Domain 1: Sec. Risk mgt. Flashcards

1
Q

What are the different roles and responsibilities?

A
  • Senior mgt
  • Steering Committee
  • CISO
  • Information Security Manager
  • Business Managers
  • Security Practitioners
  • Auditors
  • Sec owners
2
Q

What are the different kind of controls?

A

Physical
Technical
Administrative

  • Safeguards (prevent/deter)
  • Countermeasures (react/respond/recover)
3
Q

What is the order of Risk Identification?

A

Assets -> Threats -> Ex. Controls -> Vulnerabilities -> Consequences

4
Q

What is the 1., 2. and 3. Lines in Risk mgt?

A

1st: Business Unit (Day to day, apply controls)
2nd: Risk and Compliance (Oversee Risk mgt, develop framework)
3rd: Audit (reviews the 1st and 2nd lines; objective and offers assurance)

5
Q

What are the elements of quantitative Risk assessment?

A
  • AV (asset value). Dollars
  • EF (Exposure). Percentage
  • SLE (Single loss Expectancy). Dollar
  • ARO (Annual rate of Occurrence)
  • ALE (Annual Loss Expectancy)
  • TCO (Total cost of ownership to the control)
  • ROI (Return on investment). Saved money
6
Q

What are the four overall Risk mitigation types?

A
  • Reduce likelihood/impact via controls
  • Transfer. Share Risk with another org. SLA
  • Acceptance. Based on cost-benefit analysis. Justify the reason for non-mitigation. Still includes due diligence
  • Rejection. Not acceptable!
7
Q

How do you ensure Risk monitoring?

A
  • Reevaluate the Risk assessment
  • be up-to-date about threats/controls
  • Use Key Risk Indicators (KRI): early warnings, analysis of trends, indication of Risk appetite and tolerance, optimizing Risk governance
8
Q

What is negligence?

A

The lack of due care or due diligence

9
Q

What is the difference between Due Care and Due Diligence?

A

Due Care: ENFORCING policy to bring ORG into compliance

Due Diligence: RESEARCH standards and best practices

10
Q

What kind of laws are there?

A

Criminal law

Civil law

Administrative law

Intellectual Property law: Protecting products

11
Q

What is mandatory vacation?

A

Forcing the employee to take vacation and rotating another person into that position to check for any suspicious activities

12
Q

What is the definition of Civil law, Common law, Customary law, Religious law?

A

Civil: rule-based law, not precedent based

Common law: based on previous interpretations of laws

Customary law: Deals mainly with personal conduct and patterns of behaviour

Religious law: Based on beliefs of the religion

13
Q

What is the purpose of Awareness, training and Education?

A
  • about behaviour change
  • part of due care, adm. control
  • optimally tailored to the employees job description
  • ability to hold employees accountable for actions
  • to raise collective sec. awareness in the ORG
14
Q

What is the difference between BCP and DRP?

A

BCP: sustaining operations. Long term by nature. An umbrella. The safety net for Risk management. Unknown unknowns

DRP: Deals with the immediate aftermath. Critical systems, which are time sensitive. Short term. IT-focused

15
Q

What is the scale of disruptions?

A

Non-disaster: incident. Inconvenience. Hard drive failure

Emergency/crisis: imminent potential for loss of life or property

Disaster: unusable facilities for longer time

Catastrophe: Destruction

16
Q

Which frameworks speak about BCP?

A
  • DRII (Disaster recovery Institute int.)
  • NIST 800-34 rev1
  • ISO 27031
  • BCI GPG (Good practice Guidelines)
  • ISC2 org. Four processes of BCP
17
Q

What is the typical order of BCP?

A

BCP policy ->

BIA

ID preventative controls

Contingency strategies

BCP

Testing, training, exercises

Maintenance

18
Q

What are the ISC2 four steps of BCP?

A
  1. Project scope and planning
  2. BIA
  3. C. Planning
  4. Approval and implementation
19
Q

What is step 1 of BCP?

A
  1. Project scope and planning
    - policy statement
    - Asset analysis. Operational departments. Core services
    - BCP team creation. Cross functional senior mgt. rep
    - analysis of resources available
    - legal and regulatory landscape (HR/Legal)
20
Q

What is step 2 of BCP?

A

BIA

  • processes based on criticality (RPO/RTO/SLO service level objective)
  • MTD (maximum tolerable downtime) > RTO
  • RPO: the amount of data the ORG can lose
  • WRT (work recovery time): the amount of time to restore the function of the asset, but not necessarily the asset itself.
21
Q

What is step 3 of BCP?

A

CP
- strategy Development

  • provisions and processes
    1. People
    2. Buildings and facilities (Mirrored: direct ownership / Cold (weeks) / Warm (weeks) / Hot site (hours): MOA or SLA. Vendor agreement)

Memorandums of understanding - internal
Memorandums of agreement - external

Sign off/approval!