IT Governance and Compliance

Question 1

Data classification - what are the 4 classifications

Answer 1

• top secret
• secret
• sensitive
• public

Question 2

What are the 4 principles and activities in an Information Security Policy

Answer 2

Roles and responsibilities

Risk management

Security processes - defined by security policy: vulnerability and incident mngt, swft dev, hiring, vendor mngt

Acceptable use

Question 3

Security policy and security mngt should be separate from what 2 items?

Answer 3

IT mngt and IT policy

Question 4

Data classification policy sets levels of sys security that correspond to —————

Answer 4

Data classification

Question 5

Who correctly classifies a document or data’s classification policy?

Answer 5

Data owner

Question 6

Site classification policy, dimensions to set levels of phys security:

(5)

Answer 6

Criticality of staff there

Criticality of business perf there

Value of assets

Sensitivity of data

Siting risk of location

Question 7

3 social media policy dimensions

Answer 7

Personal

Professional

Disclosure of company info

Question 8

3 other tech policies

Answer 8

Equipment control and use

Data destruction

Moonlighting

Question 9

Processes and procedures (sop)
The “how”

3Ds and R contained in a procedure document:

Answer 9

Document/process owner

Doc revisions

Reviews and approvals

Dependencies

Question 10

Standards

Which is not valid?
Tech standards
Protocol standards
Controls standards
Supplier standards
Methodology 
Configure
Architecture

Answer 10

Controls

Question 11

Methodology standards?

Answer 11

Including:

software dev,

sys administration

Network engineering

End user support

Question 12

Laws and regulations: what do you evaluate to gauge impact? 4

Answer 12

Enterprise architecture

Controls

Processes

Personnel

Question 13

What is the standard for storage and transmission of credit card data?

Answer 13

PCI-DSS

Payment card industry data security standard

Question 14

Risk mngt

4 risk actions (treatments)

Answer 14

Accept

Mitigate or reduce

Share or transfer

Avoid

Question 15

Risk mngt program

Examples of objectives

Answer 15

Reduce network penetrations

Reduce incidents

Question 16

Risk mngt program

1- Example of scope

2- What is authority

3- Example of resources

4- What is the remaining dimension needed?

Answer 16

1- What business units are involved?

2 - who said to establish the program? What is their support?

3- budget, software, staff

4- policies, procedures and records

Question 17

Risk mngt lifecycle

What comes after asset identification?

Answer 17

Risk analysis

Question 18

Risk IT Framework has 3 components:

Risk G——-

Risk E——-

Risk R——-

Answer 18

Risk governance
Risk evaluation
Risk response

Question 19

Risk IT Framework has 3 things

Risk g
Risk e
Risk r

Answer 19

Governance
Evaluation
Response

Question 20

Sources of asset data for risk management

Financial systems a——- I——

Answer 20

Financial system asset inventory

Question 21

Other sources of asset data

Answer 21

Interviews
IT systems portfolio (is what?)

Docs around major applications.

Online data

Asset management system

Question 22

Risk analysis formula

What is FAIR?

Answer 22

Risk = probability x impact

Factor analysis of information risk

Question 23

Threat analysis is to ID all possible/reasonable threats.

Natural

Man made

Answer 23

Severe storms
Flooding
Fire
Labor issues
Power outage
Criminal
Errors

Question 24

What is a logical threat analysis?

Answer 24

Malware

All that aren’t physical

Question 25

Vulnerability IDentification

Answer 25

Missing or broken antivirus Weak passwords Missing audit logs Building entrance that permits tailgating

Question 26

Probability analysis that a threat will actually be realized Impact analysis is ...

Answer 26

A realized threat will have some effect on org. Must know how an asset impacts business processes. Must have a h m l rating

Question 27

Imagine act analysis must also have what? Statement ——-//

Answer 27

If impact

Question 28

Qualitative risk analysis In scope assets, threat vulnerability (and ——-/) and statement of —

Answer 28

And severity Statement of impact

Question 29

Quantitative risk analysis Risk are expressed with financial measure Standard quantitative risk analysis requires values for ``` A—- E—— S—expectancy ARO ALE ```

Answer 29

Asset Value Exposure Factor: AV-salvage Single loss expectancy: AVxEF Annualized rate of occurrence: times per year Annualized loss expectancy: SLE x ARO

Question 30

ALEs

Answer 30

Can be added together for identification But separated for treatments

Question 31

How do you transfer risk?

Answer 31

With insurance policy Avoidance by remote bing asset or practice

Question 32

Residual risk formula

Answer 32

Original risk -mitigated risk-transferred risk = residual risk

Question 33

PCI-DSS

Answer 33

Payment Card Industry - Data Security Standards

Question 34

Ofac

Answer 34

Office of Foreign Asset Control

Question 35

Offsite local Offsite remote

Answer 35

Personnel are near the office in community Personnel are in another community but in country

Question 36

ITIL

Answer 36

Information Technology Infrastructure Library

Question 37

Risk with outsourcing

Answer 37

``` Errors and omission - data breaches? Higher than expected costs Poor quality and performance Loss of control Lowered employee morale Audit and compliance right to audit Time zone difference ```

Question 38

Leverage for outsourcing

Answer 38

Money Bad/good reviews

Question 39

Mitigating outsourcing risks

Answer 39

SLA ``` Security policy and controls -right to audit Quality - error rates Vet backgrounds Who owns intellectual property Schedule Regulations Warranty Dispute resolution Payments ```

Question 40

Outsourcing governance

Answer 40

Can’t outsource accountability Contracts and work orders Sow contains details Change management Security - they must have security controls Quality standards Metrics Audits

Question 41

ITIL 5 volumes

Answer 41

``` See strat Serb design Serb transition Service operation Continual service improvement ```