[qdeck random="false" align="center" scroll="false" hide_gotit="true" gotit_active="false" show_first="front" style="min-height: 500px !important; border-color: #ff6633 !important; width: 800px !important; border-width: 4px !important; border-style: solid !important; " reshow_after="50" cards_to_show="50"]
[h] CISSP Domain 01: Security and Risk Management
[i] CISSP Domain 01
This domain covers the foundations of information security and risk management; these flashcards help you review and refresh its key concepts.
Objective: To ensure the candidate understands and can apply fundamental security principles to manage organizational and business risks, aligning security program management with strategic goals.
[start]
[q] What is the CIA Triad?
[a] The CIA Triad stands for Confidentiality, Integrity, and Availability. It’s a model designed to guide policies for information security within an organization.
Confidentiality ensures that data is accessible only to those authorized to have access.
Integrity assures that the information is reliable and accurate.
Availability ensures that the information is accessible to authorized users when needed.
[q] Define Risk Management.
[a] Risk Management is the process of identifying, assessing, and treating risks to an organization's assets and objectives so that the residual risk stays within what management is willing to accept. Risks can stem from financial uncertainty, legal liabilities, technology failures, strategic management errors, accidents, and natural disasters; each identified risk is mitigated (reduced with controls), transferred (for example through insurance), avoided, or accepted.
[q] What is a Security Governance Framework?
[a] A Security Governance Framework is a set of roles, policies, standards, and processes that guide how an organization’s information systems are managed and protected. It helps align IT security with business strategy and regulatory requirements, ensuring that the organization’s information assets are protected effectively.
[q] What is the purpose of an Information Security Policy?
[a] The purpose of an Information Security Policy is to set the direction, scope, and tone for all security efforts within the organization. It is a high-level document that outlines how security will be managed and provides a framework for implementing and managing security controls in line with the organization’s risk appetite and compliance requirements.
[q] What is Asset Valuation in the context of information security?
[a] Asset Valuation is the process of determining the worth of an asset within the organization. In information security, this includes not only the physical value of hardware and software but also the value of the data held by the organization and the impact to the business should that data be compromised or lost.
[q] Define Quantitative Risk Analysis.
[a] Quantitative Risk Analysis is a method for assessing risk that assigns numerical values to the probability of a risk and its potential impact on the organization. It uses the standard formulas Single Loss Expectancy (SLE) = Asset Value (AV) × Exposure Factor (EF) and Annualized Loss Expectancy (ALE) = SLE × Annualized Rate of Occurrence (ARO), so that the expected yearly loss from a threat can be compared directly with the yearly cost of a control, allowing for a more precise, cost-justified risk management strategy.
[q] Explain the difference between a Threat, a Vulnerability, and a Risk.
[a] Threat: A potential cause of an unwanted incident, which may result in harm to a system or organization.
Vulnerability: A weakness in a system or its design that could be exploited by a threat.
Risk: The potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability.
[q] What is the purpose of Business Continuity Planning (BCP)?
[a] Business Continuity Planning (BCP) is the process of creating systems of prevention and recovery to deal with potential threats to a company, so that personnel and assets are protected and critical operations can continue before, during, and after a disruption. It involves identifying the organization's critical business functions (typically through a Business Impact Analysis) and developing an operational plan to keep them running or restore them in a timely fashion; disaster recovery planning, which restores the IT systems themselves, is one component of it.
[q] Describe the concept of “Separation of Duties.”
[a] Separation of Duties is a key concept in internal control that prevents fraud and errors. This is achieved by spreading the responsibilities of a particular security process among multiple people or systems. It ensures that no single individual has the authority to execute, control, and review the results of the same activity.
[q] What is a Security Audit?
[a] A Security Audit is a systematic evaluation of the security of a company’s information system by measuring how well it conforms to a set of established criteria. This comprehensive examination includes assessments of security policies, user access controls, risk management procedures, and other protective measures.
[q] Explain the term “Data Custodian” in information security.
[a] A Data Custodian is responsible for the safe custody, transport, and storage of data and for implementing the controls that the Data Owner has specified. Custodians are typically administrators of the technical environment (systems, databases, backups), focusing on technical controls, security measures, and data storage; the Data Owner remains accountable for classifying the data and deciding who may access it.
[q] Define Third-Party Governance in the context of information security.
[a] Third-Party Governance refers to the processes and technologies used by organizations to monitor and manage the security and compliance of third-party services, vendors, and partners. It involves assessing the risks these third parties pose to data security and ensuring they meet the organization’s security standards.
[q] Explain the concept of “Least Privilege.”
[a] The principle of Least Privilege means that a user, program, or process should have the minimum levels of access – or permissions – necessary to perform its tasks or functions, but no more. This principle is applied to reduce the risk of unauthorized access or the spread of malware.
[q] Describe “Security Awareness Training.”
[a] Security Awareness Training is a formal process for educating employees about computer security and the policies, procedures, and practices required to maintain security within an organization. It aims to equip employees with the information they need to protect themselves and the organization from breaches, emphasizing the role every individual plays in the security ecosystem.
[q] What are “Third-Party Risk Management” practices?
[a] Third-Party Risk Management involves the processes and technologies used to evaluate and monitor the risk associated with outsourcing to third-party vendors or service providers. This includes assessing the security posture of the third party, ongoing monitoring of their compliance with security standards, and ensuring contractual agreements include security requirements.
[q] Define “Data Classification.”
[a] Data Classification is the process of organizing data into categories that make it easier to manage and secure. Categories are often based on the level of sensitivity and the impact to the organization if disclosed, altered, or destroyed. Common classification levels include Public, Internal, Confidential, and Highly Confidential.
[q] Explain the difference between “Qualitative Risk Assessment” and “Quantitative Risk Assessment.”
[a] Qualitative Risk Assessment is a subjective method of assessing risks based on the severity of impact and the likelihood of occurrence, often using categories like low, medium, and high.
Quantitative Risk Assessment involves the use of numerical values to estimate risk levels, calculating potential losses in financial terms and the probability of occurrence in percentages or monetary values.
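Worked example, added here and not part of the original card set: the quantitative formulas from the "Quantitative Risk Analysis" card (SLE = AV × EF, ALE = SLE × ARO, and the cost-benefit test for a control) carried through in Python, beside a simple qualitative likelihood/impact matrix for contrast. The asset value, exposure factors, incident rates, and control cost are constructed figures for illustration only.

```python
"""Quantitative vs qualitative risk assessment, worked through in code.

Quantitative (CISSP formulas):
    SLE = AV * EF            single loss expectancy
    ALE = SLE * ARO          annualized loss expectancy
    control value = ALE(before) - ALE(after) - annual cost of the control
Qualitative: a 5x5 likelihood x impact matrix that yields Low / Medium / High.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: worth of the asset, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 .. 1.0
    annual_rate: float      # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence of the threat."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.annual_rate


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Cost/benefit of a safeguard. Positive means the control pays for itself:
    it removes more expected loss per year than it costs to operate."""
    return before.ale() - after.ale() - annual_control_cost


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Qualitative matrix: both inputs are analyst judgements on a 1..5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    score = likelihood * impact
    if score <= 5:
        return "Low"
    if score <= 12:
        return "Medium"
    return "High"


# Constructed scenario: a customer database valued at 500,000, where a ransomware
# incident destroys 40% of its value and is expected about once every two years.
RANSOMWARE_BEFORE = Risk(asset_value=500_000, exposure_factor=0.40, annual_rate=0.5)
# Hypothetical control (offline backups plus endpoint detection) costing 20,000 per
# year, assumed to cut the exposure factor to 10% and halve the expected frequency.
RANSOMWARE_AFTER = Risk(asset_value=500_000, exposure_factor=0.10, annual_rate=0.25)
CONTROL_COST = 20_000


def worked_example() -> dict:
    """The numbers a risk register would record for this scenario."""
    return {
        "sle_before": RANSOMWARE_BEFORE.sle(),    # 200,000 per incident
        "ale_before": RANSOMWARE_BEFORE.ale(),    # 100,000 per year
        "ale_after": RANSOMWARE_AFTER.ale(),      # 12,500 per year
        "control_value": control_value(RANSOMWARE_BEFORE, RANSOMWARE_AFTER, CONTROL_COST),
        "qualitative_before": qualitative_rating(likelihood=3, impact=5),  # High
        "qualitative_after": qualitative_rating(likelihood=2, impact=3),   # Medium
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:>20}: {value}")
```

Note that the same control would fail the test if it cost 95,000 per year (100,000 − 12,500 − 95,000 < 0): the formula is what lets a manager justify, or decline, a safeguard in financial terms, which the qualitative rating alone cannot do.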
[q] What is “Asset Management” in cybersecurity?
[a] Asset Management in cybersecurity is the process of identifying, classifying, managing, and protecting the physical and digital assets of an organization. This includes hardware, software, data, and intellectual property. Effective asset management helps an organization understand what assets they own, their value, and the security controls needed to protect them.
[q] Describe the concept of “Business Impact Analysis (BIA).”
[a] Business Impact Analysis (BIA) is a process that identifies and evaluates the potential effects (financial, operational, legal, etc.) of an interruption to critical business operations as a result of a disaster, accident, or emergency. The BIA is crucial for developing strategies for business continuity and disaster recovery.
[q] What is “Compliance” in the context of information security?
[a] Compliance in information security refers to the process of adhering to laws, regulations, guidelines, and specifications relevant to the organization’s operations. It involves ensuring that security policies, practices, and controls meet established standards and legal requirements to protect data and avoid legal penalties.
[q] Define “Ethics” in information security.
[a] Ethics in information security involves the principles and moral values that guide the behavior of individuals and organizations in the creation, distribution, use, and management of information systems and technology. It covers issues such as privacy, respect for intellectual property, honesty with clients and employers, and the responsible disclosure of vulnerabilities. CISSP holders are additionally bound by the (ISC)² Code of Ethics.
[q] What is “Risk Appetite”?
[a] Risk Appetite is the amount and type of risk that an organization is willing to pursue or retain in order to achieve its objectives. It reflects the organization’s attitude towards risk-taking and is a critical component in the development of its overall risk management strategy.
[q] Explain “Supply Chain Risk Management.”
[a] Supply Chain Risk Management is the process of identifying, assessing, and mitigating risks throughout the supply chain to protect against interruptions, ensure continuity, and maintain the integrity of products and services. It includes managing the security and resilience of suppliers and third-party vendors.
[q] What are “Personal Data Protection” principles?
[a] Personal Data Protection principles are guidelines designed to protect individuals’ privacy and personal information. These principles include lawful processing, limitation of purpose, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. They form the foundation of data protection laws like GDPR.
[q] Describe the “Principle of Non-repudiation.”
[a] Non-repudiation is a security principle that ensures that a party in a transaction cannot deny the authenticity of their signature on a document or the sending of a message that they originated. This is crucial for legal and financial transactions, and it is typically ensured through cryptographic methods.
[q] What is “Incident Management”?
[a] Incident Management is the process used by organizations to identify, respond to, and manage security incidents and breaches. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. It involves a prepared response plan, analysis, containment, eradication, recovery, and post-incident review.
[q] Explain “Security Posture.”
[a] Security Posture refers to the overall security status of an organization’s software, networks, services, and information. It includes the current state of all of the organization’s security measures, practices, capabilities, and the ability to defend against security threats and vulnerabilities.
[q] What is the difference between “Strategic,” “Tactical,” and “Operational” planning in the context of information security?
[a] Strategic Planning involves long-term goals and objectives that align with the organization’s mission and vision, focusing on the establishment of security policies and frameworks.
Tactical Planning refers to the medium-term efforts and resources needed to implement strategies, including the development of specific security procedures and guidelines.
Operational Planning deals with short-term actions and day-to-day operations to enforce tactical plans, including routine security tasks and incident response.
[q] Define "Information Security Management System (ISMS)."
[a] An Information Security Management System (ISMS) is a systematic approach consisting of processes, technology, and people that helps an organization protect and manage its information through effective risk management. It is typically aligned with an international standard such as ISO/IEC 27001 and is designed to ensure the confidentiality, integrity, and availability of data.
[q] What is “Security Culture” in an organization?
[a] Security Culture refers to the set of values, shared by everyone in an organization, that determine how people are expected to think about and approach security. A strong security culture is one where security considerations are a natural part of all decisions and actions, emphasizing the importance of security awareness and behavior at all levels of the organization.
[q] Explain the concept of “Security by Design.”
[a] Security by Design is the practice of building security into a system from the earliest stages of its design and development rather than adding it afterward. It means identifying the assets and threats up front (threat modeling), choosing architectures and defaults that are secure out of the box (least privilege, fail-safe defaults, defense in depth), and verifying security throughout the development lifecycle, so that vulnerabilities are prevented rather than patched after deployment.
[q] Describe the “Principle of Defense in Depth.”
[a] The Principle of Defense in Depth is a security strategy that employs multiple layers of security controls (physical, technical, and administrative) throughout an IT system. This approach aims to provide redundancy in the event a security control fails or a vulnerability is exploited, ensuring that other layers of defense will mitigate the impact.
[q] What is “Security Information and Event Management (SIEM)”?
[a] Security Information and Event Management (SIEM) is a solution that provides a holistic view of an organization’s information security. SIEM tools aggregate and analyze log data from various sources, detecting anomalies, managing events, and providing real-time reporting and alerts on security incidents to enable prompt response.
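Added example, not part of the original card set: the aggregation and anomaly detection a SIEM performs, reduced to two correlation rules run over constructed sshd-style log lines (the hostname, usernames, and RFC 5737 documentation addresses are made up for the example). A single failed login is noise; five from one source in a minute, or a success right after a run of failures, is what the SIEM turns into an alert.

```python
"""SIEM-style correlation over authentication logs: a brute-force rule and a
"success after repeated failures" rule, run over constructed sample lines."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Optional

# Constructed sshd-style log lines (not from a real host). 203.0.113.7 fails five
# times in eight seconds and then logs in; 198.51.100.9 is a user who mistyped once.
SAMPLE_LOG = """\
Mar 10 08:00:01 bastion sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 08:00:03 bastion sshd[2032]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar 10 08:00:05 bastion sshd[2033]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Mar 10 08:00:07 bastion sshd[2034]: Failed password for deploy from 203.0.113.7 port 51237 ssh2
Mar 10 08:00:09 bastion sshd[2035]: Failed password for deploy from 203.0.113.7 port 51238 ssh2
Mar 10 08:00:12 bastion sshd[2036]: Accepted password for deploy from 203.0.113.7 port 51239 ssh2
Mar 10 08:05:00 bastion sshd[2040]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 10 08:05:30 bastion sshd[2041]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line: str, year: int = 2024) -> Optional[dict]:
    """Normalize one syslog line into an event, or None if it is not an sshd auth event.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2024 here)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def correlate(lines, fail_threshold: int = 5, window_s: int = 60, lookback_s: int = 300):
    """Return alerts as (rule, source_ip, user, timestamp) tuples.

    BRUTE_FORCE: at least fail_threshold failures from one source inside window_s.
    SUCCESS_AFTER_FAILURES: a successful login from a source that had three or more
    failures in the preceding lookback_s, the pattern that suggests a guessed password.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # src -> failure timestamps, oldest first
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:  # slide the window
                q.popleft()
            if len(q) == fail_threshold:  # fire once, when the threshold is crossed
                alerts.append(("BRUTE_FORCE", ev["src"], ev["user"], ev["ts"]))
        else:
            prior = sum(1 for t in q if (ev["ts"] - t).total_seconds() <= lookback_s)
            if prior >= 3:
                alerts.append(("SUCCESS_AFTER_FAILURES", ev["src"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, src, user, ts in correlate(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {rule:<24} src={src} user={user}")
```

Real SIEM content does the same three things at scale: normalize heterogeneous log formats into common fields, keep per-entity state over a time window, and raise an alert only when a sequence of events matches a rule, so that analysts see one prioritized incident instead of several thousand raw lines.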
[q] What is “Privacy Impact Assessment (PIA)”?
[a] A Privacy Impact Assessment (PIA) is a process that helps organizations identify and reduce the privacy risks of new projects or policies. The assessment examines how personally identifiable information is collected, used, stored, and shared, ensuring that the project complies with privacy laws and practices.
[q] Describe “Threat Intelligence.”
[a] Threat Intelligence involves the collection, evaluation, and analysis of information about potential or current attacks that threaten the security of an organization. It is used to understand the capabilities, motives, and intentions of adversaries, enabling proactive defense and informed security decision-making.
[q] What is “Data Encryption”?
[a] Data Encryption is a security method where information is transformed into a form that can only be read after it has been decrypted with the correct key. Encryption protects the confidentiality of data at rest and in transit; on its own it does not guarantee integrity, which requires a message authentication code, a digital signature, or an authenticated encryption mode that combines the two.
[q] Explain “Penetration Testing.”
[a] Penetration Testing, or pen testing, is a simulated cyber attack against a computer system, network, or web application to identify vulnerabilities and security weaknesses. It helps validate the efficacy of defensive mechanisms and adherence to compliance requirements.
[q] Define “Zero Trust Security Model.”
[a] The Zero Trust Security Model is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters, and instead must verify every user, device, and connection before granting access, and keep verifying it. This approach relies on technologies such as multi-factor authentication, encryption, device health checks, and policies that enforce least-privilege access to each resource.
[q] Explain “Quantum Computing” and its implications for cybersecurity.
[a] Quantum Computing refers to the use of quantum-mechanical phenomena, such as superposition and entanglement, to perform computation. Its implications for cybersecurity are significant: a sufficiently large quantum computer running Shor's algorithm would break the public-key algorithms in use today (RSA, Diffie-Hellman, and elliptic-curve cryptography), and Grover's algorithm roughly halves the effective strength of symmetric keys. This necessitates migration to quantum-resistant (post-quantum) algorithms such as those standardized by NIST, and longer symmetric keys.
[q] Describe “Internet of Things (IoT) Security.”
[a] Internet of Things Security addresses the challenges and vulnerabilities associated with IoT devices, which are often built with minimal security features. IoT Security encompasses the strategies and technologies used to protect IoT devices and the networks they are connected to, from unauthorized access, misuse, or harm.
[q] What is “Security Orchestration, Automation, and Response (SOAR)”?
[a] SOAR refers to technologies that allow organizations to collect inputs monitored by the security operations team, such as alerts from various security tools. SOAR tools automate responses to these security incidents, streamlining the processes of incident response and security operations center (SOC) workflows, thus improving efficiency and response times.
[q] Explain “Environmental Security” within an information security context.
[a] Environmental Security involves protecting the physical environment around critical information technology assets. This includes controlling access to hardware, protecting against natural disasters, ensuring proper heating, ventilation, and air conditioning (HVAC) to prevent equipment damage, and disposing of equipment securely to prevent data leakage.
[q] What is “Social Engineering”?
[a] Social Engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. In cybersecurity, social engineers manipulate individuals into breaking normal security procedures to gain unauthorized access to systems, networks, physical locations, or for financial gain.
[q] Describe “Public Key Infrastructure (PKI).”
[a] PKI is a set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. The purpose of PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking, and confidential email.
[q] What are “Advanced Persistent Threats (APT)”?
[a] APTs are sophisticated, long-term intrusions, typically mounted by well-resourced actors such as nation-states or organized crime groups, that gain and quietly maintain a foothold in a network to steal information or position themselves for sabotage. They target high-value organizations such as governments, defense contractors, and large corporations, with the goal of extracting information over a long period rather than causing immediate, visible harm.
[q] Define “Data Masking.”
[a] Data Masking is a data security technique used to hide original data with modified content (characters or other data). This process creates a structurally similar but inauthentic version of the organization's data to protect sensitive information while allowing functional practices like testing and user training to occur safely.
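Added example, not part of the original card set: a masker for card numbers and e-mail addresses that keeps the "structurally similar" property the card describes. Masked values keep the length, issuer digit, last four digits, and a valid Luhn check digit (and the e-mail domain) so test suites and training data still work, and the same real value always masks to the same fake value so joins across tables survive. The key and the `4111 1111 1111 1111` test number are constructed inputs, not real data.

```python
"""Data masking with referential integrity: the same real value always maps to the
same fake value (keyed, deterministic), the output keeps the format applications
expect (PAN length, issuer digit, last four, valid Luhn check digit; e-mail domain),
and the real value is not recoverable without the masking key."""
import hashlib
import hmac
import random
import re


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum; a card number is valid when the sum is divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(digits: str) -> bool:
    return digits.isdigit() and luhn_sum(digits) % 10 == 0


class Masker:
    def __init__(self, key: bytes):
        self.key = key  # stays with the masking job; never shipped with the masked data

    def _rng(self, value: str) -> random.Random:
        """Deterministic generator per (key, value), so masked data joins consistently
        across tables and runs, while a different key yields a different mapping."""
        seed = hmac.new(self.key, value.encode(), hashlib.sha256).digest()
        return random.Random(int.from_bytes(seed, "big"))

    def mask_pan(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if len(digits) < 13 or not luhn_valid(digits):
            raise ValueError("not a valid card number")
        rng = self._rng(digits)
        first, last4 = digits[0], digits[-4:]
        middle = "".join(str(rng.randrange(10)) for _ in range(len(digits) - 6))
        # The digit fifth from the right carries Luhn weight 1, so it can be chosen
        # to make the whole masked number pass the check again.
        partial = luhn_sum(first + middle + "0" + last4)
        fix = (10 - partial % 10) % 10
        return first + middle + str(fix) + last4

    def mask_email(self, email: str) -> str:
        local, _, domain = email.partition("@")
        rng = self._rng(local.lower())
        return f"user{rng.randrange(10**6):06d}@{domain}"

    def mask_record(self, record: dict) -> dict:
        """Mask the sensitive fields of one row; other columns pass through unchanged."""
        out = dict(record)
        if "pan" in out:
            out["pan"] = self.mask_pan(out["pan"])
        if "email" in out:
            out["email"] = self.mask_email(out["email"])
        return out


if __name__ == "__main__":
    m = Masker(b"constructed-masking-key")
    print(m.mask_record({"id": 7, "pan": "4111 1111 1111 1111", "email": "alice@example.org"}))
```

Keeping the last four digits is a deliberate trade-off: support staff can still match a masked record to a customer enquiry, but it also means the masked data is not anonymous and must still be access-controlled. Static masking for test environments, as here, is distinct from dynamic masking applied on the fly to query results.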
[q] Explain “Geofencing” in security contexts.
[a] Geofencing is a location-based service in which an app or other software uses GPS, RFID, Wi-Fi, or cellular data to trigger a pre-programmed action when a mobile device or RFID tag enters or exits a virtual boundary set up around a geographical location, known as a geofence. In security, it can restrict device functionalities or send alerts when devices enter or leave specified areas.
[q] What is “Multi-factor Authentication (MFA)”?
[a] MFA is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. MFA combines two or more independent credentials: what the user knows (password), what the user has (security token), and what the user is (biometric verification).
[q] What is “Information Rights Management (IRM)”?
[a] IRM is a form of IT security technology used to protect sensitive information from unauthorized access. It involves using encryption and a set of policies for controlling access to documents, emails, and other digital content based on user roles and permissions, ensuring that only authorized users can view or edit the protected information.
[x] [restart]