Security and Risk Management Flashcards
Understand key concepts and facts in the Security and Risk Management domain.
Information security objectives are to provide:
A) Accountability, Confidentiality and Integrity
B) Confidentiality, Audit and Availability
C) Availability, Confidentiality and Integrity
D) None of the above
C) Availability, Confidentiality and Integrity
A(n) _____ is a weakness in a system which allows a threat source to compromise its security.
A) Vulnerability
B) Risk
C) Exploit
D) None of the above
A) Vulnerability
A ______ is the possibility that someone or something could exploit a vulnerability, accidentally or intentionally, causing harm to an asset.
A) Risk
B) Threat
C) Vulnerability
D) Exploit
B) Threat
A _____ is the probability of a threat agent exploiting a vulnerability and the potential for loss from that exploit.
A) Loss Expectancy
B) Risk
C) Likelihood
D) Residual Risk
B) Risk
What mitigates a risk?
i. Countermeasure
ii. Avoidance
iii. Control
iv. Safeguard
A) i
B) ii and iii
C) i, iii, iv
D) All of the above
C) i, iii, iv
‘Countermeasure’, ‘control’ and ‘safeguard’ may be used interchangeably for the same mitigation of risk.
‘Avoidance’ and ‘mitigation’ of risk are two different options for addressing risk; ‘avoidance’ does not itself ‘mitigate’ risk.
A control can be characterized by one of the following:
A) Avoidance, acceptance, or transference
B) Administrative, technical, or empirical
C) Logical, mitigation or remediation
D) Administrative, technical, or physical
D) Administrative, technical, or physical
A ____ control is put into place for financial or business function reasons.
A) Administrative
B) Acceptance
C) Compensating
D) None of the above
C) Compensating
One framework for IT governance and control objectives is:
A) Six Sigma
B) NIST
C) SANS
D) COBIT
D) COBIT
The standard for the establishment, implementation, control and improvement of the information security management system is:
A) ISO 27005
B) ISO 27004
C) ISO 27001
D) OCTAVE
C) ISO 27001
What is used to develop architectures for specific stakeholders and to present information in ‘views’?
A) Constrained user interfaces
B) The KANBAN methodology
C) NIST 800-53
D) Enterprise architecture frameworks
D) Enterprise architecture frameworks
A coherent set of policies, processes and systems to manage risks is, according to ISO27001, called:
A) Risk management lifecycle
B) SIEM
C) Information Security Management System (ISMS)
D) None of the above
C) Information Security Management System (ISMS)
Enterprise security architecture is a subset of:
A) Data architecture
B) Enterprise architecture
C) Business architecture
D) Classical architecture
C) Business architecture
A _____ is a functional definition for the integration of technology into business processes.
A) Roadmap
B) Blueprint
C) Procedure
D) None of the above
B) Blueprint
Enterprise architecture is used to build individual architectures that best map to:
A) Users
B) Business teams
C) Business drivers
D) All of the above
C) Business drivers
SABSA is a(n):
A) Capability Maturity Model
B) Security enterprise architecture framework
C) Enterprise architecture framework
D) Continuous improvement process
B) Security enterprise architecture framework