Governance, Risk and Compliance

Question 1

Types of controls categories (3)

Answer 1

Managerial, technical, operational

Question 2

Difference between managerial and operational controls

Answer 2

Managerial is high-level risk management, assesment and mitigation plans, usually at the policy, plan and procedure level.

Operational is targeted to employee’s day-to-day operations, including physical security.

Question 3

AUP

Answer 3

Acceptable Use Policy

Question 4

Risk formula

Answer 4

Probability times impact

Question 5

SLE

Answer 5

Single Loss Expectancy

Question 6

EF

Answer 6

Exposure Factor

Question 7

Define Exposure Factor

Answer 7

cost of theat event divided by value of asset

Question 8

Define SLE

Answer 8

cost of a threat event (value * EF)

Question 9

ARO

Answer 9

Average Rate of Occurence

Question 10

ALE

Answer 10

Average Loss Expectancy

Question 11

Define ALE

Answer 11

The Average Loss Expectancy is the SLE * ARO

Question 12

MTTF

Answer 12

Mean Time to Fail (one-time)

Question 13

RTO

Answer 13

Recovery Time Objective

Question 14

RPO

Answer 14

Recovery Point Objective

Question 15

Ways to handle risk (3 + 2)

Answer 15

Mitigation, Acceptance and Transference + Avoidance and Deterrence

Question 16

Change Management

Answer 16

Evaluation the impact of changes in the system as a whole

Question 17

DLP

Answer 17

Data Loss Prevention

Question 18

Two locking doors with a space between them

Answer 18

Mantrap

Question 19

Cold vs Warm vs Hot Site

Answer 19

Cold is only backup space, with no IT infrastructure, needs equipment. Warm already has office space and critical IT equipment. Hot is ready to go with all infrastructure and systems needed.

Question 20

Disaster Recovery Sites can be either ____ or _____

Answer 20

shared or exclusive

Question 21

Incremental vs Differential Backup

Answer 21

Differential only saves files changed since the last full backup (only requires one delta), incremental are several deltas.

Question 22

BCP

Answer 22

Business Continuity Plan

Question 23

DRP

Answer 23

Disaster Recovery Plan

Question 24

BIA

Answer 24

Business Impact Analysis

Question 25

BCP uses ____ to determine impact of down or lost systems

Answer 25

BIA

Question 26

RAID 0

Answer 26

Striping

Question 27

RAID 1

Answer 27

Mirroring

Question 28

RAID 5

Answer 28

Striping + Parity

Question 29

RAID 6

Answer 29

Striping + Double Parity

Question 30

RAID 10

Answer 30

Striping + Mirroring

Question 31

RAID 5 requires at least _ disks

Answer 31

3 disks

Question 32

RAID 10 requires at least _ disks

Answer 32

4 disks

Question 33

CIA

Answer 33

Confidentiality, Integrity and Availability

Question 34

Security posture

Answer 34

baseline

Question 35

Threat assessment

Answer 35

Only identifies threats, part of risk assessment

Question 36

Vulnerability assessment

Answer 36

Identifies vulnerabilities, and therefore threats and risks, part of risk assessment

Question 37

Banner grabbing

Answer 37

Used for service recognition during port or vulnerability scans

Question 38

Scan from an administrative account

Answer 38

Credentialed scan

Question 39

Scan as an unauthorized user

Answer 39

Non-credentialeed scan

Question 40

XSRF/CSRF

Answer 40

Cross-site request forgery

Question 41

AAA

Answer 41

Authentication, Authorization, and Accounting

Question 42

Diversity

Answer 42

Having different vendors for resiliency

Question 43

Diversity

Answer 43

Having different vendors for resiliency

Question 44

Windows specific security update

Answer 44

Hotfix

Question 45

Security control types (6)

Answer 45

Compensating, Corrective, Detective, Deterrent, Physical and Preventative

Question 46

There are _ control categories.

Answer 46

3

Question 47

There are _ control types.

Answer 47

6

Question 48

PCI DSS

Answer 48

Payment Card Information Data Security Standard

Question 49

PCI DSS, unlike GDPR, is an example of industry __-_____.

Answer 49

self-governance

Question 50

CCPA

Answer 50

California Consumer Privacy Act

Question 51

CIS CSC

Answer 51

Center for Information Security (CIS) Critical Security Controls (CSC)

Question 52

Top 20 controls are published by the

Answer 52

Center for Information Security (CIS)

Question 53

NIST RMF has _ steps.

Answer 53

7 steps

Question 54

NIST RMF

Answer 54

NIST Risk Management Framework

Question 55

RMF vs NIST CSF

Answer 55

CSF was made for critical sectors, but it’s also used elsewhere.

Question 56

NIST CSF Categories (5)

Answer 56

Identify, Protect, Detect, Respond, Recover

Question 57

NIST CSF has _ categories.

Answer 57

5 categories

Question 58

ISO/IEC 27701:2019

Answer 58

Requirements and guidence for implementation and mantaining a Privacy Information Management System (PIMS)

Question 59

PIMS

Answer 59

Privacy Information Management System

Question 60

PIMS guidelines are found on ISO

Answer 60

27701

Question 61

ISO 31000:2018

Answer 61

Risk Management Guidelines

Question 62

ISO 27000:2018

Answer 62

Overview of Information Security Management Systems and vocabulary

Question 63

ISMSs

Answer 63

Information Security Management Systems

Question 64

SOC 2 assesment

Answer 64

Service and Organizations Controls on Cybersecurity, under Statement on Standards for Attestation Engagements 18 (SSAE-18).

Question 65

Cybersecurity assesment related to SSAE-18 from the AICPA

Answer 65

SOC 2

Question 66

Two key artifacts of the Cloud Security Alliance (CSA) frameworks

Answer 66

Cloud Control Matrix (CCM) and Enterprise Architecture

Question 67

Enterprise Architecture

Answer 67

CSA Cloud methodology for cloud service capabilities

Question 68

Example of benchmarks and secure configuration guides

Answer 68

DoD Security Technical Implementation Guides (STIGs)

Question 69

DoD STIGs

Answer 69

Security Technical Implementation Guides

Question 70

RMF phases (7)

Answer 70

Prepare, Categorize systems, Select Controls, Implement, Assess controls, Systems Authorization by an authority, Continuous Monitoring

Question 71

RMF phases are meant to be implemented in an _____ manner

Answer 71

iterative manner

Question 72

Due Care vs Due Diligence vs Due Process

Answer 72

Due Care is ensuring day-to-day safe activities, due diligence is mantaining security procedures and evaluating them, due process regards employee rights and fairness when being investigated.

Question 73

EOSL

Answer 73

Equipment end of service line

Question 74

In the context of third-party risk management, MSA means

Answer 74

Measurement Systems Analysis

Question 75

In the context of a BPA, a general partnership implies

Answer 75

equal sharing of profits and liabilities

Question 76

A joint venture is a general partnership that has a

Answer 76

shorter time-frame

Question 77

Risk Assessment Phases (4)

Answer 77

Asset ID, Risk Analysis, Determine Risk Likelihood and Impact, Identify Cost of Solutions

Question 78

Inherent Risk vs Control Risk vs Residual Risk

Answer 78

Inherent is without controls, control is because of control failure or inadequacy, residual is what’s left after controls are implemented.

Question 79

COOP

Answer 79

Continuity of Operations Plan

Question 80

BCP is composed of

Answer 80

BIA, DRP, COOP

Question 81

BCP is composed of (3 + 2)

Answer 81

Risks, Sites + BIA, DRP, COOP

Question 82

MEFs

Answer 82

Mission Essential Functions

Question 83

PIA

Answer 83

Privacy Impact Assessment (PIA)

Question 84

A PIA starts with a…

Answer 84

PTA (Privacy Threshold Analysis)

Question 85

In the context of testing a DRP, AAR is

Answer 85

After-action reporting

Question 86

MTTR

Answer 86

Mean Time To Repair

Question 87

In the context of PIA, PHI is

Answer 87

Protected Health Information

Question 88

In the context of GDPR, SPI is

Answer 88

Sensitive Personal Information, including PII, PHI, beliefs, standpoints, genetic data, sexual orientatrion, etc

Question 89

At least in the US, the term “data owner” has been succeeded by

Answer 89

data steward, or data custodian

Question 90

The __________ determines what data will be collected and how it will be used within an organization

Answer 90

Data controller

Question 91

The overall program for the entire organization is called _____ management, while changes at the actual host or network level of baseline configurations is called ______ management.

Answer 91

change, configuration

Question 92

In DLP, tokenization refers to

Answer 92

Replacing sensitive data by tokens that refers to the actual data somewhere else.

Question 93

In the context of cloud storage, a CASB is

Answer 93

Cloud Access Security Broker, acting as an intermediary between users and cloud providers, enforcing enterprise security policy

Question 94

DevOps is characterized by

Answer 94

Bringing together PMs, Developers and Operations to enable rapid software development

Question 95

A mantrap is also called a…

Answer 95

Access Control Vestibule

Question 96

In the context of electronic locks, fail safe vs fail secure

Answer 96

Fail safe disengages a lock in an emergency, fail secure engages it.

Question 97

Perimeter Lightning must be

Answer 97

turned from dask to dawn

Question 98

access control model that will allow you to assign specific access policies depending on which network a user is on and not necessarily on the actual identity of the specific user.

Answer 98

Rule based AC

Question 99

In MAC, access is controlled by

Answer 99

The OS

Question 100

In DAC, ___ ___ define what users can access data.

Answer 100

data owners