Domain 1
Chief Risk Officer (CRO)
-responsible for managing risk for multiple types of assets (information, physical, and workplace safety). -responsible for the treatment of pure and speculative risks faced by the organization
Chief Privacy Officer (CPO)
-the executive who ensures that the organization's policies, practices, controls, and systems ensure the proper collection, use, and protection of Personally Identifiable Information. -Responsible for ensuring the ethical and legal use of information
A new CISO in an organization is building its cybersecurity program from the ground up. To ensure collaboration among business leaders and department heads in the organization, the CISO should form and manage:
A cybersecurity steering committee. -consisting of senior executives, business unit leaders, and department heads, it can discuss organization-wide issues related to cybersecurity and make decisions regarding cyber risk.
Payment Card Industry Data Security Standard.
All controls are required, regardless of actual risk.
What is the scope of requirements of PCI-DSS?
All systems that store, process, and transmit credit card numbers, as well as all other systems that can communicate with these systems.
COBIT Framework
An IT process framework that includes security processes that are interspersed throughout the framework. -COBIT's four domains include: Plan & Organize, Acquire & Implement, Deliver & Support, and Monitor & Evaluate.
Jerome, a new CISO in a SaaS organization, has been asked to develop a long-term information security strategy. While examining the organization's information security policy, and together with knowledge of the organization's practices and controls, Jerome now realizes that the organization's security policy is largely aspirational. What is the most important consequence for this organization?
Appearance that the organization is not in control of its security practices.
What is the best method for ensuring that an organization's security program achieves adequate business alignment?
Find and understand the organization's vision statement, mission statement, goals and objectives.
What is the main advantage of a security architecture function in a larger, distributed organization?
Greater consistency in the use of tools and configurations.
ISO 27001
mainly focuses on the body of requirements (aka clauses) that describe all of the required activities and business records needed to run an Info Sec Management Program.
In a US public company, a CISO will generally report the state of the organization's cybersecurity program to:
the audit committee of the board of directors.
Control Framework
the set of managerial and organizational processes that keep the firm moving toward its strategic goals
What is the purpose of metrics in an information security program?
To measure the performance and effectiveness of security controls.
Risk Appetite Statement
(a.k.a. Risk Tolerance or Risk Capacity Statement) provides guidance on the type of risk and amount of risk an organization may be willing to accept.
Key Goal Indicator (KGI)
A measure that tells management, after the fact, whether an IT process has achieved its business requirements; usually expressed in terms of information criteria
What is the primary distinction between a network engineer and a telecom engineer?
A network engineer is primarily involved with networks and internal network media, while a telecom engineer is primarily involved with networks and external (carrier) network media.
The PCI-DSS is an example of:
A private industry standard enforced with contracts.
What is the best management-level metric for a vulnerability management process?
Average time from availability of a patch to the successful application of a patch.
Steve, a CISO, has vulnerability management metrics and needs to build business-level metrics. Which of the following is the best leading indicator metric suitable for his organization's board of directors?
Average time to patch servers supporting manufacturing process.
Business Model for Information Security (BMIS) Diagram
BMIS is a business-oriented model for managing information security utilizing systems thinking to clarify complex relationships within an enterprise. The four elements and six dynamic interconnections form the basis of a three-dimensional model that establishes the boundaries of an information security program and models how the program functions and reacts to internal and external change. BMIS provides the context for frameworks such as COBIT.
Which is the best party to make decisions about purpose and function of business applications?
Business Department Head. -they are the party who is responsible for the ongoing operation and success of business operations and processes.
An organization needs to hire an executive who will be responsible for ensuring that the organization's policies, business processes, and information systems are compliant with the laws and regulations concerning the proper collection, use, and protection of PII. What is the best job title for the position?
Chief Privacy Officer (CPO)
An organization needs to hire an executive who will build a management program that will consider threats and vulnerabilities and determine controls needed to protect systems and work centers. What is the best job title for this position?
Chief Risk Officer (CRO)
Carole is a CISO in a new organization with a fledgling security program. Carole needs to identify and develop mechanisms to ensure desired outcomes in selected business processes. What is a common term used to define these mechanisms?
Controls.
Custodial Responsibility
Custodian makes decisions based on customer's defined interests.
Which is the best party to conduct access reviews?
Department Head. -the persons responsible for business activities should be the ones who review user access to applications that support business activities.
Business Model for Information Security (BMIS)
Describes the relationship (as dynamic interconnection) between people, process, technology, and the organization.
An IT architect needs to document the flow of data from one system to another, including external systems operated by third-party service providers. What kind of documentation does the IT architect need to develop?
Data Flow Diagrams (DFDs).
The Big Data Company is adjusting several position titles in its IT department to reflect industry standards. Included in consideration are two individuals: The first is responsible for the overall relationship and data flows among its internal and external information systems. The second is responsible for the overall health and management of systems containing information. What two job titles are appropriate for these two roles?
Data architect and database administrator.
Quincy is a security leader who wants to formalize security in his organization. What is the best first step to formalizing the program?
Develop an information security program Charter. -An Information Security Program Charter describes the mission and vision for an information security program.
Two similar-sized organizations are merging. Paul will be the CISO of the new combined organization. What is the greatest risk that may occur as a result of the merger?
Differences in practice that may not be understood. -a merger typically results in the introduction of new practices that are not always understood.
Robert has located his organization's mission statement and a list of strategic objectives. What steps should Robert take to ensure that the information security program aligns with the business?
Discuss strategic objectives with business leaders to understand better what they want to accomplish and what steps are being taken to achieve them.
Jerome, a new CISO in a SaaS organization, has been asked to develop a long-term information security strategy. Why would Jerome choose to perform a threat assessment prior to producing the strategy?
Ensure that the organization is aware of everything that could reasonably go wrong.
What is the primary risk of IT acting as custodian for business owner?
IT may have insufficient knowledge of business operations to make good decisions.
Which of the following would constitute an appropriate use of the Zachman Enterprise Framework?
IT systems described at a high level and then in increasing levels of detail.
The best description for the purpose of performing risk management is:
Identify and address threats that are relevant to the organization.
Jacqueline, an experienced CISO, is reading the findings in a recent risk assessment that describes deficiencies in the organization's vulnerability management process. How would Jacqueline use the Business Model for Information Security (BMIS) to analyze the deficiencies?
Identify the Dynamic Interconnections (DI) connected to the process element.
An organization is required by PCI to include several policies that are highly technical and not applicable to the majority of its employees. What is the best course of action for implementing these policies?
Implement a technical security policy containing these required items, with a separate acceptable use policy for all workers.
What is the best explanation for the Implementation Tiers in the NIST Cybersecurity Framework?
Implementation Layers are likened to maturity levels.
What is the most likely result when an organization lacks a security architecture function?
Inconsistent application of standards.
A new CISO in a manufacturing company is gathering artifacts to understand the state of security in the organization. Why is a Report to the Board of Directors the least valuable for determining risk posture?
It is secondary information that may have been filtered, edited, and/or biased.
Of what value is a Business Impact Analysis (BIA) for a security leader in an organization?
It provides a view of the criticality of business processes in an organization.
The metric "percentage of systems with completed installation of advanced antimalware" is best described as:
Key Goal Indicator (KGI)
A member of the board of directors has asked Ravila, a CIRO, to produce a metric showing the reduction of risk as a result of the organization making key improvements to its security information and event management system. Which type of metric is most suitable for this purpose?
Key Risk Indicator (KRI). -high impact events usually occur rarely.
A security operations manager is proposing that engineers who design and manage information systems play a role in monitoring those systems. Is design and management compatible with monitoring? Why or why not?
Personnel who design and manage systems will be more familiar with the reasons and steps to take when alerts are generated.
Information Security Governance
Management's controls of information security processes. -ISACA defines governance as a set of processes that ensure that stakeholders' needs, conditions, and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved.
Which security metric is best considered a leading indicator of an attack?
Mean time to apply patches. -There is a strong correlation between the absence of security patches and the likelihood and success of attacks on systems.
Key Risk Indicators (KRIs)
Metrics that provide an early signal of increasing risk exposures in the various areas of an enterprise.
Jeffery is CISO in an organization that performs financial services for private organizations as well as government agencies and US federal agencies. What is the best Information Security Controls Framework for this organization?
NIST 800-53. -As a service provider for the US federal government, Jeffery's organization is required to adopt the NIST 800-53 controls framework.
The regulation "Security and Privacy Controls for Federal Information Systems and Organizations" is better known as what?
NIST SP800-53
The statement "Complete migration of flagship system to latest version of vendor-supplied software" is an example of what?
Objective Statement. -the statement is a strategic objective.
Jerome, a new CISO in a SaaS organization, has been asked to develop a long-term information security strategy. The best first step for understanding the present state of the organization's existing information security program is:
Perform a baseline risk assessment.
In a risk management process, who is the best person(s) to make a risk treatment decision?
Process owner who is associated with the risk. -The department head (or division head or business owner) associated with the business activity makes the risk treatment decision.
An organization that is a US public company is redesigning its access management and access review controls. What is the best role for internal audit in this redesign effort?
Provide feedback on control design. -Internal audit cannot play a design role in any process or control that it may later be required to audit.
Michael wants to improve the risk management process in his organization by creating guidelines that will help management understand when certain risks should be mitigated. The policy that Michael needs to create is known as what?
Risk Appetite Statement
Joel, a new CISO in an organization, has discovered that the server team applies security patches in response to the quarterly vulnerability scan report created by the security team. What is the best process improvement Joel can introduce to this process?
Server Team proactively applies patches, and security scans confirm effective patching and identify other issues.
Name a distinct disadvantage of the ISO 27001 standard.
Single copies of ISO 27001 standard cost more than $100, making adoption slow.
A common way to determine the effectiveness of security and risk metrics is the SMART method. What does SMART stand for?
Specific, Measurable, Attainable, Relevant, Timely.
Jerome, a new CISO in a SaaS organization, has identified a document that describes acceptable encryption protocols. What type of document is this?
Standard. -A document that describes tools, products, or protocols is a standard.
What is the best approach to develop security controls in a new organization?
Start with a standard control framework and make risk-based adjustments as needed. -risk assessment and risk treatment will result in adjustments to the framework (removing, improving, and adding controls over time).
Ernie, a CISO who manages a large security group, wants to create a mission statement for the CISO group. What is the best approach for creating this mission statement?
Start with the organization's mission statement. -The best way to manage a security organization is to align it with the business it is supporting.
Of what value is a Third-Party Risk Management (TPRM) process for a CISO who is developing a long-term security strategy for an organization?
TPRM provides valuable insight into the security capabilities of critical service providers. -An effective TPRM program captures and archives detailed information about security controls in third-party service-provider organizations.
Joseph, a CISO, is collecting statistics on several operational areas and needs to find a standard way of measuring and publishing information about the effectiveness of his program. What is the best approach to follow?
The Balanced Scorecard (BSC) is a well-known framework that is used to measure the performance and effectiveness of an organization.
The ultimate responsibility for an organization's cybersecurity program lies with whom?
The Board of Directors. -They are ultimately responsible for everything.
Who is the best person or group to make cyber-risk treatment decisions?
The Cybersecurity Steering Committee. -cybersecurity decisions made by an individual are less likely to be supported.
Samuel is the CISO in an organization that is a US public company. Samuel has noted that the organization's internal audit function concentrates its auditing efforts on "financially relevant" applications and underlying IT systems and infrastructure. As an experienced CISO, what conclusion can Samuel draw from this?
The scope of the internal audit's auditing activities is as expected for a U.S. public company.
Information Security Governance
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly.
Joseph, a new security leader in an online retail organization, is developing a long-term security strategy. Joseph has developed a detailed description of the future state of the security organization. What must Joseph do before developing a strategy to realize the future state?
Understand the current state and perform a gap analysis to identify the differences.
What is the purpose of Value Delivery Metrics?
Value delivery metrics are most often associated with long-term reduction in costs, in proportion to other measures such as the number of employees and assets.