Manage Security Risks Flashcards
CISSP stands for?
Certified Information Systems Security Professional
Security Posture
An organization's ability to manage the defense of its critical assets and data, and its ability to react to change.
What are the 8 Security Domains?
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
What is Security and Risk Management?
Domain 1
Defining security goals and objectives, risk mitigation, compliance, business continuity, and legal regulations.
What is Asset Security?
Domain 2
Securing digital and physical assets.
Related to the storage, maintenance, retention, and destruction of data.
What is Security Architecture and Engineering?
Domain 3
Optimizing data security by ensuring effective tools, systems, and processes are in place.
What is Communication and Network Security?
Domain 4
Managing and securing physical networks and wireless communications.
What is Identity and Access Management (IAM)?
Domain 5
Access and authorization to keep data secure.
What is Security Assessment and Testing?
Domain 6
Conducting security control testing, collecting and analyzing data, and conducting security audits.
What is Security Operations?
Domain 7
Conducting investigations and implementing preventative measures.
What is Software Development Security?
Domain 8
Using secure coding practices (recommended guidelines for creating secure applications and services).
What is a low risk threat?
Information that would not harm reputation, operations, or cause financial damage if compromised.
What is a medium risk threat?
Non-public information that may cause some damage to finances, reputation, or operations.
What is a high risk threat?
Information protected by regulations/laws; severe negative impact if compromised.
What is NIST Risk Management Framework (RMF)?
A framework provided by the National Institute of Standards and Technology (NIST) used by security professionals to manage risks, threats, and vulnerabilities.
What are the 7 steps of the NIST RMF?
- Prepare
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
What is NIST Step 1?
Prepare: Activities before a breach to manage risks (e.g., monitoring, identifying controls).
What is NIST Step 2?
Categorize: Develop risk management processes by considering impacts on confidentiality, integrity, and availability.
What is NIST Step 3?
Select: Choose, tailor, and document security controls (e.g., maintaining playbooks).
What is NIST Step 4?
Implement: Put security and privacy plans into action (e.g., changing password requirements).
What is NIST Step 5?
Assess: Evaluate if controls are working correctly and meeting needs; identify weaknesses.
What is NIST Step 6?
Authorize: Take accountability for risks; involves reporting, action plans, and aligning with security goals.
What is NIST Step 7?
Monitor: Continuously track system operations and ensure they support security goals; suggest changes if needed.
What is a Framework?
Guidelines organizations use as a starting point to create specific security policies and processes.
“Provides structure”
What are Security Controls?
Plans to reduce security risk.
1. Encryption
2. Authentication
3. Authorization
“Actions in a structure”
What are some types of frameworks?
- Cyber Threat Framework (CTF)
- ISO/IEC 27001
What are the control types? (PTA)
- Physical
- Technical
- Administrative