Info Security Governance and Risk Management

Question 1

What is the CIA Triad?

Answer 1

Confidentiality, Integrity & Availability

Question 2

Describe CIA, “Confidentiality”

Answer 2

Prevents the unauthorized use or disclosure of information, aka “Privacy”.

Question 3

PII

Answer 3

Personally Identifiable Information

Question 4

Integrity

Answer 4

Integrity safeguards the accuracy and completeness of information and
processing methods

Question 5

Availability

Answer 5

Availability ensures that authorized users have reliable and timely access to
information, and associated systems and assets, when needed

Question 6

What is DAD?

Answer 6

The opposite of CIA. Disclosure, Alteration & Destruction

Question 7

Defense in Depth

Answer 7

Defense in depth is an information security strategy based on multiple layers
of defense. Includes security management principles, security technologies and vendor solutions

Question 8

Elements of Commercial Data Classification (4)

Answer 8

Used to protect information that has monetary value, to comply with applicable laws, protect privacy and limit liability

Question 9

What are the elements of Government Data Classification (3)

Answer 9

Protect national security, comply with applicable laws and protect privacy.

Question 10

What are Government Security Classifications (5)

Answer 10

Unclassified, FOUO, Confidential, Secret, Top Secret

Question 11

Governance

Answer 11

Collectively represents the system of policies, standards, guidelines and procedures that help steer an organization’s day to day operations and decisions

Question 12

TYPES of InfoSec Policies (4)

Answer 12

Senior Management, Regulatory, Advisory and Informative

Question 13

What is an SLA?

Answer 13

Service-level Agreements establish minimum performance standards for a system, application, network or service.

Question 14

Information OWNER

Answer 14

The OWNER has ultimate responsibility for the security of the information. Responsible for determining classification, policy for access, maintain inventory, review classification and delegate day-to-day functions.

Question 15

Information CUSTODIAN

Answer 15

Responsibility for day-to-day security of information.

Question 16

Separation of Duties and Responsibilities

Answer 16

Ensures that no single individual has complete authority and control over a critical system or process

Question 17

What are the three parts of a RISK in the risk management concept (Risk Management triple)

Answer 17

Threat, Vulnerability & an Asset

Question 18

Threat x Vulnerability = ?

Answer 18

Risk

Question 19

What are the three parts of Risk Management

Answer 19

Identification, analysis & Risk Treatment

Question 20

Steps of Threat Analysis

Answer 20

Define the actual threat, Identify possible consequences if threat event transpires, determine probable frequency of a threat event, assess the probability that the threat will actually occur

Question 21

Steps of Risk Analysis (RA)

Answer 21

1. Identify assets to be protected, 2. Define threats (threat analysis), 3. Calculate ALE, annualized loss expectancy, 4. Select appropriate safeguards

Question 22

SLE

Answer 22

Single Loss Expectancy

Question 23

ARO

Answer 23

Annualized Rate of Occurrence

Question 24

ALE

Answer 24

Annualized Loss Expectancy

Question 25

What is a qualitative risk analysis

Answer 25

A scenario-base RA

Question 26

Elements of a Security Awareness Program (3)

Answer 26

Awareness Program, Formal Training & Education