Domain 1 Flashcards
What is GRC?
Governance Risk Compliance
What is a business driver?
A business driver is a condition, process, requirement, or other concern that influences the way in which an organization directs or manages activities.
3 forms of business organization? Definition of each?
Proprietorship: a single individual owns the organization.
Partnership: two or more individuals own the organization.
Corporations: legal entities that are separate from their owners
What is CMMI?
Capability Maturity Model Integration
5 levels of CMMI? Definition of each?
INITIAL: Processes are unpredictable, poorly controlled, & reactive.
MANAGED: Processes are characterized for projects, but are often reactive.
DEFINED: Processes are characterized throughout the organization & proactive.
QUANTITATIVELY MANAGED: Processes are measured & controlled - proactive.
OPTIMIZING: Focuses on process improvement & enhancing existing processes
To whom should the CISO report?
CIO
What is a CIO?
Chief Information Officer
NIST SP 800-30 Rev. 1?
Guide for Conducting Risk Assessments
NIST SP 800-37 Rev. 2
Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
NIST SP 800-39
Managing Information Security Risk: Organization
ISO/IEC 27005:2018
Information technology – Security techniques – Information security risk management
Necessity of a Security Policy?
It can provide legal protection: it demonstrates an organization's commitment to adhere to legal and regulatory requirements.
Can a single company have different security policies for different "branches"?
Yes
Role of the CISO: maintain processes across enterprise with 4 objectives:
- Reduce risks
- Establish and implement security policies and procedures
- Establish standards and controls
- Respond to incidents
A Seven-Question Framework for Ethical Decision Making
1 What decision alternatives are available?
2 What individuals/organizations are impacted in the outcome of my decision?
3 Will an individual/organization be harmed by any of the alternatives?
4 Which alternative will do the most good with the least harm?
5 Would someone I respect find any of the alternatives objectionable?
6 At a gut level, am I comfortable with the decision I’ve made?
7 Will I be comfortable telling my friends and family about this decision?
What is Risk management?
Identification, assessment, and prioritization of risks, followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities.
Risk modification?
Change risk exposures or outcomes by applying security controls
Risk sharing?
Transfer the risk
Difference between risk analysis and risk evaluation?
Analysis: Consequences, Incident Likelihood, Level of Risk Determination
Evaluation: Business Impact
ISO 27005 identifies WHAT as the two feedback loops that complete the risk management workflow?
1. risk monitoring (and review) and 2. risk communication
Risk monitoring and review has two goals:
1. Monitor the risks and initiate reassessment when risks change.
2. Assess and review the risk management program for continuous improvement.
Definition of RMF?
Risk Management Framework
What is ISO 3000 about?
A framework that provides generic guidelines for enterprise risk management
Definition of TARA?
Threat Agent Risk Assessment
Definition of OCTAVE?
Operationally Critical Threat, Asset, and Vulnerability Evaluation