Domain 5.0: Governance, Risk and Compliance

Question 1

Controls tend to do what?

Answer 1

Deters, prevents, detect or correct.

Anti-malware is an example since it includes more than one of those functions.

Question 2

Computer login notification is example of what control?

Answer 2

Preventative control

Question 3

What is compensating control?

Answer 3

It’s used when a business or technological constraint exists and an alternative control is effective in the current security threat landscape.

Question 4

SLA

Answer 4

Service Level Agreement

Question 5

BPA

Answer 5

Business Partners Agreement

Question 6

MOU

Answer 6

Memorandum of Understanding

Question 7

ISA

Answer 7

Interconnection Security Agreement

Question 8

SLA, BPA, MOU, and ISA is what?

Answer 8

They are types of interoperability agreements that help mitigate risks when dealing with third parties.

Question 9

What does user types require?

Answer 9

They require training and awareness.

Question 10

What are user types?

Answer 10

General users
Privileged users
System Administrators
Executive users
Data owners
System owners

Question 11

Which user types are responsible for creating and managing security policies?

Answer 11

Executive users
Data owners
System owners

Question 12

How should users be trained?

Answer 12

Proper use of their various personal applications including email and social media networks. The training should address any limitations or expectations regarding their use.

Question 13

RPO

Answer 13

Recovery Point Objective designates the amount of data that will be lost or will have to be reentered due to network downtime.

Question 14

RTO

Answer 14

Recovery Time Objective designates the amount of time that can pass before a disruption begins to seriously impede normal business operations.

Question 15

MTBF

Answer 15

Means Time Between Failure is average time before a produce requires repair

Question 16

MTTF

Answer 16

Means Time to Failure is the average time before a produce fails and cannot be repaired.

Question 17

Privacy Threshold Assessment

Answer 17

They determines whether systems contain personal information.

Question 18

Privacy Impact Assessment

Answer 18

It is needed for any organization that collects, uses, stores or processes personal information.

Question 19

Risk assessment

Answer 19

Function of threat, vulnerability, and impact. Formula can be like this: Risk = Threat * Vulnerability * Impact.

Question 20

Risk Identification

Answer 20

Includes asset identification, risk assessment, threat identification & classification and identification of vulnerabilities.

Question 21

Regarding risk, qualitative measures are based on what?

Answer 21

Subjective values – they are less precise than quantitative measures which relies on numbers.

Question 22

What can be done with identified risk?

Answer 22

They can be accepted, mitigated, transferred or avoided. Purchasing insurance is a common example of transferring risk.

Question 23

ALE

Answer 23

Annual Loss Expectancy, it’s a formula -> ALE = SLE and ARO

SLE = Single Loss Expectancy
ARO = Annualized rate of occurrence.

Question 24

Why is change management important?

Answer 24

Change introduces risk that can impact systems and services.

Question 25

DRP

Answer 25

Disaster Recovery Planning details considerations for backup and restoration including secure recovery methods.

Question 26

What is considered PII

Answer 26

Personal Identifiable Information – information must be specifically associated with an individual.

Question 27

Data owners

Answer 27

They determine data classification level

Question 28

Data custodians

Answer 28

They implement the controls for data

Question 29

Degaussing

Answer 29

Data disposal method that includes using a tool to reduce or remove the magnetic field of storage media.

Question 30

Benchmarks

Answer 30

Providing guidance for creating a secure configuration posture.