Domain 1: Information Security Governance and Risk Management Flashcards

(150 cards)

1
Q

What does the acronym ALE stand for?

A

Annual Loss Expectancy

2
Q

What does Annual Loss Expectancy (ALE) mean?

A

The expected cost per year of losses from a given risk; it lets security practitioners compare that yearly cost against the cost of a safeguard.

3
Q

What is the Annual Loss Expectancy (ALE) Formula?

A

Single Loss Expectancy (SLE) X Annual Rate of Occurrence (ARO)

4
Q

What does the Annual Rate of Occurrence (ARO) mean?

A

The expected number of times a loss occurs per year (an ARO of 0.1 means once every ten years).

5
Q

What does the acronym ARO stand for?

A

Annual Rate of Occurrence

6
Q

What does the phrase Exposure Factor (EF) mean in the Annual Loss Expectancy section?

A

The percentage of an asset's value that is lost in a single incident.

7
Q

What does Asset Value (AV) mean?

A

The value of an asset you are trying to protect.

8
Q

What does ROI stand for?

A

Return on Investment

9
Q

What does the acronym EF stand for in the Annual Loss Expectancy section?

A

Exposure Factor

10
Q

What does the phrase Single Loss Expectancy (SLE) mean in the Annual Loss Expectancy (ALE) section?

A

The cost of a single Loss.

11
Q

What does the acronym SLE stand for?

A

Single Loss Expectancy

12
Q

What is the Single Loss Expectancy (SLE) formula?

A

SLE = AV * EF

13
Q

What does the phrase Return on Investment (ROI) mean?

A

The amount of money saved by implementing a safeguard (the reduction in ALE weighed against the safeguard's cost).

14
Q

What component can you add to the Risk Calculation to give it more meaning?

A

Add Impact to the equation: Risk = Threat * Vulnerability * Impact

15
Q

What does AV stand for in the Annual Loss Expectancy framework?

A

Asset Value

16
Q

What does Total Cost of Ownership (TCO) mean?

A

The total cost of a mitigating safeguard over its lifetime: purchase, installation, operation, and maintenance.

17
Q

What does the acronym TCO stand for?

A

Total Cost of Ownership

18
Q

What is the Single Loss Expectancy (SLE) formula?

A

Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF)
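Cards 1 to 18 give the pieces of a quantitative analysis (AV, EF, SLE, ARO, ALE, TCO, ROI) one at a time. The Python below is an added worked example, not part of the flashcard deck, that strings them together for two hypothetical risks and decides whether a safeguard pays for itself. The `Risk` and `Safeguard` names, the asset values, exposure factors, rates and safeguard costs are all constructed for illustration.

```python
"""Quantitative risk analysis worked through: SLE, ALE, TCO and ROI.

Added example (not part of the flashcard deck). All figures below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair against one asset."""
    name: str
    asset_value: float      # AV: what the asset is worth (currency units)
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0..1.0
    aro: float              # ARO: expected incidents per year (0.1 = once a decade)

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A mitigating control and what it costs to own."""
    name: str
    annual_tco: float                     # TCO per year: amortised purchase + operation + maintenance
    residual_aro: float                   # ARO that remains once the safeguard is in place
    residual_ef: Optional[float] = None   # EF after the safeguard; None means unchanged


def residual_ale(risk: Risk, safeguard: Safeguard) -> float:
    """ALE that remains after the safeguard is deployed."""
    ef = risk.exposure_factor if safeguard.residual_ef is None else safeguard.residual_ef
    return risk.asset_value * ef * safeguard.residual_aro


def roi(risk: Risk, safeguard: Safeguard) -> float:
    """Return on Investment: money saved per year.

    ROI = (ALE before - ALE after) - annual TCO of the safeguard.
    Positive means the safeguard pays for itself; negative means it costs
    more than the loss it prevents.
    """
    return risk.ale() - residual_ale(risk, safeguard) - safeguard.annual_tco


def decide(risk: Risk, safeguard: Safeguard) -> str:
    """Mitigate when ROI is positive, otherwise accept (or transfer) the risk."""
    return "mitigate" if roi(risk, safeguard) > 0 else "accept"


# Constructed sample data (hypothetical figures, not from the deck).
WEB_DEFACEMENT = Risk("web page defacement", asset_value=100_000, exposure_factor=0.20, aro=2.0)
WAF = Safeguard("web application firewall", annual_tco=15_000, residual_aro=0.5)

DATACENTER_FLOOD = Risk("data center flood", asset_value=5_000_000, exposure_factor=0.50, aro=0.01)
RELOCATE = Safeguard("relocate to higher ground", annual_tco=200_000, residual_aro=0.001)


def report(pairs):
    """Tabulate SLE, ALE, residual ALE, ROI and the decision for each (risk, safeguard) pair."""
    rows = []
    for risk, sg in pairs:
        rows.append((risk.name, sg.name, risk.sle(), risk.ale(),
                     residual_ale(risk, sg), roi(risk, sg), decide(risk, sg)))
    return rows


if __name__ == "__main__":
    for name, sg, sle, ale, res, r, d in report([(WEB_DEFACEMENT, WAF),
                                                 (DATACENTER_FLOOD, RELOCATE)]):
        print(f"{name:22} SLE={sle:>12,.0f} ALE={ale:>10,.0f} "
              f"residual ALE={res:>10,.0f} ROI({sg})={r:>+10,.0f} -> {d}")
```

The defacement case shows a safeguard that is cheaper than the losses it prevents (ALE falls from 40,000 to 10,000 for a 15,000 TCO), so the ROI is positive and the answer is mitigate. The flood case has a large SLE but a tiny ARO, so its ALE is only 25,000 and a 200,000-per-year relocation cannot pay for itself; that is where accepting or transferring the risk (the insurance model) belongs. The code does not model the cases the later cards carve out, where human safety, laws or regulations forbid acceptance regardless of the arithmetic.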

19
Q

Can a certification be performed by a trusted third party?

A

Yes

20
Q

Who accepts the risk in an Accreditation?

A

The Data Owner

21
Q

What is a certification?

A

A detailed inspection that verifies whether a system meets the documented security requirements.

22
Q

When a certification is performed by a trusted third party, are the issues identified recommendations or mandatory actions?

A

Recommendations

23
Q

What is an Accreditation?

A

The Data Owner’s acceptance of the risk represented by the system.

24
Q

What are NIST’s four steps to accreditation?

A

1: Initiation Phase (Research)
2: Security Certification Phase (Assessment)
3: Security Accreditation Phase (Decision to Accept Risk)
4: Continuous Monitoring Phase (Monitor)

25
What is an example of System **Alteration** in the CIA model?
Malcode Install
26
What is an example of **Destruction** in the CIA model?
DDOS
27
What is an example of an **Availability** Failure in the CIA model?
DDOS Attack
28
What does **Integrity** mean in the CIA model?
Protections against unauthorized and undetected **alteration** of information
29
What is an example of **Disclosure** in the CIA model?
Wikileaks
30
What is an example of a **Confidentiality** Failure in the CIA model?
Wikileaks
31
What does **Confidentiality** mean in the CIA model?
Protections against unauthorized disclosure of information
32
What does **CIA** stand for?
Confidentiality Integrity Availability
33
What is the Opposite of **Integrity** in the CIA model?
Alteration
34
What is an example of Data **Alteration** in the CIA model?
Web Page Defacement
35
What is the Opposite of **Confidentiality** in the CIA model?
Disclosure
36
What is an example of a System **Integrity** Failure in the CIA model?
Malcode Infection
37
What does **Availability** mean in the CIA model?
Protections against denying authorized parties access to information when needed
38
What is the Opposite of **Availability** in the CIA model?
Destruction
39
What is an example of a Data **Integrity** Failure in the CIA model?
Web Page Alteration
40
What does **Least Privilege** mean in the Cornerstone Concepts section?
A user should only have the bare minimum **Authorization** to do his job and no more.
41
What does the phrase **Need to Know** mean?
Even if a user has the privilege to access something, it does not mean his job requires him to know it.
42
What is more **granular**? **Need to Know** or **Least Privilege**?
Need to Know
43
What does **Defense in Depth** mean in the Cornerstone Concepts section?
A **Layered Defense** that reduces the risk of a single point of failure.
43
When discussing policy, the exam will use words like Mandatory (compulsory) or Discretionary. Best Practices are usually discretionary, but if you decide not to follow them you had better have a good reason.
43
Do not confuse the Data Owner with a person who owns his own data.
The Data Owner is responsible for ensuring the data is protected. A user who owns his own data has read/write access.
44
Memory Device: Quantitative –
Quantity – Hard Numbers
45
When human life is at risk,
practitioners must weigh those consequences very high.
46
What are the three parts of the **(ISC)² Code of Ethics**?
Preamble: Introduction
Canons: Mandatory, applied in order
Guidance: Advisory
46
Always choose the most ethical answer
in order of the canons.
47
What is Ethics?
Ethics is doing what is morally right
49
What are the **(ISC)² Code of Ethics Canons** in order?
1: Protect society, the commonwealth, and the infrastructure.
2: Act honorably, honestly, justly, responsibly, and legally.
3: Provide diligent and competent service to principals.
4: Advance and protect the profession.
50
What does **IAAA** stand for?
Identity Authentication Authorization Accountability
51
What is an example of an **Identity** in the IAAA model?
Username
52
What is an example of **Authorized** Use in the IAAA model?
Regular users can see their own processes but cannot see the password file.
53
What does **Authorization** mean in the IAAA model?
The permissions an identity has to perform actions on a system.
54
What does **Nonrepudiation** mean?
Users cannot deny actions identified through **Accountability** procedures within the **IAAA** framework. **Identity** is validated through **Authentication** transactions. **Integrity** of the system is validated with **Accountability** (through logging and audit of transactions).
55
"To Repudiate" means
to deny
56
What are three examples of **Accountability** in the IAAA model?
Logging, audit, sanctions.
57
What is meant by **Authentication** in the IAAA model?
The process of proving the identity claim; Ex - password
57
What is an example of an **authentication** (Identity Claim) response?
Password
58
What is **Accountability** in the IAAA model?
Ensuring that authorizations have not been violated by examining computer transactions.
60
What is an **Identity** in the IAAA model?
Identity is a claim of personhood or role (Rick, or Admin).
61
Name two ways **Standards** help the business.
1 - They lower the Total Cost of Ownership (TCO). 2 - They support disaster recovery.
62
What is the name of the **informal rule** used to describe **Due Care** in the Information Security Governance section?
Prudent Man Rule
63
In the Information Security Governance section, what are three sources for **Best Practices**?
1: NIST 2: NSA 3: SANS
64
What is a **Policy** from the Information Security Governance section?
High-level management directives.
65
What is a **Guideline** in the Information Security Governance section?
A discretionary piece of useful advice; a recommendation; especially good for novice users.
65
What does the word **Baselines** mean in the Information Security Governance section?
**Discretionary** but **Uniform** ways of implementing a safeguard.
66
In the Information Security Governance section, is **ignorance** an acceptable excuse for **non-compliance**?
An organization must be in compliance with all laws and regulations that apply to it. Ignorance of any law is never a valid excuse for breaking it.
67
What is **Due Care** in the Information Security Governance section?
Actions that a reasonable man would do.
68
What does the phrase **Information Security Governance** mean?
The policies, processes and staffing approved by senior management that make up the organization’s **Information Security Program.**
69
What is a **Standard** in the Information Security Governance section?
Describes a specific and mandatory use of a technology, usually hardware or software.
70
In the Information Security Governance, If you lose some PII and cannot demonstrate **Due Care** you are
**Grossly Negligent**
71
What does the phrase **Gross Negligence** mean in the Information Security Governance section?
It is the **opposite** of **Due Care**.
72
What is an **Issue-Specific Policy** in the Information Security Governance section?
It is one of three policy types (Program - **Issue** - System) that governs security rules for a category of activity, not the overall program and not a single system. Ex: Email Policy, Email Privacy Policy
73
What is a **Program Policy** in the Information Security Governance section?
It is one of three types of policies (**Program**- Issue - System) that creates an organization’s computer security program.
74
What are **Procedures** in the Information Security governance section?
Mandatory, Step-by-Step Guides for accomplishing tasks. They are low-level and specific.
75
What is the difference between a **Data Owner** vs a **Person Who Owns His Own Data** in the Information Security Governance section?
The **Data Owner** is responsible for ensuring the data is protected. A **User Who Owns His Own Data** has read/write access.
77
What are the **three Policy Types** from the Information Security Governance section?
1: Program Policy 2: Issue-Specific Policy 3: System Specific Policy
77
What are the five tools you can use to govern Information Security?
1 - **Policy**: High-level management directives (Mandatory)
2 - **Procedures**: Step-by-step instructions for completing a task (Mandatory)
3 - **Standard**: A specific use of a technology (Mandatory)
4 - **Guideline**: Advice (Discretionary)
5 - **Baseline**: A starting point (Discretionary)
79
What is a **Best Practice** in the Information Security Governance section?
It is a consensus of the best way to protect CIA (Confidentiality, Integrity, and Availability).
80
What does the phrase **Due Diligence** mean in the Information Security Governance section?
It is a formal process for the management of **Due Care**.
80
What is a good way to demonstrate **Due Care** and **Due Diligence** in the Information Security Governance section?
Following **Best Practices**
81
What is an example of a **System-Specific Policy**
File Server Policy, Web Server Policy
82
What does **Outsourcing** mean?
Using a third party to provide IT support services which were previously performed in-house.
83
What does **Offshoring** mean?
Outsourcing to another country
84
What does **Privacy** mean?
The protection of Personally Identifiable Information (PII). The protection of this kind of information must be assured.
85
How does **Qualitative Risk Assessment** compare with **Quantitative Risk Analysis**?
Qualitative analysis is more subjective but easier to calculate; quantitative analysis uses hard numbers and is more objective.
86
In a Qualitative Risk Assessment, how is a **Risk Matrix** used?
Uses a quadrant grid to map the likelihood (Rare – Unlikely – Possible – Likely – Certain) of a Risk occurring against the Impact (Insignificant – Minor – Moderate – Major – Catastrophic).
87
Which is **easier to calculate**? **Qualitative Risk Analysis** or **Quantitative Risk Analysis**
**Qualitative Risk Analysis**
88
What is the **formula** associated with **Quantitative Risk Analysis**?
Annual Loss Expectancy (ALE) formula
89
What does the phrase **Qualitative Risk Analysis** mean?
Uses approximate values to calculate **Risk**
90
What are the four benefits of using a **Risk Matrix** for Qualitative Analysis
1: Distinguish between High-Likelihood/Low-Consequence and High-Consequence/Low-Likelihood risks that carry the same risk rating value.
2: Display risks graphically, which makes them easier to analyse.
3: Select risks for prioritisation and further action.
4: Communicate risk.
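Cards 86 and 90 describe the risk matrix and point out that a high-likelihood/low-consequence risk and a low-likelihood/high-consequence risk can land on the same rating. The Python below is an added example, not from the deck, that builds the 5x5 matrix from the two scales the card names and shows that those two risks share a score but sit in different cells; it also applies the rule from the Risk Analysis cards that impact is always at the top of the scale when human life is at stake. The numeric rating bands and the sample risks are assumptions for illustration.

```python
"""Qualitative risk matrix: likelihood x impact.

Added example (not part of the flashcard deck). The two 5-point scales are
the ones the card names; the numeric bands that turn a score into
Low/Medium/High/Extreme and the sample risks are assumptions of this example.
"""
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# Assumed rating bands on the 1..25 score (organisations pick their own).
BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Extreme")]


def score(likelihood: str, impact: str) -> int:
    """Risk score = likelihood rank (1..5) * impact rank (1..5)."""
    return (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)


def rating(risk_score: int) -> str:
    """Map a 1..25 score onto the assumed rating bands."""
    for upper, label in BANDS:
        if risk_score <= upper:
            return label
    raise ValueError(f"score {risk_score} outside 1..25")


def assess(name: str, likelihood: str, impact: str, threatens_life: bool = False) -> dict:
    """Place one risk on the matrix.

    When human life is at stake the deck's rule applies: impact is always the
    top of the scale, whatever the analyst first estimated.
    """
    if threatens_life:
        impact = IMPACT[-1]
    s = score(likelihood, impact)
    return {"name": name, "likelihood": likelihood, "impact": impact,
            "cell": (likelihood, impact), "score": s, "rating": rating(s)}


def render_matrix(assessments) -> str:
    """Draw the grid with each risk's name in its cell (rows = likelihood, high to low)."""
    cells = {}
    for a in assessments:
        cells.setdefault(a["cell"], []).append(a["name"])
    width = 16
    lines = [" " * 14 + "".join(i[:width].ljust(width) for i in IMPACT)]
    for lk in reversed(LIKELIHOOD):
        row = lk.ljust(14)
        for im in IMPACT:
            row += ",".join(cells.get((lk, im), ["."]))[:width].ljust(width)
        lines.append(row)
    return "\n".join(lines)


# Constructed sample risks (hypothetical).
SAMPLE = [
    assess("phishing clicks", "Certain", "Insignificant"),      # 5 x 1 = 5
    assess("datacenter fire", "Rare", "Catastrophic"),          # 1 x 5 = 5, same score, different cell
    assess("ransomware", "Likely", "Major"),                    # 4 x 4 = 16
    assess("gas leak in server room", "Unlikely", "Minor", threatens_life=True),  # impact forced to Catastrophic
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a['name']:24} {a['likelihood']:9} x {a['impact']:13} = {a['score']:2} ({a['rating']})")
    print(render_matrix(SAMPLE))
```

The first two sample risks both score 5 and both rate Medium, yet they sit in opposite corners of the grid; that is the distinction card 90 says the matrix preserves and a single number loses. The gas leak shows the human-safety override: the analyst's Minor estimate is replaced by Catastrophic before scoring.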
91
What does **Quantitative Risk Analysis** mean?
Uses hard numbers to calculate Risk
92
Which is more **objective?** **Quantitative Risk Analysis** or **Qualitative Risk Analysis**
**Quantitative Risk Analysis **
93
What is a **Threat**?
A potential harmful occurrence like earthquakes, cyber espionage, etc.
93
What is a **Risk**?
A connection between a Threat and a Vulnerability: Risk = Threat X Vulnerability. Security practitioners assign arbitrary values to Threats and Vulnerabilities to assess risk; use any scale as long as you stay consistent.
96
What is a **Vulnerability**?
Weaknesses in the defenses that can cause harm.
98
What is the **Risk** formula?
Threat X Vulnerability
99
What does **Impact** mean when calculating **Risk**?
An evaluation of the consequences if the Threat is realized (Somebody or something leverages the Vulnerability).
100
What is the **impact** when Human life is on the line in the Risk Analysis section?
Impact is always very high
100
What does the acronym **TCO** stand for in the Risk Analysis section?
Total Cost of Ownership
102
What is an **Asset **in Risk Analysis?
Valuable company resources like Data, systems, people, property, IP, etc.
103
In calculating **Risk**, do security practitioners use arbitrary values or precise values for **Threats** and **Vulnerabilities**?
Arbitrary; use any scale as long as you stay consistent.
104
According to NIST, what are the **9 Steps** in the process to asses **Risk** in an organization?
1: System Characterization
2: Threat Identification
3: Vulnerability Identification
4: Control Analysis
5: Likelihood Determination
6: Impact Analysis
7: Risk Determination
8: Control Recommendations
9: Results Documentation
105
What are two ways to measure **Impact** in the Risk Analysis section?
Sometimes those consequences are in terms of money lost (Cost). Sometimes those consequences are more moral (human lives lost).
109
In the Risk Analysis Framework section, What does **PCI** stand for?
Payment Card Industry.
110
Who does the **Payment Card Industry** (PCI) framework protect?
Cardholders: PCI DSS imposes requirements on merchants and service providers that store, process, or transmit payment card data.
111
What does the acronym **OCTAVE** stand for in the Risk Analysis Framework section?
Operationally Critical Threat, Asset, and Vulnerability Evaluation
112
Who built **OCTAVE** in the Risk Analysis Frameworks section?
Carnegie Mellon
112
What are the **11 areas** that **ISO 17799** focuses on in the Risk Analysis Frameworks section?
1: Policy
2: Organization of Information Security
3: Asset Management
4: Human Resource Security
5: Physical and Environmental Security
6: Communications and Operations Management
7: Access Control
8: Information Systems Acquisition, Development and Maintenance
9: Information Security Incident Management
10: Business Continuity Management
11: Compliance
113
What is **ISO** in the Risk Analysis Frameworks
The International Organization for Standardization
113
Why did **ISO** renumber **ISO 17799** to **ISO 27002 **in the Risk Analysis Frameworks section?
**Consistency**
114
What does **ISO 27001** describe in the Risk Analysis Frameworks section?
A process for auditing (the requirements for) the best practices described in ISO 27002.
115
What does the acronym **COBIT** stand for in the Risk Analysis Frameworks section?
Control Objectives for Information and Related Technologies
116
What are the **three phases** in **OCTAVE** from the Risk Analysis Frameworks
1: Identify staff knowledge, assets and threats.
2: Identify vulnerabilities and evaluate safeguards.
3: Conduct risk analysis and develop a risk mitigation strategy.
116
What was **ISO 17799** renumbered to in the Risk Analysis Frameworks section?
**ISO 27002 **
116
What does **ISO 27002** describe in the Risk Analysis Frameworks section?
Information Security Best Practices (techniques)
116
Who built **COBIT** in the Risk Analysis Frameworks section?
The Information Systems Audit and Control Association (ISACA)
118
How many **phases** in **OCTAVE** from the Risk Analysis Frameworks section?
**3**
119
Who **sponsors** the Information Technology Infrastructure Library (**ITIL**) in the Risk Analysis Frameworks section?
The UK Government
120
What does the acronym **ITIL** stand for in the Risk Analysis Frameworks section?
Information Technology Infrastructure Library
120
What are the **five service management practices** in the Information Technology Infrastructure Library (**ITIL**) from the Risk Analysis Frameworks section?
1: Service Strategy
2: Service Design
3: Service Transition
4: Service Operation
5: Continual Service Improvement
121
What are the **four domains** of the **COBIT** Risk Analysis Framework?
1: Plan and Organize
2: Acquire and Implement
3: Deliver and Support
4: Monitor and Evaluate
122
How many **areas** does **ISO 17799** focus on in the Risk Analysis Frameworks section?
**11**
125
What does **Mitigate** mean in the Risk Choices section?
Lower the risk to an acceptable level
126
What does **Transfer** mean in the Risk Choices section?
Insurance Model - Have somebody else assume the risk
127
What are the five Risk Analysis choices?
Acceptance, Mitigation, Elimination, Transfer, Avoidance
128
What are three examples where you cannot **Accept** the Risk in the Risk Choices section?
Human safety, laws, regulations
129
What does **Acceptance** mean in the Risk Choices section?
The cost of doing anything else would be higher than the cost associated with the risk itself. There are some cases (human safety, laws, regulations) where it is not possible to accept the risk.
129
What does **Eliminate** mean in the Risk Choices section?
Remove the risk entirely; do not allow
130
What does **Avoidance** mean in the Risk Choices section?
If the project is too risky, don’t do it. Compare the Annual Loss Expectancy (ALE) to the ROI after Risk Mitigation. If the ALE is higher, avoid the project.
132
What is a **Data Owner** in the ROLES AND RESPONSIBILITIES section?
Employee responsible for ensuring that specific data is protected; determines the sensitivity label and the frequency of backup. He is not the custodian.
132
What does the **User** do in the ROLES AND RESPONSIBILITIES section?
They are the people that must follow the policy, procedures, and standards set by the Information Security Program in their day-to-day jobs.
133
What does **Senior Management** do in the ROLES AND RESPONSIBILITIES section?
Creates the information security program
134
What does **Security Awareness** mean?
Changes user behavior; users already know how to do something and awareness might make them change how they are doing it.
134
What is a **Custodian** in the ROLES AND RESPONSIBILITIES section?
Performs hands-on asset protection: backups, restoration, patching, A/V configuration, etc. Custodians follow orders; they do not make policy.
136
What does **Security Training** mean?
Provides a skill set; teaches a user how to do something.
137
14: What was ISO 17799 renamed as?
A: BS 7799-0-1.
B: ISO 27000.
C: ISO 27001.
D: ISO 27002.
D: ISO 27002.
140
10: Which of the following describes the duty of the Data Owner?
A: Patch systems.
B: Report suspicious activity.
C: Ensure their files are backed up.
D: Ensure data has proper security labels.
D: Ensure data has proper security labels.
141
1: Which of the following would be an example of a Policy Statement?
A: Protect PII by hardening servers.
B: Harden Windows 7 by first installing the pre-hardened OS image.
C: You may create a strong password by choosing the first letter of each word in a sentence and mixing in numbers and symbols.
D: Download the CISecurity Windows benchmark and apply it.
A: Protect PII by hardening servers.
142
11: Which control framework has 34 processes across four domains?
A: COSO.
B: COBIT.
C: ITIL.
D: OCTAVE.
B: COBIT.
143
12: What is the difference between a standard and a guideline?
A: Standards are compulsory and guidelines are mandatory.
B: Standards are recommendations and guidelines are requirements.
C: Standards are requirements and guidelines are recommendations.
D: Standards are recommendations and guidelines are optional.
C: Standards are requirements and guidelines are recommendations.
144
2: Which of the following describes the money saved by implementing a security control?
A: Total Cost of Ownership (TCO).
B: Asset Value (AV).
C: Return on Investment (ROI).
D: Control Savings.
C: Return on Investment (ROI).
145
13: Which phase of OCTAVE identifies vulnerabilities and safeguards?
A: Phase 1.
B: Phase 2.
C: Phase 3.
D: Phase 4.
B: Phase 2.
146
9: Which of the following steps would be taken while conducting a Qualitative Risk Assessment?
A: Calculate the Asset Value.
B: Calculate the Return on Investment.
C: Complete the Risk Analysis Matrix.
D: Complete the ALE.
C: Complete the Risk Analysis Matrix.
147
15: Which of the following ethical actions is the most important?
A: Act legally.
B: Protect society.
C: Advance and protect the profession.
D: Provide diligent service.
B: Protect Society.
148
4: Which of the following proves an identity claim?
A: Authentication.
B: Authorization.
C: Accountability.
D: Auditing.
A: Authentication.
149
3: Which of the following is an example of a program policy?
A: Establish the Information Security Program.
B: Email Policy.
C: Application Development Policy.
D: Server Policy.
A: Establish the Information Security Program.
150
5: Which of the following protects against unauthorized changes to data?
A: Confidentiality.
B: Integrity.
C: Availability.
D: Alteration.
B: Integrity.