Domain 3 -InfoSec Governance & Risk Mgt

Question 0

A potentially negative occurrence

Answer 0

Threat

Question 1

The cost of loss due to risk over a year

Answer 1

Annualised Loss Expectancy (ALE)

Question 2

A weakness in a system

Answer 2

Vulnerability

Question 3

A matched threat and vulnerability

Answer 3

Risk

Question 4

A measure taken to reduce risk

Answer 4

Safeguard

Question 5

The cost of a safeguard

Answer 5

Total Cost of Ownership

Question 6

Money saved by deploying a safeguard

Answer 6

Return on Investment - ROI

If your annual TCO is less than your ALE then you have positive ROI and have made a good choice. If the TCO is higher than ALE, you have made a poor choice.

Question 7

Cornerstone concept of information security that seeks to prevent unauthorised disclosure of information

Answer 7

Confidentiality

Question 8

Cornerstone concept of information security that seeks to prevent unauthorised modification of information

Answer 8

Integrity

Question 9

Cornerstone concept of information security that ensures information is available when needed

Answer 9

Availability

Question 10

Unauthorised disclosure of information

Answer 10

Disclosure

Question 11

Unauthorised modification of information or data

Answer 11

Alteration

Question 12

Making systems unavailable

Answer 12

Destruction

Question 13

Is a claim of who you are

Answer 13

Identity / identification

Question 14

Proving an identity claim

Answer 14

Authentication

Question 15

Describes the action you can perform on a system once you have identified and authenticated

Answer 15

Authorisation

Question 16

Holds user accountable for their actions

Answer 16

Accountability

Question 17

Means a user cannot deny (repudiate) having performed a transaction

Answer 17

Non-repudiation

Question 18

You must have both authentication and integrity to have non repudiation. True or False?

Answer 18

True

Question 19

Means a user should be granted the minimum amount of access (authorisation) required to do his job, but no more

Answer 19

Least privilege

Question 20

Means a user can access data if he has business need todo so.

Answer 20

Need to know. User must need to know that specific piece of information before accessing it.

Question 21

Is a layered defences that applies multiple safeguards (also called controls or measures taken to reduce risk) to protect an asset

Answer 21

Defence in depth. All controls can fail and sometimes multiple controls will fail. Deploying a range of different defence in depth safeguards lower the chance that all controls will fail

Question 22

Assessing risk

Answer 22

Risk analysis

Question 23

Valuable resources you are trying to protect. Eg. Data, systems, buildings, property etc.

Answer 23

Assets.

The value or criticality of the assets will dictate what safeguards to deploy. People are your most valuable nasset.

Question 24

A potentially harmful occurrence. Eg. Earthquake, power outage, network based worm.

Answer 24

Threat. A negative action that may harm a system.

Question 25

Threat * vulnerability

Answer 25

Risk

Question 26

A weakness that allows a threat to cause harm

Answer 26

Vulnerability

Question 27

The severity of the damage

Answer 27

Impact

Question 28

Threat * vulnerability * impact

Answer 28

Risk. When calculating risk using the formula, any risk including loss of human life is extremely high, and must be mitigated.

Question 29

Allow you to perform qualitative risk analysis based on likelihood ( from rare to almost certain ) , consequences (or impact) from insignificant to catastrophic

Answer 29

Risk Analysis Matrix It uses a quadrant to map the likelihood of a risk occurring against the consequences or impact the risk would have.

Question 30

Allows you to determine the annual cost of a loss due to a risk as well as allows you to make informed decisions to mitigate the risk

Answer 30

Annualised Loss Expectance - ALE

Question 31

The value of an asset that you are trying not protect

Answer 31

Asset value

Question 32

Is the percentage of value an asset lost due to an incident

Answer 32

Exposure Factor - EF

Question 33

Cost of single loss

Answer 33

Single Loss Expectancy - SLE

Question 34

Number of losses you suffer per year

Answer 34

Annual Rate Of Occurrence - ARO

Question 35

Is your yearly cost due to a risk

Answer 35

Annualised Loss Expectancy -ALE

Question 36

The total cost of a mitigating safeguards

Answer 36

Total Cost Of Ownership - TCO

Question 37

Asset value * Exposure Factor

Answer 37

Single Loss Expectancy - SLE

Question 38

SLE * ARO

Answer 38

ALE

Question 39

What are the risk choices?

Answer 39

1. Accept the risk if TCO is higher than ALE 2. Mitigate the risk 3. Transfer the risk - Insurance 4. Avoid the risk

Question 40

A risk analysis that uses hard metrics such as dollars. It requires you to calculate the quantity of the asset you are protecting. It is more objective.

Answer 40

Quantitative Risk Analysis

Question 41

A risk analysis that uses simple approximate values. The Risk Analysis Matrix can also be use. This type is more subjective.

Answer 41

Qualitative Risk Analysis

Question 42

Is information security at the organisation level: senior management, policies, processes and staffing

Answer 42

Information Security Governance

Question 43

A high level management directives; is mandatory and does not delve into specifics

Answer 43

Policy

Question 44

Step by step guide for accomplishing a task; low level and specific; are mandatory

Answer 44

Procedures

Question 45

Describes the specific use of technology often applied to hardware or software ; are mandatory

Answer 45

Standards

Question 46

Are recommendations which are discretionary

Answer 46

Guidelines

Question 47

Uniform ways of implementing a safeguard; are discretionary

Answer 47

Baselines

Question 48

Changes user behaviour about security

Answer 48

Security Awareness

Question 49

Teaches a user how to do something

Answer 49

Security Training

Question 50

Its roles and responsibility is to ensure all assets are protected and creates a security program

Answer 50

Senior Management

Question 51

The information owner or business owner

Answer 51

Data Owner

Question 52

He provides hands on protection of assets such as data. Don't make decisions

Answer 52

Custodian

Question 53

He follow rules and comply with mandatory policies and procedures

Answer 53

User

Question 54

Protection of the confidentiality of persona information (PII)

Answer 54

Privacy

Question 55

Doing what is reasonable person would do. Prudent man rule

Answer 55

Due Care

Question 56

Management of due care

Answer 56

Due Diligence

Question 57

Opposite of due care

Answer 57

Gross negligence

Question 58

A consensus of the best way to protect CIA of assets

Answer 58

Best Practice

Question 59

The use of third party to provide IT support or services

Answer 59

Outsourcing

Question 60

Is outsourcing to another country

Answer 60

Offshoring

Question 61

Means verifying compliance to a security control framework.

Answer 61

Auditing

Question 62

What is OCTAVE?

Answer 62

Operationally Critical Threat, Asset and Vulnerability Evaluation. A Risk Management Framework from Carnegie Mellon University

Question 63

What are the 3 phases for managing risks according to OCTAVE?

Answer 63

Phase 1 - identifies staff knowledge, assets and threats Phase 2 - identifies vulnerabilities and evaluates safeguards Phase 3 - conducts risk analysis and develop the risk mitigation strategy.

Question 64

Risk management guide for information technology systems developed by NIST

Answer 64

NIST SP-800-30

Question 65

9 Steps Risk Analysis Process (NIST SP800-30)

Answer 65

1. System characterisation - scope 2. Threat identification 3. Vulnerability identification 4. Control analysis - Safeguard 5. Likelihood determination 6. Impact analysis 7. Risk determination 8. Control recommendation 9. Results documentation

Question 66

Information Technology/Security techniques; codes of practice of information security management introduced by ISO

Answer 66

ISO/IEC 17799:2005

Question 67

11 Areas of ISO 17799

Answer 67

1. Policy 2. Organisation of Information Security 3. Asset Management 4. Human Resources Security 5. Physical and Environmental Security 6. Communications and operations management 7. Access Control 8. Information systems acquisition,development and maintenance 9. Information security incident management 10. Business Continuity Management 11. Compliance

Question 68

Is a control framework created by ISACA for deploying/employing information security governance best practices with in an organisation.

Answer 68

COBIT - Control Objectives for Information and related Technology

Question 69

4 Domains of COBIT

Answer 69

1. Plan and organise 2. Acquire and implement 3. Deliver and support 4. Monitor and evaluate

Question 70

Is a framework for providing best services in IT Service Management or ISTM

Answer 70

ITIL - information technology infrastructure library

Question 71

5 ITIL Service Management Pactices

Answer 71

1. Service strategy 2. Service design 3. Service transition 4. Service operation 5. Continual Service Improvement

Question 72

Is a detailed inspection that verifies whether a system meets the documented security requirements

Answer 72

Certification

Question 73

Data owner's acceptance of the risk represented by that system.

Answer 73

Accreditation

Question 74

NIST guide for Credit and Accreditation

Answer 74

NIST SP-800-37

Question 75

4 Steps Process of NIST SP800-37 (Certification and Accreditation)

Answer 75

1. Initiation phase 2. Security certification phase 3. Security accreditation phase 4. Continuous monitoring phase

Question 76

Doing what is morally right

Answer 76

Ethics

Question 77

What are the four ISC2 canons - code of ethics

Answer 77

In order: 1. Protect society, the commonwealth and the infrastructure 2. Act honourably, honestly, justly, responsibly and legally 3. Provide diligent and competent service to principals 4. Advance and protect the profession