IT Governance and Compliance Flashcards Preview

CISA 2018 Exam Prep > IT Governance and Compliance > Flashcards

Flashcards in IT Governance and Compliance Deck (41)
1

Data classification - what are the 4 classifications?

- top secret
- secret
- sensitive
- public

2

What are the 4 principles and activities in an Information Security Policy?

Roles and responsibilities

Risk management

Security processes - defined by security policy: vulnerability and incident management, software development, hiring, vendor management

Acceptable use

3

Security policy and security management should be separate from what 2 items?

IT management and IT policy

4

Data classification policy sets levels of system security that correspond to —————

Data classification

5

Who is responsible for correctly classifying a document or data under the classification policy?

Data owner

6

Site classification policy, dimensions used to set levels of physical security:

(5)

Criticality of staff there

Criticality of business performed there

Value of assets

Sensitivity of data

Siting risk of location

7

3 social media policy dimensions

Personal

Professional

Disclosure of company info

8

3 other tech policies

Equipment control and use

Data destruction

Moonlighting

9

Processes and procedures (SOPs)
The “how”

3Ds and R contained in a procedure document:

Document/process owner

Doc revisions

Reviews and approvals

Dependencies

10

Standards

Which is not valid?
Tech standards
Protocol standards
Controls standards
Supplier standards
Methodology
Configure
Architecture

Controls

11

Methodology standards?

Including:

software dev,

sys administration

Network engineering

End user support

12

Laws and regulations: what do you evaluate to gauge impact? (4)

Enterprise architecture

Controls

Processes

Personnel

13

What is the standard for storage and transmission of credit card data?

PCI-DSS

Payment card industry data security standard

14

Risk management

4 risk actions (treatments)

Accept

Mitigate or reduce

Share or transfer

Avoid

15

Risk management program

Examples of objectives

Reduce network penetrations

Reduce incidents

16

Risk management program

1- Example of scope

2- What is authority

3- Example of resources

4- What is the remaining dimension needed?

1- What business units are involved?

2- Who directed that the program be established? What is their level of support?

3- budget, software, staff

4- policies, procedures and records

17

Risk management lifecycle

What comes after asset identification?

Risk analysis

18

Risk IT Framework has 3 components:

Risk G——-

Risk E——-

Risk R——-

Risk governance
Risk evaluation
Risk response

19

Risk IT Framework has 3 things

Risk g
Risk e
Risk r

Governance
Evaluation
Response

20

Sources of asset data for risk management

Financial systems a——- I——

Financial system asset inventory

21

Other sources of asset data

Interviews
IT systems portfolio (is what?)

Docs around major applications.

Online data

Asset management system

22

Risk analysis formula

What is FAIR?

Risk = probability x impact

Factor analysis of information risk

23

Threat analysis is to identify all possible/reasonable threats.

Natural

Man-made

Severe storms
Flooding
Fire
Labor issues
Power outage
Criminal
Errors

24

What is a logical threat analysis?

Malware

All that aren't physical

25

Vulnerability identification

Missing or broken antivirus
Weak passwords
Missing audit logs
Building entrance that permits tailgating

26

Probability analysis: the likelihood that a threat will actually be realized

Impact analysis is ...

A realized threat will have some effect on the org. Must know how an asset impacts business processes. Must have a high/medium/low (H/M/L) rating

27

Impact analysis must also have what?

Statement ——-//

Of impact

28

Qualitative risk analysis

In scope assets, threat vulnerability (and ——-/) and statement of —

And severity

Statement of impact

29

Quantitative risk analysis

Risks are expressed with a financial measure

Standard quantitative risk analysis requires values for

A—-
E——
S—expectancy
ARO
ALE

Asset Value

Exposure Factor: AV-salvage

Single loss expectancy: AVxEF

Annualized rate of occurrence: times per year

Annualized loss expectancy: SLE x ARO

30

ALEs

Can be added together for identification

But separated for treatments