Topic 1 - Supporting IT Governance and Risk Management

Question 1

What are two widely used “Information Classification” systems?

Answer 1

Government Classification System, which focuses on Confidentiality, and Commercial Classification System with focuses on Integrity

Question 2

What’s the equation to calculate Single Loss Expectancy (SLE)?

Answer 2

Asset Value (AV) x Exposure Factor (EF)

Question 3

Define Mergers and Acquisitions

Answer 3

The combination of two or more commercial companies into a single surviving entity

Question 4

What is the name of a risk report containing the findings, information, assessments, and recommendations for an organization?

Answer 4

Risk assessment report

Question 5

What is an IT Audit?

Answer 5

An examination of controls within an information technology system or network

Question 6

Ranking elements of a risk assessment by non-monetary values is to do a…

Answer 6

Qualitative Risk Assessment

Question 7

Assigning a monetary value to elements of a risk assessment is to do a …

Answer 7

Quantitative Risk Assessment

Question 8

What are the four categories of the Commercial Classification System?

Answer 8

Public, Sensitive, Private, Confidential

Question 9

What is FISMA?

Answer 9

Federal Information Security Management Act addresses info sec requirements for no n-national security government agencies.

Question 10

Explain the final phase of the risk management process, “continuous monitoring “

Answer 10

Continuous monitoring allows organizations to evaluate the effectiveness of controls on a near or real-time basis since it occurs immediately or closely after events

Question 11

What are examples of insecure data transmission protocols?

Answer 11

FTP, Telnet, HTTP, SMTP

Question 12

Who is responsible for identifying and analyzing risks?

Answer 12

The risk management team

Question 13

Define a “Risk Detterence”

Answer 13

A process, policy or system that discourages others from exploiting a vulnerability

Question 14

What is COBIT?

Answer 14

Control Objectives for Information Related Technology. It is a leading governance framework

Question 15

Define the ESA framework SABSA

Answer 15

Sherwood Applied Business Security Architecture is a strategy based on an architectural viewpoint

Question 16

What is GLBA?

Answer 16

Gramm-Leach-Bliley Act is a law overhauling financial services regulation in the US and applies to financial institutions.

Subtitle A requires institutions to make disclosures about privacy policies and opt-out capability.

Question 17

What is an SLA?

Answer 17

Service Level Agreement that defines performance targets for hardware and software

Question 18

What are SLA examples?

Answer 18

Help Desk and Caller Services, Uptime and Availability Agreements,

Question 19

What is FISMA 2014?

Answer 19

The updated version of the original 2002 Federal Information Security Management Act

Question 20

What is ISAM?

Answer 20

INFOSEC Assessment Methodology - A qualitative assessment

Question 21

What is an HSM?

Answer 21

Hardware Security Module. It’s a type of secure cryptoprocessor targeted at managing keys

Question 22

What is “business continuity planning”?

Answer 22

The formation of a plan on what to do if your business suffers a disruption

Question 23

What are policies?

Answer 23

High-level documents that outline the security goals and objectives of the company

Question 24

What is the measurement called that tracks the time it takes to go from a failure to repaired for an asset

Answer 24

MTTR - Mean time to Repair

Question 25

Define a Partnership business model

Answer 25

A model where two or more entities share potential profit and risk with each other.

Question 26

What is a vulnerability?

Answer 26

A vulnerability can be described as a weakness in hardware or software that may be exploited

Question 27

Encrypted file system (EFS) and VeraCrypt are examples of?

Answer 27

Software encryption options for data-at-rest

Question 28

A group risk assessment that allows people to contribute anonymously is known as …

Answer 28

Delphi Technique

Question 29

What is the IT Governance Institute Framework?

Answer 29

A process that begins with setting objectives for the enterprise’s IT , providing initial direction and then evolving into a continuous loop

Question 30

What is Outsourcing?

Answer 30

An arrangement in which one company provides services for another company that may or may not have been provided in-house

Question 31

What is GDPR?

Answer 31

General Data Protection Regulation in the EU that affects multi-national companies

Question 32

Define “Asset Identification”

Answer 32

The process of identifying all of the organization’s assets.

Question 33

What is a vulnerability window?

Answer 33

When an IT asset is most vulnerable

Question 34

What are the types of business models?

Answer 34

Outsourcing, Partnerships and Mergers and Acquisitions

Question 35

What is a TPM?

Answer 35

Trusted Platform Module.

A specialized chip that can be installed on the motherboard of a computer and is used for hardware authentication

Question 36

Define the ESA framework EA

Answer 36

Enterprise Architecture used by the federal government to ensure business strategy and IT investments are aligned

Question 37

What is an asset?

Answer 37

An asset is an item of value to an institution, such as data, hardware, software or physical property.

Question 38

What are the four categories of the Government Classification System?

Answer 38

Unclassified, Confidential, Secret and Top Secret

Question 39

What are examples of risk sources?

Answer 39

The source of a risk can be either internal or external. Internal example is a disgruntled employee and external example is a natural disaster

Question 40

What is HIPAA?

Answer 40

Health Insurance Portability and Accountability Act is a law regarding privacy that has three major purposes:

1. To provide consumers with access to their health information
2. To improve quality of health care in the US by restoring trust in the system
3. Creating a national framework for health privacy protection

Question 41

What are examples of “Tangible Assets”?

Answer 41

Hardware and software

Question 42

List the three security control types

Answer 42

Physical controls (door locks), technical controls (cameras, anti-virus), operation controls (background checks, security awareness training)

Question 43

A quick risk assessment based on a series of questions is known as …

Answer 43

FRAP - Facilitated Risk Assessment Process

Question 44

List potential risks in a Partnership business model

Answer 44

Loss of Competency, broken agreements, service deterioration, poor cultural fit, hidden costs

Question 45

What is a Zero-Day?

Answer 45

An exploit the vendor either doesn’t know about, or that no patch or mitigation exists for

Question 46

What is a network boundary?

Answer 46

The point at which your control ends

Question 47

List proper equipment disposal methods

Answer 47

Drive wiping, zeroization, degaussing, physical destruction

Question 48

Define Annualized Rate of Occurrence (ARO)

Answer 48

Frequency at which a specified risk will be realized over a single year

Question 49

What are threat examples that pertain to IT security?

Answer 49

Natural disaster, malicious code, breach of physical security, hacker attack, DDoS, cyberterrorism

Question 50

Define “Risk Appetite”

Answer 50

The amount of risk a company is willing to accept

Question 51

What is a threat?

Answer 51

Any situation that affects confidentiality, availability or integrity of an IT asset

Question 52

What does “CVE” stand for?

Answer 52

Common vulnerabilities and exposures. It’s a system to normalize data about a vuln so fixing or mitigating is less of a challenge

Question 53

What is SOX?

Answer 53

Sarbanes-Oxley Act mandated reforms to enhance corporate responsibility, enhance financial disclosures and combat corporate and accounting fraud. Section 302 requires the CEO and CFO to certify personally that the org has proper internal controls. Section 404 requires infrastructure designed to archive records and data while protecting it from destruction and loss.

Question 54

What are examples of “Intangible Assets”?

Answer 54

Reputation and services

Question 55

Define “RPO” and “RTO”

Answer 55

Recovery Point Object - the tolerable period of time between the last backup and the failure, which is what data would be lost. A 5 minute RPO provides you with data lost only over the last 5 minutes.

Recovery Time Objective - The amount of time required to bring the systems back online and restore normal access that the company wants to tolerate

Question 56

What do you call an unmitigated risk when discussing risk assessment?

Answer 56

An exemption

Question 57

Explain “Risk Mitigation Planning”

Answer 57

Comes after a quantitative or qualitative assessment and is to make a determination and decide which security controls should be applied.

Question 58

What is the name of a predictable interval between failures of an asset?

Answer 58

MTBF - Mean time between failures

Question 59

What is Operational Risk?

Answer 59

Either a company’s internal and external practices, or external sources such as government agencies or regulatory requirements.

Question 60

List two common “Enterprise Security Architecture (ESA)” frameworks

Answer 60

Enterprise Architecture (EA) and Sherwood Applied Business Security Architecture (SABSA)

Question 61

Define Exposure Factor (EF)

Answer 61

The percentage of loss experienced IF a specific asset were attacked. Based on asset value

Examples: Perhaps an attack doesn’t render an asset totally inaccessible or inoperable

Question 62

What is Risk?

Answer 62

Risk is the probability/likelihood of the occurrence or realization of a threat

Question 63

What is motivation?

Answer 63

The driving force behind an activity

Question 64

List the four alternatives for handling potential risks

Answer 64

Avoid, Accept, Transfer, Mitigate

Avoid - to eliminate - examples being withdraw from a practice or not become involved
Accept - acknowledging it has been understood and evaluated but senior management has made the decision that the benefits of moving forward outweigh the risk.
Transfer - Deflect to a third party
Mitigate - A control is used to reduce the risk

Question 65

What is the equation to calculate Annualized Loss Expectancy (ALE)

Answer 65

Annualized Rate of Occurrence (ARO) x Single Loss Expectancy (SLE)

Question 66

Define compliance

Answer 66

Being in accordance with agreed-upon guidelines, specifications, legislation, or regulations

Question 67

Enterprise Resilience is ..

Answer 67

An approach to risk management that anticipates disruptions, better ensures recovery, and protects business profitability

Question 68

Explain the purpose of “Risk Assessment”

Answer 68

To evaluate risks in terms of the likelihood and the magnitude of an impact, to determine a response strategy and to monitor progress in reducing the threat.

Question 69

What are the four strategic responses to positive risks?

Answer 69

exploit, share, enhance and accept

Question 70

List the Qualitative risk assessment grade scale

Answer 70

Low, Medium and High across CIA

Low = Minor inconvenience
Medium = Can  Result in damage to an organization
High = Will result in a loss of goodwill, legal action or fine

Question 71

What is the CIA triad?

Answer 71

Confidentiality, Integrity and Availability

Question 72

Define Confidentiality and list the most common controls…

Answer 72

Keeping good data away from bad actors | Encryption, data classification, awareness training

Question 73

Define Integrity and list the most common controls..

Answer 73

Change control for data with no unauthorized modification without knowledge and consent of data owner | hashing, IDS, strict access controls

Question 74

Define Availability and list the most common controls..

Answer 74

Authorized subjects can access objects in a timely manner without interruption | redundant system design, continuous monitoring and testing of backups

Question 75

Define IT governance

Answer 75

A concept in which stakeholders ensure that those who govern IT resources are fulfilling objectives and strategies

Question 76

What is “Due Diligence”

Answer 76

Good governance/good oversight. Loosely, overseeing action, directing it with governance, policy and providing strategy so people understand objectives

Question 77

What is “Due Care”

Answer 77

Good actions/acting aligned with the structure from due diligence so we are doing the right things, not wrong things.

Loosely, if you are at a pool and there are rules on the wall, like no running, the actions abiding by those rules is Due Care.

Question 78

What is a countermeasure (control)?

Answer 78

mechanism to minimize risk

Question 79

What is residual risk?

Answer 79

remaining risk after countermeasures applied

Question 80

Define the risk management cyclical process

Answer 80

Identify, Assess, Analyze and Respond

Question 81

What is ERM

Answer 81

Enterprise Risk Management - process of evaluation, measuring and mitigating risks at an organization level

Question 82

What is a semi-quantitative analysis

Answer 82

Attempts to find a middle ground between the two types

Question 83

What is a security framework?

Answer 83

A reference point with common language. Examples: SOX, NIST, SABSA,

Question 84

What is a policy?

Answer 84

Direction from senior management (strategic)

Question 85

What is a standard?

Answer 85

Formalized from external guidance (regulatory example GDPR)

Question 86

What is a procedure?

Answer 86

Step by step method of accomplishing something (tactical)

Question 87

What is a Guideline?

Answer 87

best practice re commendation

Question 88

What is de-perimeterization?

Answer 88

The process of shifting, reducing or removing some enterprise boundaries to facilitate interactions with the world outside of it’s domain

Question 89

When talking system-specific risk analysis, what are common questions to ask?

Answer 89

How can the attack be performed? / Can the attack be performed in the current network?

Question 90

What is a Aggregate CIA score?

Answer 90

A subjective score on a sliding scale of harm. The highest risks are rated a 10, the lowest risks are rated at 1 and data having no risk is rated at 0.

The CIA attributes of information are compared to the threat that each attribute faces, then multiplied to produce a total. Value x threat = total for an attribute

The total risk for each attribute are added to produce the aggregate CIA score for that entire risk.

Question 91

What is the “Golden Rule”

Answer 91

It’s very important to incorporate stakeholder input as part of the process.

Seek the blessing and the authorization and the acceptance of senior leadership before you implement anything.

Question 92

What is the CVSS?

Answer 92

Common Vulnerability Scoring System - A risk management approach where vuln data is quantified and then the degrees of risk to systems or information are taken into account. v3.1 is the current vector.

Metrics are base (AV/AC/PR/UI/S/C/I/A), temporal (E/RL/RC), environmental or specific context (

Used to score vulnerabilities in CVE

Question 93

What is a Business Impact Analysis (BIA)

Answer 93

Business Impact Analysis - Used to determine impact a disruptive event would have on an org.

Goals: determine criticality/ estimate max downtime / evaluate resource requirements

Steps: gather requirements & info/vuln assessment/risk anlysis/ communicate findings

Question 94

What are examples of documents that support security initiatives

Answer 94

MSA - Master Services Agreement - Expedites agreement process
SOA - Statement of applicability - identifies controls in place
BIA - Business Impact Analysis - identifies present organizational risks
IA - Interoperability Agreement - general term for any doc that outlines a business partnership
ISA - Interconnection security agreement -
MOU - Memorandum of Understanding - not legally binding
SLA - Service Level Agreement - clearly defines what services are to be provided to the client
OLA - Operating Level Agreement - identifies and defines the working relationships between groups or divisions
NDA - Non Disclosure Agreement - an agreemnt between entities stipulating you will not share specific information with unauthorized third parties
BPA - Business Partner Agreement - defines how a partnership between business entities will be conducted

Question 95

What are all the ways you can measure downtime?

Answer 95

Maximum allowable downtime (MAD)/ Maximum tolerable downtime (MTD )
recovery time objective (RTO)
recovery point objective (RPO)
mean time to failure (MTTF)
meant time to repair (MTTR)
mean time between failures (MTBF)

Question 96

What are the 5 steps of incident response?

Answer 96

Detection, Response, Reporting, Recovery, Remediation and Review

Question 97

Describe two-man control

Answer 97

Two operators review and approve each other’s work

Question 98

What are the MIL levels for a Cyber Resilience Review (CRR)

Answer 98

MIL0 - Incomplete
MIL1 - Performed
MIL2 - Planned
MIL3 - Managed
MIL4 - Measured
MIL5 - Defined