Domain 4 Flashcards

(78 cards)

1
Q

Security and privacy controls are the technical, administrative, and physical measures that an organization implements to protect its information systems and data from:

A
  • unauthorized access
  • use
  • disclosure
  • modification
  • destruction.
2
Q

Security and privacy controls help organizations ensure the…

A

Security and privacy controls help organizations ensure the CIA Triad and access controls:
- Confidentiality
- Integrity
- Availability
of their information systems and data, and comply with applicable laws, regulations, and standards.

3
Q

What are some examples of security and privacy controls?

A

Examples of security and privacy controls include:
- encryption
- authentication
- access control
- backup
- audit
- data minimization
- consent
- transparency.

4
Q

What is Control Implementation and alignment?

A

Control implementation and alignment is the process of:
- selecting
- applying
- testing
- and monitoring
security and privacy controls that are appropriate for the organization’s:
- objectives,
- risk appetite
- and compliance obligations.

5
Q

Why is Control implementation and alignment important?

A

Control implementation and alignment is important because it helps the organization to achieve its goals, reduce its exposure to threats and vulnerabilities, and demonstrate its adherence to relevant laws, regulations, and standards.

Control implementation and alignment enables the organization to communicate its security and privacy posture to its:
- stakeholders
- customers
- partners
and to build trust and reputation.

6
Q

What is the first step of the Control implementation process?

A

Identify and assess the organization’s security and privacy objectives, risks, and obligations.

This includes defining the:
- scope
- boundaries
- and roles
of the information systems and assets, analyzing threats and vulnerabilities, and determining legal, regulatory, and contractual requirements.

7
Q

What is the second step of the Control implementation process?

A

2. Select and implement the security and privacy controls that are suitable for the organization’s context, needs, and capabilities.
This includes choosing the controls from recognized frameworks or standards, such as ISO/IEC 27001, NIST 800-53, or GDPR, and applying them in a consistent and effective manner.

8
Q

What is the third step of the Control implementation process?

A
3. Test, monitor, and evaluate the performance and effectiveness of the security and privacy controls.
This includes measuring the indicators and outcomes of the controls, conducting audits and reviews, and reporting and documenting results.

9
Q

What is the fourth step of the Control implementation process?

A
4. Review and update the security and privacy controls as needed.
This includes identifying and addressing any gaps, weaknesses, or changes in the organization’s environment, risk profile, or compliance status, and ensuring the continuous improvement of the controls.

10
Q

What does ISO/IEC 27001 specify?

A

ISO/IEC 27001 specifies the requirements for:
- establishing
- implementing
- maintaining
- and improving an Information security management system (ISMS).

11
Q

What does NIST SP 800-53 provide?

A

NIST SP 800-53 provides a catalog of security and privacy controls for federal information systems and organizations. The controls are organized into families, such as:
- access control
- audit and accountability
- identification and authentication

Organizations can use these controls to protect their information systems from various threats and comply with different laws and regulations. As a comprehensive catalog of security and privacy controls for federal information systems and organizations, NIST SP 800-53 helps them meet their legal and regulatory obligations.

12
Q

Controls can be classified into three main types. What are they?

A

Controls can be classified into three main types:
- management
- technical
- operational

13
Q

What is a common control?

A

A common control is a subset of these main control types. Each type of control has a different:
- purpose
- scope
- level of responsibility
in maintaining a secure and compliant environment.

14
Q

What are examples of management controls?

A

Examples of management controls include:
- The security and compliance policies that define the:
  - goals
  - objectives
  - roles
  - responsibilities
  of the organization.
- The risk management process that identifies, assesses, prioritizes, and mitigates the risks to the organization’s information assets.
- The security and compliance audits that evaluate the effectiveness and efficiency of the controls and identify any gaps or weaknesses.
- The security and compliance training and awareness programs that educate the staff and stakeholders on the:
  - policies
  - procedures
  - standards
  - guidelines
  of the organization.

15
Q

What are management controls?

A

Management controls are the administrative and organizational controls established by senior management to shape the security culture and governance structure within an organization and provide strategic direction, oversight, and accountability for security compliance.

16
Q

For what are management controls essential?

A

Management controls are essential for establishing the security and compliance culture and governance of the organization. They provide high-level vision, direction, and support for the implementation and maintenance of the other types of controls.

Through these controls, senior management can communicate the importance of information security and compliance, setting the tone for a culture that values and protects information assets.

17
Q

What are technical controls?

A

Technical controls are the technological controls (e.g. hardware, software, etc.) implemented to protect the CIA triad:
- Confidentiality
- Integrity
- Availability

of information assets. They provide the technical means and mechanisms for enforcing the security and compliance policies and standards of the organization.

18
Q

Name examples of technical controls:

A

Examples of technical controls include:

  • The encryption and decryption of data in transit and at rest
  • The authentication and authorization of users and devices
  • The firewall and antivirus software that prevent and detect unauthorized access and malicious attacks
  • The backup and recovery systems that ensure the availability and resilience of data
19
Q

For what are technical controls crucial?

A

Technical controls are crucial for delivering the security and compliance capabilities of information systems. They offer foundational:
- protection
- detection
- and response mechanisms

for information assets.

These controls facilitate the safeguarding of data and systems at a granular level, ensuring the confidentiality, integrity, and availability of organizational resources.

20
Q

What are operational controls?

A

Operational controls are specific to a particular information system or domain within an organization. They provide customized security and compliance requirements and standards that are tailored to the unique characteristics and needs of the information asset.

They are directly involved in the operation and use of information systems and include procedures and measures that help maintain the secure functioning of these systems.

21
Q

What are examples of operational controls?

A

Examples of operational controls include:

  • Access control: granting and revoking permissions and privileges to the information asset.
  • Data classification: labeling and handling the information asset according to its sensitivity and criticality.
  • Data retention and disposal: storing and destroying the information asset according to its life cycle and legal obligations.
  • Data quality and integrity: ensuring and verifying the accuracy and completeness of the information asset.

22
Q

What are operational controls essential for?

A

Operational controls are essential for providing the security and compliance specificity and effectiveness of the information asset. They provide fine-grained and tailored protection, detection, and response for information assets.

23
Q

What are common controls?

A

Common controls are those shared by multiple information systems or domains within an organization. These controls may fall under the category of:
- management,
- technical
- or operational
control.

They may be inherited from other systems or from third-party vendor controls that are already in place. They provide the baseline security and compliance requirements and standards that are applicable to all or most of the information assets.

24
Q

What are examples of common controls?

A

Examples of common controls include:

  • Enterprise-wide security policies, governance frameworks, and risk assessment methodologies
  • Centralized authentication mechanisms and network security measures
  • The physical security of the premises and facilities that house the information assets
  • The network security of the infrastructure and devices that connect the information assets
  • The configuration management of the hardware and software components of the information assets
  • Incident management of the reporting and handling of security and compliance events and incidents.
25
What are **common controls** essential for?
**Common controls** are essential for providing security and compliance, consistency, and efficiency throughout the organization. They provide centralized, cross-cutting and shared protection, detection, and response for the information assets. Controls are the key elements of security and compliance in an organization. By understanding and applying the different types of controls, the **GRC professional** can achieve a comprehensive and balanced security and compliance posture.
26
Why are **Compliance documentation reviews and training** essential activities?
**Compliance documentation reviews and training** are essential activities for ensuring an organization meets the security standards and regulations that apply to its industry and operations. Compliance documentation reviews involve verifying that security policies, procedures, and controls are accurate, complete, and up to date.
27
The frequency of compliance documentation reviews and training depends on several factors, what are they?
The frequency of compliance documentation reviews and training depends on several factors, such as:
- the size and complexity of the organization
- the nature and scope of the security risks
- changes in the security environment
- feedback from audits and assessments
- and regulatory requirements.
27
What does **Compliance Training** involve?
Compliance training involves educating the staff on the security requirements and best practices that they need to follow.
28
What is the general rule of thumb in regards to the frequency of **compliance documentation reviews and training?**
A general rule of thumb is to conduct compliance documentation reviews and training at least once a year, or more often if there are significant changes or incidents that affect the security posture.
29
What are some examples of events that may trigger a need for **compliance documentation review and training?**
- **The introduction of new technologies, systems, or applications** that create **new security risks or vulnerabilities**, or that require **new security policies, procedures, or controls**.
- **The adoption of new security standards or regulations** that impose new security requirements or obligations on the organization, or that modify or revoke existing ones.
- **The occurrence of security breaches, incidents, or events** that compromise the:
  - Confidentiality
  - Integrity
  - Availability
  of the organization's data, assets, or operations, or that expose the organization to legal, reputational, or financial damages.
- **The reorganization, expansion, or downsizing of the organization** that affects the roles, responsibilities, or access rights of the staff, or that changes the security scope or boundaries of the organization.
30
What are several benefits for establishing a frequency for **compliance documentation reviews?**
- Ensuring that the security policies, procedures, and controls are aligned with the current security standards and regulations.
- Frequent reviews and updates of security documentation ensure that the organization's security measures evolve in tandem with the changing threat landscape.
- Identifying and addressing any gaps, weaknesses, or inconsistencies in the security documentation and implementation, and updating them accordingly.
- Enhancing the security awareness and competence of the staff and ensuring that they understand and comply with the security requirements and best practices.
- Demonstrating the commitment and accountability of the organization to the security stakeholders, such as the customers, regulators, auditors, and partners.
- Reducing the likelihood and impact of security breaches, incidents, and violations, and improving the security performance and reputation of the organization.
31
What are **Security Controls?**
**Security controls** are the:
- technical
- or administrative measures
used to protect the:
- Confidentiality
- Integrity
- and Availability
of information systems and data.
32
**Security controls** can be... ?
Security controls can be:
- preventive,
- detective,
- compensating
- or corrective,
depending on their purpose and function.
33
**Security controls** can also be classified as... ?
Security controls can also be classified as:
- physical
- logical
- or administrative,
depending on their nature and scope.
34
**Security controls** should be implemented according to the... ?
The implementation of security controls is a critical process that requires careful planning, execution, testing, and monitoring. Security controls should be implemented according to the:
- organization's compliance requirements,
- the industry,
- and the regulatory bodies.
35
Sometimes **security controls** may be too:
- costly
- complex
- impractical to implement
- or they may interfere with the functionality or performance of the system.
What should you do if that happens?
In such cases, compensating or alternate security controls may be used to provide a similar or equivalent level of protection, without compromising the system's functionality or performance. Compensating or alternate security controls are not substitutes for the original security controls, but rather alternatives that can achieve the same security objectives in a different way.
36
Name the 5 **control implementation process** steps.
1. Assessment
2. Selection
3. Implementation
4. Evaluation
5. Maintenance
37
Explain the Control Implementation Process step: **1. Assessment.**
1. **Assessment.** The first step of the **control implementation process** is to assess the current state of the:
- system,
- network,
- or application
and identify the:
- risks
- threats
- and vulnerabilities
that affect it.
38
What should the Control Implementation Process step: **1. Assessment**, consider?
The assessment should also consider the compliance requirements that apply to the system, network, or application, and the **security objectives** that the organization wants and needs to achieve.
39
What should the Control Implementation Process step: **1. Assessment**, result in?
The assessment should result in a:
- **risk analysis** and a
- **gap analysis**,
which can help to prioritize the security needs and determine the appropriate **security controls**.
40
Explain the Control Implementation Process step: **2. Selection.**
2. **Selection.** The second step of the **control implementation process** is to select the security controls that best suit the:
- system,
- network,
- or application,
based on the assessment results, the compliance requirements, and the **security objectives**.
41
What should the Control Implementation Process step: **2. Selection**, consider?
The **selection** should also consider the:
- cost,
- complexity
- and feasibility
of the security controls, and the potential **impact** on the:
- **functionality**
- and **performance**
of the system, network, or application.
42
What should the Control Implementation Process step: **2. Selection**, result in?
The **selection** should result in a security plan and the security policy, which can guide the implementation and management of the **security controls**.
43
Explain the Control Implementation Process step: **3. Implementation.**
3. **Implementation.** The third step of the **control implementation process** is to implement the security controls that have been **selected**, according to the security plan and the security policy.
44
What should the Control Implementation Process step: **3. Implementation**, follow?
The implementation should follow the best practices and standards that apply to the security controls, and the system, network, or application.
45
What should the Control Implementation Process step: **3. Implementation**, involve?
The implementation should also involve:
- testing,
- verification
- and validation
of the security controls, to ensure that they are working as intended and meeting the security objectives.
46
Explain the Control Implementation Process step: **4. Evaluation.**
4. **Evaluation.** The fourth step of the control implementation process is to evaluate the effectiveness and efficiency of the security controls implemented, based on the **security objectives** and the compliance requirements.
47
What should the Control Implementation Process step: **4. Evaluation**, involve?
The evaluation should also involve:
- measuring,
- monitoring
- and reporting
on the security performance and the **security incidents** that occur on the:
- system
- network
- application.
48
What should the Control Implementation Process step: **4. Evaluation**, result in?
The evaluation should result in a **security review** and a **security audit**, which can provide feedback and improvement suggestions for the **security controls.**
49
What are **compensating or alternate security controls?**
Compensating or alternate security controls are security measures implemented when the recommended or **baseline security controls** are:
- not feasible,
- cost-effective
- or compatible with the system or environment.
50
**Compensating or alternate security controls** provide equivalent or comparable protection to the **baseline security controls**, but they may differ in terms of.... ?
Compensating or alternate security controls provide equivalent or comparable protection to the baseline security controls, but they may differ in terms of:
- functionality,
- implementation,
- or assurance level.
51
What are **compensating or alternate security controls** also known as?
Compensating or alternate security controls are also known as:
- compensatory,
- alternative,
- or substitute controls.
52
Compensating or alternate security controls are needed for various reasons, such as... ?
- **Technical limitations.** The system or environment may not support the **baseline security controls** due to hardware, software, or network constraints.
- **Operational requirements.** The system or environment may have specific operational needs that conflict with the **baseline security controls**, such as performance, availability, or usability.
- **Business constraints.** The system or environment may have budgetary, legal, regulatory, or contractual limitations that prevent the implementation of the **baseline security controls**.
- **Risk acceptance.** The system or environment may have a low risk level or a high risk tolerance that justifies the use of less stringent or more flexible security controls.
53
Name a few examples of **compensating or alternate security controls**.
Some examples of compensating or alternate **security controls** are:
- **Encryption.** If the **baseline security control** is to physically secure the storage media, a compensating or alternate security control could be to encrypt the data on the storage media.
- **Segmentation.** If the **baseline security control** is to isolate the system or environment from the network, a compensating or alternate security control could be to segment the network and apply firewall rules to restrict access to the system or environment.
- **Authentication.** If the **baseline security control** is to use multifactor authentication, a compensating or alternate **security control** could be strong passwords and enforcement of password policies.
- **Audit.** If the **baseline security control** is to implement access control mechanisms, a compensating or alternate security control could be to audit and log the access activities and review them regularly.
- **Training.** If the baseline security control is to install antivirus software, a compensating or alternate security control could be to train the users on how to avoid malware infections and report suspicious incidents.
54
Describe the **Compensating or alternate security controls** - Implementation process.
**Compensating or alternate security controls** are implemented through a systematic process that involves the following steps:
1. Identify the **baseline security controls** that are not feasible, cost-effective, or compatible with the system or environment.
2. Analyze the security objectives, risks, and impacts of not implementing the **baseline security controls**.
3. Select the compensating or alternate security controls that provide equivalent or comparable protection to the **baseline security controls**.
4. Document the rationale, justification, and approval for using compensating or alternate security controls.
5. Implement, test, monitor, and evaluate the effectiveness of the compensating or alternate security controls.
6. Review and update the compensating or alternate security controls as needed.
55
What do **compensating security controls** provide?
**Compensating security controls** provide additional capabilities to mitigate risk and decrease the likelihood and impact of potential incidents.
56
What is an essential part of the **security management process**, as it provides **evidence** of the effectiveness and compliance of the controls and helps to prioritize and mitigate the remaining risks?
**Documentation**. Documenting the security controls and the Residual Risk is an essential part of the security management process, as it provides **evidence** of the effectiveness and compliance of the controls and helps to prioritize and mitigate the remaining risks.
57
What does **documenting** the implemented controls demonstrate?
Documenting the implemented controls demonstrates the security posture and compliance of the organization and provides a basis for continuous improvement and audit. It provides a clear and detailed record of the security measures in place, which is essential for understanding the organization's defense mechanisms against potential threats.
58
What are the key elements involved in documenting the implemented controls?
- **Organization's purpose, scope, and risk profile.** These elements define the context and objectives of security controls and the level of risk that the organization is willing to accept.
- **Security policies, standards, and procedures.** These elements specify the rules, guidelines, and processes that govern the implementation and operation of security controls.
- **Security control framework and baseline.** These elements provide a structured and consistent approach to selecting, implementing, and assessing the security controls, based on the best practices and requirements of the organization and its stakeholders.
- **Security control inventory and assessment.** These elements identify and document the **security controls** that are in place and evaluate their performance and effectiveness against the predefined criteria and metrics.
- **Security control gaps and recommendations.** These elements highlight areas where security controls are not sufficient or adequate and suggest the improvements or enhancements needed.
59
What is **residual security risk?**
Residual security risk is what remains after implementing security controls and mitigating actions. It is inevitable that some **residual risk** will always exist, as no system or organization can be completely secure.
60
How should **residual risk** be treated?
**Residual risk** should be:
- identified
- assessed
- treated
- and documented
so that it can be **monitored and managed effectively.**
61
What is a **Plan of Action and Milestones (POA&M)?**
A **Plan of Action and Milestones (POA&M)** is a document that lists the security issues or weaknesses that have been identified in a system or organization, and the actions that are planned to address them. A **Plan of Action and Milestones (POA&M)** is a useful tool for documenting planned implementations, as it helps to track the progress and completion of security actions, and to measure the reduction of risk. A **POA&M** should be updated regularly and reviewed by the security manager or the senior management.
62
What does a **Plan of Action and Milestones (POA&M)** typically include?
- Description
- Source: the source of the issue or weakness, such as an audit, an assessment, or a test.
- Responsible party
- Estimated completion date
- Status
- Residual risk
63
What is a **risk register?**
A **risk register** is a document listing the risks identified in a system or organization and the controls or actions that have been implemented or planned to mitigate them.
64
What is the purpose of a **risk register?**
It serves as a central repository for all risk-related information, documenting the details of each identified risk, including its:
- nature
- the likelihood of occurrence,
- the impact it would have on the organization or a project,
- and the measures that are in place or planned to mitigate or manage the risk.
65
What does a risk register typically include?
- **Description**
- **Impact**, e.g. financial, operational, reputational, or legal.
- **Likelihood**, e.g. the probability of the risk occurring.
- **Risk level**, e.g. a combination of impact and likelihood (low, medium, or high).
- **Controls**: the existing controls in place to prevent or reduce the risk (e.g. policies, procedures, or technologies).
- **Actions**: additional controls or actions to be implemented to further mitigate the risk (e.g. training, monitoring, testing).
- **Owner**
66
What are **implemented controls?**
**Implemented controls** are the actions, activities, or mechanisms that an organization uses to manage its risks and achieve its objectives. Implemented controls can be:
- preventive,
- detective
- or corrective
and can be applied at different levels of the organization, such as:
- strategic,
- operational,
- or tactical.
Implemented controls can also be classified as:
- technical,
- administrative,
- or physical,
depending on the nature and source of the control.
67
What are the **key elements** of documenting an **implemented control**?
- Control objective
- Control type
- Control level
- Control operator
- Control activities or tasks
- Control frequency
- Control evidence
- Control performance indicators
- Control improvement actions
68
What is **control frequency?**
The **control frequency** is the time interval or occurrence rate at which the control activities or tasks are performed, such as:
- daily,
- weekly,
- monthly,
- quarterly,
- annually,
- or as needed.
69
What are **control activities or tasks?**
The **control activities or tasks** are the specific actions or mechanisms that constitute the control, such as **policies, procedures, processes, systems, tools, devices, or personnel.**
70
What is a **control operator?**
The **control operator** is the person or entity performing the control activities or tasks on a regular or ad hoc basis.
71
72
What are **control types?**
The **control type** is the category or classification of the control, such as:
- preventive,
- detective,
- corrective,
- technical,
- administrative,
- or physical.
73
What are **control objectives?**
The **control objective** is the specific risk or outcome that the control is intended to address or achieve.
74
What steps are recommended to ensure that documentation of implemented controls is consistent with the organization's:
- purpose,
- scope,
- and risk profile?
The following steps are recommended:
1. **Identify the organization's purpose, scope, and risk profile.**
2. **Identify the organization's policies, procedures, and strategic plans.**
3. **Identify the implemented controls supporting the organization's purpose, scope, and risk profile.**
4. **Document the implemented controls using the key elements described above.**
5. **Periodically review and update the documentation of implemented controls.**
75
Name 6 best practices in regards to **documenting implemented controls:**
Good practices:
- Use a consistent format and structure for the documentation of **implemented controls**, such as a **template, checklist, or table.**
- Use **clear and concise language** for the documentation of **implemented controls**, and avoid **jargon, acronyms, or technical terms** that may not be understood by the intended audience.
- Use relevant and reliable information sources for the documentation of implemented controls, such as **official documents, records, reports, or data**.
- Use **objective and verifiable evidence** for the documentation of implemented controls and provide references or citations for the information sources.
- Use **quantitative and qualitative indicators** for the documentation of implemented controls and provide benchmarks or targets for comparison or evaluation.
- Use **constructive and actionable feedback** for the documentation of **implemented controls** and provide recommendations or plans for improvement or modification.
76
What does **documenting implemented controls provide?**
Documenting implemented controls is an essential part of the risk management process, as it provides evidence of the effectiveness and efficiency of the controls, as well as their alignment with the organization's purpose, scope, and risk profile. Documenting implemented controls also helps communicate the roles and responsibilities of the control owners and operators and facilitates the monitoring, evaluation, and improvement of the controls.
77
What can **documenting implemented** controls also support?
Documenting implemented controls can also support the organization's compliance with internal and external requirements, such as:
- policies,
- procedures,
- standards,
- laws,
- and regulations.