Info RM and Compliance Flashcards

1
Q

Can you decide on avoiding, transferring, mitigating, and accepting a risk without involving committee members?

A

No

2
Q

In a merger, when should a comprehensive risk assessment be conducted?

A

ASAP

3
Q

What requirements for information security are cited in GDPR?

A

Personal data shall be protected against loss, destruction, or damage

4
Q

What are examples of risk acceptance?

A

Omitting something from a risk register or getting a system owner’s approval on a risk.

5
Q

What is an example of risk transfer?

A

Moving source code from an off-premise repository to an IaaS repository?

6
Q

What reporting is required for companies that accept payment cards?

A

Annual self-assessment questionnaire (SAQ) and attestation of compliance (AOC)

7
Q

How should assets be classified?

A

Value, criticality, and/or sensitivity to the organization

8
Q

What are the 4 phases of risk management?

A

Reporting, assessing, evaluating, and monitoring

9
Q

What is OCTAVE?

A

Operational Critical Threat Assessment and Vulnerability Evaluation. Framework with 8 (Octa) steps that helps identify, rank, and prioritize events for assessment.

  1. Establish criteria for measuring risks
  2. Create an information asset profile
  3. Identify information asset container
  4. Recognize areas for concern
  5. Identify threat actor and scenarios
  6. Identify risks
  7. Analyze risks
  8. Choose countermeasures and control
10
Q

What is the Bowtie method?

A

Diagrams linking cause, control, and consequence

11
Q

What is the Delphi Method?

A

Expert judgement through 2 or more rounds of questionnaires

12
Q

What is a Fault Tree Analysis?

A

Top-down diagrammed analysis of single events

13
Q

What is the ETA method?

A

Event Tree Analysis. Derived from fault tree analysis, a log-model technique which is forward looking and bottom-up

14
Q

What is Markov Analysis?

A

Analysis of systems in various states

15
Q

What is the Open FAIR concept?

A

Statistical inference based on prior distribution data to determine probabilities

16
Q

What are Monte Carlo Simulations?

A

Establishes aggregate variations for a large number of inputs

17
Q

What does NIST publish?

A

Framework for improving critical infrastructure cybersecurity

18
Q

What does US-CERT publish?

A

US Computer Emergency Readiness Team produces threat warning information

19
Q

What does ISACA publish?

A

RiskIT Framework

20
Q

What does the Computer Security Resource Center publish?

A

National Vulnerability Database (NVD)

21
Q

What does Verizon publish?

A

The Annual Data Breach Investigation Report

22
Q

What is the Risk Acceptance Framework?

A

Low: Risk accepted by local supervisors
Medium: Risk accepted by CIO
High: Risk accepted by CIO, CISO, or other directors based on probable impact
Severe: Risk accepted only by BoD with management notification

23
Q

What is the threat lifecycle?

A

Agent actor > attack > vulnerability > impact

24
Q

What is RTO?

A

Recovery Time Objective: A period of time from the onset of an outage until the resumption of service

25
Q

What is RPO?

A

Recovery Point Objective: The period of acceptable data loss due to an incident or a disaster

26
Q

What is RCapO?

A

Recovery Capacity Objective: The capacity of a temporary or recovery process, as compared to the normal process

27
Q

What is SDO?

A

Service Delivery Objective: Level of quality of service that is required after an incident, as compared to business normal operations

28
Q

What is MTD?

A

Maximum Tolerable Downtime: Theoretical time period, measured from the onset of a disaster, after which the organization’s ongoing viability would be at risk

29
Q

What is MTO/MAO?

A

Maximum Tolerable Outage aka Maximum Acceptable Outage MAO: The maximum period of time that an organization can tolerate operating in recovery