measures to protect sensitive data, and in the validation of information sources. Examples of integrity include a company's code of ethics, a password protection system, and a peer-reviewed research article. *For more information, view this lecture on [The CIA Triad- Part 1- Confidentiality, Integrity, and Availability](https://courses.thorteaches.com/courses/take/cissp/lessons/18551695-the-cia-triad-part-1-confidentiality-integrity-and-availability). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_integrity).*
53
# Define: Internal Control Environment
The overall attitude and actions towards internal controls within an organization. ## Footnote The overall attitude, awareness, and actions of an organization's management and employees towards the effectiveness and efficiency of internal controls. It is used in financial reporting, compliance, and risk management. Examples of internal control environments include a strong tone at the top, an emphasis on ethics and accountability, and regular training and assessments. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Control_environment).*
54
# Define: Internal Control Over Financial Reporting
Processes ensuring the accuracy and integrity of financial information. ## Footnote A set of policies and procedures that ensure the accuracy, reliability, and integrity of an organization's financial information and reports. It is used in financial accounting, auditing, and regulatory compliance. Examples of internal control over financial reporting include management oversight, segregation of duties, and independent verification and validation. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Internal_control).*
55
# Define: Internal Control Structure
The framework for policies, procedures, and activities to manage risks and compliance. ## Footnote The internal control structure of an organization refers to the comprehensive framework of policies, procedures, and activities crafted to manage risk, achieve effective and efficient operations, and comply with applicable laws and regulations. This structure includes control activities, risk assessment, information and communication systems, and monitoring activities, each contributing to the overall governance and integrity of the organization's processes. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Internal_control).*
56
# Define: Internal Controls
Policies and processes ensuring the fulfillment of an organization's objectives and reliability of reports. ## Footnote The policies, procedures, and processes that an organization implements to achieve its objectives, manage its risks, and ensure the reliability and integrity of its information and reports. It is used in financial reporting, compliance, and risk management. Examples of internal controls include management oversight, segregation of duties, and independent verification and validation. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Internal_control).*
57
# Define: International Safe Harbor Privacy Principles
Regulations invalidated in 2015, replaced by Privacy Shield and then SCCs. ## Footnote The International Safe Harbor Privacy Principles were invalidated in October 2015 by the European Court of Justice. They were replaced by the EU-U.S. Privacy Shield framework in July 2016, which itself was invalidated in July 2020. Organizations previously relying on Safe Harbor now typically use mechanisms like Standard Contractual Clauses or Binding Corporate Rules for the legal transfer of personal data from the European Union to the United States. *For more information, view this lecture on [GDPR (General Data Protection Regulation)](https://courses.thorteaches.com/courses/take/cissp/lessons/18552351-gdpr-general-data-protection-regulation). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles).*
58
# Define: International Standard on Assurance Engagements | (ISAE)
Standards for independent auditors' assurance services quality. ## Footnote A set of auditing standards for assurance services provided by independent auditors. It is used in the financial industry to ensure the reliability and credibility of assurance engagements such as audits and reviews. Examples include ISAE 3402 for assurance engagements on controls at a service organization and ISAE 3000 for assurance engagements on financial statements. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISAE_3402).*
59
# Define: International Standards Organization | (ISO)
An organization that develops worldwide proprietary, industrial, and commercial standards. ## Footnote The International Organization for Standardization (ISO) is an independent, non-governmental international organization that develops and publishes a wide range of proprietary, industrial, and commercial standards. ISO standards help to ensure the quality, safety, efficiency, and interoperability of products and services across different industries, and they provide best practice recommendations, including those related to information security management systems (ISMS). *For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/International_Organization_for_Standardization).*
60
# Define: International Traffic in Arms Regulations | (ITAR)
US regulations controlling the transfer of defense-related articles and services. ## Footnote A set of US government regulations that control the export, import, and transfer of defense-related articles and services. This includes data and technical information related to defense and military technologies. Organizations that deal with such materials are required to be ITAR compliant, meaning they must have protocols in place to prevent unauthorized transfer of this sensitive information, whether it's shared electronically, verbally, or physically. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/International_Traffic_in_Arms_Regulations).*
61
# Define: Internet Banking
The online platform enabling customers to conduct financial transactions and manage accounts electronically. ## Footnote Internet banking, also known as online banking, enables customers to perform financial transactions electronically via their bank's secure website. This service provides a convenient way to manage accounts without physically visiting a bank branch. Functions available through Internet banking include fund transfers, bill payments, account management, and loan applications. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Online_banking).*
62
# Define: Interoperability Agreements
Agreements ensuring different systems or components can work together across organizational boundaries. ## Footnote Arrangements, often formalized as contracts or technical standards, which ensure different systems or components can work together effectively. These agreements may pertain to data formats, communication protocols, or user authentication mechanisms, among other things. Ensuring interoperability is a key factor in achieving system integration and can reduce potential security risks associated with inconsistent or incompatible system interactions.
63
# Define: Interrogation
The practice of questioning individuals to extract information, used in law enforcement and intelligence gathering. ## Footnote The act of questioning or interrogating someone to obtain information. It is used in law enforcement, intelligence gathering, and other contexts to obtain information from individuals or groups. Examples include police interrogations of suspects and intelligence agencies interrogating captured enemies.
64
# Define: Irregularity
An anomaly in system behavior or network traffic that deviates from expected patterns, signaling potential threats. ## Footnote In cybersecurity, an irregularity refers to any anomaly in system behavior or network traffic that deviates from the established baseline or expected patterns. Identifying irregularities is crucial for early detection of security incidents, as they may indicate a breach, system compromise, or impending attack.
65
# Define: ISAE | (International Standard on Assurance Engagements)
Standards for quality assurance engagements, like audits and reviews. ## Footnote Professional standards for assurance engagements in which independent assurance is provided on the subject matter. It is used in various industries, such as financial services and healthcare, to provide assurance on the effectiveness of internal controls and management processes. For example, a financial institution may use ISAE to provide assurance to its customers on the security of their financial information. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISAE_3402).*
66
# Define: ISO | (International Organization for Standardization)
ISO is a global, independent, non-governmental body that develops voluntary international standards to ensure consistency, quality, and safety across numerous sectors. ## Footnote Through technical committees made up of experts, ISO publishes standards like ISO 27001 for information security management systems. Adopting these frameworks helps companies structure processes, demonstrate compliance, and foster trust. Since standards evolve with industry consensus, they facilitate interoperability and minimize misunderstandings. ISO’s collaborative nature encourages innovation and global trade while enhancing customer confidence in products and services. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/International_Organization_for_Standardization).*
67
# Define: ISO/IEC 15288
An international standard for systems and software engineering, providing a process framework for life cycle activities. ## Footnote This is an international standard for systems and software engineering, providing a process framework that facilitates the application of system life cycle processes. It covers a range of activities including acquisition, supply, development, operation, and maintenance of systems. By applying the guidelines in ISO/IEC/IEEE 15288, organizations can improve the quality of their systems and software while reducing errors, redundancies, and costs. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO/IEC_15288).*
68
# Define: ISO/IEC 17788
A standard offering an overview of cloud computing concepts, aiding organizations in understanding cloud services and their security considerations. ## Footnote A standard that provides a comprehensive overview of cloud computing, including a set of common terms and definitions. This standard can aid organizations in understanding the concepts, characteristics, and benefits of cloud computing, as well as the potential security considerations. By adopting ISO/IEC 17788, organizations can ensure a shared understanding of cloud computing, support effective decision-making, and manage potential risks associated with cloud services.
69
# Define: ISO/IEC 17799
Renumbered as ISO/IEC 27002, it provides guidelines for organizational infosec standards and management practices. ## Footnote ISO/IEC 17799 was renumbered as ISO/IEC 27002. It provides guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of controls. By following the practices outlined in ISO/IEC 27002, organizations can help to protect the confidentiality, integrity, and availability of their information. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO/IEC_17799).*
70
# Define: ISO/IEC 18045
A standard specifying the evaluation methodology for assessing IT products' security based on the Common Criteria. ## Footnote An international standard that specifies the methodology for conducting security evaluations of information technology (IT) products, including the evaluation of security functional requirements as defined by the ISO/IEC 15408 series of standards, commonly known as the Common Criteria for Information Technology Security Evaluation. ISO/IEC 18045 provides guidance on the actions to be performed by evaluators during an assessment, aiming to ensure consistency, repeatability, and objectivity throughout the evaluation process. It is widely used by certification bodies and laboratories that perform security evaluations of IT products to ensure they meet the defined security assurance levels.
71
# Define: ISO/IEC 19770
Standards for IT asset management, aiding in secure and effective asset management practices. ## Footnote A series of standards for IT asset management (ITAM) developed by the International Organization for Standardization (ISO). IT asset management is crucial for maintaining an effective security posture, as understanding what assets an organization has, where they are, and how they're configured is essential for assessing vulnerabilities, planning security measures, and responding to incidents. ISO 19770 provides a framework for implementing systematic ITAM processes and promoting effective and secure asset management practices. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO/IEC_19770).*
72
# Define: ISO/IEC 20000
A standard for service management, outlining specifications for planning, establishing, and improving a Service Management System. ## Footnote An international standard for service management, originally known as BS 15000. It details specifications for the service provider to plan, establish, implement, operate, monitor, review, maintain, and improve a Service Management System (SMS). The utilization of this standard ensures the delivery of a consistent and reliable service, supporting the management of data security and business continuity. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO/IEC_20000).*
73
# Define: ISO/IEC 27000
Standards for managing information security, providing a framework for establishing and improving an ISMS. ## Footnote A family of standards developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) for managing information security. These standards provide a framework for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an information security management system. This series promotes a risk management approach, allowing organizations to identify, analyze, and address their information security risks effectively. *For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO/IEC_27000-series).*
74
# Define: ISO/IEC 27001
The specification for an ISMS, outlining a systematic approach to managing sensitive company information. ## Footnote A part of the ISO 27000 family, ISO 27001 provides the specification for an information security management system (ISMS). It outlines a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes, and IT systems by applying a risk management process and giving due importance to information security risk treatment. Achieving ISO 27001 certification can help organizations demonstrate to clients, stakeholders, and regulatory authorities that they have implemented best-practice information security processes. *For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO/IEC_27001).*
75
# Define: ISO/IEC 27002
A code of practice for information security controls, guiding the implementation of controls per ISO 27001. ## Footnote A part of the ISO 27000 family, ISO 27002 is a code of practice for information security controls. It provides best practice guidance on applying the controls listed under Annex A of ISO 27001. These controls, when implemented, provide ways of managing information security risks and ensuring confidentiality, integrity, and availability of data. Organizations often use ISO 27002 to guide the selection and implementation of controls based on their specific risk environment. *For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO/IEC_27002).*
76
# Define: ISO/IEC 27004
Guidelines for measuring the effectiveness of an ISMS, aiding in evaluating and improving security. ## Footnote A part of the ISO 27000 family of standards, ISO 27004 provides guidelines and recommendations for the development and use of measures and measurements to assess the effectiveness of an implemented information security management system (ISMS) and the controls or groups of controls, as specified in ISO 27001. This standard is designed to help organizations measure, report, and, consequently, improve the effectiveness of their information security management systems.
77
# Define: ISO/IEC 27006
A standard with guidelines for bodies that audit and certify ISMSs, ensuring their competency and consistency. ## Footnote A standard that provides guidelines and requirements for bodies providing audit and certification of an information security management system (ISMS) in accordance with ISO/IEC 27001. It's aimed at ensuring the competency, consistency, and impartiality of the organizations conducting ISMS certifications. Adopting ISO/IEC 27006 helps certification bodies provide robust and credible ISMS certifications, enhancing trust in the organization's information security capabilities. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO/IEC_27006).*
78
# Define: ISO/IEC 27017
An international standard providing guidelines for implementing information security controls for cloud services. ## Footnote An international standard that provides guidelines for implementing information security controls for cloud services. The standard extends the ISO/IEC 27002 controls to address cloud-specific risks and challenges, enabling organizations to maintain data security when using cloud services. By adopting ISO/IEC 27017, organizations can ensure that they have effective security controls in place to protect data in the cloud. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO/IEC_27017).*
79
# Define: ISO/IEC 27034
A framework for integrating security into software development and applications, ensuring secure applications. ## Footnote ISO/IEC 27034 provides a framework for integrating security into the life cycle of software development and applications. It focuses on ensuring that security is an inherent part of the design and development process, ultimately leading to more secure applications. Following ISO/IEC 27034 can help organizations address software security from inception through deployment, effectively reducing the risks associated with application vulnerabilities. *For more information, visit this [ISO27001security.com page](https://www.iso27001security.com/html/27034.html).*
80
# Define: ISO/IEC 27035:2023
An updated version of the ISO/IEC 27035 standard, detailing guidance on managing information security incidents. ## Footnote The 2023 version of the ISO/IEC 27035 standard, which is part of the ISO/IEC 27000 series focused on information security management systems (ISMS). This specific standard provides detailed guidance on information security incident management, including principles, processes, and best practices for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents in an organization. The updated version reflects the latest developments and practices in incident management to help organizations improve their incident response strategies and maintain effective information security management. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO/IEC_27000-series).*
81
# Define: ISO/IEC 27037
Guidelines for handling digital evidence, ensuring its accurate and secure management for legal proceedings. ## Footnote A part of the ISO 27000 series, it provides guidelines for specific activities in handling digital evidence, which includes the identification, collection, acquisition, and preservation of digital evidence. This standard plays a crucial role in incident responses, investigations, and legal proceedings. Compliance with ISO 27037 ensures that digital evidence is handled and preserved in a manner that upholds its accuracy, reliability, and integrity. *For more information, visit this [ISO27001security.com page](https://www.iso27001security.com/html/27037.html).*
82
# Define: ISO/IEC 27037:2012
A standard offering guidance on identifying and preserving digital evidence for legal proceedings. ## Footnote Provides guidelines for the identification, collection, acquisition, and preservation of digital evidence. It helps organizations to ensure the authenticity, integrity, and reliability of digital evidence, which is crucial in investigations and legal proceedings. By following ISO/IEC 27037:2012, organizations can enhance their capabilities to handle digital evidence in a secure and effective manner. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO/IEC_27000_family).*
83
# Define: ISO/IEC 27041
Guidelines for assurance in incident investigations, establishing confidence in investigative processes. ## Footnote Part of the ISO 27000 family, ISO 27041 offers guidance on the assurance aspects and methodologies associated with the investigation process. This includes criteria and methods to be considered when conducting an investigation, establishing confidence in the investigative process, and assessing the effectiveness of an investigation. By adhering to ISO 27041, organizations can ensure their investigative processes are consistent, reliable, and effective. *For more information, visit this [ISO27001security.com page](https://www.iso27001security.com/html/27041.html).*
84
# Define: ISO/IEC 27042
Guidelines for the interpretation and analysis of digital evidence, supporting effective investigations. ## Footnote A part of the ISO 27000 series, ISO 27042 provides guidelines for the analysis and interpretation of digital evidence. This includes procedures for analysis, interpretation, attribution, and validation of digital evidence. Compliance with ISO 27042 ensures that organizations can accurately analyze and interpret digital evidence, supporting effective incident response, investigations, and legal proceedings. *For more information, visit this [ISO27001security.com page](https://www.iso27001security.com/html/27042.html).*
85
# Define: ISO/IEC 27043
Guidelines for incident investigation principles and processes, ensuring thorough and systematic investigations. ## Footnote A member of the ISO 27000 series, ISO 27043 provides guidelines for incident investigation principles and processes. This includes the characteristics of various types of incidents, key considerations in the investigation process, and the roles and responsibilities involved. By adhering to ISO 27043, organizations can ensure their incident investigations are thorough, systematic, and effective in identifying the cause and impact of incidents and preventing future occurrences. *For more information, visit this [ISO27001security.com page](https://www.iso27001security.com/html/27043.html).*
86
# Define: ISO/IEC 27050
Guidelines for eDiscovery in handling electronic information for legal processes, preserving evidential value. ## Footnote Part of the ISO 27000 family, ISO 27050 provides guidelines for electronic discovery (eDiscovery), including the identification, collection, and preservation of electronic information for legal proceedings. By adhering to ISO 27050, organizations can ensure they manage eDiscovery processes in a way that maintains the integrity, authenticity, and confidentiality of electronic information, thereby upholding its evidential value. *For more information, visit this [ISO27001security.com page](https://www.iso27001security.com/html/27050.html).*
87
# Define: ISO/IEC 28000
A standard for security management systems in the supply chain, ensuring protection from threats like theft or loss. ## Footnote A standard for security management systems for the supply chain developed by the International Organization for Standardization (ISO). While not part of the ISO 27000 series, this standard is relevant to information security because it covers aspects like the transportation and storage of goods, which can include data storage devices. Compliance with ISO 28000 helps to protect the supply chain from threats like theft, damage, or loss, which can compromise the security and integrity of data. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO_28000).*
88
# Define: ISO/IEC 30134
A series of standards providing KPIs for measuring data centers' energy efficiency and other aspects. ## Footnote A set of standards that provides quantitative measurements and key performance indicators (KPIs) for evaluating the energy efficiency and other aspects of data centers. The series includes different parts that address power usage, renewable energy utilization, water usage, and more. Organizations that adopt the ISO/IEC 30134 series can effectively monitor and enhance their energy efficiency and environmental sustainability, reducing their ecological impact while also optimizing operational costs.
89
# Define: ISO/IEC 31000
A standard that outlines principles and guidelines for effective risk management, applicable to various sectors and activities. ## Footnote A standard that provides guidelines for risk management. It outlines a clear and comprehensive process for identifying, assessing, and managing risks, which can apply to a wide variety of activities and sectors, including those related to data and information handling. By following this standard, organizations can manage risks more effectively, which can include risks to data security, integrity, and availability. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO_31000).*
90
# Define: ISO/IEC 31004
A technical report that aids organizations in applying the principles and guidelines of ISO 31000 for risk management. ## Footnote While ISO 31004 provides guidance on the implementation of risk management, it is important to note that ISO 31004 is not an officially published standard by ISO. Rather, it is a technical report designed to help organizations apply the principles and guidelines of ISO 31000, the risk management standard. The technical report aims to clarify the intent of ISO 31000 and to assist with the effective application of risk management within the organization. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO_31000).*
91
# Define: ISO/IEC 55000
A suite of standards focusing on asset management, including both tangible and intangible assets, to maximize value and manage risks. ## Footnote A suite of standards for asset management, which encompasses tangible assets like buildings and intangible assets like intellectual property and digital information. This standard sets out the principles of a good asset management system, which includes maintaining an inventory of assets, understanding the risks associated with each asset, and planning appropriate maintenance and risk management activities. By complying with ISO 55000, organizations can manage their assets more effectively, including their data assets, to ensure their value is maximized and risks are managed effectively. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO_55000).*
92
# Define: ISO/IEC 62443
A standard offering a security framework to address vulnerabilities in Industrial Automation and Control Systems. ## Footnote This standard provides a flexible framework to address and mitigate current and future security vulnerabilities in Industrial Automation and Control Systems (IACS). It presents a comprehensive set of guidelines for designing, deploying, and managing the cybersecurity of IACS. By conforming to ISO/IEC 62443, organizations can ensure a robust defense mechanism against cyber threats, thereby securing their industrial control systems and critical infrastructure. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/IEC_62443).*
93
# Define: ISO/IEC 7498
The first part of the OSI model, providing a conceptual framework for network communication. ## Footnote This standard is the first part of the ISO/IEC 7498 series, also known as the Open Systems Interconnection (OSI) model. It provides a conceptual framework for understanding and describing network communications, specifying seven distinct layers from physical data transmission to application-level interaction. Utilizing ISO/IEC 7498 assists organizations in developing and deploying interoperable network services and protocols. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/OSI_model).*
94
# Define: ISO/IEC 7812
A standard specifying a system for card issuer identification, ensuring the validity of card numbers globally. ## Footnote This standard specifies a system for the identification of issuers of cards that requires the processing of data on cards with embossed or encoded identification numbers. The primary purpose is to provide a unique international identification number for each issuer. Its compliance assures the validity and uniqueness of card numbers, facilitating reliable transactions across multiple platforms globally. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO/IEC_7812).*
95
# Define: ISO/IEC 9001
A standard that defines criteria for a quality management system, emphasizing customer focus and continuous improvement. ## Footnote A standard that sets out the criteria for a quality management system. This standard is based on a number of quality management principles, including a strong customer focus, the involvement of top management, a process approach, and a commitment to continuous improvement. Even though it is not directly related to cybersecurity, its principles can be applied to ensure high-quality processes and procedures are in place, which can indirectly contribute to maintaining data security and integrity. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO_9001).*
96
# Define: ISO/IEC Guide 73
A guide providing risk management vocabulary, encouraging a consistent approach to describing risk management activities. ## Footnote ISO/IEC Guide 73, "Risk management — Vocabulary," provides terms and definitions related to risk management to encourage a mutual and consistent understanding of and a coherent approach to the description of activities relating to the management of risk. It is intended to be used by those engaged in managing risks and those who are involved in the activities of ISO and IEC. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO_31000).*
97
# Define: IT Goal
A target related to an organization's information technology efforts, helping guide initiatives and measure success. ## Footnote An IT goal is a clearly defined target related to an organization's information technology efforts. It is established to guide the IT department's initiatives and measure their success. Goals are designed to be SMART - Specific, Measurable, Achievable, Relevant, and Time-bound. They ensure that IT activities align with broader organizational objectives and facilitate continuous improvement.
98
# Define: IT Governance
Directing how technology systems and resources are managed within an organization. ## Footnote The structure of rules and procedures that guide how an organization's technological systems and resources are managed and utilized. By outlining clear responsibilities, decision-making authorities, and strategic alignment, governance ensures that these systems support business objectives while maintaining security and compliance with relevant laws and regulations. *For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_technology_governance).*
99
# Define: IT Investment Dashboard
A visual tool displaying key IT investment metrics, helping executives monitor financial performance and strategic alignment. ## Footnote An IT investment dashboard is a visual tool that provides executives and stakeholders with quick access to key metrics regarding IT investments. It allows for real-time monitoring of financial performance, project status, and alignment with strategic objectives. Dashboards facilitate informed decisions by displaying trends, identifying issues, and highlighting opportunities within the IT portfolio.
100
# Define: IT Risk
Potential losses or harms related to IT systems, requiring comprehensive management to address. ## Footnote The potential for loss or harm related to technical infrastructure or the use of technology within an organization. IT risk encompasses a variety of threats, such as cybersecurity breaches, data loss, and system failures, and requires comprehensive management strategies. *For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_technology_risk).*
101
# Define: IT Risk Issue
A recognized IT risk requiring immediate attention due to its potential danger to the organization. ## Footnote An IT risk issue is a previously identified risk that requires immediate attention because it presents a clear and present danger to an organization's IT environment. It is critical for risk management plans to address and remediate these issues promptly to prevent or mitigate adverse impacts on operations and security. *For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1).*
102
# Define: IT Risk Profile
An overview of an organization's IT risks, aiding in identifying concerns and creating risk management strategies. ## Footnote A comprehensive overview of an organization's IT risks. It is used to identify areas of concern and develop strategies to mitigate those risks. Examples include a cybersecurity risk profile, a data privacy risk profile, and a business continuity risk profile. *For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk-based_authentication).*
103
# Define: IT Risk Register
A document tracking identified IT risks, their assessment, and the status of mitigation efforts. ## Footnote A document that records and tracks IT risks in an organization. It is used to identify, assess, and prioritize risks and monitor their status and progress over time. Examples include a risk register template, risk register software, and a risk register example. *For more information, view this lecture on [Risk Management- Assessment Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588106-risk-management-assessment-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_register).*
104
# Define: IT Risk Scenario
A hypothetical illustration of the potential impact of an IT risk, testing response strategies. ## Footnote A hypothetical situation that illustrates the potential impact of an IT risk on an organization. It is used to test the effectiveness of risk management strategies and to develop contingency plans. Examples include a cyber-attack scenario, a natural disaster scenario, and a data breach scenario. *For more information, view this lecture on [Risk Management- Assessment Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588106-risk-management-assessment-part-2).*
105
# Define: IT Steering Committee
A group providing strategic oversight and direction for an organization's IT initiatives. ## Footnote A group of senior executives within an organization responsible for providing strategic direction and oversight for the organization's technology initiatives. The committee often includes representatives from various departments and functions and plays a key role in IT governance, helping to align technology strategies with business objectives, prioritize projects, and manage risks. *For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or view this lecture on [Information Security Governance: Values, Vision, Mission, and Plans](https://courses.thorteaches.com/courses/take/cissp/lessons/18584579-information-security-governance-values-vision-mission-and-plans).*
106
# Define: IT Strategic Plan
A blueprint outlining an organization's IT-related objectives and strategies to achieve them. ## Footnote A document that outlines an organization's technology-related objectives and the strategies for achieving them. The plan typically covers a multi-year period and includes considerations such as infrastructure upgrades, system improvements, resource allocation, and data protection measures. The plan guides decisions and helps ensure alignment between technology initiatives and broader organizational goals. *For more information, view this lecture on [Information Security Governance: Values, Vision, Mission, and Plans](https://courses.thorteaches.com/courses/take/cissp/lessons/18584579-information-security-governance-values-vision-mission-and-plans). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Strategic_planning).*
107
# Define: IT Strategy Committee
Executives and leaders determining the direction of tech initiatives, aligning with organizational strategy. ## Footnote A group of individuals, usually high-ranking executives and department heads within an organization, which determines the strategic direction of technology initiatives. The committee's role is to align these initiatives with the organization's overall strategy, ensuring technology decisions support business objectives and growth while considering risks and resource requirements. *For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or view this lecture on [Information Security Governance: Values, Vision, Mission, and Plans](https://courses.thorteaches.com/courses/take/cissp/lessons/18584579-information-security-governance-values-vision-mission-and-plans).*
108
# Define: IT Tactical Plan
A short-term plan detailing specific IT initiatives to implement the broader strategic plan. ## Footnote A shorter-term, action-oriented document that outlines specific tasks and initiatives required to implement the broader IT strategic plan. The tactical plan typically covers a period of one year or less and includes details such as project timelines, resource allocation, and specific responsibilities. It's designed to provide a roadmap for operational activities and guide day-to-day decision-making. *For more information, view this lecture on [Information Security Governance: Values, Vision, Mission, and Plans](https://courses.thorteaches.com/courses/take/cissp/lessons/18584579-information-security-governance-values-vision-mission-and-plans).*
109
# Define: ITIL | (IT Infrastructure Library)
Best practices and guidelines for delivering and managing IT services aligned with business objectives. ## Footnote A set of best practices and guidelines for managing and delivering IT services. It is used to improve the quality, efficiency, and effectiveness of IT services and to align them with the organization's business objectives. Examples include ITIL certification, ITIL training, and ITIL framework. *For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/ITIL).*
110
# Define: Journal Entry
A record of a financial transaction in accounting, documenting business activities for tracking and reporting. ## Footnote A written record of a financial transaction or other business event. It includes the date, description, and amount of the transaction and is used to track and document business activities. It is used in accounting and auditing. Examples include recording a sale or recording a payment. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Journal_entry).*
111
# Define: Key Goal Indicator | (KGI)
A measurable value demonstrating progress towards a specific organizational goal or objective. ## Footnote A metric used to measure the progress towards a specific goal or objective. It is commonly used in performance management systems to track and evaluate the success of an organization's strategies and initiatives. Examples include a KGI used to measure customer satisfaction, a KGI used to measure employee engagement, and a KGI used to measure profitability. *For more information, view this lecture on [KGIs, KPIs, and KRIs](https://courses.thorteaches.com/courses/take/cissp/lessons/18588114-kgis-kpis-and-kris).*
112
# Define: Key Performance Indicators | (KPIs)
Quantifiable measures evaluating the effectiveness of specific activities or processes. ## Footnote Quantifiable measures that are used to evaluate the success or effectiveness of a particular activity or process. These are often used to track progress toward strategic objectives over time. For instance, in a security context, KPIs could include the time taken to detect a threat, the rate of false positive alerts, or the percentage of employees who pass a phishing test. *For more information, view this lecture on [KGIs, KPIs, and KRIs](https://courses.thorteaches.com/courses/take/cissp/lessons/18588114-kgis-kpis-and-kris). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Key_performance_indicator).*
113
# Define: Key Risk Indicators | (KRIs)
Metrics measuring an organization's risk level to prioritize and monitor potential threats. ## Footnote Metrics used to measure and evaluate the risk level of an organization or system based on predetermined criteria and thresholds. They are used to identify, prioritize, and monitor potential risks to the organization's security and integrity. Examples of security-related KRIs include the number of vulnerabilities, the frequency of security incidents, and the level of access controls. *For more information, view this lecture on [KGIs, KPIs, and KRIs](https://courses.thorteaches.com/courses/take/cissp/lessons/18588114-kgis-kpis-and-kris). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Key_risk_indicator).*
114
# Define: Layered Security
A defense strategy using multiple security layers to protect against attacks and unauthorized access. ## Footnote A security strategy that uses multiple layers of defense to protect against attacks and prevent unauthorized access. It is used to reduce the risk of a single point of failure and increase the overall security of a system. Examples of layered security include firewalls, intrusion detection systems, and access control policies. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)).*
115
# Define: Least Privilege
A security concept granting users the minimum access necessary to perform their duties, reducing potential damage from misuse. ## Footnote A computer security concept in which a user or program is given the minimum levels of access necessary to complete its tasks. This means granting only the rights or permissions necessary to perform an assigned job function, and no more. This approach helps limit the potential damage that can result from errors, system faults, or unauthorized use of privileges, making it a fundamental strategy for maintaining system security. *For more information, view this lecture on [The CIA Triad- Part 1- Confidentiality, Integrity, and Availability](https://courses.thorteaches.com/courses/take/cissp/lessons/18551695-the-cia-triad-part-1-confidentiality-integrity-and-availability). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Principle_of_least_privilege).*
116
# Define: Legal Liability for Data
The burden of an organization to properly handle the data it processes, subject to legal accountability for misuse or breaches. ## Footnote The responsibility of an organization for the data it collects, stores, and uses. It is used to ensure that organizations are held accountable for their handling of personal and sensitive data. For example, a company may be held legally liable for a data breach if it fails to adequately protect the personal information of its customers. *For more information, view this lecture on [Laws and Regulations](https://courses.thorteaches.com/courses/take/cissp/lessons/18552277-laws-and-regulations).*
117
# Define: Level of Abstraction
The distance from the specifics of a system to the concepts used to describe it, ranging from very general to highly detailed. ## Footnote The distance between the details of a system and the concepts used to represent it. Higher levels of abstraction use more general concepts and provide less detail, while lower levels provide more specific details. Examples of high-level abstraction might include using a database abstraction layer to hide the details of database queries or using a high-level programming language to represent complex algorithms. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Abstraction).*
118
# Define: Level of Assurance
A measurement of confidence that a system or process provides the intended level of security, often used in audits. ## Footnote A measure of the confidence that a system or process provides the desired level of security. It is used in security assessments and audits to determine the adequacy of security controls. Examples include low, medium, and high levels of assurance.
119
# Define: Level of Concern
An evaluation of the potential impact of security threats, informing the urgency and priority of response efforts. ## Footnote A measure of the potential impact of a security threat or vulnerability. It is used in risk assessments to determine the priority of addressing the threat or vulnerability. Examples include low, medium, and high levels of concern.
120
# Define: Level of Protection
An assessment of how effectively security controls safeguard a system from threats, including integrity and confidentiality measures. ## Footnote A measure of the effectiveness of security controls in protecting a system or process from security threats and vulnerabilities. It is used in security assessments and audits to determine the adequacy of security controls. Examples include confidentiality, integrity, and availability.
121
# Define: Life Cycle
The series of changes a system undergoes from inception to retirement, crucial in integrating security throughout system development. ## Footnote The stages a system or process goes through from its inception to disposal. It is used in system development and management to ensure that security is considered and implemented throughout the entire life cycle. Examples include planning, design, development, implementation, operation, and disposal. *For more information, view this lecture on [The Information Life Cycle](https://courses.thorteaches.com/courses/take/cissp/lessons/18588237-the-information-life-cycle). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/System_lifecycle).*
122
# Define: Likelihood
The estimated probability that a given threat will exploit a vulnerability, impacting risk assessment and prioritization. ## Footnote In the context of risk management, likelihood refers to the probability that a given threat will exploit a vulnerability to cause harm to an organization. It is a key component in assessing risk levels and prioritizing security efforts. *For more information, view this lecture on [Risk Management- Assessment Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588106-risk-management-assessment-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Probability).*
123
# Define: Management
Activities involved in directing an organization to achieve security objectives and manage resources. ## Footnote The set of activities involved in planning, organizing, and controlling resources to achieve security objectives. This includes defining security policies, overseeing their implementation, setting security goals, allocating resources, and managing personnel responsible for security. Good management practices are essential for maintaining a robust and effective security posture. *For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Management).*
124
# Define: Management Controls
Security processes and practices focusing on risk management and information system security. ## Footnote The security controls, procedures, and practices that focus on the management of risk and the management of information system security. They involve risk assessment, security planning, system and services acquisition, and security program management. Management controls are designed to ensure that information systems are adequately protected and that risk management strategies are in place and functioning properly. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types).*
125
# Define: Managerial Controls
Managerial controls are policies, procedures, and documentation put in place by leadership to guide security strategy, risk management, and compliance oversight within an organization. ## Footnote They encompass frameworks like ISO 27001 or NIST, shaping how resources are allocated, incidents are handled, and personnel responsibilities are defined. Managerial controls also involve audits, training programs, and third-party assessments. By establishing accountability, setting objectives, and continuously refining governance, these controls form the strategic backbone of an effective security program, bridging technical measures with organizational directives. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_control).*
126
# Define: Mandatory Reporting
A requirement to report specific incidents to authorities to protect sensitive information and ensure prompt response. ## Footnote A requirement, often established by law, regulation, or industry guidelines, which obligates individuals or organizations to report certain types of incidents or data breaches to relevant authorities within a specified timeframe. In cybersecurity, mandatory reporting typically involves notifying government bodies, regulatory agencies, affected individuals, or other stakeholders about security incidents that could potentially lead to the exposure of sensitive, confidential, or personally identifiable information. The goal of mandatory reporting is to ensure timely and transparent communication about breaches, enabling prompt response and mitigation efforts to protect affected parties and prevent future occurrences. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Mandatory_reporting).*
127
# Define: Materiality
The significance of a risk or discrepancy affecting decision-making, guiding risk prioritization. ## Footnote A concept used in risk assessment and audit planning to define the significance of a risk or a discrepancy. If the effect of a risk or discrepancy is large enough to impact decisions made based on the outcome, it is considered material. This principle guides the identification of relevant issues and ensures that time and resources are allocated to manage the most impactful risks. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Materiality_(auditing)).*
128
# Define: Maturity
The development and refinement level of security processes within an organization. ## Footnote The development and refinement level of processes, procedures, or technologies within an organization. In this context, maturity typically describes the extent to which an organization has formalized its procedures and practices and the extent to which these procedures are followed. High maturity levels often correlate with more efficient operations and better overall security posture.
129
# Define: Metric
A measure used to assess status and performance, critical in security for evaluating measures and monitoring incidents. ## Footnote A quantifiable measure used to track and assess the status of a specific process. In the context of secure operations, metrics can be used to determine the effectiveness of various security measures, track incident response times, measure compliance with security policies or evaluate the success of awareness programs, among others. They provide key insights for decision-makers and help inform strategic planning. *For more information, view this lecture on [KGIs, KPIs, and KRIs](https://courses.thorteaches.com/courses/take/cissp/lessons/18588114-kgis-kpis-and-kris).*
130
# Define: Micro Training
Short, focused training sessions designed to convey important information or skills quickly, used in security training. ## Footnote Micro training refers to short, focused educational or training sessions designed to quickly convey important information or skills. In cybersecurity, micro training can be used to efficiently address specific threats, educate employees on security best practices, or update teams on new policies, all with the goal of promoting security awareness in a time-effective manner. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Microlearning).*
131
# Define: Milestone
A significant point in a project timeline marking an achievement or progress, helping manage and track project development. ## Footnote A significant event or a point in time that marks a notable achievement or progress. For instance, in a security system implementation, a milestone might be the successful installation and testing of a new firewall. These markers aid in the overall management and tracking of project progress, ensuring that each component contributes effectively to the overall security posture of an organization. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Milestone_(project_management)).*
132
# Define: Mitigation
The process of reducing the severity or impact of negative events, crucial in risk management and incident response. ## Footnote The process of reducing the impact or severity of potential or actual negative events. In the context of risks, threats, or attacks, mitigation strategies could involve a variety of measures, from implementing additional safeguards to improving response strategies, with the goal of minimizing the potential damage and disruption that could result from such events. *For more information, view this lecture on [Incident Management - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/34120646-incident-management-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security#Vulnerability_management).*
133
# Define: Model
A representation of a system or concept aiding in understanding complex processes or systems. ## Footnote A representation of a system or concept that is used to simplify and understand complex ideas or processes. It is used in various fields, including computer science and engineering, to aid in the understanding and design of systems. Examples include a mathematical model, a conceptual model, and a physical model. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Model).*
134
# Define: Monitoring
The practice of continuously gathering data to detect potential threats and maintain system security. ## Footnote The process of continuously collecting and analyzing data to identify potential security threats. It is used in IT security to identify and respond to potential security breaches in real-time. Examples include using network intrusion detection systems to monitor network traffic for anomalies and using security information and event management (SIEM) tools to collect and analyze logs from multiple sources. *For more information, view this lecture on [GRC - Governance, Risk Management, and Compliance](https://courses.thorteaches.com/courses/take/cissp/lessons/45836768-grc-governance-risk-management-and-compliance). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Monitoring).*
135
# Define: Monitoring Activities
The process of observing user activity to detect and prevent security threats, key in IT security. ## Footnote The process of monitoring user activity to identify potential security threats. It is used in IT security to detect and prevent unauthorized access to sensitive data and systems. Examples include using access logs to track user login and logout times, monitoring network traffic to identify potential malicious activity, and implementing user behavior analytics to identify anomalies in user behavior.
136
# Define: Monitoring Applied to APIs
Tracking and analyzing API operations to ensure they function correctly and identify security issues. ## Footnote Monitoring APIs involves tracking and analyzing the operation, performance, and usage of application programming interfaces to ensure they function as intended and to detect any abnormal activity that could indicate a security issue. It includes verifying that API calls meet security policies, checking for unauthorized use, and tracking changes in API behavior over time.
137
# Define: MSA | (Master Service Agreement)
A foundational contract that establishes long-term service terms between parties. ## Footnote A Master Service Agreement (MSA) is a comprehensive contract that outlines the general terms, responsibilities, and conditions governing an ongoing business relationship. It sets the groundwork for future transactions by detailing service scopes, pricing, performance metrics, and dispute resolution methods. An effective MSA streamlines negotiations for subsequent engagements while providing legal and operational clarity, ensuring that both parties maintain a secure and mutually beneficial partnership. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Master_service_agreement).*
138
# Define: Nation State Attack
A sophisticated cyberattack conducted or sponsored by a government against targeted entities. ## Footnote A Nation State Attack is a highly coordinated cyber operation backed by a government, targeting another nation’s critical infrastructure, corporations, or political entities. These attacks leverage extensive resources and advanced techniques to conduct espionage, disrupt services, or influence public opinion. Their complexity and strategic motives make them a significant threat to international security and economic stability. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Cyberwarfare).*
139
# Define: National Cyber Security Centre 12 Principles | (NCSC)
Guidelines for secure online service design and implementation, enhancing security and user trust. ## Footnote A set of guidelines provided by the UK's National Cyber Security Centre aimed at helping organizations design and implement secure online services. These principles provide a strategic framework for security and are intended to be applicable across different types of online services and business models. They cover aspects such as data minimization, user authentication, security monitoring, and incident management. The NCSC's 12 principles encourage a user-centered approach to security, promoting the protection of personal data, service integrity, and availability while fostering innovation and ease of use. They are designed to be adaptable and relevant to the evolving nature of cyber threats and the digital landscape.
140
# Define: National Information Assurance Partnership | (NIAP)
A U.S. initiative ensuring security testing of IT products through CCEVS. ## Footnote A U.S. government initiative that aims to meet the security testing needs of both information technology consumers and producers. It is operated by the National Security Agency (NSA) and is responsible for implementing the Common Criteria Evaluation and Validation Scheme (CCEVS), which provides a process for evaluating the security features of IT products and systems. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/National_Information_Assurance_Partnership).*
141
# Define: National Information Infrastructure | (NII)
The collective technology resources enabling communications across the U.S., including the internet and telecommunications networks. ## Footnote The National Information Infrastructure (NII) refers to the collective technology resources that enable the vast range of communications across the United States, including not just networks but also the services and data that reside on them. It encompasses a multitude of systems and services essential for national interests, economic activities, and individual use, such as telecommunications networks, satellite communications, broadcasting, and the Internet. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/National_Information_Infrastructure).*
142
# Define: National Institute of Standards and Technology | (NIST)
A U.S. agency developing standards and providing guidance for technology, science, and industry practices. ## Footnote A federal agency within the U.S. Department of Commerce that develops and promotes measurement standards. Known worldwide for its contribution towards technology, science, and industry, NIST provides technical guidance, including benchmarks and best practices, which help companies meet regulatory requirements and protect their systems and data. *For more information, view this lecture on [NIST SP 800-53 Revision 5](https://courses.thorteaches.com/courses/take/cissp/lessons/18588123-nist-sp-800-53-revision-5). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology).*
143
# Define: Nation-state Attackers
Nation-state attackers are sophisticated, government-backed hacking groups that target strategic industries, infrastructure, or geopolitical rivals for espionage, sabotage, or intelligence gathering. ## Footnote They possess significant resources, advanced tactics, and insider knowledge, often persisting within networks undetected for extended periods. Their operations may include supply chain compromises, custom malware, and zero-day exploits. Organizations take defensive measures like threat intelligence sharing, network segmentation, and robust intrusion detection. Understanding these groups’ motivations and techniques is crucial for national security and corporate defense in critical sectors. *For more information, view this lecture on [Risk- Attackers and Types of Attacks Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588139-risk-attackers-and-types-of-attacks-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Cyberwarfare).*
144
# Define: NIST Cybersecurity Framework | (CSF)
A framework providing standards and practices to help organizations manage cybersecurity risks effectively. ## Footnote A voluntary set of standards, guidelines, and best practices designed to assist organizations in managing cybersecurity risk. It is composed of three parts - the Framework Core, the Framework Profile, and the Framework Implementation Tiers - each providing specific guidance for establishing new or improving existing cybersecurity programs. The framework has been widely adopted by various sectors and organizations due to its flexibility and scalability. *For more information, view this lecture on [NIST SP 800-37 Revision 1 and 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588129-nist-sp-800-37-revision-1-and-2). Or visit this [NIST CSRC page](https://csrc.nist.gov/projects/risk-management/about-rmf).*
145
# Define: NIST Risk Management Framework
The NIST Risk Management Framework (RMF) guides federal agencies and organizations on categorizing systems, selecting controls, and continuously monitoring risks for better cybersecurity governance. ## Footnote Issued by the National Institute of Standards and Technology, RMF aligns security practices with organizational objectives and regulatory requirements. Steps include characterizing the system, implementing appropriate security controls, assessing effectiveness, and ensuring ongoing risk surveillance. This lifecycle approach emphasizes accountability by involving stakeholders and standardizing processes. Widely recognized, RMF offers a structured methodology that balances operational needs with robust protection against evolving threats. *For more information, visit this [NIST CSRC page](https://csrc.nist.gov/projects/risk-management/about-rmf).*
146
# Define: NIST SP 800-124
Guidelines for securing mobile devices within enterprises, addressing device policy and management for security. ## Footnote NIST Special Publication 800-124, titled "Guidelines for Managing the Security of Mobile Devices in the Enterprise," is a guidance document from the National Institute of Standards and Technology (NIST). This publication provides recommendations for the secure deployment and management of mobile devices, such as smartphones and tablets, within enterprise environments. It covers topics like device policy development, device configuration and management, secure data communication, and the protection of enterprise data stored on mobile devices. The objective of NIST SP 800-124 is to help organizations mitigate security risks associated with the use of mobile devices while supporting the productivity benefits that these devices offer. The guidance is intended for IT managers and security professionals responsible for mobile device security. As mobile technology and security threats evolve, NIST periodically updates its publications to reflect the most current best practices and recommendations. *For more information, visit this [NIST CSRC page](https://csrc.nist.gov/pubs/sp/800/124/r2/final).*
147
# Define: NIST SP 800-154
Guidance on protecting data throughout the System Development Life Cycle for federal systems. ## Footnote A publication by the National Institute of Standards and Technology providing guidance on data-centric System Development Life Cycle (SDLC) security. It focuses on the protection of data in federal information systems and emphasizes the importance of integrating security considerations throughout the SDLC, from initial design to system disposal. *For more information, visit this [NIST CSRC page](https://csrc.nist.gov/pubs/sp/800/154/ipd).*
148
# Define: NIST SP 800-192
A document providing guidance on assuring integrity in information system components, focusing on security. ## Footnote NIST Special Publication 800-192 is titled "Assuring Integrity in Information System(s) Components." This document provides guidance from the National Institute of Standards and Technology (NIST) on ensuring the integrity of information systems, with a focus on the integrity of components within those systems. It addresses various approaches and techniques to protect system components from unauthorized changes, detect when integrity violations occur, and restore systems to a trusted state. The publication is intended to assist organizations in understanding and implementing measures that can significantly reduce the risk of system component integrity being compromised, which is a critical aspect of securing information systems against cyber threats. Please note that NIST is continually updating its Special Publications, so it is advisable to consult the latest documents for current information and guidance. *For more information, visit this [NIST CSRC page](https://csrc.nist.gov/pubs/sp/800/192/final).*
149
# Define: NIST SP 800-37
Guidelines for applying the Risk Management Framework to federal information systems, including identifying and classifying assets. ## Footnote NIST Special Publication 800-37 presents guidelines for applying the Risk Management Framework to federal information systems, a process that includes identifying and classifying information system assets, identifying relevant threats, determining risk, selecting and implementing appropriate controls, and documenting the process. The goal of the publication is to provide a structured and scalable approach for managing risk to information systems and to promote near real-time risk management. *For more information, view this lecture on [NIST SP 800-37 Revision 1 and 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588129-nist-sp-800-37-revision-1-and-2). Or visit this [NIST CSRC page](https://csrc.nist.gov/pubs/sp/800/37/r2/final).*
150
# Define: NIST SP 800-53 Rev 5
Security and privacy controls for federal information systems, outlining measures to protect against cyber threats. ## Footnote NIST Special Publication 800-53 Revision 5, "Security and Privacy Controls for Information Systems and Organizations," provides a comprehensive set of security and privacy controls for federal information systems and organizations. It includes controls to address diverse requirements derived from federal laws, executive orders, policies, directives, regulations, standards, and mission/business needs. *For more information, view this lecture on [NIST SP 800-53 Revision 5](https://courses.thorteaches.com/courses/take/cissp/lessons/18588123-nist-sp-800-53-revision-5). Or visit this [NIST CSRC page](https://csrc.nist.gov/pubs/sp/800/53/r5/ipd).*
151
# Define: NIST SP 800-64
Guidelines for integrating security considerations into the system development life cycle. ## Footnote NIST Special Publication 800-64 provides comprehensive guidelines for integrating security considerations into the system development life cycle (SDLC). It assists organizations in understanding the process of incorporating effective security measures at every phase of the software development process, thus ensuring the creation of more secure and robust systems. *For more information, visit this [NIST CSRC page](https://csrc.nist.gov/pubs/sp/800/64/r2/final).*
152
# Define: NIST SP 800-70
Guidelines for creating security configuration checklists to maintain secure systems and mitigate threats. ## Footnote NIST Special Publication 800-70 provides guidelines for the development, selection, and implementation of security configuration checklists. It is designed to guide organizations in establishing and maintaining secure configurations for their operating systems, software applications, and network devices to reduce vulnerabilities and mitigate potential threats. *For more information, visit this [NIST CSRC page](https://csrc.nist.gov/pubs/sp/800/70/r4/final).*
153
# Define: Nonintrusive Monitoring
Observing system activity without affecting operation or performance. ## Footnote The observation and measurement of system activity in a way that does not affect the operation or performance of the system. This could involve gathering and analyzing log files, traffic patterns, or user behavior while minimizing impact on the system and its users.
154
# Define: Object Management Group | (OMG)
An organization that develops technology standards for various industries. ## Footnote The Object Management Group (OMG) is an international, open membership, not-for-profit technology standards consortium that develops enterprise integration standards for a wide range of technologies and an even wider range of industries. OMG's standards include the Unified Modeling Language (UML), Common Object Request Broker Architecture (CORBA), and Model Driven Architecture (MDA). *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Object_Management_Group).*
155
# Define: OECD | (Organization for Economic Cooperation and Development)
An organization promoting economic growth and developing guidelines, including for IT security. ## Footnote An international organization that works to promote economic growth and development through cooperation among its member countries. It also develops and publishes best practices and guidelines for a variety of topics, including IT security and cloud computing. *For more information, view this lecture on [International Agreements and Guidelines](https://courses.thorteaches.com/courses/take/cissp/lessons/18552357-international-agreements-and-guidelines). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/OECD).*
156
# Define: OECD Privacy Framework
The OECD Privacy Framework provides international guidelines governing privacy protection and data flows, establishing principles for fair information practices among member countries. ## Footnote Developed by the Organisation for Economic Co-operation and Development, it outlines core principles like collection limitation, data quality, purpose specification, and accountability. Intended to foster consistency while respecting member states’ legal frameworks, the framework guides data protection legislation and enforcement. By emphasizing transparency, user rights, and responsible data handling, it facilitates cross-border trade and cooperation, while safeguarding individual privacy interests in an increasingly global digital landscape. *For more information, view this lecture on [International Agreements and Guidelines](https://courses.thorteaches.com/courses/take/cissp/lessons/18552357-international-agreements-and-guidelines).*
157
# Define: Off-boarding
The process of removing an employee's access to systems and returning company property when they leave. ## Footnote The process of terminating an employee's access to company resources and systems, as well as returning company property, upon their departure from the organization. It is used to protect the company's data and assets and to ensure compliance with legal and regulatory requirements. Examples include revoking the employee's access to company systems, disabling their email account, and conducting an exit interview. *For more information, view this lecture on [Personnel](https://courses.thorteaches.com/courses/take/cissp/lessons/19180447-personnel). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Recruitment).*
158
# Define: Office for Civil Rights | (OCR)
A U.S. agency ensuring equal access to education and protecting sensitive information. ## Footnote A subdivision of the U.S. Department of Health & Human Services that enforces federal laws designed to ensure equal access to education and to protect privacy and the handling of sensitive information. It's particularly notable for overseeing the application of the Health Insurance Portability and Accountability Act (HIPAA), which includes regulations for the secure handling and transmission of health information, a significant concern for healthcare providers and related businesses. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Office_for_Civil_Rights).*
159
# Define: Official Information
Data protected by legal or policy requirements, restricted to authorized parties. ## Footnote Official information refers to data or records designated as confidential, sensitive, or for limited distribution and protected according to legal or policy requirements. Access and dissemination are restricted to individuals with proper authorization to prevent unauthorized use, ensuring that such information is not compromised. Examples include personnel records, proprietary business details, and certain governmental communications.
160
# Define: On-boarding
Introducing new employees to an organization's culture and systems. ## Footnote The process of introducing a new employee to the organization and its culture, policies, and systems. It is used to ensure that the employee has the knowledge and tools they need to perform their job effectively. Examples include providing orientation and training, introducing the employee to their team and colleagues, and setting up their workstation. *For more information, view this lecture on [Personnel](https://courses.thorteaches.com/courses/take/cissp/lessons/19180447-personnel). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Recruitment).*
161
# Define: ONF | (Organizational Normative Framework)
A structured set of guidelines defining operational and decision-making processes within an organization, including data security practices. ## Footnote A structured set of guidelines and procedures that defines how an organization should operate and make decisions. In a data security context, this can involve rules about how data should be handled, stored, or transmitted, as well as policies for identifying and mitigating potential threats and vulnerabilities. The framework also outlines roles and responsibilities within the organization to ensure that every individual understands their duties in maintaining security and privacy.
162
# Define: Operating Expenses | (OPEX)
The ongoing costs associated with the normal operations of a business, such as utilities, rent, and payroll. ## Footnote The costs that a business incurs through its normal business operations, such as rent, equipment, inventory costs, staffing, transportation, sales commissions, and advertising. These recurring expenses are essential to the running of the business and directly influence its profitability. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Operating_expense).*
163
# Define: Operational Controls
Procedures and standards focusing on daily operations, contributing to an organization's security. ## Footnote A type of security control that focuses on the day-to-day operations of an organization. It includes procedures, policies, and standards that are designed to prevent, detect, and respond to security incidents. Examples of operational controls include access controls, change management, and incident response plans. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types).*
164
# Define: Operational Level Agreement | (OLA)
An agreement detailing how internal departments collaborate to meet service requirements. ## Footnote A contract that defines how various departments of an organization work together to meet the service level requirements (SLR) of internal or external customers. OLAs are often used in conjunction with Service Level Agreements (SLAs) to ensure that all supporting processes are aligned to provide a certain level of service. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Operational-level_agreement).*
165
# Define: Operationally Critical Threat, Asset, and Vulnerability Evaluation | (OCTAVE)
A risk assessment technique focusing on operational resilience and protection needs. ## Footnote A risk-based strategic assessment and planning technique for security. It helps organizations identify and manage risks related to information security by focusing on operational resilience and protection needs. It enables organizations to assess their security needs and formulate a risk-based strategy accordingly. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Threat_model#Evolution_of_technology-centric_threat_modeling).*
166
# Define: Organization for Economic Cooperation and Development | (OECD)
An entity promoting economic progress and global trade, offering guidelines for various subjects. ## Footnote An international organization that works to build better policies for better lives. Their goal is to shape policies that foster prosperity, equality, opportunity, and well-being for all. They draw on almost 60 years of experience and insights to better prepare the world of tomorrow. *For more information, view this lecture on [International Agreements and Guidelines](https://courses.thorteaches.com/courses/take/cissp/lessons/18552357-international-agreements-and-guidelines). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/OECD).*
167
# Define: Outcome-based Risk Perspective
Focusing on the consequences of risks and their effects on objectives to guide risk management. ## Footnote An outcome-based risk perspective in risk management focuses on understanding the consequences of risks and their effects on an organization's objectives. It is used to prioritize risks based on their potential impact on critical business processes or outcomes rather than merely their probability and to allocate resources effectively to the most significant threats. In cybersecurity, this approach helps organizations concentrate their efforts on protecting essential assets and implementing controls that significantly reduce the risk to their most critical operations.
168
# Define: Outsourcing
Contracting out services or tasks to external organizations, a strategy for cost savings and efficiency. ## Footnote The practice of contracting with external organizations or individuals to perform services or tasks that are typically performed in-house. It is commonly used to reduce costs, improve efficiency, and access specialized expertise. Examples of outsourcing include IT support and payroll processing. *For more information, view this lecture on [Mission, Data, System Owners, and Data Custodians](https://courses.thorteaches.com/courses/take/cissp/lessons/18588265-mission-data-system-owners-and-data-custodians). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Outsourcing).*
169
# Define: Parkerian Hexad
A model that expands on traditional information security to include six attributes: confidentiality, possession or control, integrity, authenticity, availability, and utility. ## Footnote A model of information security, proposed by Donn Parker, that identifies six key attributes - confidentiality, possession or control, integrity, authenticity, availability, and utility - extending the classic CIA triad with three further properties. It is used in security frameworks and policies to ensure that sensitive information is protected in all of these aspects. Examples of supporting controls include access control, encryption, and auditing. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Parkerian_Hexad).*
170
# Define: Partnership for Systems Approaches to Safety and Security | (PSASS)
A collaborative initiative aimed at enhancing system safety and security across various fields. ## Footnote A collaborative effort by various entities aimed at enhancing system safety and security. This collaboration typically involves sharing best practices, researching new methodologies, and working towards the development of holistic strategies that emphasize system-level understanding and proactive management of risks. In the context of data systems, PSASS principles can guide the design of secure and reliable systems that are resilient to potential threats.
171
# Define: Patent
A legal form of protection granting inventors exclusive rights to their discoveries for a specific period. ## Footnote A legal document granting the owner the exclusive right to make, use, and sell an invention for a certain period of time. It is used to protect intellectual property and promote innovation. Examples include a patent for a new type of computer chip, a patent for a medical device, and a patent for a software algorithm. *For more information, view this lecture on [Intellectual property](https://courses.thorteaches.com/courses/take/cissp/lessons/18552326-intellectual-property). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Patent).*
172
# Define: Payload
The actual data or contents of a transmission; in security, the part of malware performing the harmful action. ## Footnote In computing, the term "payload" refers to the actual data or contents of a transmission that is being sent from one point to another. In the security context, it also refers to the part of malware that performs malicious action. The payload could be anything from a simple text message to complex code designed to exploit a vulnerability or deliver a malicious effect, such as a ransomware encryption routine or a spyware data exfiltration mechanism. *For more information, view this lecture on [Risk- Attackers and Types of Attacks Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588146-risk-attackers-and-types-of-attacks-part-2). Or view this lecture on [Emanations and Covert Channels](https://courses.thorteaches.com/courses/take/cissp/lessons/18591390-emanations-and-covert-channels). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Payload_(computing)).*
173
# Define: Payment Card Industry Data Security Standard | (PCI DSS)
A set of security standards ensuring all entities that process credit card information maintain secure environments. ## Footnote A set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. This standard was developed by the PCI Security Standards Council, a consortium of major credit card brands, and it includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. *For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or view this lecture on [US Laws, European Laws, and International Treaties](https://courses.thorteaches.com/courses/take/cissp/lessons/18552341-us-laws-european-laws-and-international-treaties). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard).*
174
# Define: Personal Information Protection and Electronic Documents Act | (PIPEDA)
Canadian legislation governing the collection, use, and disclosure of personal information in commercial activities. ## Footnote The federal privacy legislation in Canada that sets out the rules for the collection, use, and disclosure of personal information in the course of commercial activities. This concept is used in the private sector, including businesses, organizations, and individuals, to protect the privacy rights of individuals and ensure the responsible handling of personal information. Examples include PIPEDA compliance, PIPEDA consent, and PIPEDA complaints. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Personal_Information_Protection_and_Electronic_Documents_Act).*
175
# Define: Personally Identifiable Information | (PII)
Information that can uniquely identify an individual, requiring protection to ensure privacy and security. ## Footnote Information that can be used to uniquely identify an individual, such as their name, address, social security number, or biometric data. It is used in privacy and security to protect sensitive personal information from unauthorized access or use. Examples include medical records and financial information. *For more information, view this lecture on [US Laws, European Laws, and International Treaties](https://courses.thorteaches.com/courses/take/cissp/lessons/18552341-us-laws-european-laws-and-international-treaties). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Personally_identifiable_information).*
176
# Define: Phreakers
Individuals who manipulate phone systems, often for free calls or access to private information. ## Footnote Individuals who engage in the unauthorized access of telecommunication systems, such as telephone networks or voicemail systems. They may use special equipment or software to bypass security measures and gain access to restricted information or services. The term is used in the field of information security to identify and prevent potential security breaches in telecommunications systems. Three examples of phreaking activities are hacking into voicemail systems, making free long-distance calls, and accessing restricted phone numbers.
177
# Define: Plan-Do-Check-Act | (PDCA)
A cyclical methodology for continuous improvement in business processes, including cybersecurity, involving planning, action, evaluation, and adjustment. ## Footnote The Plan-Do-Check-Act (PDCA) cycle, also known as the Deming Wheel, is a management method used for the control and continuous improvement of processes and products. It is a fundamental principle of quality management where planning initiates change, execution implements the plan, checking measures new outcomes against expected results, and acting involves implementing successful changes broadly. In cybersecurity, PDCA can be applied to improve information security management processes. *For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/PDCA).*
178
# Define: Policy
A set of organizational rules or guidelines dictating how specific scenarios or processes are handled. ## Footnote A set of guidelines or rules that dictate how a company or organization should handle certain situations or processes. Policies are often used to ensure compliance with regulations and to protect the security and integrity of an organization's data and systems. Examples of policies include an employee password policy, a data retention policy, and a policy for handling confidential information. *For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Policy).*
179
# Define: Policy Approving Authority | (PAA)
An official or body authorized to approve and endorse organizational policies. ## Footnote A Policy Approving Authority (PAA) is a designated official or governing body within an organization that has the authority to formally approve and endorse policies. The PAA is responsible for ensuring that policies are suitable for the organization's needs and comply with relevant laws and regulations. Their approval signifies that the policy meets the organizational standards for managing risks and aligns with its strategic objectives.
180
# Define: Policy Certification Authority | (PCA)
An entity within a PKI that sets and enforces the certificate policy under which subordinate CAs issue digital certificates. ## Footnote A Policy Certification Authority (PCA) is a node in a hierarchical Public Key Infrastructure (PKI) that defines, implements, and enforces the policies and practices for issuing and managing digital certificates. The term comes from the Internet Privacy Enhanced Mail (PEM) hierarchy of RFC 1422, in which a single Internet Policy Registration Authority (IPRA) certified PCAs, and each PCA in turn certified the Certification Authorities (CAs) operating under its published policy. The PCA sets the assurance requirements (identity vetting, key protection, revocation practice) that subordinate CAs must meet, so that every certificate below it is issued under a common, published trust model. In modern PKIs the same function is carried by the Certificate Policy (CP) and Certification Practice Statement (CPS) documents and by the policy OIDs asserted in issued certificates.
181
# Define: Population
The complete set of individuals or items in a defined group, from which targets are counted or audit samples are drawn. ## Footnote The total number of people or items in a specific group or area. In audit and assessment work, the population is the whole set of records, accounts, or systems about which a conclusion is to be reached; a sample is drawn from it, and the conclusion is only as good as the completeness of the population it was drawn from. In threat modeling and risk analysis, population describes the number of potential targets for an attack, such as the number of hosts on a network, the number of users of a particular application, or the number of people in a region who could receive a phishing campaign.
182
# Define: Possession or Control - Parkerian Hexad
Having physical or logical custody of data, independent of whether its confidentiality has been breached. ## Footnote Possession or Control is one of the six elements of the Parkerian Hexad (confidentiality, possession or control, integrity, authenticity, availability, and utility), which extends the CIA triad. It captures the loss that occurs when an attacker gains custody of data even if they cannot read it: a stolen encrypted backup tape, for example, breaches possession but not confidentiality, because the owner no longer controls where the data is or what will be done with it. The element underlines that access control, media handling, and custody tracking matter in their own right, not only as means of keeping data secret. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Parkerian_Hexad#Possession_or_control).*
183
# Define: Principal Accrediting Authority | (PAA)
The senior official with the authority to accept a system's residual risk and formally authorize it to operate. ## Footnote The senior official within an organization who has the authority and responsibility to accredit information systems, that is, to accept the residual risk identified during certification and grant formal approval to operate. The term comes from the U.S. DoD certification and accreditation processes (DITSCAP and DIACAP), where the PAA was a senior executive who could delegate day-to-day accreditation decisions to Designated Approving Authorities (DAAs). Accreditation is a management decision and is distinct from certification, the technical evaluation of security controls performed by a certification agent or assessor. Under the current Risk Management Framework (NIST SP 800-37) the equivalent role is the Authorizing Official (AO).
184
# Define: Privacy
The right to be free from public scrutiny and to control one's personal information and how it is used. ## Footnote The state of being free from public attention or observation. It is used in the context of personal information and data protection to ensure that individuals have control over their own personal information and how it is used. Examples include privacy policies, privacy settings on social media platforms, and privacy laws such as the General Data Protection Regulation (GDPR). *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Privacy).*
185
# Define: Privacy by Design | (PbD)
A framework that incorporates privacy into system design, ensuring privacy protection from the outset. ## Footnote A framework for designing and implementing systems, products, and services that build privacy protection in from the start rather than adding it after the fact. Formulated by Ann Cavoukian, it rests on seven foundational principles, including being proactive rather than reactive, privacy as the default setting, privacy embedded into design, end-to-end security, and visibility and transparency. GDPR Article 25 (data protection by design and by default) gives the approach legal force in the EU. In practice PbD shows up as data minimization, pseudonymization, short retention periods, and defaults that leave users in control of how their data is used. *For more information, view this lecture on [GDPR (General Data Protection Regulation)](https://courses.thorteaches.com/courses/take/cissp/lessons/18552351-gdpr-general-data-protection-regulation) or [Secure design principles](https://courses.thorteaches.com/courses/take/cissp/lessons/25340659-secure-design-principles). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Privacy_by_Design).*
186
# Define: Privacy Management Framework | (PMF)
A structured approach to managing privacy risks and ensuring compliance with privacy regulations. ## Footnote A Privacy Management Framework (PMF) is an organizational blueprint that helps establish, implement, assess, and refine the processes and practices surrounding the handling of personal information. The PMF encompasses policies, procedures, and tools to manage risks to privacy and ensure compliance with applicable privacy norms and regulations.
187
# Define: Privacy Policy
A document detailing an organization's practices regarding the collection, use, and disclosure of personal information. ## Footnote A document that outlines an organization's practices and procedures related to the collection, use, and disclosure of personal information. It is used to inform and protect individuals' privacy rights and to comply with legal and regulatory requirements. Examples of privacy policies can be found on websites, mobile apps, and physical stores. *For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Privacy_policy).*
188
# Define: Privacy Shield
A framework that facilitated personal data transfers from the EU to the US until the CJEU invalidated it in 2020; succeeded by the EU-U.S. Data Privacy Framework. ## Footnote The EU-U.S. Privacy Shield was a framework established in 2016 to facilitate the lawful transfer of personal data from the European Union to the United States, replacing the earlier Safe Harbor arrangement struck down in 2015. It gave self-certifying U.S. companies a mechanism to meet EU adequacy requirements. In July 2020 the Court of Justice of the European Union declared it invalid in the Schrems II judgment, citing U.S. surveillance law and the lack of effective redress for EU data subjects. Organizations then had to rely on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), accompanied by a transfer impact assessment of the destination country's laws. In July 2023 the European Commission adopted an adequacy decision for the successor EU-U.S. Data Privacy Framework (DPF), which is itself the subject of legal challenge. *For more information, view this lecture on [GDPR (General Data Protection Regulation)](https://courses.thorteaches.com/courses/take/cissp/lessons/18552351-gdpr-general-data-protection-regulation). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/EU–US_Privacy_Shield).*
189
# Define: Privacy System
A set of controls designed to protect individuals' privacy and personal information within an information system. ## Footnote A system or set of controls designed to protect the privacy of individuals and their personal information. It is used in information systems to prevent unauthorized access and use of personal data. Examples include encryption technologies, access controls, and privacy-enhancing technologies (PETs).
190
# Define: Privacy-Enhancing Technologies | (PETs)
PETs are tools and methods, like homomorphic encryption or secure multi-party computation, designed to analyze or share data without exposing sensitive information. ## Footnote These technologies allow organizations to collaborate on data-driven insights while preserving individual or proprietary privacy. Techniques include differential privacy, secure enclaves, and zero-knowledge proofs that limit disclosure of underlying data. PETs are especially critical in regulated sectors—like healthcare and finance—where data protection is paramount. By safeguarding confidentiality, PETs foster trust, enable ethical data use, and help businesses comply with increasingly stringent privacy regulations. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Privacy-enhancing_technologies).*
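As an added example of one of the PETs named above (this is not code from the glossary or from any referenced course), the block below implements the Laplace mechanism for epsilon-differentially private counting queries and tracks the privacy budget across queries by sequential composition. The patient records are a constructed, hypothetical dataset; `PrivateCounter`, `laplace_scale` and `sample_laplace` are names chosen for this example, not from any library.

```python
import math
import random
from typing import Callable, Dict, List, Optional

# Constructed sample dataset for the example: hypothetical patient records,
# not real people. Each row is one individual.
RECORDS: List[Dict] = [
    {"id": 1, "age": 34, "diagnosis": "diabetes"},
    {"id": 2, "age": 51, "diagnosis": "hypertension"},
    {"id": 3, "age": 29, "diagnosis": "diabetes"},
    {"id": 4, "age": 67, "diagnosis": "asthma"},
    {"id": 5, "age": 45, "diagnosis": "diabetes"},
    {"id": 6, "age": 38, "diagnosis": "hypertension"},
]

# A counting query has L1 sensitivity 1: adding or removing any single
# individual's record changes the count by at most 1.
COUNT_SENSITIVITY = 1.0


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Scale b of the Laplace noise for epsilon-differential privacy.

    The Laplace mechanism adds Lap(0, b) noise with b = sensitivity / epsilon.
    Smaller epsilon means stronger privacy and more noise.
    """
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    if sensitivity <= 0:
        raise ValueError("sensitivity must be positive")
    return sensitivity / epsilon


def sample_laplace(scale: float, rng: random.Random) -> float:
    """Draw one Lap(0, scale) sample by inverse transform sampling.

    For U uniform on (-1/2, 1/2): X = -b * sgn(U) * ln(1 - 2|U|).
    """
    u = rng.random() - 0.5          # in [-0.5, 0.5)
    while u == -0.5:                # skip the single point where log(0) would occur
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class PrivateCounter:
    """Answers counting queries over a dataset under a fixed epsilon budget.

    Sequential composition: k queries with epsilons e1..ek are together
    (e1 + ... + ek)-differentially private, so the engine tracks epsilon
    spent and refuses any query that would push it over the total budget.
    """

    def __init__(self, records: List[Dict], epsilon_budget: float,
                 seed: Optional[int] = None):
        self._records = records
        self.budget = epsilon_budget
        self.spent = 0.0
        # A fixed seed is used only to make the demo reproducible; a real
        # deployment must draw noise from a CSPRNG (random.SystemRandom).
        self._rng = random.Random(seed)

    def remaining(self) -> float:
        return self.budget - self.spent

    def count(self, predicate: Callable[[Dict], bool], epsilon: float) -> float:
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.budget + 1e-12:
            raise PermissionError(
                f"privacy budget exhausted: spent {self.spent:.3f}, "
                f"requested {epsilon:.3f}, total {self.budget:.3f}"
            )
        true_count = sum(1 for r in self._records if predicate(r))
        noise = sample_laplace(laplace_scale(COUNT_SENSITIVITY, epsilon), self._rng)
        self.spent += epsilon       # charged only once the answer is released
        return true_count + noise


def exact_count(records: List[Dict], predicate: Callable[[Dict], bool]) -> int:
    """Unprotected count, shown only to compare against the private answer."""
    return sum(1 for r in records if predicate(r))


if __name__ == "__main__":
    def has_diabetes(r: Dict) -> bool:
        return r["diagnosis"] == "diabetes"

    engine = PrivateCounter(RECORDS, epsilon_budget=1.0, seed=7)
    print("exact:", exact_count(RECORDS, has_diabetes))
    print("noisy (eps=0.5):", round(engine.count(has_diabetes, 0.5), 2))
    print("remaining budget:", engine.remaining())
    try:
        engine.count(has_diabetes, 0.6)   # would exceed the 1.0 budget
    except PermissionError as exc:
        print("refused:", exc)
```

Two caveats a practitioner would want. First, the budget check is the whole point: without it an analyst can repeat the same query and average the noise away, so the engine refuses rather than answering. Second, this textbook floating-point Laplace sampler is adequate for illustrating the mechanism but is known to leak information through the low-order bits of the result (Mironov, CCS 2012); production libraries use snapping or discrete Laplace/Gaussian mechanisms instead.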
191
# Define: Procedure
A detailed set of instructions for performing a specific task or operation within a system. ## Footnote A set of detailed instructions that outline the steps to be taken to complete a specific task or process. It is used in various industries, such as healthcare and manufacturing, to ensure consistency and compliance. Examples include emergency procedures, data backup procedures, and incident response procedures. *For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Standard_operating_procedure).*
192
# Define: Process
A series of actions or steps taken to achieve a particular goal within a system. ## Footnote A series of actions or steps that are taken to achieve a specific goal or outcome. It is used in various fields, such as business and engineering, to optimize performance and efficiency. Examples include the water treatment process, the hiring process, and the manufacturing process. *For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Process_(computing)).*
193
# Define: Program Evaluation and Review Technique | (PERT)
A project management tool visualizing tasks and timelines to optimize processes. ## Footnote A project management methodology that uses a network diagram to visualize the dependencies and interdependencies of tasks within a project. It is used to estimate the duration of a project and identify potential bottlenecks. Examples include PERT diagrams for software development projects, construction projects, and event planning projects. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Program_Evaluation_and_Review_Technique).*
194
# Define: Proprietary
Owned exclusively by an entity and protected by legal rights, often used for software or processes. ## Footnote Belonging to a specific person or organization or protected by a patent or other legal right. It is used in various industries, such as pharmaceuticals and software, to prevent others from using or copying a product or technology. Examples include proprietary software, proprietary formulas, and proprietary processes. *For more information, view this lecture on [Intellectual property](https://courses.thorteaches.com/courses/take/cissp/lessons/18552326-intellectual-property). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Proprietary_protocol).*
195
# Define: Proprietary Information
Confidential information owned by an entity, crucial for competitive advantage and innovation. ## Footnote Confidential or sensitive information that belongs to a specific person or organization and is not intended to be shared with others. It is used in various fields, such as finance and healthcare, to protect sensitive data and assets. Examples include financial records, customer lists, and trade secrets. *For more information, view this lecture on [Intellectual property](https://courses.thorteaches.com/courses/take/cissp/lessons/18552326-intellectual-property). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Trade_secret).*
196
# Define: Protected Health Information | (PHI)
Individually identifiable health information that HIPAA requires covered entities and their business associates to protect. ## Footnote Any individually identifiable health information that is created, received, stored, or transmitted by a HIPAA covered entity (health plans, healthcare clearinghouses, and most providers) or its business associates, in any form, including electronic PHI (ePHI). It covers not only medical records, diagnoses, and treatment plans but also billing records and any identifier (name, dates, account numbers, device identifiers) linked to health data. The HIPAA Privacy and Security Rules govern how patients' PHI may be used, disclosed, and safeguarded, and the Breach Notification Rule requires reporting when unsecured PHI is compromised. *For more information, view this lecture on [US Laws, European Laws, and International Treaties](https://courses.thorteaches.com/courses/take/cissp/lessons/18552341-us-laws-european-laws-and-international-treaties). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Protected_health_information).*
197
# Define: Protection Philosophy
Guiding principles that shape how security measures are implemented within an organization. ## Footnote A set of principles and guidelines that determine how security measures should be implemented and maintained in an organization. This is often used to guide the development of security policies and procedures. Examples include the CIA triad (confidentiality, integrity, availability) and the principle of least privilege.
198
# Define: Protection vs. Security
Differentiating between specific safeguards (protection) and the overall safe state (security). ## Footnote Protection refers to the specific safeguards and mechanisms implemented to defend a system or data against unauthorized access, damage, or theft. Security is a broader concept encompassing the state of being free from danger or threat, which includes protection as well as other aspects such as detection, response, and recovery.
199
# Define: Qualitative Risk Analysis
An assessment technique evaluating risk based on subjective criteria to identify potential impacts and develop strategies. ## Footnote A method of risk assessment that uses subjective judgment and expert opinions to evaluate the likelihood and impact of risks. It is used in risk management to prioritize risks and develop mitigation strategies. Examples include interviews, workshops, and scenario analysis. *For more information, view this lecture on [Risk Management- Assessment Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588106-risk-management-assessment-part-2) or [GRC - Governance, Risk Management, and Compliance](https://courses.thorteaches.com/courses/take/cissp/lessons/45836768-grc-governance-risk-management-and-compliance). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Qualitative_risk_analysis).*
200
# Define: Quality | (in IT)
The measure of how well an IT system or process meets user needs, requirements, and standards, ensuring reliability and performance. ## Footnote Refers to the degree to which an IT system, application, or process meets specified criteria, user requirements, and performs reliably and efficiently. Quality in IT is maintained through best practices, testing, and continuous improvement.