Dominio 1

Question 1

¿Qué es GRC?

Answer 1

Governance Risk Compliance

Question 2

What is business driver?

Answer 2

A business driver is a condition, process, requirement, or other concern that influences the way in which an organization directs or manages activities.

Question 3

3 form of business organization? definition?

Answer 3

Proprietorship: a single individual owns the organization.
Partnership: two or more individuals owns the organization.
Corporations: legal entities that are separate from their owners

Question 4

What is CMMI?

Answer 4

capability maturity model integration

Question 5

5 levels of CMMI? Definiton of each?

Answer 5

INITIAL:Processes are unpredictable, poorly controlled, & reactive.
MANAGED: Processes are characterized for projects, but is often reactive.
DEFINED: Processes are characterized throughout the organization & proactive.
QUANTITATIVELY MANAGED: Processes are measured & controlled - proactive.
OPTIMIZING: Focuses on process improvement & enhancing existing processes

Question 6

To whom should the CISO report?

Answer 6

CIO

Question 7

What is a CIO?

Answer 7

Chief Information Officer

Question 8

NIST SP 800-30 Rev. 1?

Answer 8

Guide for Conducting Risk Assessments

Question 9

NIST SP 800-37 Rev. 2

Answer 9

Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

Question 10

NIST SP 800-39

Answer 10

Managing Information Security Risk: Organization

Question 11

ISO/IEC 27005:2018

Answer 11

Information technology – Security techniques – Information security risk management

Question 12

Necessity of a Security Policy?

Answer 12

Can provide legal protection, it demonstrates an organization’s commitment to adhere to legal and regulatory requirements

Question 13

A single company can have different security policies for different “branches”?

Answer 13

Yes

Question 14

Role of the CISO: maintain processes across enterprise with 4 objectives:

Answer 14

1. Reduce risks
2. Establish and implement security policies and procedures
3. Establish standards and controls
4. Respond to incidents

Question 15

A Seven-Question Framework for Ethical Decision Making

Answer 15

1 What decision alternatives are available?
2 What individuals/organizations are impacted in the outcome of my decision?
3 Will an individual/organization be harmed by any of the alternatives?
4 Which alternative will do the most good with the least harm?
5 Would someone I respect find any of the alternatives objectionable?
6 At a gut level, am I comfortable with the decision I’ve made?
7 Will I be comfortable telling my friends and family about this decision?

Question 16

What is Risk management?

Answer 16

identification, assessment, prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or maximize the realization of opportunities.

Question 17

Risk modification?

Answer 17

Change risk exposures or outcomes by applying security controls

Question 18

Risk sharing?

Answer 18

Transferir el riesgo

Question 19

Difference risk analysis vs risk evaluation?

Answer 19

Analysis: Consequences, Incident Liklihood, Level of Risk Determination
Evaluation: Business Impact

Question 20

ISO 27005 identifies WHAT as the two feedback loops that complete the risk management workflow?

Answer 20

1 risk monitoring (and review) and 2 risk communication

Question 21

risk monitoring and review has two goals:

Answer 21

1. monitor the risks and initiate reassessment when risks change. 2. assess and review the risk management program for continuous improvement.

Question 22

Defintion of RFM?

Answer 22

Risk Management Framework

Question 23

What is ISO 3000 about?

Answer 23

a framework that provides generic guidelines for enterprise risk management

Question 24

Defintion of TARA?

Answer 24

Threat Agent Risk Assessment

Question 25

Definition of OCTAVE?

Answer 25

Operationally Critical Threat, Asset, and Vulnerability Evaluation