Security and Risk Management Domain

Question 1

Established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations

Answer 1

Wassenaar Arrangement

Question 2

Authorized the President to regulate exports to civilian goods and technologies that have military applications

Answer 2

Export Administration Act of 1979

Question 3

Controls designed to specify acceptable rules of behavior within an organization.

Answer 3

Directive Controls

Question 4

Procedures implemented to define the roles, responsibilities, policies and administrative functions needed to manage the control environment

Answer 4

Administrative Controls

Question 5

Determines the potential impact of disruptive events on the organization’s business processes

Answer 5

Vulnerability Assessment

Question 6

Proprietary business or technical information, processes, designs, practices, etc, that are confidential and critical to the business

Answer 6

Trade Secret

Question 7

Any word, name, symbol, color, sound, product shape, device, or combination of these that is used to identify goods and distinguish them from those made or sold by others

Answer 7

Trademark

Question 8

Any single input to a process that, if missing, would cause the process or several processes to be unable to function

Answer 8

Single Point of Failure (SPOF)

Question 9

Defined as the differences between the original value and the remaining value of an asset after a single exploit

Answer 9

Single Loss Expectancy (SLE)

Question 10

A systematic process for identifying, analyzing, evaluating, remedying and monitoring risk

Answer 10

Risk Management

Question 11

The practice of passing on the risk in question to another entity, such as an insurance company

Answer 11

Risk Transfer

Question 12

The practice of the elimination of or the significant decrease in the level of risk presented

Answer 12

Risk Mitigation

Question 13

The practice of coming up with alternatives so that the risk in question is not realized

Answer 13

Risk Avoidance

Question 14

The practice of accepting certain risks, typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way

Answer 14

Risk Acceptance

Question 15

1. A combination of the probability of an event and its consequence (ISO 27000)
2. An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result (RFC 2828)

Answer 15

Risk

Question 16

The point in time to which data must be restored in order to successfully resume processing

Answer 16

Recovery Point Objective (RPO)

Question 17

How quickly you need to have that appilcation’s information available after downtime has occurred

Answer 17

Recovery Time Objective

Question 18

Controls implemented to restore conditions to normal after a security incident

Answer 18

Recovery Controls

Question 19

Controls implemented to prevent a security incident or information breach

Answer 19

Preventive Controls

Question 20

Controls to protect the organization’s people and physical enviornment, such as locks, fire management, gates, and guards, physicall controls may be called ‘operational control’ in some contexts.

Answer 20

Physical Controls

Question 21

Protects novel, useful and nonobvious inventions

Answer 21

Patent

Question 22

Electronic hardware and software solutions implemented to control access to information and information networks

Answer 22

Logical (Technical) Controls

Question 23

Granting users only the accesses that are required to perform their job functions

Answer 23

Least Privilege

Question 24

Accountable for ensuring the protection of all of the business information assets from intentional and unintentional loss, disclosure, alteration, destruction and unavailability

Answer 24

Information Security Officer

Question 25

Comes in two forms; making sure that information is processed correctly and not modified by unauthorised persons, and protecting information as it transits a network

Answer 25

Integrity

Question 26

A security event that compromises the confidentiality, integrity or availability of an information asset

Answer 26

Incident

Question 27

Ensures the business focuses on core activities, clarifies who in the organization has the authority to make decisions, determines accountability for actions and responsibility for outcomes, and addresses how expected performance will be evaluated

Answer 27

Governance

Question 28

A process designed to identify potential events that may affect the entity, manage risk so it is within its risk appetite, and provide reasonable assurance regarding the achievement of entity objectives

Answer 28

Enterprise Risk Management

Question 29

Is similar to due care with the exception that it is a pre-emptive measure made to avoid harm to other persons or their property

Answer 29

Due Diligence

Question 30

The care a “reasonable person” would exercise under given circumstances

Answer 30

Due Care

Question 31

Controls designed to discourage people from violating security directives

Answer 31

Deterrent Controls

Question 32

Controls designed to signal a warning when a security control has been breached

Answer 32

Detective Controls

Question 33

A breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party

Answer 33

Data Disclosure

Question 34

Controls implemented to remedy circumstances, mitigate damage, or restore controls

Answer 34

Corrective Controls

Question 35

Covers the expression of ideas rather than the ideas themselves; it usually protects artistic property such as writing, recordings, databases and computer programs

Answer 35

Copyright

Question 36

Supports the principle of “least Privilege” by providing that only authorized individuals, processes or systems should have access to information on a need to know basis

Answer 36

Confidentiality

Question 37

Actions that ensure behavior that complies with established rules

Answer 37

Compliance

Question 38

Controls that substitute for the loss of primary controls and mitigate risk down to an acceptable level

Answer 38

Compensating Controls

Question 39

An incident that results in the disclosure or potential exposure of data

Answer 39

Breach

Question 40

The principle that ensure that information is available and accessible to users when needed

Answer 40

Availability

Question 41

Authorizes the President to designate those items that shall be considered as defence articles and defense services and control their import and the export

Answer 41

Arms Export Control Act of 1976

Question 42

An estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year

Answer 42

Annualized Rate of Occurence (ARO)