CISSP - Information Security/Risk Management Questions

The flashcards below were created by user bookjr2008 on FreezingBlue Flashcards.

  1. This organization was formed in 1985 to sponsor the National Committee on Fraudulent Financial Reporting, whose studies produced recommendations for public companies, their auditors, the Securities and Exchange Commission, and other regulators.
    Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  2. This standard specifies requirements for the implementation of security controls customized to the needs of individual organizations.
    ISO 27000: 2005
  3. Planning that focuses on the high-level, long-range requirements of the company’s long-term plan.
    Strategic Planning
  4. Planning that has a mid-term focus on events that will affect the entire organization.
    Tactical Planning
  5. This is planning for the near-term that directly impacts the ability of the organization to accomplish its objectives.
    Operational Planning
  6. What are the 5 areas that COSO focuses on?
    • Control environment
    • Risk Assessment
    • Control Activities
    • Information and communication
    • Monitoring
  7. This framework is an IT governance framework and supporting toolset published by the IT Governance Institute.
  8. How many processes are in COBIT?
  9. This is a set of five books covering the life cycle of service management.
    Information Technology Infrastructure Library (ITIL)
  10. Benchmarks used to ensure that a minimum level of security is provided across multiple implementations of the systems, networks, and products used by the organization.
  11. What is the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and the resulting impact if this should occur?
  12. A process for efficiently allocating limited resources to manage risks associated with business processes and the assets deployed to support them.
    Risk Management
  13. What are the 3 steps involved in Risk Management?
    • Risk Analysis
    • Risk Response
    • Evaluation/Monitoring
  14. Something that is of value to the organization in accomplishing its goals and objectives.
  15. The source of any circumstance or event with the potential to cause harm to an IT system.
    Threat Agent
  16. Any potential danger to information or an information system.
  17. The impact of an adverse event caused by the opportunity for a threat to cause loss, or the amount of loss suffered as a result of an attack.
  18. A flaw or weakness in system security procedures, design, implementation, or internal controls that might be exercised (whether accidentally or intentionally) and cause a security breach or a violation of the system’s security policy.
  19. What information security role performs tasks such as information classification, setting user access conditions, and deciding on business continuity priorities?
    Data owners
  20. What information security role ensures that information is available to the end users and is backed up to enable recovery in the event of data loss or corruption?
    Data custodian
  21. What information security role determines whether users, owners, custodians, systems, and networks are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements placed on systems?
  22. Which framework includes the ability to scope and tailor controls to an organization's specific mission or requirements?
    NIST SP 800-53
  23. Which framework has over 300 controls in over 17 families and three classes?
    NIST SP 800-53
  24. Denial of service and loss of service are the two primary areas affecting which principle of the CIA triad?
  25. Security policies that address areas of particular security concerns are called:
    Issue specific policies
  26. Security policies that are more targeted for a specific application or platform are called:
    System specific policy
  27. The specific rules describing how to implement the best security controls in support of policy and standards is called:
  28. Which cloud service focuses on providing basic computing resources, such as processors, memory, storage or transmission media, to a customer?
    Infrastructure as a Service (IaaS)
  29. Which cloud service typically offers an operating system or database to a customer?
    Platform as a Service (PaaS)
  30. Which cloud service provides software over the Internet, eliminating the need to install and run the application on the customer's computers?
    Software as a Service (SaaS)
  31. What are the five areas of internal control that COSO identifies?
    • Control Environment
    • Risk Assessment
    • Control Activities
    • Information and communication
    • Monitoring
  32. Which framework is a set of 34 books published by the British government Stationery Office between 1989 and 1992 to improve IT service management?
    IT Infrastructure Library (ITIL)
  33. Which framework provides the blueprint, or architecture, for an organization’s information infrastructure?
  34. Which framework is a risk-driven enterprise security architecture (ESA) framework that operates under the premise that everything flows from the business requirements? The diagram and design start at the highest level — contextual — and flow down to the lowest level — component.
    Sherwood Applied Business Security Architecture (SABSA)
  35. Which framework for enterprise architecture provides a comprehensive approach to the design, planning, implementation, and governance of an enterprise information architecture?
    The Open Group Architecture Framework (TOGAF)
  36. Which standard is a certifiable and measurable standard used in the development of an Information Security Management System (ISMS)?
    ISO/IEC 27001
  37. The standard that provides a framework through a set of measurable criteria that an organization would follow to demonstrate a higher level of maturity.
    Capability Maturity Model Integration (CMMI)
  38. This term includes all areas of security for an organization: leadership, strategy, organizational structure, planning, design, implementation, and operations.
    Enterprise Security Architecture (ESA)
  39. Which type of risk analysis is scenario oriented and is done for every department in the organization? Input comes from the department itself, but is often derived from many other sources as well.
  40. Which type of risk analysis is a carefully reasoned process and requires a good deal of judgment?
  41. This type of risk assessment evaluates the impact or effect of threats on the business process or the goals of the organization.
  42. This type of risk analysis assigns independent, objective, numeric monetary values to the elements of risk assessment and the assessment of potential losses.
  43. Which type of risk assessment is very labor- and time-intensive?
  44. What are the 4 ways to deal with risk?
    • Accept
    • Mitigate
    • Transfer
    • Avoid
  45. The practice of coming up with alternatives so that the risk in question is not realized.
    Risk Avoidance
  46. The practice of letting someone else deal with the risk is called:
    Risk transfer
  47. The practice of eliminating or significantly decreasing risk is called:
    Risk Mitigation
  48. If the cost to mitigate a risk outweighs the cost of dealing with the risk, what would be the best approach to take?
    Accept the risk
  49. This type of planning typically has a long-term horizon ranging from 3 to 5 years.
  50. This type of planning has a mid-term horizon typically ranging from 6 to 18 months.
  51. The probability that a potential vulnerability may be exercised within the construct of the associated threat environment.
  52. An action intending to cause harm. An effort by a threat agent to launch a threat by exploiting a vulnerability in an information system.
  53. Administrative, technical, or physical measures and actions taken to try and protect systems. They include countermeasures and safeguards.
  54. Controls applied after the fact; reactive in nature.
  55. Controls applied before the fact; proactive in nature.
  56. Includes the factors of threats, vulnerabilities, and current value of the asset.
    Total Risk
Card Set:
CISSP - Information Security/Risk Management Questions
2013-12-28 15:43:36
Study Guide

Information Security