Domain 5.0: Governance, Risk, and Compliance

Question 1

generally, ___ deter, prevent, detect or correct. some ___ such as anti-malware, provide more than 1 of those functions

Answer 1

controls

Question 2

a computer login notification is an example of a common ____ control

Answer 2

preventive

Question 3

____ controls are used when a business or technological constraint exists and an alternate control is effective in the current security threat landscape

Answer 3

compensating

Question 4

___, ___, ___ and ISA are types of interoperability agreements that help mitigate risk when dealing with 3rd parties

Answer 4

SLA (service-level agreement), BPA (business partners agreement), MOU (memorandum of understanding) (and ISA-interconnection security agreements)

Question 5

user ___ require unique training and awareness. the user ____ include general users, privileged users, system admin, executive users, data owners and system owners. the last 3 are in positions that are responsible for creating or managing security policies

Answer 5

types

Question 6

____ designates the amount of data that will be lost or will have to be reentered due to network downtime

Answer 6

RPO (recovery point objective)

Question 7

____ designates the amount of time that can pass before a disruption begins to seriously impede normal business operations

Answer 7

RTO (recovery time objective)

Question 8

___ is the average time before a product requires repair

Answer 8

MTBF (mean time between failures)

Question 9

____ is the average time before a product fails and cannot be repaired

Answer 9

MTTF (mean time to fail)

Question 10

a ____ ____ ___ determines whether systems contain personal information. a ____ ____ _____ is needed for any organization that collects, uses, stores, or processes such information

Answer 10

privacy threshold assessment

Question 11

___ _____ is largely a function of threat, vulnerability and impact. it can be considered with this formula

____ = threat x vulnerability x impact

Answer 11

risk assessment
risk

Question 12

____ _____ includes asset identification, risk assessment, threat identification and classification, and identification of vulnerabilities

Answer 12

risk identification

Question 13

regarding risk, ____ measures are based on subjective values; they are less precise than ___ measures, which rely on numbers

Answer 13

qualitative, quantitative

Question 14

an ____ ___ can be accepted, mitigated, transferred, or avoided. purchasing insurance is a common example of transferring risk

Answer 14

identified risk

Question 15

____ = SLE (single loss expectancy) x ARO (annualized rate of occurrence)

used in quantitative risk assessment

Answer 15

ALE (annualized loss expectancy)

7 laptops stolen a year (ARO) x $1,000 (SLE) = $7,000 (ALE)

Question 16

___ ____ is important because change introduces risk that can impact systems and services

Answer 16

change management

Question 17

a _____ details considerations for backup and restoration, including secure recovery methods

Answer 17

DRP (disaster recovery plan)

Question 18

to be considered ___, information must be specifically associated with an individual person

Answer 18

PII (personally identifiable information)

Question 19

data ____ determine data’s classification level. data ____ implement the controls for the data

Answer 19

owners, custodians

Question 20

___ is a data disposal method that involves using a tool to reduce or remove the magnetic field of storage media

Answer 20

degaussing

Question 21

___ provide guidance for creating a secure configuration posture

Answer 21

benchmarks