Security and Risk Management Flashcards
Understand key concepts and facts in the Security and Risk Management domain. (36 cards)
Information security objectives are to provide:
A) Accountability, Confidentiality and Integrity
B) Confidentiality, Audit and Availability
C) Availability, Confidentiality and Integrity
D) None of the above
C) Availability, Confidentiality and Integrity
A(n) _____ is a weakness in a system which allows a threat source to compromise its security.
A) Vulnerability
B) Risk
C) Exploit
D) None of the above
A) Vulnerability
A ______ is the possibility that someone or something could exploit a vulnerability, accidentally or intentionally, causing harm to an asset.
A) Risk
B) Threat
C) Vulnerability
D) Exploit
B) Threat
A _____ is the probability of a threat agent exploiting a vulnerability and the potential for loss from that exploit.
A) Loss Expectancy
B) Risk
C) Likelihood
D) Residual Risk
B) Risk
What mitigates a risk?
i. Countermeasure
ii. Avoidance
iii. Control
iv. Safeguard
A) i
B) ii and iii
C) i, iii, iv
D) All of the above
C) i, iii, iv
‘Countermeasure’, ‘control’ and ‘safeguard’ may be used interchangeably for the same mitigation of risk.
‘Avoidance’ and ‘mitigation’ of risk are two different options for addressing risk; ‘avoidance’ does not itself ‘mitigate’ risk.
A control can be characterized by one of the following:
A) Avoidance, acceptance, or transference
B) Administrative, technical, or empirical
C) Logical, mitigation or remediation
D) Administrative, technical, or physical
D) Administrative, technical, or physical
A ____ control is put into place for financial or business function reasons.
A) Administrative
B) Acceptance
C) Compensating
D) None of the above
C) Compensating
One framework for IT governance and control objectives is:
A) Six Sigma
B) NIST
C) SANS
D) COBIT
D) COBIT
The standard for the establishment, implementation, control and improvement of the information security management system is:
A) ISO 27005
B) ISO 27004
C) ISO 27001
D) OCTAVE
C) ISO 27001
What is used to develop architectures for specific stakeholders and to present information in ‘views’?
A) Constrained user interfaces
B) The KANBAN methodology
C) NIST 800-53
D) Enterprise architecture frameworks
D) Enterprise architecture frameworks
A coherent set of policies, processes and systems to manage risks is, according to ISO27001, called:
A) Risk management lifecycle
B) SIEM
C) Information Security Management System (ISMS)
D) None of the above
C) Information Security Management System (ISMS)
Enterprise security architecture is a subset of:
A) Data architecture
B) Enterprise architecture
C) Business architecture
D) Classical architecture
C) Business architecture
A _____ is a functional definition for the integration of technology into business processes.
A) Roadmap
B) Blueprint
C) Procedure
D) None of the above
B) Blueprint
Enterprise architecture is used to build individual architectures that best map to:
A) Users
B) Business teams
C) Business drivers
D) All of the above
C) Business drivers
SABSA is a(n):
A) Capability Maturity Model
B) Security enterprise architecture framework
C) Enterprise architecture framework
D) Continuous improvement process
B) Security enterprise architecture framework
____ is a governance model used to help prevent fraud within a corporate setting.
A) PCI-DSS
B) COSO Internal Control-Integrated Framework
C) Sarbanes Oxley
D) SANS
B) COSO Internal Control-Integrated Framework
____ is/are a set of best practices for service management.
A) ISO
B) NIST
C) ITIL
D) All of the above
C) ITIL
A framework used to identify process defects in order to remedy them is:
A) CMMI
B) SABSA
C) ITIL
D) Six Sigma
D) Six Sigma
____ is a maturity model which allows for processes to improve in an incremental and standard fashion.
A) SABSA
B) Six Sigma
C) CMMI
D) ITIL
C) CMMI
Security enterprise architecture should include:
i. Strategic alignment
ii. Control implementation
iii. Business enablement
iv. Business planning
A) i, iii
B) i, iv
C) ii, iii
D) i, ii, iii
C) ii, iii
NIST 800-53 identifies which of the following control categories:
i. Procedural
ii. Business
iii. Technical
iv. Operational
v. Management
A) i, iii, iv
B) ii, iii, iv
C) iii, iv, v
D) ii, iii, iv
C) iii, iv, v
The civil law system:
A) Is based on pre-written rules
B) Is based on precedent
C) Is different from tort law
D) Both A and C
D) Both A and C
The common law system is made up of:
A) Criminal laws
B) Civil laws
C) Administrative laws
D) All of the above
D) All of the above
A customary law system:
A) Addresses primarily personal conduct
B) Uses local/regional customs and traditions as its foundation
C) Is usually mixed with another type of legal system
D) All of the above
D) All of the above