Domain 1 Flashcards

1
Q

What is GRC?

A

Governance, Risk, Compliance

2
Q

What is a business driver?

A

A business driver is a condition, process, requirement, or other concern that influences the way in which an organization directs or manages activities.

3
Q

3 forms of business organization? Definition of each?

A

Proprietorship: a single individual owns the organization.
Partnership: two or more individuals own the organization.
Corporation: a legal entity that is separate from its owners.

4
Q

What is CMMI?

A

Capability Maturity Model Integration

5
Q

5 levels of CMMI? Definition of each?

A

INITIAL: Processes are unpredictable, poorly controlled, and reactive.
MANAGED: Processes are characterized for projects, but are often reactive.
DEFINED: Processes are characterized throughout the organization and are proactive.
QUANTITATIVELY MANAGED: Processes are measured and controlled; proactive.
OPTIMIZING: Focuses on process improvement and enhancing existing processes.

6
Q

To whom should the CISO report?

A

CIO

7
Q

What is a CIO?

A

Chief Information Officer

8
Q

NIST SP 800-30 Rev. 1?

A

Guide for Conducting Risk Assessments

9
Q

NIST SP 800-37 Rev. 2?

A

Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

10
Q

NIST SP 800-39?

A

Managing Information Security Risk: Organization

11
Q

ISO/IEC 27005:2018?

A

Information technology – Security techniques – Information security risk management

12
Q

Why is a security policy necessary?

A

It can provide legal protection, since it demonstrates an organization's commitment to adhere to legal and regulatory requirements.

13
Q

Can a single company have different security policies for different "branches"?

A

Yes

14
Q

Role of the CISO: maintain processes across the enterprise with 4 objectives:

A
  1. Reduce risks
  2. Establish and implement security policies and procedures
  3. Establish standards and controls
  4. Respond to incidents
15
Q

A Seven-Question Framework for Ethical Decision Making

A

1. What decision alternatives are available?
2. What individuals/organizations are impacted by the outcome of my decision?
3. Will an individual/organization be harmed by any of the alternatives?
4. Which alternative will do the most good with the least harm?
5. Would someone I respect find any of the alternatives objectionable?
6. At a gut level, am I comfortable with the decision I've made?
7. Will I be comfortable telling my friends and family about this decision?

16
Q

What is risk management?

A

Identification, assessment, and prioritization of risks, followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

17
Q

Risk modification?

A

Change risk exposures or outcomes by applying security controls.

18
Q

Risk sharing?

A

Transfer the risk.

19
Q

Difference between risk analysis and risk evaluation?

A

Analysis: consequences, incident likelihood, level of risk determination.
Evaluation: business impact.

20
Q

What does ISO 27005 identify as the two feedback loops that complete the risk management workflow?

A

1. Risk monitoring (and review)
2. Risk communication

21
Q

Risk monitoring and review has two goals:

A
  1. Monitor the risks and initiate reassessment when risks change.
  2. Assess and review the risk management program for continuous improvement.
22
Q

Definition of RMF?

A

Risk Management Framework

23
Q

What is ISO 3000 about?

A

A framework that provides generic guidelines for enterprise risk management.

24
Q

Definition of TARA?

A

Threat Agent Risk Assessment

25
Q

Definition of OCTAVE?

A

Operationally Critical Threat, Asset, and Vulnerability Evaluation