Domain 5.0: Governance, Risk and Compliance Flashcards

1
Q

Controls tend to do what?

A

Deter, prevent, detect or correct.

Anti-malware is an example since it includes more than one of those functions.

2
Q

A computer login notification is an example of what control?

A

Preventative control

3
Q

What is a compensating control?

A

It’s used when a business or technological constraint exists and an alternative control is effective in the current security threat landscape.

4
Q

SLA

A

Service Level Agreement

5
Q

BPA

A

Business Partners Agreement

6
Q

MOU

A

Memorandum of Understanding

7
Q

ISA

A

Interconnection Security Agreement

8
Q

What are SLA, BPA, MOU, and ISA?

A

They are types of interoperability agreements that help mitigate risks when dealing with third parties.

9
Q

What do user types require?

A

They require training and awareness.

10
Q

What are user types?

A
General users
Privileged users
System Administrators
Executive users
Data owners
System owners
11
Q

Which user types are responsible for creating and managing security policies?

A

Executive users
Data owners
System owners

12
Q

How should users be trained?

A

Proper use of their various personal applications including email and social media networks. The training should address any limitations or expectations regarding their use.

13
Q

RPO

A

Recovery Point Objective designates the amount of data that will be lost or will have to be reentered due to network downtime.

14
Q

RTO

A

Recovery Time Objective designates the amount of time that can pass before a disruption begins to seriously impede normal business operations.

15
Q

MTBF

A

Mean Time Between Failures is the average time before a product requires repair.

16
Q

MTTF

A

Mean Time to Failure is the average time before a product fails and cannot be repaired.

17
Q

Privacy Threshold Assessment

A

It determines whether systems contain personal information.

18
Q

Privacy Impact Assessment

A

It is needed for any organization that collects, uses, stores or processes personal information.

19
Q

Risk assessment

A

A function of threat, vulnerability, and impact. The formula can be expressed as: Risk = Threat * Vulnerability * Impact.

20
Q

Risk Identification

A

Includes asset identification, risk assessment, threat identification & classification and identification of vulnerabilities.

21
Q

Regarding risk, qualitative measures are based on what?

A

Subjective values – they are less precise than quantitative measures, which rely on numbers.

22
Q

What can be done with identified risk?

A

They can be accepted, mitigated, transferred or avoided. Purchasing insurance is a common example of transferring risk.

23
Q

ALE

A

Annual Loss Expectancy; it is calculated with the formula ALE = SLE × ARO

SLE = Single Loss Expectancy
ARO = Annualized Rate of Occurrence
24
Q

Why is change management important?

A

Change introduces risk that can impact systems and services.

25
Q

DRP

A

Disaster Recovery Planning details considerations for backup and restoration including secure recovery methods.

26
Q

What is considered PII?

A

Personally Identifiable Information – information that is specifically associated with an individual.

27
Q

Data owners

A

They determine data classification level

28
Q

Data custodians

A

They implement the controls for data

29
Q

Degaussing

A

Data disposal method that includes using a tool to reduce or remove the magnetic field of storage media.

30
Q

Benchmarks

A

They provide guidance for creating a secure configuration posture.