Security and Risk Management Domain

Question 1

Administrative Controls

Answer 1

Procedures implemented to define the roles, responsibilities, policies, and administrative functions needed to manage the control environment.

Question 2

Annualized Rate of Occurrence (ARO)

Answer 2

An estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year.

Question 3

Arms Export Control Act of 1976

Answer 3

Authorizes the President to designate those items that shall be considered as defense articles and defense services and control their import and the export.

Question 4

Availability

Answer 4

The principle that ensures that information is available and accessible to users when needed.

Question 5

Breach

Answer 5

An incident that results in the disclosure or potential exposure of data.

Question 6

Compensating Controls

Answer 6

Controls that substitute for the loss of primary controls and mitigate risk down to an acceptable level.

Question 7

Compliance

Answer 7

Actions that ensure behavior that complies with established rules.

Question 8

Confidentiality

Answer 8

Supports the principle of “least privilege” by providing that only authorized individuals, processes, or systems should have access to information on a need-to-know basis.

Question 9

Copyright

Answer 9

Covers the expression of ideas rather than the ideas themselves; it usually protects artistic property such as writing, recordings, databases, and computer programs.

Question 10

Corrective: Controls

Answer 10

Controls implemented to remedy circumstance, mitigate damage, or restore controls.

Question 11

Data Disclosure

Answer 11

A breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party.

Question 12

Detective Controls

Answer 12

Controls designed to signal a warning when a security control has been breached.

Question 13

Deterrent Controls

Answer 13

Controls designed to discourage people from violating security directives.

Question 14

Directive Controls

Answer 14

Controls designed to specify acceptable rules of behavior within an organization.

Question 15

Due Care

Answer 15

The care a “reasonable person” would exercise under given circumstances.

Question 16

Due Diligence

Answer 16

Is similar to due care with the exception that it is a pre-emptive measure made to avoid harm to other persons or their property.

Question 17

Enterprise Risk Management

Answer 17

A process designed to identify potential events that may affect the entity, manage risk so it is within its risk appetite, and provide reasonable assurance regarding the achievement of entity objectives.

Question 18

Export Administration Act of 1979

Answer 18

Authorized the President to regulate exports of civilian goods and technologies that have military applications.

Question 19

Governance

Answer 19

Ensures the business focuses on core activities, clarifies who in the organization has the authority to make decisions, determines accountability for actions and responsibility for outcomes, and addresses how expected performance will be evaluated.

Question 20

Incident

Answer 20

A security event that compromises the confidentiality, integrity, or availability of an information asset.

Question 21

Integrity

Answer 21

Comes in two forms; making sure that information is processed correctly and not modified by unauthorized persons, and protecting information as it transits a network.

Question 22

Information Security Officer

Answer 22

Accountable for ensuring the protection of all of the business information assets from intentional and unintentional loss, disclosure, alteration, destruction, and unavailability.

Question 23

Least Privilege

Answer 23

Granting users only the accesses that are required to perform their job functions.

Question 24

Logical (Technical) Controls

Answer 24

Electronic hardware and software solutions implemented to control access to information and information networks.

Question 25

Patent

Answer 25

Protects novel, useful, and nonobvious inventions.

Question 26

Physical Controls

Answer 26

Controls to protect the organization’s people and physical environment, such as locks, fire management, gates, and guards; physical controls may be called “operational controls” in some contexts.

Question 27

Preventive Controls

Answer 27

Controls implemented to prevent a security incident or information breach.

Question 28

Recovery Controls

Answer 28

Controls implemented to restore conditions to normal after a security incident.

Question 29

Recovery Time Objective (RTO)

Answer 29

How quickly you need to have that application’s information available after downtime has occurred.

Question 30

Recovery Point Objective (RPO)

Answer 30

The point in time to which data must be restored in order to successfully resume processing.

Question 31

Risk

Answer 31

1. A combination of the probability of an event and its consequence (ISO 27000) 2. An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.(RFC 2828)

Question 32

Risk Acceptance

Answer 32

The practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.

Question 33

Risk Avoidance

Answer 33

The practice of coming up with alternatives so that the risk in question is not realized.

Question 34

Risk Mitigation

Answer 34

The practice of the elimination of or the significant decrease in the level of risk presented.

Question 35

Risk Transfer

Answer 35

The practice of passing on the risk in question to another entity, such as an insurance company.

Question 36

Risk Management

Answer 36

A systematic process for identifying, analyzing, evaluating, remedying, and monitoring risk.

Question 37

Single Loss Expectancy (SLE)

Answer 37

Defined as the difference between the original value and the remaining value of an asset after a single exploit.

Question 38

Single Points of Failure (SPOF)

Answer 38

Any single input to a process that, if missing, would cause the process or several processes to be unable to function.

Question 39

Trademark

Answer 39

Any word, name, symbol, color, sound, product shape, device, or combination of these that is used to identify goods and distinguish them from those made or sold by others.

Question 40

Trade Secret

Answer 40

Proprietary business or technical information, processes, designs, practices, etc., that are confidential and critical to the business.

Question 41

Vulnerability Assessment

Answer 41

Determines the potential impact of disruptive events on the organization’s business processes.

Question 42

Wassenaar Arrangement

Answer 42

Established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations.