Information Security Governance

Question 1

Core Goals of Security

Answer 1

CIA

Availability
Integrity
Confidentiality

Question 2

Vulnerability

Answer 2

Weakness or lack of countermeasure

Question 3

Threat agent

Answer 3

Entity that can exploit a vulnerability

Question 4

Threat

Answer 4

The danger of a threat agent exploiting a vulnerability

Question 5

Risk

Answer 5

The probability of a threat agent exploiting a vulnerability and the associated impact

Question 6

Control

Answer 6

Safeguard that is put in place to reduce risk, also called a countermeasure

Question 7

Exposure

Answer 7

Presence of a vulnerability, which exposes the organization to a threat

Question 8

Availability

Answer 8

Reliable and timely data access to authorized individuals

Question 9

Integrity

Answer 9

Accuracy and reliability of the information

Question 10

Confidentiality

Answer 10

Necessary level of secrecy is enforced

Question 11

Deterrent Control Function

Answer 11

Intended to discourage a potential attacker

Question 12

Preventative Control Function

Answer 12

Intended to avoid an incident from occurring

Question 13

Corrective Control Function

Answer 13

Fixes components or systems after an incident has occurred

Question 14

Recovery Control Function

Answer 14

Intended to bring the environment back to regular operations

Question 15

Detective Control Function

Answer 15

Helps identify an incident’s activities and potentially an intruder

Question 16

Compenstating Control Function

Answer 16

Controls that provide an alternate measure of control

Question 17

Control Types

Answer 17

Administrative, Technical, Physical

Question 18

Defense-In-Depth

Answer 18

Implementation of multiple controls so that successful penetration and compromise is more difficult to attain

Question 19

Security through obscurity

Answer 19

Assuming that your enemies are not as smart as you are and they cannot figure out something that you feel is very tricky

Question 20

Zachman Architecture Framework

Answer 20

One of the first enterprise architecture frameworks that is a 2d mode consisting of what, how, where, who, when, why.

Question 21

The Open Group Architecture Framework (TOGAF)

Answer 21

DOD enterprise architecture framework consisting of business, data, applications, and technology descending levels of possible architecture frameworks

Question 22

Department of Defense Architecture Framework (DoDAF)

Answer 22

Military framework consisting of command, control, communications, computers, intelligence, surveillance, and reconnaissance categories

Question 23

British Ministry of Defense Architecture Framework (MODAF)

Answer 23

A military framework based on DoDAD that focuses on compatible data formats and expedited delivery to those who need it

Question 24

British Ministry of Defense Architecture Framework (MODAF)

Answer 24

A military framework based on DoDAD that focuses on compatible data formats and expedited delivery to those who need it

Question 25

Enterprise security architecture

Answer 25

Subset of an enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally

Question 26

Enterprise security architecture

Answer 26

Subset of an enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally

Question 27

ISMS

Answer 27

Information Security Management System

Question 28

Strategic alignment

Answer 28

Business drivers and regulatory and legal requirements are being met by the security enterprise architecture

Question 29

Business enablement

Answer 29

The core business processes are integrated into the security operating model

Question 30

Process enhancement

Answer 30

We can do stuff better

Question 31

Security effectiveness

Answer 31

Metrics measuring performance

Question 32

CobiT

Answer 32

Control objectives for information and related technology

Question 33

NIST 800-53

Answer 33

Control objectives for government systems

Question 34

COSO IC framework

Answer 34

Committee Of Sponsoring Organizations Internal Control - model for corporate governance; derived COBIT

Question 35

ITIL

Answer 35

Information Technology Infrastructure Library - de facto standard of best practices for IT service management

Question 36

Six Sigma

Answer 36

Process improvement methodology developed by Motorola using statistical methods of measuring operational efficacy by assigning a sigma rating.

Question 37

CMMI

Answer 37

Capability Maturity Model Integration - model defining incremental security improvement developed by Carnegie Mellon

Question 38

Top-down Approach

Answer 38

Implement a security program from top management down. Typically more effective than bottom-up.

Question 39

Bottom-Up Approach

Answer 39

Implement a security program from IT up without buy in from management. Typically less effective than top-down.