Domain 1.2: Security and Risk Management Flashcards

Review key terms related to governance, risk, compliance, and security principles.

1
Q

Define:

Quality Assurance

(QA)

A

The practice of ensuring products or services meet quality requirements and are free from defects through systematic processes.

A systematic process of ensuring that products and services meet specified requirements and are reliable, defect-free, and fit for purpose. QA practices involve the implementation of standards, testing, and review to uphold product quality and customer satisfaction.

For more information, visit this Wikipedia page.

2
Q

Define:

Quality Management System

(QMS)

A

A formalized system documenting processes, procedures, and responsibilities for achieving quality policies and objectives.

A framework of policies, procedures, and processes that are used to plan, implement, and monitor the quality of a product or service. It is used in organizations to ensure customer satisfaction and compliance with standards. Examples include ISO 9001, CMMI, and Six Sigma.

For more information, visit this Wikipedia page.

3
Q

Define:

Quantitative Risk Analysis

A

The process of measuring the potential impact of identified risks using numerical values, aiding in risk prioritization.

A systematic process used in risk management that quantifies the probabilities and potential consequences of risks. It typically involves the calculation of risk through the formula - Risk = Probability of Occurrence × Impact of Event. This technique allows organizations to assign monetary values to risks and to prioritize them based on their potential to affect business outcomes.

For more information, view this lecture on Risk Management- Assessment Part 2. Or visit this Wikipedia page.

4
Q

Define:

Quarantine Processing

A

Isolating potentially malicious data or software to prevent it from spreading or causing damage within a system.

The isolation of potentially infected or malicious data or software from the rest of a system or network in order to prevent it from spreading or causing damage. It is used in cybersecurity to protect networks and systems from malware and other forms of cyberattack. Examples include using virtual machines or sandboxes to run untrusted software, using intrusion detection systems to identify and block suspicious traffic, and implementing access controls to prevent unauthorized access to quarantined data or systems.

For more information, view this lecture on Risk- Attackers and Types of Attacks Part 2. Or view this lecture on Malware- Part 1.

5
Q

Define:

RACI Chart

(Responsible, Accountable, Consulted, and Informed)

A

A matrix used to define roles and responsibilities in a project, ensuring clarity and accountability for tasks.

A matrix used to define roles and responsibilities within a project or team. It is used in the field of project management to ensure that all stakeholders are aware of their roles and responsibilities and to avoid confusion or conflict. Examples include the use of RACI charts to assign tasks and deadlines, the use of RACI charts to track progress and issues, and the use of RACI charts to communicate roles and responsibilities to all stakeholders.

For more information, view this lecture on RACI charts (Responsible, Accountable, Consulted, Informed). Or visit this Wikipedia page.

6
Q

Define:

Reasonable Actions

A

Actions that are deemed suitable in a given situation based on a standard of reasonableness, including proper security measures.

Actions that are considered appropriate given the specific circumstances and are based on common sense and sound judgment. It is used in information security to determine the necessary measures that need to be taken to protect data and systems from potential threats. Examples include implementing multi-factor authentication, conducting regular security assessments, and implementing robust access controls.

7
Q

Define:

Reducing Risk

A

Identifying, assessing, and taking steps to mitigate risks in order to protect an organization from potential threats.

The process of identifying, assessing, and mitigating risks in order to protect an organization from potential threats and vulnerabilities. Reducing risk is an important part of cybersecurity, as it helps organizations prevent, detect, and respond to potential security incidents. Examples of risk reduction strategies include implementing strong passwords, conducting regular security audits, and implementing security awareness training for employees.

For more information, view this lecture on Risk Management- Assessment Part 1. Or view this lecture on Risk Management- Assessment Part 2. Or visit this Wikipedia page.

8
Q

Define:

Regulation

A

A rule or directive made and maintained by an authority, governing activities in various sectors to ensure safety, fairness, and compliance.

A rule or directive issued by a government agency to control or influence an industry or activity. It is used to protect the public interest and ensure compliance with standards and requirements. Examples include HIPAA, which regulates the use and disclosure of personal health information, and PCI DSS, which sets standards for securing payment card data.

For more information, view this lecture on Laws and Regulations. Or visit this Wikipedia page.

9
Q

Define:

Regulatory Policy

(in IT and Cybersecurity)

A

Guidelines and practices that define how organizations comply with regulations related to technology and data security.

Guidelines and practices that govern how organizations comply with laws and regulations related to information technology and data security. These policies help ensure that organizations meet specific industry standards, like GDPR for data protection and Sarbanes-Oxley for financial reporting, to protect consumer data and maintain privacy.

For more information, view this lecture on Information Security Governance: Policies, Procedures, Guideline, and Frameworks.

10
Q

Define:

Regulatory Requirements

A

Mandated actions or conditions organizations must fulfill to adhere to legal and regulatory standards.

Obligations that organizations need to meet to comply with relevant laws, regulations, or standards set by governmental or oversight bodies. These requirements often pertain to data privacy, financial reporting, operational safety, and similar critical aspects within an organization’s operations. Non-compliance can result in legal consequences, fines, or damage to reputation, emphasizing the necessity of compliance management systems to ensure these requirements are met.

For more information, view this lecture on Information Security Governance: Policies, Procedures, Guideline, and Frameworks. Or view this lecture on Laws and Regulations. Or visit this Wikipedia page.

11
Q

Define:

Relationship between Policies, Procedures, Standards, and Guidelines

A

The hierarchy of governance documents where policies state goals, procedures provide steps, standards define requirements, and guidelines suggest best practices.

A hierarchy of rules that govern an organization’s operations. A policy is a high-level plan that outlines organizational goals. Procedures are detailed steps that describe how to accomplish these goals. Standards are established requirements that ensure procedures are performed consistently and correctly. Lastly, guidelines are recommendations that provide a framework for decision-making within the policy and procedural constraints.

For more information, view this lecture on Information Security Governance: Policies, Procedures, Guideline, and Frameworks.

12
Q

Define:

Relationship between Threats, Vulnerabilities, Assets, and Risks

A

Interconnected elements where assets have value, threats may harm them, vulnerabilities could be exploited by threats, and risks are the potential for loss.

Threats, vulnerabilities, assets, and risks are interrelated components of risk management. An asset is something of value to an organization. A threat is a potential event that could cause harm or damage to the asset. Vulnerability refers to the weaknesses in a system or process that could be exploited by threats. Finally, risk is the potential for loss or damage when a threat exploits a vulnerability. Therefore, risk arises from the combination of the asset’s vulnerabilities, the threats it faces, and the impact the realization of these threats would have on the organization.

For more information, view this lecture on Risk Management- Assessment Part 1.

13
Q

Define:

Relevant Information

A

Data that is directly related to the issue at hand, essential for making informed decisions or solving problems.

Data or facts that are directly related to the matter at hand and have the potential to affect the outcome of a decision. In a data analysis or troubleshooting process, for example, relevant information could be specific error messages, system logs, or user feedback that can help pinpoint the root cause of an issue or guide the implementation of a solution.

14
Q

Define:

Reliable Information

A

Accurate and consistent data that can be depended on for decision-making and operations.

Data or facts that are accurate, consistent, and verifiable. It is free from error and bias and is trusted to make decisions. The reliability of information can be ensured through various methods, such as data validation, cross-referencing with multiple sources, and regular updates to ensure it remains current.

15
Q

Define:

Representation

(in IT and Cybersecurity)

A

Using symbols or models to depict data or processes, essential for clear communication and data protection.

The depiction of data or processes through understandable symbols or models, for example, using visual schematics to represent network structures or encoding data in formats that ensure confidentiality and integrity. Accurate representation is vital for effective analysis, communication, and protection of IT assets.

16
Q

Define:

Reputation Risk

A

Potential harm to an entity’s reputation from events or actions that could result in trust loss from stakeholders or the public.

The potential damage to the standing of an individual or entity due to a particular event, action, or inaction, which could result in a loss of trust among stakeholders, customers, or the public. In terms of security, it’s the risk of damage to a company’s reputation that could result from a data breach, system failure, or other security incident. Managing this risk involves a combination of proactive security measures, effective incident response, and communication strategies.

For more information, view this lecture on Risk Management - Identification. Or view this lecture on GRC - Governance, Risk Management, and Compliance. Or visit this Wikipedia page.

17
Q

Define:

Residual Risk

A

The remaining risk after security measures are applied, evaluated for acceptable risk levels within risk management.

The amount of risk that remains after all security measures and controls have been applied. It represents the potential for harm, loss, or disruption even after all mitigations have been taken into account. Understanding and managing residual risk is a key part of any risk management strategy, as it helps determine whether additional measures are necessary or whether the remaining risk is acceptable.

For more information, view this lecture on Risk Management- Assessment Part 1. Or view this lecture on GRC - Governance, Risk Management, and Compliance. Or visit this Wikipedia page.

18
Q

Define:

Resource

(in IT and Cybersecurity)

A

Any asset supporting information processes, such as hardware, data, and access controls.

Any digital asset that supports information processes and services, such as hardware, software, information, network capacity, and user access. Effective management of these resources is essential to ensure they are used securely and efficiently to achieve business objectives.

19
Q

Define:

Resource Optimization

A

Improving resource use to achieve effective outcomes, crucial in operations and project management.

The process of maximizing the efficiency and effectiveness of resources to achieve desired results. It is used in operations management and project management to ensure that resources are used in the most effective and efficient manner. Examples include reducing waste and costs in production processes, minimizing downtime and disruptions in supply chain operations, and maximizing the use of available time and resources in project planning and execution.

20
Q

Define:

Return on Investment

(ROI)

A

A measure used to evaluate the efficiency or profitability of security investments relative to their cost.

A performance measure used to evaluate the efficiency or profitability of an investment or to compare the efficiency of a number of different investments. In a security context, ROI could refer to the benefits gained from investments in security measures weighed against their cost. It helps organizations justify the necessity of security expenditures by demonstrating their value in terms of risk reduction, loss prevention, and compliance.

For more information, view this lecture on Administrative personnel controls. Or visit this Wikipedia page.

21
Q

Define:

Review/Approval

A

A process in change management for evaluating proposed changes and deciding whether they should be implemented.

This phase in change management involves a comprehensive evaluation of proposed changes and the decision of whether to authorize their implementation. The process includes assessing potential risks, benefits, costs, and resource requirements of the change. Scrutiny at this stage is critical from a security standpoint to confirm that changes will not introduce vulnerabilities, weaken existing controls, or negatively impact the security posture of the system.

22
Q

Define:

RFC 1087, titled “Ethics and the Internet”

A

A document highlighting the importance of ethical behavior in internet use and condemning activities such as unauthorized access and hacking.

A document issued by the Internet Activities Board (IAB) that outlines unethical behaviors in the scope of internet use, including malicious activities like hacking and the unauthorized access to systems. RFC 1087 underscores the importance of responsible usage, respect for the rights of users, and the preservation of the integrity of the underlying infrastructure.

For more information, view this lecture on The ISC2 Code of Ethics.

23
Q

Define:

Right-to-Audit

A

A contractual provision allowing review of an organization’s security and compliance practices.

Right-to-audit is a legal and contractual clause that grants one party, typically a customer or partner, the authority to inspect the systems, policies, and controls of another organization. This ensures transparency and adherence to established security, financial, or regulatory standards. It plays a crucial role in maintaining trust, verifying compliance, and identifying potential risks in outsourced operations.

24
Q

Define:

Risk

A

The potential for loss or damage when a threat exploits vulnerability, fundamental in cybersecurity and risk management.

The potential for loss or damage resulting from a threat or vulnerability. It is a fundamental concept in cybersecurity and risk management, used to identify and evaluate potential threats and vulnerabilities. Examples include the risk of a cyber-attack on an organization’s network or the risk of data loss due to a natural disaster.

For more information, view this lecture on Risk Management- Assessment Part 1. Or visit this Wikipedia page.

25
# Define: Risk Acceptance
A risk management strategy where an organization chooses not to take action to mitigate a known risk.

## Footnote
A risk management strategy in which an organization identifies a risk but decides not to take action to remediate it. This typically occurs when the cost of mitigating the risk is greater than the potential loss or when the risk is deemed unlikely to materialize. It's a conscious decision that acknowledges the potential for loss but accepts it as a consequence of conducting business.

*For more information, view this lecture on [Risk Response and Mitigation & Risk and Control Monitoring and Reporting](https://courses.thorteaches.com/courses/take/cissp/lessons/18588121-risk-response-and-mitigation-risk-and-control-monitoring-and-reporting). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_management).*

26
# Define: Risk Aggregation
Combining multiple individual risks to create a single comprehensive risk profile for an organization.

## Footnote
The process of combining multiple individual risks into a single overall risk profile. It is used in risk management to identify and evaluate the potential impact of multiple risks on an organization's objectives and assets. Examples include aggregating the risks of a cyber-attack, data loss, and natural disaster to assess the overall risk to an organization.

*For more information, view this lecture on [Risk Response and Mitigation & Risk and Control Monitoring and Reporting](https://courses.thorteaches.com/courses/take/cissp/lessons/18588121-risk-response-and-mitigation-risk-and-control-monitoring-and-reporting). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Enterprise_risk_management).*

27
# Define: Risk Analysis
The process of identifying and assessing risks to determine their likelihood and potential impact.

## Footnote
A component of risk management that involves the identification and assessment of risks. It involves determining the likelihood that a threat will exploit a vulnerability and the subsequent impact on an organization. It helps in prioritizing risks based on their potential impact and the likelihood of occurrence, facilitating effective decision-making about how to manage these risks, whether that's through mitigation, transfer, avoidance, or acceptance.

*For more information, view this lecture on [Risk Management- Assessment Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588106-risk-management-assessment-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_assessment).*

28
# Define: Risk Appetite
The level of risk that an organization is willing to accept in pursuit of its goals and objectives.

## Footnote
The amount and type of risk that an organization is willing to accept in pursuit of its objectives. It is a strategic concept that guides decision-making processes, indicating the balance between the potential benefits of innovation and the threats that change inevitably brings. By defining risk appetite, organizations can make informed choices, set priorities, and allocate resources effectively.

*For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Enterprise_risk_management).*

29
# Define: Risk Assessment
The process of identifying, analyzing, and evaluating the potential impact of risks.

## Footnote
The overall process of identifying, analyzing, and evaluating risks. It involves the estimation of the risk's likelihood and the magnitude of its impact and is an integral part of the risk management process. The objective of risk assessment is to enable the organization to decide whether the risk is acceptable or whether it is severe enough to warrant treatment or mitigation measures.

*For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_assessment).*

30
# Define: Risk Assignment
A strategy where an organization transfers its risk exposure to a third party, such as through insurance or contracts.

## Footnote
A risk mitigation strategy where an organization shifts the risk exposure to another party. This could be done through various means like contracts, insurance, or outsourcing. The intent is to manage potential business risks that could be financially damaging by transferring the responsibility of risk and its management to a third party.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_management).*

31
# Define: Risk Avoidance
A strategy to prevent potential adverse consequences by avoiding certain activities or decisions.

## Footnote
The strategic decision to steer clear of activities that could lead to adverse consequences. In the context of digital ecosystems, this could mean not implementing certain features, not using certain technologies, or not pursuing certain activities that are assessed to carry a high degree of risk. It's a proactive measure taken based on risk assessment results to mitigate potential threats and vulnerabilities, thereby ensuring the stability, resilience, and robustness of digital systems and networks.

*For more information, view this lecture on [Risk Response and Mitigation & Risk and Control Monitoring and Reporting](https://courses.thorteaches.com/courses/take/cissp/lessons/18588121-risk-response-and-mitigation-risk-and-control-monitoring-and-reporting). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_management).*

32
# Define: Risk Culture
The collective attitude, values, and practices related to risk within an organization, shaping how it is managed.

## Footnote
The values, beliefs, knowledge, attitudes, and understanding of risk shared by a group of people with a common purpose, in this case, an organization. This includes the rules and safety measures set in place to address potential risks, as well as the attitudes towards risk-taking. An effective risk culture promotes an environment where proactive and responsible risk management is part of everyone's daily activities.

*For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management).*

33
# Define: Risk Deterrence
Implementing measures to discourage or prevent the occurrence of a risk, such as robust security systems.

## Footnote
A strategy that involves implementing measures to discourage the materialization of a risk. It's often used in the context of deterring malicious activities, such as implementing robust security systems to deter hackers. This strategy can also involve making the potential consequences of an unwanted action so severe that it discourages individuals or entities from proceeding with that action.

*For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_management).*

34
# Define: Risk Evaluation
Comparing risk assessment results with organizational criteria to determine if the risk is acceptable or requires action.

## Footnote
The process of comparing the results of a risk assessment with risk criteria to determine whether the risk and its magnitude are acceptable or tolerable. This step is crucial in the risk management process, as it helps organizations prioritize the risks that require immediate attention or mitigation efforts.

*For more information, view this lecture on [Risk Management- Assessment Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588106-risk-management-assessment-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_assessment).*

35
# Define: Risk Factor
An aspect that increases the likelihood of an unwanted outcome or a risk, such as a vulnerability or threat.

## Footnote
A characteristic, condition, or variable that increases the potential for an undesirable outcome or a risk to occur. These are aspects that can increase vulnerability, affect threat potential, or cause uncertainty in achieving objectives. Identifying risk factors helps in developing strategies to mitigate or manage the risk.

*For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1).*

36
# Define: Risk Frameworks
Sets of guidelines that offer a structured approach to managing risks within an organization.

## Footnote
Structured guidelines that provide a systematic approach to identifying, assessing, managing, and monitoring risks. They offer a set of principles and practices for understanding and handling risks within an organization. Popular risk frameworks include the Risk Management Framework (RMF) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. These frameworks guide organizations in integrating risk management practices into their overall governance and management practices.

37
# Define: Risk Identification
The process of recognizing and describing risks that could impact an organization's objectives.

## Footnote
The first step in the risk management process, where organizations recognize and describe risks that might impact the achievement of their objectives. This process involves the identification of potential threats and vulnerabilities that could negatively affect operations or assets. Identifying risks early allows for timely risk management and mitigation strategies to be implemented.

*For more information, view this lecture on [Risk Management - Identification](https://courses.thorteaches.com/courses/take/cissp/lessons/18588085-risk-management-identification). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_assessment).*

38
# Define: Risk Index
A quantitative measurement that estimates risk using multiple contributing factors.

## Footnote
A numerical estimation of risk calculated using multiple factors that contribute to the potential risk. This index helps organizations quantify risk, making it easier to understand, compare, and manage. The risk index can be used to prioritize risks, guide decision-making processes, and allocate resources effectively to mitigate potential threats.

*For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1).*

39
# Define: Risk Indicators | (Key Risk Indicators - KRIs)
Metrics and benchmarks that provide signals of increasing risk exposures in an organization, aiding in risk monitoring and control.

## Footnote
Statistical metrics and benchmarks used to provide an early signal of increasing risk exposures in various areas of an organization. They help in monitoring and controlling risk levels, ensuring management can take timely, corrective action to maintain risk within acceptable limits.

*For more information, view this lecture on [KGIs, KPIs, and KRIs](https://courses.thorteaches.com/courses/take/cissp/lessons/18588114-kgis-kpis-and-kris).*

40
# Define: Risk Management
The process of identifying, assessing, and prioritizing risks, followed by resource allocation to reduce and monitor the probability of unwanted events.

## Footnote
The coordinated activities undertaken to direct and control an organization with regard to risk. It involves the identification, assessment, and prioritization of risks, followed by the application of resources to reduce, monitor, and control the likelihood or impact of unwanted events. Effective risk management helps in reducing the likelihood of a disruptive event and mitigates the impact if such an event occurs.

*For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_management).*

41
# Define: Risk Management Framework | (RMF) (NIST)
NIST's framework for managing information security risks in federal agencies, providing a systematic process for risk management.

## Footnote
The National Institute of Standards and Technology (NIST) framework for managing information security risks in federal agencies. It provides a systematic and repeatable process for identifying, evaluating, and mitigating risks to information systems and data. Examples of agencies using the RMF include the Department of Defense and the Department of Homeland Security.

*For more information, view this lecture on [NIST SP 800-37 Revision 1 and 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588129-nist-sp-800-37-revision-1-and-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_Management_Framework).*

42
# Define: Risk Management Metrics
Measures used to evaluate the effectiveness of an organization's risk management strategies, including incident frequency and response times.

## Footnote
Quantitative measures that are used to assess the effectiveness of risk management efforts across an organization. These metrics can include factors such as risk exposure, control effectiveness, incident frequency, and response times, aiding in evaluating how well risks are being managed.

43
# Define: Risk Map
A visual representation of an organization's risks, showing their likelihood and impact, used for communicating and prioritizing risks.

## Footnote
A graphical representation of the risks that an organization faces, providing a visual depiction of their likelihood and the magnitude of their impact. It can help to prioritize risks based on their potential impact and probability of occurrence. Risk maps are often used as a tool for communicating risks within the organization, making it easier for all stakeholders to understand the risk landscape.

44
# Define: Risk Mitigation
Actions taken to reduce the likelihood or impact of a risk, including preventive measures and contingency planning.

## Footnote
The process of taking actions to reduce the likelihood or impact of a risk. Mitigation strategies can range from preventive actions aimed at avoiding the risk to contingency plans prepared for dealing with the impact should the risk materialize. The goal of risk mitigation is to acceptably reduce the possibility and consequences of an adverse event.

*For more information, view this lecture on [Risk Response and Mitigation & Risk and Control Monitoring and Reporting](https://courses.thorteaches.com/courses/take/cissp/lessons/18588121-risk-response-and-mitigation-risk-and-control-monitoring-and-reporting). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_management).*

45
# Define: Risk Owner
An individual responsible for managing a particular risk, ensuring that monitoring and control measures are implemented effectively. ## Footnote An individual or entity that is responsible for managing a particular risk. This includes monitoring the risk, implementing controls to mitigate it, and taking appropriate action if the risk materializes. Assigning a risk owner ensures accountability and improves the effectiveness of risk management activities within an organization.
46
# Define: Risk Portfolio View
A comprehensive overview of all risks within an organization, aiding in the holistic management of interdependent risks. ## Footnote A comprehensive and consolidated view of all the risks within an organization. It aids in understanding the collective impact of multiple risks on the organization's strategic objectives. This view allows organizations to manage interdependent risks holistically rather than treating each risk as an isolated entity, thereby improving decision-making related to risk management. *For more information, view this lecture on [Risk Response and Mitigation & Risk and Control Monitoring and Reporting](https://courses.thorteaches.com/courses/take/cissp/lessons/18588121-risk-response-and-mitigation-risk-and-control-monitoring-and-reporting).*
47
# Define: Risk Reduction
Actions taken to decrease the potential damage from a risk, such as implementing controls or transferring the risk. ## Footnote The process of decreasing the potential damage or loss from a risk through preventative measures or actions. This could involve applying controls or safeguards to reduce vulnerabilities, transferring the risk to another party, or avoiding the risk altogether. The aim of risk reduction is to lessen the probability of occurrence or the impact severity of a risk to an acceptable level. *For more information, view this lecture on [Risk Response and Mitigation & Risk and Control Monitoring and Reporting](https://courses.thorteaches.com/courses/take/cissp/lessons/18588121-risk-response-and-mitigation-risk-and-control-monitoring-and-reporting). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_management).*
48
# Define: Risk Register
A risk register is a documented log of identified risks, their potential impact, likelihood, and mitigation strategies, serving as a central tool in organizational risk management. ## Footnote Typically, each risk entry details an owner, response plan, deadlines, and updates on progress. Keeping an updated risk register helps decision-makers prioritize resources, track mitigations, and communicate effectively with stakeholders. By continuously reviewing and refining it, the organization remains prepared for evolving threats. A well-maintained risk register aligns security efforts with business objectives, enhancing resilience and compliance. *For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_register).*
49
# Define: Risk Rejection
A non-strategic behavior where an organization ignores or denies the existence of a risk, leading to unpreparedness and vulnerability. ## Footnote An informal risk management approach where an organization chooses to ignore or deny the existence of a risk, often due to a lack of awareness or unwillingness to address it. This non-strategic behavior can stem from a cultural aversion to dealing with risks and generally leads to unpreparedness and vulnerability to potential threats. *For more information, view this lecture on [Risk Response and Mitigation & Risk and Control Monitoring and Reporting](https://courses.thorteaches.com/courses/take/cissp/lessons/18588121-risk-response-and-mitigation-risk-and-control-monitoring-and-reporting).*
50
# Define: Risk Response
Deciding how to handle identified risks, with options like acceptance, avoidance, mitigation, and transfer. ## Footnote The process of deciding on how to approach and deal with identified risks. The four primary responses to risk are acceptance (tolerating the risk), avoidance (changing plans to evade the risk), mitigation (reducing the impact or likelihood of the risk), and transfer (shifting the risk to a third party). The chosen response will depend on the organization's risk tolerance, the potential impact of the risk, and the cost of the response. *For more information, view this lecture on [Risk Response and Mitigation & Risk and Control Monitoring and Reporting](https://courses.thorteaches.com/courses/take/cissp/lessons/18588121-risk-response-and-mitigation-risk-and-control-monitoring-and-reporting). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_management).*
51
# Define: Risk Scenario
A hypothetical situation describing how a risk might occur, used to prepare for and mitigate risks effectively. ## Footnote A hypothetical situation or sequence of events that could lead to a risk event. It describes a particular risk in the context of its triggers, events, impacts, and possible responses. By visualizing how a risk might occur and its potential effects, risk scenarios help organizations prepare for and mitigate risks more effectively. *For more information, view this lecture on [Risk Management- Assessment Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588106-risk-management-assessment-part-2).*
52
# Define: Risk Statement
A summary describing a specific risk and its potential impact on an organization, aiding in understanding and decision-making. ## Footnote A clear and concise description of a specific risk that an organization faces. It generally identifies the risk source, the event that could occur, and the potential impacts. Risk statements are crucial in risk management as they help stakeholders understand the nature of the risk, enabling them to make informed decisions about risk responses.
53
# Define: Risk Threshold
A risk threshold specifies the level of uncertainty or impact an organization is willing to tolerate before requiring additional actions, alerts, or escalations in its risk management process. ## Footnote Defined by executive management or risk committees, the threshold aligns with business goals and regulatory obligations. If a risk's probability or consequences exceed this limit, the organization must respond, for example by increasing budgets, adding controls, or revising policies. Maintaining a clearly stated risk threshold ensures unified decision-making, fosters accountability, and balances the pursuit of opportunities against security demands. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_appetite#Risk_threshold).*
54
# Define: Risk Tolerance
The level of risk an organization is willing to accept while pursuing its goals, guiding risk management decisions. ## Footnote The level of risk an organization is willing to accept in pursuit of its goals and objectives. It is used in risk management and decision-making. Examples include an organization with a high risk tolerance that is willing to take on significant risks in pursuit of growth, or an organization with a low risk tolerance that prioritizes stability and security. *For more information, view this lecture on [Risk Response and Mitigation & Risk and Control Monitoring and Reporting](https://courses.thorteaches.com/courses/take/cissp/lessons/18588121-risk-response-and-mitigation-risk-and-control-monitoring-and-reporting). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Enterprise_risk_management).*
55
# Define: Risk Transfer
Shifting potential risk impacts to a third party through insurance or contracts, redistributing the burden of loss. ## Footnote A risk management strategy that involves shifting the potential impact of certain risks from one party to another, typically by contractual agreement or by purchasing insurance. In the context of cybersecurity, organizations can use risk transfer to offload some of the financial risks associated with data breaches, cyber-attacks, and other security incidents to third-party insurers or other business partners. For example, a company might use a cloud service provider and include terms in the contract that make the provider responsible for certain types of security incidents. Similarly, cyber insurance policies can provide compensation for direct and indirect costs resulting from cyber incidents, effectively transferring the financial risk away from the organization itself. Risk transfer does not eliminate the risk but redistributes the potential burden of loss. *For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_management).*
56
# Define: Risk Treatment
Selecting and applying measures to modify risks to an acceptable level, in line with an organization's risk appetite. ## Footnote The process of selecting and implementing measures to modify risk. This can include avoiding the risk, optimizing the risk through mitigation strategies, sharing the risk with other parties, or retaining the risk by informed decision. The aim is to reduce the level of risk to an acceptable level as per the organization's risk appetite. *For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_management).*
57
# Define: Risk-based Access Control
Controlling access to resources dynamically based on the associated risk of a user's access at any given time. ## Footnote A dynamic method of controlling access to resources based on the risk associated with a user's access at any given time. This approach considers factors such as the value of the resources being accessed, the current security state of the system, and the identity or role of the user in making access decisions. This ensures that higher-risk access scenarios require stricter security measures or controls. *For more information, view this lecture on [Access control systems.](https://courses.thorteaches.com/courses/take/cissp/lessons/19179400-access-control-systems).*
58
# Define: Rule-based Management
Managing an organization through established rules to guide behavior and ensure compliance. ## Footnote A management approach that involves establishing and enforcing rules to guide decision-making and behavior within an organization. It is often used in business and government organizations to ensure compliance with regulations and policies. Examples of rule-based management include requiring employees to follow a specific code of conduct or implementing policies to protect customer data.
59
# Define: Safe Harbor
A legal provision that offers protection from penalties under certain compliant conditions. ## Footnote A provision typically found in regulations that offers protection from liability or penalty under certain circumstances. These circumstances generally involve compliance with specific guidelines or standards. In the context of data protection, for example, organizations can adhere to Safe Harbor principles to legally transfer data across different jurisdictions. The key goal is to encourage best practices, ensure regulatory compliance, and provide reassurances to stakeholders that sensitive information is being handled responsibly. *For more information, view this lecture on [GDPR (General Data Protection Regulation)](https://courses.thorteaches.com/courses/take/cissp/lessons/18552351-gdpr-general-data-protection-regulation). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles).*
60
# Define: Sarbanes-Oxley Act | (SOX)
Legislation enhancing corporate financial transparency and combating fraud, affecting IT security and data integrity. ## Footnote Legislation enacted to enhance financial transparency and combat corporate fraud. SOX imposes strict auditing and financial regulations on public companies. Part of its mandate includes requirements for reporting on the effectiveness of internal controls over financial reporting, which has significant implications for IT security and data integrity. *For more information, view this lecture on [US Laws, European Laws, and International Treaties.](https://courses.thorteaches.com/courses/take/cissp/lessons/18552341-us-laws-european-laws-and-international-treaties). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Sarbanes–Oxley_Act).*
61
# Define: Scheduling
Organizing tasks or events in a planned and systematic manner to enhance efficiency and effectiveness. ## Footnote The process of organizing and coordinating activities, events, or tasks in a systematic way. It is used to plan and execute tasks efficiently and effectively. Examples include an algorithm for scheduling jobs on a computer, a scheduling system for managing appointments in a doctor's office, and scheduling software for planning and organizing a project. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Scheduling_(computing)).*
62
# Define: Script Kiddies
Script kiddies are novice hackers who use pre-written tools, exploits, or scripts without fully understanding underlying vulnerabilities or sophisticated hacking techniques. ## Footnote Lacking advanced skills, they often rely on publicly available malware or instructions from online communities. Though less skilled, script kiddies can still inflict damage, defacing websites or launching DDoS attacks. Organizations defend by keeping systems patched, employing firewalls, and monitoring suspicious traffic. Awareness and security hygiene effectively thwart script kiddies, preventing them from leveraging common exploits and known vulnerabilities. *For more information, view this lecture on [Risk- Attackers and Types of Attacks Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588139-risk-attackers-and-types-of-attacks-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Script_kiddie).*
63
# Define: SEC | (Securities and Exchange Commission)
A U.S. regulatory body overseeing securities markets and protecting investors. ## Footnote A U.S. government agency that regulates the securities industry and oversees the stock and options exchanges. The SEC is responsible for enforcing federal securities laws and protecting investors from fraudulent or misleading practices. For example, the SEC might investigate a company for insider trading or issuing false financial statements. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/U.S._Securities_and_Exchange_Commission).*
64
# Define: Security Assurance Requirements
Specifications and protocols that a system or product must meet to demonstrate its security effectiveness. ## Footnote A collection of detailed specifications and protocols that an entity, be it a product, system, or service, must adhere to in order to demonstrate its reliability and robustness in the face of potential threats. These requirements serve as a quality benchmark that a solution must meet to ensure its effectiveness in protecting sensitive information and maintaining operations, often encompassing aspects such as data encryption, user authentication, system integrity, and contingency planning.
65
# Define: Security Awareness
The level of knowledge and understanding of security practices, measures, and their importance among individuals or within organizations. ## Footnote The understanding and knowledge of security practices and measures. It is used in the workplace to educate employees on how to protect sensitive information and prevent security breaches. Examples include training sessions on password protection, avoiding phishing scams, and proper disposal of confidential documents. *For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_awareness).*
66
# Define: Security Awareness Campaign
An initiative to educate and inform stakeholders about security practices, risks, and protocols. ## Footnote A coordinated effort to educate and inform employees on security practices and protocols. It is used in organizations to raise awareness and understanding of security measures among employees. Examples include posters and flyers distributed throughout the workplace, regular security newsletters, and interactive training sessions. *For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks).*
67
# Define: Security Awareness Program
An organized approach to educate and train employees on security practices and protocols. ## Footnote A structured and comprehensive plan to educate employees on security practices and protocols. It is used in organizations to ensure that all employees are aware of security measures and are trained on how to properly implement them. Examples of a security awareness program include regular training sessions, online resources and tutorials, and security quizzes and tests. *For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks).*
68
# Define: Security Baseline
A set of foundational security standards and requirements that an organization or system is expected to meet. ## Footnote A set of minimum security standards and requirements that must be met by an organization or system. It is used as a benchmark to assess the current level of security and identify areas for improvement. Examples of a security baseline include required password strength and expiration, minimum encryption standards, and regular security audits. *For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks).*
69
# Define: Security Breach Notification Laws
Security Breach Notification Laws mandate organizations to inform affected individuals and authorities when sensitive data is compromised, ensuring transparency and consumer protection. ## Footnote These regulations vary by jurisdiction but often require prompt reporting upon discovery of a breach that may expose personal or financial information. They typically outline timelines, notification formats, and penalties for noncompliance. Such laws drive organizations to maintain robust incident response plans and data security measures. By encouraging responsible disclosure, they aim to reduce harm, promote accountability, and uphold individuals’ right to know about potential privacy risks. *For more information, view this lecture on [US Laws, European Laws, and International Treaties.](https://courses.thorteaches.com/courses/take/cissp/lessons/18552341-us-laws-european-laws-and-international-treaties). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_breach_notification_laws).*
70
# Define: Security Champions
Advocates within an organization who promote security best practices and awareness among their peers. ## Footnote Individuals within an organization who are responsible for promoting and advocating for security best practices. They may educate employees on security policies and procedures and help to identify and address potential vulnerabilities. For example, a security champion at a company may lead training sessions on password management, or a security champion at a school may help to implement security controls on the school's network. *For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks).*
71
# Define: Security Control Frameworks
Guidelines that provide a structured approach to implementing and managing security controls within an organization. ## Footnote Organizational guides that establish the structured implementation and management of security controls, policies, and procedures. These frameworks help standardize practices across industries and often include benchmarks for assessing security maturity, such as the ISO 27001 standard for information security and the NIST Cybersecurity Framework for critical infrastructure protection. *For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_controls).*
72
# Define: Security Controls
Measures implemented to protect information systems against unauthorized access or cyber-attacks. ## Footnote Measures and protocols put in place to protect an organization or system from security threats and vulnerabilities. They are used to prevent security breaches and maintain the confidentiality, integrity, and availability of information and resources. Examples of security controls include firewalls, access controls, and intrusion detection systems. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_controls).*
73
# Define: Security Fault Analysis
The examination of potential security weaknesses to assess and improve system robustness. ## Footnote The process of identifying and analyzing potential security weaknesses or vulnerabilities in an organization or system. It is used to assess the current level of security and identify areas for improvement. Examples of security fault analysis include penetration testing, vulnerability assessments, and risk assessments.
74
# Define: Security Frameworks
Structured sets of guidelines that help organizations establish, manage, and maintain secure operations. ## Footnote Structured sets of guidelines and best practices designed to assist organizations in defining, implementing, and managing their security processes. They provide comprehensive methodologies for risk assessment, implementation of security controls, monitoring and improving security posture, and ensuring compliance with regulatory requirements. Well-known examples include ISO 27001, the NIST Cybersecurity Framework, and the CIS Controls. Utilizing these frameworks provides a systematic and consistent approach to managing security risks. *For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_controls).*
75
# Define: Security Governance
The set of principles, policies, and processes that guide and control an organization's security strategies and measures. ## Footnote The overarching structure, principles, and procedures that define and guide an organization's approach to managing security risks. Security governance encompasses the roles and responsibilities of various stakeholders, policy creation and enforcement, compliance management, and alignment of security objectives with business goals. Effective security governance ensures that all aspects of security are addressed in a coordinated manner, supporting business objectives while protecting against threats. *For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/IT_governance).*
76
# Define: Security Inspection
A systematic review to identify security vulnerabilities and assess the protection level of a system or organization. ## Footnote The process of systematically evaluating an organization or system to identify security weaknesses and vulnerabilities. It is used to assess the current level of security and identify areas for improvement. Examples of a security inspection include regular security audits and assessments, as well as security testing and evaluations.
77
# Define: Security Management
The process of developing and implementing policies and procedures to protect an organization's assets, including information assets. ## Footnote The process of identifying an organization's assets (including information assets), followed by the development, documentation, and implementation of policies and procedures for protecting these assets. Security management encompasses a range of practices and responsibilities aimed at ensuring the confidentiality, integrity, and availability of data and IT services. It can involve various activities such as risk assessment, security planning, access control, security training and awareness, incident response, and compliance with relevant laws and regulations. Effective security management requires ongoing evaluation and adaptation to address evolving threats and vulnerabilities within the context of an organization's changing needs and objectives. *For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management).*
78
# Define: Security Policy
A set of guidelines dictating how an organization manages and protects its information and resources. ## Footnote A set of comprehensive guidelines that dictate how an organization manages and protects its information and IT resources. Security policies are the backbone of an organization's security infrastructure, outlining user responsibilities, acceptable use, and the protocols for responding to security incidents. *For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_security_policy).*
79
# Define: Security Posture
The overall defense capability against cyber threats, shaped by an organization's security policies and practices. ## Footnote An organization's overall defense capability against cyber threats, as determined by the effectiveness of its security policies, controls, and practices. It is a comprehensive view of the organization's readiness and ability to protect its information assets from potential security incidents. A strong security posture incorporates elements such as threat intelligence, proactive risk management, effective incident response, user awareness, and continual reassessment to adapt to the evolving threat landscape.
80
# Define: Security Procedures
Detailed steps that guide the implementation of security policies, defining specific actions for various scenarios. ## Footnote Detailed instructions that guide how security policies are implemented and enforced within an organization. They define the specific actions to be taken in various scenarios to ensure the protection of information assets. This may include procedures for user authentication, system configurations, data backup, incident response, and more. Security procedures aim to provide clarity and consistency in security practices, facilitating compliance with established security policies and standards. *For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks).*
81
# Define: Security Requirements
Criteria that systems, networks, or services must meet to be considered secure from threats. ## Footnote A set of criteria that a system, network, or service must meet to ensure that it is secure from potential threats. Security requirements may pertain to the protection of data confidentiality, integrity, and availability, as well as user authentication, access controls, system resilience, and compliance with relevant regulations. They provide a clear understanding of what is needed to protect information assets and serve as a basis for the design, implementation, and evaluation of security controls.
82
# Define: Security Requirements Baseline
A set of minimum security requirements a system must meet to ensure protection against threats. ## Footnote A set of minimum security requirements that a system, application, or environment must meet to ensure a satisfactory level of protection against potential threats. This baseline is established after conducting a risk assessment to identify vulnerabilities and threats. It serves as a foundation for the design and implementation of security controls and as a reference point for auditing and compliance checks. By adhering to a security requirements baseline, an organization can ensure a consistent level of security across its systems and processes.
83
# Define: Security Standards
Guidelines and specifications designed to maintain information security and provide a baseline for cyber protection measures. ## Footnote Established guidelines and specifications designed to maintain information security and provide a baseline for implementing cybersecurity measures. Standards such as ISO/IEC 27001 help organizations protect assets, comply with regulations, and foster trust with stakeholders. *For more information, view this lecture on [Standards and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18552255-standards-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_security_standards).*
84
# Define: Security through Obscurity
The practice of relying on secrecy as the main method of protection, which is generally considered inadequate. ## Footnote A criticized practice that relies on keeping security mechanisms secret as the main method of protection. It is generally considered inadequate because once the obscurity is bypassed, there are no other defenses. Effective security should not depend solely on the secrecy of its implementation but rather on robust, tested, and transparent methods. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_through_obscurity).*
85
# Define: Separation of Duties | (SoD)
A strategy to prevent fraud and error by dividing tasks and functions among multiple people. ## Footnote A risk management strategy designed to prevent fraud and error by dividing critical tasks and functions among multiple individuals or teams. The goal of SoD is to ensure that no single person can complete a high-risk task alone, thereby reducing the potential for malicious activity or unintentional errors. SoD is often implemented in financial systems, but it's also used in various other contexts where error or fraud could have significant implications. *For more information, view this lecture on [Security models and concepts- Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18591282-security-models-and-concepts-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Separation_of_duties).*
86
# Define: Service Level Agreement | (SLA)
A formal agreement specifying the expected level of service between a provider and a customer. ## Footnote A contract or agreement between a service provider and a customer that defines the level of service, availability, and performance expected from the provider. It is used in IT operations to establish and manage the expectations and obligations of both parties. Examples include SLAs for uptime, response time, and resolution time of a service. *For more information, view this lecture on [3rd Party, Acquisitions, and Divesture Security](https://courses.thorteaches.com/courses/take/cissp/lessons/18552367-3rd-party-acquisitions-and-divesture-security). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Service-level_agreement).*
87
# Define: Significant Deficiency
A notable flaw in a system or control that could negatively impact the ability to achieve objectives. ## Footnote A flaw or weakness in a system or control mechanism that could adversely affect the ability to achieve objectives, though not to the extent of a material weakness. In a security context, a significant deficiency could involve inadequate procedures, outdated security systems, or untrained staff that might render a system more vulnerable to security breaches or data loss. Identifying and addressing these deficiencies is crucial for maintaining robust security and mitigating potential risks.
88
# Define: Single Loss Expectancy | (SLE)
A metric used to calculate the expected monetary loss from a single occurrence of a specific risk event. ## Footnote A concept used in risk assessment that represents the monetary loss expected from the occurrence of a single risk event. It's calculated by multiplying the value of the asset at risk (in monetary terms) by the exposure factor (the percentage of asset loss caused by the risk event). By understanding the SLE, organizations can better prioritize their security investments, focusing on risks that would cause the greatest financial impact. *For more information, view this lecture on [Risk Management- Assessment Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588106-risk-management-assessment-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk_assessment#Quantitative_risk_assessment).*
89
# Define: Six Sigma Approach | (in IT and Cybersecurity)
A methodological approach originally for quality management, applied to enhance IT and cybersecurity processes. ## Footnote While Six Sigma is a quality management methodology primarily used to improve manufacturing and business processes, it can also be applied to IT and cybersecurity. Its data-driven approach can help enhance security operations by identifying inefficiencies, reducing errors, and fostering a culture of continuous improvement in security practices. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Six_Sigma).*
90
# Define: SMART
A goal-setting framework ensuring security objectives are specific, measurable, achievable, relevant, and time-bound. ## Footnote An acronym for Specific, Measurable, Achievable, Relevant, and Time-bound, SMART is a goal-setting framework that can be applied to various domains, including security. For example, a SMART security goal could be to reduce the number of successful phishing attacks by 50% within the next six months by implementing new training and awareness programs. By making goals SMART, organizations can more effectively plan, monitor, and achieve their security objectives. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/S.M.A.R.T.).*
91
# Define: SOP | (Standard Operating Procedures)
SOPs are documented, step-by-step instructions that guide employees in performing tasks consistently, ensuring quality, compliance, and safety across an organization. ## Footnote They standardize complex workflows, from incident response to patch management, reducing variability and errors. Clearly written and regularly updated SOPs empower staff to respond uniformly to incidents or changes. In security contexts, SOPs align remediation processes with best practices. By establishing accountability and simplifying training, SOPs foster efficiency, minimize mistakes, and facilitate continual improvement in organizational operations. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Standard_operating_procedure).*
92
# Define: Spam
Unsolicited bulk messages often containing unwanted or malicious content. ## Footnote Unwanted, unsolicited digital communication, often in the form of emails, which are sent in bulk. While often merely annoying and inconvenient, spam can sometimes contain malicious links or attachments or be used in phishing attacks. It's a common method used to disseminate malware or trick individuals into divulging personal information or sensitive data. Effective spam filters and user education are vital in mitigating the risks associated with spam. *For more information, view this lecture on [Risk- Attackers and Types of Attacks Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588146-risk-attackers-and-types-of-attacks-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Email_spam).*
93
# Define: SPF | (Sender Policy Framework)
An email validation system that checks if a sender's IP is authorized for its domain. ## Footnote SPF (Sender Policy Framework) is an email authentication technique that verifies whether an email originates from an IP address authorized by the sending domain's administrators. By publishing SPF records in DNS, organizations help prevent spoofing and unauthorized email usage. This system, often used with DKIM and DMARC, plays a key role in maintaining secure and reliable email delivery. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Sender_Policy_Framework).*
94
# Define: Standard
A set of established criteria that serve as a benchmark for quality, consistency, and performance across various industries. ## Footnote A set of rules, guidelines, or criteria used as a basis for comparison. It is used in many industries to ensure consistency and quality in products, services, and processes. Examples include technical standards for computer hardware and software, industry standards for manufacturing processes, and quality standards for customer service. *For more information, view this lecture on [Information Security Governance: Policies, Procedures, Guideline, and Frameworks](https://courses.thorteaches.com/courses/take/cissp/lessons/18588064-information-security-governance-policies-procedures-guideline-and-frameworks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Standard).*
95
# Define: Standup Meetings
Brief daily meetings where team members discuss progress, challenges, and plans to keep projects on track. ## Footnote Daily meetings where team members provide updates on their progress and any roadblocks they are facing. They are used to keep teams on track and communicate status. Examples of teams that may hold standup meetings include software development teams and IT support teams. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Stand-up_meeting).*
96
# Define: Statement of Work | (SOW)
A document detailing the work activities, deliverables, and schedule a service provider will execute for a client. ## Footnote A formal document that captures and defines the work activities, deliverables, and timeline a service provider will execute in the performance of specified work for a client. In the realm of security, the SOW outlines the specific tasks, expected outcomes, and standards or metrics for performance related to enhancing a system's protection from potential threats. It is used to provide clear, concise project specifics and set expectations between stakeholders. *For more information, view this lecture on [Penetration testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Statement_of_work).*
97
# Define: Statutory Requirements
Mandatory legal regulations that entities must adhere to, involving data protection, reporting, and more. ## Footnote Mandatory rules, regulations, and compliance standards set forth by government bodies and regulatory authorities. They can encompass various aspects, such as data privacy, storage, processing, and transmission. Violating these requirements can lead to legal consequences. For instance, statutory requirements might mandate certain levels of data protection or dictate specific protocols for reporting data breaches. *For more information, view this lecture on [Laws and Regulations](https://courses.thorteaches.com/courses/take/cissp/lessons/18552277-laws-and-regulations).*
98
# Define: Strategic Planning
Developing a structured approach to achieve a desired future by setting goals and determining the steps to reach them. ## Footnote The systematic process of envisioning a desired future and translating this vision into defined goals or objectives and a sequence of steps to achieve them. In a security context, it could involve planning the implementation of security protocols, developing an incident response strategy, or creating a roadmap for the adoption of new security technologies. It is a crucial part of ensuring that resources are utilized effectively to enhance protection and mitigate risks. *For more information, view this lecture on [Information Security Governance: Values, Vision, Mission, and Plans](https://courses.thorteaches.com/courses/take/cissp/lessons/18584579-information-security-governance-values-vision-mission-and-plans). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Strategic_planning).*
99
# Define: Strengths, Weaknesses, Opportunities, and Threats Analysis | (SWOT)
A tool for identifying internal and external factors that can impact performance and informing strategic planning. ## Footnote A strategic planning tool that helps identify internal and external factors that may affect an organization's performance. In a security context, strengths and weaknesses might refer to the capabilities and vulnerabilities of the current security infrastructure, while opportunities and threats could refer to emerging security technologies or evolving threat landscapes. This analysis aids in decision-making and strategy development to improve system security. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/SWOT_analysis).*
100
# Define: Supply Chain Attack
A Supply Chain Attack targets vulnerabilities in third-party providers, software dependencies, or components used by an organization, allowing an attacker to compromise downstream customers. ## Footnote Attackers may infiltrate a vendor’s software updates, hardware deliveries, or code repositories. Once tampered code is distributed, unsuspecting customers install malicious updates, granting wide-ranging access. High-profile examples include incidents where trusted software was hijacked to spread malware. Prevention involves stringent vendor vetting, code signing, repeatable builds, and continuous monitoring of third-party dependencies. A strong supply chain security strategy reduces dependency-related risks. *For more information, view this lecture on [External dependencies in BIA](https://courses.thorteaches.com/courses/take/cissp/lessons/54398505-new-2024-external-dependencies-in-bia). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Supply_chain_attack).*
101
# Define: Supply Chain Management | (SCM)
In IT, managing the flow and security of hardware, software, and services from external suppliers. ## Footnote In IT, SCM encompasses the management of hardware, software, and services sourcing from external suppliers. It's crucial to manage these relationships and monitor the supply chain for risks, ensuring the security and reliability of IT components and protecting against potential vulnerabilities introduced by third-party vendors. *For more information, view this lecture on [External dependencies in BIA](https://courses.thorteaches.com/courses/take/cissp/lessons/54398505-new-2024-external-dependencies-in-bia). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Supply_chain_management).*
102
# Define: Supply Chain Risks
Potential vulnerabilities introduced through third-party suppliers, requiring careful management and monitoring. ## Footnote IT supply chain risks involve potential vulnerabilities that can arise from third-party suppliers, such as compromised components or software. These risks require thorough vetting, monitoring, and management strategies to safeguard the integrity and security of IT systems and data across the entire supply chain. *For more information, view this lecture on [External dependencies in BIA](https://courses.thorteaches.com/courses/take/cissp/lessons/54398505-new-2024-external-dependencies-in-bia). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Supply_chain_risk_management).*
103
# Define: Suspension
Temporarily disabling access or capabilities, often used as a preventive measure during investigations. ## Footnote The temporary disabling of access privileges or other capabilities. In a security context, a user's account might be suspended due to suspicious activity, violations of policy, or as part of a user offboarding process. Suspension is often used as a preventive measure, allowing for investigations or remediation activities to take place without further potential harm or breach of security.
104
# Define: SWIFT Security Control Framework
A set of mandatory and advisory controls for SWIFT users, ensuring the secure operation of financial services. ## Footnote A set of mandatory and advisory security controls for SWIFT users. It provides a clear baseline for users to secure their local environments, protect the broader SWIFT community, and help prevent fraud within the financial sector. The controls are divided into three objectives - secure your environment, know and limit access, and detect and respond, which together form a comprehensive guide to financial data protection.
105
# Define: System Security Plan
A formal document outlining the measures and processes in place to protect a computer system from threats. ## Footnote A document that outlines the policies, procedures, and controls in place to protect a computer system from security threats. This can include information on access controls, data backups, and incident response plans. Examples of system security plans can be found in most organizations' IT policies and procedures manuals.
106
# Define: Tangible Asset
Physical property with value, such as buildings or machinery, significant in financial assessments. ## Footnote A physical property or item that has value and can be owned or controlled by an individual or organization. It is a common term in accounting and finance, where tangible assets are used to assess the value and performance of a company. Examples include buildings, equipment, machinery, and inventory. *For more information, view this lecture on [Risk Management - Identification](https://courses.thorteaches.com/courses/take/cissp/lessons/18588085-risk-management-identification). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Asset#Tangible_assets).*
107
# Define: Technical Vulnerability Information
Information about system or software weaknesses that can be exploited by an attacker. ## Footnote Details about a weakness or flaw in a system or application that can be exploited by an attacker. It is used by security professionals to identify and mitigate risks and by software developers to fix vulnerabilities. Examples include information about a buffer overflow exploit in a web application or a SQL injection attack on a database.
108
# Define: Technology Infrastructure Plan
A strategic document outlining the management of an organization's technology infrastructure. ## Footnote A document that outlines the design, implementation, and maintenance of an organization's technology infrastructure. It is used to align technology investments with business goals and to ensure the availability, performance, and security of the infrastructure. Examples include plans for deploying new servers, upgrading network components, and implementing disaster recovery procedures.
109
# Define: Testimonial Evidence
Evidence presented in court through witness statements or expert testimony. ## Footnote Proof or information presented in the form of witness statements or expert testimony during legal proceedings. Testimonial evidence relies on personal observations, experiences, and expertise to support or refute claims within a court case. *For more information, view this lecture on [Laws and Regulations- Evidence](https://courses.thorteaches.com/courses/take/cissp/lessons/18552296-laws-and-regulations-evidence). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Anecdotal_evidence).*
110
# Define: The Australian Privacy Act of 1988
Legislation regulating personal information handling and ensuring individual privacy. ## Footnote A law that regulates the handling of personal information about individuals. This includes the collection, use, storage, and disclosure of personal information and access to and correction of that information. It includes thirteen Australian Privacy Principles that outline standards, rights, and obligations around these processes and applies to most Australian Government agencies, all private sector and not-for-profit organizations with an annual turnover of more than $3 million, all private health service providers, and some small businesses. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Privacy_Act_1988).*
111
# Define: Third-party Connectivity
Integration of external services or systems with an organization's infrastructure, presenting potential security risks. ## Footnote The integration or interaction of external services, applications, or systems with an organization's existing infrastructure. This interaction can provide expanded functionality, enhance performance, or enable interoperability between disparate systems, but it can also introduce potential vulnerabilities, so it's crucial to maintain appropriate security measures, including data encryption, access controls, and monitoring protocols. *For more information, view this lecture on [Secure Communications - Part 3](https://courses.thorteaches.com/courses/take/cissp/lessons/29462733-secure-communications-part-3).*
112
# Define: Threat
A potential cause of an adverse event that may result in harm or loss to an organization or system. ## Footnote A potential cause of an unintended incident that may result in harm to a system or organization. Threats can range from natural disasters to cyber attacks, and identifying them is crucial for implementing effective security measures and risk management strategies. *For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Threat_(computer)).*
113
# Define: Threat Analysis
Identifying and evaluating risks that could potentially compromise information security. ## Footnote The process of identifying, analyzing, and prioritizing potential risks to an organization's information or systems. Used in security planning to determine the likelihood and impact of potential threats. Examples include conducting vulnerability assessments and analyzing historical data on attacks. *For more information, view this lecture on [Risk Management- Assessment Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588106-risk-management-assessment-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Threat_(computer_security)#Threat_analysis).*
114
# Define: Threat Assessment
An analytical process for determining the severity and impact of potential threats. ## Footnote A methodology that evaluates the relative severity of threats to an organization's systems or data. It includes identifying potential threats, analyzing them in terms of their likelihood of occurrence and potential impact, and prioritizing them. This process enables organizations to focus their efforts and resources on the most significant threats. *For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Threat_(computer_security)#Threat_management).*
115
# Define: Threat Event
An occurrence in which a threat agent actively exploits a vulnerability. ## Footnote An instance in which a threat agent actively exploits a vulnerability, potentially causing damage or disruption to a system or network. This could be a cyber-attack like a denial of service, a phishing attempt, or a ransomware attack. Understanding potential threat events and their impact helps in designing preventative controls and effective response strategies. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Threat_(computer_security)).*
116
# Define: Threat-based Risk Perspective
A risk management approach focusing on identifying and assessing threats to an organization. ## Footnote A viewpoint of risk management that focuses on identifying and assessing threats that could potentially harm an organization. This perspective involves looking at specific threats, their likelihood of occurrence, and the potential impact they could have on the organization's operations and objectives. It's a proactive approach to risk management that allows an organization to take necessary precautions and plan preventive measures to reduce the impact of identified threats.
117
# Define: Top-down Approach to Security Management
A method where security goals are set at the highest levels and implemented throughout the organization. ## Footnote A method of security management that involves setting high-level goals and policies and then working down to the implementation of specific security controls. It is commonly used in organizations with hierarchical structures. Examples include a top-down approach to security management in a government agency and in a multinational corporation. *For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Bottom-up_and_top-down_design).*
118
# Define: Top-level Management
The highest-ranking executives in an organization responsible for strategic decisions, including security priorities. ## Footnote The highest level of decision-makers within an organization. These individuals are responsible for creating strategies, plans, and policies to guide the organization, which includes setting security priorities, determining risk appetite, and allocating resources toward the protection and preservation of the organization's resources and systems. Their buy-in and active involvement are essential for effective security governance. *For more information, view this lecture on [Governance and Management](https://courses.thorteaches.com/courses/take/cissp/lessons/18551997-governance-and-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Senior_management).*
119
# Define: Total Cost of Ownership | (TCO)
A financial estimate considering all costs associated with a product or system throughout its lifecycle. ## Footnote The comprehensive assessment of all costs associated with the purchase, operation, and maintenance of a product or system over its lifespan. It includes direct costs such as purchase and installation, as well as indirect costs like maintenance, downtime, training, and end-of-life disposal. A full understanding of TCO is essential for informed decision-making, ensuring that solutions are cost-effective and sustainable in the long term. *For more information, view this lecture on [Risk Management- Assessment Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588106-risk-management-assessment-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Total_cost_of_ownership).*
120
# Define: Total Risk
The cumulative potential for harm from all identified and unidentified threats to an organization. ## Footnote The combined potential impact of all identifiable and non-identifiable threats that could affect an organization's operations or assets. It takes into account both internal and external threats, vulnerabilities, and the potential impacts that could arise if these risks are realized. Effective risk management strategies aim to understand, mitigate, and, where possible, eliminate these risks. *For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Risk#Expected_values).*
121
# Define: Trade Secrets
Confidential business information providing a competitive edge and requiring protection in cybersecurity. ## Footnote A trade secret is any practice, design, formula, process, or compilation of information not generally known or reasonably ascertainable, by which a business can obtain an economic advantage over competitors or customers. In the context of cybersecurity, protecting trade secrets is critical to maintaining competitive advantage and financial stability. *For more information, view this lecture on [Intellectual property](https://courses.thorteaches.com/courses/take/cissp/lessons/18552326-intellectual-property). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Trade_secret).*
122
# Define: Trademarks
Registered symbols, names, or logos that represent a company's brand and require digital protection. ## Footnote Legally registered symbols, names, or logos that identify and distinguish a company's goods or services from those of others. They represent a company's brand and reputation. In the digital world, misuse or theft of trademarks, often through techniques like typo-squatting or phishing, can lead to brand dilution, loss of customers' trust, and financial losses, thus requiring strategies for protection. *For more information, view this lecture on [Intellectual property](https://courses.thorteaches.com/courses/take/cissp/lessons/18552326-intellectual-property). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Trademark).*
123
# Define: Training and Awareness
The process of educating employees about security best practices to minimize security incidents and protect sensitive information. ## Footnote The process of educating and informing employees about security best practices and policies in order to prevent security incidents and protect sensitive information. Examples include conducting regular security training sessions for employees and implementing a security awareness program for new hires. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_awareness).*
124
# Define: Training and Awareness in Disaster Recovery | (DR)
Educational efforts to prepare individuals and stakeholders for effective response in the event of a disaster, including exercises and training on backup systems. ## Footnote The process of preparing employees and stakeholders for potential disasters and providing them with the knowledge and skills to respond effectively in the event of a disaster. Examples include conducting disaster recovery drills and simulations and providing employees with training on how to use backup and recovery systems. *For more information, view this lecture on [Personnel safety](https://courses.thorteaches.com/courses/take/cissp/lessons/19149922-personnel-safety).*
125
# Define: Transborder Data Flow
The transfer of digital information across national borders, posing challenges for consistent data protection. ## Footnote The movement or transfer of digital information across national or jurisdictional boundaries. It often involves different legal and regulatory environments, including diverse data protection laws. This cross-border data flow can present challenges to ensuring consistent data protection and privacy standards, making the understanding and application of proper safeguards and compliance measures crucial.
126
# Define: Transparency
Openness that allows stakeholders to understand and review security processes to build trust and assurance. ## Footnote The principle of allowing users, stakeholders, and even the public to understand and review the processes, protocols, and practices used to secure systems, services, and data. It is a key factor in building trust with users and customers, as it provides assurance that procedures are in place to protect data and uphold privacy.
127
# Define: Trust Services Criteria
Standards for evaluating an entity's controls related to security and privacy based on core principles. ## Footnote A set of professional attestation and advisory services based on a core set of principles and criteria that address the risks and opportunities of IT-enabled systems and privacy programs. They are used in the evaluation of the design and operational effectiveness of an entity's controls relevant to security, availability, processing integrity, confidentiality, and privacy.
128
# Define: Typo Squatting | (a.k.a. URL Hijacking)
Occurs when malicious actors register domain names closely resembling popular websites, exploiting common user typing errors to direct victims to fraudulent sites. ## Footnote This involves registering a domain name that closely resembles another legitimate domain but with minor typ
129
# Define: UK Corporate Governance Code
Standards for good corporate governance practices in UK-listed companies. ## Footnote A framework that sets out standards for good practice in relation to board leadership, effectiveness, remuneration, and accountability in the governance of UK-listed companies. It operates under a 'comply or explain' approach, whereby companies must publicly state their compliance with the code's principles or provide a rationale for any non-compliance. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/UK_Corporate_Governance_Code).*
130
# Define: USA PATRIOT Act of 2001
Legislation enacted to bolster law enforcement abilities in the wake of the September 11 attacks. ## Footnote Officially the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, it's a legislative act signed into law to enhance law enforcement investigatory tools following the September 11 terrorist attacks. The act increased the ability of law enforcement agencies to search telephone, email communications, medical, financial, and other records in their efforts to detect and prevent terrorism. *For more information, view this lecture on [US Laws, European Laws, and International Treaties](https://courses.thorteaches.com/courses/take/cissp/lessons/18552341-us-laws-european-laws-and-international-treaties). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Patriot_Act).*
131
# Define: User Awareness
The level of understanding among system users about the importance of security practices in preventing breaches. ## Footnote The knowledge and understanding of security risks and best practices among users of a system or network. It is an essential element of an effective security program, as users are often the first line of defense against threats. Examples include educating users on password security, phishing scams, and safe browsing habits. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Internet_security_awareness).*
132
# Define: Utility in the Parkerian Hexad
Denotes the practical usefulness and value of information.

## Footnote

Utility in the Parkerian Hexad refers to the capacity of data to serve its intended purpose effectively. It measures how beneficial and actionable information is for decision-making, operations, and achieving strategic objectives. Ensuring high utility means that data remains relevant, accessible, and applicable, thereby supporting robust organizational processes and contributing significantly to overall system value. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Parkerian_Hexad#Utility).*
133
# Define: Virtual Organizations
Collaborative entities that operate across traditional boundaries via technology, necessitating strong cybersecurity protocols.

## Footnote

Networked groups of independent entities that share resources and skills to achieve common objectives but are not limited by traditional organizational boundaries or physical locations. They leverage information and communication technologies to operate, offering flexibility and scalability, but require robust security measures to protect shared information and to ensure reliable and secure collaboration. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Virtual_organization).*
134
# Define: Vulnerability
A flaw or weakness in a system that can be exploited to cause harm or unauthorized access.

## Footnote

A weakness or flaw in a system that can be exploited by malicious actors to gain unauthorized access or cause damage. These vulnerabilities can stem from a variety of sources, including software bugs, hardware defects, configuration errors, or poor security practices, and pose a potential risk to the system's security and integrity. *For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Vulnerability_(computing)).*
135
# Define: Vulnerability Event
An event in which a system's weakness is exploited, leading to a potential security incident.

## Footnote

An occurrence where a system's vulnerability is exploited by a threat actor. This event can lead to unauthorized access, data breaches, or even system damage. Monitoring and detecting these events is crucial for timely incident response and mitigation of potential damage. *For more information, view this lecture on [Risk Management- Assessment Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588095-risk-management-assessment-part-1).*
136
# Define: Vulnerability Management
The continuous oversight of identifying, evaluating, and addressing security vulnerabilities in IT systems.

## Footnote

The continuous process of identifying, evaluating, remediating, and reporting security vulnerabilities within IT systems. Vulnerability management is a foundational element of a security program, essential for minimizing the risk of cyber attacks and maintaining the integrity of an organization's technology infrastructure. *For more information, view this lecture on [Risk Management- Assessment Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588106-risk-management-assessment-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Vulnerability_management).*
137
# Define: Vulnerability-Based Risk Perspective
A risk management approach focusing on system weaknesses and their potential exploitation.

## Footnote

A vulnerability-based risk perspective is a viewpoint that focuses on identifying and analyzing system vulnerabilities as a measure of risk. Instead of primarily considering the potential threats, it concentrates on the system's inherent weaknesses and the potential damage if these vulnerabilities were to be exploited.
138
# Define: Wassenaar Arrangement
An international agreement regulating the export of conventional arms and dual-use goods and technologies.

## Footnote

An international accord that governs the export of conventional arms and dual-use goods and technologies, such as advanced cryptographic systems, which can have both civilian and military applications. Its purpose is to prevent the proliferation of arms and sensitive technologies that could be misused to undermine security and stability, ensuring that transfers do not contribute to harmful military buildups or human rights abuses. *For more information, view this lecture on [International Agreements and Guidelines](https://courses.thorteaches.com/courses/take/cissp/lessons/18552357-international-agreements-and-guidelines). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Wassenaar_Arrangement).*
139
# Define: Watermarking
Embeds identifiable information—like logos, unique codes, or imperceptible patterns—into content to trace ownership, usage, or unauthorized distribution.

## Footnote

Applied to documents, images, or video, watermarks may be visible or hidden. Visible marks may deter casual theft; invisible ones enable ownership verification without impairing aesthetics. In digital rights management, forensic watermarking reveals leaks by embedding trackable data. Content creators leverage watermarking to assert copyright, reduce piracy, and support legal enforcement. Effective watermarking must withstand transformations, ensuring robust traceability throughout the content's lifecycle. *For more information, view this lecture on [Data Protection](https://courses.thorteaches.com/courses/take/cissp/lessons/25649829-data-protection). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Digital_watermarking).*
140
# Define: Web Risk Assessment
The evaluation of potential risks associated with using web applications in an organization.

## Footnote

The process of identifying, analyzing, and understanding the risks associated with the use of web applications in an organization. The objective is to determine the potential impact of these risks and formulate strategies to mitigate or eliminate them.
141
# Define: Whistleblowing
The act of exposing unethical or illegal activities within an organization, often related to cybersecurity incidents or breaches.

## Footnote

The act of reporting illegal or unethical behavior within an organization. It is often used in the field of IT security to report issues such as cyber-attacks, data breaches, or unauthorized access to sensitive information. Examples of whistleblowing in IT security might include reporting a colleague who has accessed company data without permission or alerting management to a cyber-attack that has occurred. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Whistleblower).*
142
# Define: White Hat Hacker
A security professional who lawfully tests and discloses vulnerabilities, helping organizations fortify defenses without exploiting discovered weaknesses.

## Footnote

Often called ethical hackers, they follow responsible disclosure policies and maintain high ethical standards. White hats may receive bug bounties or hold roles in penetration testing teams. Their activities prevent malicious exploitation, offering valuable insights into system resilience. By continuously challenging defenses and collaborating with security teams, white hat hackers play a crucial role in bolstering cybersecurity. *For more information, view this lecture on [Risk- Attackers and Types of Attacks Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588139-risk-attackers-and-types-of-attacks-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Hacker).*
143
# Define: Wiretapping
Covert monitoring of telephone or internet conversations, often associated with privacy concerns and legal restrictions.

## Footnote

The act of covertly monitoring and recording telephone and internet conversations. This can be done either through physical access to the communication wires or remotely through software exploits. While often associated with unlawful surveillance and espionage, wiretapping is also used lawfully, under strict regulation, for purposes such as criminal investigations or intelligence gathering. Regardless of intent, wiretapping poses significant privacy concerns and is typically subject to rigorous legal constraints. *For more information, view this lecture on [US Laws, European Laws, and International Treaties](https://courses.thorteaches.com/courses/take/cissp/lessons/18552341-us-laws-european-laws-and-international-treaties). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Telephone_tapping).*
144
# Define: Witness
An individual who provides evidence based on their observation or knowledge in legal proceedings.

## Footnote

In the context of legal proceedings, a witness is an individual who, either voluntarily or under compulsion, provides testimonial evidence about what they observed or experienced. Witnesses can offer crucial information that may decide the outcome of a trial. *For more information, view this lecture on [Laws and Regulations](https://courses.thorteaches.com/courses/take/cissp/lessons/18552277-laws-and-regulations). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Witness).*
145
# Define: World Intellectual Property Office | (WIPO)
An international organization promoting the protection of intellectual property worldwide.

## Footnote

An international organization that promotes the protection of intellectual property rights around the world. It is used in the field of intellectual property law to provide services and support for the enforcement of IP rights. Examples include registering and protecting trademarks, patents, and copyrights through WIPO's international treaties and systems. *For more information, view this lecture on [Intellectual property](https://courses.thorteaches.com/courses/take/cissp/lessons/18552326-intellectual-property). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/World_Intellectual_Property_Organization).*
146
# Define: Zero-Defect
A quality goal in system or software development aiming to create defect-free products.

## Footnote

The ultimate goal of creating systems, software, or procedures that have no defects or flaws, particularly those that could be exploited to compromise security. Achieving a zero-defect state would theoretically mean that all potential vulnerabilities have been identified and resolved. However, the complexity of modern systems and software often makes this goal difficult to achieve in practice. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Zero_Defects).*