D1 - Security and Risk Management Flashcards

(59 cards)

1
Q

System owner

A
  • Owns specific IT systems,
  • Responsible for keeping those systems secure,
  • Ensures they meet business requirements,
  • Ensures they comply with relevant policies & regulations
2
Q

System administrator

A

Day-to-day operations & maintenance of IT systems

3
Q

Security Analyst

A
  • Monitors networks & systems for security breaches,
  • Investigates security incidents,
  • Assesses risks
4
Q

Board of Directors

A

Sets the direction for the organisation:
- Risk appetite,
- Security governance framework,
- Responsible for ensuring the organisation's strategies align with business objectives & legal/regulatory requirements.

5
Q

Management

A

Implements the Board of Directors' directives by establishing:
- Security procedures,
- Controls,
- Policies

6
Q

Audit Committee

A
  • Part of the board or an independent entity,
  • Focuses on oversight of financial reporting & disclosures,
  • Oversees the effectiveness of organisational controls
7
Q

Data Owner

A
  • Manager responsible for a specific data set,
  • Decides its classification,
  • Approves access controls according to sensitivity & business importance
8
Q

Data Custodian

A
  • Responsible for the technical environment & operational procedures that protect the data,
  • Implements the controls specified by the Data Owner,
  • Performs regular backups & patching, and keeps the data accessible
9
Q

(Acquisition) What are the Governance Committees and what do they do?

A

- Groups tasked with oversight roles:
  * Strategic direction,
  * Compliance,
  * Managing risks.

  • Policy Development & Review:
    * Developing, reviewing & approving security policies & frameworks,
    * Ensuring they align with organisational objectives & compliance requirements,
  • Risk Oversight,
  • Resource Allocation,
  • During Acquisitions & Divestitures:
    * Participate in the due diligence process,
    * Assess security implications & manage the associated risks.
  • Security's role through the Governance Committees:
    * Contribute to security policies,
    * Advocate for security resources,
    * Ensure cyber security risks are appropriately represented & managed.
10
Q

(Acquisition) What are Divestitures? (disinvestment, dispossession)

A
  • Selling or spinning off a portion of the business; security concerns:
  • Data segregation,
  • Access revocation,
  • Continuity of security operations.
11
Q

(Acquisition) How is integration handled in an acquisition?

A
  • Integrate IT systems, networks & data,
  • Maintain security standards,
  • Cultural integration:
    * Harmonise the security cultures,
  • Apply security governance principles uniformly.
12
Q

(Acquisition) What does a risk assessment consist of in an acquisition?

A
  • Identify risks,
  • Assess the maturity of the acquired company's security practices,
  • Evaluate security policies,
  • Incident response history,
  • Compliance,
  • Existing vulnerabilities & breaches.
13
Q

What do we mean by acquisition?

A

Purchasing or taking over another company.

14
Q

Key difference between due diligence and due care

A

Due diligence:
- Actively seeking, identifying & understanding risks & regulatory requirements,
- The process of gathering information.

Due care:
- Taking action,
- Mitigate risks & comply with legal obligations,
- Practical application of due diligence findings.

15
Q

Due care

A
  • Actions taken,
  • Prevent harm & protect the organisation's assets by implementing security measures,
  • Take the necessary steps & apply the knowledge gained from due diligence,
  • Address identified risks & comply with legal & regulatory standards.
16
Q

Due diligence

A

Investigation & analysis conducted to identify the risks associated with an organisation's
- IT environment
- Business operations
- Legal obligations
Proactive action taken to understand & analyse the risks faced by the organisation.
Application:
- Conducting comprehensive risk assessments to identify potential threats & vulnerabilities,
- Reviewing & understanding applicable laws, regulations & standards to ensure compliance,
- Evaluating the security controls & practices of third-party vendors & partners.

17
Q

What are the 5 pillars of information security (IS)?

A

Confidentiality, Integrity, Availability, Authenticity, Nonrepudiation

18
Q

What’s Confidentiality?

A
  • Only authorised people can access the information
  • Encryption, Access Control, Authentication
19
Q

What’s Integrity?

A
  • No unauthorised changes
  • Hash functions, Digital Signatures, Version Control
20
Q

What’s Availability?

A
  • Accessible when needed
  • Redundancy, Failover Systems, Regular Maintenance
21
Q

What’s Authenticity?

A
  • Confirms the identities of people, systems & entities
  • Digital Certificates, Biometric Verification
22
Q

What’s Nonrepudiation

A
  • Prevent denying actions
  • Digital Signatures, Comprehensive Audit Trails
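Worked example for the Integrity and Nonrepudiation cards (card 19 and card 22). This is an added illustration, not part of the original deck: it shows why a plain hash only detects accidental change, why an HMAC also authenticates the sender, and why neither gives nonrepudiation, since the verifier holds the same key and could have produced the tag itself. The names Alice/Bob, the messages and the keys are constructed; only the Python standard library is used.

```python
"""Integrity vs nonrepudiation: hash, HMAC and the shared-key caveat.

Added example, not from the flashcards. Participants, messages and keys are
constructed for the demonstration.
"""
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: anyone can compute it, so it only proves 'unchanged since digest'."""
    return hashlib.sha256(data).hexdigest()


def tamper_detected_by_hash(received: bytes, published_digest: str) -> bool:
    """Integrity check: True when the received bytes no longer match the published digest."""
    return sha256_hex(received) != published_digest


def forge_hash(tampered: bytes) -> str:
    """An attacker who can replace the message can replace an unkeyed digest too."""
    return sha256_hex(tampered)


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed digest (HMAC-SHA256): integrity + authenticity among holders of `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest keeps the comparison constant-time.
    return hmac.compare_digest(mac(key, message), tag)


def demo() -> dict:
    """Runs the three scenarios and returns the outcome of each check."""
    shared_key = secrets.token_bytes(32)      # constructed: known to Alice AND Bob
    msg = b"transfer 100 EUR to account 1234"
    evil = b"transfer 900 EUR to account 6666"

    # 1. Integrity via unkeyed hash: detects the change only while the digest
    #    itself is trustworthy; an attacker who swaps both is not caught.
    digest = sha256_hex(msg)
    hash_catches_tamper = tamper_detected_by_hash(evil, digest)
    hash_fooled = not tamper_detected_by_hash(evil, forge_hash(evil))

    # 2. Integrity + authenticity via HMAC: without the key, no valid tag.
    tag = mac(shared_key, msg)
    mac_accepts_original = verify_mac(shared_key, msg, tag)
    mac_rejects_tamper = not verify_mac(shared_key, evil, tag)
    attacker_key = secrets.token_bytes(32)
    mac_rejects_attacker = not verify_mac(shared_key, evil, mac(attacker_key, evil))

    # 3. Nonrepudiation caveat: Bob, the verifier, holds the same key, so he can
    #    mint a tag that "Alice cannot deny". A third party cannot tell them apart.
    bob_forgery = mac(shared_key, evil)
    verifier_can_forge = verify_mac(shared_key, evil, bob_forgery)

    return {
        "hash_catches_tamper": hash_catches_tamper,
        "hash_fooled_when_digest_replaced": hash_fooled,
        "mac_accepts_original": mac_accepts_original,
        "mac_rejects_tamper": mac_rejects_tamper,
        "mac_rejects_attacker_key": mac_rejects_attacker,
        "verifier_can_forge_mac": verifier_can_forge,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Every value in the returned dict is True: the hash is defeated as soon as the attacker controls the digest, the HMAC holds against an outsider, and the last entry is the point of card 22: a shared-key MAC cannot prove to a third party which key holder acted. Nonrepudiation needs a digital signature, where only the signer holds the private key (not in the standard library, so not shown here).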
23
Q

What’s Defense in Depth?

A
  • Multiple layers of security measures
  • Firewalls, IDS/IPS, Malware Protection Systems, Encryption, Access Control, Policies, …
24
Q

What’s Layered Defense?

A

Stacking security measures. It is a comprehensive security model.
LAYERS:

  • Network
    *Firewalls, Network Segmentation
  • Application
    *App. Firewalls, Secure Coding Practices
  • Endpoint security
    *Antivirus, Device Management
  • User Training & Awareness programs
25
Q

Authentication

A
  • Verifies the identity of users, systems & entities,
  • Basis of access control,
  • Supports the five pillars (CIA + authenticity & nonrepudiation),
  • Foundation for security.
26
Q

Biometrics, MFA

A
  • Verification of identity with biometrics / MFA factors:
    * Something you know,
    * Something you have,
    * Something you are,
    * Somewhere you are.
27
Q

What are the authentication types (foundation for security with authentication)?

A
  • SFA (Single Factor Authentication)
    * Password or PIN
  • MFA (Multi Factor Authentication)
    * 2 or more factors, e.g. password + smart card
  • Biometrics
    * Biological characteristics
  • Authentication protocols & mechanisms
    * Kerberos
    * SSL/TLS > authenticates web servers (and optionally clients) by certificate; this is authentication, not authorisation
    * RADIUS (Remote Authentication Dial In User Service) > network access
28
Q

Authorisation

A

Process of granting or denying rights & privileges.

29
Q

What are the core aspects of authorisation?

A
  • RBAC (Role-Based Access Control)
    * Permissions grouped by role
  • ABAC (Attribute-Based Access Control)
    * Dynamically adjusts permissions
    * Based on contextual attributes such as day & time
  • DAC (Discretionary Access Control)
    * Owners grant access to specific resources
    * Access based on identity
  • MAC (Mandatory Access Control)
    * Policy-based
    * Lattice of labels (subject clearance vs object classification)
    * High level of security > used by the military & government
  • Authorisation mechanisms
    * Key to implementing least privilege
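Worked example for card 29: the same access request decided under RBAC, ABAC and MAC, with every path defaulting to deny. This is an added illustration written for this page, not code from the deck; the roles, permissions, labels and requests are constructed. The MAC part implements the two classic lattice rules (no read up, no write down) on a clearance level plus compartment set, which is one concrete form of the "lattice" the card mentions.

```python
"""RBAC, ABAC and MAC decisions side by side.

Added example, not from the flashcards. All users, roles, labels and
requests are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime

# --- RBAC: permissions attach to roles, users are grouped into roles -----------
ROLE_PERMISSIONS = {
    "analyst": {"ticket:read", "log:read"},
    "admin": {"ticket:read", "ticket:write", "log:read", "user:manage"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}, "mallory": set()}


def rbac_allowed(user: str, permission: str) -> bool:
    """Unknown users, unknown roles and unknown permissions all fall through to deny."""
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


# --- ABAC: the decision also depends on contextual attributes -----------------
def abac_allowed(user: str, permission: str, at: str, from_corp_network: bool) -> bool:
    """RBAC grant AND weekday business hours; writes additionally need the corporate network.

    `at` is an ISO-8601 timestamp such as "2024-03-06T10:00" (constructed attribute).
    """
    if not rbac_allowed(user, permission):
        return False
    now = datetime.fromisoformat(at)
    business_hours = now.weekday() < 5 and 8 <= now.hour < 18
    if not business_hours:
        return False
    if permission.endswith(":write") or permission == "user:manage":
        return from_corp_network
    return True


# --- MAC: lattice of labels; policy, not the owner, decides ------------------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when its level is >= and it holds every compartment of b."""
    return LEVELS[a.level] >= LEVELS[b.level] and b.compartments <= a.compartments


def mac_read_allowed(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return dominates(subject, obj)


def mac_write_allowed(subject: Label, obj: Label) -> bool:
    """*-property: no write down (the object's label must dominate the subject's)."""
    return dominates(obj, subject)


if __name__ == "__main__":
    print("alice log:read (RBAC):", rbac_allowed("alice", "log:read"))
    print("bob ticket:write Wed 10:00 off-net (ABAC):",
          abac_allowed("bob", "ticket:write", "2024-03-06T10:00", False))
    clearance = Label("secret", frozenset({"crypto"}))
    print("secret/crypto reads top_secret (MAC):",
          mac_read_allowed(clearance, Label("top_secret")))
```

The three models differ in who may change the decision: in RBAC an administrator edits the role tables, in ABAC the answer changes with the request's context even though nobody edited anything, and in MAC neither the user nor the resource owner can override the label comparison. A user not present in USER_ROLES gets nothing, which is least privilege by default.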
30
Q

Accountability

A
  • Traces actions back to the individual or entity,
  • Makes them responsible for their actions,
  • Supports:
    * Enforcement of security policies,
    * Detection of policy violations,
    * Investigation of security incidents.
31
Q

What are the key components of Accountability?

A
  • Identification & Authentication
    * Reliable system,
    * Users, devices & systems are uniquely identified & authenticated.
  • Logging & Monitoring
    * User activities, system events, security incidents,
    * Review actions,
    * Detect anomalies,
    * Trace suspicious activities back to their source.
  • Access Controls
    * What actions users can perform,
    * Controlling access based on
      ** Roles,
      ** Permissions,
      ** Policies
    * Users are held accountable for the resources they access.
  • User training & awareness
    * Understand how to maintain & secure systems,
      ** Managing risks,
      ** Supporting compliance,
    * Act responsibly & be cognizant of their actions.
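Worked example for cards 30 and 31: building an audit trail from log events and tracing actions back to their source. This is an added illustration, not from the deck. The JSON log lines are constructed, as are the user names, IDs and addresses. It shows the three things the cards ask for, a per-identity trail, an anomaly (a burst of failed logins) and the case accountability cannot solve: actions performed through a shared account, which is why unique identification comes first on the card.

```python
"""Audit trail, anomaly detection and the shared-account gap.

Added example, not from the flashcards. SAMPLE_LOG is constructed.
"""
import json
from collections import defaultdict

# Accounts used by more than one person; events from them cannot be tied to a person.
SHARED_ACCOUNTS = {"admin", "root", "svc_backup"}

# Constructed audit events, one JSON object per line, in time order.
SAMPLE_LOG = """
{"ts":"2024-03-06T09:01:00Z","user":"alice","uid":"u1001","src":"10.0.1.5","action":"login","result":"ok"}
{"ts":"2024-03-06T09:02:10Z","user":"alice","uid":"u1001","src":"10.0.1.5","action":"read","obj":"ticket/42","result":"ok"}
{"ts":"2024-03-06T09:05:00Z","user":"bob","uid":"u1002","src":"10.0.1.9","action":"login","result":"fail"}
{"ts":"2024-03-06T09:05:03Z","user":"bob","uid":"u1002","src":"10.0.1.9","action":"login","result":"fail"}
{"ts":"2024-03-06T09:05:07Z","user":"bob","uid":"u1002","src":"10.0.1.9","action":"login","result":"fail"}
{"ts":"2024-03-06T09:05:12Z","user":"bob","uid":"u1002","src":"10.0.1.9","action":"login","result":"fail"}
{"ts":"2024-03-06T09:30:00Z","user":"admin","uid":"u0","src":"10.0.1.9","action":"user:manage","obj":"user/alice","result":"ok"}
{"ts":"2024-03-06T09:31:00Z","user":"admin","uid":"u0","src":"10.0.1.5","action":"user:manage","obj":"user/bob","result":"ok"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines audit output into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def audit_trail(events: list) -> dict:
    """Group events by unique identity so any action can be traced to its source."""
    trail = defaultdict(list)
    for e in events:
        trail[e["uid"]].append(e)
    return dict(trail)


def failed_login_bursts(events: list, threshold: int = 3) -> dict:
    """Anomaly detection: users with at least `threshold` failed logins."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "login" and e["result"] == "fail":
            counts[e["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def unattributable(events: list) -> list:
    """Privileged actions from shared accounts.

    The identity is not unique, so nobody can be held to the action; the source
    address is the only lead left for the investigator, so it is reported.
    """
    return [(e["ts"], e["action"], e.get("obj"), e["src"])
            for e in events if e["user"] in SHARED_ACCOUNTS]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(events))
    print("actions with no accountable person:")
    for row in unattributable(events):
        print("  ", row)
```

In the constructed log both "admin" actions share uid u0 but come from two different addresses, so the trail cannot say whether one person or two did them. That is the practical reason the card lists Identification & Authentication before Logging & Monitoring: logging a shared identity records the event but not the accountable party.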
32
Q

Least Privilege

A
  • Limits access rights to the minimum necessary for the job function,
  • Minimises the risk of
    * Data breaches,
    * Potential damage,
    * Unauthorised access
  • Restricts administrative access by implementing controls such as:
    * sudo for temporary privilege elevation (rather than standing admin privileges),
    * RBAC
    * If someone needs admin rights
      ** 2 accounts: one as a user & the other as an admin
33
Q

Need to know

A
  • Access is granted on the basis of a need for the information to complete a specific task,
  • Protects sensitive or classified information,
  • Data access
    * Only those whose roles explicitly require access to the data,
  • Project-based access
    * Limits access to a project or a specific period of time,
  • Compartmentalisation
    * Segmenting information & networks,
    * Access to data controlled by "need to know",
    * Reduces wide-scale exposure from a single point of compromise.
34
Q

Security Governance Principles

A
  • Processes, structures & information that guide the organisation towards its objectives:
    ** Managing risks,
    ** Ensuring compliance,
    ** Defining roles & responsibilities (R&R),
    ** Establishing security policies,
    ** Establishing frameworks,
    ** Developing policies, standards, procedures & guidelines,
    ** Monitoring performance
  • Makes sure strategies align with business objectives.
35
Q

Risk Management

A
  • Identifying, assessing & prioritising risks,
  • Implementing mitigation strategies to bring risk down to an acceptable level.
36
Q

Organisational risk landscape

A
  • Threats, vulnerabilities, likelihood,
  • Apply risk treatment strategies
    * Avoidance,
    * Mitigation,
    * Transfer,
    * Acceptance
  • Continuous monitoring & assessment to adapt to change.
37
Q

Compliance

A
  • Adhering to laws, regulations, policies & standards,
  • Ongoing effort to monitor changes in compliance requirements.
38
Q

Security Function Alignment

A
  • Aligns with the business strategy, goals, mission & objectives,
  • Supports & enhances the overall business objectives rather than operating in isolation,
  • Fundamental for the security posture.
KEY ASPECTS
  • Understand business objectives
    * Tailor the security strategy,
    * Do not impede business operations,
  • Strategic operation
  • Risk Management Alignment
    * Assess the impact of risks on business objectives,
    * Prioritise security efforts,
  • Compliance & Regulatory Considerations,
  • Communication & Collaboration
    * Crucial for alignment,
    * Work closely with other departments,
    * Understand their needs & concerns for business processes,
  • Security Metrics & Reporting
    * Help demonstrate the value of security,
    * Contribution to achieving business objectives,
    * Show results such as:
      ** Risk reduction,
      ** Compliance,
      ** Operational efficiency
39
Q

What are the key activities of Security Function Alignment?

A
  • Evaluating Security Governance Structures
    * Assess governance structures & their integration with business strategy,
    * Security leadership has visibility & influence,
  • Applying Security Governance Principles
    * Promote alignment, e.g. security considered in projects & change,
  • Sustaining Security-Business Alignment
    * Continuous monitoring,
    * Keep security initiatives aligned with business objectives.
40
Q

Due diligence

A
  • Investigation & analysis conducted to identify the risks associated with an organisation's:
    * IT environment,
    * Business operations,
    * Legal obligations
  • Taking proactive action to understand & analyse the risks faced by the organisation.
41
Q

Give 3 examples of the application of Due Diligence

A
  • Conducting comprehensive risk assessments to identify potential threats & vulnerabilities,
  • Reviewing & understanding applicable laws, regulations & standards to ensure compliance,
  • Evaluating the security controls & practices of third-party vendors & partners.
42
Q

Give 3 situations where Due Care applies

A
  • Implementing security policies, procedures & controls that are in line with best practices & regulatory requirements,
  • Ensuring that employees are trained in security awareness & understand their role in protecting the organisation's assets,
  • Regularly updating & maintaining security systems to protect against known threats & vulnerabilities.
43
Q

Users

A
  • Comply with the organisation's security policies & procedures,
    * Password management,
    * Data handling practices,
  • Responsible for reporting suspected security incidents or vulnerabilities.
44
Q

Security Control Framework

A
  • Set of guidelines & best practices,
    * Helps organisations IMPLEMENT, MANAGE & SUSTAIN effective security measures,
    * Systematic approach.
45
Q

What are the key aspects of Security Control Frameworks?

A
  • Comprehensive coverage
    * Broad range of security controls,
  • Best practices & benchmarks
    * Measure security performance against the framework,
    * Identify gaps,
    * Make informed decisions on allocating resources for improvement,
  • Compliance & regulatory alignment
    * Meet specific regulatory & compliance requirements efficiently,
  • Structured approach to risk management
    * IDENTIFYING, ASSESSING & MANAGING information risks,
    * Aligned to the organisation's risk appetite & business objectives.
46
Q

Integrating security control frameworks

A
  • Framework selection & customisation,
  • Implementation & integration,
  • Continuous assessment & improvement,
  • Training & awareness.
47
Q

What is ISO/IEC 27001 about?

A
  • Specifies requirements for ESTABLISHING, MAINTAINING & CONTINUALLY IMPROVING an Information Security Management System (ISMS),
  • Secure assets in a cost-efficient way,
  • Set of policies, procedures, processes & systems,
  • Manage information risks such as data loss, cyber attacks, ...
  • Documentation is mandatory.
48
Q

What are the key aspects of ISO/IEC 27001?

A
  • Risk-based approach
    * IDENTIFYING, ASSESSING & TREATING RISKS to CIA,
  • Leadership & commitment
    * Leadership champions the integration of the information security governance framework,
  • Performance evaluation
    * Regular monitoring, measurement, analysis & evaluation,
    * Demonstrates effectiveness & drives control improvement,
  • Compliance & legal requirements
    * Identify & address legal, regulatory & contractual obligations,
  • Continual improvement
    * Adapt to internal & external changes,
  • Documentation & records: IT IS A MUST TO DOCUMENT EVERYTHING
    * Policies, objectives, procedures & records,
    * Clear audit trail of governance activities,
    * Accountability, transparency & effective security governance.
49
Q

What is NIST SP 800-53 about?

A
  • Part of the NIST Special Publication (SP) series, which provides guidelines, recommendations, technical specifications & annual reports,
  • Intended for a governmental audience & the private sector,
  • Security & Privacy Controls for Federal Information Systems & Organizations,
  • Supports compliance with FISMA,
    * CIA of information systems & data,
    * Mitigate risks from various threats.
50
Q

What are the key aspects of NIST SP 800-53?

A
  • Comprehensive control catalogue,
  • RMF (Risk Management Framework)
    * Guides the management of security & privacy risk,
    * Integrate the RMF into the organisation's culture & align it with security practices & business processes,
  • Tailoring & customisation,
  • Continuous monitoring
    * Effectiveness over time,
  • Accountability & documentation
    * Procedures,
    * Security policies,
    * Control implementations,
  • Integration with other standards & frameworks.
51
Q

What's COBIT about?

A
  • IT management & governance framework developed by ISACA,
  • Guidelines, practices & tools,
  • Manage & govern IT environments effectively.
52
Q

What are the 5 principles of COBIT?

A
  • Meeting stakeholders' needs,
  • Covering the enterprise end-to-end,
  • Applying a single integrated framework,
  • Enabling a holistic approach,
  • Separating governance from management.
53
Q

What are enablers and which ones are in COBIT?

A
Enablers are crucial for optimising IT resources & aligning IT processes with business objectives:
  • Principles, Policies & Frameworks,
  • Processes,
  • Organisational Structures,
  • Culture, Ethics & Behaviours,
  • Information,
  • Services, Infrastructure & Applications,
  • People, Skills & Competencies.
54
Q

What characterises COBIT's enabler Principles, Policies & Frameworks?

A
  • Principles guide decision-making,
  • Policies provide specific guidelines for actions & behaviours,
  • Frameworks are a structured approach to implementing governance & management practices,
  • Together they ensure consistency & clear direction for IT governance & management.
55
Q

What characterises COBIT's enabler Processes?

A
  • Structured sets of activities,
  • That achieve specific objectives.
56
Q

What characterises COBIT's enabler Organisational Structures?

A
  • Roles & responsibilities, and communication.
57
Q

What characterises COBIT's enabler Information?

A

Lifecycle of the information, from gathering and classification ... to deletion.

58
Q

What characterises COBIT's enabler Services, Infrastructure & Applications?

A
  • IT resources
    * Services,
    * Infrastructure (physical + virtual),
    * Applications
  • Optimise performance,
  • Support service delivery
59