This is the highest-level document that outlines an organization's security intentions.
What is a security policy?
This is the risk that remains after all controls are applied.
What is residual risk?
This law protects health-related personal data in the U.S.
What is HIPAA?
The first canon of the (ISC)² Code of Ethics says to protect these first.
What are society, the common good, necessary public trust and confidence, and the infrastructure?
The three parts of the CIA triad.
What are confidentiality, integrity, and availability?
This principle grants individuals only the access rights they need to do their job, and no more.
What is least privilege?
Name the 4 common risk response strategies.
What are accept, avoid, transfer, and mitigate?
This EU regulation protects the personal data of individuals in the EU, regardless of citizenship.
What is GDPR?
Acting with integrity, honesty, and respect aligns with this part of CISSP ethics.
What is act honorably, honestly, justly, responsibly, and legally?
This term means layering security controls across an environment.
What is defense in depth?
This is what a data owner primarily does.
What is classify data and determine access?
This is the formula for Annualized Loss Expectancy (ALE).
What is SLE × ARO?
This is the difference between civil and criminal law.
Civil = disputes between private parties, remedied by damages or other court orders; Criminal = offenses against society prosecuted by the state, punished by fines or imprisonment
This international standard specifies requirements for an information security management system (ISMS).
What is ISO/IEC 27001?
The main goal of business continuity planning.
What is to keep critical functions running during/after disruptions?
This document defines how to carry out a policy.
What is a standard or procedure?
This is the SLE of a server worth $100k (asset value) with an exposure factor of 0.3.
What is $30,000?
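As an added worked example (not part of the original flashcard set), the SLE and ALE formulas from the cards above carried through in Python. It goes beyond the cards in one way: it also applies the standard cost/benefit test for a safeguard (ALE before minus ALE after minus annual cost of the control), which tells you whether "mitigate" or "accept/transfer" is the sensible risk response. The $100k asset value and 0.3 exposure factor come from the card; the ARO of 0.5 (one incident every two years) and the safeguard's cost and effect are assumed values chosen for illustration.

```python
"""Quantitative risk analysis helpers: SLE, ALE and safeguard cost/benefit.

Added example; the only figures taken from the flashcards are the
$100,000 asset value and 0.3 exposure factor. Everything else is assumed.
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF.

    EF is the fraction of the asset's value lost in one incident, so it must
    lie in [0, 1]; anything else is an input error, not a risk figure.
    """
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is expected incidents per year (e.g. 0.5 = once every two years)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return round(sle * aro, 2)


def safeguard_value(ale_before: float, ale_after: float, annual_safeguard_cost: float) -> float:
    """Net annual value of a control: (ALE before) - (ALE after) - (annual cost of the control).

    A positive result means the control saves more than it costs; a negative
    result means mitigation is not cost-justified and accept/transfer should be considered.
    """
    return round(ale_before - ale_after - annual_safeguard_cost, 2)


def recommend_response(value: float) -> str:
    """Map the cost/benefit result onto the risk-response vocabulary used on the cards."""
    return "mitigate" if value > 0 else "accept or transfer"


def worked_example() -> dict:
    """The card's server, with assumed ARO and an assumed safeguard, carried end to end."""
    asset_value = 100_000.0      # from the card
    exposure_factor = 0.3        # from the card
    aro = 0.5                    # assumed: one incident every two years

    sle = single_loss_expectancy(asset_value, exposure_factor)   # 30,000
    ale = annualized_loss_expectancy(sle, aro)                   # 15,000

    # Assumed safeguard: costs $8,000/year and cuts the exposure factor to 0.1
    # (e.g. tested backups limit how much of the server's value one incident destroys).
    safeguard_cost = 8_000.0
    sle_after = single_loss_expectancy(asset_value, 0.1)         # 10,000
    ale_after = annualized_loss_expectancy(sle_after, aro)       # 5,000
    value = safeguard_value(ale, ale_after, safeguard_cost)      # 2,000

    return {
        "sle": sle,
        "ale": ale,
        "ale_after": ale_after,
        "safeguard_value": value,
        "response": recommend_response(value),
    }


if __name__ == "__main__":
    for key, val in worked_example().items():
        print(f"{key}: {val}")
```

The same safeguard at an assumed $16,000 per year would give a value of -6,000, and the function would recommend accepting or transferring the risk instead; that comparison, not the raw ALE, is what a risk owner needs to justify spending on a control.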
This is the legal term for failing to act with reasonable care.
What is negligence?
The difference between due care and due diligence.
Due diligence = investigating and understanding the risks (research); Due care = acting reasonably on that knowledge (action taken)
RTO and RPO in disaster recovery.
RTO = maximum time allowed to restore a function after a disruption; RPO = maximum acceptable data loss, measured as time since the last good backup
This principle requires multiple people to complete a critical task to prevent fraud.
What is separation of duties?
This method of evaluating risk uses rankings like High, Medium, and Low instead of dollar values.
What is qualitative risk analysis?
This type of intellectual property protects creative works like books and music.
What is copyright?
This principle means ensuring security is considered from the very beginning of a project.
What is security by design?
STRIDE is used in this type of analysis.
What is threat modeling?